# Microsoft-Windows-Kernel-EventTracing
44 events across 3 channels
## Event ID 0: Session "SessionName" failed to write to log file "FileName" with the following error: ErrorCode.
### Description
Session "SessionName" failed to write to log file "FileName" with the following error: ErrorCode.
### Fields
| Name | Type | Description |
|---|---|---|
| SessionName | UnicodeString | |
| FileName | UnicodeString | |
| ErrorCode | UInt32 | |
| LoggingMode | UInt32 | |
### Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Kernel-EventTracing",
    "guid": "{B675EC37-BDB6-4648-BC92-F3FDC74D3CA2}",
    "event_source_name": "",
    "event_id": 0,
    "version": 0,
    "level": 2,
    "task": 1,
    "opcode": 10,
    "keywords": -9223372036854775792,
    "time_created": "2026-04-17T19:54:29.0311308+00:00",
    "event_record_id": 218,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 11212
    },
    "channel": "Microsoft-Windows-Kernel-EventTracing/Admin",
    "computer": "JD-WIN11-22H2-1.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "SessionName": "SenseNdrEtw",
    "FileName": "C:\\Windows\\system32\\Logfiles\\WMI\\RtBackup\\EtwRTSenseNdrEtw.etl",
    "ErrorCode": "3221225626",
    "LoggingMode": "8388864"
  },
  "message": "Session \"SenseNdrEtw\" failed to write to log file \"C:\\Windows\\system32\\Logfiles\\WMI\\RtBackup\\EtwRTSenseNdrEtw.etl\" with the following error: 0xC000009A"
}
```
## Event ID 1: The backing-file for the real-time session "SessionName" has reached its maximum size.
### Description
The backing-file for the real-time session "SessionName" has reached its maximum size. As a result, new events will not be logged to this session until space becomes available. This error is often caused by starting a trace session in real-time mode without having any real-time consumers.
### Fields
| Name | Type | Description |
|---|---|---|
| SessionName | UnicodeString | |
| ErrorCode | UInt32 | |
| LoggingMode | UInt32 | |
### Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Kernel-EventTracing",
    "guid": "B675EC37-BDB6-4648-BC92-F3FDC74D3CA2",
    "event_source_name": "",
    "event_id": 1,
    "version": 0,
    "level": 3,
    "task": 1,
    "opcode": 10,
    "keywords": 9223372036854775824,
    "time_created": "2023-11-06T00:46:15.355055+00:00",
    "event_record_id": 16,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 5348
    },
    "channel": "Microsoft-Windows-Kernel-EventTracing/Admin",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "SessionName": "EventLog-Microsoft-Windows-Sysmon-Operational",
    "ErrorCode": 3221225864,
    "LoggingMode": 427819392
  },
  "message": ""
}
```
### References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
## Event ID 2: Session "SessionName" failed to start with the following error: ErrorCode.
### Description
Session "SessionName" failed to start with the following error: ErrorCode.
### Fields
| Name | Type | Description |
|---|---|---|
| SessionName | UnicodeString | |
| FileName | UnicodeString | |
| ErrorCode | UInt32 | |
| LoggingMode | UInt32 | |
### Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Kernel-EventTracing",
    "guid": "{B675EC37-BDB6-4648-BC92-F3FDC74D3CA2}",
    "event_source_name": "",
    "event_id": 2,
    "version": 0,
    "level": 2,
    "task": 2,
    "opcode": 12,
    "keywords": -9223372036854775792,
    "time_created": "2026-06-13T14:24:32.2104962+00:00",
    "event_record_id": 225,
    "correlation": {},
    "execution": {
      "process_id": 3336,
      "thread_id": 3004
    },
    "channel": "Microsoft-Windows-Kernel-EventTracing/Admin",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "SessionName": "NetCfgTrace",
    "FileName": "",
    "ErrorCode": "3221225626",
    "LoggingMode": "276824069"
  },
  "message": "Session \"NetCfgTrace\" failed to start with the following error: 0xC000009A"
}
```
## Event ID 3: Session "SessionName" stopped due to the following error: ErrorCode.
### Description
Session "SessionName" stopped due to the following error: ErrorCode.
### Fields
| Name | Type | Description |
|---|---|---|
| SessionName | UnicodeString | |
| FileName | UnicodeString | |
| ErrorCode | UInt32 | |
| LoggingMode | UInt32 | |
| FailureReason | UInt32 | Known values |
### Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Kernel-EventTracing",
    "guid": "B675EC37-BDB6-4648-BC92-F3FDC74D3CA2",
    "event_source_name": "",
    "event_id": 3,
    "version": 1,
    "level": 2,
    "task": 2,
    "opcode": 14,
    "keywords": 9223372036854775824,
    "time_created": "2026-02-10T00:59:54.686730+00:00",
    "event_record_id": 4,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 280
    },
    "channel": "Microsoft-Windows-Kernel-EventTracing/Admin",
    "computer": "WIN11-22H2-X64",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "SessionName": "ReadyBoot",
    "FileName": "C:\\Windows\\Prefetch\\ReadyBoot\\ReadyBoot.etl",
    "ErrorCode": 3221225864,
    "LoggingMode": 276824064,
    "FailureReason": 0
  },
  "message": ""
}
```
## Event ID 4: The maximum file size for session "SessionName" has been reached.
### Description
The maximum file size for session "SessionName" has been reached. As a result, events might be lost (not logged) to file "FileName". The maximum files size is currently set to MaxFileSize bytes.
### Fields
| Name | Type | Description |
|---|---|---|
| SessionName | UnicodeString | |
| FileName | UnicodeString | |
| ErrorCode | UInt32 | |
| LoggingMode | UInt32 | |
| MaxFileSize | UInt64 | |
### Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Kernel-EventTracing",
    "guid": "B675EC37-BDB6-4648-BC92-F3FDC74D3CA2",
    "event_source_name": "",
    "event_id": 4,
    "version": 0,
    "level": 3,
    "task": 1,
    "opcode": 10,
    "keywords": 9223372036854775824,
    "time_created": "2026-02-10T00:59:54.686726+00:00",
    "event_record_id": 3,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 280
    },
    "channel": "Microsoft-Windows-Kernel-EventTracing/Admin",
    "computer": "WIN11-22H2-X64",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "SessionName": "ReadyBoot",
    "FileName": "C:\\Windows\\Prefetch\\ReadyBoot\\ReadyBoot.etl",
    "ErrorCode": 3221225864,
    "LoggingMode": 276824064,
    "MaxFileSize": 20971520
  },
  "message": ""
}
```
## Event ID 5: An error was encountered while tracing session "FileName" was switching to the "SessionName" event log file.
## Event ID 8: Provider ProviderName was registered with Event Tracing for Windows.
### Description
Provider ProviderName was registered with Event Tracing for Windows.
### Fields
| Name | Type | Description |
|---|---|---|
| ProviderName | GUID | |
### Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Kernel-EventTracing",
    "guid": "{B675EC37-BDB6-4648-BC92-F3FDC74D3CA2}",
    "event_source_name": "",
    "event_id": 8,
    "version": 0,
    "level": 5,
    "task": 3,
    "opcode": 16,
    "keywords": "0x4000000000000220",
    "time_created": "2026-06-02T05:26:17.676+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 22588,
      "thread_id": 5920
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ProviderName": "{DB00DFB6-29F9-4A9C-9B3B-1F4F9E7D9770}"
  },
  "message": "ETW_TASK_PROVIDER"
}
```
## Event ID 9: Provider ProviderName was unregistered from Event Tracing for Windows.
### Description
Provider ProviderName was unregistered from Event Tracing for Windows.
### Fields
| Name | Type | Description |
|---|---|---|
| ProviderName | GUID | |
### Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Kernel-EventTracing",
    "guid": "{B675EC37-BDB6-4648-BC92-F3FDC74D3CA2}",
    "event_source_name": "",
    "event_id": 9,
    "version": 0,
    "level": 5,
    "task": 3,
    "opcode": 17,
    "keywords": "0x4000000000000220",
    "time_created": "2026-06-02T05:26:17.665+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 22880,
      "thread_id": 17520
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ProviderName": "{C1160D05-83A4-4285-B67A-CC3BA2E3E05F}"
  },
  "message": "ETW_TASK_PROVIDER"
}
```
## Event ID 10: Session "SessionName" was started.
## Event ID 11: Session "SessionName" was stopped.
### Description
Session "SessionName" was stopped.
### Fields
| Name | Type | Description |
|---|---|---|
| SessionGuid | GUID | |
| LoggerMode | UInt32 | |
| SessionName | UnicodeString | |
| LogFileName | UnicodeString | |
| MinimumBuffers | UInt32 | |
| MaximumBuffers | UInt32 | |
| BufferSize | UInt32 | |
| PeakBuffersCount | UInt32 | |
| CurrentBuffersCount | UInt32 | |
| FlushThreshold | UInt32 | |
| EventsLost | UInt32 | |
| BuffersLost | UInt32 | |
| RealTimeBuffersLost | UInt32 | |
| LoggerId | UInt32 | |
## Event ID 12: The configuration of session "SessionName" has been modified.
## Event ID 13: The events from session "SessionName" have been flushed.
### Description
The events from session "SessionName" have been flushed.
### Fields
| Name | Type | Description |
|---|---|---|
| SessionGuid | GUID | |
| LoggerMode | UInt32 | |
| SessionName | UnicodeString | |
| LogFileName | UnicodeString | |
### Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Kernel-EventTracing",
    "guid": "{B675EC37-BDB6-4648-BC92-F3FDC74D3CA2}",
    "event_source_name": "",
    "event_id": 13,
    "version": 0,
    "level": 5,
    "task": 2,
    "opcode": 15,
    "keywords": "0x4000000000000010",
    "time_created": "2026-06-02T05:26:17.847+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 4656,
      "thread_id": 23320
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "LogFileName": "C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\MpWppCoreTracing-20260530-164425-00000003-100000000.bin",
    "LoggerMode": 8388610,
    "SessionGuid": "{C5883C74-5C46-11F1-9665-E6B5BF8AE55F}",
    "SessionName": "MpWppCoreTracing-20260530-164425-00000003-100000000"
  },
  "message": "ETW_TASK_SESSION"
}
```
## Event ID 14: Provider ProviderName has been enabled to session "SessionName".
### Description
Provider ProviderName has been enabled to session "SessionName".
### Fields
| Name | Type | Description |
|---|---|---|
| ProviderName | GUID | |
| SessionName | UnicodeString | |
| MatchAnyKeyword | UInt64 | |
| MatchAllKeyword | UInt64 | |
| EnableProperty | UInt32 | |
| Level | UInt8 | |
### Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Kernel-EventTracing",
    "guid": "{B675EC37-BDB6-4648-BC92-F3FDC74D3CA2}",
    "event_source_name": "",
    "event_id": 14,
    "version": 1,
    "level": 5,
    "task": 3,
    "opcode": 18,
    "keywords": "0x4000000000000420",
    "time_created": "2026-06-02T05:26:17.480+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 19624,
      "thread_id": 23376
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "EnableProperty": 65,
    "Level": 255,
    "MatchAllKeyword": 0,
    "MatchAnyKeyword": 18446744073709551615,
    "ProviderName": "{B675EC37-BDB6-4648-BC92-F3FDC74D3CA2}",
    "SessionName": "etw-cap-driven-b19010"
  },
  "message": "ETW_TASK_PROVIDER"
}
```
## Event ID 15: Provider ProviderName is no longer enabled to session "SessionName".
### Description
Provider ProviderName is no longer enabled to session "SessionName".
### Fields
| Name | Type | Description |
|---|---|---|
| ProviderName | GUID | |
| SessionName | UnicodeString | |
### Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Kernel-EventTracing",
    "guid": "{B675EC37-BDB6-4648-BC92-F3FDC74D3CA2}",
    "event_source_name": "",
    "event_id": 15,
    "version": 0,
    "level": 5,
    "task": 3,
    "opcode": 19,
    "keywords": "0x4000000000000420",
    "time_created": "2026-06-02T05:26:27.724+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 11436,
      "thread_id": 15308
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ProviderName": "{17D2A329-4539-5F4D-3435-F510634CE3B9}",
    "SessionName": "etw-cap-driven-b19010"
  },
  "message": "ETW_TASK_PROVIDER"
}
```
## Event ID 17: The security descriptor for session "SessionName" has been updated.
## Event ID 18: Stack correlation event.
### Description
Stack correlation event. This event contains a call stack which is associated with a prior event which is correlated by the MatchId.
## Event ID 19: Lost Event
### Fields
| Name | Type | Description |
|---|---|---|
| ProviderId | GUID | |
| StatusCode | UInt32 | NTSTATUS reference |
| EventId | UInt16 | |
| SessionName | UnicodeString | |
### Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Kernel-EventTracing",
    "guid": "{B675EC37-BDB6-4648-BC92-F3FDC74D3CA2}",
    "event_source_name": "",
    "event_id": 19,
    "version": 0,
    "level": 2,
    "task": 7,
    "opcode": 0,
    "keywords": "0x0000000000000040",
    "time_created": "2026-06-02T05:26:17.481+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 22588,
      "thread_id": 5920
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "EventId": 8,
    "ProviderId": "{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}",
    "SessionName": "etw-smoke",
    "StatusCode": 3221225495
  },
  "message": "ETW_TASK_LOST_EVENT"
}
```
## Event ID 20: Session
### Fields
| Name | Type | Description |
|---|---|---|
| SessionGuid | GUID | |
| LoggerMode | UInt32 | |
| SessionName | UnicodeString | |
| LogFileName | UnicodeString | |
| MinimumBuffers | UInt32 | |
| MaximumBuffers | UInt32 | |
| BufferSize | UInt32 | |
| PeakBuffersCount | UInt32 | |
| CurrentBuffersCount | UInt32 | |
| FlushThreshold | UInt32 | |
| EventsLost | UInt32 | |
| BuffersLost | UInt32 | |
| RealTimeBuffersLost | UInt32 | |
| LoggerId | UInt32 | |
## Event ID 21: SavePersistedLoggerStart_8_1
## Event ID 22: SavePersistedLoggerStop_8_2_V1
### Fields
| Name | Type | Description |
|---|---|---|
| FileName | UnicodeString | |
| BufferSize | UInt32 | |
| BuffersPersisted | UInt32 | |
| BuffersWritten | UInt32 | |
| Status | UInt32 | NTSTATUS reference |
| BuffersLost | UInt32 | |
## Event ID 23: Error saving soft restart persisted log "FileName" Error: Status.
### Description
Error saving soft restart persisted log "FileName" Error: Status.
### Fields
| Name | Type | Description |
|---|---|---|
| FileName | UnicodeString | |
| BufferSize | UInt32 | |
| BuffersPersisted | UInt32 | |
| BuffersWritten | UInt32 | |
| Status | UInt32 | NTSTATUS reference |
| BuffersLost | UInt32 | |
## Event ID 25: Provider Group Entry
### Fields
| Name | Type | Description |
|---|---|---|
| GUID | GUID | |
| FilterFlags | UInt32 | |
| LastEnableLoggerId | UInt16 | |
## Event ID 26: Enable Info
### Fields
| Name | Type | Description |
|---|---|---|
| GUID | GUID | |
| Index | UInt8 | |
| LoggerId | UInt16 | |
| MatchAnyKeyword | UInt64 | |
| MatchAllKeyword | UInt64 | |
| Level | UInt8 | |
| EnableProperty | UInt32 | |
## Event ID 27: Provider
### Fields
| Name | Type | Description |
|---|---|---|
| ProviderGUID | GUID | |
| GroupGUID | GUID | |
| Flags | UInt16 | |
| EnableMask | UInt8 | |
| GroupEnableMask | UInt8 | |
| ProcessId | UInt32 | |
## Event ID 28: Error setting traits on Provider ProviderGuid.
### Description
Error setting traits on Provider ProviderGuid. Error: ErrorCode.
### Fields
| Name | Type | Description |
|---|---|---|
| ProviderGuid | GUID | |
| ErrorCode | UInt32 | |
### Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Kernel-EventTracing",
    "guid": "B675EC37-BDB6-4648-BC92-F3FDC74D3CA2",
    "event_source_name": "",
    "event_id": 28,
    "version": 0,
    "level": 2,
    "task": 3,
    "opcode": 25,
    "keywords": 9223372036854778400,
    "time_created": "2026-03-11T06:27:22.550118+00:00",
    "event_record_id": 54,
    "correlation": {},
    "execution": {
      "process_id": 740,
      "thread_id": 808
    },
    "channel": "Microsoft-Windows-Kernel-EventTracing/Admin",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "ProviderGuid": "77811378-E885-4AC2-A580-BC86E4F1BC93",
    "ErrorCode": 3221225477
  },
  "message": ""
}
```
## Event ID 29: A registration for Provider ProviderGuid has joined Provider Group ProviderGroupGuid.
### Description
A registration for Provider ProviderGuid has joined Provider Group ProviderGroupGuid.
### Fields
| Name | Type | Description |
|---|---|---|
| ProviderGuid | GUID | |
| ProviderGroupGuid | GUID | |
### Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Kernel-EventTracing",
    "guid": "{B675EC37-BDB6-4648-BC92-F3FDC74D3CA2}",
    "event_source_name": "",
    "event_id": 29,
    "version": 0,
    "level": 5,
    "task": 3,
    "opcode": 26,
    "keywords": "0x4000000000000A20",
    "time_created": "2026-06-02T05:26:17.679+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 22588,
      "thread_id": 5920
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ProviderGroupGuid": "{4F50731A-89CF-4782-B3E0-DCE8C90476BA}",
    "ProviderGuid": "{44E18DB2-6CFD-4A07-8FE7-6073794C531A}"
  },
  "message": "ETW_TASK_PROVIDER"
}
```
## Event ID 30: Provider ProviderGuid from process ProcessId does not have permission to write events to session "SessionName".
### Description
Provider ProviderGuid from process ProcessId does not have permission to write events to session "SessionName". Error: Status.
### Fields
| Name | Type | Description |
|---|---|---|
| ProviderGuid | GUID | |
| SessionName | UnicodeString | |
| ProcessId | UInt32 | |
| Status | UInt32 | NTSTATUS reference |
## Event ID 31: ETW_TASK_LOST_TLG_EVENT
### Fields
| Name | Type | Description |
|---|---|---|
| ProviderId | GUID | |
| StatusCode | UInt32 | NTSTATUS reference |
| EventName | AnsiString | |
| SessionName | UnicodeString | |
### Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Kernel-EventTracing",
    "guid": "{B675EC37-BDB6-4648-BC92-F3FDC74D3CA2}",
    "event_source_name": "",
    "event_id": 31,
    "version": 0,
    "level": 2,
    "task": 10,
    "opcode": 0,
    "keywords": "0x0000000000000040",
    "time_created": "2026-06-02T05:54:45.135+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 9204,
      "thread_id": 14120
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "EventName": "DCsInUseOnProcessExit",
    "ProviderId": "{7E6B69B9-2AEC-4FB3-9426-69A0F2B61A86}",
    "SessionName": "WinDiag-Realtime-Session",
    "StatusCode": 3221225495
  },
  "message": "ETW_TASK_LOST_TLG_EVENT"
}
```
## Event ID 32: Failed to read debug info for WPP provider ProviderGuid from process ProcessId for session "SessionName".
### Description
Failed to look up debug info for provider ProviderGuid from process ProcessId for session "SessionName". Error: Status. Either the debug data could not be found, or the debug data is inaccessible because the image registering the provider is malformed.
### Fields
| Name | Type | Description |
|---|---|---|
| ProviderGuid | GUID | |
| SessionName | UnicodeString | |
| ProcessId | UInt32 | |
| Status | UInt32 | NTSTATUS reference |
## Event ID 33: Lost WPP Event
### Fields
| Name | Type | Description |
|---|---|---|
| MessageGuid | GUID | |
| MessageNumber | UInt16 | |
| StatusCode | UInt32 | NTSTATUS reference |
| SessionName | UnicodeString | |
## Event ID 34: Lost System Event
### Fields
| Name | Type | Description |
|---|---|---|
| HookId | UInt16 | |
| StatusCode | UInt32 | NTSTATUS reference |
| SessionName | UnicodeString | |
## Event ID 40: The enable state for Provider ProviderName is about to change on session "SessionName".
## Event ID 41: Provider ProviderName is about to be disabled from session "SessionName".
### Description
Provider ProviderName is about to be disabled from session "SessionName".
### Fields
| Name | Type | Description |
|---|---|---|
| ProviderName | GUID | |
| SessionName | UnicodeString | |
### Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Kernel-EventTracing",
    "guid": "{B675EC37-BDB6-4648-BC92-F3FDC74D3CA2}",
    "event_source_name": "",
    "event_id": 41,
    "version": 0,
    "level": 5,
    "task": 3,
    "opcode": 19,
    "keywords": "0x4000000000000420",
    "time_created": "2026-06-02T05:26:27.724+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 11436,
      "thread_id": 15308
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ProviderName": "{B675EC37-BDB6-4648-BC92-F3FDC74D3CA2}",
    "SessionName": "etw-cap-driven-b19010"
  },
  "message": "ETW_TASK_PROVIDER"
}
```
## Event ID 42: Capture state requested for provider GUID on session "LoggerId".
## Event ID 43: Session "SessionName" could not be started because LOGGER_FLAG_LARGE_MDL_PAGES is not supported.
## Event ID 44: Session "SessionName" could not be started because because the maximum MaximumAllowed logging sessions are already active on the system.
## Event ID 45: Session "SessionName" could not be started because because the maximum MaximumAllowed EVENT_TRACE_SYSTEM_LOGGER_MODE logging sessions are already active on the system.
## Event ID 46: Session "SessionName" could not be started because the process failed its access check to the SessionGuid.
### Description
Session "SessionName" could not be started because the process failed its access check to the SessionGuid.
### Fields
| Name | Type | Description |
|---|---|---|
| SessionName | UnicodeString | |
| SessionGuid | GUID | |
| DesiredAccess | UInt32 | Process access rights reference |
## Event ID 47: Session "SessionName" could not be started because the Memory Partition Handle MemoryPartitionHandle is invalid.
## Event ID 48: Session "SessionName" failed to create file FileName with error ErrorCode.
## Event ID 49: Session "SessionName" could not be started because the process lacks the profiling privilege.
## Event ID 50: Group Mask could not be updated for Session "SessionName", because the requested Group Mask is not supported.
## Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID {B675EC37-BDB6-4648-BC92-F3FDC74D3CA2}
Defined in Microsoft-Windows-System-Events.dll, which carries the event manifest.
Observed on:
- WS2022-20348.4893, sample captured from a live trace, binary version 10.0.20348.3932, captured 2026-06-02
- Win11-26200.6584, sample captured from a live trace, binary version 10.0.26100.5074, captured 2026-06-02
- WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.3932, captured 2026-06-02
- Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.5074, captured 2026-06-02