Microsoft-Windows-Kernel-PnP
196 events across 9 channels
Event ID 202: Begin system start drivers phase
Description
Begin system start drivers phase.

Event ID 204: OS Loader Start: OS_Loader_Start.
Description
OS Loader Start: OS_Loader_Start.
Fields
| Name | Description |
|---|---|
| OSLoaderStart UInt64 | |
| OSLoaderEnd UInt64 | |
| PreloadEndTime UInt64 | |
| TcbLoaderStartTime UInt64 | |
| LoadHypervisorTime UInt64 | |
| LaunchHypervisorTime UInt64 | |
| LoadVsmTime UInt64 | |
| LaunchVsmTime UInt64 | |
| ExecuteTransitionStartTime UInt64 | |
| ExecuteTransitionEndTime UInt64 | |
| PerformanceDataFrequency UInt64 | |

Event ID 205: EarlyLaunchAntiMalwareStart
Fields
| Name | Description |
|---|---|
| ElamDriverNameLength UInt16 | |
| ElamDriverName UnicodeString | |

Event ID 206: EarlyLaunchAntiMalwareStop
Fields
| Name | Description |
|---|---|
| ElamDriverNameLength UInt16 | |
| ElamDriverName UnicodeString | |

Event ID 209: EarlyLaunchAntiMalware
Fields
| Name | Description |
|---|---|
| Classification UInt32 | |
| Policy UInt32 | |
| Result UInt32 | |

Event ID 210: Begin initializing boot start driver DriverName.

Event ID 211: End initializing boot start driver DriverName.
Description
End initializing boot start driver DriverName. Status: Status.
Fields
| Name | Description |
|---|---|
| DriverNameLength UInt16 | |
| DriverName UnicodeString | |
| Status UInt32 | NTSTATUS reference |

Event ID 212: Begin loading driver DriverName.

Event ID 213: End loading driver DriverName.
Description
End loading driver DriverName. Status: Status.
Fields
| Name | Description |
|---|---|
| ServiceNameLength UInt16 | |
| ServiceName UnicodeString | |
| Status UInt32 | NTSTATUS reference |
| DriverNameLength UInt16 | |
| DriverName UnicodeString | |
| Version UInt32 | |

Event ID 214: Begin unloading driver DriverName.

Event ID 215: End unloading driver DriverName.
Description
End unloading driver DriverName. Status: Status.
Fields
| Name | Description |
|---|---|
| ServiceNameLength UInt16 | |
| ServiceName UnicodeString | |
| Status UInt32 | NTSTATUS reference |
| DriverNameLength UInt16 | |
| DriverName UnicodeString | |
| Version UInt32 | |

Event ID 216: Begin starting device DriverName.

Event ID 217: Pending start of device DriverName.

Event ID 218: End starting device DriverName using driver FailureName.
Description
End starting device DriverName using driver FailureName. Status: Status.
Fields
| Name | Description |
|---|---|
| DriverNameLength UInt16 | |
| DriverName UnicodeString | |
| Status UInt32 | NTSTATUS reference |
| FailureNameLength UInt16 | |
| FailureName UnicodeString | |
| Version UInt32 | |

Event ID 219: The driver FailureName failed to load.
Description
The driver FailureName failed to load.
Fields
| Name | Description |
|---|---|
| DriverNameLength UInt16 | |
| DriverName UnicodeString | |
| Status UInt32 | NTSTATUS reference |
| FailureNameLength UInt16 | |
| FailureName UnicodeString | |
| Version UInt32 | |

Example Event
{
"system": {
"provider": "Microsoft-Windows-Kernel-PnP",
"guid": "9C205A39-1250-487D-ABD7-E831C6290539",
"event_source_name": "",
"event_id": 219,
"version": 0,
"level": 3,
"task": 212,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2023-11-06T06:25:19.591886+00:00",
"event_record_id": 1645,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 224
},
"channel": "System",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"DriverNameLength": 15,
"DriverName": "ROOT\\VMBus\\0000",
"Status": 3221226341,
"FailureNameLength": 14,
"FailureName": "\\Driver\\vmbusr",
"Version": 0
},
"message": ""
}
Event ID 220: Begin querying bus relations for device DriverName.

Event ID 221: Pending querying bus relations for device DriverName.

Event ID 222: End querying bus relations for device DriverName.

Event ID 223: Begin attempting to eject device DriverName.

Event ID 224: End attempting to eject device DriverName.
Description
End attempting to eject device DriverName. Status: Status.
Fields
| Name | Description |
|---|---|
| DriverNameLength UInt16 | |
| DriverName UnicodeString | |
| Status UInt32 | NTSTATUS reference |
| FailureNameLength UInt16 | |
| FailureName UnicodeString | |
| Version UInt32 | |

Event ID 225: The application ProcessName with process id ProcessId stopped the removal or ejection for the device DeviceInstance.
Description
The application ProcessName with process id ProcessId stopped the removal or ejection for the device DeviceInstance.
Fields
| Name | Description |
|---|---|
| ProcessId UInt32 | |
| ProcessNameLength UInt16 | |
| ProcessName UnicodeString | |
| DeviceInstanceLength UInt16 | |
| DeviceInstance UnicodeString | |
| CommandLineLength UInt16 | |
| CommandLine UnicodeString | |
| VetoingDevicesLength UInt16 | |
| VetoingDevices UnicodeString | |

Event ID 226: Begin calling driver initialization routine for driver DriverName.

Event ID 227: End calling driver initialization routine for driver DriverName.
Description
End calling driver initialization routine for driver DriverName. Status: Status.
Fields
| Name | Description |
|---|---|
| DriverNameLength UInt16 | |
| DriverName UnicodeString | |
| Status UInt32 | NTSTATUS reference |

Event ID 228: task_0
Fields
| Name | Description |
|---|---|
| SqmType UInt32 | |
| SqmSessionGuid GUID | |
| SqmSid SID | |
| SqmWindowsSessionId UInt32 | |
| SqmSessionFlags UInt32 | |

Event ID 230: task_0230
Fields
| Name | Description |
|---|---|
| SqmType UInt32 | |
| SqmSessionGuid GUID | |
| SqmID UInt32 | |
| SqmDWORDDatapointValue UInt32 | |

Event ID 231: task_0Stop
Fields
| Name | Description |
|---|---|
| SqmType UInt32 | |
| SqmSessionGuid GUID | |
| SqmID UInt32 | |
| SqmDWORDDatapointValue UInt32 | |

Event ID 232: task_0232
Fields
| Name | Description |
|---|---|
| SqmType UInt32 | |
| SqmSessionGuid GUID | |
| SqmID UInt32 | |
| SqmDWORDDatapointValue UInt32 | |

Event ID 233: task_0233
Fields
| Name | Description |
|---|---|
| SqmType UInt32 | |
| SqmSessionGuid GUID | |
| SqmID UInt32 | |
| SqmDWORDDatapointValue UInt32 | |

Event ID 234: task_0234
Fields
| Name | Description |
|---|---|
| SqmType UInt32 | |
| SqmSessionGuid GUID | |
| SqmID UInt32 | |
| SqmDWORDDatapointValue UInt32 | |

Event ID 235: task_0235
Fields
| Name | Description |
|---|---|
| SqmType UInt32 | |
| SqmSessionGuid GUID | |
| SqmID UInt32 | |
| SqmStringDatapointValue UnicodeString | |

Event ID 236: task_0236
Fields
| Name | Description |
|---|---|
| SqmType UInt32 | |
| SqmSessionGuid GUID | |
| SqmID UInt32 | |
| SqmStreamRowLength UInt32 | |
| SqmStreamRow Int16 | |

Event ID 240: A partition unit replace operation has been initiated.

Event ID 241: A partition unit replace operation has failed.
Description
A partition unit replace operation has failed.
Fields
| Name | Description |
|---|---|
| TargetPath UnicodeString | |
| SparePath UnicodeString | |
| Status HexInt32 | NTSTATUS reference |
| Location UInt32 | |
| ExtendedStatus UInt32 | |

Event ID 242: A partition unit has been successfully replaced.
Description
A partition unit has been successfully replaced.
Fields
| Name | Description |
|---|---|
| TargetPath UnicodeString | |
| TargetAffinity HexInt64 | |
| TargetProcessorCount UInt32 | |
| TargetMemoryCount UInt32 | |
| TargetMemorySize HexInt64 | |
| SparePath UnicodeString | |
| SpareProcessorCount UInt32 | |
| SpareMemoryCount UInt32 | |
| SpareMemorySize HexInt64 | |
| TimeTotal UInt32 | |
| TimeToQuiesce UInt32 | |
| TimeQuiesced UInt32 | |
| TimeToWake UInt32 | |
| TargetProcessors FILETIME | |
| TargetMemoryRanges SYSTEMTIME | |
| SpareProcessors HexInt32 | |
| SpareMemoryRanges HexInt64 | |

Event ID 250: Begin configuration of device DeviceInstance.

Event ID 251: Pending configuration of device DeviceInstance.

Event ID 252: End configuration of device DeviceInstance.
Description
End configuration of device DeviceInstance. Status: Status.
Fields
| Name | Description |
|---|---|
| DeviceInstanceLength UInt16 | |
| DeviceInstance UnicodeString | |
| Status UInt32 | NTSTATUS reference |

Event ID 260: Begin starting system start drivers part 1
Description
Begin starting system start drivers part 1.

Event ID 261: End starting system start drivers part 1
Description
End starting system start drivers part 1.

Event ID 262: Begin starting system start drivers part 2
Description
Begin starting system start drivers part 2.

Event ID 263: End starting system start drivers part 2
Description
End starting system start drivers part 2.

Event ID 264: Begin processing reinitialization requests for boot start drivers
Description
Begin processing reinitialization requests for boot start drivers.

Event ID 265: End processing reinitialization requests for boot start drivers
Description
End processing reinitialization requests for boot start drivers.

Event ID 266: Begin processing reinitialization requests for system start drivers
Description
Begin processing reinitialization requests for system start drivers.

Event ID 267: End processing reinitialization requests for system start drivers
Description
End processing reinitialization requests for system start drivers.

Event ID 270: Begin loading driver database DriverName.

Event ID 271: Pending loading driver database DriverName.

Event ID 272: End loading driver database DriverName.
Description
End loading driver database DriverName.
Fields
| Name | Description |
|---|---|
| DriverNameLength UInt16 | |
| DriverName UnicodeString | |
| Status UInt32 | NTSTATUS reference |

Event ID 273: Begin unloading driver database DriverName.

Event ID 274: Pending unloading driver database DriverName.

Event ID 275: End unloading driver database DriverName.
Description
End unloading driver database DriverName.
Fields
| Name | Description |
|---|---|
| DriverNameLength UInt16 | |
| DriverName UnicodeString | |
| Status UInt32 | NTSTATUS reference |

Event ID 276: DriverDatabaseLoadedStart
Fields
| Name | Description |
|---|---|
| DriverNameLength UInt16 | |
| DriverName UnicodeString | |

Event ID 277: DriverDatabaseLoadedStop
Fields
| Name | Description |
|---|---|
| DriverNameLength UInt16 | |
| DriverName UnicodeString | |
| Status UInt32 | NTSTATUS reference |

Event ID 300: Begin starting initialization of drivers
Description
Begin starting initialization of drivers.

Event ID 301: End starting initialization of drivers
Description
End starting initialization of drivers.

Event ID 400: Device DeviceInstanceId was configured.
Description
Device DeviceInstanceId was configured.
Fields
| Name | Description |
|---|---|
| DeviceInstanceId UnicodeString | |
| DriverName UnicodeString | |
| ClassGuid GUID | |
| DriverDate UnicodeString | |
| DriverVersion UnicodeString | |
| DriverProvider UnicodeString | |
| DriverInbox Boolean | |
| DriverSection UnicodeString | |
| DriverRank HexInt32 | |
| MatchingDeviceId UnicodeString | |
| OutrankedDrivers UnicodeString | |
| DeviceUpdated Boolean | |
| Status HexInt32 | NTSTATUS reference |
| ParentDeviceInstanceId UnicodeString | Parent Device. |
| DriverPackageId | |

Example Event
{
"system": {
"provider": "Microsoft-Windows-Kernel-PnP",
"guid": "{9C205A39-1250-487D-ABD7-E831C6290539}",
"event_source_name": "",
"event_id": 400,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2026-06-13T05:12:15.8137445+00:00",
"event_record_id": 143,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 8188
},
"channel": "Microsoft-Windows-Kernel-PnP/Configuration",
"computer": "telemetry-DC-c.cell-c.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"DeviceInstanceId": "ROOT\\VBUS\\0000",
"DriverName": "vbus.inf",
"ClassGuid": "{4d36e97d-e325-11ce-bfc1-08002be10318}",
"DriverDate": "06/21/2006",
"DriverVersion": "10.0.20348.469",
"DriverProvider": "Microsoft",
"DriverInbox": "true",
"DriverSection": "Vbus_Device.NT",
"DriverRank": "0xff0000",
"MatchingDeviceId": "ROOT\\vbus",
"OutrankedDrivers": "",
"DeviceUpdated": "false",
"Status": "0x0",
"ParentDeviceInstanceId": "HTREE\\ROOT\\0"
},
"message": "Device ROOT\\VBUS\\0000 was configured.\r\n\r\nDriver Name: vbus.inf\r\nClass Guid: {4d36e97d-e325-11ce-bfc1-08002be10318}\r\nDriver Date: 06/21/2006\r\nDriver Version: 10.0.20348.469\r\nDriver Provider: Microsoft\r\nDriver Section: Vbus_Device.NT\r\nDriver Rank: 0xFF0000\r\nMatching Device Id: ROOT\\vbus\r\nOutranked Drivers: \r\nDevice Updated: false\r\nParent Device: HTREE\\ROOT\\0"
}
Event ID 401: Device Driver_Name failed configuration.
Description
Device Driver_Name failed configuration.
Fields
| Name | Description |
|---|---|
| DeviceInstanceId UnicodeString | |
| DriverName UnicodeString | |
| ClassGuid GUID | |
| DriverDate UnicodeString | |
| DriverVersion UnicodeString | |
| DriverProvider UnicodeString | |
| DriverInbox Boolean | |
| DriverSection UnicodeString | |
| DriverRank HexInt32 | |
| MatchingDeviceId UnicodeString | |
| OutrankedDrivers UnicodeString | |
| DeviceUpdated Boolean | |
| Status HexInt32 | Outranked Drivers. NTSTATUS reference |
| ParentDeviceInstanceId UnicodeString | |
| DriverPackageId UnicodeString | |

Event ID 402: Device Driver_Name had its configuration blocked by policy.
Description
Device Driver_Name had its configuration blocked by policy.
Fields
| Name | Description |
|---|---|
| DeviceInstanceId UnicodeString | |
| DriverName UnicodeString | |
| ClassGuid GUID | |
| DriverDate UnicodeString | |
| DriverVersion UnicodeString | |
| DriverProvider UnicodeString | |
| DriverInbox Boolean | |
| DriverSection UnicodeString | |
| DriverRank HexInt32 | |
| MatchingDeviceId UnicodeString | |
| OutrankedDrivers UnicodeString | |
| DeviceUpdated Boolean | |
| Status HexInt32 | Outranked Drivers. NTSTATUS reference |
| ParentDeviceInstanceId UnicodeString | |
| DriverPackageId UnicodeString | |

Event ID 403: Device DeviceInstanceId requires a system reboot to complete configuration.
Description
Device DeviceInstanceId requires a system reboot to complete configuration.
Fields
| Name | Description |
|---|---|
| DeviceInstanceId UnicodeString | |
| DriverName UnicodeString | |
| ClassGuid GUID | |
| DriverDate UnicodeString | |
| DriverVersion UnicodeString | |
| DriverProvider UnicodeString | |
| DriverInbox Boolean | |
| DriverSection UnicodeString | |
| DriverRank HexInt32 | |
| MatchingDeviceId UnicodeString | |
| OutrankedDrivers UnicodeString | |
| DeviceUpdated Boolean | |
| Status HexInt32 | NTSTATUS reference |
| ParentDeviceInstanceId UnicodeString | Parent Device. |
| DriverPackageId | |

Example Event
{
"system": {
"provider": "Microsoft-Windows-Kernel-PnP",
"guid": "9C205A39-1250-487D-ABD7-E831C6290539",
"event_source_name": "",
"event_id": 403,
"version": 0,
"level": 3,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2023-10-26T04:16:19.107877+00:00",
"event_record_id": 112,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 248
},
"channel": "Microsoft-Windows-Kernel-PnP/Configuration",
"computer": "WIN-OQ6R0RVA4NF",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"DeviceInstanceId": "ROOT\\VOLMGR\\0000",
"DriverName": "volmgr.inf",
"ClassGuid": "4D36E97D-E325-11CE-BFC1-08002BE10318",
"DriverDate": "06/21/2006",
"DriverVersion": "10.0.22621.608",
"DriverProvider": "Microsoft",
"DriverInbox": true,
"DriverSection": "Volmgr",
"DriverRank": "0xff0000",
"MatchingDeviceId": "ROOT\\VOLMGR",
"OutrankedDrivers": "",
"DeviceUpdated": false,
"Status": "0x0",
"ParentDeviceInstanceId": "HTREE\\ROOT\\0"
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 410: Device DeviceInstanceId was started.
Description
Device DeviceInstanceId was started.
Fields
| Name | Description |
|---|---|
| DeviceInstanceId UnicodeString | |
| DriverName UnicodeString | |
| ClassGuid GUID | |
| ServiceName UnicodeString | Service. |
| LowerFilters UnicodeString | |
| UpperFilters UnicodeString | |
| Problem HexInt32 | |
| Status HexInt32 | NTSTATUS reference |

Example Event
{
"system": {
"provider": "Microsoft-Windows-Kernel-PnP",
"guid": "{9C205A39-1250-487D-ABD7-E831C6290539}",
"event_source_name": "",
"event_id": 410,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2026-06-13T05:12:16.5253427+00:00",
"event_record_id": 145,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 2340
},
"channel": "Microsoft-Windows-Kernel-PnP/Configuration",
"computer": "telemetry-DC-c.cell-c.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"DeviceInstanceId": "ROOT\\NETFT\\0000",
"DriverName": "netft.inf",
"ClassGuid": "{4d36e972-e325-11ce-bfc1-08002be10318}",
"ServiceName": "Netft",
"LowerFilters": "",
"UpperFilters": "",
"Problem": "0x0",
"Status": "0x0"
},
"message": "Device ROOT\\NETFT\\0000 was started.\r\n\r\nDriver Name: netft.inf\r\nClass Guid: {4d36e972-e325-11ce-bfc1-08002be10318}\r\nService: Netft\r\nLower Filters: \r\nUpper Filters: "
}
Event ID 411: Device DeviceInstanceId had a problem starting.
Description
Device DeviceInstanceId had a problem starting.
Fields
| Name | Description |
|---|---|
| DeviceInstanceId UnicodeString | |
| DriverName UnicodeString | |
| ClassGuid GUID | |
| ServiceName UnicodeString | Service. |
| LowerFilters UnicodeString | |
| UpperFilters UnicodeString | |
| Problem HexInt32 | |
| Status HexInt32 | Problem Status. NTSTATUS reference |

Example Event
{
"system": {
"provider": "Microsoft-Windows-Kernel-PnP",
"guid": "9C205A39-1250-487D-ABD7-E831C6290539",
"event_source_name": "",
"event_id": 411,
"version": 0,
"level": 2,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2023-10-26T04:17:42.366175+00:00",
"event_record_id": 168,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 52
},
"channel": "Microsoft-Windows-Kernel-PnP/Configuration",
"computer": "WIN-OQ6R0RVA4NF",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"DeviceInstanceId": "PCI\\VEN_8086&DEV_100F&SUBSYS_075015AD&REV_01\\4&bbf9765&0&0088",
"DriverName": "nete1g3e.inf",
"ClassGuid": "4D36E972-E325-11CE-BFC1-08002BE10318",
"ServiceName": "E1G60",
"LowerFilters": "",
"UpperFilters": "",
"Problem": "0x0",
"Status": "0xc00000e5"
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 412: Device Driver_Name requires a system reboot before it can be started.
Description
Device Driver_Name requires a system reboot before it can be started.
Fields
| Name | Description |
|---|---|
| DeviceInstanceId UnicodeString | |
| DriverName UnicodeString | |
| ClassGuid GUID | |
| ServiceName UnicodeString | |
| LowerFilters UnicodeString | |
| UpperFilters UnicodeString | |
| Problem HexInt32 | |
| Status HexInt32 | NTSTATUS reference |

Event ID 420: Device DeviceInstanceId was deleted.
Description
Device DeviceInstanceId was deleted.
Fields
| Name | Description |
|---|---|
| DeviceInstanceId UnicodeString | |
| ClassGuid GUID | |
| Problem HexInt32 | |
| Status HexInt32 | NTSTATUS reference |

Example Event
{
"system": {
"provider": "Microsoft-Windows-Kernel-PnP",
"guid": "9C205A39-1250-487D-ABD7-E831C6290539",
"event_source_name": "",
"event_id": 420,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2026-03-13T17:24:14.944455+00:00",
"event_record_id": 226,
"correlation": {},
"execution": {
"process_id": 3668,
"thread_id": 7476
},
"channel": "Microsoft-Windows-Kernel-PnP/Configuration",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"DeviceInstanceId": "SWD\\PRINTENUM\\{01F312F1-DACA-4AA7-96B1-5CE1A11685FD}",
"ClassGuid": "1ED2BBF9-11F0-4084-B21F-AD83A8E6DCDC",
"Problem": "0x2d",
"Status": "0x0"
},
"message": ""
}
Event ID 421: Device Class_Guid could not be deleted.
Description
Device Class_Guid could not be deleted.
Fields
| Name | Description |
|---|---|
| DeviceInstanceId UnicodeString | |
| ClassGuid GUID | |
| Problem HexInt32 | |
| Status HexInt32 | NTSTATUS reference |

Event ID 430: Device DeviceInstanceId requires further installation.
Description
Device DeviceInstanceId requires further installation.
Fields
| Name | Description |
|---|---|
| DeviceInstanceId UnicodeString | |

Example Event
{
"system": {
"provider": "Microsoft-Windows-Kernel-PnP",
"guid": "9C205A39-1250-487D-ABD7-E831C6290539",
"event_source_name": "",
"event_id": 430,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2023-10-26T04:16:49.350000+00:00",
"event_record_id": 160,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 248
},
"channel": "Microsoft-Windows-Kernel-PnP/Configuration",
"computer": "WIN-OQ6R0RVA4NF",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"DeviceInstanceId": "PCI\\VEN_8086&DEV_100F&SUBSYS_075015AD&REV_01\\4&bbf9765&0&0888"
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 440: Device settings for Last_Device_Instance_Id were migrated from previous OS installation.
Description
Device settings for Last_Device_Instance_Id were migrated from previous OS installation.
Fields
| Name | Description |
|---|---|
| DeviceInstanceId UnicodeString | |
| LastDeviceInstanceId UnicodeString | |
| ClassGuid GUID | |
| LocationPath UnicodeString | |
| MigrationRank HexInt64 | |
| Present Boolean | |
| Status HexInt32 | NTSTATUS reference |

Event ID 441: Device settings for Last_Device_Instance_Id could not be migrated from previous OS installation.
Description
Device settings for Last_Device_Instance_Id could not be migrated from previous OS installation.
Fields
| Name | Description |
|---|---|
| DeviceInstanceId UnicodeString | |
| LastDeviceInstanceId UnicodeString | |
| ClassGuid GUID | |
| LocationPath UnicodeString | |
| MigrationRank HexInt64 | |
| Present Boolean | |
| Status HexInt32 | NTSTATUS reference |

Event ID 442: Device settings for Last_Device_Instance_Id were not migrated from previous OS installation due to partial or ambiguous device match.
Description
Device settings for Last_Device_Instance_Id were not migrated from previous OS installation due to partial or ambiguous device match.
Fields
| Name | Description |
|---|---|
| DeviceInstanceId UnicodeString | |
| LastDeviceInstanceId UnicodeString | |
| ClassGuid GUID | |
| LocationPath UnicodeString | |
| MigrationRank HexInt64 | |
| Present Boolean | |
| Status HexInt32 | NTSTATUS reference |

Event ID 500: DevQuery_QueryProcessing
Fields
| Name | Description |
|---|---|
| QueryAddress Pointer | |
| ProcessId UInt32 | |
| ObjectType UnicodeString | |
| QueryType UnicodeString | |
| ObjectId UnicodeString | |
| QueryFlags UnicodeString | |
| PreferredLanguages UnicodeString | |
| RequestedProperties UnicodeString | |
| FilterExpression UnicodeString | |

Example Event
{
"system": {
"provider": "Microsoft-Windows-Kernel-PnP",
"guid": "{9C205A39-1250-487D-ABD7-E831C6290539}",
"event_source_name": "",
"event_id": 500,
"version": 0,
"level": 4,
"task": 500,
"opcode": 10,
"keywords": "0x0000000001200000",
"time_created": "2026-06-02T05:27:16.405+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{877F78A1-F053-0002-0E59-828753F0DC01}"
},
"execution": {
"process_id": 16540,
"thread_id": 23192
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"FilterExpression": "NULL",
"ObjectId": "NULL",
"ObjectType": "Device",
"PreferredLanguages": "NULL",
"ProcessId": 16540,
"QueryAddress": "0xFFFF878DC7348210",
"QueryFlags": "",
"QueryType": "Type",
"RequestedProperties": "NULL"
},
"message": "DevQuery_QueryProcessing"
}
Event ID 503: DevQuery_QueryProcessing
Fields
| Name | Description |
|---|---|
| QueryAddress Pointer | |

Example Event
{
"system": {
"provider": "Microsoft-Windows-Kernel-PnP",
"guid": "{9C205A39-1250-487D-ABD7-E831C6290539}",
"event_source_name": "",
"event_id": 503,
"version": 0,
"level": 4,
"task": 500,
"opcode": 11,
"keywords": "0x0000000001200000",
"time_created": "2026-06-02T05:27:16.407+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{877F78A1-F053-0002-0E59-828753F0DC01}"
},
"execution": {
"process_id": 16540,
"thread_id": 17996
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"QueryAddress": "0xFFFF878DC7348210"
},
"message": "DevQuery_QueryProcessing"
}
Event ID 600: A start type override of StartType was set for driver Driver in hardware configuration HardwareConfigurationId.

Event ID 700: CfgMgr_DeviceList
Fields
| Name | Description |
|---|---|
| Filter UnicodeString | |
| FilterBy UnicodeString | |
| OnlyPresent Boolean | |

Example Event
{
"system": {
"provider": "Microsoft-Windows-Kernel-PnP",
"guid": "{9C205A39-1250-487D-ABD7-E831C6290539}",
"event_source_name": "",
"event_id": 700,
"version": 0,
"level": 4,
"task": 700,
"opcode": 1,
"keywords": "0x0000000001400000",
"time_created": "2026-06-02T05:27:15.299+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 4028,
"thread_id": 17828
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"Filter": "{6bdd1fc5-810f-11d0-bec7-08002be2092f}",
"FilterBy": "Class",
"OnlyPresent": true
},
"message": "CfgMgr_DeviceList"
}
Event ID 701: CfgMgr_DeviceList
Fields
| Name | Description |
|---|---|
| Result HexInt32 | |

Example Event
{
"system": {
"provider": "Microsoft-Windows-Kernel-PnP",
"guid": "{9C205A39-1250-487D-ABD7-E831C6290539}",
"event_source_name": "",
"event_id": 701,
"version": 0,
"level": 4,
"task": 700,
"opcode": 2,
"keywords": "0x0000000001400000",
"time_created": "2026-06-02T05:27:15.299+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 4028,
"thread_id": 17828
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"Result": "00000000"
},
"message": "CfgMgr_DeviceList"
}
Event ID 702: CfgMgr_DeviceInterfaceList
Fields
| Name | Description |
|---|---|
| Class GUID | |
| Device UnicodeString | |
| OnlyPresent Boolean | |

Example Event
{
"system": {
"provider": "Microsoft-Windows-Kernel-PnP",
"guid": "{9C205A39-1250-487D-ABD7-E831C6290539}",
"event_source_name": "",
"event_id": 702,
"version": 0,
"level": 4,
"task": 702,
"opcode": 1,
"keywords": "0x0000000001400000",
"time_created": "2026-06-02T05:27:15.469+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 11204,
"thread_id": 17268
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"Class": "{53F5630D-B6BF-11D0-94F2-00A0C91EFB8B}",
"Device": "NULL",
"OnlyPresent": false
},
"message": "CfgMgr_DeviceInterfaceList"
}
Event ID 703: CfgMgr_DeviceInterfaceList
Fields
| Name | Description |
|---|---|
| Result HexInt32 | |

Example Event
{
"system": {
"provider": "Microsoft-Windows-Kernel-PnP",
"guid": "{9C205A39-1250-487D-ABD7-E831C6290539}",
"event_source_name": "",
"event_id": 703,
"version": 0,
"level": 4,
"task": 702,
"opcode": 2,
"keywords": "0x0000000001400000",
"time_created": "2026-06-02T05:27:15.469+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 11204,
"thread_id": 17268
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"Result": "00000000"
},
"message": "CfgMgr_DeviceInterfaceList"
}
Event ID 704: CfgMgr_QueryRemoveStart
Fields
| Name | Description |
|---|---|
| QueryRemoveType HexInt32 | |
| Device UnicodeString | |

Event ID 800: Begin processing new device (DeviceNode).

Event ID 801: Processing device DeviceInstancePath (DeviceNode).

Event ID 802: End processing new device (DeviceNode).

Event ID 803: Begin processing phase Phase of starting device Device.

Event ID 804: End processing phase Phase of starting device Device.

Event ID 805: Begin processing phase Phase of restarting device Device.

Event ID 806: End processing phase Phase of restarting device Device.

Event ID 807: Begin device add operation for driver DriverName, device DeviceInstancePath.
Description
Begin device add operation for driver DriverName, device DeviceInstancePath.
Fields
| Name | Description |
|---|---|
| ServiceType UInt32 | Known values |
| DriverNameLength UInt16 | |
| DriverName UnicodeString | |
| DeviceInstancePath UnicodeString | |

Event ID 808: End device add, status (Status).
Description
End device add, status (Status).
Fields
| Name | Description |
|---|---|
| Status UInt32 | NTSTATUS reference |

Event ID 809: Duplicate device instance reported by BusId and DeviceId.

Event ID 810: Reenumeration of device tree below Device has been queued.

Event ID 811: Begin reenumeration of device tree below Device.

Event ID 812: End reenumeration of device tree below Device.

Event ID 813: Reenumeration of Device has been queued.

Event ID 814: Begin reenumeration of Device.

Event ID 815: End reenumeration of Device.

Event ID 816: Configuration of device Device for configuration type RequestType has been queued.

Event ID 817: Begin configuration of device Device for configuration type RequestType.

Event ID 818: End configuration of device Device for configuration type RequestType.
Description
End configuration of device Device for configuration type RequestType. Result is Status.
Fields
| Name | Description |
|---|---|
| Device UnicodeString | |
| RequestType HexInt32 | |
| Status UInt32 | NTSTATUS reference |

Event ID 820: GenericDeviceActionStart
Fields
| Name | Description |
|---|---|
| Device UnicodeString | |
| RequestType HexInt32 | |

Event ID 821: GenericDeviceActionStop
Fields
| Name | Description |
|---|---|
| Device UnicodeString | |
| RequestType HexInt32 | |
| Status UInt32 | NTSTATUS reference |

Event ID 830: Removal of Device has been queued.

Event ID 831: Begin removal of Device.

Event ID 832: End removal of Device.

Event ID 840: Begin resetting device DeviceInstance.

Event ID 841: End resetting device DeviceInstance with status Status, veto type VetoType, veto name VetoName.
Description
End resetting device DeviceInstance with status Status, veto type VetoType, veto name VetoName.
Fields
| Name | Description |
|---|---|
| DeviceInstanceLength UInt16 | |
| DeviceInstance UnicodeString | |
| Status UInt32 | NTSTATUS reference |
| VetoType UInt32 | |
| VetoNameLength UInt16 | |
| VetoName UnicodeString | |

Event ID 850: Begin assigning resources to device tree below Device.

Event ID 851: End assigning resources to device tree below Device.

Event ID 852: Begin rebalancing resources for device DeviceInstance.

Event ID 853: End rebalancing resources for device DeviceInstance.
Description
End rebalancing resources for device DeviceInstance.
Fields
| Name | Description |
|---|---|
| DeviceInstanceLength UInt16 | |
| DeviceInstance UnicodeString | |
| Status UInt32 | NTSTATUS reference |

Event ID 860: Updated problem code on device DeviceInstanceId.

Event ID 900: A long running thread for the device event queue was detected.
Description
A long running thread for the device event queue was detected. The thread has been running for ThreadId milliseconds.
Fields
| Name | Description |
|---|---|
| ThreadId HexInt64 | |
| DeviceInstanceId UnicodeString | |
| ServiceName UnicodeString | |
| ElapsedTimeMs UInt64 | |
| EventCategory UInt32 | |
| EventGuid GUID | |
| EventArgument HexInt32 | |
| EventArgumentStatus HexInt32 | |
| CategorySpecificData_Guid GUID | |
| CategorySpecificData_String UnicodeString | |

Example Event
{
"system": {
"provider": "Microsoft-Windows-Kernel-PnP",
"guid": "{9C205A39-1250-487D-ABD7-E831C6290539}",
"event_source_name": "",
"event_id": 900,
"version": 1,
"level": 3,
"task": 900,
"opcode": 1,
"keywords": 144115188075855872,
"time_created": "2026-05-30T02:07:59.6698259+00:00",
"event_record_id": 3,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 424
},
"channel": "Microsoft-Windows-Kernel-PnP/Driver Watchdog",
"computer": "WIN11-25H2-X64",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"ThreadId": "0x108",
"DeviceInstanceId": "",
"ServiceName": "",
"ElapsedTimeMs": "3003",
"EventCategory": "2",
"EventGuid": "{cb3a4004-46f0-11d0-b08f-00609713053f}",
"EventArgument": "0x0",
"EventArgumentStatus": "0x0",
"CategorySpecificData_Guid": "{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}",
"CategorySpecificData_String": "\\??\\STORAGE#Volume#{4769a76b-3ac5-11f1-a6b7-806e6f6e6963}#0000000021100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
},
"message": "A long running thread for the device event queue was detected. The thread has been running for 3003 milliseconds.\r\nThread ID: 0x108\r\nDevice: \r\nService: \r\nEvent Category: 2\r\nEvent GUID: {cb3a4004-46f0-11d0-b08f-00609713053f}\r\nEvent Argument: 0x0\r\nArgument Status: 0x0\r\nCategory Specific Data:\r\n{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\r\n\\??\\STORAGE#Volume#{4769a76b-3ac5-11f1-a6b7-806e6f6e6963}#0000000021100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
}

Event ID 901: A long running thread for the device event queue has been completed.
Description
A long running thread for the device event queue has been completed.
Fields
| Name | Description |
|---|---|
| ThreadId HexInt64 | |
| DeviceInstanceId UnicodeString | |
| ServiceName UnicodeString | |
| ElapsedTimeMs UInt64 | |
| EventCategory UInt32 | |
| EventGuid GUID | |
| EventArgument HexInt32 | |
| EventArgumentStatus HexInt32 | |
| CategorySpecificData_Guid GUID | |
| CategorySpecificData_String UnicodeString | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Kernel-PnP",
"guid": "{9C205A39-1250-487D-ABD7-E831C6290539}",
"event_source_name": "",
"event_id": 901,
"version": 1,
"level": 4,
"task": 900,
"opcode": 2,
"keywords": 144115188075855872,
"time_created": "2026-05-30T02:07:59.7719600+00:00",
"event_record_id": 4,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 264
},
"channel": "Microsoft-Windows-Kernel-PnP/Driver Watchdog",
"computer": "WIN11-25H2-X64",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"ThreadId": "0x108",
"DeviceInstanceId": "",
"ServiceName": "",
"ElapsedTimeMs": "3105",
"EventCategory": "2",
"EventGuid": "{cb3a4004-46f0-11d0-b08f-00609713053f}",
"EventArgument": "0x0",
"EventArgumentStatus": "0x0",
"CategorySpecificData_Guid": "{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}",
"CategorySpecificData_String": "\\??\\STORAGE#Volume#{4769a76b-3ac5-11f1-a6b7-806e6f6e6963}#0000000021100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
},
"message": "A long running thread for the device event queue has been completed.\r\nThread ID: 0x108\r\nDevice: \r\nService: \r\nEvent Category: 2\r\nEvent GUID: {cb3a4004-46f0-11d0-b08f-00609713053f}\r\nEvent Argument: 0x0\r\nArgument Status: 0x0\r\nCategory Specific Data:\r\n{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\r\n\\??\\STORAGE#Volume#{4769a76b-3ac5-11f1-a6b7-806e6f6e6963}#0000000021100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\r\n\r\nTotal run time in milliseconds: 3105"
}

Event ID 902: A long running thread for device start processing was detected.
Description
A long running thread for device start processing was detected. The thread has been running for ElapsedTimeMs milliseconds.
Fields
| Name | Description |
|---|---|
| ThreadId HexInt64 | |
| DeviceInstanceId UnicodeString | |
| ServiceName UnicodeString | |
| ElapsedTimeMs UInt64 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Kernel-PnP",
"event_id": 902,
"level": 3,
"task": 900,
"opcode": 1,
"time_created": "2026-04-18T00:24:03.8885756+00:00",
"computer": "USERUSE-I0E7KUG",
"channel": "Microsoft-Windows-Kernel-PnP"
},
"event_data": {
"ThreadId": "0x8",
"DeviceInstanceId": "PCIIDE\\IDEChannel\\4&403bef5&0&1",
"ElapsedTimeMs": "3001",
"ServiceName": "atapi"
}
}

Event ID 903: A long running thread for device start processing has been completed.
Description
A long running thread for device start processing has been completed.
Fields
| Name | Description |
|---|---|
| ThreadId HexInt64 | |
| DeviceInstanceId UnicodeString | |
| ServiceName UnicodeString | |
| ElapsedTimeMs UInt64 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Kernel-PnP",
"event_id": 903,
"level": 4,
"task": 900,
"opcode": 2,
"time_created": "2026-04-18T00:24:03.8892545+00:00",
"computer": "USERUSE-I0E7KUG",
"channel": "Microsoft-Windows-Kernel-PnP"
},
"event_data": {
"ThreadId": "0x8",
"DeviceInstanceId": "PCIIDE\\IDEChannel\\4&403bef5&0&1",
"ElapsedTimeMs": "3001",
"ServiceName": "atapi"
}
}

Event ID 904: A long running thread for device removal was detected.

Event ID 905: A long running thread for device removal has been completed.

Event ID 906: A long running thread for device add routine was detected.

Event ID 907: A long running thread for device add routine has been completed.

Event ID 908: A long running thread for driver entry was detected.
Description
A long running thread for driver entry was detected. The thread has been running for ElapsedTimeMs milliseconds.
Fields
| Name | Description |
|---|---|
| ThreadId HexInt64 | |
| DeviceInstanceId UnicodeString | |
| DriverName UnicodeString | Driver. |
| ElapsedTimeMs UInt64 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Kernel-PnP",
"guid": "9C205A39-1250-487D-ABD7-E831C6290539",
"event_source_name": "",
"event_id": 908,
"version": 0,
"level": 3,
"task": 900,
"opcode": 1,
"keywords": 144115188075855872,
"time_created": "2023-11-06T00:25:57.930157+00:00",
"event_record_id": 1,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 2352
},
"channel": "Microsoft-Windows-Kernel-PnP/Driver Watchdog",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"ThreadId": "0x2ba4",
"DeviceInstanceId": "",
"DriverName": "avgSP",
"ElapsedTimeMs": 10005
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 909: A long running thread for driver entry routine has been completed.
Description
A long running thread for driver entry routine has been completed.
Fields
| Name | Description |
|---|---|
| ThreadId HexInt64 | |
| DeviceInstanceId UnicodeString | |
| DriverName UnicodeString | Driver. |
| ElapsedTimeMs UInt64 | Total run time in milliseconds. |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Kernel-PnP",
"guid": "9C205A39-1250-487D-ABD7-E831C6290539",
"event_source_name": "",
"event_id": 909,
"version": 0,
"level": 4,
"task": 900,
"opcode": 2,
"keywords": 144115188075855872,
"time_created": "2023-11-06T00:26:29.468233+00:00",
"event_record_id": 2,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 11172
},
"channel": "Microsoft-Windows-Kernel-PnP/Driver Watchdog",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"ThreadId": "0x2ba4",
"DeviceInstanceId": "",
"DriverName": "avgSP",
"ElapsedTimeMs": 41546
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 930: Timed out waiting for response from user mode clients to synchronous notification EventGuid.

Event ID 931: Responses from user mode clients to synchronous notification EventGuid took TimeMs milliseconds.

Event ID 932: Synchronous notification EventGuid to process ProcessId (ProcessImageName) was removed after ElapsedTimeMs milliseconds.
Description
Synchronous notification EventGuid to process ProcessId (ProcessImageName) was removed after ElapsedTimeMs milliseconds.
Fields
| Name | Description |
|---|---|
| FilterType UInt32 | |
| ProcessId UInt32 | |
| ProcessImageName UnicodeString | |
| QueueDepth UInt32 | |
| DropCount UInt32 | |
| RegistrationTeardown Boolean | |
| EventGuid GUID | |
| EventCategory UInt32 | |
| DeviceInstanceId UnicodeString | |
| CategorySpecificData_Guid GUID | |
| CategorySpecificData_String UnicodeString | |
| Synchronous Boolean | |
| NotificationReceivedByClient Boolean | |
| ElapsedTimeMs UInt64 | |

Event ID 933: Notification EventGuid to driver DriverName took ElapsedTimeMs milliseconds.
Description
Notification EventGuid to driver DriverName took ElapsedTimeMs milliseconds.
Fields
| Name | Description |
|---|---|
| EventCategory UInt32 | |
| DriverNameLength UInt16 | |
| DriverName UnicodeString | |
| EventGuid GUID | |
| ElapsedTimeMs UInt64 | |
| NotificationSpecific_Guid GUID | |
| UnicodeStringLength UInt16 | |
| NotificationSpecific_UnicodeString UnicodeString | |

Event ID 1000: Device DeviceInstanceId could not be query removed as the removal was vetoed.
Description
Device DeviceInstanceId could not be query removed as the removal was vetoed.
Fields
| Name | Description |
|---|---|
| DeviceInstanceId UnicodeString | |
| VetoType UInt32 | |
| VetoName UnicodeString | Vetoed By. |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Kernel-PnP",
"guid": "9C205A39-1250-487D-ABD7-E831C6290539",
"event_source_name": "",
"event_id": 1000,
"version": 0,
"level": 3,
"task": 0,
"opcode": 0,
"keywords": 72057594037927936,
"time_created": "2023-10-25T22:50:39.854895+00:00",
"event_record_id": 10,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 384
},
"channel": "Microsoft-Windows-Kernel-PnP/Device Management",
"computer": "WinDevEval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"DeviceInstanceId": "ACPI\\PNP0303\\4&1bd7f811&0",
"VetoType": 6,
"VetoName": "ACPI\\PNP0303\\4&1bd7f811&0\\Driver\\i8042prt"
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 1010: Device DeviceInstanceId has been surprise removed as it is reported as missing on the bus.
Description
Device DeviceInstanceId has been surprise removed as it is reported as missing on the bus.
Fields
| Name | Description |
|---|---|
| DeviceInstanceId UnicodeString | |
| DeviceCount UInt32 | Count of devices removed. |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Kernel-PnP",
"guid": "{9C205A39-1250-487D-ABD7-E831C6290539}",
"event_source_name": "",
"event_id": 1010,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 72057594037927936,
"time_created": "2026-06-13T05:22:34.5416180+00:00",
"event_record_id": 5,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 8144
},
"channel": "Microsoft-Windows-Kernel-PnP/Device Management",
"computer": "telemetry-DC-c.cell-c.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"DeviceInstanceId": "UMB\\UMB\\1&841921d&0&TERMINPUT_BUS",
"DeviceCount": "1"
},
"message": "Device UMB\\UMB\\1&841921d&0&TERMINPUT_BUS has been surprise removed as it is reported as missing on the bus.\r\nCount of devices removed: 1"
}

Event ID 1011: Device DeviceInstanceId has been surprise removed as it was reported to be failing.
Description
Device DeviceInstanceId has been surprise removed as it was reported to be failing.
Fields
| Name | Description |
|---|---|
| DeviceInstanceId UnicodeString | |
| DeviceCount UInt32 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Kernel-PnP",
"guid": "{9C205A39-1250-487D-ABD7-E831C6290539}",
"event_source_name": "",
"event_id": 1011,
"version": 0,
"level": 3,
"task": 0,
"opcode": 0,
"keywords": 72057594037927936,
"time_created": "2026-04-15T21:23:59.3712212+00:00",
"event_record_id": 696,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 6568
},
"channel": "Microsoft-Windows-Kernel-PnP/Device Management",
"computer": "JD-WIN11-22H2-1.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"DeviceInstanceId": "SWD\\RemoteDisplayEnum\\RdpIdd_IndirectDisplay&SessionId_0001",
"DeviceCount": "2"
},
"message": "Device SWD\\RemoteDisplayEnum\\RdpIdd_IndirectDisplay&SessionId_0001 has been surprise removed as it was reported to be failing.\r\nCount of devices removed: 2"
}

Event ID 1020: A resource rebalance operation has succeeded.
Description
A resource rebalance operation has succeeded.
Fields
| Name | Description |
|---|---|
| DeviceInstanceId UnicodeString | |
| ServiceName UnicodeString | |
| DeviceCount UInt32 | |
| Phase UInt32 | |
| SubtreeRootInstanceId UnicodeString | |
| SubtreeIncludesRoot Boolean | |
| RebalanceDueToDynamicPartitioning Boolean | |
| RebalanceReason UInt32 | |
| ConflictResourceType UInt8 | |
| DurationInMs UInt64 | |
| ResetDeviceWhileStopped Boolean | |

Event ID 1021: A resource rebalance operation has failed.
Description
A resource rebalance operation has failed.
Fields
| Name | Description |
|---|---|
| DeviceInstanceId UnicodeString | |
| ServiceName UnicodeString | |
| DeviceCount UInt32 | |
| Phase UInt32 | |
| SubtreeRootInstanceId UnicodeString | |
| SubtreeIncludesRoot Boolean | |
| RebalanceDueToDynamicPartitioning Boolean | |
| RebalanceReason UInt32 | |
| ConflictResourceType UInt8 | |
| RebalanceFailure UInt32 | |
| VetoReason UInt32 | |
| VetoNodeInstanceId UnicodeString | |
| DurationInMs UInt64 | |
| ResetDeviceWhileStopped Boolean | |

Event ID 1030: Device Device has been assigned to a guest partition.

Event ID 1031: Device Device is no longer assigned to a guest partition.

Event ID 1040: Device Flags has requested a platform-level device reset.

Event ID 1041: Device Veto_type has completed a platform-level device reset.
Description
Device Veto_type has completed a platform-level device reset.
Fields
| Name | Description |
|---|---|
| DeviceInstanceLength UInt16 | |
| DeviceInstance UnicodeString | |
| Status UInt32 | NTSTATUS reference |
| VetoType UInt32 | |
| VetoNameLength UInt16 | |
| VetoName UnicodeString | |

Event ID 1050: Failed to create driver package defined child device of Child_Instance_ID.
Description
Failed to create driver package defined child device of Child_Instance_ID.
Fields
| Name | Description |
|---|---|
| ParentDeviceInstancePath UnicodeString | |
| InstanceId UnicodeString | |
| Status HexInt32 | NTSTATUS reference |

Event ID 1060: Failed to create computer device derived from firmware information.
Description
Failed to create computer device derived from firmware information. Status: Status.
Fields
| Name | Description |
|---|---|
| Status HexInt32 | NTSTATUS reference |

Event ID 1065: Device DeviceInstanceId with problem code ProblemCode and problem status ProblemStatus requires the system to be rebooted.

Event ID 1070: Failed to open DeviceStackLocation driver service ServiceName for device DeviceInstance.
Description
Failed to open DeviceStackLocation driver service ServiceName for device DeviceInstance. Status: Status.
Fields
| Name | Description |
|---|---|
| DeviceInstance UnicodeString | |
| ServiceName UnicodeString | |
| DeviceStackLocation UnicodeString | |
| Status HexInt32 | NTSTATUS reference |

Event ID 1080: The driver FailureName failed to unload.
Description
The driver FailureName failed to unload.
Fields
| Name | Description |
|---|---|
| DriverNameLength UInt16 | |
| DriverName UnicodeString | |
| Status UInt32 | NTSTATUS reference |
| FailureNameLength UInt16 | |
| FailureName UnicodeString | |
| Version UInt32 | |

Event ID 1100: SwDevice_IrpCreateStart
References
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=1100

Event ID 1101: SwDevice_IrpCreateStop
Fields
| Name | Description |
|---|---|
| Status HexInt32 | NTSTATUS reference |
References
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=1101

Event ID 1102: SwDevice_KernelCreateStart
Fields
| Name | Description |
|---|---|
| EnumeratorName UnicodeString | |
| InstanceId UnicodeString | |
| ParentDeviceInstanceId UnicodeString | |
References
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=1102

Event ID 1103: SwDevice_KernelCreateStop
Fields
| Name | Description |
|---|---|
| EnumeratorName UnicodeString | |
| InstanceId UnicodeString | |
| ParentDeviceInstanceId UnicodeString | |
| Status HexInt32 | NTSTATUS reference |

Event ID 1104: task_01104
Fields
| Name | Description |
|---|---|
| EnumeratorName UnicodeString | |
| InstanceId UnicodeString | |
| ParentDeviceInstanceId UnicodeString | |
| CapabilityFlags HexInt32 | |
| DeviceDescription UnicodeString | |
| DeviceLocation UnicodeString | |
| NumProperties UInt32 | |
References
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=1104

Event ID 1105: task_01105
Fields
| Name | Description |
|---|---|
| DeviceId UnicodeString | |
| InstanceId UnicodeString | |
References
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=1105

Event ID 1107: task_01107
Fields
| Name | Description |
|---|---|
| DeviceId UnicodeString | |
| InstanceId UnicodeString | |
| RemovedFromBus Boolean | |
| HasPrimaryDeviceObject Boolean | |

Event ID 1108: SwDevice_InstanceTable_Add
Fields
| Name | Description |
|---|---|
| DeviceId UnicodeString | |
| InstanceId UnicodeString | |
| AlreadyExists Boolean | |
References
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=1108

Event ID 1109: SwDevice_InstanceTable_Remove
Fields
| Name | Description |
|---|---|
| DeviceId UnicodeString | |
| InstanceId UnicodeString | |

Event ID 1110: SwDevice_DeviceEnumeratedStart
Fields
| Name | Description |
|---|---|
| DeviceId UnicodeString | |
| InstanceId UnicodeString | |
| DeviceInstancePath UnicodeString | |

Event ID 1111: SwDevice_DeviceEnumeratedStop
Fields
| Name | Description |
|---|---|
| DeviceId UnicodeString | |
| InstanceId UnicodeString | |
| Status HexInt32 | NTSTATUS reference |

Event ID 1120: SwDevice_RelationAddStart

Event ID 1121: SwDevice_RelationAddStop
Fields
| Name | Description |
|---|---|
| DeviceId UnicodeString | |
| InstanceId UnicodeString | |
| ParentDeviceInstanceId UnicodeString | |
| Status HexInt32 | NTSTATUS reference |

Event ID 1122: SwDevice_RelationRemove
Fields
| Name | Description |
|---|---|
| DeviceId UnicodeString | |
| InstanceId UnicodeString | |
| ParentDeviceInstanceId UnicodeString | |

Event ID 1130: SwDevice_LifetimeChangeStart
Fields
| Name | Description |
|---|---|
| DeviceId UnicodeString | |
| InstanceId UnicodeString | |

Event ID 1131: SwDevice_LifetimeChangeStop
Fields
| Name | Description |
|---|---|
| DeviceId UnicodeString | |
| InstanceId UnicodeString | |
| Status HexInt32 | NTSTATUS reference |

Event ID 1132: SwDevice_LifetimeChange
Fields
| Name | Description |
|---|---|
| DeviceId UnicodeString | |
| InstanceId UnicodeString | |
| OldLifetime UInt32 | |
| NewLifetime UInt32 | |

Event ID 1140: SwDevice_RegisterInterfaceStart
Fields
| Name | Description |
|---|---|
| DeviceId UnicodeString | |
| InstanceId UnicodeString | |

Event ID 1141: SwDevice_RegisterInterfaceStop
Fields
| Name | Description |
|---|---|
| DeviceId UnicodeString | |
| InstanceId UnicodeString | |
| Status HexInt32 | NTSTATUS reference |

Event ID 1142: SwDevice_RegisterInterface
Fields
| Name | Description |
|---|---|
| DeviceId UnicodeString | |
| InstanceId UnicodeString | |
| SymbolicLink UnicodeString | |

Event ID 1143: SwDevice_SetInterfaceState
Fields
| Name | Description |
|---|---|
| DeviceId UnicodeString | |
| InstanceId UnicodeString | |
| SymbolicLink UnicodeString | |
| Enable Boolean | |

Event ID 1144: SwDevice_SetInterfaceStateStart
Fields
| Name | Description |
|---|---|
| DeviceId UnicodeString | |
| InstanceId UnicodeString | |

Event ID 1145: SwDevice_SetInterfaceStateStop
Fields
| Name | Description |
|---|---|
| DeviceId UnicodeString | |
| InstanceId UnicodeString | |
| Status HexInt32 | NTSTATUS reference |

Event ID 1150: SwDevice_SetDevicePropertyStart
Fields
| Name | Description |
|---|---|
| DeviceId UnicodeString | |
| InstanceId UnicodeString | |

Event ID 1151: SwDevice_SetDevicePropertyStop
Fields
| Name | Description |
|---|---|
| DeviceId UnicodeString | |
| InstanceId UnicodeString | |
| Status HexInt32 | NTSTATUS reference |

Event ID 1160: SwDevice_SetInterfacePropertyStart
Fields
| Name | Description |
|---|---|
| DeviceId UnicodeString | |
| InstanceId UnicodeString | |

Event ID 1161: SwDevice_SetInterfacePropertyStop
Fields
| Name | Description |
|---|---|
| DeviceId UnicodeString | |
| InstanceId UnicodeString | |
| Status HexInt32 | NTSTATUS reference |

Event ID 1170: SwDevice_IrpCloseStart
Fields
| Name | Description |
|---|---|
| DeviceId UnicodeString | |
| InstanceId UnicodeString | |

Event ID 1171: SwDevice_IrpCloseStop
Fields
| Name | Description |
|---|---|
| DeviceId UnicodeString | |
| InstanceId UnicodeString | |
| DeviceClosed Boolean | |

Event ID 1172: SwDevice_KernelCloseStart
Fields
| Name | Description |
|---|---|
| ParentDeviceInstanceId UnicodeString | |
| EnumeratorName UnicodeString | |
| InstanceId UnicodeString | |

Event ID 1173: SwDevice_KernelCloseStop
Fields
| Name | Description |
|---|---|
| ParentDeviceInstanceId UnicodeString | |
| EnumeratorName UnicodeString | |
| InstanceId UnicodeString | |
| Status HexInt32 | NTSTATUS reference |

Event ID 1174: SwDevice_CloseDescendants
Fields
| Name | Description |
|---|---|
| ParentDeviceInstanceId UnicodeString | |

Event ID 1175: SwDevice_CloseDevice
Fields
| Name | Description |
|---|---|
| DeviceId UnicodeString | |
| InstanceId UnicodeString | |

Event ID 1176: SwDevice_ProcessRemove
Fields
| Name | Description |
|---|---|
| DeviceId UnicodeString | |
| InstanceId UnicodeString | |
| DeviceInstanceId UnicodeString | |
| KeepActive Boolean | |
| SwDeviceFlags HexInt32 | |
| DeviceExtensionFlags HexInt32 | |

Event ID 1177: SwDevice_ProcessParentRemove
Fields
| Name | Description |
|---|---|
| DeviceId UnicodeString | |
| InstanceId UnicodeString | |
| DeviceInstanceId UnicodeString | |
| ParentDeviceInstanceId UnicodeString | |
| SwDeviceFlags HexInt32 | |
| DeviceExtensionFlags HexInt32 | |

Event ID 1178: SwDevice_UninstallDevice
Fields
| Name | Description |
|---|---|
| DeviceId UnicodeString | |
| InstanceId UnicodeString | |
| DeviceInstanceId UnicodeString | |
| Status HexInt32 | NTSTATUS reference |

Event ID 1190: SwDevice_GetChildPdoStart
Fields
| Name | Description |
|---|---|
| DeviceId UnicodeString | |
| InstanceId UnicodeString | |
| ParentDeviceInstanceId UnicodeString | |
| SwDeviceFlags HexInt32 | |

Event ID 1191: SwDevice_GetChildPdoStop
Fields
| Name | Description |
|---|---|
| DeviceId UnicodeString | |
| InstanceId UnicodeString | |
| PdoReported Boolean | |
| NewPdo Boolean | |

Event ID 1192: SwDevice_GetChildPdo
Fields
| Name | Description |
|---|---|
| DeviceId UnicodeString | |
| InstanceId UnicodeString | |
| SkipCount UInt32 | |

Event ID 1200: SwDevice_AttributesChangeStart
Fields
| Name | Description |
|---|---|
| DeviceId UnicodeString | |
| InstanceId UnicodeString | |

Event ID 1201: SwDevice_AttributesChangeStop
Fields
| Name | Description |
|---|---|
| DeviceId UnicodeString | |
| InstanceId UnicodeString | |
| Status HexInt32 | NTSTATUS reference |

Event ID 1202: SwDevice_AttributesChange
Fields
| Name | Description |
|---|---|
| DeviceId UnicodeString | |
| InstanceId UnicodeString | |
| OldAttributes UInt32 | |
| NewAttributes UInt32 | |

Event ID 1300: task_01300
Fields
| Name | Description |
|---|---|
| FilterType UInt32 | |
| ProcessId UInt32 | |
| ProcessImageName UnicodeString | |
| QueueDepth UInt32 | |
| DropCount UInt32 | |
| EventGuid GUID | |
| EventCategory UInt32 | |
| DeviceInstanceId UnicodeString | |
| CategorySpecificData_Guid GUID | |
| CategorySpecificData_String UnicodeString | |
| Synchronous Boolean | |
| ElapsedTimeMs UInt64 | |

Event ID 1301: task_01301
Fields
| Name | Description |
|---|---|
| FilterType UInt32 | |
| ProcessId UInt32 | |
| ProcessImageName UnicodeString | |
| QueueDepth UInt32 | |
| DropCount UInt32 | |
| EventGuid GUID | |
| EventCategory UInt32 | |
| DeviceInstanceId UnicodeString | |
| CategorySpecificData_Guid GUID | |
| CategorySpecificData_String UnicodeString | |
| Synchronous Boolean | |
| ElapsedTimeMs UInt64 | |

Event ID 1302: task_01302
Fields
| Name | Description |
|---|---|
| FilterType UInt32 | |
| ProcessId UInt32 | |
| ProcessImageName UnicodeString | |
| QueueDepth UInt32 | |
| DropCount UInt32 | |
| EventGuid GUID | |
| EventCategory UInt32 | |
| DeviceInstanceId UnicodeString | |
| CategorySpecificData_Guid GUID | |
| CategorySpecificData_String UnicodeString | |
| Synchronous Boolean | |
| Status HexInt32 | NTSTATUS reference |

Event ID 1303: task_01303
Fields
| Name | Description |
|---|---|
| FilterType UInt32 | |
| ProcessId UInt32 | |
| ProcessImageName UnicodeString | |
| QueueDepth UInt32 | |
| DropCount UInt32 | |
| EventGuid GUID | |
| EventCategory UInt32 | |
| DeviceInstanceId UnicodeString | |
| CategorySpecificData_Guid GUID | |
| CategorySpecificData_String UnicodeString | |
| Synchronous Boolean | |
| Status HexInt32 | NTSTATUS reference |

Event ID 1304: task_01304
Fields
| Name | Description |
|---|---|
| FilterType UInt32 | |
| ProcessId UInt32 | |
| ProcessImageName UnicodeString | |
| QueueDepth UInt32 | |
| DropCount UInt32 | |
| RegistrationTeardown Boolean | |
| EventGuid GUID | |
| EventCategory UInt32 | |
| DeviceInstanceId UnicodeString | |
| CategorySpecificData_Guid GUID | |
| CategorySpecificData_String UnicodeString | |
| Synchronous Boolean | |
| NotificationReceivedByClient Boolean | |
| ElapsedTimeMs UInt64 | |

Event ID 1400: Begin serializing boot with PnP device enumeration
Description
Begin serializing boot with PnP device enumeration.

Event ID 1401: End serializing boot with PnP device enumeration
Description
End serializing boot with PnP device enumeration.
Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID {9C205A39-1250-487D-ABD7-E831C6290539}
Defined in microsoft-windows-kernel-pnp-events.dll, which carries the event manifest.
Observed on:
- WS2022-20348.4893, sample captured from a live trace, binary version 10.0.20348.1, captured 2026-06-02
- WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.1, captured 2026-06-02
- Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.1, captured 2026-06-02