Microsoft-Windows-Kernel-LiveDump

60 events across 2 channels

Event	Title	Channel	Sample
1	Live Dump Capture Dump Data API started.	Analytic	N
2	Live Dump Capture Dump Data API ended.	Operational	N
3	Writing dump file started.	Operational	N
4	Writing dump file ended.	Operational	N
5	Live Dump request aborted due to memory pressure on system	Analytic	N
6	LiveDump Event Generic	Operational	N
101	Sizing Workflow: Mirroring started.	Operational	N
102	Sizing Workflow: Mirroring Phase 0 ended.	Analytic	N
103	Sizing Workflow: Mirroring Phase 1 ended.	Analytic	N
104	Sizing Workflow: System Quiesce started.	Operational	N
105	Sizing Workflow: System Quiesce ended.	Operational	N
106	Sizing Workflow: Estimation.	Operational	N
107	Sizing Workflow: Allocation.	Operational	N
108	Sizing Workflow: RemovePages Callbacks started.	Analytic	N
109	Sizing Workflow: RemovePages Callbacks ended.	Analytic	N
110	Sizing Workflow: RemovePages Callback CallbackIdentifier started.	Analytic	N
111	Sizing Workflow: RemovePages Callback CallbackIdentifier ended.	Analytic	N
112	Sizing Workflow: RemovePages Callback CallbackIdentifier failed.	Analytic	N
113	Sizing workflow: Sizing_workflow pages estimated to be allocated and …	Operational	N
114	Sizing Workflow: Query Hvl for dump size failed.	Operational	N
115	Sizing Workflow: Open VM memory partition failed.	Operational	N
116	Sizing Workflow: Buffer allocation from the VM memory partition failed.	Operational	N
117	Sizing Workflow: Capture processor context when the system is quiesced.	Analytic	N
118	Sizing Workflow: Mark required dump data when system is quiesced.	Analytic	N
119	Sizing Workflow: Mark important dump data when system is quiesced.	Analytic	N
120	Sizing Workflow: Populate bitmap for dump when system is quiesced.	Analytic	N
121	Sizing Workflow: Corral processors to quiesce the system.	Analytic	N
122	Sizing Workflow: Uncorral processors to quiesce the system.	Analytic	N
123	Sizing Workflow: MmDuplicateMemory failed.	Operational	N
124	IO space utilization disabled when HV/SK pages requested, NoSecrets mode …	Operational	N
125	Callout for Callout (included Included).	Operational	N
126	Sizing Workflow: Call to Hvl for preparing livedump descriptor failed.	Operational	N
151	Capture Pages Workflow: Mirroring started.	Analytic	N
152	Capture Pages Workflow: Mirroring Phase 0 ended.	Analytic	N
153	Capture Pages Workflow: Mirroring Phase 1 ended.	Analytic	N
154	Capture Pages Workflow: System Quiesce started.	Operational	N
155	Capture Pages Workflow: System Quiesce ended.	Operational	N
156	Capture Pages Workflow: Copy memory pages started.	Operational	N
157	Capture Pages Workflow: Copy memory pages ended.	Operational	N
158	Capture Pages Workflow: Capture processor context when the system is quiesced.	Analytic	N
159	Capture Pages Workflow: Mark required dump data when system is quiesced.	Analytic	N
160	Capture Pages Workflow: Mark important dump data when system is quiesced.	Analytic	N
161	Capture Pages Workflow: Populate bitmap for dump when system is quiesced.	Analytic	N
162	Capture Pages Workflow: Collect Hvl dump when system is quiesced.	Analytic	N
163	Capture Pages Workflow: Generate Ipt secondary data when system is quiesced.	Analytic	N
164	Capture Pages Workflow: Initiate state change to copy contents of marked pages …	Analytic	N
165	Capture Pages Workflow: Corral processors to quiesce the system.	Analytic	N
166	Capture Pages Workflow: Uncorral processors to quiesce the system.	Analytic	N
167	Capture Pages Workflow: Capture memory pages.	Operational	N
168	Capture Pages Workflow: MmDuplicateMemory failed.	Operational	N
169	Callout for Callout (included Included).	Operational	N
201	Live Dump Write Deferred Dump Data API started.	Analytic	N
202	Live Dump Write Deferred Dump Data API ended.	Operational	N
203	Write deferred dump data to file started.	Operational	N
204	Write deferred dump data to file ended.	Operational	N
251	Live Dump Discard Deferred Dump Data API started.	Analytic	N
252	Live Dump Discard Deferred Dump Data API ended.	Operational	N
271	AllowLiveDump policy: AllowLiveDump_policy.	Operational	N
272	AllowLiveDump policy value changed (AllowLiveDump = PolicyValue).	Operational	N
273	LiveDump disabled on boot by policy (AllowLiveDump = PolicyValue).	Operational	N

Event ID 1: Live Dump Capture Dump Data API started.

Provider: Microsoft-Windows-Kernel-LiveDump
Channel: Analytic
Task: LiveDumpCaptureDumpDataAPI
Opcode: APIStart

Description

Live Dump Capture Dump Data API started. Flags: ControlFlags. AddPagesControl: AddPagesControl.

Message #

Live Dump Capture Dump Data API started.  Flags: %1.  AddPagesControl: %2

Fields #

Name	Description
`ControlFlags` UInt64
`AddPagesControl` UInt64

Event ID 2: Live Dump Capture Dump Data API ended.

Provider: Microsoft-Windows-Kernel-LiveDump
Channel: Operational
Task: Live Dump Capture Dump Data API
Opcode: API End

Description

Live Dump Capture Dump Data API ended. NT Status: NTStatus. BugcheckCode: BugcheckCode. BugcheckParameter1: BugCheckParameter1. BugcheckParameter2: BugCheckParameter2. BugcheckParameter3: BugCheckParameter3. BugcheckParameter4: BugCheckParameter4. AbortIfMemoryPressure: AbortIfMemoryPressure. DumpCaptureDuration: DumpCaptureDuration_msms. SelectiveDump: SelectiveDump. DynamicLowMemoryThreshold: DynamicLowMemoryThresholdBytes bytes. AvailablePhysicalMemory: AvailablePhysicalMemoryInBytes bytes. TotalPhysicalMemory: TotalPhysicalMemoryInBytes bytes. IOSpaceEnabled: IOSpaceEnabled.

Message #

Live Dump Capture Dump Data API ended. NT Status: %1.  BugcheckCode: %2. BugcheckParameter1: %3. BugcheckParameter2: %4. BugcheckParameter3: %5. BugcheckParameter4: %6. AbortIfMemoryPressure: %7. DumpCaptureDuration: %8ms. SelectiveDump: %9. DynamicLowMemoryThreshold: %10 bytes.  AvailablePhysicalMemory: %11 bytes.  TotalPhysicalMemory: %12 bytes.  IOSpaceEnabled: %13.

Fields #

Name	Description
`NTStatus` UInt32	NTSTATUS reference
`BugcheckCode` UInt32
`BugCheckParameter1` Pointer
`BugCheckParameter2` Pointer
`BugCheckParameter3` Pointer
`BugCheckParameter4` Pointer
`AbortIfMemoryPressure` UInt32
`DumpCaptureDuration_ms` UInt64
`SelectiveDump` UInt32
`DynamicLowMemoryThresholdBytes` UInt64
`AvailablePhysicalMemoryInBytes` UInt64
`TotalPhysicalMemoryInBytes` UInt64
`IOSpaceEnabled` Boolean

Event ID 3: Writing dump file started.

Provider: Microsoft-Windows-Kernel-LiveDump
Channel: Operational
Task: LiveDumpCaptureDumpDataAPI
Opcode: DumpFileWriteStart

Description

Writing dump file started.

Message #

Writing dump file started.

Event ID 4: Writing dump file ended.

Provider: Microsoft-Windows-Kernel-LiveDump
Channel: Operational
Task: LiveDumpCaptureDumpDataAPI
Opcode: DumpFileWriteEnd

Description

Writing dump file ended. NT Status: Writing_dump_file_ended_NT_Status. Total NTStatus bytes (Header|Primary|Secondary: TotalBytes|HeaderBytes|PrimaryDataBytes bytes). DumpWriteDuration: SecondaryDataBytesms.

Message #

Writing dump file ended. NT Status: %1. Total %2 bytes (Header|Primary|Secondary: %3|%4|%5 bytes). DumpWriteDuration: %6ms.

Fields #

Name	Description
`NTStatus` UInt32	NTSTATUS reference
`TotalBytes` UInt64
`HeaderBytes` UInt64
`PrimaryDataBytes` UInt64
`SecondaryDataBytes` UInt64
`DumpWriteDuration_ms` UInt64

Event ID 5: Live Dump request aborted due to memory pressure on system

Provider: Microsoft-Windows-Kernel-LiveDump
Channel: Analytic
Task: LiveDumpCaptureDumpDataAPI
Opcode: BufferAllocationData

Description

Live Dump request aborted due to memory pressure on system.

Message #

Live Dump request aborted due to memory pressure on system

Event ID 6: LiveDump Event Generic

Provider: Microsoft-Windows-Kernel-LiveDump
Channel: Operational
Task: SizingWorkflow

Description

LiveDump Event Generic.

Message #

LiveDump Event Generic

Fields #

Name	Description
`LiveDumpEventDescription` UnicodeString
`Parameter1Name` UnicodeString
`Parameter1Value` UInt64
`Parameter2Name` UnicodeString
`Parameter2Value` UInt64
`Parameter3Name` UnicodeString
`Parameter3Value` UInt64
`Parameter4Name` UnicodeString
`Parameter4Value` UInt64
`Parameter5Name` UnicodeString
`Parameter5Value` UInt64
`Parameter6Name` UnicodeString
`Parameter6Value` UInt64
`Parameter7Name` UnicodeString
`Parameter7Value` UInt64
`Parameter8Name` UnicodeString
`Parameter8Value` UInt64

Event ID 101: Sizing Workflow: Mirroring started.

Provider: Microsoft-Windows-Kernel-LiveDump
Channel: Operational
Task: SizingWorkflow
Opcode: MirroringStart

Description

Sizing Workflow: Mirroring started.

Message #

Sizing Workflow: Mirroring started.

Event ID 102: Sizing Workflow: Mirroring Phase 0 ended.

Provider: Microsoft-Windows-Kernel-LiveDump
Channel: Analytic
Task: SizingWorkflow
Opcode: MirroringPhase0End

Description

Sizing Workflow: Mirroring Phase 0 ended.

Message #

Sizing Workflow: Mirroring Phase 0 ended.

Event ID 103: Sizing Workflow: Mirroring Phase 1 ended.

Provider: Microsoft-Windows-Kernel-LiveDump
Channel: Analytic
Task: SizingWorkflow
Opcode: MirroringPhase1End

Description

Sizing Workflow: Mirroring Phase 1 ended.

Message #

Sizing Workflow: Mirroring Phase 1 ended.

Event ID 104: Sizing Workflow: System Quiesce started.

Provider: Microsoft-Windows-Kernel-LiveDump
Channel: Operational
Task: SizingWorkflow
Opcode: SystemQuiesceStart

Description

Sizing Workflow: System Quiesce started.

Message #

Sizing Workflow: System Quiesce started.

Event ID 105: Sizing Workflow: System Quiesce ended.

Provider: Microsoft-Windows-Kernel-LiveDump
Channel: Operational
Task: SizingWorkflow
Opcode: SystemQuiesceEnd

Description

Sizing Workflow: System Quiesce ended.

Message #

Sizing Workflow: System Quiesce ended.

Event ID 106: Sizing Workflow: Estimation.

Provider: Microsoft-Windows-Kernel-LiveDump
Channel: Operational
Task: SizingWorkflow
Opcode: BufferEstimationData

Description

Sizing Workflow: Estimation. NT: NtEstimatedRequiredPrimaryDataBytes bytes (Minimum Sizing_Workflow_Estimation_NT bytes). Hypervisor: Primary NtEstimatedPrimaryDataBytes bytes. Secondary HvEstimatedPrimaryDataBytes bytes.

Message #

Sizing Workflow: Estimation. NT: %2 bytes (Minimum %1 bytes). Hypervisor: Primary %3 bytes. Secondary %4 bytes.

Fields #

Name	Description
`NtEstimatedRequiredPrimaryDataBytes` UInt64
`NtEstimatedPrimaryDataBytes` UInt64
`HvEstimatedPrimaryDataBytes` UInt64
`HvEstimatedSecondaryDataBytes` UInt64
`SkEstimatedPrimaryDataBytes` UInt64
`MemoryEstimationDuration_ms` UInt64
`SystemQuiescedDuration_ms` UInt64
`EndMirroringPhasesDuration_ms` UInt64
`MirrorPhysicalMemoryDuration_ms` UInt64
`MirrorPhysicalMemorySizeInBytes` UInt64
`HvlCalculateLiveDumpSizeDuration_ms` UInt64

Event ID 107: Sizing Workflow: Allocation.

Provider: Microsoft-Windows-Kernel-LiveDump
Channel: Operational
Task: SizingWorkflow
Opcode: BufferAllocationData

Description

Sizing Workflow: Allocation. NT: Sizing_Workflow_Allocation_NT bytes. Hypervisor: Primary NtPrimaryDataBytes bytes. Secondary HvPrimaryDataBytes bytes.

Message #

Sizing Workflow: Allocation. NT: %1 bytes. Hypervisor: Primary %2 bytes. Secondary %3 bytes.

Fields #

Name	Description
`NtPrimaryDataBytes` UInt64
`HvPrimaryDataBytes` UInt64
`HvSecondaryDataBytes` UInt64
`SkPrimaryDataBytes` UInt64
`AllocateDumpBuffersDuration_ms` UInt64
`AllocateExtraBuffersDuration_ms` UInt64
`HvlPrepareLivedumpDescriptorDuration_ms` UInt64

Event ID 108: Sizing Workflow: RemovePages Callbacks started.

Provider: Microsoft-Windows-Kernel-LiveDump
Channel: Analytic
Task: SizingWorkflow
Opcode: RemovePagesCallbacks

Description

Sizing Workflow: RemovePages Callbacks started.

Message #

Sizing Workflow: RemovePages Callbacks started.

Event ID 109: Sizing Workflow: RemovePages Callbacks ended.

Provider: Microsoft-Windows-Kernel-LiveDump
Channel: Analytic
Task: SizingWorkflow
Opcode: RemovePagesCallbacks

Description

Sizing Workflow: RemovePages Callbacks ended.

Message #

Sizing Workflow: RemovePages Callbacks ended.

Event ID 110: Sizing Workflow: RemovePages Callback CallbackIdentifier started.

Provider: Microsoft-Windows-Kernel-LiveDump
Channel: Analytic
Task: SizingWorkflow
Opcode: RemovePagesCallbacks

Description

Sizing Workflow: RemovePages Callback CallbackIdentifier started.

Message #

Sizing Workflow: RemovePages Callback %1 started.

Fields #

Name	Description
`CallbackIdentifier` AnsiString

Event ID 111: Sizing Workflow: RemovePages Callback CallbackIdentifier ended.

Provider: Microsoft-Windows-Kernel-LiveDump
Channel: Analytic
Task: SizingWorkflow
Opcode: RemovePagesCallbacks

Description

Sizing Workflow: RemovePages Callback CallbackIdentifier ended.

Message #

Sizing Workflow: RemovePages Callback %1 ended.

Fields #

Name	Description
`CallbackIdentifier` AnsiString

Event ID 112: Sizing Workflow: RemovePages Callback CallbackIdentifier failed.

Provider: Microsoft-Windows-Kernel-LiveDump
Channel: Analytic
Task: SizingWorkflow
Opcode: RemovePagesCallbacks

Description

Sizing Workflow: RemovePages Callback CallbackIdentifier failed. NT Status: NTStatus.

Message #

Sizing Workflow: RemovePages Callback %1 failed. NT Status: %2.

Fields #

Name	Description
`CallbackIdentifier` AnsiString
`NTStatus` UInt32	NTSTATUS reference

Event ID 113: Sizing workflow: Sizing_workflow pages estimated to be allocated and Dump_file_size_limit pages allocated.

Provider: Microsoft-Windows-Kernel-LiveDump
Channel: Operational
Task: SizingWorkflow
Opcode: BufferEstimationData

Description

Sizing workflow: EstimatedPageCount pages estimated to be allocated and AllocatedPageCount pages allocated (VM memory partition's IOSpace|VM memory partition|System partition's IOSpace|System partition: VMMemoryPartitionIOSpaceAllocatedPages|VMMemoryPartitionAllocatedPages|SystemPartitionIOSpaceAllocatedPages|SystemPartitionAllocatedPages pages). Limit dump file size: LimitDumpFileSize. Dump file size limit: DumpFileSizeLimitInBytes bytes. Dump file size limit reached: DumpFileSizeLimitReached. Aborted while buffer allocation: AbortWhileBufferAllocation.

Message #

Sizing workflow: %1 pages estimated to be allocated and %2 pages allocated (VM memory partition's IOSpace|VM memory partition|System partition's IOSpace|System partition: %3|%4|%5|%6 pages). Limit dump file size: %7. Dump file size limit: %8 bytes. Dump file size limit reached: %9. Aborted while buffer allocation: %10.

Fields #

Name	Description
`EstimatedPageCount` UInt64
`AllocatedPageCount` UInt64
`VMMemoryPartitionIOSpaceAllocatedPages` UInt64
`VMMemoryPartitionAllocatedPages` UInt64
`SystemPartitionIOSpaceAllocatedPages` UInt64
`SystemPartitionAllocatedPages` UInt64
`LimitDumpFileSize` UInt32
`DumpFileSizeLimitInBytes` UInt64
`DumpFileSizeLimitReached` UInt32
`AbortWhileBufferAllocation` UInt32

Event ID 114: Sizing Workflow: Query Hvl for dump size failed.

Provider: Microsoft-Windows-Kernel-LiveDump
Channel: Operational
Task: SizingWorkflow
Opcode: BufferEstimationData

Description

Sizing Workflow: Query Hvl for dump size failed. NT Status: NTStatus.

Message #

Sizing Workflow: Query Hvl for dump size failed. NT Status: %1.

Fields #

Name	Description
`NTStatus` UInt32	NTSTATUS reference

Event ID 115: Sizing Workflow: Open VM memory partition failed.

Provider: Microsoft-Windows-Kernel-LiveDump
Channel: Operational
Task: SizingWorkflow
Opcode: BufferAllocationData

Description

Sizing Workflow: Open VM memory partition failed. NT Status: NTStatus.

Message #

Sizing Workflow: Open VM memory partition failed. NT Status: %1

Fields #

Name	Description
`NTStatus` UInt32	NTSTATUS reference

Event ID 116: Sizing Workflow: Buffer allocation from the VM memory partition failed.

Provider: Microsoft-Windows-Kernel-LiveDump
Channel: Operational
Task: SizingWorkflow
Opcode: BufferAllocationData

Description

Sizing Workflow: Buffer allocation from the VM memory partition failed. NT Status: NTStatus.

Message #

Sizing Workflow: Buffer allocation from the VM memory partition failed. NT Status: %1

Fields #

Name	Description
`NTStatus` UInt32	NTSTATUS reference

Event ID 117: Sizing Workflow: Capture processor context when the system is quiesced.

Provider: Microsoft-Windows-Kernel-LiveDump
Channel: Analytic
Task: SizingWorkflow
Opcode: CaptureProcessorContext

Description

Sizing Workflow: Capture processor context when the system is quiesced. Duration: Duration_msms.

Message #

Sizing Workflow: Capture processor context when the system is quiesced. Duration: %1ms.

Fields #

Name	Description
`Duration_ms` UInt64

Event ID 118: Sizing Workflow: Mark required dump data when system is quiesced.

Provider: Microsoft-Windows-Kernel-LiveDump
Channel: Analytic
Task: SizingWorkflow
Opcode: MarkRequiredDumpData

Description

Sizing Workflow: Mark required dump data when system is quiesced. Duration: MarkRequiredDumpDataDuration_msms.

Message #

Sizing Workflow: Mark required dump data when system is quiesced. Duration: %1ms.

Fields #

Name	Description
`MarkRequiredDumpDataDuration_ms` UInt64

Event ID 119: Sizing Workflow: Mark important dump data when system is quiesced.

Provider: Microsoft-Windows-Kernel-LiveDump
Channel: Analytic
Task: SizingWorkflow
Opcode: MarkImportantDumpData

Description

Sizing Workflow: Mark important dump data when system is quiesced. Duration: MarkImportantDumpDataDuration_msms.

Message #

Sizing Workflow: Mark important dump data when system is quiesced. Duration: %1ms.

Fields #

Name	Description
`MarkImportantDumpDataDuration_ms` UInt64

Event ID 120: Sizing Workflow: Populate bitmap for dump when system is quiesced.

Provider: Microsoft-Windows-Kernel-LiveDump
Channel: Analytic
Task: SizingWorkflow
Opcode: PopulateBitmapForDump

Description

Sizing Workflow: Populate bitmap for dump when system is quiesced. PopulateBitmapForDumpDuration: PopulateBitmapForDumpDuration_msms. RemoveSystemCacheFromDumpDuration RemoveSystemCacheFromDumpDuration_msms.

Message #

Sizing Workflow: Populate bitmap for dump when system is quiesced. PopulateBitmapForDumpDuration: %1ms. RemoveSystemCacheFromDumpDuration %2ms.

Fields #

Name	Description
`PopulateBitmapForDumpDuration_ms` UInt64
`RemoveSystemCacheFromDumpDuration_ms` UInt64

Event ID 121: Sizing Workflow: Corral processors to quiesce the system.

Provider: Microsoft-Windows-Kernel-LiveDump
Channel: Analytic
Task: SizingWorkflow
Opcode: CorralProcessors

Description

Sizing Workflow: Corral processors to quiesce the system. CorralDuration: CorralDuration_msms. DisableInterruptsDuration: DisableInterruptsDuration_msms. SaveSupervisorStateDuration: SaveSupervisorStateDuration_msms. SuspendClockTimerDuration: SuspendClockTimerDuration_msms.

Message #

Sizing Workflow: Corral processors to quiesce the system. CorralDuration: %1ms. DisableInterruptsDuration: %2ms. SaveSupervisorStateDuration: %3ms. SuspendClockTimerDuration: %4ms.

Fields #

Name	Description
`CorralDuration_ms` UInt64
`DisableInterruptsDuration_ms` UInt64
`SaveSupervisorStateDuration_ms` UInt64
`SuspendClockTimerDuration_ms` UInt64

Event ID 122: Sizing Workflow: Uncorral processors to quiesce the system.

Provider: Microsoft-Windows-Kernel-LiveDump
Channel: Analytic
Task: SizingWorkflow
Opcode: UncorralProcessors

Description

Sizing Workflow: Uncorral processors to quiesce the system. UncorralDuration: UncorralDuration_msms. EnableInterruptsDuration: EnableInterruptsDuration_msms. RestoreSupervisorStateDuration: RestoreSupervisorStateDuration_msms. ResumeClockTimerDuration: ResumeClockTimerDuration_msms.

Message #

Sizing Workflow: Uncorral processors to quiesce the system. UncorralDuration: %1ms. EnableInterruptsDuration: %2ms. RestoreSupervisorStateDuration: %3ms. ResumeClockTimerDuration: %4ms.

Fields #

Name	Description
`UncorralDuration_ms` UInt64
`EnableInterruptsDuration_ms` UInt64
`RestoreSupervisorStateDuration_ms` UInt64
`ResumeClockTimerDuration_ms` UInt64

Event ID 123: Sizing Workflow: MmDuplicateMemory failed.

Provider: Microsoft-Windows-Kernel-LiveDump
Channel: Operational
Task: SizingWorkflow
Opcode: MmDuplicateMemoryFailure

Description

Sizing Workflow: MmDuplicateMemory failed. NT Status: NTStatus. MirrorInProgress: MirrorInProgress.

Message #

Sizing Workflow: MmDuplicateMemory failed. NT Status: %1. MirrorInProgress: %2.

Fields #

Name	Description
`NTStatus` UInt32	NTSTATUS reference
`MirrorInProgress` UInt64

Event ID 124: IO space utilization disabled when HV/SK pages requested, NoSecrets mode disabled, and SK running.

Provider: Microsoft-Windows-Kernel-LiveDump
Channel: Operational
Task: SizingWorkflow
Opcode: LiveDumpDisableIOSpaceUtilization

Description

IO space utilization disabled when HV/SK pages requested, NoSecrets mode disabled, and SK running.

Message #

IO space utilization disabled when HV/SK pages requested, NoSecrets mode disabled, and SK running.

Event ID 125: Callout for Callout (included Included).

Provider: Microsoft-Windows-Kernel-LiveDump
Channel: Operational
Task: SizingWorkflow
Opcode: LiveDumpFeatureCallout

Description

Callout for Callout (included Included).

Message #

Callout for %1 (included %2).

Fields #

Name	Description
`Callout` UInt32
`Included` Boolean

Event ID 126: Sizing Workflow: Call to Hvl for preparing livedump descriptor failed.

Provider: Microsoft-Windows-Kernel-LiveDump
Channel: Operational
Task: SizingWorkflow
Opcode: HvlPrepareLiveDumpDescriptorFailure

Description

Sizing Workflow: Call to Hvl for preparing livedump descriptor failed. NT Status: NTStatus.

Message #

Sizing Workflow: Call to Hvl for preparing livedump descriptor failed. NT Status: %1

Fields #

Name	Description
`NTStatus` UInt32	NTSTATUS reference

Event ID 151: Capture Pages Workflow: Mirroring started.

Provider: Microsoft-Windows-Kernel-LiveDump
Channel: Analytic
Task: CapturePagesWorkflow
Opcode: MirroringStart

Description

Capture Pages Workflow: Mirroring started.

Message #

Capture Pages Workflow: Mirroring started.

Event ID 152: Capture Pages Workflow: Mirroring Phase 0 ended.

Provider: Microsoft-Windows-Kernel-LiveDump
Channel: Analytic
Task: CapturePagesWorkflow
Opcode: MirroringPhase0End

Description

Capture Pages Workflow: Mirroring Phase 0 ended.

Message #

Capture Pages Workflow: Mirroring Phase 0 ended.

Event ID 153: Capture Pages Workflow: Mirroring Phase 1 ended.

Provider: Microsoft-Windows-Kernel-LiveDump
Channel: Analytic
Task: CapturePagesWorkflow
Opcode: MirroringPhase1End

Description

Capture Pages Workflow: Mirroring Phase 1 ended.

Message #

Capture Pages Workflow: Mirroring Phase 1 ended.

Event ID 154: Capture Pages Workflow: System Quiesce started.

Provider: Microsoft-Windows-Kernel-LiveDump
Channel: Operational
Task: CapturePagesWorkflow
Opcode: SystemQuiesceStart

Description

Capture Pages Workflow: System Quiesce started.

Message #

Capture Pages Workflow: System Quiesce started.

Event ID 155: Capture Pages Workflow: System Quiesce ended.

Provider: Microsoft-Windows-Kernel-LiveDump
Channel: Operational
Task: CapturePagesWorkflow
Opcode: SystemQuiesceEnd

Description

Capture Pages Workflow: System Quiesce ended.

Message #

Capture Pages Workflow: System Quiesce ended.

Event ID 156: Capture Pages Workflow: Copy memory pages started.

Provider: Microsoft-Windows-Kernel-LiveDump
Channel: Operational
Task: CapturePagesWorkflow
Opcode: CopyingMemoryPagesStart

Description

Capture Pages Workflow: Copy memory pages started.

Message #

Capture Pages Workflow: Copy memory pages started.

Event ID 157: Capture Pages Workflow: Copy memory pages ended.

Provider: Microsoft-Windows-Kernel-LiveDump
Channel: Operational
Task: CapturePagesWorkflow
Opcode: CopyingMemoryPagesEnd

Description

Capture Pages Workflow: Copy memory pages ended.

Message #

Capture Pages Workflow: Copy memory pages ended.

Event ID 158: Capture Pages Workflow: Capture processor context when the system is quiesced.

Provider: Microsoft-Windows-Kernel-LiveDump
Channel: Analytic
Task: CapturePagesWorkflow
Opcode: CaptureProcessorContext

Description

Capture Pages Workflow: Capture processor context when the system is quiesced. Duration: Duration_msms.

Message #

Capture Pages Workflow: Capture processor context when the system is quiesced. Duration: %1ms.

Fields #

Name	Description
`Duration_ms` UInt64

Event ID 159: Capture Pages Workflow: Mark required dump data when system is quiesced.

Provider: Microsoft-Windows-Kernel-LiveDump
Channel: Analytic
Task: CapturePagesWorkflow
Opcode: MarkRequiredDumpData

Description

Capture Pages Workflow: Mark required dump data when system is quiesced. Duration: MarkRequiredDumpDataDuration_msms.

Message #

Capture Pages Workflow: Mark required dump data when system is quiesced. Duration: %1ms.

Fields #

Name	Description
`MarkRequiredDumpDataDuration_ms` UInt64

Event ID 160: Capture Pages Workflow: Mark important dump data when system is quiesced.

Provider: Microsoft-Windows-Kernel-LiveDump
Channel: Analytic
Task: CapturePagesWorkflow
Opcode: MarkImportantDumpData

Description

Capture Pages Workflow: Mark important dump data when system is quiesced. Duration: MarkImportantDumpDataDuration_msms.

Message #

Capture Pages Workflow: Mark important dump data when system is quiesced. Duration: %1ms.

Fields #

Name	Description
`MarkImportantDumpDataDuration_ms` UInt64

Event ID 161: Capture Pages Workflow: Populate bitmap for dump when system is quiesced.

Provider: Microsoft-Windows-Kernel-LiveDump
Channel: Analytic
Task: CapturePagesWorkflow
Opcode: PopulateBitmapForDump

Description

Capture Pages Workflow: Populate bitmap for dump when system is quiesced. PopulateBitmapForDumpDuration: PopulateBitmapForDumpDuration_msms. RemoveSystemCacheFromDumpDuration RemoveSystemCacheFromDumpDuration_msms.

Message #

Capture Pages Workflow: Populate bitmap for dump when system is quiesced. PopulateBitmapForDumpDuration: %1ms. RemoveSystemCacheFromDumpDuration %2ms.

Fields #

Name	Description
`PopulateBitmapForDumpDuration_ms` UInt64
`RemoveSystemCacheFromDumpDuration_ms` UInt64

Event ID 162: Capture Pages Workflow: Collect Hvl dump when system is quiesced.

Provider: Microsoft-Windows-Kernel-LiveDump
Channel: Analytic
Task: LIVEDUMP_TASK_CAPTURE_PAGES_WORKFLOW
Opcode: HvlCollectLiveDump

Description

Capture Pages Workflow: Collect Hvl dump when system is quiesced. Duration: Duration_msms.

Message #

Capture Pages Workflow: Collect Hvl dump when system is quiesced. Duration: %1ms.

Fields #

Name	Description
`Duration_ms` UInt64

Event ID 163: Capture Pages Workflow: Generate Ipt secondary data when system is quiesced.

Provider: Microsoft-Windows-Kernel-LiveDump
Channel: Analytic
Task: CapturePagesWorkflow
Opcode: GenerateIptSecondaryData

Description

Capture Pages Workflow: Generate Ipt secondary data when system is quiesced. Duration: Duration_msms.

Message #

Capture Pages Workflow: Generate Ipt secondary data when system is quiesced. Duration: %1ms.

Fields #

Name	Description
`Duration_ms` UInt64

Event ID 164: Capture Pages Workflow: Initiate state change to copy contents of marked pages when system is quiesced.

Provider: Microsoft-Windows-Kernel-LiveDump
Channel: Analytic
Task: LIVEDUMP_TASK_CAPTURE_PAGES_WORKFLOW
Opcode: DumpDataBuffering

Description

Capture Pages Workflow: Initiate state change to copy contents of marked pages when system is quiesced. Duration: Duration_msms.

Message #

Capture Pages Workflow: Initiate state change to copy contents of marked pages when system is quiesced. Duration: %1ms.

Fields #

Name	Description
`Duration_ms` UInt64

Event ID 165: Capture Pages Workflow: Corral processors to quiesce the system.

Provider: Microsoft-Windows-Kernel-LiveDump
Channel: Analytic
Task: CapturePagesWorkflow
Opcode: CorralProcessors

Description

Capture Pages Workflow: Corral processors to quiesce the system. CorralDuration: CorralDuration_msms. DisableInterruptsDuration: DisableInterruptsDuration_msms. SaveSupervisorStateDuration: SaveSupervisorStateDuration_msms. SuspendClockTimerDuration: SuspendClockTimerDuration_msms.

Message #

Capture Pages Workflow: Corral processors to quiesce the system. CorralDuration: %1ms. DisableInterruptsDuration: %2ms. SaveSupervisorStateDuration: %3ms. SuspendClockTimerDuration: %4ms.

Fields #

Name	Description
`CorralDuration_ms` UInt64
`DisableInterruptsDuration_ms` UInt64
`SaveSupervisorStateDuration_ms` UInt64
`SuspendClockTimerDuration_ms` UInt64

Event ID 166: Capture Pages Workflow: Uncorral processors to quiesce the system.

Provider: Microsoft-Windows-Kernel-LiveDump
Channel: Analytic
Task: CapturePagesWorkflow
Opcode: UncorralProcessors

Description

Capture Pages Workflow: Uncorral processors to quiesce the system. UncorralDuration: UncorralDuration_msms. EnableInterruptsDuration: EnableInterruptsDuration_msms. RestoreSupervisorStateDuration: RestoreSupervisorStateDuration_msms. ResumeClockTimerDuration: ResumeClockTimerDuration_msms.

Message #

Capture Pages Workflow: Uncorral processors to quiesce the system. UncorralDuration: %1ms. EnableInterruptsDuration: %2ms. RestoreSupervisorStateDuration: %3ms. ResumeClockTimerDuration: %4ms.

Fields #

Name	Description
`UncorralDuration_ms` UInt64
`EnableInterruptsDuration_ms` UInt64
`RestoreSupervisorStateDuration_ms` UInt64
`ResumeClockTimerDuration_ms` UInt64

Event ID 167: Capture Pages Workflow: Capture memory pages.

Provider: Microsoft-Windows-Kernel-LiveDump
Channel: Operational
Task: CapturePagesWorkflow
Opcode: CaptureMemoryPages

Description

Capture Pages Workflow: Capture memory pages. MemoryCaptureDuration: MemoryCaptureDuration_msms. SystemQuiescedDuration: SystemQuiescedDuration_msms. EndMirroringPhasesDuration: EndMirroringPhasesDuration_msms. MirrorPhysicalMemoryDuration: MirrorPhysicalMemoryDuration_msms. MirrorPhysicalMemorySizeInBytes: MirrorPhysicalMemorySizeInBytes bytes. HvlCollectLivedumpDuration: HvlCollectLivedumpDuration_msms. DumpDataBufferingDuration: DumpDataBufferingDuration_msms.

Message #

Capture Pages Workflow: Capture memory pages. MemoryCaptureDuration: %1ms. SystemQuiescedDuration: %2ms. EndMirroringPhasesDuration: %3ms. MirrorPhysicalMemoryDuration: %4ms. MirrorPhysicalMemorySizeInBytes: %5 bytes. HvlCollectLivedumpDuration: %6ms. DumpDataBufferingDuration: %7ms.

Fields #

Name	Description
`MemoryCaptureDuration_ms` UInt64
`SystemQuiescedDuration_ms` UInt64
`EndMirroringPhasesDuration_ms` UInt64
`MirrorPhysicalMemoryDuration_ms` UInt64
`MirrorPhysicalMemorySizeInBytes` UInt64
`HvlCollectLivedumpDuration_ms` UInt64
`DumpDataBufferingDuration_ms` UInt64

Event ID 168: Capture Pages Workflow: MmDuplicateMemory failed.

Provider: Microsoft-Windows-Kernel-LiveDump
Channel: Operational
Task: CapturePagesWorkflow
Opcode: MmDuplicateMemoryFailure

Description

Capture Pages Workflow: MmDuplicateMemory failed. NT Status: NTStatus. MirrorInProgress: MirrorInProgress.

Message #

Capture Pages Workflow: MmDuplicateMemory failed. NT Status: %1. MirrorInProgress: %2.

Fields #

Name	Description
`NTStatus` UInt32	NTSTATUS reference
`MirrorInProgress` UInt64

Event ID 169: Callout for Callout (included Included).

Provider: Microsoft-Windows-Kernel-LiveDump
Channel: Operational
Task: CapturePagesWorkflow
Opcode: LiveDumpFeatureCallout

Description

Callout for Callout (included Included).

Message #

Callout for %1 (included %2).

Fields #

Name	Description
`Callout` UInt32
`Included` Boolean

Event ID 201: Live Dump Write Deferred Dump Data API started.

Provider: Microsoft-Windows-Kernel-LiveDump
Channel: Analytic
Task: LiveDumpWriteDeferredDumpDataAPI
Opcode: APIStart

Description

Live Dump Write Deferred Dump Data API started.

Message #

Live Dump Write Deferred Dump Data API started.

Event ID 202: Live Dump Write Deferred Dump Data API ended.

Provider: Microsoft-Windows-Kernel-LiveDump
Channel: Operational
Task: Live Dump Write Deferred Dump Data API
Opcode: API End

Description

Live Dump Write Deferred Dump Data API ended. NT Status: NTStatus. BugcheckCode: BugcheckCode. BugcheckParameter1: BugCheckParameter1. BugcheckParameter2: BugCheckParameter2. BugcheckParameter3: BugCheckParameter3. BugcheckParameter4: BugCheckParameter4. DumpWriteDuration: DumpCaptureDuration_msms. SelectiveDump: SelectiveDump. DynamicLowMemoryThreshold: DynamicLowMemoryThresholdBytes bytes. AvailablePhysicalMemory: AvailablePhysicalMemoryInBytes bytes. TotalPhysicalMemory: TotalPhysicalMemoryInBytes bytes. IOSpaceEnabled: IOSpaceEnabled.

Message #

Live Dump Write Deferred Dump Data API ended. NT Status: %1. BugcheckCode: %2. BugcheckParameter1: %3. BugcheckParameter2: %4. BugcheckParameter3: %5. BugcheckParameter4: %6. DumpWriteDuration: %8ms.  SelectiveDump: %9. DynamicLowMemoryThreshold: %10 bytes.  AvailablePhysicalMemory: %11 bytes.  TotalPhysicalMemory: %12 bytes.  IOSpaceEnabled: %13.

Fields #

Name	Description
`NTStatus` UInt32	NTSTATUS reference
`BugcheckCode` UInt32
`BugCheckParameter1` Pointer
`BugCheckParameter2` Pointer
`BugCheckParameter3` Pointer
`BugCheckParameter4` Pointer
`AbortIfMemoryPressure` UInt32
`DumpCaptureDuration_ms` UInt64
`SelectiveDump` UInt32
`DynamicLowMemoryThresholdBytes` UInt64
`AvailablePhysicalMemoryInBytes` UInt64
`TotalPhysicalMemoryInBytes` UInt64
`IOSpaceEnabled` Boolean

Event ID 203: Write deferred dump data to file started.

Provider: Microsoft-Windows-Kernel-LiveDump
Channel: Operational
Task: LiveDumpWriteDeferredDumpDataAPI
Opcode: DumpFileWriteStart

Description

Write deferred dump data to file started.

Message #

Write deferred dump data to file started.

Event ID 204: Write deferred dump data to file ended.

Provider: Microsoft-Windows-Kernel-LiveDump
Channel: Operational
Task: LiveDumpWriteDeferredDumpDataAPI
Opcode: DumpFileWriteEnd

Description

Write deferred dump data to file ended. NT Status: NTStatus. Total TotalBytes bytes (Header|Primary|Secondary: HeaderBytes|PrimaryDataBytes|SecondaryDataBytes bytes). DumpWriteDuration: DumpWriteDuration_msms.

Message #

Write deferred dump data to file ended. NT Status: %1. Total %2 bytes (Header|Primary|Secondary: %3|%4|%5 bytes). DumpWriteDuration: %6ms.

Fields #

Name	Description
`NTStatus` UInt32	NTSTATUS reference
`TotalBytes` UInt64
`HeaderBytes` UInt64
`PrimaryDataBytes` UInt64
`SecondaryDataBytes` UInt64
`DumpWriteDuration_ms` UInt64

Event ID 251: Live Dump Discard Deferred Dump Data API started.

Provider: Microsoft-Windows-Kernel-LiveDump
Channel: Analytic
Task: LiveDumpDiscardDeferredDumpDataAPI
Opcode: APIStart

Description

Live Dump Discard Deferred Dump Data API started.

Message #

Live Dump Discard Deferred Dump Data API started.

Event ID 252: Live Dump Discard Deferred Dump Data API ended.

Provider: Microsoft-Windows-Kernel-LiveDump
Channel: Operational
Task: Live Dump Discard Deferred Dump Data API
Opcode: API End

Description

Live Dump Discard Deferred Dump Data API ended. NT Status: NTStatus. BugcheckCode: BugcheckCode. BugcheckParameter1: BugCheckParameter1. BugcheckParameter2: BugCheckParameter2. BugcheckParameter3: BugCheckParameter3. BugcheckParameter4: BugCheckParameter4.

Message #

Live Dump Discard Deferred Dump Data API ended. NT Status: %1. BugcheckCode: %2. BugcheckParameter1: %3. BugcheckParameter2: %4. BugcheckParameter3: %5. BugcheckParameter4: %6.

Fields #

Name	Description
`NTStatus` UInt32	NTSTATUS reference
`BugcheckCode` UInt32
`BugCheckParameter1` Pointer
`BugCheckParameter2` Pointer
`BugCheckParameter3` Pointer
`BugCheckParameter4` Pointer
`AbortIfMemoryPressure` UInt32
`DumpCaptureDuration_ms` UInt64
`SelectiveDump` UInt32
`DynamicLowMemoryThresholdBytes` UInt64
`AvailablePhysicalMemoryInBytes` UInt64
`TotalPhysicalMemoryInBytes` UInt64
`IOSpaceEnabled` Boolean

Event ID 271: AllowLiveDump policy: AllowLiveDump_policy.

Provider: Microsoft-Windows-Kernel-LiveDump
Channel: Operational
Task: LiveDumpPolicy
Opcode: PolicyOperationFailed

Description

AllowLiveDump policy: AllowLiveDump_policy.

Message #

AllowLiveDump policy: %1.

Fields #

Name	Description
`OperationType` AnsiString	Known values `%%1904` New registry value created `%%1905` Existing registry value modified `%%1906` Registry value deleted `%%14674` Value Added `%%14675` Value Deleted `%%14680` Value Added With Expiration Time `%%14681` Value Deleted With Expiration Time `%%14688` Value Auto Deleted With Expiration Time

Event ID 272: AllowLiveDump policy value changed (AllowLiveDump = PolicyValue).

Provider: Microsoft-Windows-Kernel-LiveDump
Channel: Operational
Task: LiveDumpPolicy
Opcode: PolicyValueChanged

Description

AllowLiveDump policy value changed (AllowLiveDump = PolicyValue). Configure live dump. NT status: NTStatus.

Message #

AllowLiveDump policy value changed (AllowLiveDump = %1). Configure live dump. NT status: %2

Fields #

Name	Description
`PolicyValue` UInt32
`NTStatus` UInt32	NTSTATUS reference

Event ID 273: LiveDump disabled on boot by policy (AllowLiveDump = PolicyValue).

Provider: Microsoft-Windows-Kernel-LiveDump
Channel: Operational
Task: LiveDumpPolicy
Opcode: LiveDumpDisabledOnBoot

Description

LiveDump disabled on boot by policy (AllowLiveDump = PolicyValue).

Message #

LiveDump disabled on boot by policy (AllowLiveDump = %1).

Fields #

Name	Description
`PolicyValue` UInt32

Provenance

Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.

ETW provider GUID bef2aa8e-81cd-11e2-a7bb-5eac6188709b

Defined in Microsoft-Windows-System-Events.dll, which carries the event manifest.

Observed on:

WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.3932, captured 2026-06-02
Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.5074, captured 2026-06-02

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)