Microsoft-Windows-ESE

140 events across 2 channels

Event	Title	Channel	Sample
100	ESE TraceBaseId Trace	Operational	N
101	ESE BF Trace	Operational	N
102	ESE Block Trace	Operational	N
103	ESE CacheNewPage Trace	Operational	N
104	ESE CacheReadPage Trace	Operational	Y
105	ESE CachePrereadPage Trace	Operational	Y
106	ESE CacheWritePage Trace	Operational	N
107	ESE CacheEvictPage Trace	Operational	Y
108	ESE CacheRequestPage Trace	Operational	Y
109	ESE LatchPageDeprecated Trace	Operational	N
110	ESE CacheDirtyPage Trace	Operational	Y
111	ESE TransactionBegin Trace	Operational	Y
112	ESE TransactionCommit Trace	Operational	Y
113	ESE TransactionRollback Trace	Operational	Y
114	ESE SpaceAllocExt Trace	Operational	N
115	ESE SpaceFreeExt Trace	Operational	N
116	ESE SpaceAllocPage Trace	Operational	N
117	ESE SpaceFreePage Trace	Operational	N
118	ESE IorunEnqueue Trace	IODiagnose	Y
119	ESE IorunDequeue Trace	IODiagnose	Y
120	ESE IOCompletion Trace	IODiagnose	Y
121	ESE LogStall Trace	Operational	N
122	ESE LogWrite Trace	Operational	Y
123	ESE EventLogInfo Trace	Operational	Y
124	ESE EventLogWarn Trace	Operational	Y
125	ESE EventLogError Trace	Operational	Y
126	ESE TimerQueueScheduleDeprecated Trace	Operational	N
127	ESE TimerQueueRunDeprecated Trace	Operational	N
128	ESE TimerQueueCancelDeprecated Trace	Operational	N
129	ESE TimerTaskSchedule Trace	Operational	Y
130	ESE TimerTaskRun Trace	Operational	Y
131	ESE TimerTaskCancel Trace	Operational	N
132	ESE TaskManagerPost Trace	Operational	Y
133	ESE TaskManagerRun Trace	Operational	Y
134	ESE GPTaskManagerPost Trace	Operational	Y
135	ESE GPTaskManagerRun Trace	Operational	Y
136	ESE TestMarker Trace	Operational	N
137	ESE ThreadCreate Trace	Operational	N
138	ESE ThreadStart Trace	Operational	Y
139	ESE CacheVersionPage Trace	Operational	N
140	ESE CacheVersionCopyPage Trace	Operational	N
141	ESE CacheResize Trace	Operational	Y
142	ESE CacheLimitResize Trace	Operational	Y
143	ESE CacheScavengeProgress Trace	Operational	Y
144	ESE ApiCall_Start Trace	Operational	Y
145	ESE ApiCall_Stop Trace	Operational	Y
146	ESE ResMgrInit Trace	Operational	Y
147	ESE ResMgrTerm Trace	Operational	N
148	ESE CacheCachePage Trace	Operational	Y
149	ESE MarkPageAsSuperCold Trace	Operational	N
150	ESE CacheMissLatency Trace	Operational	Y
151	ESE BTreePrereadPageRequest Trace	Operational	N
152	ESE DiskFlushFileBuffers Trace	Operational	Y
153	ESE DiskFlushFileBuffersBegin Trace	Operational	Y
154	ESE CacheFirstDirtyPage Trace	Operational	N
155	ESE SysStationId Trace	Operational	Y
156	ESE InstStationId Trace	Operational	Y
157	ESE FmpStationId Trace	Operational	Y
158	ESE DiskStationId Trace	Operational	Y
159	ESE FileStationId Trace	Operational	Y
160	ESE IsamDbfilehdrInfo Trace	Operational	Y
161	ESE DiskOsDiskCacheInfo Trace	Operational	Y
162	ESE DiskOsStorageWriteCacheProp Trace	Operational	N
163	ESE DiskOsDeviceSeekPenaltyDesc Trace	Operational	N
164	ESE DirtyPage2Deprecated Trace	Operational	N
165	ESE IOCompletion2 Trace	Operational	Y
166	ESE FCBPurgeFailure Trace	Operational	N
167	ESE IOLatencySpikeNotice Trace	Operational	N
168	ESE IOCompletion2Sess Trace	Operational	N
169	ESE IOIssueThreadPost Trace	Operational	Y
170	ESE IOIssueThreadPosted Trace	Operational	Y
171	ESE IOThreadIssueStart Trace	Operational	Y
172	ESE IOThreadIssuedDisk Trace	Operational	Y
173	ESE IOThreadIssueProcessedIO Trace	Operational	Y
174	ESE IOIoreqCompletion Trace	Operational	N
175	ESE CacheMemoryUsage Trace	Operational	N
176	ESE CacheSetLgposModify Trace	Operational	Y
177	ESE CacheFirstDirtyPage2 Trace	Operational	N
178	ESE DBScanPageSpace Trace	Operational	N
200	ESE tagNull Trace	Operational	N
201	ESE tagInformation Trace	Operational	N
202	ESE tagErrors Trace	Operational	N
203	ESE tagAsserts Trace	Operational	N
204	ESE tagAPI Trace	Operational	N
205	ESE tagInitTerm Trace	Operational	N
206	ESE tagBufferManager Trace	Operational	N
207	ESE tagBufferManagerHashedLatches Trace	Operational	N
208	ESE tagIO Trace	Operational	N
209	ESE tagMemory Trace	Operational	N
210	ESE tagVersionStore Trace	Operational	N
211	ESE tagVersionStoreOOM Trace	Operational	N
212	ESE tagVersionCleanup Trace	Operational	N
213	ESE tagCatalog Trace	Operational	N
214	ESE tagDDLRead Trace	Operational	N
215	ESE tagDDLWrite Trace	Operational	N
216	ESE tagDMLRead Trace	Operational	N
217	ESE tagDMLWrite Trace	Operational	N
218	ESE tagDMLConflicts Trace	Operational	N
219	ESE tagInstances Trace	Operational	N
220	ESE tagDatabases Trace	Operational	N
221	ESE tagSessions Trace	Operational	N
222	ESE tagCursors Trace	Operational	N
223	ESE tagCursorNavigation Trace	Operational	N
224	ESE tagCursorPageRefs Trace	Operational	N
225	ESE tagBtree Trace	Operational	N
226	ESE tagSpace Trace	Operational	N
227	ESE tagFCBs Trace	Operational	N
228	ESE tagTransactions Trace	Operational	N
229	ESE tagLogging Trace	Operational	N
230	ESE tagRecovery Trace	Operational	N
231	ESE tagBackup Trace	Operational	N
232	ESE tagRestore Trace	Operational	N
233	ESE tagOLD Trace	Operational	N
234	ESE tagEventlog Trace	Operational	N
235	ESE tagBufferManagerMaintTasks Trace	Operational	N
236	ESE tagSpaceManagement Trace	Operational	N
237	ESE tagSpaceInternal Trace	Operational	N
238	ESE tagIOQueue Trace	Operational	N
239	ESE tagDiskVolumeManagement Trace	Operational	N
240	ESE tagCallbacks Trace	Operational	N
241	ESE tagIOProblems Trace	Operational	N
242	ESE tagUpgrade Trace	Operational	N
243	ESE tagRecoveryValidation Trace	Operational	N
244	ESE tagBufferManagerBufferCacheState Trace	Operational	N
245	ESE tagBufferManagerBufferDirtyState Trace	Operational	N
246	ESE tagTimerQueue Trace	Operational	N
247	ESE tagSortPerf Trace	Operational	N
248	ESE tagOLDRegistration Trace	Operational	N
249	ESE tagOLDWork Trace	Operational	N
250	ESE tagSysInitTerm Trace	Operational	N
251	ESE tagVersionAndStagingChecks Trace	Operational	N
252	ESE tagFile Trace	Operational	N
253	ESE tagFlushFileBuffers Trace	Operational	N
254	ESE tagCheckpointUpdate Trace	Operational	N
255	ESE tagDiagnostics Trace	Operational	N
256	ESE tagBlockCache Trace	Operational	N
257	ESE tagRBS Trace	Operational	N
258	ESE tagRBSCleaner Trace	Operational	N
259	ESE tagBlockCacheOperations Trace	Operational	N
5000	ESE Compression Experiment Trace	Operational	N

Event ID 100: ESE TraceBaseId Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_TraceBaseId_Trace

Description

ESE TraceBaseId Trace.

Message #

ESE TraceBaseId Trace

Event ID 101: ESE BF Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_BF_Trace

Description

ESE BF Trace.

Message #

ESE BF Trace

Event ID 102: ESE Block Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_Block_Trace

Description

ESE Block Trace.

Message #

ESE Block Trace

Event ID 103: ESE CacheNewPage Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_CacheNewPage_Trace

Description

ESE CacheNewPage Trace.

Message #

ESE CacheNewPage Trace

Fields #

Name	Description
`ifmp` UInt32
`pgno` UInt32
`LatchFlags` UInt32
`objid` UInt32
`PageFlags` UInt32
`UserId` UInt32
`OperationId` UInt8
`OperationType` UInt8	Known values `%%1904` New registry value created `%%1905` Existing registry value modified `%%1906` Registry value deleted `%%14674` Value Added `%%14675` Value Deleted `%%14680` Value Added With Expiration Time `%%14681` Value Deleted With Expiration Time `%%14688` Value Auto Deleted With Expiration Time
`ClientType` UInt8
`Flags` UInt8
`CorrelationId` UInt32
`Iorp` UInt8
`Iors` UInt8
`Iort` UInt8
`Ioru` UInt8
`Iorf` UInt8
`ParentObjectClass` UInt8
`dbtimeDirtied` UInt64
`itagMicFree` UInt16
`cbFree` UInt16

Event ID 104: ESE CacheReadPage Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Also via: realtime ETW trace
Level: Informational
Task: ESE_CacheReadPage_Trace

Description

ESE CacheReadPage Trace.

Message #

ESE CacheReadPage Trace

Fields #

Name	Description
`ifmp` UInt32
`pgno` UInt32
`LatchFlags` UInt32
`objid` UInt32
`PageFlags` UInt32
`UserId` UInt32
`OperationId` UInt8
`OperationType` UInt8	Known values `%%1904` New registry value created `%%1905` Existing registry value modified `%%1906` Registry value deleted `%%14674` Value Added `%%14675` Value Deleted `%%14680` Value Added With Expiration Time `%%14681` Value Deleted With Expiration Time `%%14688` Value Auto Deleted With Expiration Time
`ClientType` UInt8
`Flags` UInt8
`CorrelationId` UInt32
`Iorp` UInt8
`Iors` UInt8
`Iort` UInt8
`Ioru` UInt8
`Iorf` UInt8
`ParentObjectClass` UInt8
`dbtimeDirtied` UInt64
`itagMicFree` UInt16
`cbFree` UInt16

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-ESE",
    "guid": "{478EA8A8-00BE-4BA6-8E75-8B9DC7DB9F78}",
    "event_source_name": "",
    "event_id": 104,
    "version": 0,
    "level": 4,
    "task": 5,
    "opcode": 0,
    "keywords": "0x0000000000004022",
    "time_created": "2026-06-02T05:23:25.389+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{5FF741DB-F0E3-4F6E-BD7E-A0D869BCBAEE}"
    },
    "execution": {
      "process_id": 1748,
      "thread_id": 19708
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ClientType": 0,
    "CorrelationId": 0,
    "Flags": 0,
    "Iorf": 0,
    "Iorp": 33,
    "Iors": 3,
    "Iort": 1,
    "Ioru": 29,
    "LatchFlags": 16384,
    "OperationId": 0,
    "OperationType": 0,
    "PageFlags": 75780,
    "ParentObjectClass": 0,
    "UserId": 2147483648,
    "cbFree": 1663,
    "dbtimeDirtied": 370534,
    "ifmp": 2,
    "itagMicFree": 182,
    "objid": 8,
    "pgno": 11611
  },
  "message": "ESE_CacheReadPage_Trace"
}

Event ID 105: ESE CachePrereadPage Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Also via: realtime ETW trace
Level: Informational
Task: ESE_CachePrereadPage_Trace

Description

ESE CachePrereadPage Trace.

Message #

ESE CachePrereadPage Trace

Fields #

Name	Description
`ifmp` UInt32
`pgno` UInt32
`UserId` UInt32
`OperationId` UInt8
`OperationType` UInt8	Known values `%%1904` New registry value created `%%1905` Existing registry value modified `%%1906` Registry value deleted `%%14674` Value Added `%%14675` Value Deleted `%%14680` Value Added With Expiration Time `%%14681` Value Deleted With Expiration Time `%%14688` Value Auto Deleted With Expiration Time
`ClientType` UInt8
`Flags` UInt8
`CorrelationId` UInt32
`Iorp` UInt8
`Iors` UInt8
`Iort` UInt8
`Ioru` UInt8
`Iorf` UInt8
`ParentObjectClass` UInt8

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-ESE",
    "guid": "{478EA8A8-00BE-4BA6-8E75-8B9DC7DB9F78}",
    "event_source_name": "",
    "event_id": 105,
    "version": 0,
    "level": 4,
    "task": 6,
    "opcode": 0,
    "keywords": "0x0000000000004022",
    "time_created": "2026-06-02T05:23:26.771+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 12112,
      "thread_id": 1804
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ClientType": 0,
    "CorrelationId": 0,
    "Flags": 0,
    "Iorf": 0,
    "Iorp": 34,
    "Iors": 0,
    "Iort": 1,
    "Ioru": 50,
    "OperationId": 0,
    "OperationType": 0,
    "ParentObjectClass": 0,
    "UserId": 2147483648,
    "ifmp": 1,
    "pgno": 3
  },
  "message": "ESE_CachePrereadPage_Trace"
}

Event ID 106: ESE CacheWritePage Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_CacheWritePage_Trace

Description

ESE CacheWritePage Trace.

Message #

ESE CacheWritePage Trace

Fields #

Name	Description
`tick` UInt32
`ifmp` UInt32
`pgno` UInt32
`objid` UInt32
`PageFlags` UInt32
`DirtyLevel` UInt32
`UserId` UInt32
`OperationId` UInt8
`OperationType` UInt8	Known values `%%1904` New registry value created `%%1905` Existing registry value modified `%%1906` Registry value deleted `%%14674` Value Added `%%14675` Value Deleted `%%14680` Value Added With Expiration Time `%%14681` Value Deleted With Expiration Time `%%14688` Value Auto Deleted With Expiration Time
`ClientType` UInt8
`Flags` UInt8
`CorrelationId` UInt32
`Iorp` UInt8
`Iors` UInt8
`Iort` UInt8
`Ioru` UInt8
`Iorf` UInt8
`ParentObjectClass` UInt8

Event ID 107: ESE CacheEvictPage Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Also via: realtime ETW trace
Level: Informational
Task: ESE_CacheEvictPage_Trace

Description

ESE CacheEvictPage Trace.

Message #

ESE CacheEvictPage Trace

Fields #

Name	Description
`tick` UInt32
`ifmp` UInt32
`pgno` UInt32
`fCurrentVersion` UInt32
`errBF` Int32
`bfef` UInt32
`pctPriority` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-ESE",
    "guid": "{478EA8A8-00BE-4BA6-8E75-8B9DC7DB9F78}",
    "event_source_name": "",
    "event_id": 107,
    "version": 0,
    "level": 4,
    "task": 8,
    "opcode": 0,
    "keywords": "0x0000000000004420",
    "time_created": "2026-06-02T05:23:25.398+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 1748,
      "thread_id": 19708
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "bfef": 1,
    "errBF": 0,
    "fCurrentVersion": 1,
    "ifmp": 2,
    "pctPriority": 0,
    "pgno": 4858,
    "tick": 35249578
  },
  "message": "ESE_CacheEvictPage_Trace"
}

Event ID 108: ESE CacheRequestPage Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Also via: realtime ETW trace
Level: Verbose
Task: ESE_CacheRequestPage_Trace

Description

ESE CacheRequestPage Trace.

Message #

ESE CacheRequestPage Trace

Fields #

Name	Description
`tick` UInt32
`ifmp` UInt32
`pgno` UInt32
`bflf` UInt32
`objid` UInt32
`PageFlags` UInt32
`bflt` UInt32
`pctPriority` UInt32
`bfrtf` UInt32
`ClientType` UInt8

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-ESE",
    "guid": "{478EA8A8-00BE-4BA6-8E75-8B9DC7DB9F78}",
    "event_source_name": "",
    "event_id": 108,
    "version": 0,
    "level": 5,
    "task": 9,
    "opcode": 0,
    "keywords": "0x0000000000000420",
    "time_created": "2026-06-02T05:23:25.374+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 4820,
      "thread_id": 7912
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ClientType": 0,
    "PageFlags": 75779,
    "bflf": 82176,
    "bflt": 0,
    "bfrtf": 5,
    "ifmp": 1,
    "objid": 18,
    "pctPriority": 100,
    "pgno": 141,
    "tick": 35249546
  },
  "message": "ESE_CacheRequestPage_Trace"
}

Event ID 109: ESE LatchPageDeprecated Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_LatchPageDeprecated_Trace

Description

ESE LatchPageDeprecated Trace.

Message #

ESE LatchPageDeprecated Trace

Event ID 110: ESE CacheDirtyPage Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Also via: realtime ETW trace
Level: Verbose
Task: ESE_CacheDirtyPage_Trace

Description

ESE CacheDirtyPage Trace.

Message #

ESE CacheDirtyPage Trace

Fields #

Name	Description
`tick` UInt32
`ifmp` UInt32
`pgno` UInt32
`objid` UInt32
`PageFlags` UInt32
`DirtyLevel` UInt32
`LgposModify` UInt64
`UserId` UInt32
`OperationId` UInt8
`OperationType` UInt8	Known values `%%1904` New registry value created `%%1905` Existing registry value modified `%%1906` Registry value deleted `%%14674` Value Added `%%14675` Value Deleted `%%14680` Value Added With Expiration Time `%%14681` Value Deleted With Expiration Time `%%14688` Value Auto Deleted With Expiration Time
`ClientType` UInt8
`Flags` UInt8
`CorrelationId` UInt32
`Iorp` UInt8
`Iors` UInt8
`Iort` UInt8
`Ioru` UInt8
`Iorf` UInt8
`ParentObjectClass` UInt8
`ClientComponent` AnsiString
`ClientAction` AnsiString
`ClientActionContext` AnsiString
`GuidActivityId` GUID

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-ESE",
    "guid": "{478EA8A8-00BE-4BA6-8E75-8B9DC7DB9F78}",
    "event_source_name": "",
    "event_id": 110,
    "version": 0,
    "level": 5,
    "task": 11,
    "opcode": 0,
    "keywords": "0x0000000000000422",
    "time_created": "2026-06-02T05:23:25.374+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 4820,
      "thread_id": 7912
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ClientType": 0,
    "CorrelationId": 0,
    "DirtyLevel": 2,
    "Flags": 0,
    "Iorf": 0,
    "Iorp": 0,
    "Iors": 9,
    "Iort": 1,
    "Ioru": 22,
    "LgposModify": 1816803083663,
    "OperationId": 0,
    "OperationType": 0,
    "PageFlags": 75779,
    "ParentObjectClass": 0,
    "UserId": 2147483648,
    "ifmp": 1,
    "objid": 18,
    "pgno": 141,
    "tick": 35249546
  },
  "message": "ESE_CacheDirtyPage_Trace"
}

Event ID 111: ESE TransactionBegin Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Also via: realtime ETW trace
Level: Verbose
Task: ESE_TransactionBegin_Trace

Description

ESE TransactionBegin Trace.

Message #

ESE TransactionBegin Trace

Fields #

Name	Description
`SessionNumber` Pointer
`TransactionNumber` Pointer
`TransactionLevel` UInt8

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-ESE",
    "guid": "{478EA8A8-00BE-4BA6-8E75-8B9DC7DB9F78}",
    "event_source_name": "",
    "event_id": 111,
    "version": 0,
    "level": 5,
    "task": 12,
    "opcode": 0,
    "keywords": "0x0000000000000008",
    "time_created": "2026-06-02T05:23:25.374+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 4820,
      "thread_id": 7912
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SessionNumber": "0x2B467C60C00",
    "TransactionLevel": 1,
    "TransactionNumber": "0x16CD30C"
  },
  "message": "ESE_TransactionBegin_Trace"
}

Event ID 112: ESE TransactionCommit Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Also via: realtime ETW trace
Level: Verbose
Task: ESE_TransactionCommit_Trace

Description

ESE TransactionCommit Trace.

Message #

ESE TransactionCommit Trace

Fields #

Name	Description
`SessionNumber` Pointer
`TransactionNumber` Pointer
`TransactionLevel` UInt8

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-ESE",
    "guid": "{478EA8A8-00BE-4BA6-8E75-8B9DC7DB9F78}",
    "event_source_name": "",
    "event_id": 112,
    "version": 0,
    "level": 5,
    "task": 13,
    "opcode": 0,
    "keywords": "0x0000000000000008",
    "time_created": "2026-06-02T05:23:25.374+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 4820,
      "thread_id": 7912
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SessionNumber": "0x2B467C60C00",
    "TransactionLevel": 1,
    "TransactionNumber": "0x16CD30C"
  },
  "message": "ESE_TransactionCommit_Trace"
}

Event ID 113: ESE TransactionRollback Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Also via: realtime ETW trace
Level: Verbose
Task: ESE_TransactionRollback_Trace

Description

ESE TransactionRollback Trace.

Message #

ESE TransactionRollback Trace

Fields #

Name	Description
`SessionNumber` Pointer
`TransactionNumber` Pointer
`TransactionLevel` UInt8

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-ESE",
    "guid": "{478EA8A8-00BE-4BA6-8E75-8B9DC7DB9F78}",
    "event_source_name": "",
    "event_id": 113,
    "version": 0,
    "level": 5,
    "task": 14,
    "opcode": 0,
    "keywords": "0x0000000000000008",
    "time_created": "2026-06-02T05:23:26.775+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 12112,
      "thread_id": 7804
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SessionNumber": "0x14B5A0110C0",
    "TransactionLevel": 2,
    "TransactionNumber": "0x65F14"
  },
  "message": "ESE_TransactionRollback_Trace"
}

Event ID 114: ESE SpaceAllocExt Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_SpaceAllocExt_Trace

Description

ESE SpaceAllocExt Trace.

Message #

ESE SpaceAllocExt Trace

Fields #

Name	Description
`ifmp` UInt32
`pgnoFDP` UInt32
`pgnoFirst` UInt32
`cpg` UInt32
`objidFDP` UInt32
`tce` UInt8

Event ID 115: ESE SpaceFreeExt Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_SpaceFreeExt_Trace

Description

ESE SpaceFreeExt Trace.

Message #

ESE SpaceFreeExt Trace

Fields #

Name	Description
`ifmp` UInt32
`pgnoFDP` UInt32
`pgnoFirst` UInt32
`cpg` UInt32
`objidFDP` UInt32
`tce` UInt8

Event ID 116: ESE SpaceAllocPage Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_SpaceAllocPage_Trace

Description

ESE SpaceAllocPage Trace.

Message #

ESE SpaceAllocPage Trace

Fields #

Name	Description
`ifmp` UInt32
`pgnoFDP` UInt32
`pgnoAlloc` UInt32
`objidFDP` UInt32
`tce` UInt8

Event ID 117: ESE SpaceFreePage Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_SpaceFreePage_Trace

Description

ESE SpaceFreePage Trace.

Message #

ESE SpaceFreePage Trace

Fields #

Name	Description
`ifmp` UInt32
`pgnoFDP` UInt32
`pgnoFree` UInt32
`objidFDP` UInt32
`tce` UInt8

Event ID 118: ESE IorunEnqueue Trace

Provider: Microsoft-Windows-ESE
Channel: IODiagnose
Also via: realtime ETW trace
Level: Informational
Task: ESE_IorunEnqueue_Trace

Description

ESE IorunEnqueue Trace.

Message #

ESE IorunEnqueue Trace

Fields #

Name	Description
`iFile` UInt64
`ibOffset` UInt64
`cbData` UInt32
`tidAlloc` UInt32
`fHeapA` UInt32
`fWrite` UInt32
`EngineFileType` UInt32
`EngineFileId` UInt64
`cusecEnqueueLatency` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-ESE",
    "guid": "{478EA8A8-00BE-4BA6-8E75-8B9DC7DB9F78}",
    "event_source_name": "",
    "event_id": 118,
    "version": 0,
    "level": 4,
    "task": 19,
    "opcode": 0,
    "keywords": "0x4000000000000040",
    "time_created": "2026-06-02T05:23:26.757+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 12112,
      "thread_id": 7804
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "EngineFileId": 1,
    "EngineFileType": 5,
    "cbData": 8192,
    "cusecEnqueueLatency": 0,
    "fHeapA": 2,
    "fWrite": 0,
    "iFile": 1284,
    "ibOffset": 8192,
    "tidAlloc": 7804
  },
  "message": "ESE_IorunEnqueue_Trace"
}

Event ID 119: ESE IorunDequeue Trace

Provider: Microsoft-Windows-ESE
Channel: IODiagnose
Also via: realtime ETW trace
Level: Informational
Task: ESE_IorunDequeue_Trace

Description

ESE IorunDequeue Trace.

Message #

ESE IorunDequeue Trace

Fields #

Name	Description
`iFile` UInt64
`ibOffset` UInt64
`cbData` UInt32
`tidAlloc` UInt32
`fHeapA` UInt32
`fWrite` UInt32
`Iorp` UInt32
`Iors` UInt32
`Ioru` UInt32
`Iorf` UInt32
`grbitQos` UInt32
`cmsecTimeInQueue` UInt64
`EngineFileType` UInt32
`EngineFileId` UInt64
`cDispatchPass` UInt64
`cIorunCombined` UInt16
`cusecDequeueLatency` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-ESE",
    "guid": "{478EA8A8-00BE-4BA6-8E75-8B9DC7DB9F78}",
    "event_source_name": "",
    "event_id": 119,
    "version": 0,
    "level": 4,
    "task": 20,
    "opcode": 0,
    "keywords": "0x4000000000000040",
    "time_created": "2026-06-02T05:23:26.762+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 12112,
      "thread_id": 1804
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "EngineFileId": 1,
    "EngineFileType": 5,
    "Iorf": 0,
    "Iorp": 106,
    "Iors": 0,
    "Ioru": 50,
    "cDispatchPass": 24779,
    "cIorunCombined": 1,
    "cbData": 8192,
    "cmsecTimeInQueue": 4137,
    "cusecDequeueLatency": 1,
    "fHeapA": 2,
    "fWrite": 0,
    "grbitQos": 16,
    "iFile": 1284,
    "ibOffset": 8192,
    "tidAlloc": 7804
  },
  "message": "ESE_IorunDequeue_Trace"
}

Event ID 120: ESE IOCompletion Trace

Provider: Microsoft-Windows-ESE
Channel: IODiagnose
Also via: realtime ETW trace
Level: Informational
Task: ESE_IOCompletion_Trace

Description

ESE IOCompletion Trace.

Message #

ESE IOCompletion Trace

Fields #

Name	Description
`iFile` UInt64
`fMultiIor` UInt32
`fWrite` UInt8
`UserId` UInt32
`OperationId` UInt8
`OperationType` UInt8	Known values `%%1904` New registry value created `%%1905` Existing registry value modified `%%1906` Registry value deleted `%%14674` Value Added `%%14675` Value Deleted `%%14680` Value Added With Expiration Time `%%14681` Value Deleted With Expiration Time `%%14688` Value Auto Deleted With Expiration Time
`ClientType` UInt8
`Flags` UInt8
`CorrelationId` UInt32
`Iorp` UInt8
`Iors` UInt8
`Iort` UInt8
`Ioru` UInt8
`Iorf` UInt8
`ParentObjectClass` UInt8
`ibOffset` UInt64
`cbTransfer` UInt32
`error` UInt32
`qosHighestFirst` UInt32
`cmsecIOElapsed` Double
`dtickQueueDelay` UInt32
`tidAlloc` UInt32
`EngineFileType` UInt32
`EngineFileId` UInt64
`fmfFile` UInt32
`DiskNumber` UInt32
`dwEngineObjid` UInt32
`qosIOComplete` UInt64
`dwTraceFlags` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-ESE",
    "guid": "{478EA8A8-00BE-4BA6-8E75-8B9DC7DB9F78}",
    "event_source_name": "",
    "event_id": 120,
    "version": 0,
    "level": 4,
    "task": 21,
    "opcode": 0,
    "keywords": "0x4000000000000040",
    "time_created": "2026-06-02T05:23:26.626+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 21260,
      "thread_id": 12752
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ClientType": 0,
    "CorrelationId": 0,
    "DiskNumber": 0,
    "EngineFileId": 4611686022722355201,
    "EngineFileType": 3,
    "Flags": 0,
    "Iorf": 0,
    "Iorp": 80,
    "Iors": 0,
    "Iort": 9,
    "Ioru": 98,
    "OperationId": 0,
    "OperationType": 0,
    "ParentObjectClass": 0,
    "UserId": 4294967295,
    "cbTransfer": 0,
    "cmsecIOElapsed": 41,
    "dtickQueueDelay": 5,
    "dwEngineObjid": 0,
    "error": 0,
    "fMultiIor": 262144,
    "fWrite": 1,
    "fmfFile": 1,
    "iFile": 1204,
    "ibOffset": 1048576,
    "qosHighestFirst": 16,
    "qosIOComplete": 16,
    "tidAlloc": 12752
  },
  "message": "ESE_IOCompletion_Trace"
}

Event ID 121: ESE LogStall Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_LogStall_Trace

Description

ESE LogStall Trace.

Message #

ESE LogStall Trace

Event ID 122: ESE LogWrite Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Also via: realtime ETW trace
Level: Informational
Task: ESE_LogWrite_Trace

Description

ESE LogWrite Trace.

Message #

ESE LogWrite Trace

Fields #

Name	Description
`lgenData` Int32
`ibLogData` UInt32
`cbLogData` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-ESE",
    "guid": "{478EA8A8-00BE-4BA6-8E75-8B9DC7DB9F78}",
    "event_source_name": "",
    "event_id": 122,
    "version": 0,
    "level": 4,
    "task": 23,
    "opcode": 0,
    "keywords": "0x0000000000000080",
    "time_created": "2026-06-02T05:23:26.631+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 21260,
      "thread_id": 12752
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "cbLogData": 4096,
    "ibLogData": 0,
    "lgenData": 1
  },
  "message": "ESE_LogWrite_Trace"
}

Event ID 123: ESE EventLogInfo Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Also via: realtime ETW trace
Level: Informational
Task: ESE_EventLogInfo_Trace

Description

ESE EventLogInfo Trace.

Message #

ESE EventLogInfo Trace

Fields #

Name	Description
`szTrace` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-ESE",
    "guid": "478EA8A8-00BE-4BA6-8E75-8B9DC7DB9F78",
    "event_source_name": "",
    "event_id": 123,
    "version": 0,
    "level": 4,
    "task": 24,
    "opcode": 0,
    "keywords": 9223372036854775812,
    "time_created": "2026-03-13T20:00:52.072070+00:00",
    "event_record_id": 1,
    "correlation": {},
    "execution": {
      "process_id": 7000,
      "thread_id": 7520
    },
    "channel": "Microsoft-Windows-ESE/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "szTrace": "EventLog[ID=102(0x66)@10958217080]:  TiWorker (7000,P,98) SoftwareUsageMetrics-Api: The database engine (10.00.20348.0000) is starting a new instance (0). "
  },
  "message": ""
}

Event ID 124: ESE EventLogWarn Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Level: Warning
Task: ESE_EventLogWarn_Trace

Description

ESE EventLogWarn Trace.

Message #

ESE EventLogWarn Trace

Fields #

Name	Description
`szTrace` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-ESE",
    "guid": "478EA8A8-00BE-4BA6-8E75-8B9DC7DB9F78",
    "event_source_name": "",
    "event_id": 124,
    "version": 0,
    "level": 3,
    "task": 25,
    "opcode": 0,
    "keywords": 9223372036854775812,
    "time_created": "2026-03-13T23:07:16.370107+00:00",
    "event_record_id": 237,
    "correlation": {},
    "execution": {
      "process_id": 14016,
      "thread_id": 13980
    },
    "channel": "Microsoft-Windows-ESE/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "szTrace": "EventLog[ID=640(0x280)@47616170117]:  certsrv.exe (14016,P,98) Restore0001: Error -1919 validating header page on flush map file \"C:\\Windows\\system32\\CertLog\\EvtGen-Root-CA.jfm\". The flush map file will be invalidated. \r\nAdditional information: [SignDbHdrFromDb:Create time:03/13/2026 23:06:22.503 Rand:3655758382 Computer:] [SignFmHdrFromDb:Create time:03/13/2026 23:06:22.385 Rand:413456288 Computer:] [SignDbHdrFromFm:Create time:03/13/2026 23:06:22.931 Rand:2864051150 Computer:] [SignFmHdrFromFm:Create time:03/13/2026 23:06:22.945 Rand:3852748920 Computer:] "
  },
  "message": ""
}

Event ID 125: ESE EventLogError Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Level: Error
Task: ESE_EventLogError_Trace

Description

ESE EventLogError Trace.

Message #

ESE EventLogError Trace

Fields #

Name	Description
`szTrace` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-ESE",
    "guid": "478EA8A8-00BE-4BA6-8E75-8B9DC7DB9F78",
    "event_source_name": "",
    "event_id": 125,
    "version": 0,
    "level": 2,
    "task": 26,
    "opcode": 0,
    "keywords": 9223372036854775812,
    "time_created": "2026-03-13T20:00:00.026028+00:00",
    "event_record_id": 2,
    "correlation": {
      "ActivityID": "DF92C490-B30B-0001-9AC5-92DF0BB3DC01"
    },
    "execution": {
      "process_id": 3312,
      "thread_id": 4008
    },
    "channel": "Microsoft-Windows-ESE/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "szTrace": "EventLog[ID=412(0x19c)@103513027991]:  svchost (3312,R,98) SRUJet: Unable to read the header of logfile C:\\Windows\\system32\\SRU\\SRU.log. Error -501. "
  },
  "message": ""
}

Event ID 126: ESE TimerQueueScheduleDeprecated Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_TimerQueueScheduleDeprecated_Trace

Description

ESE TimerQueueScheduleDeprecated Trace.

Message #

ESE TimerQueueScheduleDeprecated Trace

Event ID 127: ESE TimerQueueRunDeprecated Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_TimerQueueRunDeprecated_Trace

Description

ESE TimerQueueRunDeprecated Trace.

Message #

ESE TimerQueueRunDeprecated Trace

Event ID 128: ESE TimerQueueCancelDeprecated Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_TimerQueueCancelDeprecated_Trace

Description

ESE TimerQueueCancelDeprecated Trace.

Message #

ESE TimerQueueCancelDeprecated Trace

Event ID 129: ESE TimerTaskSchedule Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Also via: realtime ETW trace
Level: Verbose
Task: ESE_TimerTaskSchedule_Trace

Description

ESE TimerTaskSchedule Trace.

Message #

ESE TimerTaskSchedule Trace

Fields #

Name	Description
`posttTimerHandle` Pointer
`pfnTask` Pointer
`pvTaskGroupContext` Pointer
`pvRuntimeContext` Pointer
`dtickMinDelay` UInt32
`dtickSlopDelay` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-ESE",
    "guid": "{478EA8A8-00BE-4BA6-8E75-8B9DC7DB9F78}",
    "event_source_name": "",
    "event_id": 129,
    "version": 0,
    "level": 5,
    "task": 30,
    "opcode": 0,
    "keywords": "0x0000000000000100",
    "time_created": "2026-06-02T05:23:25.389+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{5FF741DB-F0E3-4F6E-BD7E-A0D869BCBAEE}"
    },
    "execution": {
      "process_id": 1748,
      "thread_id": 19708
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "dtickMinDelay": 10,
    "dtickSlopDelay": 0,
    "pfnTask": "0x7FF9F681B0A0",
    "posttTimerHandle": "0x2A2B6C57940",
    "pvRuntimeContext": "0x0",
    "pvTaskGroupContext": "0x7FF9F67E61B0"
  },
  "message": "ESE_TimerTaskSchedule_Trace"
}

Event ID 130: ESE TimerTaskRun Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Also via: realtime ETW trace
Level: Verbose
Task: ESE_TimerTaskRun_Trace

Description

ESE TimerTaskRun Trace.

Message #

ESE TimerTaskRun Trace

Fields #

Name	Description
`posttTimerHandle` Pointer
`pfnTask` Pointer
`pvTaskGroupContext` Pointer
`pvRuntimeContext` Pointer
`cRuns` UInt64

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-ESE",
    "guid": "{478EA8A8-00BE-4BA6-8E75-8B9DC7DB9F78}",
    "event_source_name": "",
    "event_id": 130,
    "version": 0,
    "level": 5,
    "task": 31,
    "opcode": 0,
    "keywords": "0x0000000000000100",
    "time_created": "2026-06-02T05:23:25.398+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 1748,
      "thread_id": 19708
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "cRuns": 56841,
    "pfnTask": "0x7FF9F681B0A0",
    "posttTimerHandle": "0x2A2B6C57940",
    "pvRuntimeContext": "0x0",
    "pvTaskGroupContext": "0x7FF9F67E61B0"
  },
  "message": "ESE_TimerTaskRun_Trace"
}

Event ID 131: ESE TimerTaskCancel Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_TimerTaskCancel_Trace

Description

ESE TimerTaskCancel Trace.

Message #

ESE TimerTaskCancel Trace

Fields #

Name	Description
`posttTimerHandle` Pointer
`pfnTask` Pointer
`pvTaskGroupContext` Pointer

Event ID 132: ESE TaskManagerPost Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Also via: realtime ETW trace
Level: Verbose
Task: ESE_TaskManagerPost_Trace

Description

ESE TaskManagerPost Trace.

Message #

ESE TaskManagerPost Trace

Fields #

Name	Description
`ptm` Pointer
`pfnCompletion` Pointer
`dwCompletionKey1` UInt32
`dwCompletionKey2` Pointer

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-ESE",
    "guid": "{478EA8A8-00BE-4BA6-8E75-8B9DC7DB9F78}",
    "event_source_name": "",
    "event_id": 132,
    "version": 0,
    "level": 5,
    "task": 33,
    "opcode": 0,
    "keywords": "0x0000000000000100",
    "time_created": "2026-06-02T05:23:26.757+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 12112,
      "thread_id": 7804
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "dwCompletionKey1": 0,
    "dwCompletionKey2": "0x0",
    "pfnCompletion": "0x7FF9F67BE780",
    "ptm": "0x14B1843FEC0"
  },
  "message": "ESE_TaskManagerPost_Trace"
}

Event ID 133: ESE TaskManagerRun Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Also via: realtime ETW trace
Level: Verbose
Task: ESE_TaskManagerRun_Trace

Description

ESE TaskManagerRun Trace.

Message #

ESE TaskManagerRun Trace

Fields #

Name	Description
`ptm` Pointer
`pfnCompletion` Pointer
`dwCompletionKey1` UInt32
`dwCompletionKey2` Pointer
`gle` UInt32
`dwThreadContext` Pointer

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-ESE",
    "guid": "{478EA8A8-00BE-4BA6-8E75-8B9DC7DB9F78}",
    "event_source_name": "",
    "event_id": 133,
    "version": 0,
    "level": 5,
    "task": 34,
    "opcode": 0,
    "keywords": "0x0000000000000100",
    "time_created": "2026-06-02T05:23:26.762+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 12112,
      "thread_id": 1804
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "dwCompletionKey1": 0,
    "dwCompletionKey2": "0x0",
    "dwThreadContext": "0x0",
    "gle": 0,
    "pfnCompletion": "0x7FF9F67BE780",
    "ptm": "0x14B1843FEC0"
  },
  "message": "ESE_TaskManagerRun_Trace"
}

Event ID 134: ESE GPTaskManagerPost Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Also via: realtime ETW trace
Level: Verbose
Task: ESE_GPTaskManagerPost_Trace

Description

ESE GPTaskManagerPost Trace.

Message #

ESE GPTaskManagerPost Trace

Fields #

Name	Description
`pgptm` Pointer
`pfnCompletion` Pointer
`pvParam` Pointer
`pTaskInfo` Pointer

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-ESE",
    "guid": "{478EA8A8-00BE-4BA6-8E75-8B9DC7DB9F78}",
    "event_source_name": "",
    "event_id": 134,
    "version": 0,
    "level": 5,
    "task": 35,
    "opcode": 0,
    "keywords": "0x0000000000000100",
    "time_created": "2026-06-02T05:23:25.943+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 4820,
      "thread_id": 7912
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "pTaskInfo": "0x0",
    "pfnCompletion": "0x7FF9F6748080",
    "pgptm": "0x2B467B101F0",
    "pvParam": "0x2B467B50000"
  },
  "message": "ESE_GPTaskManagerPost_Trace"
}

Event ID 135: ESE GPTaskManagerRun Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Also via: realtime ETW trace
Level: Verbose
Task: ESE_GPTaskManagerRun_Trace

Description

ESE GPTaskManagerRun Trace.

Message #

ESE GPTaskManagerRun Trace

Fields #

Name	Description
`pgptm` Pointer
`pfnCompletion` Pointer
`pvParam` Pointer
`pTaskInfo` Pointer

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-ESE",
    "guid": "{478EA8A8-00BE-4BA6-8E75-8B9DC7DB9F78}",
    "event_source_name": "",
    "event_id": 135,
    "version": 0,
    "level": 5,
    "task": 36,
    "opcode": 0,
    "keywords": "0x0000000000000100",
    "time_created": "2026-06-02T05:23:25.951+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 4820,
      "thread_id": 16212
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "pTaskInfo": "0x0",
    "pfnCompletion": "0x7FF9F6748080",
    "pgptm": "0x2B467B101F0",
    "pvParam": "0x2B467B50000"
  },
  "message": "ESE_GPTaskManagerRun_Trace"
}

Event ID 136: ESE TestMarker Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_TestMarker_Trace

Description

ESE TestMarker Trace.

Message #

ESE TestMarker Trace

Fields #

Name	Description
`qwMarkerID` UInt64
`szAnnotation` AnsiString

Event ID 137: ESE ThreadCreate Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_ThreadCreate_Trace

Description

ESE ThreadCreate Trace.

Message #

ESE ThreadCreate Trace

Fields #

Name	Description
`Thread` Pointer
`pfnStart` Pointer
`dwParam` Pointer

Event ID 138: ESE ThreadStart Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Also via: realtime ETW trace
Level: Informational
Task: ESE_ThreadStart_Trace

Description

ESE ThreadStart Trace.

Message #

ESE ThreadStart Trace

Fields #

Name	Description
`Thread` Pointer
`pfnStart` Pointer
`dwParam` Pointer

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-ESE",
    "guid": "{478EA8A8-00BE-4BA6-8E75-8B9DC7DB9F78}",
    "event_source_name": "",
    "event_id": 138,
    "version": 0,
    "level": 4,
    "task": 39,
    "opcode": 0,
    "keywords": "0x0000000000000100",
    "time_created": "2026-06-02T05:23:26.576+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 21260,
      "thread_id": 4144
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Thread": "0x1D626213470",
    "dwParam": "0x0",
    "pfnStart": "0x7FF9F6806360"
  },
  "message": "ESE_ThreadStart_Trace"
}

Event ID 139: ESE CacheVersionPage Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_CacheVersionPage_Trace

Description

ESE CacheVersionPage Trace.

Message #

ESE CacheVersionPage Trace

Fields #

Name	Description
`ifmp` UInt32
`pgno` UInt32

Event ID 140: ESE CacheVersionCopyPage Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_CacheVersionCopyPage_Trace

Description

ESE CacheVersionCopyPage Trace.

Message #

ESE CacheVersionCopyPage Trace

Fields #

Name	Description
`ifmp` UInt32
`pgno` UInt32

Event ID 141: ESE CacheResize Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Also via: realtime ETW trace
Level: Informational
Task: ESE_CacheResize_Trace

Description

ESE CacheResize Trace.

Message #

ESE CacheResize Trace

Fields #

Name	Description
`cbfCacheAddressableInitial` Int64
`cbfCacheSizeInitial` Int64
`cbfCacheAddressableFinal` Int64
`cbfCacheSizeFinal` Int64

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-ESE",
    "guid": "{478EA8A8-00BE-4BA6-8E75-8B9DC7DB9F78}",
    "event_source_name": "",
    "event_id": 141,
    "version": 0,
    "level": 4,
    "task": 42,
    "opcode": 0,
    "keywords": "0x0000000000000022",
    "time_created": "2026-06-02T05:23:26.577+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 21260,
      "thread_id": 12752
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "cbfCacheAddressableFinal": 320,
    "cbfCacheAddressableInitial": 0,
    "cbfCacheSizeFinal": 320,
    "cbfCacheSizeInitial": 0
  },
  "message": "ESE_CacheResize_Trace"
}

Event ID 142: ESE CacheLimitResize Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Also via: realtime ETW trace
Level: Informational
Task: ESE_CacheLimitResize_Trace

Description

ESE CacheLimitResize Trace.

Message #

ESE CacheLimitResize Trace

Fields #

Name	Description
`cbfCacheSizeLimitInitial` Int64
`cbfCacheSizeLimitFinal` Int64

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-ESE",
    "guid": "{478EA8A8-00BE-4BA6-8E75-8B9DC7DB9F78}",
    "event_source_name": "",
    "event_id": 142,
    "version": 0,
    "level": 4,
    "task": 43,
    "opcode": 0,
    "keywords": "0x0000000000000022",
    "time_created": "2026-06-02T05:23:25.398+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 1748,
      "thread_id": 19708
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "cbfCacheSizeLimitFinal": 64,
    "cbfCacheSizeLimitInitial": 64
  },
  "message": "ESE_CacheLimitResize_Trace"
}

Event ID 143: ESE CacheScavengeProgress Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Also via: realtime ETW trace
Level: Informational
Task: ESE_CacheScavengeProgress_Trace

Description

ESE CacheScavengeProgress Trace.

Message #

ESE CacheScavengeProgress Trace

Fields #

Name	Description
`iRun` Int64
`cbfVisited` Int32
`cbfCacheSize` Int32
`cbfCacheTarget` Int32
`cbfCacheSizeStartShrink` Int32
`dtickShrinkDuration` UInt32
`cbfAvail` Int32
`cbfAvailPoolLow` Int32
`cbfAvailPoolHigh` Int32
`cbfFlushPending` Int32
`cbfFlushPendingSlow` Int32
`cbfFlushPendingHung` Int32
`cbfOutOfMemory` Int32
`cbfPermanentErrs` Int32
`eStopReason` Int32
`errRun` Int32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-ESE",
    "guid": "{478EA8A8-00BE-4BA6-8E75-8B9DC7DB9F78}",
    "event_source_name": "",
    "event_id": 143,
    "version": 0,
    "level": 4,
    "task": 44,
    "opcode": 0,
    "keywords": "0x0000000000000022",
    "time_created": "2026-06-02T05:23:25.398+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 1748,
      "thread_id": 19708
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "cbfAvail": 8,
    "cbfAvailPoolHigh": 8,
    "cbfAvailPoolLow": 4,
    "cbfCacheSize": 64,
    "cbfCacheSizeStartShrink": 0,
    "cbfCacheTarget": 64,
    "cbfFlushPending": 0,
    "cbfFlushPendingHung": 0,
    "cbfFlushPendingSlow": 0,
    "cbfOutOfMemory": 0,
    "cbfPermanentErrs": 0,
    "cbfVisited": 2,
    "dtickShrinkDuration": 0,
    "eStopReason": 1,
    "errRun": 0,
    "iRun": 69099
  },
  "message": "ESE_CacheScavengeProgress_Trace"
}

Event ID 144: ESE ApiCall_Start Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Also via: realtime ETW trace
Level: Informational
Task: ESE_ApiCall_Trace
Opcode: Start

Description

ESE ApiCall_Start Trace.

Message #

ESE ApiCall_Start Trace

Fields #

Name	Description
`opApi` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-ESE",
    "guid": "{478EA8A8-00BE-4BA6-8E75-8B9DC7DB9F78}",
    "event_source_name": "",
    "event_id": 144,
    "version": 0,
    "level": 4,
    "task": 45,
    "opcode": 1,
    "keywords": "0x0000000000000002",
    "time_created": "2026-06-02T05:23:25.374+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 4820,
      "thread_id": 7912
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "opApi": 9
  },
  "message": "ESE_ApiCall_Trace"
}

Event ID 145: ESE ApiCall_Stop Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Also via: realtime ETW trace
Level: Informational
Task: ESE_ApiCall_Trace
Opcode: Stop

Description

ESE ApiCall_Stop Trace.

Message #

ESE ApiCall_Stop Trace

Fields #

Name	Description
`opApi` UInt32
`err` Int32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-ESE",
    "guid": "{478EA8A8-00BE-4BA6-8E75-8B9DC7DB9F78}",
    "event_source_name": "",
    "event_id": 145,
    "version": 0,
    "level": 4,
    "task": 45,
    "opcode": 2,
    "keywords": "0x0000000000000002",
    "time_created": "2026-06-02T05:23:25.374+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 4820,
      "thread_id": 7912
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "err": 0,
    "opApi": 9
  },
  "message": "ESE_ApiCall_Trace"
}

Event ID 146: ESE ResMgrInit Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Also via: realtime ETW trace
Level: Informational
Task: ESE_ResMgrInit_Trace

Description

ESE ResMgrInit Trace.

Message #

ESE ResMgrInit Trace

Fields #

Name	Description
`tick` UInt32
`K` Int32
`csecCorrelatedTouch` Double
`csecTimeout` Double
`csecUncertainty` Double
`dblHashLoadFactor` Double
`dblHashUniformity` Double
`dblSpeedSizeTradeoff` Double

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-ESE",
    "guid": "{478EA8A8-00BE-4BA6-8E75-8B9DC7DB9F78}",
    "event_source_name": "",
    "event_id": 146,
    "version": 0,
    "level": 4,
    "task": 46,
    "opcode": 0,
    "keywords": "0x0000000000000400",
    "time_created": "2026-06-02T05:23:26.576+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 21260,
      "thread_id": 12752
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "K": 2,
    "csecCorrelatedTouch": 0.128,
    "csecTimeout": 100.0,
    "csecUncertainty": 1.0,
    "dblHashLoadFactor": 5.0,
    "dblHashUniformity": 1.0,
    "dblSpeedSizeTradeoff": 0.0,
    "tick": 35250750
  },
  "message": "ESE_ResMgrInit_Trace"
}

Event ID 147: ESE ResMgrTerm Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_ResMgrTerm_Trace

Description

ESE ResMgrTerm Trace.

Message #

ESE ResMgrTerm Trace

Fields #

Name	Description
`tick` UInt32

Event ID 148: ESE CacheCachePage Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Also via: realtime ETW trace
Level: Verbose
Task: ESE_CacheCachePage_Trace

Description

ESE CacheCachePage Trace.

Message #

ESE CacheCachePage Trace

Fields #

Name	Description
`tick` UInt32
`ifmp` UInt32
`pgno` UInt32
`bflf` UInt32
`bflt` UInt32
`pctPriority` UInt32
`bfrtf` UInt32
`ClientType` UInt8

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-ESE",
    "guid": "{478EA8A8-00BE-4BA6-8E75-8B9DC7DB9F78}",
    "event_source_name": "",
    "event_id": 148,
    "version": 0,
    "level": 5,
    "task": 48,
    "opcode": 0,
    "keywords": "0x0000000000000420",
    "time_created": "2026-06-02T05:23:25.389+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{5FF741DB-F0E3-4F6E-BD7E-A0D869BCBAEE}"
    },
    "execution": {
      "process_id": 1748,
      "thread_id": 19708
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ClientType": 0,
    "bflf": 16384,
    "bflt": 0,
    "bfrtf": 12,
    "ifmp": 2,
    "pctPriority": 100,
    "pgno": 11611,
    "tick": 35249562
  },
  "message": "ESE_CacheCachePage_Trace"
}

Event ID 149: ESE MarkPageAsSuperCold Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_MarkPageAsSuperCold_Trace

Description

ESE MarkPageAsSuperCold Trace.

Message #

ESE MarkPageAsSuperCold Trace

Fields #

Name	Description
`tick` UInt32
`ifmp` UInt32
`pgno` UInt32

Event ID 150: ESE CacheMissLatency Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Also via: realtime ETW trace
Level: Informational
Task: ESE_CacheMissLatency_Trace

Description

ESE CacheMissLatency Trace.

Message #

ESE CacheMissLatency Trace

Fields #

Name	Description
`ifmp` UInt32
`pgno` UInt32
`dwUserId` UInt32
`bOperationId` UInt8
`bOperationType` UInt8
`bClientType` UInt8
`bFlags` UInt8
`dwCorrelationId` UInt32
`iorp` UInt8
`iors` UInt8
`iort` UInt8
`ioru` UInt8
`iorf` UInt8
`tce` UInt8
`usecsWait` UInt64
`bftcmr` UInt8
`bUserPriorityTag` UInt8

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-ESE",
    "guid": "{478EA8A8-00BE-4BA6-8E75-8B9DC7DB9F78}",
    "event_source_name": "",
    "event_id": 150,
    "version": 0,
    "level": 4,
    "task": 50,
    "opcode": 0,
    "keywords": "0x0000000000002020",
    "time_created": "2026-06-02T05:23:25.389+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{5FF741DB-F0E3-4F6E-BD7E-A0D869BCBAEE}"
    },
    "execution": {
      "process_id": 1748,
      "thread_id": 19708
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "bClientType": 0,
    "bFlags": 0,
    "bOperationId": 0,
    "bOperationType": 0,
    "bUserPriorityTag": 0,
    "bftcmr": 5,
    "dwCorrelationId": 0,
    "dwUserId": 2147483648,
    "ifmp": 2,
    "iorf": 0,
    "iorp": 33,
    "iors": 3,
    "iort": 1,
    "ioru": 29,
    "pgno": 11611,
    "tce": 0,
    "usecsWait": 5
  },
  "message": "ESE_CacheMissLatency_Trace"
}

Event ID 151: ESE BTreePrereadPageRequest Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_BTreePrereadPageRequest_Trace

Description

ESE BTreePrereadPageRequest Trace.

Message #

ESE BTreePrereadPageRequest Trace

Fields #

Name	Description
`ifmp` UInt32
`pgno` UInt32
`dwUserId` UInt32
`bOperationId` UInt8
`bOperationType` UInt8
`bClientType` UInt8
`bFlags` UInt8
`dwCorrelationId` UInt32
`iorp` UInt8
`iors` UInt8
`iort` UInt8
`ioru` UInt8
`iorf` UInt8
`tce` UInt8
`fOpFlags` UInt8

Event ID 152: ESE DiskFlushFileBuffers Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Also via: realtime ETW trace
Level: Informational
Task: ESE_DiskFlushFileBuffers_Trace

Description

ESE DiskFlushFileBuffers Trace.

Message #

ESE DiskFlushFileBuffers Trace

Fields #

Name	Description
`Disk` UInt32
`wszFileName` UnicodeString
`iofr` UInt32
`cioreqFileFlushing` UInt64
`usFfb` UInt64
`error` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-ESE",
    "guid": "{478EA8A8-00BE-4BA6-8E75-8B9DC7DB9F78}",
    "event_source_name": "",
    "event_id": 152,
    "version": 0,
    "level": 4,
    "task": 52,
    "opcode": 0,
    "keywords": "0x0000000000000040",
    "time_created": "2026-06-02T05:23:26.724+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 12112,
      "thread_id": 7804
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Disk": 0,
    "cioreqFileFlushing": 1,
    "error": 0,
    "iofr": 2,
    "usFfb": 893,
    "wszFileName": "Svc.log"
  },
  "message": "ESE_DiskFlushFileBuffers_Trace"
}

Event ID 153: ESE DiskFlushFileBuffersBegin Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Also via: realtime ETW trace
Level: Informational
Task: ESE_DiskFlushFileBuffersBegin_Trace

Description

ESE DiskFlushFileBuffersBegin Trace.

Message #

ESE DiskFlushFileBuffersBegin Trace

Fields #

Name	Description
`dwDisk` UInt32
`hFile` UInt64
`iofr` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-ESE",
    "guid": "{478EA8A8-00BE-4BA6-8E75-8B9DC7DB9F78}",
    "event_source_name": "",
    "event_id": 153,
    "version": 0,
    "level": 4,
    "task": 53,
    "opcode": 0,
    "keywords": "0x0000000000000040",
    "time_created": "2026-06-02T05:23:26.641+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 21260,
      "thread_id": 12752
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "dwDisk": 0,
    "hFile": 1204,
    "iofr": 2147483680
  },
  "message": "ESE_DiskFlushFileBuffersBegin_Trace"
}

Event ID 154: ESE CacheFirstDirtyPage Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_CacheFirstDirtyPage_Trace

Description

ESE CacheFirstDirtyPage Trace.

Message #

ESE CacheFirstDirtyPage Trace

Fields #

Name	Description
`tick` UInt32
`ifmp` UInt32
`pgno` UInt32
`objid` UInt32
`fFlags` UInt32
`bfdfNew` UInt32
`lgposModify` UInt64
`dwUserId` UInt32
`bOperationId` UInt8
`bOperationType` UInt8
`bClientType` UInt8
`bFlags` UInt8
`dwCorrelationId` UInt32
`iorp` UInt8
`iors` UInt8
`iort` UInt8
`ioru` UInt8
`iorf` UInt8
`tce` UInt8

Event ID 155: ESE SysStationId Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Also via: realtime ETW trace
Level: Informational
Task: ESE_SysStationId_Trace

Description

ESE SysStationId Trace.

Message #

ESE SysStationId Trace

Fields #

Name	Description
`tsidr` UInt8
`dwImageVerMajor` UInt32
`dwImageVerMinor` UInt32
`dwImageBuildMajor` UInt32
`dwImageBuildMinor` UInt32
`wszDisplayName` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-ESE",
    "guid": "{478EA8A8-00BE-4BA6-8E75-8B9DC7DB9F78}",
    "event_source_name": "",
    "event_id": 155,
    "version": 0,
    "level": 4,
    "task": 55,
    "opcode": 0,
    "keywords": "0x0000000000000800",
    "time_created": "2026-06-02T05:23:25.389+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{5FF741DB-F0E3-4F6E-BD7E-A0D869BCBAEE}"
    },
    "execution": {
      "process_id": 1748,
      "thread_id": 19708
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "dwImageBuildMajor": 20348,
    "dwImageBuildMinor": 0,
    "dwImageVerMajor": 10,
    "dwImageVerMinor": 0,
    "tsidr": 1,
    "wszDisplayName": "svchost.exe"
  },
  "message": "ESE_SysStationId_Trace"
}

Event ID 156: ESE InstStationId Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Also via: realtime ETW trace
Level: Informational
Task: ESE_InstStationId_Trace

Description

ESE InstStationId Trace.

Message #

ESE InstStationId Trace

Fields #

Name	Description
`tsidr` UInt8
`iInstance` UInt32
`perfstatusEvent` UInt8
`wszInstanceName` UnicodeString
`wszDisplayName` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-ESE",
    "guid": "{478EA8A8-00BE-4BA6-8E75-8B9DC7DB9F78}",
    "event_source_name": "",
    "event_id": 156,
    "version": 0,
    "level": 4,
    "task": 56,
    "opcode": 0,
    "keywords": "0x0000000000000800",
    "time_created": "2026-06-02T05:23:25.389+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{5FF741DB-F0E3-4F6E-BD7E-A0D869BCBAEE}"
    },
    "execution": {
      "process_id": 1748,
      "thread_id": 19708
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "iInstance": 1,
    "perfstatusEvent": 3,
    "tsidr": 1,
    "wszDisplayName": "NULL",
    "wszInstanceName": "Catalog Database"
  },
  "message": "ESE_InstStationId_Trace"
}

Event ID 157: ESE FmpStationId Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Also via: realtime ETW trace
Level: Informational
Task: ESE_FmpStationId_Trace

Description

ESE FmpStationId Trace.

Message #

ESE FmpStationId Trace

Fields #

Name	Description
`tsidr` UInt8
`ifmp` UInt32
`iInstance` UInt32
`dbid` UInt8
`wszDatabaseName` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-ESE",
    "guid": "{478EA8A8-00BE-4BA6-8E75-8B9DC7DB9F78}",
    "event_source_name": "",
    "event_id": 157,
    "version": 0,
    "level": 4,
    "task": 57,
    "opcode": 0,
    "keywords": "0x0000000000000800",
    "time_created": "2026-06-02T05:23:25.389+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{5FF741DB-F0E3-4F6E-BD7E-A0D869BCBAEE}"
    },
    "execution": {
      "process_id": 1748,
      "thread_id": 19708
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "dbid": 2,
    "iInstance": 1,
    "ifmp": 2,
    "tsidr": 1,
    "wszDatabaseName": "C:\\Windows\\system32\\CatRoot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb"
  },
  "message": "ESE_FmpStationId_Trace"
}

Event ID 158: ESE DiskStationId Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Also via: realtime ETW trace
Level: Informational
Task: ESE_DiskStationId_Trace

Description

ESE DiskStationId Trace.

Message #

ESE DiskStationId Trace

Fields #

Name	Description
`tsidr` UInt8
`dwDiskNumber` UInt32
`wszDiskPathId` UnicodeString
`szDiskModel` AnsiString
`szDiskFirmwareRev` AnsiString
`szDiskSerialNumber` AnsiString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-ESE",
    "guid": "{478EA8A8-00BE-4BA6-8E75-8B9DC7DB9F78}",
    "event_source_name": "",
    "event_id": 158,
    "version": 0,
    "level": 4,
    "task": 58,
    "opcode": 0,
    "keywords": "0x0000000000000800",
    "time_created": "2026-06-02T05:23:26.626+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 21260,
      "thread_id": 12752
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "dwDiskNumber": 0,
    "szDiskFirmwareRev": "0001",
    "szDiskModel": "VirtIO",
    "szDiskSerialNumber": "",
    "tsidr": 1,
    "wszDiskPathId": "MBR:77AC4D73"
  },
  "message": "ESE_DiskStationId_Trace"
}

Event ID 159: ESE FileStationId Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Also via: realtime ETW trace
Level: Informational
Task: ESE_FileStationId_Trace

Description

ESE FileStationId Trace.

Message #

ESE FileStationId Trace

Fields #

Name	Description
`tsidr` UInt8
`hFile` UInt64
`dwDiskNumber` UInt32
`dwEngineFileType` UInt32
`qwEngineFileId` UInt64
`fmf` UInt32
`cbFileSize` UInt64
`wszAbsPath` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-ESE",
    "guid": "{478EA8A8-00BE-4BA6-8E75-8B9DC7DB9F78}",
    "event_source_name": "",
    "event_id": 159,
    "version": 0,
    "level": 4,
    "task": 59,
    "opcode": 0,
    "keywords": "0x0000000000000800",
    "time_created": "2026-06-02T05:23:26.584+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 21260,
      "thread_id": 12752
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "cbFileSize": 0,
    "dwDiskNumber": 0,
    "dwEngineFileType": 3,
    "fmf": 1,
    "hFile": 1204,
    "qwEngineFileId": 4611686022722355201,
    "tsidr": 2,
    "wszAbsPath": "C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\Windows\\edbtmp.jtx"
  },
  "message": "ESE_FileStationId_Trace"
}

Event ID 160: ESE IsamDbfilehdrInfo Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Also via: realtime ETW trace
Level: Informational
Task: ESE_IsamDbfilehdrInfo_Trace

Description

ESE IsamDbfilehdrInfo Trace.

Message #

ESE IsamDbfilehdrInfo Trace

Fields #

Name	Description
`tsidr` UInt8
`ifmp` UInt32
`filetype` UInt32
`ulMagic` UInt32
`ulChecksum` UInt32
`cbPageSize` UInt32
`ulDbFlags` UInt32
`psignDb` Binary

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-ESE",
    "guid": "{478EA8A8-00BE-4BA6-8E75-8B9DC7DB9F78}",
    "event_source_name": "",
    "event_id": 160,
    "version": 0,
    "level": 4,
    "task": 60,
    "opcode": 0,
    "keywords": "0x0000000000000800",
    "time_created": "2026-06-02T05:23:25.389+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{5FF741DB-F0E3-4F6E-BD7E-A0D869BCBAEE}"
    },
    "execution": {
      "process_id": 1748,
      "thread_id": 19708
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "cbPageSize": 4096,
    "filetype": 1,
    "ifmp": 2,
    "psignDb": "9D812947341F131F0C7D1F0400000000000000000000000000000000",
    "tsidr": 1,
    "ulChecksum": 3391831584,
    "ulDbFlags": 0,
    "ulMagic": 2309737967
  },
  "message": "ESE_IsamDbfilehdrInfo_Trace"
}

Event ID 161: ESE DiskOsDiskCacheInfo Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Also via: realtime ETW trace
Level: Informational
Task: ESE_DiskOsDiskCacheInfo_Trace

Description

ESE DiskOsDiskCacheInfo Trace.

Message #

ESE DiskOsDiskCacheInfo Trace

Fields #

Name	Description
`tsidr` UInt8
`posdci` Binary

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-ESE",
    "guid": "{478EA8A8-00BE-4BA6-8E75-8B9DC7DB9F78}",
    "event_source_name": "",
    "event_id": 161,
    "version": 0,
    "level": 4,
    "task": 61,
    "opcode": 0,
    "keywords": "0x0000000000000800",
    "time_created": "2026-06-02T05:23:26.626+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 21260,
      "thread_id": 12752
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "posdci": "000101000000000000000000000000000000000000000000",
    "tsidr": 1
  },
  "message": "ESE_DiskOsDiskCacheInfo_Trace"
}

Event ID 162: ESE DiskOsStorageWriteCacheProp Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_DiskOsStorageWriteCacheProp_Trace

Description

ESE DiskOsStorageWriteCacheProp Trace.

Message #

ESE DiskOsStorageWriteCacheProp Trace

Fields #

Name	Description
`tsidr` UInt8
`posswcp` Binary

Event ID 163: ESE DiskOsDeviceSeekPenaltyDesc Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_DiskOsDeviceSeekPenaltyDesc_Trace

Description

ESE DiskOsDeviceSeekPenaltyDesc Trace.

Message #

ESE DiskOsDeviceSeekPenaltyDesc Trace

Fields #

Name	Description
`tsidr` UInt8
`posdspd` Binary

Event ID 164: ESE DirtyPage2Deprecated Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_DirtyPage2Deprecated_Trace

Description

ESE DirtyPage2Deprecated Trace.

Message #

ESE DirtyPage2Deprecated Trace

Event ID 165: ESE IOCompletion2 Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Also via: realtime ETW trace
Level: Informational
Task: ESE_IOCompletion2_Trace

Description

ESE IOCompletion2 Trace.

Message #

ESE IOCompletion2 Trace

Fields #

Name	Description
`wszFilename` UnicodeString
`fMultiIor` UInt32
`fWrite` UInt8
`dwUserId` UInt32
`bOperationId` UInt8
`bOperationType` UInt8
`bClientType` UInt8
`bFlags` UInt8
`dwCorrelationId` UInt32
`iorp` UInt8
`iors` UInt8
`iort` UInt8
`ioru` UInt8
`iorf` UInt8
`tce` UInt8
`szClientComponent` AnsiString
`szClientAction` AnsiString
`szClientActionContext` AnsiString
`guidActivityId` GUID
`ibOffset` UInt64
`cbTransfer` UInt32
`dwError` UInt32
`qosHighestFirst` UInt32
`cmsecIOElapsed` Double
`dtickQueueDelay` UInt32
`tidAlloc` UInt32
`dwEngineFileType` UInt32
`dwEngineFileId` UInt64
`fmfFile` UInt32
`dwDiskNumber` UInt32
`dwEngineObjid` UInt32
`dwTraceFlags` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-ESE",
    "guid": "{478EA8A8-00BE-4BA6-8E75-8B9DC7DB9F78}",
    "event_source_name": "",
    "event_id": 165,
    "version": 0,
    "level": 4,
    "task": 65,
    "opcode": 0,
    "keywords": "0x0000000000008000",
    "time_created": "2026-06-02T05:23:26.626+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 21260,
      "thread_id": 12752
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "bClientType": 0,
    "bFlags": 0,
    "bOperationId": 0,
    "bOperationType": 0,
    "cbTransfer": 0,
    "cmsecIOElapsed": 41,
    "dtickQueueDelay": 5,
    "dwCorrelationId": 0,
    "dwDiskNumber": 0,
    "dwEngineFileId": 4611686022722355201,
    "dwEngineFileType": 3,
    "dwEngineObjid": 0,
    "dwError": 0,
    "dwUserId": 4294967295,
    "fMultiIor": 262144,
    "fWrite": 1,
    "fmfFile": 1,
    "guidActivityId": "{00000000-0000-0000-0000-000000000000}",
    "ibOffset": 1048576,
    "iorf": 0,
    "iorp": 80,
    "iors": 0,
    "iort": 9,
    "ioru": 98,
    "qosHighestFirst": 16,
    "szClientAction": "",
    "szClientActionContext": "",
    "szClientComponent": "",
    "tce": 0,
    "tidAlloc": 12752,
    "wszFilename": "C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\Windows\\edbtmp.jtx"
  },
  "message": "ESE_IOCompletion2_Trace"
}

Event ID 166: ESE FCBPurgeFailure Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_FCBPurgeFailure_Trace

Description

ESE FCBPurgeFailure Trace.

Message #

ESE FCBPurgeFailure Trace

Fields #

Name	Description
`iInstance` UInt32
`grbitPurgeFlags` UInt8
`fcbpfr` UInt8
`tce` UInt8

Event ID 167: ESE IOLatencySpikeNotice Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_IOLatencySpikeNotice_Trace

Description

ESE IOLatencySpikeNotice Trace.

Message #

ESE IOLatencySpikeNotice Trace

Fields #

Name	Description
`dwDiskNumber` UInt32
`dtickSpikeLength` UInt32

Event ID 168: ESE IOCompletion2Sess Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_IOCompletion2Sess_Trace

Description

ESE IOCompletion2Sess Trace.

Message #

ESE IOCompletion2Sess Trace

Fields #

Name	Description
`wszFilename` UnicodeString
`fMultiIor` UInt32
`fWrite` UInt8
`dwUserId` UInt32
`bOperationId` UInt8
`bOperationType` UInt8
`bClientType` UInt8
`bFlags` UInt8
`dwCorrelationId` UInt32
`iorp` UInt8
`iors` UInt8
`iort` UInt8
`ioru` UInt8
`iorf` UInt8
`tce` UInt8
`szClientComponent` AnsiString
`szClientAction` AnsiString
`szClientActionContext` AnsiString
`guidActivityId` GUID
`ibOffset` UInt64
`cbTransfer` UInt32
`dwError` UInt32
`qosHighestFirst` UInt32
`cmsecIOElapsed` Double
`dtickQueueDelay` UInt32
`tidAlloc` UInt32
`dwEngineFileType` UInt32
`dwEngineFileId` UInt64
`fmfFile` UInt32
`dwDiskNumber` UInt32
`dwEngineObjid` UInt32
`dwTraceFlags` UInt32

Event ID 169: ESE IOIssueThreadPost Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Also via: realtime ETW trace
Level: Informational
Task: ESE_IOIssueThreadPost_Trace

Description

ESE IOIssueThreadPost Trace.

Message #

ESE IOIssueThreadPost Trace

Fields #

Name	Description
`p_osf` Pointer
`cioDiskEnqueued` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-ESE",
    "guid": "{478EA8A8-00BE-4BA6-8E75-8B9DC7DB9F78}",
    "event_source_name": "",
    "event_id": 169,
    "version": 0,
    "level": 4,
    "task": 69,
    "opcode": 0,
    "keywords": "0x0000000000000040",
    "time_created": "2026-06-02T05:23:26.626+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 21260,
      "thread_id": 12752
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "cioDiskEnqueued": 0,
    "p_osf": "0x1D6262A5B90"
  },
  "message": "ESE_IOIssueThreadPost_Trace"
}

Event ID 170: ESE IOIssueThreadPosted Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Also via: realtime ETW trace
Level: Informational
Task: ESE_IOIssueThreadPosted_Trace

Description

ESE IOIssueThreadPosted Trace.

Message #

ESE IOIssueThreadPosted Trace

Fields #

Name	Description
`p_osf` Pointer
`cDispatchAttempts` UInt32
`usPosted` UInt64

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-ESE",
    "guid": "{478EA8A8-00BE-4BA6-8E75-8B9DC7DB9F78}",
    "event_source_name": "",
    "event_id": 170,
    "version": 0,
    "level": 4,
    "task": 70,
    "opcode": 0,
    "keywords": "0x0000000000000040",
    "time_created": "2026-06-02T05:23:26.626+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 21260,
      "thread_id": 12752
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "cDispatchAttempts": 0,
    "p_osf": "0x1D6262A5B90",
    "usPosted": 2
  },
  "message": "ESE_IOIssueThreadPosted_Trace"
}

Event ID 171: ESE IOThreadIssueStart Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Level: Informational
Task: ESE_IOThreadIssueStart_Trace

Description

ESE IOThreadIssueStart Trace.

Message #

ESE IOThreadIssueStart Trace

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-ESE",
    "guid": "{478EA8A8-00BE-4BA6-8E75-8B9DC7DB9F78}",
    "event_source_name": "",
    "event_id": 171,
    "version": 0,
    "level": 4,
    "task": 71,
    "opcode": 0,
    "keywords": "0x0000000000000040",
    "time_created": "2026-06-02T05:23:26.762+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 12112,
      "thread_id": 1804
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {},
  "message": "ESE_IOThreadIssueStart_Trace"
}

Event ID 172: ESE IOThreadIssuedDisk Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Also via: realtime ETW trace
Level: Informational
Task: ESE_IOThreadIssuedDisk_Trace

Description

ESE IOThreadIssuedDisk Trace.

Message #

ESE IOThreadIssuedDisk Trace

Fields #

Name	Description
`dwDiskId` UInt32
`fFromCompletion` UInt8
`ipass` Int64
`err` Int32
`cioProcessed` UInt32
`usRuntime` UInt64

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-ESE",
    "guid": "{478EA8A8-00BE-4BA6-8E75-8B9DC7DB9F78}",
    "event_source_name": "",
    "event_id": 172,
    "version": 0,
    "level": 4,
    "task": 72,
    "opcode": 0,
    "keywords": "0x0000000000000040",
    "time_created": "2026-06-02T05:23:26.762+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 12112,
      "thread_id": 1804
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "cioProcessed": 1,
    "dwDiskId": 0,
    "err": 0,
    "fFromCompletion": 0,
    "ipass": 24779,
    "usRuntime": 62
  },
  "message": "ESE_IOThreadIssuedDisk_Trace"
}

Event ID 173: ESE IOThreadIssueProcessedIO Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Also via: realtime ETW trace
Level: Informational
Task: ESE_IOThreadIssueProcessedIO_Trace

Description

ESE IOThreadIssueProcessedIO Trace.

Message #

ESE IOThreadIssueProcessedIO Trace

Fields #

Name	Description
`err` Int32
`cDisksProcessed` UInt32
`usRuntime` UInt64

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-ESE",
    "guid": "{478EA8A8-00BE-4BA6-8E75-8B9DC7DB9F78}",
    "event_source_name": "",
    "event_id": 173,
    "version": 0,
    "level": 4,
    "task": 73,
    "opcode": 0,
    "keywords": "0x0000000000000040",
    "time_created": "2026-06-02T05:23:26.762+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 12112,
      "thread_id": 1804
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "cDisksProcessed": 1,
    "err": 0,
    "usRuntime": 65
  },
  "message": "ESE_IOThreadIssueProcessedIO_Trace"
}

Event ID 174: ESE IOIoreqCompletion Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_IOIoreqCompletion_Trace

Description

ESE IOIoreqCompletion Trace.

Message #

ESE IOIoreqCompletion Trace

Fields #

Name	Description
`fWrite` UInt8
`iFile` UInt64
`ibOffset` UInt64
`cbData` UInt32
`dwDiskNumber` UInt32
`tidAlloc` UInt32
`qos` UInt64
`iIoreq` UInt32
`err` UInt32
`usCompletionDelay` UInt64

Event ID 175: ESE CacheMemoryUsage Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_CacheMemoryUsage_Trace

Description

ESE CacheMemoryUsage Trace.

Message #

ESE CacheMemoryUsage Trace

Fields #

Name	Description
`wszFilename` UnicodeString
`tce` UInt8
`dwEngineFileType` UInt32
`dwEngineFileId` UInt64
`cbMemory` UInt64
`cmsecReferenceIntervalMax` UInt32
`cbDirty` UInt64

Event ID 176: ESE CacheSetLgposModify Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Also via: realtime ETW trace
Level: Verbose
Task: ESE_CacheSetLgposModify_Trace

Description

ESE CacheSetLgposModify Trace.

Message #

ESE CacheSetLgposModify Trace

Fields #

Name	Description
`tick` UInt32
`ifmp` UInt32
`pgno` UInt32
`lgposModify` UInt64

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-ESE",
    "guid": "{478EA8A8-00BE-4BA6-8E75-8B9DC7DB9F78}",
    "event_source_name": "",
    "event_id": 176,
    "version": 0,
    "level": 5,
    "task": 76,
    "opcode": 0,
    "keywords": "0x0000000000000420",
    "time_created": "2026-06-02T05:23:25.374+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 4820,
      "thread_id": 7912
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ifmp": 1,
    "lgposModify": 1816803083672,
    "pgno": 141,
    "tick": 35249546
  },
  "message": "ESE_CacheSetLgposModify_Trace"
}

Event ID 177: ESE CacheFirstDirtyPage2 Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_CacheFirstDirtyPage2_Trace

Description

ESE CacheFirstDirtyPage2 Trace.

Message #

ESE CacheFirstDirtyPage2 Trace

Fields #

Name	Description
`tick` UInt32
`wszFilename` UnicodeString
`ifmp` UInt32
`iofile` UInt32
`pgno` UInt32
`objid` UInt32
`fFlags` UInt32
`bfdfNew` UInt32
`lgposModify` UInt64
`dwUserId` UInt32
`bOperationId` UInt8
`bOperationType` UInt8
`bClientType` UInt8
`bFlags` UInt8
`dwCorrelationId` UInt32
`iorp` UInt8
`iors` UInt8
`iort` UInt8
`ioru` UInt8
`iorf` UInt8
`tce` UInt8
`szClientComponent` AnsiString
`szClientAction` AnsiString
`szClientActionContext` AnsiString
`guidActivityId` GUID

Event ID 178: ESE DBScanPageSpace Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_DBScanPageSpace_Trace

Description

ESE DBScanPageSpace Trace.

Message #

ESE DBScanPageSpace Trace

Fields #

Name	Description
`wszDatabaseName` UnicodeString
`pgno` UInt32
`objid` UInt32
`flags` UInt32
`cbPageFree` UInt16
`cLines` UInt16
`bSeekPenalty` UInt8

Event ID 200: ESE tagNull Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_tagNull_Trace

Description

ESE tagNull Trace.

Message #

ESE tagNull Trace

Fields #

Name	Description
`szTrace` AnsiString

Event ID 201: ESE tagInformation Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_tagInformation_Trace

Description

ESE tagInformation Trace.

Message #

ESE tagInformation Trace

Fields #

Name	Description
`szTrace` AnsiString

Event ID 202: ESE tagErrors Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_tagErrors_Trace

Description

ESE tagErrors Trace.

Message #

ESE tagErrors Trace

Fields #

Name	Description
`szTrace` AnsiString

Event ID 203: ESE tagAsserts Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_tagAsserts_Trace

Description

ESE tagAsserts Trace.

Message #

ESE tagAsserts Trace

Fields #

Name	Description
`szTrace` AnsiString

Event ID 204: ESE tagAPI Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_tagAPI_Trace

Description

ESE tagAPI Trace.

Message #

ESE tagAPI Trace

Fields #

Name	Description
`szTrace` AnsiString

Event ID 205: ESE tagInitTerm Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_tagInitTerm_Trace

Description

ESE tagInitTerm Trace.

Message #

ESE tagInitTerm Trace

Fields #

Name	Description
`szTrace` AnsiString

Event ID 206: ESE tagBufferManager Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_tagBufferManager_Trace

Description

ESE tagBufferManager Trace.

Message #

ESE tagBufferManager Trace

Fields #

Name	Description
`szTrace` AnsiString

Event ID 207: ESE tagBufferManagerHashedLatches Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_tagBufferManagerHashedLatches_Trace

Description

ESE tagBufferManagerHashedLatches Trace.

Message #

ESE tagBufferManagerHashedLatches Trace

Fields #

Name	Description
`szTrace` AnsiString

Event ID 208: ESE tagIO Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_tagIO_Trace

Description

ESE tagIO Trace.

Message #

ESE tagIO Trace

Fields #

Name	Description
`szTrace` AnsiString

Event ID 209: ESE tagMemory Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_tagMemory_Trace

Description

ESE tagMemory Trace.

Message #

ESE tagMemory Trace

Fields #

Name	Description
`szTrace` AnsiString

Event ID 210: ESE tagVersionStore Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_tagVersionStore_Trace

Description

ESE tagVersionStore Trace.

Message #

ESE tagVersionStore Trace

Fields #

Name	Description
`szTrace` AnsiString

Event ID 211: ESE tagVersionStoreOOM Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_tagVersionStoreOOM_Trace

Description

ESE tagVersionStoreOOM Trace.

Message #

ESE tagVersionStoreOOM Trace

Fields #

Name	Description
`szTrace` AnsiString

Event ID 212: ESE tagVersionCleanup Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_tagVersionCleanup_Trace

Description

ESE tagVersionCleanup Trace.

Message #

ESE tagVersionCleanup Trace

Fields #

Name	Description
`szTrace` AnsiString

Event ID 213: ESE tagCatalog Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_tagCatalog_Trace

Description

ESE tagCatalog Trace.

Message #

ESE tagCatalog Trace

Fields #

Name	Description
`szTrace` AnsiString

Event ID 214: ESE tagDDLRead Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_tagDDLRead_Trace

Description

ESE tagDDLRead Trace.

Message #

ESE tagDDLRead Trace

Fields #

Name	Description
`szTrace` AnsiString

Event ID 215: ESE tagDDLWrite Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_tagDDLWrite_Trace

Description

ESE tagDDLWrite Trace.

Message #

ESE tagDDLWrite Trace

Fields #

Name	Description
`szTrace` AnsiString

Event ID 216: ESE tagDMLRead Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_tagDMLRead_Trace

Description

ESE tagDMLRead Trace.

Message #

ESE tagDMLRead Trace

Fields #

Name	Description
`szTrace` AnsiString

Event ID 217: ESE tagDMLWrite Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_tagDMLWrite_Trace

Description

ESE tagDMLWrite Trace.

Message #

ESE tagDMLWrite Trace

Fields #

Name	Description
`szTrace` AnsiString

Event ID 218: ESE tagDMLConflicts Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_tagDMLConflicts_Trace

Description

ESE tagDMLConflicts Trace.

Message #

ESE tagDMLConflicts Trace

Fields #

Name	Description
`szTrace` AnsiString

Event ID 219: ESE tagInstances Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_tagInstances_Trace

Description

ESE tagInstances Trace.

Message #

ESE tagInstances Trace

Fields #

Name	Description
`szTrace` AnsiString

Event ID 220: ESE tagDatabases Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_tagDatabases_Trace

Description

ESE tagDatabases Trace.

Message #

ESE tagDatabases Trace

Fields #

Name	Description
`szTrace` AnsiString

Event ID 221: ESE tagSessions Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_tagSessions_Trace

Description

ESE tagSessions Trace.

Message #

ESE tagSessions Trace

Fields #

Name	Description
`szTrace` AnsiString

Event ID 222: ESE tagCursors Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_tagCursors_Trace

Description

ESE tagCursors Trace.

Message #

ESE tagCursors Trace

Fields #

Name	Description
`szTrace` AnsiString

Event ID 223: ESE tagCursorNavigation Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_tagCursorNavigation_Trace

Description

ESE tagCursorNavigation Trace.

Message #

ESE tagCursorNavigation Trace

Fields #

Name	Description
`szTrace` AnsiString

Event ID 224: ESE tagCursorPageRefs Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_tagCursorPageRefs_Trace

Description

ESE tagCursorPageRefs Trace.

Message #

ESE tagCursorPageRefs Trace

Fields #

Name	Description
`szTrace` AnsiString

Event ID 225: ESE tagBtree Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_tagBtree_Trace

Description

ESE tagBtree Trace.

Message #

ESE tagBtree Trace

Fields #

Name	Description
`szTrace` AnsiString

Event ID 226: ESE tagSpace Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_tagSpace_Trace

Description

ESE tagSpace Trace.

Message #

ESE tagSpace Trace

Fields #

Name	Description
`szTrace` AnsiString

Event ID 227: ESE tagFCBs Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_tagFCBs_Trace

Description

ESE tagFCBs Trace.

Message #

ESE tagFCBs Trace

Fields #

Name	Description
`szTrace` AnsiString

Event ID 228: ESE tagTransactions Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_tagTransactions_Trace

Description

ESE tagTransactions Trace.

Message #

ESE tagTransactions Trace

Fields #

Name	Description
`szTrace` AnsiString

Event ID 229: ESE tagLogging Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_tagLogging_Trace

Description

ESE tagLogging Trace.

Message #

ESE tagLogging Trace

Fields #

Name	Description
`szTrace` AnsiString

Event ID 230: ESE tagRecovery Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_tagRecovery_Trace

Description

ESE tagRecovery Trace.

Message #

ESE tagRecovery Trace

Fields #

Name	Description
`szTrace` AnsiString

Event ID 231: ESE tagBackup Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_tagBackup_Trace

Description

ESE tagBackup Trace.

Message #

ESE tagBackup Trace

Fields #

Name	Description
`szTrace` AnsiString

Event ID 232: ESE tagRestore Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_tagRestore_Trace

Description

ESE tagRestore Trace.

Message #

ESE tagRestore Trace

Fields #

Name	Description
`szTrace` AnsiString

Event ID 233: ESE tagOLD Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_tagOLD_Trace

Description

ESE tagOLD Trace.

Message #

ESE tagOLD Trace

Fields #

Name	Description
`szTrace` AnsiString

Event ID 234: ESE tagEventlog Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_tagEventlog_Trace

Description

ESE tagEventlog Trace.

Message #

ESE tagEventlog Trace

Fields #

Name	Description
`szTrace` AnsiString

Event ID 235: ESE tagBufferManagerMaintTasks Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_tagBufferManagerMaintTasks_Trace

Description

ESE tagBufferManagerMaintTasks Trace.

Message #

ESE tagBufferManagerMaintTasks Trace

Fields #

Name	Description
`szTrace` AnsiString

Event ID 236: ESE tagSpaceManagement Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_tagSpaceManagement_Trace

Description

ESE tagSpaceManagement Trace.

Message #

ESE tagSpaceManagement Trace

Fields #

Name	Description
`szTrace` AnsiString

Event ID 237: ESE tagSpaceInternal Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_tagSpaceInternal_Trace

Description

ESE tagSpaceInternal Trace.

Message #

ESE tagSpaceInternal Trace

Fields #

Name	Description
`szTrace` AnsiString

Event ID 238: ESE tagIOQueue Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_tagIOQueue_Trace

Description

ESE tagIOQueue Trace.

Message #

ESE tagIOQueue Trace

Fields #

Name	Description
`szTrace` AnsiString

Event ID 239: ESE tagDiskVolumeManagement Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_tagDiskVolumeManagement_Trace

Description

ESE tagDiskVolumeManagement Trace.

Message #

ESE tagDiskVolumeManagement Trace

Fields #

Name	Description
`szTrace` AnsiString

Event ID 240: ESE tagCallbacks Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_tagCallbacks_Trace

Description

ESE tagCallbacks Trace.

Message #

ESE tagCallbacks Trace

Fields #

Name	Description
`szTrace` AnsiString

Event ID 241: ESE tagIOProblems Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_tagIOProblems_Trace

Description

ESE tagIOProblems Trace.

Message #

ESE tagIOProblems Trace

Fields #

Name	Description
`szTrace` AnsiString

Event ID 242: ESE tagUpgrade Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_tagUpgrade_Trace

Description

ESE tagUpgrade Trace.

Message #

ESE tagUpgrade Trace

Fields #

Name	Description
`szTrace` AnsiString

Event ID 243: ESE tagRecoveryValidation Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_tagRecoveryValidation_Trace

Description

ESE tagRecoveryValidation Trace.

Message #

ESE tagRecoveryValidation Trace

Fields #

Name	Description
`szTrace` AnsiString

Event ID 244: ESE tagBufferManagerBufferCacheState Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_tagBufferManagerBufferCacheState_Trace

Description

ESE tagBufferManagerBufferCacheState Trace.

Message #

ESE tagBufferManagerBufferCacheState Trace

Fields #

Name	Description
`szTrace` AnsiString

Event ID 245: ESE tagBufferManagerBufferDirtyState Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_tagBufferManagerBufferDirtyState_Trace

Description

ESE tagBufferManagerBufferDirtyState Trace.

Message #

ESE tagBufferManagerBufferDirtyState Trace

Fields #

Name	Description
`szTrace` AnsiString

Event ID 246: ESE tagTimerQueue Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_tagTimerQueue_Trace

Description

ESE tagTimerQueue Trace.

Message #

ESE tagTimerQueue Trace

Fields #

Name	Description
`szTrace` AnsiString

Event ID 247: ESE tagSortPerf Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_tagSortPerf_Trace

Description

ESE tagSortPerf Trace.

Message #

ESE tagSortPerf Trace

Fields #

Name	Description
`szTrace` AnsiString

Event ID 248: ESE tagOLDRegistration Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_tagOLDRegistration_Trace

Description

ESE tagOLDRegistration Trace.

Message #

ESE tagOLDRegistration Trace

Fields #

Name	Description
`szTrace` AnsiString

Event ID 249: ESE tagOLDWork Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_tagOLDWork_Trace

Description

ESE tagOLDWork Trace.

Message #

ESE tagOLDWork Trace

Fields #

Name	Description
`szTrace` AnsiString

Event ID 250: ESE tagSysInitTerm Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_tagSysInitTerm_Trace

Description

ESE tagSysInitTerm Trace.

Message #

ESE tagSysInitTerm Trace

Fields #

Name	Description
`szTrace` AnsiString

Event ID 251: ESE tagVersionAndStagingChecks Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_tagVersionAndStagingChecks_Trace

Description

ESE tagVersionAndStagingChecks Trace.

Message #

ESE tagVersionAndStagingChecks Trace

Fields #

Name	Description
`szTrace` AnsiString

Event ID 252: ESE tagFile Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_tagFile_Trace

Description

ESE tagFile Trace.

Message #

ESE tagFile Trace

Fields #

Name	Description
`szTrace` AnsiString

Event ID 253: ESE tagFlushFileBuffers Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_tagFlushFileBuffers_Trace

Description

ESE tagFlushFileBuffers Trace.

Message #

ESE tagFlushFileBuffers Trace

Fields #

Name	Description
`szTrace` AnsiString

Event ID 254: ESE tagCheckpointUpdate Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_tagCheckpointUpdate_Trace

Description

ESE tagCheckpointUpdate Trace.

Message #

ESE tagCheckpointUpdate Trace

Fields #

Name	Description
`szTrace` AnsiString

Event ID 255: ESE tagDiagnostics Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_tagDiagnostics_Trace

Description

ESE tagDiagnostics Trace.

Message #

ESE tagDiagnostics Trace

Fields #

Name	Description
`szTrace` AnsiString

Event ID 256: ESE tagBlockCache Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_tagBlockCache_Trace

Description

ESE tagBlockCache Trace.

Message #

ESE tagBlockCache Trace

Fields #

Name	Description
`szTrace` AnsiString

Event ID 257: ESE tagRBS Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_tagRBS_Trace

Description

ESE tagRBS Trace.

Message #

ESE tagRBS Trace

Fields #

Name	Description
`szTrace` AnsiString

Event ID 258: ESE tagRBSCleaner Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_tagRBSCleaner_Trace

Description

ESE tagRBSCleaner Trace.

Message #

ESE tagRBSCleaner Trace

Fields #

Name	Description
`szTrace` AnsiString

Event ID 259: ESE tagBlockCacheOperations Trace

Provider: Microsoft-Windows-ESE
Channel: Operational
Task: ESE_tagBlockCacheOperations_Trace

Description

ESE tagBlockCacheOperations Trace.

Message #

ESE tagBlockCacheOperations Trace

Fields #

Name	Description
`szTrace` AnsiString

Event ID 5000: ESE Compression Experiment Trace

Provider: Microsoft-Windows-ESE
Channel: Operational

Description

ESE Compression Experiment Trace.

Message #

ESE Compression Experiment Trace

Fields #

Name	Description
`TableClass` UInt8
`OrigSize` UInt16
`XpressSize` UInt16
`Xpress9Size` UInt16
`usecXpressTime` UInt32
`usecXpress9Time` UInt32
`ShannonEntropy` Double
`ChiSquared` Double

Provenance

Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.

ETW provider GUID {478EA8A8-00BE-4BA6-8E75-8B9DC7DB9F78}

Defined in ETWESEProviderResources.dll, which carries the event manifest.

Observed on:

WS2022-20348.4893, sample captured from a live trace, binary version 10.0.20348.1, captured 2026-06-02
WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.1, captured 2026-06-02
Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.1, captured 2026-06-02

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)