Microsoft-Windows-Hyper-V-Hypervisor

118 events across 4 channels

Event	Title	Channel	Sample
1	Hypervisor successfully started.	System	Y
2	Hypervisor scheduler type is SchedulerType.	System	Y
3	Hypervisor Eventlog for global system events could not be created!	System	N
5	Hypervisor launch has been disabled through the hypervisorlaunchtype bcdedit …	System	N
10	Hypervisor Eventlog creation failed!	Microsoft-Windows-Hyper-V-Hypervisor-Operational	N
11	Hypervisor Eventlog deletion failed!	Microsoft-Windows-Hyper-V-Hypervisor-Operational	N
12	Host processor features mask: Host_processor_features_mask.	Microsoft-Windows-Hyper-V-Hypervisor-Operational	N
13	Hypervisor fails to start ETW tracing session.	System	N
14	Hypervisor Eventlog flush failed!	Microsoft-Windows-Hyper-V-Hypervisor-Operational	N
20	Hypervisor launch failed; sleep and hibernate could not be disabled (status …	System	N
26	Hypervisor launch failed; the hypervisor boot loader's internal logic failed …	System	N
27	Hypervisor launch failed; the hypervisor boot loader was unable to allocate …	System	N
28	Hypervisor launch failed; the hypervisor boot loader does not support the vendor …	System	N
29	Hypervisor launch failed; at least one of the processors in the system does not …	System	N
31	Hyper-V launch failed; the system does not appear to have a sufficient level of …	System	N
32	Hypervisor launch failed; at least one of the processors in the system does not …	System	N
33	Hyper-V launch failed; the image {ImageName} could not be accessed (status …	System	N
34	Hyper-V launch failed; the image ImageName could not be loaded (status Status).	System	N
35	Hyper-V launch failed; the image {ImageName} could not be read (status …	System	N
36	Hypervisor launch failed; the image ImageName failed code integrity checks, and …	System	N
37	Hypervisor launch failed; the image ImageName does not contain the image …	System	N
38	Hyper-V launch failed; at least one of the processors in the system was unable …	System	N
39	Hypervisor Load Options - LoadOptions.	Microsoft-Windows-Hyper-V-Hypervisor-Admin	Y
40	Hypervisor launch failed; the hypervisor image is revision HypervisorVersion, …	System	N
41	Hypervisor launch failed; Either VMX not present or not enabled in BIOS.	System	Y
42	Hypervisor launch failed; Either SVM not present or not enabled in BIOS.	System	N
43	Hypervisor launch failed; EL2 not present.	System	N
44	Hypervisor launch failed; Either No Execute feature (NX) not present or not …	System	N
46	Hypervisor launch failed; Processor does not support the minimum features …	System	N
47	Hypervisor launch failed; Processor does not provide the features necessary to …	System	N
48	Hypervisor launch failed; Processor does not provide the features necessary to …	System	N
54	Hypervisor launch failed; Hypervisor image does not match the platform being run …	System	N
55	Hypervisor launch failed; Required firmware table not found.	System	N
56	Hypervisor launch failed; Encountered invalid firmware information.	System	N
59	Hypervisor launch failed; Second Level Address Translation is required to launch …	System	N
60	Hypervisor launch failed; Secure Mode Extensions have been enabled by the BIOS.	System	N
61	Hypervisor launch failed; Minimum CPUID leaves required by the hypervisor are …	System	N
62	Hypervisor launch failed; The physical address limit supported has been …	System	N
63	Hypervisor launch failed; The hypervisor was unable to initialize successfully …	System	N
64	Hypervisor launch failed; Too many runtime services memory ranges described by …	System	N
65	Hypervisor launch failed; Memory ranges validation failure (BalStatus: …	System	N
80	Hypervisor launch failed; The operating systems boot loader failed with error …	System	N
81	Hypervisor launch failed; The operating system boot loader was unable to locate …	System	N
82	Hypervisor launch failed; The operating system boot loader detected a persistent …	System	N
83	Hypervisor launch failed; The operating system boot loader was unable to …	System	N
84	Hypervisor launch failed; The operating system boot loader was unable to …	System	N
85	Hypervisor launch failed; The operating system boot loader detected a memory map …	System	N
86	Hypervisor launch failed; the version of the microcode update dll does not match …	System	N
96	Hypervisor processor startup failed (APIC ID CPU, status ErrorCode).	System	N
97	Hypervisor processor startup failed (APIC ID CPU) due to CPUID feature …	System	N
129	Hypervisor initialized I/O remapping.	System	Y
130	Hypervisor I/O remapping is forcibly enabled by policy (the …	System	N
131	There is an I/O remapping problem with the sytem BIOS.	System	N
144	A device is operating with reduced performance because of a problem with the …	System	N
145	A device will not work correctly because of a problem with the system BIOS.	System	N
146	A device will not work correctly because the hypervisor does not have enough …	System	N
147	A device will not work correctly because of a problem with the system BIOS.	System	N
148	A device could not be used by a child partition because of a limitation of the …	System	N
149	A device could not be used by a child partition because of a limitation of the …	System	N
150	The image {ImageName} could not be accessed (status {Status}).	System	N
151	The image {ImageName} could not be loaded (status {Status}).	System	N
152	The image ImageName could not be read (status Status).	System	N
153	The image ImageName failed code integrity checks, and cannot be used.	System	N
154	Hypervisor failed to properly synchronize TSC across logical processors (Max …	System	N
155	Host processor features mask: BankCount.	Microsoft-Windows-Hyper-V-Hypervisor-Admin	Y
156	Hypervisor initial page allocation NUMA policy: .	Microsoft-Windows-Hyper-V-Hypervisor-Admin	Y
156	Hypervisor configured mitigations for CVE-2018-3646 for virtual machines.	System	Y
157	The hypervisor did not enable mitigations for side channel vulnerabilities for …	System	N
158	The queried interface version Max is not supported (Min : CurrentVersion, Max : …	System	N
159	The queried interface is incomplete.	System	N
160	Partition persistence services will be unavailable.	System	N
161	The configured Minroot settings are not compatible with the hypervisor core …	System	N
162	Failed to unregister the remote hypercall interface (status NtStatus).	System	N
163	The hypervisor encountered an internal error: nested NMI (processor Processor).	Microsoft-Windows-Hyper-V-Hypervisor-Operational	N
164	The hypervisor encountered an internal error: IPI timeout (processor Processor).	Microsoft-Windows-Hyper-V-Hypervisor-Operational	N
165	Hypervisor configured mitigations for CVE-2019-11091, CVE-2018-12126, …	System	Y
166	Hypervisor Load Options are conflicting - LoadOptions, LoadFlags.	Microsoft-Windows-Hyper-V-Hypervisor-Admin	N
167	The hypervisor did not enable mitigations for side channel vulnerabilities for …	System	N
168	AMD PSP PCI device discovered.	System	N
169	Secure firmware update status: Secure_firmware_update_status.	System	N
170	Secure firmware image invalid.	System	N
171	Secure firmware version: Secure_firmware_version.	System	N
172	Features are enabled that require all processors be started.	Microsoft-Windows-Hyper-V-Hypervisor-Admin	N
173	On the prior boot session, the root partition did not respond to the synthetic …	System	N
8451	Hyper-V failed creating a new partition (status Error)!	Microsoft-Windows-Hyper-V-Hypervisor-Operational	N
12288	RegisterInterface	Operational	N
12289	HvldrIoctl	Operational	N
12290	RemoteHypercall	Operational	N
12291	HvldrCreatePartition	Operational	N
12292	RegisterPartitionId	Operational	N
12293	HvldrDeletePartition	Operational	N
12294	HvldrDepositMemory	Operational	N
12295	HvldrMapGpaPages	Operational	N
12296	HvldrUnmapGpaSpace	Operational	N
12297	HvldrNumaDistributedAllocation	Operational	N
12298	HvldrGetLpRegisterMsr	Operational	N
12299	HvldrGetLpRegisterCpuid	Operational	N
12300	HvldrReadSystemMemory	Operational	N
12301	HvldrGetMtrrs	Operational	N
12302	HvldrGetPlatformCaps	Operational	N
12303	HvldrHsrInUse	Operational	N
12304	HvldrConfigureIommuLiveHandoff	Operational	N
12305	HvldrGetIdleStateConfig	Operational	N
12306	HvldrGetVpRegisters	Operational	N
12307	HvldrGetLogicalProcessorProperty	Operational	N
12308	HvldrDisableHypervisor	Operational	N
12309	HvldrDisableHypervisor12309	Operational	N
12310	HvldrPrepareProtoHypervisor	Operational	N
12311	HvldrImageLoadInfo	Operational	N
12312	HvldrReadHvRegister	Operational	N
12313	HvldrProcessInterruptControllers	Operational	N
12314	HvldrHsrMirroringInUse	Operational	N
12315	HvldrDebugMsg	Operational	N
12316	HvldrDebugMsg12316	Operational	N
12317	HvldrFailureLocation	Operational	N
12550	Hyper-V detected access to a restricted MSR.	Microsoft-Windows-Hyper-V-Hypervisor-Operational	N
16641	Hyper-V successfully created a new partition (partition PartitionId).	Microsoft-Windows-Hyper-V-Hypervisor-Operational	Y
16642	Hyper-V successfully deleted a partition (partition PartitionId).	Microsoft-Windows-Hyper-V-Hypervisor-Operational	Y

Event ID 1: Hypervisor successfully started.

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: System
Level: Informational
Opcode: Info

Description

Hypervisor successfully started.

Message #

Hypervisor successfully started.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Hyper-V-Hypervisor",
    "guid": "52FC89F8-995E-434C-A91E-199986449890",
    "event_source_name": "",
    "event_id": 1,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223442405598953472,
    "time_created": "2026-03-11T06:27:08.616827+00:00",
    "event_record_id": 2708,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 8
    },
    "channel": "System",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {},
  "message": ""
}

Event ID 2: Hypervisor scheduler type is SchedulerType.

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: System
Level: Informational
Opcode: Info

Description

Hypervisor scheduler type is SchedulerType.

Message #

Hypervisor scheduler type is %1.

Fields #

Name	Description
`SchedulerType` HexInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Hyper-V-Hypervisor",
    "guid": "52FC89F8-995E-434C-A91E-199986449890",
    "event_source_name": "",
    "event_id": 2,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223442405598953472,
    "time_created": "2026-03-11T06:27:08.616840+00:00",
    "event_record_id": 2709,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 8
    },
    "channel": "System",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "SchedulerType": "0x4"
  },
  "message": ""
}

Event ID 3: Hypervisor Eventlog for global system events could not be created!

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: System
Opcode: Info

Description

Hypervisor Eventlog for global system events could not be created!

Message #

Hypervisor Eventlog for global system events could not be created!

Event ID 5: Hypervisor launch has been disabled through the hypervisorlaunchtype bcdedit setting.

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: System
Opcode: Info

Description

Hypervisor launch has been disabled through the hypervisorlaunchtype bcdedit setting.

Message #

Hypervisor launch has been disabled through the hypervisorlaunchtype bcdedit setting.

Event ID 10: Hypervisor Eventlog creation failed!

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: Microsoft-Windows-Hyper-V-Hypervisor-Operational
Opcode: Info

Description

Hypervisor Eventlog creation failed!

Message #

Hypervisor Eventlog creation failed!

Fields #

Name	Description
`Error` HexInt64

Event ID 11: Hypervisor Eventlog deletion failed!

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: Microsoft-Windows-Hyper-V-Hypervisor-Operational
Opcode: Info

Description

Hypervisor Eventlog deletion failed!

Message #

Hypervisor Eventlog deletion failed!

Fields #

Name	Description
`Error` HexInt64

Event ID 12: Host processor features mask: Host_processor_features_mask.

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: Microsoft-Windows-Hyper-V-Hypervisor-Operational
Opcode: Info

Description

Host processor features mask: Host_processor_features_mask.

Message #

Host processor features mask: %1

Host xsave features mask: %2

Host cache line flush size: %3 bytes

Fields #

Name	Description
`BankCount` UInt8
`ProcessorFeatures` HexInt64
`XsaveFeatures` HexInt64
`CLFlushSize` UInt32

Event ID 13: Hypervisor fails to start ETW tracing session.

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: System
Opcode: Info

Description

Hypervisor fails to start ETW tracing session.

Message #

Hypervisor fails to start ETW tracing session.

Event ID 14: Hypervisor Eventlog flush failed!

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: Microsoft-Windows-Hyper-V-Hypervisor-Operational
Opcode: Info

Description

Hypervisor Eventlog flush failed!

Message #

Hypervisor Eventlog flush failed!

Fields #

Name	Description
`Error` HexInt64

Event ID 20: Hypervisor launch failed; sleep and hibernate could not be disabled (status ErrorCode).

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: System
Opcode: Info

Description

Hypervisor launch failed; sleep and hibernate could not be disabled (status ErrorCode).

Message #

Hypervisor launch failed; sleep and hibernate could not be disabled (status %1).

Fields #

Name	Description
`ErrorCode` HexInt32

Event ID 26: Hypervisor launch failed; the hypervisor boot loader's internal logic failed (BalStatus BalStatus, sub-status Error).

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: System
Opcode: Info

Description

Hypervisor launch failed; the hypervisor boot loader's internal logic failed (BalStatus BalStatus, sub-status Error).

Message #

Hypervisor launch failed; the hypervisor boot loader's internal logic failed (BalStatus %1, sub-status %2).

Fields #

Name	Description
`BalStatus` HexInt64
`Error` HexInt32

Event ID 27: Hypervisor launch failed; the hypervisor boot loader was unable to allocate sufficient resources to perform the launch.

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: System
Opcode: Info

Description

Hypervisor launch failed; the hypervisor boot loader was unable to allocate sufficient resources to perform the launch.

Message #

Hypervisor launch failed; the hypervisor boot loader was unable to allocate sufficient resources to perform the launch.

Event ID 28: Hypervisor launch failed; the hypervisor boot loader does not support the vendor of at least one of the processors in the system.

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: System
Opcode: Info

Description

Hypervisor launch failed; the hypervisor boot loader does not support the vendor of at least one of the processors in the system.

Message #

Hypervisor launch failed; the hypervisor boot loader does not support the vendor of at least one of the processors in the system.

Event ID 29: Hypervisor launch failed; at least one of the processors in the system does not appear to support the features required by the hypervisor.

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: System

Message #

Hypervisor launch failed; at least one of the processors in the system does not appear to support the features required by the hypervisor.  (leaf: {Leaf}; required features: {FeaturesRequired}; features available: {FeaturesPresent})

Fields #

Name	Description
`Leaf`
`FeaturesRequired`
`FeaturesPresent`

Event ID 31: Hyper-V launch failed; the system does not appear to have a sufficient level of ACPI support to launch the hypervisor.

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: System
Opcode: Info

Description

Hyper-V launch failed; the system does not appear to have a sufficient level of ACPI support to launch the hypervisor.

Message #

Hyper-V launch failed; the system does not appear to have a sufficient level of ACPI support to launch the hypervisor.

Event ID 32: Hypervisor launch failed; at least one of the processors in the system does not appear to provide a virtualization platform supported by the hyperv...

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: System
Opcode: Info

Description

Hypervisor launch failed; at least one of the processors in the system does not appear to provide a virtualization platform supported by the hypervisor.

Message #

Hypervisor launch failed; at least one of the processors in the system does not appear to provide a virtualization platform supported by the hypervisor.

Event ID 33: Hyper-V launch failed; the image {ImageName} could not be accessed (status {Status}).

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: System

Description

Hyper-V launch failed; the image {ImageName} could not be accessed (status {Status}).

Message #

Hyper-V launch failed; the image {ImageName} could not be accessed (status {Status}).

Fields #

Name	Description
`ImageName`
`Status`	NTSTATUS reference

Event ID 34: Hyper-V launch failed; the image ImageName could not be loaded (status Status).

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: System
Opcode: Info

Description

Hyper-V launch failed; the image ImageName could not be loaded (status Status).

Message #

Hyper-V launch failed; the image %1 could not be loaded (status %2).

Fields #

Name	Description
`ImageName` UnicodeString
`Status` HexInt32	NTSTATUS reference

Event ID 35: Hyper-V launch failed; the image {ImageName} could not be read (status {Status}).

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: System

Description

Hyper-V launch failed; the image {ImageName} could not be read (status {Status}).

Message #

Hyper-V launch failed; the image {ImageName} could not be read (status {Status}).

Fields #

Name	Description
`ImageName`
`Status`	NTSTATUS reference

Event ID 36: Hypervisor launch failed; the image ImageName failed code integrity checks, and cannot be used.

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: System
Opcode: Info

Description

Hypervisor launch failed; the image ImageName failed code integrity checks, and cannot be used.

Message #

Hypervisor launch failed; the image %1 failed code integrity checks, and cannot be used.

Fields #

Name	Description
`ImageName` UnicodeString

Event ID 37: Hypervisor launch failed; the image ImageName does not contain the image description datastructures, and cannot be used.

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: System
Opcode: Info

Description

Hypervisor launch failed; the image ImageName does not contain the image description datastructures, and cannot be used.

Message #

Hypervisor launch failed; the image %1 does not contain the image description datastructures, and cannot be used.

Fields #

Name	Description
`ImageName` UnicodeString

Event ID 38: Hyper-V launch failed; at least one of the processors in the system was unable to launch the hypervisor (status BalStatus).

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: System
Opcode: Info

Description

Hyper-V launch failed; at least one of the processors in the system was unable to launch the hypervisor (status BalStatus).

Message #

Hyper-V launch failed; at least one of the processors in the system was unable to launch the hypervisor (status %1).

Fields #

Name	Description
`BalStatus` HexInt64

Event ID 39: Hypervisor Load Options - LoadOptions.

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: Microsoft-Windows-Hyper-V-Hypervisor-Admin
Level: Informational
Opcode: Info

Description

Hypervisor Load Options - LoadOptions.

Message #

Hypervisor Load Options - %1.

Fields #

Name	Description
`LoadOptions` AnsiString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Hyper-V-Hypervisor",
    "guid": "52FC89F8-995E-434C-A91E-199986449890",
    "event_source_name": "",
    "event_id": 39,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018427387904,
    "time_created": "2026-03-14T01:39:45.534226+00:00",
    "event_record_id": 3,
    "correlation": {
      "ActivityID": "E6C8E93F-24DF-B4AB-98D2-D123EDC8427C"
    },
    "execution": {
      "process_id": 4,
      "thread_id": 8
    },
    "channel": "Microsoft-Windows-Hyper-V-Hypervisor-Admin",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "LoadOptions": " IGNOREMEMPART=1 "
  },
  "message": ""
}

Event ID 40: Hypervisor launch failed; the hypervisor image is revision HypervisorVersion, but the currently installed virtualization software only supports launching revision...

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: System
Opcode: Info

Description

Hypervisor launch failed; the hypervisor image is revision HypervisorVersion, but the currently installed virtualization software only supports launching revision VersionSupported hypervisor images.

Message #

Hypervisor launch failed; the hypervisor image is revision %1, but the currently installed virtualization software only supports launching revision %2 hypervisor images.

Fields #

Name	Description
`HypervisorVersion` UInt32
`VersionSupported` UInt32

Event ID 41: Hypervisor launch failed; Either VMX not present or not enabled in BIOS.

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: System
Level: Error
Opcode: Info

Description

Hypervisor launch failed; Either VMX not present or not enabled in BIOS.

Message #

Hypervisor launch failed; Either VMX not present or not enabled in BIOS.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Hyper-V-Hypervisor",
    "guid": "52FC89F8-995E-434C-A91E-199986449890",
    "event_source_name": "",
    "event_id": 41,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": 9223442405598953472,
    "time_created": "2023-11-06T06:24:56.254005+00:00",
    "event_record_id": 1627,
    "correlation": {
      "ActivityID": "A94F03D9-96B8-C53E-D5D7-00FBA9067B3F"
    },
    "execution": {
      "process_id": 4,
      "thread_id": 8
    },
    "channel": "System",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {},
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 42: Hypervisor launch failed; Either SVM not present or not enabled in BIOS.

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: System
Opcode: Info

Description

Hypervisor launch failed; Either SVM not present or not enabled in BIOS.

Message #

Hypervisor launch failed; Either SVM not present or not enabled in BIOS.

Event ID 43: Hypervisor launch failed; EL2 not present.

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: System
Opcode: Info

Description

Hypervisor launch failed; EL2 not present.

Message #

Hypervisor launch failed; EL2 not present.

Event ID 44: Hypervisor launch failed; Either No Execute feature (NX) not present or not enabled in BIOS.

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: System
Opcode: Info

Description

Hypervisor launch failed; Either No Execute feature (NX) not present or not enabled in BIOS.

Message #

Hypervisor launch failed; Either No Execute feature (NX) not present or not enabled in BIOS.

Event ID 46: Hypervisor launch failed; Processor does not support the minimum features required to run the hypervisor.

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: System
Opcode: Info

Description

Hypervisor launch failed; Processor does not support the minimum features required to run the hypervisor (MSR index MSRIndex, allowed bits AllowedZeroes, required bits AllowedOnes).

Message #

Hypervisor launch failed; Processor does not support the minimum features required to run the hypervisor (MSR index %1, allowed bits %2, required bits %3).

Fields #

Name	Description
`MSRIndex` HexInt32
`AllowedZeroes` HexInt64
`AllowedOnes` HexInt64

Event ID 47: Hypervisor launch failed; Processor does not provide the features necessary to run the hypervisor.

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: System

Message #

Hypervisor launch failed; Processor does not provide the features necessary to run the hypervisor (BalStatus {BalStatus}; leaf1 EAX {Leaf1Eax}; VMCR MS EAX {VmCrMsrValue}; SVM CPUID features {SvmFeatureEax}; has working SMM {HasWorkingSmm}).

Fields #

Name	Description
`BalStatus`
`Leaf1Eax`
`VmCrMsrValue`
`SvmFeatureEax`
`HasWorkingSmm`

Event ID 48: Hypervisor launch failed; Processor does not provide the features necessary to run the hypervisor.

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: System
Opcode: Info

Description

Hypervisor launch failed; Processor does not provide the features necessary to run the hypervisor (leaf Leaf, register Register: features needed FeaturesNeeded, features supported FeaturesSupported).

Message #

Hypervisor launch failed; Processor does not provide the features necessary to run the hypervisor (leaf %1, register %2: features needed %3, features supported %4).

Fields #

Name	Description
`Leaf` HexInt32
`Register` HexInt32
`FeaturesNeeded` HexInt32
`FeaturesSupported` HexInt32

Event ID 54: Hypervisor launch failed; Hypervisor image does not match the platform being run on.

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: System
Opcode: Info

Description

Hypervisor launch failed; Hypervisor image does not match the platform being run on.

Message #

Hypervisor launch failed; Hypervisor image does not match the platform being run on.

Event ID 55: Hypervisor launch failed; Required firmware table not found.

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: System
Opcode: Info

Description

Hypervisor launch failed; Required firmware table not found.

Message #

Hypervisor launch failed; Required firmware table not found.

Event ID 56: Hypervisor launch failed; Encountered invalid firmware information.

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: System
Opcode: Info

Description

Hypervisor launch failed; Encountered invalid firmware information.

Message #

Hypervisor launch failed; Encountered invalid firmware information.

Event ID 59: Hypervisor launch failed; Second Level Address Translation is required to launch the hypervisor.

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: System
Opcode: Info

Description

Hypervisor launch failed; Second Level Address Translation is required to launch the hypervisor.

Message #

Hypervisor launch failed; Second Level Address Translation is required to launch the hypervisor.

Event ID 60: Hypervisor launch failed; Secure Mode Extensions have been enabled by the BIOS.

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: System
Opcode: Info

Description

Hypervisor launch failed; Secure Mode Extensions have been enabled by the BIOS. Please disable Secure Mode Extensions in the BIOS to launch Hyper-V.

Message #

Hypervisor launch failed; Secure Mode Extensions have been enabled by the BIOS. Please disable Secure Mode Extensions in the BIOS to launch Hyper-V.

Event ID 61: Hypervisor launch failed; Minimum CPUID leaves required by the hypervisor are not supported on the system.

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: System
Opcode: Info

Description

Hypervisor launch failed; Minimum CPUID leaves required by the hypervisor are not supported on the system.

Message #

Hypervisor launch failed; Minimum CPUID leaves required by the hypervisor are not supported on the system.

Event ID 62: Hypervisor launch failed; The physical address limit supported has been exceeded.

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: System
Opcode: Info

Description

Hypervisor launch failed; The physical address limit supported has been exceeded.

Message #

Hypervisor launch failed; The physical address limit supported has been exceeded.

Event ID 63: Hypervisor launch failed; The hypervisor was unable to initialize successfully (phase Phase), and was not started.

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: System
Opcode: Info

Description

Hypervisor launch failed; The hypervisor was unable to initialize successfully (phase Phase), and was not started. This initialization failure may be the result of a platform configuration or firmware issue. Contact your system vendor for more information or updated firmware.

Message #

Hypervisor launch failed; The hypervisor was unable to initialize successfully (phase %1), and was not started.  This initialization failure may be the result of a platform configuration or firmware issue.  Contact your system vendor for more information or updated firmware.

Fields #

Name	Description
`Phase` HexInt32

Event ID 64: Hypervisor launch failed; Too many runtime services memory ranges described by firmware.

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: System
Opcode: Info

Description

Hypervisor launch failed; Too many runtime services memory ranges described by firmware.

Message #

Hypervisor launch failed; Too many runtime services memory ranges described by firmware.

Event ID 65: Hypervisor launch failed; Memory ranges validation failure (BalStatus: BalStatus, BalInternalError: BalInternalError, Line: Line, MemoryRangesCount: MemoryRangesCount).

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: System

Description

Hypervisor launch failed; Memory ranges validation failure (BalStatus: BalStatus, BalInternalError: BalInternalError, Line: Line, MemoryRangesCount: MemoryRangesCount).

Message #

Hypervisor launch failed; Memory ranges validation failure (BalStatus: %1, BalInternalError: %2, Line: %3, MemoryRangesCount: %4).

Fields #

Name	Description
`BalStatus` HexInt64
`BalInternalError` UInt32
`Line` UInt16
`MemoryRangesCount` UInt32
`MemoryRanges` Int16

Event ID 80: Hypervisor launch failed; The operating systems boot loader failed with error NtStatus.

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: System
Opcode: Info

Description

Hypervisor launch failed; The operating systems boot loader failed with error NtStatus.

Message #

Hypervisor launch failed; The operating systems boot loader failed with error %1.

Fields #

Name	Description
`NtStatus` HexInt32

Event ID 81: Hypervisor launch failed; The operating system boot loader was unable to locate a required resource.

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: System
Opcode: Info

Description

Hypervisor launch failed; The operating system boot loader was unable to locate a required resource.

Message #

Hypervisor launch failed; The operating system boot loader was unable to locate a required resource.

Event ID 82: Hypervisor launch failed; The operating system boot loader detected a persistent memory failure.

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: System
Opcode: Info

Description

Hypervisor launch failed; The operating system boot loader detected a persistent memory failure.

Message #

Hypervisor launch failed; The operating system boot loader detected a persistent memory failure.

Event ID 83: Hypervisor launch failed; The operating system boot loader was unable to allocate sufficient memory to complete the operation.

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: System
Opcode: Info

Description

Hypervisor launch failed; The operating system boot loader was unable to allocate sufficient memory to complete the operation.

Message #

Hypervisor launch failed; The operating system boot loader was unable to allocate sufficient memory to complete the operation.

Event ID 84: Hypervisor launch failed; The operating system boot loader was unable to allocate sufficient resources to complete the operation.

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: System
Opcode: Info

Description

Hypervisor launch failed; The operating system boot loader was unable to allocate sufficient resources to complete the operation.

Message #

Hypervisor launch failed; The operating system boot loader was unable to allocate sufficient resources to complete the operation.

Event ID 85: Hypervisor launch failed; The operating system boot loader detected a memory map conflict.

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: System
Opcode: Info

Description

Hypervisor launch failed; The operating system boot loader detected a memory map conflict.

Message #

Hypervisor launch failed; The operating system boot loader detected a memory map conflict.

Event ID 86: Hypervisor launch failed; the version of the microcode update dll does not match the current operating system.

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: System
Opcode: Info

Description

Hypervisor launch failed; the version of the microcode update dll does not match the current operating system.

Message #

Hypervisor launch failed; the version of the microcode update dll does not match the current operating system.

Fields #

Name	Description
`ExpectedVersion` UInt32
`ActualVersion` UInt32
`ExpectedFunctionTableSize` UInt32
`ActualFunctionTableSize` UInt32
`UpdateDllName` UnicodeString

Event ID 96: Hypervisor processor startup failed (APIC ID CPU, status ErrorCode).

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: System
Opcode: Info

Description

Hypervisor processor startup failed (APIC ID CPU, status ErrorCode). Further processors in the system were not started.

Message #

Hypervisor processor startup failed (APIC ID %1, status %2). Further processors in the system were not started.

Fields #

Name	Description
`CPU` HexInt32
`ErrorCode` HexInt32

Event ID 97: Hypervisor processor startup failed (APIC ID CPU) due to CPUID feature validation error.

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: System
Opcode: Info

Description

Hypervisor processor startup failed (APIC ID CPU) due to CPUID feature validation error. Further processors in the system were not started. Leaf LeafNumber, register Register feature mismatch: BSP has features APCpuidData; AP has features BSPCpuidData

Message #

Hypervisor processor startup failed (APIC ID %1) due to CPUID feature validation error. Further processors in the system were not started. Leaf %2, register %3 feature mismatch: BSP has features %5; AP has features %4

Fields #

Name	Description
`CPU` HexInt32
`LeafNumber` HexInt64
`Register` HexInt64
`BSPCpuidData` HexInt64
`APCpuidData` HexInt64

Event ID 129: Hypervisor initialized I/O remapping.

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: System
Level: Informational
Opcode: Info

Description

Hypervisor initialized I/O remapping.

Message #

Hypervisor initialized I/O remapping.

Hardware present: %1
Hardware enabled: %2
Policy: %3
Enabled features: %4
Internal information: %5
Problems: %6
Additional information: %7

Fields #

Name	Description
`HardwarePresent` Boolean
`HardwareEnabled` Boolean
`Policy` HexInt64
`EnabledFeatures` HexInt64
`InternalInfo` HexInt64
`Problems` HexInt64
`AdditionalInfo` HexInt64

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Hyper-V-Hypervisor",
    "guid": "52FC89F8-995E-434C-A91E-199986449890",
    "event_source_name": "",
    "event_id": 129,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223442405598953472,
    "time_created": "2026-03-11T06:27:08.616876+00:00",
    "event_record_id": 2710,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 8
    },
    "channel": "System",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "HardwarePresent": false,
    "HardwareEnabled": false,
    "Policy": "0x0",
    "EnabledFeatures": "0x0",
    "InternalInfo": "0x0",
    "Problems": "0x0",
    "AdditionalInfo": "0x0"
  },
  "message": ""
}

Event ID 130: Hypervisor I/O remapping is forcibly enabled by policy (the hypervisoriommupolicy BCD option is set to enable).

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: System
Opcode: Info

Description

Hypervisor I/O remapping is forcibly enabled by policy (the hypervisoriommupolicy BCD option is set to enable). If the system exhibits instability or reduced performance, consider restoring the default policy.

Message #

Hypervisor I/O remapping is forcibly enabled by policy (the hypervisoriommupolicy BCD option is set to enable). If the system exhibits instability or reduced performance, consider restoring the default policy.

Event ID 131: There is an I/O remapping problem with the sytem BIOS.

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: System
Opcode: Info

Description

There is an I/O remapping problem with the sytem BIOS.

Message #

There is an I/O remapping problem with the sytem BIOS.

Problems: %1

Fields #

Name	Description
`Problems` HexInt64

Event ID 144: A device is operating with reduced performance because of a problem with the system BIOS.

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: System

Description

A device is operating with reduced performance because of a problem with the system BIOS.

Message #

A device is operating with reduced performance because of a problem with the system BIOS.



The device is not reported under the scope of a unique I/O remapping unit.



Device ID: %1

Partition ID: %2

Fields #

Name	Description
`DeviceId` HexInt64
`PartitionId` UInt64

Event ID 145: A device will not work correctly because of a problem with the system BIOS.

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: System

Description

A device will not work correctly because of a problem with the system BIOS.

Message #

A device will not work correctly because of a problem with the system BIOS.



The Requester IDs reported for the device overlap with those reported for another device.



Device ID: %1

Partition ID: %2

Fields #

Name	Description
`DeviceId` HexInt64
`PartitionId` UInt64

Event ID 146: A device will not work correctly because the hypervisor does not have enough resources.

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: System

Description

A device will not work correctly because the hypervisor does not have enough resources.

Message #

A device will not work correctly because the hypervisor does not have enough resources.



Device ID: %1

Partition ID: %2

Fields #

Name	Description
`DeviceId` HexInt64
`PartitionId` UInt64

Event ID 147: A device will not work correctly because of a problem with the system BIOS.

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: System

Description

A device will not work correctly because of a problem with the system BIOS.

Message #

A device will not work correctly because of a problem with the system BIOS.



An IOAPIC is not correctly reported.



IOAPIC ID: %1

Fields #

Name	Description
`IoApicId` UInt8

Event ID 148: A device could not be used by a child partition because of a limitation of the system hardware and BIOS.

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: System

Description

A device could not be used by a child partition because of a limitation of the system hardware and BIOS.

Message #

A device could not be used by a child partition because of a limitation of the system hardware and BIOS.



The I/O remapping unit that controls the device does not have sufficient capabilities.



Device ID: %1

I/O remapping unit base address: %2

Partition ID: %3

Fields #

Name	Description
`DeviceId` HexInt64
`UnitBaseAddress` HexInt64
`PartitionId` UInt64

Event ID 149: A device could not be used by a child partition because of a limitation of the system hardware and BIOS.

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: System

Description

A device could not be used by a child partition because of a limitation of the system hardware and BIOS.

Message #

A device could not be used by a child partition because of a limitation of the system hardware and BIOS.



The device cannot be securely used by a child partition.



Device ID: %1

Partition ID: %2

Fields #

Name	Description
`DeviceId` HexInt64
`PartitionId` UInt64

Event ID 150: The image {ImageName} could not be accessed (status {Status}).

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: System

Description

The image {ImageName} could not be accessed (status {Status}).

Message #

The image {ImageName} could not be accessed (status {Status}).

Fields #

Name	Description
`ImageName`
`Status`	NTSTATUS reference

Event ID 151: The image {ImageName} could not be loaded (status {Status}).

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: System

Description

The image {ImageName} could not be loaded (status {Status}).

Message #

The image {ImageName} could not be loaded (status {Status}).

Fields #

Name	Description
`ImageName`
`Status`	NTSTATUS reference

Event ID 152: The image ImageName could not be read (status Status).

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: System
Opcode: Info

Description

The image ImageName could not be read (status Status).

Message #

The image %1 could not be read (status %2).

Fields #

Name	Description
`ImageName` UnicodeString
`Status` HexInt32	NTSTATUS reference

Event ID 153: The image ImageName failed code integrity checks, and cannot be used.

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: System
Opcode: Info

Description

The image ImageName failed code integrity checks, and cannot be used.

Message #

The image %1 failed code integrity checks, and cannot be used.

Fields #

Name	Description
`ImageName` UnicodeString

Event ID 154: Hypervisor failed to properly synchronize TSC across logical processors (Max delta: MaxDelta, Min delta: MinDelta).

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: System
Opcode: Info

Description

Hypervisor failed to properly synchronize TSC across logical processors (Max delta: MaxDelta, Min delta: MinDelta).

Message #

Hypervisor failed to properly synchronize TSC across logical processors (Max delta: %1, Min delta: %2).

Fields #

Name	Description
`MaxDelta` Int64
`MinDelta` Int64

Event ID 155: Host processor features mask: BankCount.

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: Microsoft-Windows-Hyper-V-Hypervisor-Admin
Level: Informational
Opcode: Info

Description

Host processor features mask: BankCount.

Message #

Host processor features mask: %1

Host xsave features mask: %2

Host cache line flush size: %3 bytes

Fields #

Name	Description
`BankCount` UInt8
`ProcessorFeatures` HexInt64
`XsaveFeatures` HexInt64
`CLFlushSize` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Hyper-V-Hypervisor",
    "guid": "52FC89F8-995E-434C-A91E-199986449890",
    "event_source_name": "",
    "event_id": 155,
    "version": 1,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018427387904,
    "time_created": "2026-03-11T06:27:24.431418+00:00",
    "event_record_id": 2,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 364
    },
    "channel": "Microsoft-Windows-Hyper-V-Hypervisor-Admin",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "BankCount": 2,
    "ProcessorFeatures": "0x800040",
    "XsaveFeatures": "0x1f",
    "CLFlushSize": 64
  },
  "message": ""
}

Event ID 156: Hypervisor initial page allocation NUMA policy: .

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: Microsoft-Windows-Hyper-V-Hypervisor-Admin
Level: Informational
Opcode: Info

Description

Hypervisor configured mitigations for CVE-2018-3646 for virtual machines.

Message #

Hypervisor initial page allocation NUMA policy: %1

Fields #

Name	Description
`InitialAllocationNumaPolicy` UInt32	Hypervisor initial page allocation NUMA policy.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Hyper-V-Hypervisor",
    "guid": "52FC89F8-995E-434C-A91E-199986449890",
    "event_source_name": "",
    "event_id": 156,
    "version": 1,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018427387904,
    "time_created": "2023-11-06T06:24:56.253950+00:00",
    "event_record_id": 6,
    "correlation": {
      "ActivityID": "A94F03D9-96B8-C53E-D5D7-00FBA9067B3F"
    },
    "execution": {
      "process_id": 4,
      "thread_id": 8
    },
    "channel": "Microsoft-Windows-Hyper-V-Hypervisor-Admin",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "InitialAllocationNumaPolicy": 0
  },
  "message": ""
}

Event ID 156: Hypervisor configured mitigations for CVE-2018-3646 for virtual machines.

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: System
Level: Informational
Opcode: Info

Description

Hypervisor configured mitigations for CVE-2018-3646 for virtual machines.

Message #

Hypervisor configured mitigations for CVE-2018-3646 for virtual machines.

Processor not affected: %1
Processor family not affected: %2
Processor supports cache flush: %3
HyperThreading enabled: %4
Parent hypervisor applies mitigations: %5
Mitigations disabled by bcdedit: %6
Mitigations enabled: %7
Cache flush needed: %8

Fields #

Name	Description
`InitialAllocationNumaPolicy` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Hyper-V-Hypervisor",
    "guid": "{52FC89F8-995E-434C-A91E-199986449890}",
    "event_source_name": "",
    "event_id": 156,
    "version": 1,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018427387904,
    "time_created": "2026-06-13T13:53:35.1686229+00:00",
    "event_record_id": 21,
    "correlation": {
      "ActivityID": "{1852914D-A1EE-1312-1B27-5880A2868F7E}"
    },
    "execution": {
      "process_id": 4,
      "thread_id": 8
    },
    "channel": "Microsoft-Windows-Hyper-V-Hypervisor-Admin",
    "computer": "telemetry-W11-d.cell-d.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "InitialAllocationNumaPolicy": "2"
  },
  "message": "Hypervisor initial page allocation NUMA policy: Proportional NUMA distribution"
}

Event ID 157: The hypervisor did not enable mitigations for side channel vulnerabilities for virtual machines because HyperThreading is enabled and the hyperviso...

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: System
Opcode: Info

Description

The hypervisor did not enable mitigations for CVE-2018-3646, CVE-2019-11091, CVE-2018-12126, CVE-2018-12127, and CVE-2018-12130 for virtual machines because HyperThreading is enabled and the hypervisor core scheduler is not enabled. To enable mitigations for virtual machines, enable the core scheduler by running "bcdedit /set hypervisorschedulertype core" from an elevated command prompt and reboot.

Message #

The hypervisor did not enable mitigations for side channel vulnerabilities for virtual machines because HyperThreading is enabled and the hypervisor core scheduler is not enabled. To enable mitigations for virtual machines, enable the core scheduler by running "bcdedit /set hypervisorschedulertype core" from an elevated command prompt and reboot.

Event ID 158: The queried interface version Max is not supported (Min : CurrentVersion, Max : MinVersion).

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: System
Opcode: Info

Description

The queried interface version Max is not supported (Min : CurrentVersion, Max : MinVersion).

Message #

The queried interface version %1 is not supported (Min : %2, Max : %3).

Fields #

Name	Description
`CurrentVersion` UInt8
`MinVersion` UInt8
`MaxVersion` UInt8

Event ID 159: The queried interface is incomplete.

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: System
Opcode: Info

Description

The queried interface is incomplete.

Message #

The queried interface is incomplete.

Event ID 160: Partition persistence services will be unavailable.

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: System
Opcode: Info

Description

Partition persistence services will be unavailable.

Message #

Partition persistence services will be unavailable.

Event ID 161: The configured Minroot settings are not compatible with the hypervisor core scheduler and have been overriden.

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: System
Opcode: Info

Description

The configured Minroot settings are not compatible with the hypervisor core scheduler and have been overriden. This may expose a different number of logical processors to the root partition.

Message #

The configured Minroot settings are not compatible with the hypervisor core scheduler and have been overriden. This may expose a different number of logical processors to the root partition.

Event ID 162: Failed to unregister the remote hypercall interface (status NtStatus).

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: System
Opcode: Info

Description

Failed to unregister the remote hypercall interface (status NtStatus).

Message #

Failed to unregister the remote hypercall interface (status %1).

Fields #

Name	Description
`NtStatus` HexInt32

Event ID 163: The hypervisor encountered an internal error: nested NMI (processor Processor).

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: Microsoft-Windows-Hyper-V-Hypervisor-Operational

Description

The hypervisor encountered an internal error: nested NMI (processor Processor).

Message #

The hypervisor encountered an internal error: nested NMI (processor %1).

Fields #

Name	Description
`Processor` UInt32

Event ID 164: The hypervisor encountered an internal error: IPI timeout (processor Processor).

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: Microsoft-Windows-Hyper-V-Hypervisor-Operational

Description

The hypervisor encountered an internal error: IPI timeout (processor Processor).

Message #

The hypervisor encountered an internal error: IPI timeout (processor %1).

Fields #

Name	Description
`Processor` UInt32

Event ID 165: Hypervisor configured mitigations for CVE-2019-11091, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130 for virtual machines.

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: System
Level: Informational
Opcode: Info

Description

Hypervisor configured mitigations for CVE-2019-11091, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130 for virtual machines.

Message #

Hypervisor configured mitigations for CVE-2019-11091, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130 for virtual machines.

Processor not affected: %1
Processor family not affected: %2
Processor supports microarchitectural buffer flush: %3
Buffer flush needed: %4

Fields #

Name	Description
`NotAffectedMdsNo` Boolean
`NotAffectedAtom` Boolean
`MdClearSupported` Boolean
`BufferFlushNeeded` Boolean

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Hyper-V-Hypervisor",
    "guid": "52FC89F8-995E-434C-A91E-199986449890",
    "event_source_name": "",
    "event_id": 165,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223442405598953472,
    "time_created": "2026-03-11T06:27:08.616931+00:00",
    "event_record_id": 2712,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 8
    },
    "channel": "System",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "NotAffectedMdsNo": false,
    "NotAffectedAtom": false,
    "MdClearSupported": true,
    "BufferFlushNeeded": true
  },
  "message": ""
}

Event ID 166: Hypervisor Load Options are conflicting - LoadOptions, LoadFlags.

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: Microsoft-Windows-Hyper-V-Hypervisor-Admin
Opcode: Info

Description

Hypervisor Load Options are conflicting - LoadOptions, LoadFlags.

Message #

Hypervisor Load Options are conflicting - %1, %2.

Fields #

Name	Description
`LoadOptions` AnsiString
`LoadFlags` HexInt64

Event ID 167: The hypervisor did not enable mitigations for side channel vulnerabilities for virtual machines because HyperThreading is enabled.

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: System
Opcode: Info

Description

The hypervisor did not enable mitigations for side channel vulnerabilities for virtual machines because HyperThreading is enabled. To enable mitigations for virtual machines, disable HyperThreading.

Message #

The hypervisor did not enable mitigations for side channel vulnerabilities for virtual machines because HyperThreading is enabled. To enable mitigations for virtual machines, disable HyperThreading.

Event ID 168: AMD PSP PCI device discovered.

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: System
Opcode: Info

Description

AMD PSP PCI device discovered. Segment: AMD_PSP_PCI_device_discovered_Segment, bus: bus, device: device, function: function.

Message #

AMD PSP PCI device discovered. Segment: %1, bus: %2, device: %3, function: %4.

Fields #

Name	Description
`Segment` UInt16
`Bus` UInt8
`Device` UInt8
`Function` UInt8

Event ID 169: Secure firmware update status: Secure_firmware_update_status.

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: System
Opcode: Info

Description

Secure firmware update status: Secure_firmware_update_status.

Message #

Secure firmware update status: %1.

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Event ID 170: Secure firmware image invalid.

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: System
Opcode: Info

Description

Secure firmware image invalid.

Message #

Secure firmware image invalid.

Event ID 171: Secure firmware version: Secure_firmware_version.

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: System
Opcode: Info

Description

Secure firmware version: Secure_firmware_version.

Message #

Secure firmware version: %1.

Fields #

Name	Description
`Version` UInt64

Event ID 172: Features are enabled that require all processors be started.

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: Microsoft-Windows-Hyper-V-Hypervisor-Admin
Opcode: Info

Description

Features are enabled that require all processors be started. RunningProcessors of AvailableProcessors processors currently running.

Message #

Features are enabled that require all processors be started. %1 of %2 processors currently running.

Fields #

Name	Description
`RunningProcessors` UInt32
`AvailableProcessors` UInt32

Event ID 173: On the prior boot session, the root partition did not respond to the synthetic watchdog in time, triggering a hardware watchdog reboot.

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: System
Opcode: Info

Description

On the prior boot session, the root partition did not respond to the synthetic watchdog in time, triggering a hardware watchdog reboot.

Message #

On the prior boot session, the root partition did not respond to the synthetic watchdog in time, triggering a hardware watchdog reboot.

Event ID 8451: Hyper-V failed creating a new partition (status Error)!

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: Microsoft-Windows-Hyper-V-Hypervisor-Operational
Opcode: Info

Description

Hyper-V failed creating a new partition (status Error)!

Message #

Hyper-V failed creating a new partition (status %1)!

Fields #

Name	Description
`Error` HexInt64

Event ID 12288: RegisterInterface

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: Operational
Task: RegisterInterface

Fields #

Name	Description
`FailurePhase` UInt32
`NtStatus` UInt32

Event ID 12289: HvldrIoctl

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: Operational
Task: HvldrIoctl

Fields #

Name	Description
`AuxData` UInt64
`NtStatus` UInt32

Event ID 12290: RemoteHypercall

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: Operational
Task: RemoteHypercall

Fields #

Name	Description
`AuxData` UInt64
`NtStatus` UInt32

Event ID 12291: HvldrCreatePartition

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: Operational
Task: HvldrCreatePartition

Fields #

Name	Description
`PartitionId` UInt64
`NtStatus` UInt32
`AuxiliaryData` UInt64

Event ID 12292: RegisterPartitionId

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: Operational
Task: RegisterPartitionId

Fields #

Name	Description
`PartitionId` UInt64
`NtStatus` UInt32
`AuxiliaryData` UInt64

Event ID 12293: HvldrDeletePartition

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: Operational
Task: HvldrDeletePartition

Fields #

Name	Description
`PartitionId` UInt64
`NtStatus` UInt32
`AuxiliaryData` UInt64

Event ID 12294: HvldrDepositMemory

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: Operational
Task: HvldrDepositMemory

Fields #

Name	Description
`PartitionId` UInt64
`NtStatus` UInt32
`AuxiliaryData` UInt64

Event ID 12295: HvldrMapGpaPages

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: Operational
Task: HvldrMapGpaPages

Fields #

Name	Description
`PartitionId` UInt64
`NtStatus` UInt32
`AuxiliaryData` UInt64

Event ID 12296: HvldrUnmapGpaSpace

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: Operational
Task: HvldrUnmapGpaSpace

Fields #

Name	Description
`PartitionId` UInt64
`NtStatus` UInt32
`AuxiliaryData` UInt64

Event ID 12297: HvldrNumaDistributedAllocation

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: Operational
Task: HvldrNumaDistributedAllocation

Fields #

Name	Description
`TotalSystemPages` HexInt64
`TotalPagesRequested` HexInt32
`Policy` UInt32
`ProximityDomainCount` UInt32
`AllocationPass` UInt32
`ProximityDomainIndex` UInt32
`ProximityDomainId` HexInt32
`TotalDomainPages` HexInt64
`PagesRequested` HexInt32
`BalStatus` HexInt64
`PagesAllocated` HexInt32

Event ID 12298: HvldrGetLpRegisterMsr

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: Operational
Task: HvldrGetLpRegisterMsr

Fields #

Name	Description
`AuxData` UInt64
`NtStatus` UInt32

Event ID 12299: HvldrGetLpRegisterCpuid

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: Operational
Task: HvldrGetLpRegisterCpuid

Fields #

Name	Description
`AuxData` UInt64
`NtStatus` UInt32

Event ID 12300: HvldrReadSystemMemory

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: Operational
Task: HvldrReadSystemMemory

Fields #

Name	Description
`AuxData` UInt64
`NtStatus` UInt32

Event ID 12301: HvldrGetMtrrs

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: Operational
Task: HvldrGetMtrrs

Fields #

Name	Description
`AuxData` UInt64
`NtStatus` UInt32

Event ID 12302: HvldrGetPlatformCaps

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: Operational
Task: HvldrGetPlatformCaps

Fields #

Name	Description
`BalStatus` HexInt64

Event ID 12303: HvldrHsrInUse

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: Operational
Task: HvldrHsrInUse

Fields #

Name	Description
`HsrInUse` Boolean
`Reason` UInt32

Event ID 12304: HvldrConfigureIommuLiveHandoff

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: Operational
Task: HvldrConfigureIommuLiveHandoff

Fields #

Name	Description
`AuxData` UInt64
`NtStatus` UInt32

Event ID 12305: HvldrGetIdleStateConfig

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: Operational
Task: HvldrGetIdleStateConfig

Fields #

Name	Description
`AuxData` UInt64
`NtStatus` UInt32

Event ID 12306: HvldrGetVpRegisters

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: Operational
Task: HvldrGetVpRegisters

Fields #

Name	Description
`AuxData` UInt64
`NtStatus` UInt32

Event ID 12307: HvldrGetLogicalProcessorProperty

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: Operational
Task: HvldrGetLogicalProcessorProperty

Fields #

Name	Description
`AuxData` UInt64
`NtStatus` UInt32

Event ID 12308: HvldrDisableHypervisor

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: Operational
Task: HvldrDisableHypervisor

Fields #

Name	Description
`AuxData` UInt64
`NtStatus` UInt32

Event ID 12309: HvldrDisableHypervisor12309

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: Operational
Task: HvldrDisableHypervisor

Fields #

Name	Description
`AuxData` UInt64
`NtStatus` UInt32

Event ID 12310: HvldrPrepareProtoHypervisor

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: Operational
Task: HvldrPrepareProtoHypervisor

Fields #

Name	Description
`AuxData` UInt64
`NtStatus` UInt32

Event ID 12311: HvldrImageLoadInfo

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: Operational
Task: HvldrImageLoadInfo

Fields #

Name	Description
`ImageName` UnicodeString
`Checksum` UInt32
`Timestamp` UInt32
`NtStatus` UInt32

Event ID 12312: HvldrReadHvRegister

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: Operational
Task: HvldrReadHvRegister

Fields #

Name	Description
`AuxData` UInt64
`NtStatus` UInt32

Event ID 12313: HvldrProcessInterruptControllers

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: Operational
Task: HvldrProcessInterruptControllers

Fields #

Name	Description
`AuxData` UInt64
`NtStatus` UInt32

Event ID 12314: HvldrHsrMirroringInUse

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: Operational
Task: HvldrHsrMirroringInUse

Fields #

Name	Description
`HsrInUse` Boolean
`Reason` UInt32

Event ID 12315: HvldrDebugMsg

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: Operational
Task: HvldrDebugMsg

Fields #

Name	Description
`LoadOptions` AnsiString

Event ID 12316: HvldrDebugMsg12316

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: Operational
Task: HvldrDebugMsg

Fields #

Name	Description
`LoadOptions` AnsiString

Event ID 12317: HvldrFailureLocation

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: Operational
Task: HvldrFailureLocation

Fields #

Name	Description
`BaseLocation` AnsiString
`Line` UInt32
`BalStatus` HexInt64
`AuxData` UInt64

Event ID 12550: Hyper-V detected access to a restricted MSR.

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: Microsoft-Windows-Hyper-V-Hypervisor-Operational
Opcode: Info

Description

Hyper-V detected access to a restricted MSR (Msr: Msr, IsWrite: IsWrite, MsrValue: MsrValue, AccessStatus: AccessStatus, Pc: Pc, ImageBase: ImageBase, ImageChecksum: ImageChecksum, ImageTimestamp: ImageTimestamp, ImageName: ImageName).

Message #

Hyper-V detected access to a restricted MSR (Msr: %1, IsWrite: %2, MsrValue: %3, AccessStatus: %4, Pc: %5, ImageBase: %6, ImageChecksum: %7, ImageTimestamp: %8, ImageName: %9).

Fields #

Name	Description
`Msr` HexInt32
`IsWrite` UInt8
`MsrValue` HexInt64
`AccessStatus` UInt16
`Pc` HexInt64
`ImageBase` HexInt64
`ImageChecksum` HexInt32
`ImageTimestamp` HexInt32
`ImageName` AnsiString

Event ID 16641: Hyper-V successfully created a new partition (partition PartitionId).

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: Microsoft-Windows-Hyper-V-Hypervisor-Operational
Level: Informational
Opcode: Info

Description

Hyper-V successfully created a new partition (partition PartitionId).

Message #

Hyper-V successfully created a new partition (partition %1).

Fields #

Name	Description
`PartitionId` UInt64

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Hyper-V-Hypervisor",
    "guid": "52FC89F8-995E-434C-A91E-199986449890",
    "event_source_name": "",
    "event_id": 16641,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 2305843009213693952,
    "time_created": "2026-03-11T06:32:05.545260+00:00",
    "event_record_id": 1,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 2472
    },
    "channel": "Microsoft-Windows-Hyper-V-Hypervisor-Operational",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "PartitionId": 2
  },
  "message": ""
}

Event ID 16642: Hyper-V successfully deleted a partition (partition PartitionId).

Provider: Microsoft-Windows-Hyper-V-Hypervisor
Channel: Microsoft-Windows-Hyper-V-Hypervisor-Operational
Level: Informational
Opcode: Info

Description

Hyper-V successfully deleted a partition (partition PartitionId).

Message #

Hyper-V successfully deleted a partition (partition %1).

Fields #

Name	Description
`PartitionId` UInt64

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Hyper-V-Hypervisor",
    "guid": "52FC89F8-995E-434C-A91E-199986449890",
    "event_source_name": "",
    "event_id": 16642,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 2305843009213693952,
    "time_created": "2026-03-13T20:09:16.550106+00:00",
    "event_record_id": 2,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 424
    },
    "channel": "Microsoft-Windows-Hyper-V-Hypervisor-Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "PartitionId": 2
  },
  "message": ""
}

Provenance

Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.

ETW provider GUID 52fc89f8-995e-434c-a91e-199986449890

Defined in hvservice.sys, the binary that emits these events.

Observed on:

WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.1, captured 2026-06-02
Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.1, captured 2026-06-02

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)