Microsoft-Windows-Kernel-Boot

261 events across 3 channels

Event	Title	Channel	Sample
1	System was booted in WidthxHeight@BitsPerPixelbpp.	Analytic	N
2	BootUX screen was displayed in WidthxHeight@BitsPerPixelbpp.	Analytic	N
3	Video bit transfer rate is BytesPerMs bytes per ms.	Analytic	N
4	Boot library accessed file FileName on Device DeviceID.	Analytic	N
5	File IO for boot application ApplicationGuid: Total Bytes Read = BytesRead, …	Analytic	N
6	Image ImageName failed IntegrityCheck reason is Reason.	Analytic	N
7	Bootmgr duration is BootmgrTime milliseconds.	Analytic	N
8	Image ImageName is not self-signed.	Analytic	N
9	A device (DriveNumber) that was enumerated by the BIOS was inaccessible to the …	Analytic	N
10	The system firmware has allocated a memory region previously determined to be …	System	N
11	The time elapsed before Bootmgr, based on the TSC, is PreBootMgrTime ms.	Analytic	N
12	Variable UefiVariableName requires Size bytes and was set with status Status.	Analytic	N
13	Element Element of application ApplicationGuid was not in policy.	Analytic	N
14	A Secure Boot Policy update resulted in status Status.	Analytic	N
15	A Secure Boot Revocation List update resulted in status Status.	Analytic	N
16	Windows failed to resume from hibernate with error status FailureStatus.	System	N
17	The boot manager multi OS selection screen was displayed.	System	N
18	There are EntryCount boot options on this system.	System	Y
19	There are ToolsCount boot tool options on this system.	System	N
20	The last shutdown's success status was LastShutdownGood.	System	Y
21	The OS loader advanced options menu was displayed and the user selected option …	System	N
22	The OS loader edit options menu was displayed.	System	N
23	The Windows key was pressed during boot.	System	N
24	The F8 key was pressed during boot.	System	N
25	The boot menu policy was BootMenuPolicy.	System	Y
26	A one-time boot sequence was used during this boot.	System	Y
27	The boot type was BootType.	System	Y
28	task_028	Operational	N
29	Windows failed fast startup with error status FailureStatus.	System	N
30	The firmware reported boot metrics.	System	N
31	Initialization of the firmware crypto hash provider resulted in status Status.	Analytic	N
32	The bootmgr spent BitlockerUserInputTime ms waiting for user input.	System	Y
33	The firmware update capsule (ImageName) failed to load with status …	Analytic	N
34	The PE/COFF image firmware update capsule (PeImageName) failed to load with …	Analytic	N
35	The Efi UpdateCapsule failed to apply updates with status UpdateCapsuleStatus.	Operational	N
36	Firmware update supported status is UpdateSupportedStatus.	Analytic	N
37	The firmware update capsule (ImageName) code integrity check failed with status …	Analytic	N
38	Windows failed to load the required system file ImageName with error status …	Operational	N
39	Windows failed to load the system registry file HiveName with error status …	Operational	N
40	Windows failed to initialize the ACPI with error status Status.	Operational	N
41	Windows failed to load with error status Status.	Operational	N
42	Windows failed to load image FailedPath imported from Path with error status …	Operational	N
43	Windows failed to import Import from image Path with error status Status.	Operational	N
44	Windows failed to provision VSM Identity Key.	Operational	N
45	VSM Identity Key Provisioning.	Operational	Y
46	Retrieving the driver list took RetrieveDriverListTime milliseconds.	Analytic	N
47	Loading the drivers took LoadDriversTime milliseconds.	Analytic	N
48	Loading hive Path took LoadHiveTime milliseconds.	Analytic	N
49	Windows system integrity policy does not allow to load the required system file …	Operational	N
50	Windows failed to provision VSM Master Encryption Key.	Operational	N
51	VSM Master Encryption Key Provisioning.	Operational	Y
52	The time elapsed loading ApplicationIdentifier was ApplicationLoadTime ms.	Analytic	N
53	The time elapsed executing ApplicationIdentifier was ApplicationExecutionTime …	Analytic	N
54	Building chunk table for WIM compressed file FileName failed with status: …	Analytic	N
55	Soft Restart failed to prepare target Operating System.	Analytic	N
56	Boot application failed to process persistent data with status: Status.	Analytic	N
57	Windows failed to provision the TPM Storage Root Key with error status.	Operational	N
58	Windows successfully provisioned the TPM Storage Root Key.	Operational	N
59	Windows failed to provision TPM binding information with error …	Operational	N
60	NFIT ACPI table is not properly formed, and could not be parsed.	Operational	N
61	MeasuredLaunchTxtLaunchPrepared	Analytic	N
62	Previous error detected while attempting to execute Measured Launch Environment.	Operational	N
63	MeasuredLaunchInvalidTxtSinitRange	Analytic	N
64	MeasuredLaunchInvalidTxtHeapRange	Analytic	N
65	MeasuredLaunchMleLoadFailure	Analytic	N
66	MeasuredLaunchMissingRsdpTable	Analytic	N
67	MeasuredLaunchNoSinitAcm	Analytic	N
68	MeasuredLaunchInvalidTxtHeapBiosDataSize	Analytic	N
69	MeasuredLaunchMleHeaderTooOld	Analytic	N
70	MeasuredLaunchComputePmrRangesFailure	Analytic	N
71	FileOpenOpenFailure	Operational	N
72	MeasuredLaunchPrepareLcpFailure	Analytic	N
73	Firmware provided SINIT ACM not used.	Operational	N
74	Windows failed to provision DRTM-bound VSM Master Encryption Key .	Operational	N
75	Windows successfully provisioned DRTM-bound VSM Master Encryption Key.	Operational	N
76	BootDebuggerBdEnabled	Operational	N
77	BootDebuggerBdInitFailure	Operational	N
78	KernelDebuggerKdInitFailure	Operational	N
79	KernelDebuggerKdEnabled	Operational	N
80	FASR Platform Verification.	Operational	Y
81	Windows skipped provisioning the TPM Storage Root Key because the …	Operational	N
82	Trace point: Function:Function Point:Point Status:NTStatus.	Operational	N
83	VSM Master Key Array Package Read and Unseal From Disk.	Operational	N
84	Seal and Store on Disk Status.	Operational	N
85	Read and Unseal Master Key Array Package Status.	Operational	Y
86	Get Plaintext Master Key Array Status.	Operational	N
87	Read and Unseal Master Key Array Package error.	Operational	N
88	Read and Unseal Master Key Array Package Status.	Operational	N
89	Create Sealed Encrypt Key Status.	Operational	N
90	Get Sealed Protector Status.	Operational	N
91	SRTM PCR Values.	Operational	N
92	Event ID 92	Operational	N
100	InitializeLibraryStart_V1	Operational	N
101	InitializeLibraryStop	Operational	N
102	PrepareTargetStart_V2	Operational	N
103	PrepareTargetStop	Operational	N
104	RebuildKernelMemoryMapStart	Operational	N
105	RebuildKernelMemoryMapStop	Operational	N
106	PersistMemoryStart	Operational	N
107	PersistMemoryStop	Operational	N
108	FatalError	Operational	N
109	CleanupPageDatabaseStart	Operational	N
110	CleanupPageDatabaseStop	Operational	N
111	FreePersistedMemoryStart	Operational	N
112	FreePersistedMemoryStop	Operational	N
113	ClaimPersistedMemoryStart	Operational	N
114	ClaimPersistedMemoryStop	Operational	N
115	Soft reboot cancellation started: Soft_reboot_cancellation_started.	System	N
116	Soft reboot cancellation finished: Soft_reboot_cancellation_finished.	System	N
117	AttachPersistentPageDatabaseStart	Operational	N
118	AttachPersistentPageDatabaseStop	Operational	N
119	MemoryBlockRundown	Operational	N
120	BuildKernelMemoryMapStart	Operational	N
121	BuildKernelMemoryMapStop	Operational	N
122	GetMemoryMapStart	Operational	N
123	GetMemoryMapStop	Operational	N
124	The virtualization-based security enablement policy check at phase Phase failed …	System	Y
126	AllocatePhysicalPagesForMdlStart	Operational	N
127	AllocatePhysicalPagesForMdlStop	Operational	N
128	ExecuteTransitionStart	Operational	N
129	DisconnectHypervisorStart	Operational	N
130	MemoryMapRundown	Operational	N
131	MemoryMapRundownStart	Operational	N
132	MemoryMapRundownStop	Operational	N
133	PhysicalPageAllocationFailure_V1	Operational	N
134	WaitForPartitionsRestoredStart	Operational	N
135	WaitForPartitionsRestoredStop	Operational	N
136	Soft Restart failed to complete with status: Status due to OutstandingCount …	Operational	N
137	MemoryPartitionRestoreStart	Operational	N
138	MemoryPartitionRestoreStop_V2	Operational	N
139	Soft Restart failed to restore memory partition Identifier with status: Status.	Operational	N
140	PersistMemoryPartitionStart	Operational	N
141	PersistMemoryPartitionStop_V1	Operational	N
142	Soft Restart failed to register with Soft Restart extension.	Operational	N
143	MemoryPartitionsRestored	Operational	N
144	QueryStatisticsStart	Operational	N
145	QueryStatisticsStop	Operational	N
146	Soft Restart failed to establish connection with secure load with status: …	Operational	N
147	FreePersistedMemoryBlockStart	Operational	N
148	FreePersistedMemoryBlockStop	Operational	N
149	PrepareNotificationStart	Operational	N
150	PrepareNotificationStop_V1	Operational	N
151	PartitionInitialAddMemoryStart_V2	Operational	N
152	PartitionInitialAddMemoryStop	Operational	N
153	Virtualization-based security (policies: VsmPolicy) is EnableDisableReason.	System	Y
154	Boot Policy Migration used an authenticated variable.	Operational	Y
155	Boot Policy Migration used an unauthenticated variable.	Operational	N
156	Virtualization-based security (policies: VsmPolicy) is EnableDisableReason with …	System	Y
157	Info: Info Status: Status.	Operational	N
158	Error: DiagCode Status: Status.	Operational	Y
159	RemoveEnclavePagesStart	Operational	N
160	CancelNotificationStart	Operational	N
161	CancelNotificationStop	Operational	N
162	GetSystemBootDevice	Operational	N
163	NormalizeBootOptionList	Operational	N
164	CreateLibraryParameters	Operational	N
165	InitializeLibrary	Operational	N
166	CreateDevices	Operational	N
167	SoftRestartHostCapability	Operational	N
168	EnumerateEnclavePages	Operational	N
169	InitializeMeasurementContextInitializationFailure_V1	Operational	N
170	Measured Boot Measurement Failure.	Operational	N
171	TPM Measurement Failure.	Operational	N
172	Failure to close TCG log.	Operational	N
173	CommitPendingEvents	Operational	N
174	CapTpmPcr	Operational	N
175	CapTpmPcr175	Operational	N
176	InitializeLibrary176	Operational	N
177	EfiVariableAccessGetEfiVariable	Operational	N
178	EfiVariableAccessSetEfiVariable	Operational	N
179	GetFirmwareInformation	Operational	N
180	VerifyBootEntry	Operational	N
181	Soft Restart driver failed to register itself as a filter with status: Status.	Operational	N
182	IoSpaceMemoryEnumerateFailure	Operational	N
183	BadMemoryPagesListInitializationFailure	Operational	N
184	InitializeMeasurementContextMeasurementsDisabled	Operational	N
185	Soft Restart driver failed to store BCD store when BCDCache is enabled with …	Operational	N
186	Soft Restart driver failed to query MEMDISK configuration from the current OS …	Operational	N
200	A command was submitted to the TPM.	Analytic	N
201	A command was submitted to the TPM.	Analytic	N
202	A command could not be submitted to the TPM.	Operational	N
203	A command could not be submitted to the TPM.	Operational	N
204	The TPM was found not to be useable for BitLocker.	Analytic	N
205	EFICapsuleCreationStart	Operational	N
206	EFICapsuleCreationStop	Operational	N
207	Measured Boot library was initialized.	Analytic	N
208	Measured Boot library encountered a failure and entered insecure state.	Operational	Y
209	DRTM Security Version Number check failed.	Operational	N
210	Intel TXT SENTER time: Intel_TXT_SENTER_time ms.	Operational	N
211	MiniFilterStartFailure	Operational	N
212	File modification detected after load: File_modification_detected_after_load.	Analytic	N
213	Registry modification detected after load: PathLength.	Analytic	N
214	Soft reboot prepare started (complete requested: TryComplete).	System	N
215	Soft reboot prepare finished: Soft_reboot_prepare_finished.	System	N
216	Soft reboot complete prepare started.	System	N
217	Soft reboot complete prepare finished: Soft_reboot_complete_prepare_finished.	System	N
218	Soft reboot call to checkpoint failed: Function (checkpoint: Status).	System	N
219	Intel TXT prepared.	Operational	N
220	System Guard enabled but not supported.	Operational	N
221	System drivers need update to support VBS launch.	System	N
222	SMM configuration failed validation.	System	N
223	IoSpaceMemoryAllocationFailure	Operational	N
224	IoSpaceMemoryAllocation	Operational	N
225	VBS is configured to disallow trustlets.	Operational	N
226	FinalizeMemoryMapStart	Operational	N
227	FinalizeMemoryMapStop	Operational	N
228	FinalizeMemoryMapStop228	Operational	N
229	RegisterHvloaderPersistenceInterface	Operational	N
230	LoadHvloaderForPersistence	Operational	N
231	Boot menu timer canceled due to key press.	Operational	N
232	MemoryPartitionFreeUnusedMemoryStart	Operational	N
233	MemoryPartitionFreeUnusedMemoryStop	Operational	N
234	MemoryPartitionRestoreStats	Operational	N
235	Windows boot environment failed to initialize TPM device.	Operational	Y
236	SMM isolation level decreased.	Operational	N
237	Hardware memory mirroring is not supported.	Operational	N
238	EFI time zone bias: EfiTimeZoneBias.	System	Y
239	MemoryAllocationBlMmAllocationFailure	Analytic	N
240	FinalizeNotificationStart	Operational	N
241	FinalizeNotificationStop	Operational	N
242	SMM isolation detected.	System	N
243	Hardware memory mirroring support is enabled.	Operational	N
244	MeasuredLaunchTxtSmmIsolationPerf	Analytic	N
245	UnpersistMemoryPartitionStart	Operational	N
246	UnpersistMemoryPartitionStop	Operational	N
247	Unable to load Pluton-Windows firmware.	System	Y
248	Previous error detected while attempting to execute Measured Launch Environment.	Operational	N
249	BindImportsFailure	Operational	N
250	SlabAllocationFailure	Operational	N
251	QuerySystemInformationFailure	Operational	N
252	This system has not supplied a valid framebuffer and the graphical boot menu is …	Operational	N
253	HotPatch %4 failed to apply with Status: %2 at failure point:	Analytic	N
253	HotPatch HotPatchPath failed to apply with Status: Status at failure point: …	Operational	N
254	GetPerformanceOptions	Operational	N
255	SnapshotPolicy	Operational	N
256	AMD DRTM Firmware Anti-Rollback Disabled.	System	N
257	Failed to build image path for dump stack module ModulePath.	Operational	N
258	Failed to load dump stack module ModulePath.	Operational	N
259	Early dump stack succesfully loaded by OS loader.	Operational	N
260	Early boot crash dump generation is not supported.	Operational	N
261	Soft restart prepare was vetoed by component Tag with status Status.	Operational	N
262	Soft restart finalize was vetoed by component Tag with status Status.	Operational	N
263	Early crash dump support is disabled by registry configuration.	Operational	N
264	Failed to query early dump enablement information from the registry with status …	Operational	N
265	Failed to query dedicated dump file name for the target OS with status Status.	Operational	N
266	Dedicated dump file names do not match (HostDumpFileName, TargetDumpFileName).	Operational	N
267	Failed to query dump module list.	Operational	N
268	Boot Application ApplicationIdentifier dropped EventsLostCount events during …	Operational	N
269	Trace point: Function:Function Point:Point Status:NTStatus.	Operational	N
270	Cached boot BCD store was loaded by the boot environment.	Operational	N
271	TPRs are supported, TPR setup will be requested while attempting to execute …	Operational	N
272	PPAM Manifest Info: PpamStatus.	System	N
273	BCD Option 'BcdOption' was not applied due to Secure Boot being enabled.	Operational	N
274	Bootmgr Security Version Number check failed.	System	N
275	ACM InfoTable version used: AcmInfoTableVersion.	Operational	N
276	Windows boot manager revocation policy version Version is applied.	Operational	N
277	Windows boot manager revocation policy version Version was not found.	Operational	N
291	Succeeded in updating the SBAT value in FW.	Operational	Y
292	Failed to update the SBAT value in FW.	Operational	Y
295	Secure Boot revoked boot app FileName with SVN LoadedBootAppSvn.	Operational	N
312	Failed to compose API Set schema extension with status: NTStatus.	Operational	N

Event ID 1: System was booted in WidthxHeight@BitsPerPixelbpp.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Task: FirmwareResolution

Description

System was booted in WidthxHeight@BitsPerPixelbpp.

Message #

System was booted in %1x%2@%3bpp.

Fields #

Name	Description
`Width` UInt32
`Height` UInt32
`BitsPerPixel` UInt32

Event ID 2: BootUX screen was displayed in WidthxHeight@BitsPerPixelbpp.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Task: BootEnvResolution

Description

BootUX screen was displayed in WidthxHeight@BitsPerPixelbpp.

Message #

BootUX screen was displayed in %1x%2@%3bpp.

Fields #

Name	Description
`Width` UInt32
`Height` UInt32
`BitsPerPixel` UInt32

Event ID 3: Video bit transfer rate is BytesPerMs bytes per ms.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Opcode: Info

Description

Video bit transfer rate is BytesPerMs bytes per ms.

Message #

Video bit transfer rate is %1 bytes per ms.

Fields #

Name	Description
`BytesPerMs` UInt32

Event ID 4: Boot library accessed file FileName on Device DeviceID.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Task: BootFileAccess

Description

Boot library accessed file FileName on Device DeviceID. Read BytesRead bytes and wrote BytesWritten bytes.

Message #

Boot library accessed file %2 on Device %1. Read %3 bytes and wrote %4 bytes.

Fields #

Name	Description
`DeviceID` UInt32
`FileName` UnicodeString
`BytesRead` UInt64
`BytesWritten` UInt64

Event ID 5: File IO for boot application ApplicationGuid: Total Bytes Read = BytesRead, Total Bytes Written = BytesWritten.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Task: BootTotalIo

Description

File IO for boot application ApplicationGuid: Total Bytes Read = BytesRead, Total Bytes Written = BytesWritten.

Message #

File IO for boot application %1: Total Bytes Read = %2, Total Bytes Written = %3.

Fields #

Name	Description
`ApplicationGuid` GUID
`BytesRead` UInt64
`BytesWritten` UInt64

Event ID 6: Image ImageName failed IntegrityCheck reason is Reason.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Task: ImageIntegrityCheck

Description

Image ImageName failed IntegrityCheck reason is Reason. Image flags are ImageFlags. Error ignored due to debugger ErrorIgnored.

Message #

Image %1 failed IntegrityCheck reason is %3. Image flags are %2. Error ignored due to debugger %4.

Fields #

Name	Description
`ImageName` UnicodeString
`ImageFlags` UInt32
`Reason` UInt32
`ErrorIgnored` UInt32

Event ID 7: Bootmgr duration is BootmgrTime milliseconds.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Task: BootManager

Description

Bootmgr duration is BootmgrTime milliseconds.

Message #

Bootmgr duration is %1 milliseconds.

Fields #

Name	Description
`BootmgrTime` UInt64

Event ID 8: Image ImageName is not self-signed.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Task: ImageHashCheck

Description

Image ImageName is not self-signed.

Message #

Image %1 is not self-signed.

Fields #

Name	Description
`ImageName` UnicodeString

Event ID 9: A device (DriveNumber) that was enumerated by the BIOS was inaccessible to the boot environment.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Opcode: Info

Description

A device (DriveNumber) that was enumerated by the BIOS was inaccessible to the boot environment.

Message #

A device (%1) that was enumerated by the BIOS was inaccessible to the boot environment.

Fields #

Name	Description
`DriveNumber` UInt32

Event ID 10: The system firmware has allocated a memory region previously determined to be unreliable.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Opcode: Info

Description

The system firmware has allocated a memory region previously determined to be unreliable. This has the potential to cause system instability and/or data corruption.

Message #

The system firmware has allocated a memory region previously determined to be unreliable. This has the potential to cause system instability and/or data corruption.

Fields #

Name	Description
`FwStartPage` UInt64
`FwPageCount` UInt64
`FwMemoryType` UInt32
`FwMemoryAttributes` UInt32
`BlStartPage` UInt64
`BlPageCount` UInt64
`BlMemoryType` UInt32
`BlMemoryAttributes` UInt32

Event ID 11: The time elapsed before Bootmgr, based on the TSC, is PreBootMgrTime ms.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Task: PreBoot

Description

The time elapsed before Bootmgr, based on the TSC, is PreBootMgrTime ms.

Message #

The time elapsed before Bootmgr, based on the TSC, is %1 ms.

Fields #

Name	Description
`PreBootMgrTime` UInt64

Event ID 12: Variable UefiVariableName requires Size bytes and was set with status Status.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Task: SecureBootVariableUsage

Description

Variable UefiVariableName requires Size bytes and was set with status Status.

Message #

Variable %1 requires %2 bytes and was set with status %3.

Fields #

Name	Description
`UefiVariableName` UnicodeString
`Size` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 13: Element Element of application ApplicationGuid was not in policy.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Opcode: Info

Description

Element Element of application ApplicationGuid was not in policy.

Message #

Element %2 of application %1 was not in policy.

Fields #

Name	Description
`ApplicationGuid` GUID
`Element` UInt32

Event ID 14: A Secure Boot Policy update resulted in status Status.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Opcode: Info

Description

A Secure Boot Policy update resulted in status Status.

Message #

A Secure Boot Policy update resulted in status %1.

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Event ID 15: A Secure Boot Revocation List update resulted in status Status.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Opcode: Info

Description

A Secure Boot Revocation List update resulted in status Status.

Message #

A Secure Boot Revocation List update resulted in status %1.

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Event ID 16: Windows failed to resume from hibernate with error status FailureStatus.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Opcode: Info

Description

Windows failed to resume from hibernate with error status FailureStatus.

Message #

Windows failed to resume from hibernate with error status %1.

Fields #

Name	Description
`FailureStatus` UInt32
`FailureMsg` UnicodeString

Event ID 17: The boot manager multi OS selection screen was displayed.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Opcode: Info

Description

The boot manager multi OS selection screen was displayed.

Message #

The boot manager multi OS selection screen was displayed.

Event ID 18: There are EntryCount boot options on this system.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Level: Informational
Task: BootmgrEntryCount

Description

There are EntryCount boot options on this system.

Message #

There are %1 boot options on this system.

Fields #

Name	Description
`EntryCount` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Boot",
    "guid": "{15CA44FF-4D7A-4BAA-BBA5-0998955E531E}",
    "event_source_name": "",
    "event_id": 18,
    "version": 0,
    "level": 4,
    "task": 57,
    "opcode": 0,
    "keywords": -9223372036854775808,
    "time_created": "2026-05-29T16:32:43.9805819+00:00",
    "event_record_id": 6665,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 8
    },
    "channel": "System",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "EntryCount": "1"
  },
  "message": "There are 0x1 boot options on this system."
}

Event ID 19: There are ToolsCount boot tool options on this system.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Opcode: Info

Description

There are ToolsCount boot tool options on this system.

Message #

There are %1 boot tool options on this system.

Fields #

Name	Description
`ToolsCount` UInt32

Event ID 20: The last shutdown's success status was LastShutdownGood.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Level: Informational
Task: DirtyBootShutdown

Description

The last shutdown's success status was LastShutdownGood. The last boot's success status was LastBootGood.

Message #

The last shutdown's success status was %1. The last boot's success status was %2.

Fields #

Name	Description
`LastShutdownGood` Boolean
`LastBootGood` Boolean
`LastBootId` UInt32
`BootStatusPolicy` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Boot",
    "guid": "{15CA44FF-4D7A-4BAA-BBA5-0998955E531E}",
    "event_source_name": "",
    "event_id": 20,
    "version": 1,
    "level": 4,
    "task": 31,
    "opcode": 0,
    "keywords": -9223372036854775808,
    "time_created": "2026-05-29T16:32:43.9804989+00:00",
    "event_record_id": 6662,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 8
    },
    "channel": "System",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "LastShutdownGood": "false",
    "LastBootGood": "true",
    "LastBootId": "14",
    "BootStatusPolicy": "2"
  },
  "message": "The last shutdown's success status was false. The last boot's success status was true."
}

Event ID 21: The OS loader advanced options menu was displayed and the user selected option OptionSelected.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Opcode: Info

Description

The OS loader advanced options menu was displayed and the user selected option OptionSelected.

Message #

The OS loader advanced options menu was displayed and the user selected option %1.

Fields #

Name	Description
`OptionSelected` UInt32

Event ID 22: The OS loader edit options menu was displayed.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Opcode: Info

Description

The OS loader edit options menu was displayed.

Message #

The OS loader edit options menu was displayed.

Event ID 23: The Windows key was pressed during boot.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Opcode: Info

Description

The Windows key was pressed during boot.

Message #

The Windows key was pressed during boot.

Event ID 24: The F8 key was pressed during boot.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Opcode: Info

Description

The F8 key was pressed during boot.

Message #

The F8 key was pressed during boot.

Event ID 25: The boot menu policy was BootMenuPolicy.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Level: Informational
Task: BootMenuPolicy

Description

The boot menu policy was BootMenuPolicy.

Message #

The boot menu policy was %1.

Fields #

Name	Description
`BootMenuPolicy` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Boot",
    "guid": "{15CA44FF-4D7A-4BAA-BBA5-0998955E531E}",
    "event_source_name": "",
    "event_id": 25,
    "version": 0,
    "level": 4,
    "task": 32,
    "opcode": 0,
    "keywords": -9223372036854775808,
    "time_created": "2026-05-29T16:32:43.9805444+00:00",
    "event_record_id": 6663,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 8
    },
    "channel": "System",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "BootMenuPolicy": "0"
  },
  "message": "The boot menu policy was 0x0."
}

Event ID 26: A one-time boot sequence was used during this boot.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Level: Informational
Opcode: Info

Description

A one-time boot sequence was used during this boot.

Message #

A one-time boot sequence was used during this boot.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Boot",
    "guid": "{15ca44ff-4d7a-4baa-bba5-0998955e531e}",
    "event_source_name": "",
    "event_id": 26,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223380832947798016,
    "time_created": "2026-04-17 21:27:00.757048+00:00",
    "event_record_id": 209,
    "correlation": {
      "ActivityID": "",
      "RelatedActivityID": ""
    },
    "execution": {
      "process_id": 4,
      "thread_id": 8
    },
    "channel": "System",
    "computer": "WIN11-25H2-X64",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {},
  "message": "A one-time boot sequence was used during this boot."
}

Event ID 27: The boot type was BootType.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Level: Informational
Task: BootType

Description

The boot type was BootType.

Message #

The boot type was %1.

Fields #

Name	Description
`BootType` UInt32
`LoadOptions` AnsiString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Boot",
    "guid": "{15CA44FF-4D7A-4BAA-BBA5-0998955E531E}",
    "event_source_name": "",
    "event_id": 27,
    "version": 1,
    "level": 4,
    "task": 33,
    "opcode": 0,
    "keywords": -9223372036854775808,
    "time_created": "2026-05-29T16:32:43.9805450+00:00",
    "event_record_id": 6664,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 8
    },
    "channel": "System",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "BootType": "0",
    "LoadOptions": " NOEXECUTE=OPTOUT  FVEBOOT=2633728"
  },
  "message": "The boot type was 0x0."
}

Event ID 28: task_028

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SqmType` UInt32
`SqmSessionGuid` GUID
`SqmID` UInt32
`SqmStreamRowLength` UInt32
`SqmStreamRow` Int16

Event ID 29: Windows failed fast startup with error status FailureStatus.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Opcode: Info

Description

Windows failed fast startup with error status FailureStatus.

Message #

Windows failed fast startup with error status %1.

Fields #

Name	Description
`FailureStatus` UInt32
`FailureMsg` UnicodeString

Event ID 30: The firmware reported boot metrics.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Task: FirmwareBootData

Description

The firmware reported boot metrics.

Message #

The firmware reported boot metrics.

Fields #

Name	Description
`ResetEndStart` UInt64
`LoadOSImageStart` UInt64
`StartOSImageStart` UInt64
`ExitBootServicesEntry` UInt64
`ExitBootServicesExit` UInt64

Event ID 31: Initialization of the firmware crypto hash provider resulted in status Status.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Opcode: Info

Description

Initialization of the firmware crypto hash provider resulted in status Status.

Message #

Initialization of the firmware crypto hash provider resulted in status %1.

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Event ID 32: The bootmgr spent BitlockerUserInputTime ms waiting for user input.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Level: Informational
Task: UserInputTime

Description

The bootmgr spent BitlockerUserInputTime ms waiting for user input.

Message #

The bootmgr spent %1 ms waiting for user input.

Fields #

Name	Description
`BitlockerUserInputTime` UInt64

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Boot",
    "guid": "{15CA44FF-4D7A-4BAA-BBA5-0998955E531E}",
    "event_source_name": "",
    "event_id": 32,
    "version": 0,
    "level": 4,
    "task": 58,
    "opcode": 0,
    "keywords": -9223372036854775808,
    "time_created": "2026-05-29T16:32:43.9806134+00:00",
    "event_record_id": 6666,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 8
    },
    "channel": "System",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "BitlockerUserInputTime": "0"
  },
  "message": "The bootmgr spent 0 ms waiting for user input."
}

Event ID 33: The firmware update capsule (ImageName) failed to load with status ImageLoadStatus.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Opcode: Info

Description

The firmware update capsule (ImageName) failed to load with status ImageLoadStatus.

Message #

The firmware update capsule (%1) failed to load with status %2.

Fields #

Name	Description
`ImageName` UnicodeString
`ImageLoadStatus` UInt32

Event ID 34: The PE/COFF image firmware update capsule (PeImageName) failed to load with status PeImageLoadStatus.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Opcode: Info

Description

The PE/COFF image firmware update capsule (PeImageName) failed to load with status PeImageLoadStatus.

Message #

The PE/COFF image firmware update capsule (%1) failed to load with status %2.

Fields #

Name	Description
`PeImageName` UnicodeString
`PeImageLoadStatus` UInt32

Event ID 35: The Efi UpdateCapsule failed to apply updates with status UpdateCapsuleStatus.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Opcode: Info

Description

The Efi UpdateCapsule failed to apply updates with status UpdateCapsuleStatus.

Message #

The Efi UpdateCapsule failed to apply updates with status %1.

Fields #

Name	Description
`UpdateCapsuleStatus` UInt32

Event ID 36: Firmware update supported status is UpdateSupportedStatus.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Opcode: Info

Description

Firmware update supported status is UpdateSupportedStatus. The BitLocker device flags are DeviceFlags and the PCR bitmap is PcrBitmap.

Message #

Firmware update supported status is %3. The BitLocker device flags are %1 and the PCR bitmap is %2.

Fields #

Name	Description
`DeviceFlags` UInt32
`PcrBitmap` UInt32
`UpdateSupportedStatus` UInt32

Event ID 37: The firmware update capsule (ImageName) code integrity check failed with status ImageLoadStatus.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Opcode: Info

Description

The firmware update capsule (ImageName) code integrity check failed with status ImageLoadStatus.

Message #

The firmware update capsule (%1) code integrity check failed with status %2.

Fields #

Name	Description
`ImageName` UnicodeString
`ImageLoadStatus` UInt32

Event ID 38: Windows failed to load the required system file ImageName with error status ImageLoadStatus.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: ImageLoadFailure

Description

Windows failed to load the required system file ImageName with error status ImageLoadStatus.

Message #

Windows failed to load the required system file %1 with error status %2.

Fields #

Name	Description
`ImageName` UnicodeString
`ImageLoadStatus` UInt32

Event ID 39: Windows failed to load the system registry file HiveName with error status HiveLoadStatus.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Opcode: Info

Description

Windows failed to load the system registry file HiveName with error status HiveLoadStatus.

Message #

Windows failed to load the system registry file %1 with error status %2.

Fields #

Name	Description
`HiveName` UnicodeString
`HiveLoadStatus` UInt32

Event ID 40: Windows failed to initialize the ACPI with error status Status.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Opcode: Info

Description

Windows failed to initialize the ACPI with error status Status.

Message #

Windows failed to initialize the ACPI with error status %1.

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Event ID 41: Windows failed to load with error status Status.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Opcode: Info

Description

Windows failed to load with error status Status.

Message #

Windows failed to load with error status %1.

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Event ID 42: Windows failed to load image FailedPath imported from Path with error status Status.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Opcode: Info

Description

Windows failed to load image FailedPath imported from Path with error status Status.

Message #

Windows failed to load image %2 imported from %1 with error status %3.

Fields #

Name	Description
`Path` UnicodeString
`FailedPath` UnicodeString
`Status` UInt32	NTSTATUS reference

Event ID 43: Windows failed to import Import from image Path with error status Status.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Opcode: Info

Description

Windows failed to import Import from image Path with error status Status.

Message #

Windows failed to import %2 from image %1 with error status %3.

Fields #

Name	Description
`Path` UnicodeString
`Import` AnsiString
`Status` UInt32	NTSTATUS reference

Event ID 44: Windows failed to provision VSM Identity Key.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Opcode: Info

Description

Windows failed to provision VSM Identity Key. Unsealing cached copy status: CachedCopyStatus. New key generation status: IdkGenerationStatus. Measuring to PCR status: MeasuringStatus. Sealing and caching status: SealingAndCachingStatus.

Message #

Windows failed to provision VSM Identity Key. Unsealing cached copy status: %1. New key generation status: %2. Measuring to PCR status: %3. Sealing and caching status: %4.

Fields #

Name	Description
`CachedCopyStatus` UInt32
`IdkGenerationStatus` UInt32
`MeasuringStatus` UInt32
`SealingAndCachingStatus` UInt32

Event ID 45: VSM Identity Key Provisioning.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Level: Informational
Task: VsmIdkProvisioningStatus

Description

VSM Identity Key Provisioning. Unsealing cached copy status: CachedCopyStatus. New key generation status: IdkGenerationStatus. Measuring to PCR status: MeasuringStatus. Sealing and caching status: SealingAndCachingStatus.

Message #

VSM Identity Key Provisioning. Unsealing cached copy status: %1. New key generation status: %2. Measuring to PCR status: %3. Sealing and caching status: %4.

Fields #

Name	Description
`CachedCopyStatus` UInt32
`IdkGenerationStatus` UInt32
`MeasuringStatus` UInt32
`SealingAndCachingStatus` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Boot",
    "guid": "15CA44FF-4D7A-4BAA-BBA5-0998955E531E",
    "event_source_name": "",
    "event_id": 45,
    "version": 0,
    "level": 4,
    "task": 59,
    "opcode": 0,
    "keywords": 2305843009213693952,
    "time_created": "2026-03-11T06:27:08.605376+00:00",
    "event_record_id": 61,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 8
    },
    "channel": "Microsoft-Windows-Kernel-Boot/Operational",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "CachedCopyStatus": 3221225487,
    "IdkGenerationStatus": 0,
    "MeasuringStatus": 1,
    "SealingAndCachingStatus": 0
  },
  "message": ""
}

Event ID 46: Retrieving the driver list took RetrieveDriverListTime milliseconds.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Task: RetrieveDriverListTime

Description

Retrieving the driver list took RetrieveDriverListTime milliseconds.

Message #

Retrieving the driver list took %1 milliseconds.

Fields #

Name	Description
`RetrieveDriverListTime` UInt64

Event ID 47: Loading the drivers took LoadDriversTime milliseconds.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Task: LoadDrivers

Description

Loading the drivers took LoadDriversTime milliseconds.

Message #

Loading the drivers took %1 milliseconds.

Fields #

Name	Description
`LoadDriversTime` UInt64

Event ID 48: Loading hive Path took LoadHiveTime milliseconds.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Task: LoadHive

Description

Loading hive Path took LoadHiveTime milliseconds.

Message #

Loading hive %1 took %2 milliseconds.

Fields #

Name	Description
`Path` UnicodeString
`LoadHiveTime` UInt64

Event ID 49: Windows system integrity policy does not allow to load the required system file ImageName with error status SiPolicyStatus.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: SiPolicyFailure

Description

Windows system integrity policy does not allow to load the required system file ImageName with error status SiPolicyStatus.

Message #

Windows system integrity policy does not allow to load the required system file %1 with error status %2.

Fields #

Name	Description
`ImageName` UnicodeString
`SiPolicyStatus` UInt32

Event ID 50: Windows failed to provision VSM Master Encryption Key.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: VsmLKeyProvisioningStatus

Description

Windows failed to provision VSM Master Encryption Key. Using cached copy status: CachedCopyStatus. Primary Blob Unseal Status: PrimaryBlobUnsealStatus. Backup Blob Unseal Status: BackupBlobUnsealStatus. Pca2023 Protector Unseal Status: Pca2023ProtectorUnsealStatus. Backup Blob Validity Check Status: BackupBlobValidityCheckStatus. Backup Blob Validity Check Result: BackupBlobStillValid. Pca2023 Protector Validity Check Status: Pca2023ProtectorValidityCheckStatus. Pca2023 Protector Validity Check Result: Pca2023ProtectorStillValid. Primary Blob Reseal Status: PrimaryBlobResealStatus. Backup Blob Reseal Status: BackupBlobResealStatus. Pca2023 Protector Reseal Status: Pca2023ProtectorResealStatus. New key generation status: KeyGenerationAndSaveStatus. Sealing status: SealingStatus. TPM PCR mask: TpmPcrMask. Tpm Counter validation status: TpmCounterOpStatus. Tpm Counter creation status: TpmCounterCreateStatus. Backup sealed blob used: BackupSealedBlobUsed. Pca2023 Protector cleaned up post upgrade status: Pca2023ProtectorCleanupPostUpgradeStatus. Need To Roll Lkey: NeedToRollLkey. CreationState Verified: CreationStateVerified. V2 Protectors Used: V2ProtectorsUsed. Legacy UEFI Var Query Status: LegacyUefiVarQueryStatus. Legacy UEFI Var Cleanup Status: LegacyUefiVarCleanupStatus. VBS Data Protection Enabled: VbsRollbackDataProtectionEnabled. Vbs Data Protection Opted In Registry: VbsRollbackDataProtectionOptedIn. Vbs Data Protection TPM Counter Status: VbsRollbackDataProtectionTpmCounterStatus. First Pkg Write To Disk: FirstWriteToDisk. Write Pkg To UEFI: WritePkgToUefi. Latched Protector Used: LatchedProtectorUsed. Update Latched Protectors: LatchTheUnlatched. Unsupported Rollback: UnsupportedRollback. Upgraded VBS Policy Exists: UpgradedVbsPolicyExists. TPM Counter Increment Status: TpmCounterIncrementStatus. Active Policy Version: ActivePolicyVersion. Latched Policy Version: LatchedPolicyVersion. Unlatched Policy Version: UnlatchedPolicyVersion. Latched Primary Blob Reseal Status: LatchedPrimaryBlobResealStatusV2. Latched Backup Blob Reseal Status: LatchedBackupBlobResealStatusV2. Latched Pca2023 Protector Reseal Status: LatchedPca2023ProtectorResealStatusV2. Latched Pca2023 Protector Cleanup PostUpgrade Status: LatchedPca2023ProtectorCleanupPostUpgradeStatusV2. Unlatched Primary Blob Reseal Status: UnlatchedPrimaryBlobResealStatusV2. Unlatched Backup Blob Reseal Status: UnlatchedBackupBlobResealStatusV2. Unlatched Pca2023 Protector Reseal Status: UnlatchedPca2023ProtectorResealStatusV2. Unlatched Pca2023 Protector Cleanup PostUpgrade Status: UnlatchedPca2023ProtectorCleanupPostUpgradeStatusV2.

Message #

Windows failed to provision VSM Master Encryption Key. Using cached copy status: %1. Unsealing cached copy status: %2. New key generation status: %3. Sealing status: %4. TPM PCR mask: %5. Protector-assisted unseal status: %6. Protector-assisted re-seal status: %7. Protector update status: %8. Tpm Counter validation status: %9. Tpm Counter creation status: %10. Backup sealed blob used: %11.

Fields #

Name	Description
`CachedCopyStatus` UInt32
`PrimaryBlobUnsealStatus` UInt32
`BackupBlobUnsealStatus` UInt32
`Pca2023ProtectorUnsealStatus` UInt32
`BackupBlobValidityCheckStatus` UInt32
`BackupBlobStillValid` Boolean
`Pca2023ProtectorValidityCheckStatus` UInt32
`Pca2023ProtectorStillValid` Boolean
`PrimaryBlobResealStatus` UInt32
`BackupBlobResealStatus` UInt32
`Pca2023ProtectorResealStatus` UInt32
`KeyGenerationAndSaveStatus` UInt32
`SealingStatus` UInt32
`TpmPcrMask` UInt32
`TpmCounterOpStatus` UInt32
`TpmCounterCreateStatus` UInt32
`BackupSealedBlobUsed` Boolean
`Pca2023ProtectorCleanupPostUpgradeStatus` UInt32
`NeedToRollLkey` UInt8
`CreationStateVerified` UInt8
`V2ProtectorsUsed` UInt8
`LegacyUefiVarQueryStatus` UInt32
`LegacyUefiVarCleanupStatus` UInt32
`VbsRollbackDataProtectionEnabled` UInt8
`VbsRollbackDataProtectionOptedIn` UInt8
`VbsRollbackDataProtectionTpmCounterStatus` UInt32
`FirstWriteToDisk` UInt8
`WritePkgToUefi` UInt8
`LatchedProtectorUsed` UInt8
`LatchTheUnlatched` UInt8
`UnsupportedRollback` UInt8
`UpgradedVbsPolicyExists` UInt8
`TpmCounterIncrementStatus` UInt32
`ActivePolicyVersion` UInt64
`LatchedPolicyVersion` UInt64
`UnlatchedPolicyVersion` UInt64
`LatchedPrimaryBlobResealStatusV2` UInt32
`LatchedBackupBlobResealStatusV2` UInt32
`LatchedPca2023ProtectorResealStatusV2` UInt32
`LatchedPca2023ProtectorCleanupPostUpgradeStatusV2` UInt32
`UnlatchedPrimaryBlobResealStatusV2` UInt32
`UnlatchedBackupBlobResealStatusV2` UInt32
`UnlatchedPca2023ProtectorResealStatusV2` UInt32
`UnlatchedPca2023ProtectorCleanupPostUpgradeStatusV2` UInt32

Event ID 51: VSM Master Encryption Key Provisioning.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Level: Informational
Task: VsmLKeyProvisioningStatus

Description

VSM Master Encryption Key Provisioning. Using cached copy status: CachedCopyStatus. Primary Blob Unseal Status: PrimaryBlobUnsealStatus. Backup Blob Unseal Status: BackupBlobUnsealStatus. Pca2023 Protector Unseal Status: Pca2023ProtectorUnsealStatus. Backup Blob Validity Check Status: BackupBlobValidityCheckStatus. Backup Blob Validity Check Result: BackupBlobStillValid. Pca2023 Protector Validity Check Status: Pca2023ProtectorValidityCheckStatus. Pca2023 Protector Validity Check Result: Pca2023ProtectorStillValid. Primary Blob Reseal Status: PrimaryBlobResealStatus. Backup Blob Reseal Status: BackupBlobResealStatus. Pca2023 Protector Reseal Status: Pca2023ProtectorResealStatus. New key generation status: KeyGenerationAndSaveStatus. Sealing status: SealingStatus. TPM PCR mask: TpmPcrMask. Tpm Counter validation status: TpmCounterOpStatus. Tpm Counter creation status: TpmCounterCreateStatus. Backup sealed blob used: BackupSealedBlobUsed. Pca2023 Protector cleaned up post upgrade status: Pca2023ProtectorCleanupPostUpgradeStatus. Need To Roll Lkey: NeedToRollLkey. CreationState Verified: CreationStateVerified. V2 Protectors Used: V2ProtectorsUsed. Legacy UEFI Var Query Status: LegacyUefiVarQueryStatus. Legacy UEFI Var Cleanup Status: LegacyUefiVarCleanupStatus. VBS Data Protection Enabled: VbsRollbackDataProtectionEnabled. Vbs Data Protection Opted In Registry: VbsRollbackDataProtectionOptedIn. Vbs Data Protection TPM Counter Status: VbsRollbackDataProtectionTpmCounterStatus. First Pkg Write To Disk: FirstWriteToDisk. Write Pkg To UEFI: WritePkgToUefi. Latched Protector Used: LatchedProtectorUsed. Update Latched Protectors: LatchTheUnlatched. Unsupported Rollback: UnsupportedRollback. Upgraded VBS Policy Exists: UpgradedVbsPolicyExists. TPM Counter Increment Status: TpmCounterIncrementStatus. Active Policy Version: ActivePolicyVersion. Latched Policy Version: LatchedPolicyVersion. Unlatched Policy Version: UnlatchedPolicyVersion. Latched Primary Blob Reseal Status: LatchedPrimaryBlobResealStatusV2. Latched Backup Blob Reseal Status: LatchedBackupBlobResealStatusV2. Latched Pca2023 Protector Reseal Status: LatchedPca2023ProtectorResealStatusV2. Latched Pca2023 Protector Cleanup PostUpgrade Status: LatchedPca2023ProtectorCleanupPostUpgradeStatusV2. Unlatched Primary Blob Reseal Status: UnlatchedPrimaryBlobResealStatusV2. Unlatched Backup Blob Reseal Status: UnlatchedBackupBlobResealStatusV2. Unlatched Pca2023 Protector Reseal Status: UnlatchedPca2023ProtectorResealStatusV2. Unlatched Pca2023 Protector Cleanup PostUpgrade Status: UnlatchedPca2023ProtectorCleanupPostUpgradeStatusV2.

Message #

VSM Master Encryption Key Provisioning. Using cached copy status: %1. Unsealing cached copy status: %2. New key generation status: %3. Sealing status: %4. TPM PCR mask: %5. Protector-assisted unseal status: %6. Protector-assisted re-seal status: %7. Protector update status: %8. Tpm Counter validation status: %9. Tpm Counter creation status: %10. Backup sealed blob used: %11.

Fields #

Name	Description
`CachedCopyStatus` UInt32
`PrimaryBlobUnsealStatus` UInt32
`BackupBlobUnsealStatus` UInt32
`Pca2023ProtectorUnsealStatus` UInt32
`BackupBlobValidityCheckStatus` UInt32
`BackupBlobStillValid` Boolean
`Pca2023ProtectorValidityCheckStatus` UInt32
`Pca2023ProtectorStillValid` Boolean
`PrimaryBlobResealStatus` UInt32
`BackupBlobResealStatus` UInt32
`Pca2023ProtectorResealStatus` UInt32
`KeyGenerationAndSaveStatus` UInt32
`SealingStatus` UInt32
`TpmPcrMask` UInt32
`TpmCounterOpStatus` UInt32
`TpmCounterCreateStatus` UInt32
`BackupSealedBlobUsed` Boolean
`Pca2023ProtectorCleanupPostUpgradeStatus` UInt32
`NeedToRollLkey` UInt8
`CreationStateVerified` UInt8
`V2ProtectorsUsed` UInt8
`LegacyUefiVarQueryStatus` UInt32
`LegacyUefiVarCleanupStatus` UInt32
`VbsRollbackDataProtectionEnabled` UInt8
`VbsRollbackDataProtectionOptedIn` UInt8
`VbsRollbackDataProtectionTpmCounterStatus` UInt32
`FirstWriteToDisk` UInt8
`WritePkgToUefi` UInt8
`LatchedProtectorUsed` UInt8
`LatchTheUnlatched` UInt8
`UnsupportedRollback` UInt8
`UpgradedVbsPolicyExists` UInt8
`TpmCounterIncrementStatus` UInt32
`ActivePolicyVersion` UInt64
`LatchedPolicyVersion` UInt64
`UnlatchedPolicyVersion` UInt64
`LatchedPrimaryBlobResealStatusV2` UInt32
`LatchedBackupBlobResealStatusV2` UInt32
`LatchedPca2023ProtectorResealStatusV2` UInt32
`LatchedPca2023ProtectorCleanupPostUpgradeStatusV2` UInt32
`UnlatchedPrimaryBlobResealStatusV2` UInt32
`UnlatchedBackupBlobResealStatusV2` UInt32
`UnlatchedPca2023ProtectorResealStatusV2` UInt32
`UnlatchedPca2023ProtectorCleanupPostUpgradeStatusV2` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Boot",
    "guid": "15CA44FF-4D7A-4BAA-BBA5-0998955E531E",
    "event_source_name": "",
    "event_id": 51,
    "version": 0,
    "level": 4,
    "task": 81,
    "opcode": 0,
    "keywords": 2305843009213693952,
    "time_created": "2026-03-11T06:27:08.605364+00:00",
    "event_record_id": 60,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 8
    },
    "channel": "Microsoft-Windows-Kernel-Boot/Operational",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "CachedCopyStatus": 3221226021,
    "UnsealingCachedCopyStatus": 1,
    "KeyGenerationAndSaveStatus": 0,
    "SealingStatus": 1,
    "TpmPcrMask": 0,
    "ProtectorAssistedUnsealStatus": 1,
    "ProtectorAssistedResealStatus": 1,
    "ProtectorSealUpdateStatus": 1,
    "TpmCounterOpStatus": 1,
    "TpmCounterCreateStatus": 1,
    "BackupSealedBlobUsed": 0
  },
  "message": ""
}

Event ID 52: The time elapsed loading ApplicationIdentifier was ApplicationLoadTime ms.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Task: BootAppLoadTime

Description

The time elapsed loading ApplicationIdentifier was ApplicationLoadTime ms.

Message #

The time elapsed loading %1 was %2 ms.

Fields #

Name	Description
`ApplicationIdentifier` GUID
`ApplicationLoadTime` UInt64

Event ID 53: The time elapsed executing ApplicationIdentifier was ApplicationExecutionTime ms.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Task: BootApplicationExecution

Description

The time elapsed executing ApplicationIdentifier was ApplicationExecutionTime ms.

Message #

The time elapsed executing %1 was %2 ms.

Fields #

Name	Description
`ApplicationIdentifier` GUID
`ApplicationExecutionTime` UInt64

Event ID 54: Building chunk table for WIM compressed file FileName failed with status: Status.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Opcode: Info

Description

Building chunk table for WIM compressed file FileName failed with status: Status.

Message #

Building chunk table for WIM compressed file %2 failed with status: %1

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference
`FileName` UnicodeString

Event ID 55: Soft Restart failed to prepare target Operating System.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Task: PrepareTargetFailure

Description

Soft Restart failed to prepare target Operating System. Operation status: Status failure point: FailurePoint.

Message #

Soft Restart failed to prepare target Operating System. Operation status: %1 failure point: %2

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference
`FailurePoint` UInt32

Event ID 56: Boot application failed to process persistent data with status: Status.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Opcode: Info

Description

Boot application failed to process persistent data with status: Status.

Message #

Boot application failed to process persistent data with status: %1

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Event ID 57: Windows failed to provision the TPM Storage Root Key with error status.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Opcode: Info

Description

Windows failed to provision the TPM Storage Root Key with error status:TpmSrkProvisioningStatus. Reading SrkPolicy status: TpmSrkPolicyReadStatus. SrkSymKeyPolicy value: TpmSrkSymKeyPolicyValue. TPM symmetric key capability: TpmSrkSymKeyCapability. AES bits used: TpmSrkAesBitsUsed. SrkAsymKeyPolicy value: TpmSrkAsymKeyPolicyValue. TPM asymmetric key capability: TpmSrkAsymKeyCapability. Rsa bits used: TpmSrkRsaBitsUsed.

Message #

Windows failed to provision the TPM Storage Root Key with error status:%1. Reading SrkPolicy status: %2. SrkSymKeyPolicy value: %3. TPM symmetric key capability: %4. AES bits used: %5. SrkAsymKeyPolicy value: %6. TPM asymmetric key capability: %7. Rsa bits used: %8.

Fields #

Name	Description
`TpmSrkProvisioningStatus` UInt32
`TpmSrkPolicyReadStatus` UInt32
`TpmSrkSymKeyPolicyValue` UInt32
`TpmSrkSymKeyCapability` UInt32
`TpmSrkAesBitsUsed` UInt32
`TpmSrkAsymKeyPolicyValue` UInt32
`TpmSrkAsymKeyCapability` UInt32
`TpmSrkRsaBitsUsed` UInt32

Event ID 58: Windows successfully provisioned the TPM Storage Root Key.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Opcode: Info

Description

Windows successfully provisioned the TPM Storage Root Key. This operation took TpmSrkProvisioningTime milliseconds. Reading SrkPolicy status: TpmSrkPolicyReadStatus. SrkSymKeyPolicy value: TpmSrkSymKeyPolicyValue. TPM symmetric key capability: TpmSrkSymKeyCapability. AES bits used: TpmSrkAesBitsUsed. SrkAsymKeyPolicy value: TpmSrkAsymKeyPolicyValue. TPM asymmetric key capability: TpmSrkAsymKeyCapability. Rsa bits used: TpmSrkRsaBitsUsed.

Message #

Windows successfully provisioned the TPM Storage Root Key. This operation took %1 milliseconds. Reading SrkPolicy status: %2. SrkSymKeyPolicy value: %3. TPM symmetric key capability: %4. AES bits used: %5. SrkAsymKeyPolicy value: %6. TPM asymmetric key capability: %7. Rsa bits used: %8.

Fields #

Name	Description
`TpmSrkProvisioningTime` UInt64
`TpmSrkPolicyReadStatus` UInt32
`TpmSrkSymKeyPolicyValue` UInt32
`TpmSrkSymKeyCapability` UInt32
`TpmSrkAesBitsUsed` UInt32
`TpmSrkAsymKeyPolicyValue` UInt32
`TpmSrkAsymKeyCapability` UInt32
`TpmSrkRsaBitsUsed` UInt32

Event ID 59: Windows failed to provision TPM binding information with error status:TpmBindingProvisioningStatus.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Opcode: Info

Description

Windows failed to provision TPM binding information with error status:TpmBindingProvisioningStatus.

Message #

Windows failed to provision TPM binding information with error status:%1.

Fields #

Name	Description
`TpmBindingProvisioningStatus` UInt32

Event ID 60: NFIT ACPI table is not properly formed, and could not be parsed.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: InvalidNfitTable

Description

NFIT ACPI table is not properly formed, and could not be parsed.

Message #

NFIT ACPI table is not properly formed, and could not be parsed.

Event ID 61: MeasuredLaunchTxtLaunchPrepared

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Task: MeasuredLaunch
Opcode: TxtLaunchPrepared

Fields #

Name	Description
`PmrLowBase` UInt64
`PmrLowSize` UInt64
`PmrHighBase` UInt64
`PmrHighSize` UInt64
`FirmwareProvidedAcm` Boolean

Event ID 62: Previous error detected while attempting to execute Measured Launch Environment.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: MeasuredLaunch
Opcode: PreviousTxtError

Description

Previous error detected while attempting to execute Measured Launch Environment. TXT error code: TxtErrorCode.

Message #

Previous error detected while attempting to execute Measured Launch Environment. TXT error code: %1.

Fields #

Name	Description
`TxtErrorCode` UInt32

Event ID 63: MeasuredLaunchInvalidTxtSinitRange

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Task: MeasuredLaunch
Opcode: InvalidTxtSinitRange

Fields #

Name	Description
`Base` UInt64
`Size` UInt64

Event ID 64: MeasuredLaunchInvalidTxtHeapRange

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Task: MeasuredLaunch
Opcode: InvalidTxtHeapRange

Fields #

Name	Description
`Base` UInt64
`Size` UInt64

Event ID 65: MeasuredLaunchMleLoadFailure

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Task: MeasuredLaunch
Opcode: MleLoadFailure

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Event ID 66: MeasuredLaunchMissingRsdpTable

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Task: MeasuredLaunch
Opcode: MissingRsdpTable

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Event ID 67: MeasuredLaunchNoSinitAcm

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Task: MeasuredLaunch
Opcode: NoSinitAcm

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Event ID 68: MeasuredLaunchInvalidTxtHeapBiosDataSize

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Task: MeasuredLaunch
Opcode: InvalidTxtHeapBiosDataSize

Fields #

Name	Description
`BiosDataSize` UInt64

Event ID 69: MeasuredLaunchMleHeaderTooOld

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Task: MeasuredLaunch
Opcode: MleHeaderTooOld

Fields #

Name	Description
`AcmMinMleHeaderVer` UInt32
`MleHeaderVersion` UInt32

Event ID 70: MeasuredLaunchComputePmrRangesFailure

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Task: MeasuredLaunch
Opcode: ComputePmrRangesFailure

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Event ID 71: FileOpenOpenFailure

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: FileOpen
Opcode: OpenFailure

Fields #

Name	Description
`DeviceID` UInt32
`FileName` UnicodeString
`Status` UInt32	NTSTATUS reference

Event ID 72: MeasuredLaunchPrepareLcpFailure

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Task: MeasuredLaunch
Opcode: PrepareLcpFailure

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Event ID 73: Firmware provided SINIT ACM not used.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: MeasuredLaunch
Opcode: TxtRejectedFirmwareAcm

Description

Firmware provided SINIT ACM not used. TxtStatus.

Message #

Firmware provided SINIT ACM not used. %1

Fields #

Name	Description
`TxtStatus` UInt32

Event ID 74: Windows failed to provision DRTM-bound VSM Master Encryption Key .

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: VsmLKeyProvisioningStatus

Description

Windows failed to provision DRTM-bound VSM Master Encryption Key . Using cached copy status: CachedCopyStatus. New key generation status: KeyGenerationStatus. Sealing status: SealAndSaveStatus. UEFI keys provided to Secure Kernel status: UEFIKeysStatus.

Message #

Windows failed to provision DRTM-bound VSM Master Encryption Key . Using cached copy status: %1. New key generation status: %2. Sealing status: %3. UEFI keys provided to Secure Kernel status: %4.

Fields #

Name	Description
`CachedCopyStatus` UInt32
`KeyGenerationStatus` UInt32
`SealAndSaveStatus` UInt32
`UEFIKeysStatus` UInt32
`UnLatchedCiPolicyVersion` UInt64
`LatchedCiPolicyVersion` UInt64
`LatchedAntiRollbackCounterValue` UInt64
`CurrentCiPolicyVersion` UInt64
`CurrentAntiRollbackCounterValue` UInt64
`MinimumUnsealCiPolicyVersion` UInt64
`AuthorizationIsDelegated` Boolean

Event ID 75: Windows successfully provisioned DRTM-bound VSM Master Encryption Key.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: VsmLKeyProvisioningStatus

Description

Windows successfully provisioned DRTM-bound VSM Master Encryption Key. Using cached copy status: CachedCopyStatus. New key generation status: KeyGenerationStatus. Sealing status: SealAndSaveStatus. UEFI keys provided to Secure Kernel status: UEFIKeysStatus.

Message #

Windows successfully provisioned DRTM-bound VSM Master Encryption Key. Using cached copy status: %1. New key generation status: %2. Sealing status: %3. UEFI keys provided to Secure Kernel status: %4.

Fields #

Name	Description
`CachedCopyStatus` UInt32
`KeyGenerationStatus` UInt32
`SealAndSaveStatus` UInt32
`UEFIKeysStatus` UInt32
`UnLatchedCiPolicyVersion` UInt64
`LatchedCiPolicyVersion` UInt64
`LatchedAntiRollbackCounterValue` UInt64
`CurrentCiPolicyVersion` UInt64
`CurrentAntiRollbackCounterValue` UInt64
`MinimumUnsealCiPolicyVersion` UInt64
`AuthorizationIsDelegated` Boolean

Event ID 76: BootDebuggerBdEnabled

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: BootDebugger
Opcode: BdEnabled

Event ID 77: BootDebuggerBdInitFailure

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: BootDebugger
Opcode: BdInitFailure

Fields #

Name	Description
`DebuggerStatus` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 78: KernelDebuggerKdInitFailure

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: KernelDebugger
Opcode: KdInitFailure

Fields #

Name	Description
`DebuggerStatus` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 79: KernelDebuggerKdEnabled

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: KernelDebugger
Opcode: KdEnabled

Event ID 80: FASR Platform Verification.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Level: Informational
Task: VsmLKeyProvisioningStatus

Description

FASR Platform Verification. FASR cert present: IsFasrCertPresent. FASR cert signature validation status: ValidateFasrCertSignatureStatus. BootmgrAuthorityEventCount: BootmgrAuthorityEventCount. VerifiedMicrosoftAuthority: VerifiedMicrosoftAuthority. FASR PCR values validation status: ValidateFasrPcrValuesStatus. PCR mismatch index: PcrMismatchIndex. FASR cert size: FasrCertSize. FASR cert: FasrCertWithoutSignature. FASR signature size: FasrSignatureSize. FASR signature: FasrSignature.

Message #

FASR Platform Verification. FASR cert present: %1. FASR cert signature validation status: %2. BootmgrAuthorityEventCount: %3. VerifiedMicrosoftAuthority: %4. FASR PCR values validation status: %5. PCR mismatch index: %6. FASR cert size: %7. FASR cert: %8. FASR signature size: %9. FASR signature: %10.

Fields #

Name	Description
`IsFasrCertPresent` UInt8
`ValidateFasrCertSignatureStatus` UInt32
`BootmgrAuthorityEventCount` UInt32
`VerifiedMicrosoftAuthority` UInt8
`ValidateFasrPcrValuesStatus` UInt32
`PcrMismatchIndex` Int32
`FasrCertSize` UInt32
`FasrCertWithoutSignature` Binary
`FasrSignatureSize` UInt32
`FasrSignature` Binary

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Boot",
    "guid": "15CA44FF-4D7A-4BAA-BBA5-0998955E531E",
    "event_source_name": "",
    "event_id": 80,
    "version": 1,
    "level": 4,
    "task": 81,
    "opcode": 0,
    "keywords": 2305843009213693952,
    "time_created": "2026-03-11T06:27:08.605349+00:00",
    "event_record_id": 59,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 8
    },
    "channel": "Microsoft-Windows-Kernel-Boot/Operational",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "IsFasrCertPresent": 0,
    "ValidateFasrCertSignatureStatus": 1,
    "BootmgrAuthorityEventCount": 0,
    "VerifiedMicrosoftAuthority": 0,
    "ValidateFasrPcrValuesStatus": 1,
    "PcrMismatchIndex": -1,
    "FasrCertSize": 0,
    "FasrCertWithoutSignature": "",
    "FasrSignatureSize": 0,
    "FasrSignature": ""
  },
  "message": ""
}

Event ID 81: Windows skipped provisioning the TPM Storage Root Key because the NoAutoProvision registry value was set.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Opcode: Info

Description

Windows skipped provisioning the TPM Storage Root Key because the NoAutoProvision registry value was set.

Message #

Windows skipped provisioning the TPM Storage Root Key because the NoAutoProvision registry value was set.

Event ID 82: Trace point: Function:Function Point:Point Status:NTStatus.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: BootDiag

Description

Trace point: Function:Function Point:Point Status:NTStatus.

Message #

Trace point: Function:%1 Point:%2 Status:%3

Fields #

Name	Description
`Function` AnsiString
`Point` UInt16
`NTStatus` UInt32	NTSTATUS reference

Event ID 83: VSM Master Key Array Package Read and Unseal From Disk.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: VsmLKeyProvisioningStatus

Description

VSM Master Key Array Package Read and Unseal From Disk.

Message #

VSM Master Key Array Package Read and Unseal From Disk

Status: %1
OsDeviceId: %2
SystemRoot: %3
VsmLKeyRelPath: %4
LatchedUnsealPolicyRelPath: %5
UnlatchedUnsealPolicyRelPath: %6
LatchedPrimaryProtectorVariableName: %7
LatchedSecondaryProtectorVariableName: %8
UnlatchedPrimaryProtectorVariableName: %9
UnlatchedSecondaryProtectorVariableName: %10
LatchedProtectorUsedLocal: %11
LatchTheUnlatchedLocal: %12
UnsupportedRollbackLocal: %13
UpgradedAntirollbackPolicyExistsLocal: %14
PkgWasCorruptOrUnavailableLocal: %15
CreationStateVerifiedLocal: %16
PrimaryProtectorTargetPcrSealMaskLocal: %17
LatchedProtectorExists: %18
UnlatchedProtectorExists: %19
KeyPkgIdTpmCounterValue: %20
ActivePolicyVersion: %21
UseUnlatchedProtector: %22
NeedToResealPrimaryProtector: %23
NeedToResealSecondaryProtector: %24
NeedToResealPca2023Protector: %25

Substatus

PrimaryBlobUnsealStatus: %26
BackupBlobUnsealStatus: %27
Pca2023ProtectorUnsealStatus: %28
BackupBlobValidityCheckStatus: %29
BackupBlobStillValid: %30
Pca2023ProtectorValidityCheckStatus: %31
Pca2023ProtectorStillValid: %32
PrimaryBlobResealStatus: %33
BackupBlobResealStatus: %34
Pca2023ProtectorResealStatus: %35
V2ProtectorsUsed: %36
LegacyUefiVarQueryStatus: %37
LegacyUefiVarCleanupStatus: %38
ActivePolicyVersion: %39
LatchedPolicyVersion: %40
UnlatchedPolicyVersion: %41
LatchedUnsealPolicyValid: %42

Latched unseal policy

Version: %43
VarDataOffset: %44
StructureSize: %45
PolicyVersion: %46
PolicyHashLength: %47
WinloadSVN: %48
WinresumeSVN: %49
BootmgrSVN: %50
LKeyPkgId: %51
UnlatchedUnsealPolicyValid: %52

Unlatched unseal policy

Version: %53
VarDataOffset: %54
StructureSize: %55
PolicyVersion: %56
PolicyHashLength: %57
WinloadSVN: %58
WinresumeSVN: %59
BootmgrSVN: %60
LKeyPkgId: %61

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference
`OsDeviceId` UInt32
`SystemRoot` UnicodeString
`VsmLKeyRelPath` UnicodeString
`LatchedUnsealPolicyRelPath` UnicodeString
`UnlatchedUnsealPolicyRelPath` UnicodeString
`LatchedPrimaryProtectorVariableName` UnicodeString
`LatchedSecondaryProtectorVariableName` UnicodeString
`UnlatchedPrimaryProtectorVariableName` UnicodeString
`UnlatchedSecondaryProtectorVariableName` UnicodeString
`LatchedProtectorUsedLocal` UInt8
`LatchTheUnlatchedLocal` UInt8
`UnsupportedRollbackLocal` UInt8
`UpgradedAntirollbackPolicyExistsLocal` UInt8
`PkgWasCorruptOrUnavailableLocal` UInt8
`CreationStateVerifiedLocal` UInt8
`PrimaryProtectorTargetPcrSealMaskLocal` UInt32
`LatchedProtectorExists` UInt8
`UnlatchedProtectorExists` UInt8
`KeyPkgIdTpmCounterValue` UInt64
`ActivePolicyVersion` UInt64
`UseUnlatchedProtector` UInt8
`NeedToResealPrimaryProtector` UInt8
`NeedToResealSecondaryProtector` UInt8
`NeedToResealPca2023Protector` UInt8
`pSubStatusPrimaryBlobUnsealStatus` UInt32
`pSubStatusBackupBlobUnsealStatus` UInt32
`pSubStatusPca2023ProtectorUnsealStatus` UInt32
`pSubStatusBackupBlobValidityCheckStatus` UInt32
`pSubStatusBackupBlobStillValid` Boolean
`pSubStatusPca2023ProtectorValidityCheckStatus` UInt32
`pSubStatusPca2023ProtectorStillValid` Boolean
`pSubStatusPrimaryBlobResealStatus` UInt32
`pSubStatusBackupBlobResealStatus` UInt32
`pSubStatusPca2023ProtectorResealStatus` UInt32
`pSubStatusV2ProtectorsUsed` UInt8
`pSubStatusLegacyUefiVarQueryStatus` UInt32
`pSubStatusLegacyUefiVarCleanupStatus` UInt32
`pSubStatusActivePolicyVersion` UInt64
`pSubStatusLatchedPolicyVersion` UInt64
`pSubStatusUnlatchedPolicyVersion` UInt64
`LatchedUnsealPolicyValid` UInt8
`LatchedUnsealPolicyVersion` UInt16
`LatchedUnsealPolicyVarDataOffset` UInt16
`LatchedUnsealPolicyStructureSize` UInt32
`LatchedUnsealPolicyPolicyVersion` UInt64
`LatchedUnsealPolicyPolicyHashLength` UInt32
`LatchedUnsealPolicyWinloadSVN` UInt32
`LatchedUnsealPolicyWinresumeSVN` UInt32
`LatchedUnsealPolicyBootmgrSVN` UInt32
`LatchedUnsealPolicyLKeyPkgId` UInt64
`UnlatchedUnsealPolicyValid` UInt8
`UnlatchedUnsealPolicyVersion` UInt16
`UnlatchedUnsealPolicyVarDataOffset` UInt16
`UnlatchedUnsealPolicyStructureSize` UInt32
`UnlatchedUnsealPolicyPolicyVersion` UInt64
`UnlatchedUnsealPolicyPolicyHashLength` UInt32
`UnlatchedUnsealPolicyWinloadSVN` UInt32
`UnlatchedUnsealPolicyWinresumeSVN` UInt32
`UnlatchedUnsealPolicyBootmgrSVN` UInt32
`UnlatchedUnsealPolicyLKeyPkgId` UInt64

Event ID 84: Seal and Store on Disk Status.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: VsmLKeyProvisioningStatus

Description

Seal and Store on Disk Status.

Message #

Seal and Store on Disk Status

Status: %1
OsDeviceId: %2
SystemRoot: %3
PcrSealMask: %4
LatchTheUnlatched: %5
UpgradedAntirollbackPolicyExists: %6
EncryptionStatus: %7
KeyPkgIdTpmCounterValue: %8
EncryptedLKeyArrayPkgSize: %9
EncryptedLKeyPkgPdGuid: %10
UnlatchedUnsealPolicySize: %11
UnlatchedProtectorExists: %12
LatchedUnsealPolicySize: %13
LatchedProtectorExists: %14

Latched unseal policy

Version: %15
VarDataOffset: %16
StructureSize: %17
PolicyVersion: %18
PolicyHashLength: %19
WinloadSVN: %20
WinresumeSVN: %21
BootmgrSVN: %22
LKeyPkgId: %23

Unlatched unseal policy

Version: %24
VarDataOffset: %25
StructureSize: %26
PolicyVersion: %27
PolicyHashLength: %28
WinloadSVN: %29
WinresumeSVN: %30
BootmgrSVN: %31
LKeyPkgId: %32

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference
`OsDeviceId` UInt32
`SystemRoot` UnicodeString
`PcrSealMask` UInt32
`LatchTheUnlatched` UInt8
`UpgradedAntirollbackPolicyExists` UInt8
`EncryptionStatus` UInt32
`KeyPkgIdTpmCounterValue` UInt64
`EncryptedLKeyArrayPkgSize` UInt32
`EncryptedLKeyPkgPdGuid` GUID
`UnlatchedUnsealPolicySize` UInt32
`UnlatchedProtectorExists` UInt8
`LatchedUnsealPolicySize` UInt32
`LatchedProtectorExists` UInt8
`LatchedUnsealPolicyVersion` UInt16
`LatchedUnsealPolicyVarDataOffset` UInt16
`LatchedUnsealPolicyStructureSize` UInt32
`LatchedUnsealPolicyPolicyVersion` UInt64
`LatchedUnsealPolicyPolicyHashLength` UInt32
`LatchedUnsealPolicyWinloadSVN` UInt32
`LatchedUnsealPolicyWinresumeSVN` UInt32
`LatchedUnsealPolicyBootmgrSVN` UInt32
`LatchedUnsealPolicyLKeyPkgId` UInt64
`UnlatchedUnsealPolicyVersion` UInt16
`UnlatchedUnsealPolicyVarDataOffset` UInt16
`UnlatchedUnsealPolicyStructureSize` UInt32
`UnlatchedUnsealPolicyPolicyVersion` UInt64
`UnlatchedUnsealPolicyPolicyHashLength` UInt32
`UnlatchedUnsealPolicyWinloadSVN` UInt32
`UnlatchedUnsealPolicyWinresumeSVN` UInt32
`UnlatchedUnsealPolicyBootmgrSVN` UInt32
`UnlatchedUnsealPolicyLKeyPkgId` UInt64

Event ID 85: Read and Unseal Master Key Array Package Status.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Level: Informational
Task: VsmLKeyProvisioningStatus

Description

Read and Unseal Master Key Array Package Status.

Message #

Read and Unseal Master Key Array Package Status

Status: %1
PrimarySealedBlobName: %2
SecondaryProtectorVariableName: %3
BlobFromUefiVariableSize: %4
UefiContentIsSealed: %5
UnsealedBlobSize: %6
Pcr7SealingUsed: %7
PkgTpmSealMaskLocal: %8
PkgTpmCreationMaskLocal: %9
NeedToResealKeyPkg: %10
NeedToResealBackup: %11
NeedToResealPca2023Backup: %12
PlaintextBlobSize: %13
PlaintextIsLegacyFormat: %14
UefiBlobIsCorrupt: %15
NewKeyID: %16
VerifiedMicrosoftAuthority: %17
ContainsAuthorityData: %18
BootmgrAuthorityEventCount: %19
Authority: %20

Substatus

PrimaryBlobUnsealStatus: %21
BackupBlobUnsealStatus: %22
Pca2023ProtectorUnsealStatus: %23
BackupBlobValidityCheckStatus: %24
BackupBlobStillValid: %25
Pca2023ProtectorValidityCheckStatus: %26
Pca2023ProtectorStillValid: %27
PrimaryBlobResealStatus: %28
BackupBlobResealStatus: %29
Pca2023ProtectorResealStatus: %30
V2ProtectorsUsed: %31
LegacyUefiVarQueryStatus: %32
LegacyUefiVarCleanupStatus: %33
ActivePolicyVersion: %34
LatchedPolicyVersion: %35
UnlatchedPolicyVersion: %36

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference
`PrimarySealedBlobName` UnicodeString
`SecondaryProtectorVariableName` UnicodeString
`BlobFromUefiVariableSize` UInt32
`UefiContentIsSealed` UInt8
`UnsealedBlobSize` UInt32
`Pcr7SealingUsed` UInt8
`PkgTpmSealMaskLocal` UInt32
`PkgTpmCreationMaskLocal` UInt32
`NeedToResealKeyPkg` UInt8
`NeedToResealBackup` UInt8
`NeedToResealPca2023Protector` UInt8
`PlaintextBlobSize` UInt32
`PlaintextIsLegacyFormat` UInt8
`UefiBlobIsCorrupt` UInt8
`NewKeyID` UInt32
`VerifiedMicrosoftAuthority` UInt8
`ContainsAuthorityData` UInt8
`BootmgrAuthorityEventCount` UInt32
`Authority` UInt32
`pSubStatusPrimaryBlobUnsealStatus` UInt32
`pSubStatusBackupBlobUnsealStatus` UInt32
`pSubStatusPca2023ProtectorUnsealStatus` UInt32
`pSubStatusBackupBlobValidityCheckStatus` UInt32
`pSubStatusBackupBlobStillValid` Boolean
`pSubStatusPca2023ProtectorValidityCheckStatus` UInt32
`pSubStatusPca2023ProtectorStillValid` Boolean
`pSubStatusPrimaryBlobResealStatus` UInt32
`pSubStatusBackupBlobResealStatus` UInt32
`pSubStatusPca2023ProtectorResealStatus` UInt32
`pSubStatusV2ProtectorsUsed` UInt8
`pSubStatusLegacyUefiVarQueryStatus` UInt32
`pSubStatusLegacyUefiVarCleanupStatus` UInt32
`pSubStatusActivePolicyVersion` UInt64
`pSubStatusLatchedPolicyVersion` UInt64
`pSubStatusUnlatchedPolicyVersion` UInt64

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Boot",
    "event_id": 85,
    "level": 4,
    "task": 81,
    "opcode": 0,
    "time_created": "2026-05-27T19:31:42.4869837+00:00",
    "computer": "DESKTOP-FF3N5XK.ludus.domain",
    "channel": "Microsoft-Windows-Kernel-Boot"
  },
  "event_data": {
    "pSubStatus->PrimaryBlobResealStatus": "1",
    "pSubStatus->LatchedPolicyVersion": "0",
    "pSubStatus->Pca2023ProtectorStillValid": "false",
    "PlaintextBlobSize": "0",
    "NeedToResealBackup": "0",
    "pSubStatus->V2ProtectorsUsed": "0",
    "pSubStatus->Pca2023ProtectorValidityCheckStatus": "1",
    "NeedToResealKeyPkg": "0",
    "pSubStatus->Pca2023ProtectorUnsealStatus": "1",
    "pSubStatus->ActivePolicyVersion": "0",
    "Pcr7SealingUsed": "0",
    "SecondaryProtectorVariableName": "VsmLocalKeyProtector",
    "PkgTpmCreationMaskLocal": "0",
    "PlaintextIsLegacyFormat": "0",
    "NeedToResealPca2023Protector": "0",
    "pSubStatus->PrimaryBlobUnsealStatus": "1",
    "PrimarySealedBlobName": "VsmLocalKey2",
    "NewKeyID": "0",
    "VerifiedMicrosoftAuthority": "0",
    "BlobFromUefiVariableSize": "0",
    "UnsealedBlobSize": "0",
    "pSubStatus->BackupBlobResealStatus": "1",
    "Status": "3221226021",
    "pSubStatus->Pca2023ProtectorResealStatus": "1",
    "UefiContentIsSealed": "0",
    "PkgTpmSealMaskLocal": "0",
    "Authority": "0",
    "BootmgrAuthorityEventCount": "0",
    "pSubStatus->LegacyUefiVarQueryStatus": "1",
    "pSubStatus->BackupBlobValidityCheckStatus": "1",
    "pSubStatus->UnlatchedPolicyVersion": "0",
    "ContainsAuthorityData": "0",
    "pSubStatus->BackupBlobStillValid": "false",
    "pSubStatus->BackupBlobUnsealStatus": "1",
    "pSubStatus->LegacyUefiVarCleanupStatus": "1",
    "UefiBlobIsCorrupt": "1"
  }
}

Event ID 86: Get Plaintext Master Key Array Status.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: VsmLKeyProvisioningStatus

Description

Get Plaintext Master Key Array Status.

Message #

Get Plaintext Master Key Array Status

Status: %1
SecondaryProtectorVariableName: %2
NeedToResealPrimaryProtector: %3
NeedToResealSecondaryProtector: %4
NeedToResealPca2023Protector: %5
SealedBackupEncryptionKeySize: %6
SealedPca2023EncryptionKeySize: %7
UefiBlobIsCorrupt: %8
Pcr7SealingUsed: %9
CreationStateVerifiedLocal: %10
VerifiedMicrosoftAuthority: %11
ContainsAuthorityData: %12
BootmgrAuthorityEventCount: %13
PrimaryProtectorTargetPcrSealMaskLocal: %14
Authority: %15

Substatus

PrimaryBlobUnsealStatus: %16
BackupBlobUnsealStatus: %17
Pca2023ProtectorUnsealStatus: %18
BackupBlobValidityCheckStatus: %19
BackupBlobStillValid: %20
Pca2023ProtectorValidityCheckStatus: %21
Pca2023ProtectorStillValid: %22
PrimaryBlobResealStatus: %23
BackupBlobResealStatus: %24
Pca2023ProtectorResealStatus: %25
V2ProtectorsUsed: %26
LegacyUefiVarQueryStatus: %27
LegacyUefiVarCleanupStatus: %28
ActivePolicyVersion: %29
LatchedPolicyVersion: %30
UnlatchedPolicyVersion: %31

Validated Unseal Policy

Version: %32
VarDataOffset: %33
StructureSize: %34
PolicyVersion: %35
PolicyHashLength: %36
WinloadSVN: %37
WinresumeSVN: %38
BootmgrSVN: %39
LKeyPkgId: %40

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference
`SecondaryProtectorVariableName` UnicodeString
`NeedToResealPrimaryProtector` UInt8
`NeedToResealSecondaryProtector` UInt8
`NeedToResealPca2023Protector` UInt8
`SealedBackupEncryptionKeySize` UInt16
`SealedPca2023EncryptionKeySize` UInt16
`UefiBlobIsCorrupt` UInt8
`Pcr7SealingUsed` UInt8
`CreationStateVerifiedLocal` UInt8
`VerifiedMicrosoftAuthority` UInt8
`ContainsAuthorityData` UInt8
`BootmgrAuthorityEventCount` UInt32
`PrimaryProtectorTargetPcrSealMaskLocal` UInt32
`Authority` UInt32
`pSubStatusPrimaryBlobUnsealStatus` UInt32
`pSubStatusBackupBlobUnsealStatus` UInt32
`pSubStatusPca2023ProtectorUnsealStatus` UInt32
`pSubStatusBackupBlobValidityCheckStatus` UInt32
`pSubStatusBackupBlobStillValid` Boolean
`pSubStatusPca2023ProtectorValidityCheckStatus` UInt32
`pSubStatusPca2023ProtectorStillValid` Boolean
`pSubStatusPrimaryBlobResealStatus` UInt32
`pSubStatusBackupBlobResealStatus` UInt32
`pSubStatusPca2023ProtectorResealStatus` UInt32
`pSubStatusV2ProtectorsUsed` UInt8
`pSubStatusLegacyUefiVarQueryStatus` UInt32
`pSubStatusLegacyUefiVarCleanupStatus` UInt32
`pSubStatusActivePolicyVersion` UInt64
`pSubStatusLatchedPolicyVersion` UInt64
`pSubStatusUnlatchedPolicyVersion` UInt64
`ValidatedUnsealPolicyVersion` UInt16
`ValidatedUnsealPolicyVarDataOffset` UInt16
`ValidatedUnsealPolicyStructureSize` UInt32
`ValidatedUnsealPolicyPolicyVersion` UInt64
`ValidatedUnsealPolicyPolicyHashLength` UInt32
`ValidatedUnsealPolicyWinloadSVN` UInt32
`ValidatedUnsealPolicyWinresumeSVN` UInt32
`ValidatedUnsealPolicyBootmgrSVN` UInt32
`ValidatedUnsealPolicyLKeyPkgId` UInt64

Event ID 87: Read and Unseal Master Key Array Package error.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: VsmLKeyProvisioningStatus

Description

Read and Unseal Master Key Array Package error.

Message #

Read and Unseal Master Key Array Package error

LegacyMainBlobVariableName: %1
LegacySecondaryProtectorVariableName: %2
PkgWasCorruptOrUnavailableLocal: %3
KeysAreLegacyLocal: %4
CreationStateVerifiedLocal: %5
PrimaryProtectorTargetPcrSealMaskLocal: %6

Substatus

PrimaryBlobUnsealStatus: %7
BackupBlobUnsealStatus: %8
Pca2023ProtectorUnsealStatus: %9
BackupBlobValidityCheckStatus: %10
BackupBlobStillValid: %11
Pca2023ProtectorValidityCheckStatus: %12
Pca2023ProtectorStillValid: %13
PrimaryBlobResealStatus: %14
BackupBlobResealStatus: %15
Pca2023ProtectorResealStatus: %16
V2ProtectorsUsed: %17
LegacyUefiVarQueryStatus: %18
LegacyUefiVarCleanupStatus: %19
ActivePolicyVersion: %20
LatchedPolicyVersion: %21
UnlatchedPolicyVersion: %22

Fields #

Name	Description
`LegacyMainBlobVariableName` UnicodeString
`LegacySecondaryProtectorVariableName` UnicodeString
`PkgWasCorruptOrUnavailableLocal` UInt8
`KeysAreLegacyLocal` UInt8
`CreationStateVerifiedLocal` UInt8
`PrimaryProtectorTargetPcrSealMaskLocal` UInt32
`pSubStatusPrimaryBlobUnsealStatus` UInt32
`pSubStatusBackupBlobUnsealStatus` UInt32
`pSubStatusPca2023ProtectorUnsealStatus` UInt32
`pSubStatusBackupBlobValidityCheckStatus` UInt32
`pSubStatusBackupBlobStillValid` Boolean
`pSubStatusPca2023ProtectorValidityCheckStatus` UInt32
`pSubStatusPca2023ProtectorStillValid` Boolean
`pSubStatusPrimaryBlobResealStatus` UInt32
`pSubStatusBackupBlobResealStatus` UInt32
`pSubStatusPca2023ProtectorResealStatus` UInt32
`pSubStatusV2ProtectorsUsed` UInt8
`pSubStatusLegacyUefiVarQueryStatus` UInt32
`pSubStatusLegacyUefiVarCleanupStatus` UInt32
`pSubStatusActivePolicyVersion` UInt64
`pSubStatusLatchedPolicyVersion` UInt64
`pSubStatusUnlatchedPolicyVersion` UInt64

Event ID 88: Read and Unseal Master Key Array Package Status.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: VsmLKeyProvisioningStatus

Description

Read and Unseal Master Key Array Package Status.

Message #

Read and Unseal Master Key Array Package Status

Status: %1
OsDeviceId: %2
OsDataDeviceId: %3
SystemRoot: %4
VsmLKeyRelPath: %5
LatchedUnsealPolicyRelPath: %6
UnlatchedUnsealPolicyRelPath: %7
LatchedPrimaryProtectorVariableName: %8
LatchedSecondaryProtectorVariableName: %9
UnlatchedPrimaryProtectorVariableName: %10
UnlatchedSecondaryProtectorVariableName: %11
LegacyMainBlobVariableName: %12
LegacySecondaryProtectorVariableName: %13
LatchedProtectorUsedLocal: %14
LatchTheUnlatchedLocal: %15
UnsupportedRollbackLocal: %16
UpgradedAntirollbackPolicyExistsLocal: %17
FirstWriteToDiskLocal: %18
WritePkgToUefiLocal: %19
PkgWasCorruptOrUnavailableLocal: %20
KeysAreLegacyLocal: %21
CreationStateVerifiedLocal: %22
PrimaryProtectorTargetPcrSealMaskLocal: %23

Substatus

PrimaryBlobUnsealStatus: %24
BackupBlobUnsealStatus: %25
Pca2023ProtectorUnsealStatus: %26
BackupBlobValidityCheckStatus: %27
BackupBlobStillValid: %28
Pca2023ProtectorValidityCheckStatus: %29
Pca2023ProtectorStillValid: %30
PrimaryBlobResealStatus: %31
BackupBlobResealStatus: %32
Pca2023ProtectorResealStatus: %33
V2ProtectorsUsed: %34
LegacyUefiVarQueryStatus: %35
LegacyUefiVarCleanupStatus: %36
ActivePolicyVersion: %37
LatchedPolicyVersion: %38
UnlatchedPolicyVersion: %39

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference
`OsDeviceId` UInt32
`OsDataDeviceId` UInt32
`SystemRoot` UnicodeString
`VsmLKeyRelPath` UnicodeString
`LatchedUnsealPolicyRelPath` UnicodeString
`UnlatchedUnsealPolicyRelPath` UnicodeString
`LatchedPrimaryProtectorVariableName` UnicodeString
`LatchedSecondaryProtectorVariableName` UnicodeString
`UnlatchedPrimaryProtectorVariableName` UnicodeString
`UnlatchedSecondaryProtectorVariableName` UnicodeString
`LegacyMainBlobVariableName` UnicodeString
`LegacySecondaryProtectorVariableName` UnicodeString
`LatchedProtectorUsedLocal` UInt8
`LatchTheUnlatchedLocal` UInt8
`UnsupportedRollbackLocal` UInt8
`UpgradedAntirollbackPolicyExistsLocal` UInt8
`FirstWriteToDiskLocal` UInt8
`WritePkgToUefiLocal` UInt8
`PkgWasCorruptOrUnavailableLocal` UInt8
`KeysAreLegacyLocal` UInt8
`CreationStateVerifiedLocal` UInt8
`PrimaryProtectorTargetPcrSealMaskLocal` UInt32
`pSubStatusPrimaryBlobUnsealStatus` UInt32
`pSubStatusBackupBlobUnsealStatus` UInt32
`pSubStatusPca2023ProtectorUnsealStatus` UInt32
`pSubStatusBackupBlobValidityCheckStatus` UInt32
`pSubStatusBackupBlobStillValid` Boolean
`pSubStatusPca2023ProtectorValidityCheckStatus` UInt32
`pSubStatusPca2023ProtectorStillValid` Boolean
`pSubStatusPrimaryBlobResealStatus` UInt32
`pSubStatusBackupBlobResealStatus` UInt32
`pSubStatusPca2023ProtectorResealStatus` UInt32
`pSubStatusV2ProtectorsUsed` UInt8
`pSubStatusLegacyUefiVarQueryStatus` UInt32
`pSubStatusLegacyUefiVarCleanupStatus` UInt32
`pSubStatusActivePolicyVersion` UInt64
`pSubStatusLatchedPolicyVersion` UInt64
`pSubStatusUnlatchedPolicyVersion` UInt64

Event ID 89: Create Sealed Encrypt Key Status.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: VsmLKeyProvisioningStatus

Description

Create Sealed Encrypt Key Status.

Message #

Create Sealed Encrypt Key Status

Status: %1
PcrMask: %2
UnsealPolicyPdGuid: %3
SealingProtectorFixedBufferSize: %4
SealingProtectorUsedBufferSize: %5
SealedSecretBufferSize: %6
PcrInfoArrayElCount: %7

Unseal policy

Version: %8
VarDataOffset: %9
StructureSize: %10
PolicyVersion: %11
PolicyHashLength: %12
WinloadSVN: %13
WinresumeSVN: %14
BootmgrSVN: %15
LKeyPkgId: %16

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference
`PcrMask` UInt32
`UnsealPolicyPdGuid` GUID
`SealingProtectorFixedBufferSize` UInt32
`SealingProtectorUsedBufferSize` UInt32
`SealedSecretBufferSize` UInt32
`PcrInfoArrayElCount` UInt32
`UnsealPolicyVersion` UInt16
`UnsealPolicyVarDataOffset` UInt16
`UnsealPolicyStructureSize` UInt32
`UnsealPolicyPolicyVersion` UInt64
`UnsealPolicyPolicyHashLength` UInt32
`UnsealPolicyWinloadSVN` UInt32
`UnsealPolicyWinresumeSVN` UInt32
`UnsealPolicyBootmgrSVN` UInt32
`UnsealPolicyLKeyPkgId` UInt64

Event ID 90: Get Sealed Protector Status.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: VsmLKeyProvisioningStatus

Description

Get Sealed Protector Status.

Message #

Get Sealed Protector Status

Status: %1
ProtectorName: %2
SealedEncryptionKeySize: %3
ProtectorBlobFromUefiVariableSize: %4

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference
`ProtectorName` UnicodeString
`SealedEncryptionKeySize` UInt16
`ProtectorBlobFromUefiVariableSize` UInt32

Event ID 91: SRTM PCR Values.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: VsmLKeyProvisioningStatus

Description

SRTM PCR Values.

Message #

SRTM PCR Values

algId: %1
digestLength:%2
PcrIndex: %3
PcrValue: %4

Fields #

Name	Description
`algID` UInt16
`digestLength` UInt16
`PcrIndex` UInt32
`PcrValue` UnicodeString

Event ID 92

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: MeasuredLaunch
Opcode: DmaProtectedRangeAdjusted

Fields #

Name	Description
`RangeAltitude` UInt32
`RangeEndpoint` UInt32
`Address` UInt64
`AlignedAddress` UInt64
`OverlappedMemoryType` UInt32

Event ID 100: InitializeLibraryStart_V1

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: InitializeLibrary
Opcode: Start

Fields #

Name	Description
`Secure` Boolean

Event ID 101: InitializeLibraryStop

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: InitializeLibrary
Opcode: Stop

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Event ID 102: PrepareTargetStart_V2

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: PrepareTarget
Opcode: Start

Fields #

Name	Description
`SoftRestartCount` UInt32
`Secure` Boolean

Event ID 103: PrepareTargetStop

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: PrepareTarget
Opcode: Stop

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Event ID 104: RebuildKernelMemoryMapStart

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: RebuildKernelMemoryMap
Opcode: Start

Fields #

Name	Description
`ReserveDescriptors` UInt32

Event ID 105: RebuildKernelMemoryMapStop

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: RebuildKernelMemoryMap
Opcode: Stop

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Event ID 106: PersistMemoryStart

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: PersistMemory
Opcode: Start

Fields #

Name	Description
`ApplicationId` GUID
`RunCount` UInt32
`PageCount` UInt64

Event ID 107: PersistMemoryStop

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: PersistMemory
Opcode: Stop

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference
`BlockId` UInt64

Event ID 108: FatalError

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: FatalError

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Event ID 109: CleanupPageDatabaseStart

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: CleanupPageDatabase
Opcode: Start

Fields #

Name	Description
`FreePersistentPages` Boolean

Event ID 110: CleanupPageDatabaseStop

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: CleanupPageDatabase
Opcode: Stop

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Event ID 111: FreePersistedMemoryStart

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: FreePersistedMemory
Opcode: Start

Fields #

Name	Description
`ApplicationId` GUID
`FreePersistentPages` Boolean

Event ID 112: FreePersistedMemoryStop

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: FreePersistedMemory
Opcode: Stop

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Event ID 113: ClaimPersistedMemoryStart

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: ClaimPersistedMemory
Opcode: Start

Fields #

Name	Description
`ApplicationId` GUID
`BlockId` UInt64
`Flags` UInt32

Event ID 114: ClaimPersistedMemoryStop

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: ClaimPersistedMemory
Opcode: Stop

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference
`RunsClaimed` UInt32
`PageCount` UInt64

Event ID 115: Soft reboot cancellation started: Soft_reboot_cancellation_started.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Task: CancelBoot
Opcode: Start

Description

Soft reboot cancellation started: Soft_reboot_cancellation_started.

Message #

Soft reboot cancellation started: %1

Fields #

Name	Description
`FreePersistentPages` Boolean

Event ID 116: Soft reboot cancellation finished: Soft_reboot_cancellation_finished.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Task: CancelBoot
Opcode: Stop

Description

Soft reboot cancellation finished: Soft_reboot_cancellation_finished.

Message #

Soft reboot cancellation finished: %1.

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Event ID 117: AttachPersistentPageDatabaseStart

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: AttachPersistentPageDatabase
Opcode: Start

Event ID 118: AttachPersistentPageDatabaseStop

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: AttachPersistentPageDatabase
Opcode: Stop

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Event ID 119: MemoryBlockRundown

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: MemoryBlockRundown

Fields #

Name	Description
`ApplicationId` GUID
`BlockId` UInt64

Event ID 120: BuildKernelMemoryMapStart

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: BuildKernelMemoryMap
Opcode: Start

Event ID 121: BuildKernelMemoryMapStop

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: BuildKernelMemoryMap
Opcode: Stop

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Event ID 122: GetMemoryMapStart

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: GetMemoryMap
Opcode: Start

Fields #

Name	Description
`Type` UInt32
`Flags` UInt32
`BufferSize` UInt32

Event ID 123: GetMemoryMapStop

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: GetMemoryMap
Opcode: Stop

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference
`DataSize` UInt32
`BufferSize` UInt32

Event ID 124: The virtualization-based security enablement policy check at phase Phase failed with status: Status.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Level: Error
Task: VsmPolicyFailure

Description

The virtualization-based security enablement policy check at phase Phase failed with status: Status.

Message #

The virtualization-based security enablement policy check at phase %1 failed with status: %2

Fields #

Name	Description
`Phase` UInt8
`Status` UInt32	1 failed with status. NTSTATUS reference

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Boot",
    "guid": "15CA44FF-4D7A-4BAA-BBA5-0998955E531E",
    "event_source_name": "",
    "event_id": 124,
    "version": 0,
    "level": 2,
    "task": 80,
    "opcode": 0,
    "keywords": 9223451201691975680,
    "time_created": "2023-11-06T06:24:56.254312+00:00",
    "event_record_id": 1629,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 8
    },
    "channel": "System",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Phase": 0,
    "Status": 3221225659
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 126: AllocatePhysicalPagesForMdlStart

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: AllocatePhysicalPagesForMdl
Opcode: Start

Fields #

Name	Description
`LowAddress` UInt64
`HighAddress` UInt64
`SkipBytes` UInt64
`TotalBytes` UInt64
`CacheType` UInt32
`Flags` UInt32

Event ID 127: AllocatePhysicalPagesForMdlStop

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: AllocatePhysicalPagesForMdl
Opcode: Stop

Fields #

Name	Description
`Mdl` Pointer

Event ID 128: ExecuteTransitionStart

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: ExecuteTransition
Opcode: Start

Fields #

Name	Description
`StartTime` FILETIME

Event ID 129: DisconnectHypervisorStart

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: DisconnectHypervisor
Opcode: Start

Event ID 130: MemoryMapRundown

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: MemoryMapRundown

Fields #

Name	Description
`SequenceNumber` UInt32
`DescriptorCount` UInt32
`MemoryDescriptor` Int8

Event ID 131: MemoryMapRundownStart

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: MemoryMapRundown
Opcode: Start

Event ID 132: MemoryMapRundownStop

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: MemoryMapRundown
Opcode: Stop

Fields #

Name	Description
`DescriptorCount` UInt32

Event ID 133: PhysicalPageAllocationFailure_V1

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: PhysicalPageAllocationFailure

Fields #

Name	Description
`Status` HexInt32	NTSTATUS reference
`PageCount` UInt64
`MemoryType` UInt32
`Attributes` UInt32
`LowAddress` UInt64
`HighAddress` UInt64
`Alignment` UInt32
`ProximityId` UInt32

Event ID 134: WaitForPartitionsRestoredStart

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: WaitForPartitionsRestored
Opcode: Start

Event ID 135: WaitForPartitionsRestoredStop

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: WaitForPartitionsRestored
Opcode: Stop

Event ID 136: Soft Restart failed to complete with status: Status due to OutstandingCount outstanding unclaimed allocations.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: CleanupPageDatabase

Description

Soft Restart failed to complete with status: Status due to OutstandingCount outstanding unclaimed allocations.

Message #

Soft Restart failed to complete with status: %1 due to %2 outstanding unclaimed allocations

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference
`OutstandingCount` UInt64
`ApplicationsCount` UInt32
`AppId` GUID

Event ID 137: MemoryPartitionRestoreStart

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: MemoryPartitionRestore
Opcode: Start

Fields #

Name	Description
`Identifier` GUID
`PartitionId` UInt32

Event ID 138: MemoryPartitionRestoreStop_V2

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: MemoryPartitionRestore
Opcode: Stop

Fields #

Name	Description
`Identifier` GUID
`Status` UInt32	NTSTATUS reference
`NameLength` UInt16
`PartitoinName` UnicodeString
`MemoryRangeCount` UInt32
`MemorPageCount` UInt64
`IoSpaceRangeCount` UInt32
`IoSpacePageCount` UInt64
`AllocatedMemoryBlockCount` UInt64
`AllocatedMemoryRunCount` UInt64
`AllocatedMemoryPageCount` UInt64
`AllocatedIoSpaceBlockCount` UInt64
`AllocatedIoSpaceRunCount` UInt64
`AllocatedIoSpacePageCount` UInt64

Event ID 139: Soft Restart failed to restore memory partition Identifier with status: Status.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: MemoryPartitionRestore

Description

Soft Restart failed to restore memory partition Identifier with status: Status.

Message #

Soft Restart failed to restore memory partition %1 with status: %2

Fields #

Name	Description
`Identifier` GUID
`Status` UInt32	NTSTATUS reference

Event ID 140: PersistMemoryPartitionStart

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: PersistMemoryPartition
Opcode: Start

Fields #

Name	Description
`Identifier` GUID

Event ID 141: PersistMemoryPartitionStop_V1

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: PersistMemoryPartition
Opcode: Stop

Fields #

Name	Description
`Identifier` GUID
`RunCount` UInt32
`PageCount` UInt64
`IoSpaceRunCount` UInt32
`IoSpacePageCount` UInt64
`Status` UInt32	NTSTATUS reference
`PartitionNameLength` UInt16
`PartitionName` UnicodeString

Event ID 142: Soft Restart failed to register with Soft Restart extension.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: RegisterLoader

Description

Soft Restart failed to register with Soft Restart extension. The versions are not compatible.

Message #

Soft Restart failed to register with Soft Restart extension. The versions are not compatible.

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference
`ActualSize` UInt32
`ExpectedSize` UInt32
`Vtl` UInt8

Event ID 143: MemoryPartitionsRestored

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: MemoryPartitionsRestored

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Event ID 144: QueryStatisticsStart

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: QueryStatistics
Opcode: Start

Event ID 145: QueryStatisticsStop

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: QueryStatistics
Opcode: Stop

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Event ID 146: Soft Restart failed to establish connection with secure load with status: Status.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: ConnectSecureLoader

Description

Soft Restart failed to establish connection with secure load with status: Status.

Message #

Soft Restart failed to establish connection with secure load with status: %1

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Event ID 147: FreePersistedMemoryBlockStart

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: FreePersistedMemoryBlock
Opcode: Start

Fields #

Name	Description
`ApplicationId` GUID
`BlockId` UInt64
`FreePersistentPages` Boolean

Event ID 148: FreePersistedMemoryBlockStop

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: FreePersistedMemoryBlock
Opcode: Stop

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Event ID 149: PrepareNotificationStart

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: PrepareNotification
Opcode: Start

Event ID 150: PrepareNotificationStop_V1

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: PrepareNotification
Opcode: Stop

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference
`Tag` AnsiString

Event ID 151: PartitionInitialAddMemoryStart_V2

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: PartitionInitialAddMemory
Opcode: Start

Fields #

Name	Description
`PartitionId` UInt32
`RunCount` UInt64
`PageCount` UInt64
`IoSpaceMemory` Boolean
`Allocated` Boolean

Event ID 152: PartitionInitialAddMemoryStop

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: PartitionInitialAddMemory
Opcode: Stop

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Event ID 153: Virtualization-based security (policies: VsmPolicy) is EnableDisableReason.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Level: Informational
Task: VsmPolicyEnablement

Description

Virtualization-based security (policies: VsmPolicy) is EnableDisableReason.

Message #

Virtualization-based security (policies: %3) is %2.

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference
`EnableDisableReason` UInt32
`VsmPolicy` UInt32	Virtualization-based security (policies.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Boot",
    "guid": "{15CA44FF-4D7A-4BAA-BBA5-0998955E531E}",
    "event_source_name": "",
    "event_id": 153,
    "version": 0,
    "level": 4,
    "task": 62,
    "opcode": 0,
    "keywords": -9223372036854775808,
    "time_created": "2026-05-29T16:32:43.9804374+00:00",
    "event_record_id": 6661,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 8
    },
    "channel": "System",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Status": "0",
    "EnableDisableReason": "0",
    "VsmPolicy": "0"
  },
  "message": "Virtualization-based security (policies: 0) is disabled."
}

Event ID 154: Boot Policy Migration used an authenticated variable.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Level: Informational
Task: BootPolicyMigration

Description

Boot Policy Migration used an authenticated variable. Status: Status.

Message #

Boot Policy Migration used an authenticated variable.  Status: %1

Fields #

Name	Description
`Status` UInt32	Boot Policy Migration used an authenticated variable. Status. NTSTATUS reference

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Boot",
    "guid": "15CA44FF-4D7A-4BAA-BBA5-0998955E531E",
    "event_source_name": "",
    "event_id": 154,
    "version": 0,
    "level": 4,
    "task": 44,
    "opcode": 0,
    "keywords": 2305843009213693952,
    "time_created": "2023-11-06T06:20:49.064672+00:00",
    "event_record_id": 46,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 8
    },
    "channel": "Microsoft-Windows-Kernel-Boot/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Status": 0
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 155: Boot Policy Migration used an unauthenticated variable.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: BootPolicyMigration

Description

Boot Policy Migration used an unauthenticated variable. Status: Status.

Message #

Boot Policy Migration used an unauthenticated variable.  Status: %1

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Event ID 156: Virtualization-based security (policies: VsmPolicy) is EnableDisableReason with status: Status.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Level: Warning
Opcode: Info

Description

Virtualization-based security (policies: VsmPolicy) is EnableDisableReason with status: Status.

Message #

Virtualization-based security (policies: %3) is %2 with status: %1

Fields #

Name	Description
`Status` UInt32	2 with status. NTSTATUS reference
`EnableDisableReason` UInt32
`VsmPolicy` UInt32	Virtualization-based security (policies.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Boot",
    "guid": "15CA44FF-4D7A-4BAA-BBA5-0998955E531E",
    "event_source_name": "",
    "event_id": 156,
    "version": 0,
    "level": 3,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T06:24:56.249721+00:00",
    "event_record_id": 1625,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 8
    },
    "channel": "System",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Status": 3221225659,
    "EnableDisableReason": 6,
    "VsmPolicy": 515
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 157: Info: Info Status: Status.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: BootDiag

Description

Info: Info Status: Status.

Message #

Info: %1 Status: %2

Fields #

Name	Description
`DiagCode` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 158: Error: DiagCode Status: Status.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Level: Error
Task: BootDiag

Description

Error: DiagCode Status: Status.

Message #

Error: %1 Status: %2

Fields #

Name	Description
`DiagCode` UInt32	Error.
`Status` UInt32	NTSTATUS reference

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Boot",
    "guid": "15CA44FF-4D7A-4BAA-BBA5-0998955E531E",
    "event_source_name": "",
    "event_id": 158,
    "version": 0,
    "level": 2,
    "task": 53,
    "opcode": 0,
    "keywords": 2305851805306716160,
    "time_created": "2023-11-06T06:24:56.254284+00:00",
    "event_record_id": 49,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 8
    },
    "channel": "Microsoft-Windows-Kernel-Boot/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "DiagCode": 1076887595,
    "Status": 3221225659
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 159: RemoveEnclavePagesStart

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: RemoveEnclavePages
Opcode: Start

Fields #

Name	Description
`BasePage` UInt64
`PageCount` UInt64

Event ID 160: CancelNotificationStart

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: CancelNotification
Opcode: Start

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Event ID 161: CancelNotificationStop

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: CancelNotification
Opcode: Stop

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Event ID 162: GetSystemBootDevice

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: GetFirmwareBootDevice

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Event ID 163: NormalizeBootOptionList

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: NormalizeBootOptionList

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Event ID 164: CreateLibraryParameters

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: CreateLibraryParameters

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Event ID 165: InitializeLibrary

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: InitializeLibrary

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Event ID 166: CreateDevices

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: CreateDevices

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Event ID 167: SoftRestartHostCapability

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: SoftRestartHostCapability

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Event ID 168: EnumerateEnclavePages

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: EnumerateEnclavePages

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Event ID 169: InitializeMeasurementContextInitializationFailure_V1

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: InitializeMeasurementContext
Opcode: InitializationFailure

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference
`FailurePoint` UInt32

Event ID 170: Measured Boot Measurement Failure.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: KsrMeasurement

Description

Measured Boot Measurement Failure. Status: Measured_Boot_Measurement_Failure_Status.

Message #

Measured Boot Measurement Failure. Status: %1

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Event ID 171: TPM Measurement Failure.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: TpmMeasurement

Description

TPM Measurement Failure. Status: TPM_Measurement_Failure_Status.

Message #

TPM Measurement Failure. Status: %1

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Event ID 172: Failure to close TCG log.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: CloseMeasurementLog

Description

Failure to close TCG log. Status: Status.

Message #

Failure to close TCG log. Status: %1

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Event ID 173: CommitPendingEvents

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: CommitPendingEvents

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Event ID 174: CapTpmPcr

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: CapTpmPcr

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Event ID 175: CapTpmPcr175

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: CapTpmPcr

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Event ID 176: InitializeLibrary176

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: InitializeLibrary

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Event ID 177: EfiVariableAccessGetEfiVariable

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: EfiVariableAccess
Opcode: GetEfiVariable

Fields #

Name	Description
`VendorGuid` GUID
`VariableName` UnicodeString
`Attributes` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 178: EfiVariableAccessSetEfiVariable

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: EfiVariableAccess
Opcode: SetEfiVariable

Fields #

Name	Description
`VendorGuid` GUID
`VariableName` UnicodeString
`Attributes` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 179: GetFirmwareInformation

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: GetFirmwareInformation

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Event ID 180: VerifyBootEntry

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: VerifyBootEntry

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Event ID 181: Soft Restart driver failed to register itself as a filter with status: Status.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: RegisterFilter

Description

Soft Restart driver failed to register itself as a filter with status: Status.

Message #

Soft Restart driver failed to register itself as a filter with status: %1

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Event ID 182: IoSpaceMemoryEnumerateFailure

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: IoSpaceMemory
Opcode: EnumerateFailure

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Event ID 183: BadMemoryPagesListInitializationFailure

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: BadMemoryPages
Opcode: ListInitializationFailure

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Event ID 184: InitializeMeasurementContextMeasurementsDisabled

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: InitializeMeasurementContext
Opcode: MeasurementsDisabled

Fields #

Name	Description
`DisableReason` UInt32
`TcgLogStatus` UInt32

Event ID 185: Soft Restart driver failed to store BCD store when BCDCache is enabled with status: Status.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: PersistBcdFailure

Description

Soft Restart driver failed to store BCD store when BCDCache is enabled with status: Status.

Message #

Soft Restart driver failed to store BCD store when BCDCache is enabled with status: %1

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Event ID 186: Soft Restart driver failed to query MEMDISK configuration from the current OS with status: Status.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: QueryMemdiskInformation

Description

Soft Restart driver failed to query MEMDISK configuration from the current OS with status: Status.

Message #

Soft Restart driver failed to query MEMDISK configuration from the current OS with status: %1

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Event ID 200: A command was submitted to the TPM.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Task: TpmCommandResponse

Description

A command was submitted to the TPM.

Message #

A command was submitted to the TPM.
Command code: %1.
Response code: %2.
Elapsed time: %3ms.

Fields #

Name	Description
`CommandCode` UInt32
`ResponseCode` UInt32
`ResponseMilliseconds` UInt64

Event ID 201: A command was submitted to the TPM.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Task: TpmCommandResponse

Description

A command was submitted to the TPM.

Message #

A command was submitted to the TPM.
Command code: %1.
Response code: %2.
Elapsed time: %3ms.

Fields #

Name	Description
`CommandCode` UInt32
`ResponseCode` UInt32
`ResponseMilliseconds` UInt64
`CommandSize` UInt32
`CommandData` Binary
`ResponseSize` UInt32
`ResponseData` Binary

Event ID 202: A command could not be submitted to the TPM.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: TpmSubmitError

Description

A command could not be submitted to the TPM.

Message #

A command could not be submitted to the TPM.
Command code: %1.
Error code: %2.
Elapsed time: %3ms.

Fields #

Name	Description
`CommandCode` UInt32
`ErrorCode` UInt32
`ResponseMilliseconds` UInt64

Event ID 203: A command could not be submitted to the TPM.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: TpmSubmitError

Description

A command could not be submitted to the TPM.

Message #

A command could not be submitted to the TPM.
Command code: %1.
Error code: %2.
Elapsed time: %3ms.

Fields #

Name	Description
`CommandCode` UInt32
`ErrorCode` UInt32
`ResponseMilliseconds` UInt64
`CommandSize` UInt32
`CommandData` Binary

Event ID 204: The TPM was found not to be useable for BitLocker.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Task: TpmBitLockerUsage

Description

The TPM was found not to be useable for BitLocker. Flags: FveGlobalDataFlags.

Message #

The TPM was found not to be useable for BitLocker. Flags: %1.

Fields #

Name	Description
`FveGlobalDataFlags` UInt32

Event ID 205: EFICapsuleCreationStart

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: EFICapsuleCreation
Opcode: Start

Event ID 206: EFICapsuleCreationStop

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: EFICapsuleCreation
Opcode: Stop

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Event ID 207: Measured Boot library was initialized.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Task: BootSI
Opcode: InitStatus

Description

Measured Boot library was initialized. Phase: Phase, StatusCode: StatusCode.

Message #

Measured Boot library was initialized. Phase: %1, StatusCode: %2.

Fields #

Name	Description
`Phase` UInt32
`StatusCode` UInt32	NTSTATUS reference
`EnvironmentState` UInt32

Event ID 208: Measured Boot library encountered a failure and entered insecure state.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Level: Error
Task: BootSI
Opcode: EnterInsecureState

Description

Measured Boot library encountered a failure and entered insecure state. InitState: InitState, StatusCode: StatusCode, Failure Address: FailureAddress, Reference Address: ReferenceAddress, Reason: ReasonCode.

Message #

Measured Boot library encountered a failure and entered insecure state. InitState: %1, StatusCode: %2, Failure Address: %3, Reference Address: %4, Reason: %5.

Fields #

Name	Description
`InitState` UInt32	Measured Boot library encountered a failure and entered insecure state. InitState.
`StatusCode` UInt32	NTSTATUS reference
`FailureAddress` UInt64
`ReferenceAddress` UInt64
`ReasonCode` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Boot",
    "guid": "{15CA44FF-4D7A-4BAA-BBA5-0998955E531E}",
    "event_source_name": "",
    "event_id": 208,
    "version": 0,
    "level": 2,
    "task": 78,
    "opcode": 12,
    "keywords": 2305851805306716160,
    "time_created": "2026-05-29T16:32:43.9805812+00:00",
    "event_record_id": 64,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 8
    },
    "channel": "Microsoft-Windows-Kernel-Boot/Operational",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "InitState": "1",
    "StatusCode": "3221225473",
    "FailureAddress": "4317743",
    "ReferenceAddress": "5031072",
    "ReasonCode": "1"
  },
  "message": "Measured Boot library encountered a failure and entered insecure state. InitState: 1, StatusCode: 0xC0000001, Failure Address: 0x41E22F, Reference Address: 0x4CC4A0, Reason: 1."
}

Event ID 209: DRTM Security Version Number check failed.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: BootSI
Opcode: DrtmSvnCheck

Description

DRTM Security Version Number check failed. SvnCounterId: SvnCounterId, StatusCode: StatusCode, Svn Value: SvnValue, Previous SVN Value: PrevSvnValue.

Message #

DRTM Security Version Number check failed. SvnCounterId: %1, StatusCode: %2, Svn Value: %3, Previous SVN Value: %4.

Fields #

Name	Description
`SvnCounterId` UInt32
`StatusCode` UInt32	NTSTATUS reference
`SvnValue` UInt32
`PrevSvnValue` UInt32

Event ID 210: Intel TXT SENTER time: Intel_TXT_SENTER_time ms.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: MeasuredLaunch
Opcode: SinitPerformance

Description

Intel TXT SENTER time: Intel_TXT_SENTER_time ms.

Message #

Intel TXT SENTER time: %1 ms.

Fields #

Name	Description
`SinitTimeMs` UInt64

Event ID 211: MiniFilterStartFailure

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: MiniFilterStartFailure

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Event ID 212: File modification detected after load: File_modification_detected_after_load.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Task: FileModification

Description

File modification detected after load: File_modification_detected_after_load.

Message #

File modification detected after load: %1.

Fields #

Name	Description
`PathLength` UInt16
`Path` UnicodeString

Event ID 213: Registry modification detected after load: PathLength.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Task: RegistryModification

Description

Registry modification detected after load: PathLength.

Message #

Registry modification detected after load: %1.

Fields #

Name	Description
`PathLength` UInt16
`Path` UnicodeString

Event ID 214: Soft reboot prepare started (complete requested: TryComplete).

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Task: SoftReboot
Opcode: Start

Description

Soft reboot prepare started (complete requested: TryComplete).

Message #

Soft reboot prepare started (complete requested: %1).

Fields #

Name	Description
`TryComplete` Boolean

Event ID 215: Soft reboot prepare finished: Soft_reboot_prepare_finished.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Task: SoftReboot
Opcode: Stop

Description

Soft reboot prepare finished: Soft_reboot_prepare_finished.

Message #

Soft reboot prepare finished: %1.

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Event ID 216: Soft reboot complete prepare started.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Task: SoftReboot
Opcode: Start

Description

Soft reboot complete prepare started.

Message #

Soft reboot complete prepare started.

Event ID 217: Soft reboot complete prepare finished: Soft_reboot_complete_prepare_finished.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Task: SoftReboot
Opcode: Stop

Description

Soft reboot complete prepare finished: Soft_reboot_complete_prepare_finished.

Message #

Soft reboot complete prepare finished: %1.

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Event ID 218: Soft reboot call to checkpoint failed: Function (checkpoint: Status).

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Task: SoftReboot

Description

Soft reboot call to checkpoint failed: Function (checkpoint: Status).

Message #

Soft reboot call to %1 failed: %2 (checkpoint: %3).

Fields #

Name	Description
`Function` UnicodeString
`Status` UInt32	NTSTATUS reference
`Checkpoint` UInt32

Event ID 219: Intel TXT prepared.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: MeasuredLaunch
Opcode: TxtInformation

Description

Intel TXT prepared. ACM date: AcmDateDay/Intel_TXT_prepared_ACM_date/AcmDateMonth.

Message #

Intel TXT prepared. ACM date: %2/%1/%3.

Fields #

Name	Description
`AcmDateDay` UInt8
`AcmDateMonth` UInt8
`AcmDateYear` UInt16

Event ID 220: System Guard enabled but not supported.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: MeasuredLaunch
Opcode: DrtmNotSupported

Description

System Guard enabled but not supported. Reason: TxtStatus.

Message #

System Guard enabled but not supported. Reason: %1

Fields #

Name	Description
`TxtStatus` UInt32

Event ID 221: System drivers need update to support VBS launch.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Task: MeasuredLaunch
Opcode: DrtmDriversNotSupportVbs

Description

System drivers need update to support VBS launch.

Message #

System drivers need update to support VBS launch.

Event ID 222: SMM configuration failed validation.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Task: MeasuredLaunch
Opcode: PpamFailure

Description

SMM configuration failed validation. Reason: TxtStatus.

Message #

SMM configuration failed validation. Reason: %1

Fields #

Name	Description
`TxtStatus` UInt32
`Instance` UInt64
`Status` UInt64	NTSTATUS reference

Event ID 223: IoSpaceMemoryAllocationFailure

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: IoSpaceMemory
Opcode: AllocationFailure

Fields #

Name	Description
`Phase` UInt32
`Status` UInt32	NTSTATUS reference
`Tries` UInt32
`RemainingNodesCount` UInt32
`RemainingNodes` Int16

Event ID 224: IoSpaceMemoryAllocation

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: IoSpaceMemory
Opcode: Allocation

Fields #

Name	Description
`AllocatedRegions` UInt32
`Tries` UInt32

Event ID 225: VBS is configured to disallow trustlets.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: VsmBootNoSecretsMode

Description

VBS is configured to disallow trustlets.

Message #

VBS is configured to disallow trustlets.

Event ID 226: FinalizeMemoryMapStart

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: FinalizeMemoryMap
Opcode: Start

Event ID 227: FinalizeMemoryMapStop

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: FinalizeMemoryMap
Opcode: Stop

Event ID 228: FinalizeMemoryMapStop228

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: FinalizeMemoryMap
Opcode: Stop

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Event ID 229: RegisterHvloaderPersistenceInterface

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: RegisterHvloaderPersistenceInterface

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Event ID 230: LoadHvloaderForPersistence

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: LoadHvloaderForPersistence

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Event ID 231: Boot menu timer canceled due to key press.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: BootMenuTimerCanceled

Description

Boot menu timer canceled due to key press.

Message #

Boot menu timer canceled due to key press.

Fields #

Name	Description
`KeyType` UInt32	Known values `%%2499` Machine key `%%2500` User key
`Code` UInt32

Event ID 232: MemoryPartitionFreeUnusedMemoryStart

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: MemoryPartitionFreeUnusedMemory
Opcode: Start

Event ID 233: MemoryPartitionFreeUnusedMemoryStop

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: MemoryPartitionFreeUnusedMemory
Opcode: Stop

Fields #

Name	Description
`RangeCount` UInt64
`PageCount` UInt64
`MarkedAsBadRegularPages` UInt64
`MarkedAsBadIoSpacePages` UInt64
`MarkErrorsCount` UInt64

Event ID 234: MemoryPartitionRestoreStats

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: MemoryPartitionRestoreStats

Fields #

Name	Description
`Identifier` GUID
`PartitionId` UInt32
`AllocatedBlockCount` UInt64
`AllocatedRunCount` UInt64
`AllocatedPageCount` UInt64
`Status` UInt32	NTSTATUS reference

Event ID 235: Windows boot environment failed to initialize TPM device.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Level: Error
Task: BootTpm
Opcode: TpmInit

Description

Windows boot environment failed to initialize TPM device. StatusCode: StatusCode, Position: Position.

Message #

Windows boot environment failed to initialize TPM device. StatusCode: %1, Position: %2.

Fields #

Name	Description
`StatusCode` UInt32	Windows boot environment failed to initialize TPM device. StatusCode. NTSTATUS reference
`Position` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Boot",
    "guid": "{15CA44FF-4D7A-4BAA-BBA5-0998955E531E}",
    "event_source_name": "",
    "event_id": 235,
    "version": 0,
    "level": 2,
    "task": 99,
    "opcode": 11,
    "keywords": 2305851805306716160,
    "time_created": "2026-05-29T16:32:43.9805806+00:00",
    "event_record_id": 63,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 8
    },
    "channel": "Microsoft-Windows-Kernel-Boot/Operational",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "StatusCode": "3221225474",
    "Position": "1"
  },
  "message": "Windows boot environment failed to initialize TPM device. StatusCode: 0xC0000002, Position: 1."
}

Event ID 236: SMM isolation level decreased.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: MeasuredLaunch
Opcode: SmmLevelCheck

Description

SMM isolation level decreased. Reason: SMM_isolation_level_decreased_Reason.

Message #

SMM isolation level decreased. Reason: %1

Fields #

Name	Description
`TxtStatus` UInt32
`PolicyLevel` UInt32
`Argument1` UInt64
`Argument2` UInt64

Event ID 237: Hardware memory mirroring is not supported.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: MemoryMirroring
Opcode: NotSupported

Description

Hardware memory mirroring is not supported. MirrorStatus: MirrorStatus.

Message #

Hardware memory mirroring is not supported. MirrorStatus: %1

Fields #

Name	Description
`MirrorStatus` UInt32

Event ID 238: EFI time zone bias: EfiTimeZoneBias.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Level: Informational
Task: EfiTimeZoneInformation

Description

EFI time zone bias: EfiTimeZoneBias. Daylight flags: EfiDaylightFlags.

Message #

EFI time zone bias: %1. Daylight flags: %2.

Fields #

Name	Description
`EfiTimeZoneBias` Int16
`EfiDaylightFlags` UInt8
`EfiTime` FILETIME

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Boot",
    "guid": "{15CA44FF-4D7A-4BAA-BBA5-0998955E531E}",
    "event_source_name": "",
    "event_id": 238,
    "version": 1,
    "level": 4,
    "task": 101,
    "opcode": 0,
    "keywords": -9223372036854775808,
    "time_created": "2026-06-13T13:53:35.1705964+00:00",
    "event_record_id": 2621,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 8
    },
    "channel": "System",
    "computer": "telemetry-W11-d.cell-d.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "EfiTimeZoneBias": "2047",
    "EfiDaylightFlags": "0",
    "EfiTime": "2026-06-13T13:53:32.0000000Z"
  },
  "message": "EFI time zone bias: 2047. Daylight flags: 0. Firmware time: ‎2026‎-‎06‎-‎13T13:53:32.000000000Z."
}

Event ID 239: MemoryAllocationBlMmAllocationFailure

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Task: MemoryAllocation
Opcode: BlMmAllocationFailure

Fields #

Name	Description
`Pages` UInt64
`MemoryType` UInt32
`Attributes` UInt32
`Alignment` UInt32
`Status` UInt32	NTSTATUS reference
`RangeMinimum` UInt64
`RangeMaximum` UInt64
`RangeFlags` UInt32

Event ID 240: FinalizeNotificationStart

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: FinalizeNotification
Opcode: Start

Event ID 241: FinalizeNotificationStop

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: FinalizeNotification
Opcode: Stop

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference
`Tag` AnsiString

Event ID 242: SMM isolation detected.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Task: MeasuredLaunch
Opcode: SmmIsolation

Description

SMM isolation detected. Level: SMM_isolation_detected_Level.

Message #

SMM isolation detected. Level: %1

Fields #

Name	Description
`IsolationLevel` UInt32

Event ID 243: Hardware memory mirroring support is enabled.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: MemoryMirroring
Opcode: Enabled

Description

Hardware memory mirroring support is enabled.

Message #

Hardware memory mirroring support is enabled.

Fields #

Name	Description
`MirrorPercentage` UInt32

Event ID 244: MeasuredLaunchTxtSmmIsolationPerf

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Task: MeasuredLaunch
Opcode: TxtSmmIsolationPerf

Fields #

Name	Description
`GetCapabilityTime` UInt64
`GetResourcesTime` UInt64
`ResourcesValidationTime` UInt64

Event ID 245: UnpersistMemoryPartitionStart

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: UnpersistMemoryPartition
Opcode: Start

Fields #

Name	Description
`Identifier` GUID

Event ID 246: UnpersistMemoryPartitionStop

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: UnpersistMemoryPartition
Opcode: Stop

Fields #

Name	Description
`Identifier` GUID
`Status` UInt32	NTSTATUS reference

Event ID 247: Unable to load Pluton-Windows firmware.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Level: Informational
Task: BootTpm
Opcode: PlutonLoadFailure

Description

Unable to load Pluton-Windows firmware. StatusCode: Status, Reason: FailureReason.

Message #

Unable to load Pluton-Windows firmware. StatusCode: %1, Reason: %2

Fields #

Name Description

Status UInt32 NTSTATUS reference

FailureReason UInt32

Known values

%%2304: An Error occured during Logon.
%%2305: The specified user account has expired.
%%2306: The NetLogon component is not active.
%%2307: Account locked out.
%%2308: The user has not been granted the requested logon type at this machine.
%%2309: The specified account's password has expired.
%%2310: Account currently disabled.
%%2311: Account logon time restriction violation.
%%2312: User not allowed to logon at this computer.
%%2313: Unknown user name or bad password.
%%2314: Domain sid inconsistent.
%%2315: Smartcard logon is required and was not used.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Boot",
    "guid": "{15ca44ff-4d7a-4baa-bba5-0998955e531e}",
    "event_source_name": "",
    "event_id": 247,
    "version": 0,
    "level": 4,
    "task": 99,
    "opcode": 12,
    "keywords": 9223372036854775808,
    "time_created": "2026-04-18 00:24:00.564730+00:00",
    "event_record_id": 8,
    "correlation": {
      "ActivityID": "",
      "RelatedActivityID": ""
    },
    "execution": {
      "process_id": 4,
      "thread_id": 8
    },
    "channel": "System",
    "computer": "USERUSE-I0E7KUG",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Status": "0",
    "FailureReason": "4"
  },
  "message": "Unable to load Pluton-Windows firmware. StatusCode: STATUS_SUCCESS, Reason: Failed to apply firmware."
}

Event ID 248: Previous error detected while attempting to execute Measured Launch Environment.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: MeasuredLaunch
Opcode: PreviousAmdSlError

Description

Previous error detected while attempting to execute Measured Launch Environment. Source: AmdSlErrorCode Error code: %2.

Message #

Previous error detected while attempting to execute Measured Launch Environment. Source: %1 Error code: %2.

Fields #

Name	Description
`AmdSlErrorCode` UInt32

Event ID 249: BindImportsFailure

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: BindImportsFailure

Fields #

Name	Description
`Module` AnsiString
`Function` AnsiString
`Status` UInt32	NTSTATUS reference

Event ID 250: SlabAllocationFailure

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: SlabAllocationFailure

Fields #

Name	Description
`PageCount` UInt64
`Status` UInt32	NTSTATUS reference
`MemoryType` UInt32
`Attributes` UInt32

Event ID 251: QuerySystemInformationFailure

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: QuerySystemInformationFailure

Fields #

Name	Description
`InformationClass` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 252: This system has not supplied a valid framebuffer and the graphical boot menu is not used.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: BootmgrBltDisplayMenu

Description

This system has not supplied a valid framebuffer and the graphical boot menu is not used.

Message #

This system has not supplied a valid framebuffer and the graphical boot menu is not used.

Event ID 253: HotPatch %4 failed to apply with Status: %2 at failure point:

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Task: HotPatch
Opcode: HotPatchApplyFailure

Description

HotPatch failed to apply with Status: at failure point: .

Event ID 253: HotPatch HotPatchPath failed to apply with Status: Status at failure point: FailurePoint.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: HotPatch
Opcode: HotPatchApplyFailure

Description

HotPatch HotPatchPath failed to apply with Status: Status at failure point: FailurePoint.

Message #

HotPatch %4 failed to apply with Status: %2 at failure point: %1.

Fields #

Name	Description
`FailurePoint` UInt32
`Status` UInt32	NTSTATUS reference
`HotPatchPathLength` UInt16
`HotPatchPath` UnicodeString

Event ID 254: GetPerformanceOptions

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: GetPerformanceOptions

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Event ID 255: SnapshotPolicy

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: SnapshotPolicy

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Event ID 256: AMD DRTM Firmware Anti-Rollback Disabled.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Opcode: Info

Description

AMD DRTM Firmware Anti-Rollback Disabled.

Message #

AMD DRTM Firmware Anti-Rollback Disabled.

Event ID 257: Failed to build image path for dump stack module ModulePath.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: LoadEarlyDumpSupport
Opcode: BuildImagePathFailure

Description

Failed to build image path for dump stack module ModulePath. Status: Status.

Message #

Failed to build image path for dump stack module %1. Status: %2.

Fields #

Name	Description
`ModulePath` UnicodeString
`Status` UInt32	NTSTATUS reference

Event ID 258: Failed to load dump stack module ModulePath.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: LoadEarlyDumpSupport
Opcode: LoadModuleFailure

Description

Failed to load dump stack module ModulePath. Status: Status.

Message #

Failed to load dump stack module %1. Status: %2.

Fields #

Name	Description
`ModulePath` UnicodeString
`Status` UInt32	NTSTATUS reference

Event ID 259: Early dump stack succesfully loaded by OS loader.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: LoadEarlyDumpSupport

Description

Early dump stack succesfully loaded by OS loader.

Message #

Early dump stack succesfully loaded by OS loader.

Event ID 260: Early boot crash dump generation is not supported.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: LoadEarlyDumpSupport
Opcode: EarlyDumpNotSupported

Description

Early boot crash dump generation is not supported.

Message #

Early boot crash dump generation is not supported.

Event ID 261: Soft restart prepare was vetoed by component Tag with status Status.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: PrepareNotification
Opcode: Veto

Description

Soft restart prepare was vetoed by component Tag with status Status.

Message #

Soft restart prepare was vetoed by component %2 with status %1.

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference
`Tag` AnsiString

Event ID 262: Soft restart finalize was vetoed by component Tag with status Status.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: FinalizeNotification
Opcode: Veto

Description

Soft restart finalize was vetoed by component Tag with status Status.

Message #

Soft restart finalize was vetoed by component %2 with status %1.

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference
`Tag` AnsiString

Event ID 263: Early crash dump support is disabled by registry configuration.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: LoadEarlyDumpSupport
Opcode: EarlyDumpDisabled

Description

Early crash dump support is disabled by registry configuration.

Message #

Early crash dump support is disabled by registry configuration.

Event ID 264: Failed to query early dump enablement information from the registry with status Status.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: LoadEarlyDumpSupport
Opcode: QueryEarlyDumpInitFailure

Description

Failed to query early dump enablement information from the registry with status Status.

Message #

Failed to query early dump enablement information from the registry with status %1.

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Event ID 265: Failed to query dedicated dump file name for the target OS with status Status.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: LoadEarlyDumpSupport
Opcode: QueryDumpFileNameFailure

Description

Failed to query dedicated dump file name for the target OS with status Status. Early crash dump functinality will not be loaded.

Message #

Failed to query dedicated dump file name for the target OS with status %1. Early crash dump functinality will not be loaded.

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Event ID 266: Dedicated dump file names do not match (HostDumpFileName, TargetDumpFileName).

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: LoadEarlyDumpSupport
Opcode: DumpFileNameMismatch

Description

Dedicated dump file names do not match (HostDumpFileName, TargetDumpFileName). Early crash dump functinality will not be loaded.

Message #

Dedicated dump file names do not match (%1, %2). Early crash dump functinality will not be loaded.

Fields #

Name	Description
`HostDumpFileName` UnicodeString
`TargetDumpFileName` UnicodeString

Event ID 267: Failed to query dump module list.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: LoadEarlyDumpSupport
Opcode: GetDriverListFailure

Description

Failed to query dump module list. Status: Status.

Message #

Failed to query dump module list. Status: %1.

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Event ID 268: Boot Application ApplicationIdentifier dropped EventsLostCount events during logging.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: BootEventsLost

Description

Boot Application ApplicationIdentifier dropped EventsLostCount events during logging.

Message #

Boot Application %1 dropped %2 events during logging.

Fields #

Name	Description
`ApplicationIdentifier` GUID
`EventsLostCount` UInt32

Event ID 269: Trace point: Function:Function Point:Point Status:NTStatus.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: BootDiag

Description

Trace point: Function:Function Point:Point Status:NTStatus.

Message #

Trace point: Function:%1 Point:%2 Status:%3

Fields #

Name	Description
`Function` AnsiString
`Point` UInt16
`NTStatus` UInt32	NTSTATUS reference

Event ID 270: Cached boot BCD store was loaded by the boot environment.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: BootBcdLoaded

Description

Cached boot BCD store was loaded by the boot environment.

Message #

Cached boot BCD store was loaded by the boot environment.

Event ID 271: TPRs are supported, TPR setup will be requested while attempting to execute Measured Launch Environment.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: MeasuredLaunch
Opcode: TprSetupRequested

Description

TPRs are supported, TPR setup will be requested while attempting to execute Measured Launch Environment.

Message #

TPRs are supported, TPR setup will be requested while attempting to execute Measured Launch Environment.

Event ID 272: PPAM Manifest Info: PpamStatus.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Task: MeasuredLaunch
Opcode: PpamManifestInfo

Description

PPAM Manifest Info: PpamStatus.

Message #

PPAM Manifest Info: %1

Fields #

Name	Description
`PpamStatus` UInt32

Event ID 273: BCD Option 'BcdOption' was not applied due to Secure Boot being enabled.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: SecureBootMitigations

Description

BCD Option 'BcdOption' was not applied due to Secure Boot being enabled. Option: BcdElement.

Message #

BCD Option '%1' was not applied due to Secure Boot being enabled. Option: %2

Fields #

Name	Description
`BcdOption` UInt32
`BcdElement` HexInt64

Event ID 274: Bootmgr Security Version Number check failed.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Task: BootSI
Opcode: BootmgrSvnCheck

Description

Bootmgr Security Version Number check failed. Svn Value: SvnValue, Previous SVN Value: PrevSvnValue.

Message #

Bootmgr Security Version Number check failed. Svn Value: %1, Previous SVN Value: %2.

Fields #

Name	Description
`SvnValue` UInt32
`PrevSvnValue` UInt32

Event ID 275: ACM InfoTable version used: AcmInfoTableVersion.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: MeasuredLaunch
Opcode: AcmInfoTableInfo

Description

ACM InfoTable version used: AcmInfoTableVersion.

Message #

ACM InfoTable version used: %1.

Fields #

Name	Description
`AcmInfoTableVersion` UInt32

Event ID 276: Windows boot manager revocation policy version Version is applied.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: SecureBootMitigations

Description

Windows boot manager revocation policy version Version is applied.

Message #

Windows boot manager revocation policy version %1 is applied.

Fields #

Name	Description
`Version` HexInt64

Event ID 277: Windows boot manager revocation policy version Version was not found.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: SecureBootMitigations

Description

Windows boot manager revocation policy version Version was not found. It is recommended that it be redeployed.

Message #

Windows boot manager revocation policy version %1 was not found. It is recommended that it be redeployed.

Fields #

Name	Description
`Version` HexInt64

Event ID 291: Succeeded in updating the SBAT value in FW.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Level: Informational
Task: SbatUpdate
Opcode: SbatUpdateSuccess

Description

Succeeded in updating the SBAT value in FW.

Message #

Succeeded in updating the SBAT value in FW.

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference
`FailurePoint` UInt32
`UpdateStatusEnum` UInt32
`FwLevel` AnsiString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Boot",
    "event_id": 291,
    "level": 4,
    "task": 125,
    "opcode": 11,
    "time_created": "2026-04-18T00:30:15.7545513+00:00",
    "computer": "WIN11-25H2-X64",
    "channel": "Microsoft-Windows-Kernel-Boot"
  },
  "event_data": {
    "FailurePoint": "0",
    "Status": "0",
    "FwLevel": "sbat,1,2024010900\nshim,4\ngrub,3\ngrub.debian,4",
    "UpdateStatusEnum": "2"
  }
}

Event ID 292: Failed to update the SBAT value in FW.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Level: Error
Task: SbatUpdate
Opcode: SbatUpdateFailure

Description

Failed to update the SBAT value in FW.

Message #

Failed to update the SBAT value in FW.

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference
`FailurePoint` UInt32
`UpdateStatusEnum` UInt32
`FwLevel` AnsiString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Boot",
    "event_id": 292,
    "level": 2,
    "task": 125,
    "opcode": 12,
    "time_created": "2026-04-17T21:59:00.8110880+00:00",
    "computer": "DESKTOP-FF3N5XK",
    "channel": "Microsoft-Windows-Kernel-Boot"
  },
  "event_data": {
    "FailurePoint": "7",
    "Status": "3221225561",
    "FwLevel": "sbat,1,2024010900\nshim,4\ngrub,3\ngrub.debian,4",
    "UpdateStatusEnum": "3"
  }
}

Event ID 295: Secure Boot revoked boot app FileName with SVN LoadedBootAppSvn.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: BootAppRevocation
Opcode: BootAppRevoked

Description

Secure Boot revoked boot app FileName with SVN LoadedBootAppSvn. Min SVN required: EnforcedBootAppSvn. Status: Status.

Message #

Secure Boot revoked boot app %4 with SVN %1. Min SVN required: %2. Status: %3.

Fields #

Name	Description
`LoadedBootAppSvn` UInt32
`EnforcedBootAppSvn` UInt32
`Status` HexInt32	NTSTATUS reference
`FileName` UnicodeString

Event ID 312: Failed to compose API Set schema extension with status: NTStatus.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: ApiSetSchemaComposition

Description

Failed to compose API Set schema extension with status: NTStatus.

Message #

Failed to compose API Set schema extension with status: %1

Fields #

Name	Description
`NTStatus` UInt32	NTSTATUS reference

Provenance

Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.

ETW provider GUID 15ca44ff-4d7a-4baa-bba5-0998955e531e

Defined in Microsoft-Windows-System-Events.dll, which carries the event manifest.

Observed on:

WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.3932, captured 2026-06-02
Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.5074, captured 2026-06-02

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)