Microsoft-Windows-Install-Agent
9 events across 1 channel
| Event | Title | Channel | Sample |
|---|---|---|---|
| 2000 | Process Name: Process Name. | Operational | Y |
| 2001 | Function Error: Source Function: Error Source: Message (ErrorCode). | Operational | N |
| 2002 | Function Error: Source Function: Error Source: Message (ErrorCode). | Operational | N |
| 2003 | Function Error: Source Function: Error Source: Message (ErrorCode). | Operational | N |
| 2004 | Function Error: Source Function: Error Source: Message (ErrorCode). | Operational | N |
| 2005 | Message Error: Error Code Function: Function Source: Source (Line Number). | Operational | Y |
| 2006 | Message Error: Error Code Function: Function Source: Source (Line Number). | Operational | Y |
| 2007 | Message Error: Error Code Function: Function Source: Source (Line Number). | Operational | Y |
| 2008 | Message Error: Error Code Function: Function Source: Source (Line Number). | Operational | Y |
Event ID 2000: Process Name: Process Name.
#Description
Process Name: Process Name.
Message #
Fields #
| Name | Description |
|---|---|
Process Name | |
Module Name | |
Build Name | |
ProcessName | |
ModuleName | |
BuildName |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Install-Agent",
"guid": "{E0C6F6DE-258A-50E0-AC1A-103482D118BC}",
"event_source_name": "",
"event_id": 2000,
"version": 0,
"level": 4,
"task": 2000,
"opcode": 0,
"keywords": -9223372036317904896,
"time_created": "2026-06-13T12:05:31.3828960+00:00",
"event_record_id": 37743,
"correlation": {
"ActivityID": "{C62F76BC-EF88-0008-357D-2FC688EFDC01}"
},
"execution": {
"process_id": 11220,
"thread_id": 3096
},
"channel": "Microsoft-Windows-Store/Operational",
"computer": "telemetry-W11-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Process Name": "C:\\WINDOWS\\uus\\AMD64\\MoUsoCoreWorker.exe",
"Module Name": "C:\\Windows\\System32\\InstallService.dll",
"Build Name": "26100.1.amd64fre.ge_release.240331-1435, UBR: 6584"
},
"message": "Process Name: C:\\WINDOWS\\uus\\AMD64\\MoUsoCoreWorker.exe\r\nModule Name: C:\\Windows\\System32\\InstallService.dll\r\nBuild: 26100.1.amd64fre.ge_release.240331-1435, UBR: 6584\r\n"
}
Event ID 2001: Function Error: Source Function: Error Source: Message (ErrorCode).
#Event ID 2002: Function Error: Source Function: Error Source: Message (ErrorCode).
#Event ID 2003: Function Error: Source Function: Error Source: Message (ErrorCode).
#Event ID 2004: Function Error: Source Function: Error Source: Message (ErrorCode).
#Event ID 2005: Message Error: Error Code Function: Function Source: Source (Line Number).
#Description
Message Error: Error Code Function: Function Source: Source (Line Number)
Message #
Fields #
| Name | Description |
|---|---|
Message UnicodeString | |
Function AnsiString | |
Error Code | |
Source AnsiString | |
Line Number | |
CorrelationVector AnsiString | |
ProductId UnicodeString | |
ErrorCode | |
LineNumber |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Install-Agent",
"guid": "{E0C6F6DE-258A-50E0-AC1A-103482D118BC}",
"event_source_name": "",
"event_id": 2005,
"version": 0,
"level": 5,
"task": 2002,
"opcode": 15,
"keywords": -9223372036317904896,
"time_created": "2026-06-13T12:05:31.6576119+00:00",
"event_record_id": 37748,
"correlation": {
"ActivityID": "{C62F76BC-EF88-0008-357D-2FC688EFDC01}"
},
"execution": {
"process_id": 11220,
"thread_id": 3096
},
"channel": "Microsoft-Windows-Store/Operational",
"computer": "telemetry-W11-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Message": "oneSettingsOnlineScanCooldownLength (in seconds) = 1800",
"Function": "InitializeInstallServiceConfiguration",
"Error Code": "-1",
"Source": "onecoreuap\\enduser\\winstore\\installservice\\lib\\settings.cpp",
"Line Number": "1014",
"CorrelationVector": "NULL",
"ProductId": "NULL"
},
"message": "oneSettingsOnlineScanCooldownLength (in seconds) = 1800\r\nError: Unknown HResult Error code: 0xefffffff\r\nFunction: InitializeInstallServiceConfiguration\r\nSource: onecoreuap\\enduser\\winstore\\installservice\\lib\\settings.cpp (1014)"
}
Event ID 2006: Message Error: Error Code Function: Function Source: Source (Line Number).
#Description
Message Error: Error Code Function: Function Source: Source (Line Number)
Message #
Fields #
| Name | Description |
|---|---|
Message UnicodeString | |
Function AnsiString | |
Error Code | |
Source AnsiString | |
Line Number | |
CorrelationVector AnsiString | |
ProductId UnicodeString | |
ErrorCode | |
LineNumber |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Install-Agent",
"guid": "{E0C6F6DE-258A-50E0-AC1A-103482D118BC}",
"event_source_name": "",
"event_id": 2006,
"version": 0,
"level": 4,
"task": 2002,
"opcode": 14,
"keywords": -9223372036317904896,
"time_created": "2026-06-13T12:05:31.3831276+00:00",
"event_record_id": 37744,
"correlation": {
"ActivityID": "{C62F76BC-EF88-0008-357D-2FC688EFDC01}"
},
"execution": {
"process_id": 11220,
"thread_id": 3096
},
"channel": "Microsoft-Windows-Store/Operational",
"computer": "telemetry-W11-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Message": "Setting MSA Client Id for Token requests: {f0c62012-2cef-4831-b1f7-930682874c86}",
"Function": "",
"Error Code": "-2147467259",
"Source": "onecoreuap\\enduser\\winstore\\auth\\lib\\winstoreauth.cpp",
"Line Number": "206",
"CorrelationVector": "NULL",
"ProductId": "NULL"
},
"message": "Setting MSA Client Id for Token requests: {f0c62012-2cef-4831-b1f7-930682874c86}\r\nError: Unspecified error\r\nFunction: \r\nSource: onecoreuap\\enduser\\winstore\\auth\\lib\\winstoreauth.cpp (206)"
}
Event ID 2007: Message Error: Error Code Function: Function Source: Source (Line Number).
#Description
Message Error: Error Code Function: Function Source: Source (Line Number)
Message #
Fields #
| Name | Description |
|---|---|
Message UnicodeString | |
Function AnsiString | |
Error Code | |
Source AnsiString | |
Line Number | |
CorrelationVector AnsiString | |
ProductId UnicodeString | |
ErrorCode | |
LineNumber |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Install-Agent",
"guid": "{E0C6F6DE-258A-50E0-AC1A-103482D118BC}",
"event_source_name": "",
"event_id": 2007,
"version": 0,
"level": 3,
"task": 2002,
"opcode": 13,
"keywords": -9223372036317904896,
"time_created": "2026-06-13T09:28:36.2082075+00:00",
"event_record_id": 37555,
"correlation": {
"ActivityID": "{C9E5CB0E-A4DF-40FD-A948-956300000000}"
},
"execution": {
"process_id": 556,
"thread_id": 10192
},
"channel": "Microsoft-Windows-Store/Operational",
"computer": "telemetry-W11-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Message": "InstallService InProc Caller. Current Thread not impersonating. Using current process (LocalSystem)",
"Function": "CallerContext::_getCallerToken",
"Error Code": "-1",
"Source": "onecoreuap\\enduser\\winstore\\installservice\\lib\\callercontext.cpp",
"Line Number": "85",
"CorrelationVector": "NULL",
"ProductId": "NULL"
},
"message": "InstallService InProc Caller. Current Thread not impersonating. Using current process (LocalSystem)\r\nError: Unknown HResult Error code: 0xefffffff\r\nFunction: CallerContext::_getCallerToken\r\nSource: onecoreuap\\enduser\\winstore\\installservice\\lib\\callercontext.cpp (85)"
}
Event ID 2008: Message Error: Error Code Function: Function Source: Source (Line Number).
#Description
Message Error: ErrorCode Function: Function Source: Source (LineNumber)
Message #
Fields #
| Name | Description |
|---|---|
Message UnicodeString | |
Function AnsiString | |
ErrorCode Int32 | |
Source AnsiString | |
LineNumber UInt32 | |
CorrelationVector AnsiString | |
ProductId UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Install-Agent",
"guid": "E0C6F6DE-258A-50E0-AC1A-103482D118BC",
"event_source_name": "",
"event_id": 2008,
"version": 0,
"level": 2,
"task": 2002,
"opcode": 12,
"keywords": 9223372037391646720,
"time_created": "2026-03-12T00:24:04.559033+00:00",
"event_record_id": 32183,
"correlation": {
"ActivityID": "600E983C-BADA-43E1-802F-FD337EE8DF9F"
},
"execution": {
"process_id": 10328,
"thread_id": 10224
},
"channel": "Microsoft-Windows-Store/Operational",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Message": "Failed to query app usage, Not Marking as Stub.HResult = -804847529, Identifer = S-1-5-21-1006758700-2167138679-1475694448-1105 ",
"Function": "Windows::Internal::InstallService::Control::ShouldPackageBeMarkedForStubification",
"Error Code": 0,
"Source": "onecoreuap\\enduser\\winstore\\installservice\\libqueue2\\stubs.cpp",
"Line Number": 346,
"CorrelationVector": "",
"ProductId": ""
},
"message": ""
}
Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID e0c6f6de-258a-50e0-ac1a-103482d118bc
Defined in InstallService.dll, which carries the event manifest.
Observed on:
- WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.1, captured 2026-06-02
- Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.3915, captured 2026-06-02