Microsoft-Windows-Kernel-Power
353 events across 5 channels
Event ID 2: PowerTransitionStop
Fields
| Name | Type | Description |
|---|---|---|
| Status | UInt32 | NTSTATUS reference |
| Time | FILETIME | |
| WakeSourceTypeLength | UInt16 | |
| WakeSourceSubTypeLength | UInt16 | |
| WakeSourceLength | UInt16 | |
| WakeSourceContextLength | UInt16 | |
| WakeSourceType | UnicodeString | |
| WakeSourceSubType | UnicodeString | |
| WakeSource | UnicodeString | |
| WakeSourceContext | UnicodeString | |

Event ID 3: QueryAppsPhaseStart
Event ID 4: QueryAppsPhaseStop
Fields
| Name | Type | Description |
|---|---|---|
| Status | UInt32 | NTSTATUS reference |

Event ID 5: QueryServicesPhaseStart
Event ID 6: QueryServicesPhaseStop
Fields
| Name | Type | Description |
|---|---|---|
| Status | UInt32 | NTSTATUS reference |

Event ID 7: IrpStart_V1
Fields
| Name | Type | Description |
|---|---|---|
| Irp | Pointer | |
| PowerStateType | UInt32 | |
| MinorFunction | UInt8 | |
| TargetDevice | Pointer | |
| InstanceNameLength | UInt16 | |
| InstanceName | UnicodeString | |
| PowerState | UInt8 | |

Event ID 8: IrpStop
Fields
| Name | Type | Description |
|---|---|---|
| Irp | Pointer | |
| Status | UInt32 | NTSTATUS reference |
| FailedDriver | UnicodeString | |

Event ID 9: The application AppName stopped the power transition.
Event ID 10: The service ServiceName stopped the power transition.
Event ID 22: SuspendAppsPhaseStart
Event ID 23: SuspendAppsPhaseStop
Event ID 24: SuspendServicesPhaseStart
Event ID 25: SuspendServicesPhaseStop
Event ID 26: ResumeAppsPhaseStart
Event ID 27: ResumeServicesPhaseStart
Event ID 30: QueryFailedApps
Event ID 31: QueryFailedServices
Event ID 34: Hibernate
Fields
| Name | Type | Description |
|---|---|---|
| Status | UInt32 | NTSTATUS reference |

Event ID 35: SuspendDevicesPhaseStart
Fields
| Name | Type | Description |
|---|---|---|
| Query | Boolean | |
| TargetState | UInt32 | |
| EffectiveState | UInt32 | |

Event ID 36: SuspendDevicesPhaseStop
Event ID 37: WakeDevicesPhaseStart
Event ID 38: WakeDevicesPhaseStop
Event ID 39: PowerTransition_V1
Fields
| Name | Type | Description |
|---|---|---|
| SleepTime | UInt32 | |
| ResumeTime | UInt32 | |
| DriverWakeTime | UInt32 | |
| HiberWriteTime | UInt32 | |
| HiberReadTime | UInt32 | |
| HiberPagesWritten | UInt32 | |
| BiosInitTime | UInt32 | |
| CheckpointTime | UInt32 | |

Event ID 40: The driver DriverName for device InstanceName stopped the power transition.
Event ID 41: The last sleep transition was unsuccessful.
Description
The last sleep transition was unsuccessful. This error could be caused if the system stopped responding, failed, or lost power during the sleep transition.
Message
Fields
| Name | Type | Description |
|---|---|---|
| BugcheckCode | UInt32 | |
| BugcheckParameter1 | Pointer | |
| BugcheckParameter2 | Pointer | |
| BugcheckParameter3 | Pointer | |
| BugcheckParameter4 | Pointer | |
| SleepInProgress | UInt32 | |
| PowerButtonTimestamp | UInt64 | |
| BootAppStatus | UInt32 | |
| Checkpoint | UInt8 | |
| ConnectedStandbyInProgress | Boolean | |
| SystemSleepTransitionsToOn | UInt32 | |
| CsEntryScenarioInstanceId | UInt8 | |
| BugcheckInfoFromEFI | Boolean | |
| CheckpointStatus | UInt8 | |
| CsEntryScenarioInstanceIdV2 | UInt64 | |
| LongPowerButtonPressDetected | Boolean | |
| LidReliability | Boolean | |
| InputSuppressionState | UInt8 | |
| PowerButtonSuppressionState | UInt8 | |
| LidState | UInt8 | |
| WHEABootErrorCount | UInt32 | |

Example Event
{
"system": {
"provider": "Microsoft-Windows-Kernel-Power",
"guid": "{331C3B3A-2005-44C2-AC5E-77220C37D6B4}",
"event_source_name": "",
"event_id": 41,
"version": 8,
"level": 1,
"task": 63,
"opcode": 0,
"keywords": -9223301668110598142,
"time_created": "2026-05-29T16:32:46.0446910+00:00",
"event_record_id": 6681,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 8
},
"channel": "System",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"BugcheckCode": "0",
"BugcheckParameter1": "0x0",
"BugcheckParameter2": "0x0",
"BugcheckParameter3": "0x0",
"BugcheckParameter4": "0x0",
"SleepInProgress": "0",
"PowerButtonTimestamp": "0",
"BootAppStatus": "0",
"Checkpoint": "0",
"ConnectedStandbyInProgress": "false",
"SystemSleepTransitionsToOn": "0",
"CsEntryScenarioInstanceId": "0",
"BugcheckInfoFromEFI": "false",
"CheckpointStatus": "0",
"CsEntryScenarioInstanceIdV2": "0",
"LongPowerButtonPressDetected": "false"
},
"message": "The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly."
}
Event ID 42: The system is entering sleep.
Description
The system is entering sleep.
Message
Fields
| Name | Type | Description |
|---|---|---|
| TargetState | UInt32 | |
| EffectiveState | UInt32 | |
| Reason | UInt32 | |
| Flags | UInt32 | |
| TransitionsToOn | | |

Example Event
{
"system": {
"provider": "Microsoft-Windows-Kernel-Power",
"guid": "331C3B3A-2005-44C2-AC5E-77220C37D6B4",
"event_source_name": "",
"event_id": 42,
"version": 2,
"level": 4,
"task": 64,
"opcode": 0,
"keywords": 9223372036854775812,
"time_created": "2016-08-18T16:22:13.389648Z",
"event_record_id": 5523,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 60
},
"channel": "System",
"computer": "IE10Win7",
"security": {
"user_id": ""
}
},
"event_data": {
"TargetState": 2,
"EffectiveState": 2,
"Reason": 7,
"Flags": 0
}
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 43: ZeroHiberFileStart
Event ID 44: ZeroHiberFileStop
Event ID 45: FlushVolumesStart
Event ID 46: FlushVolumesStop
Event ID 47: GracefulShutdownStart
Event ID 48: GracefulShutdownStop
Event ID 49: ZeroPageFileStart
Event ID 50: ZeroPageFileStop
Event ID 51: IoShutdownSystemStart
Event ID 52: IoShutdownSystemStop
Event ID 53: WaitForProcessesStart
Event ID 54: WaitForProcessesStop
Event ID 55: CmShutdownSystemStart
Event ID 56: CmShutdownSystemStop
Event ID 57: ShowUIPhaseStart
Event ID 58: ShowUIPhaseStop
Event ID 59: The system is entering Away Mode.
Description
The system is entering Away Mode.
Message
Event ID 62: The application or service AppName has overridden user power management settings with a code of ExecutionState.
Event ID 63: The application or service AppNameLength is attempting to update the system timer resolution to a value of RequestedResolution.
Event ID 64: SuperfetchPhaseStart
Event ID 65: SuperfetchPhaseStop
Event ID 66: WinlogonPhaseStart
Event ID 67: WinlogonPhaseStop
Event ID 68: PreSleepCallbacksPhaseStart
Event ID 69: PreSleepCallbacksPhaseStop
Event ID 70: HideUIPhaseStart
Event ID 71: HideUIPhaseStop
Event ID 72: IdleCheck
Fields
| Name | Type | Description |
|---|---|---|
| Threshold | UInt32 | |
| LowestIdleness | UInt32 | |
| AverageIdleness | UInt32 | |
| AccruedIdleTime | UInt32 | |
| NonIdleIgnored | Boolean | |
| IdleToSleep | Boolean | |
| NonIdleReferences | Boolean | |

Event ID 75: DeviceIdle
Example Event
{
"system": {
"provider": "Microsoft-Windows-Kernel-Power",
"guid": "{331C3B3A-2005-44C2-AC5E-77220C37D6B4}",
"event_source_name": "",
"event_id": 75,
"version": 0,
"level": 4,
"task": 73,
"opcode": 1,
"keywords": "0x4000000000000010",
"time_created": "2026-06-02T05:56:05.349+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 11208
},
"channel": "ETW Trace",
"computer": "DESKTOP-FF3N5XK",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": "DeviceIdle"
}
Event ID 76: DeviceIdle
Example Event
{
"system": {
"provider": "Microsoft-Windows-Kernel-Power",
"guid": "{331C3B3A-2005-44C2-AC5E-77220C37D6B4}",
"event_source_name": "",
"event_id": 76,
"version": 0,
"level": 4,
"task": 73,
"opcode": 2,
"keywords": "0x4000000000000010",
"time_created": "2026-06-02T05:56:05.349+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 11208
},
"channel": "ETW Trace",
"computer": "DESKTOP-FF3N5XK",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": "DeviceIdle"
}
Event ID 77: DeviceIdleCheck
Fields
| Name | Type | Description |
|---|---|---|
| Device | Pointer | |
| Pdo | Pointer | |
| InstancePathLength | UInt16 | |
| InstancePath | UnicodeString | |
| ConservativeTimeout | UInt32 | |
| PerformanceTimeout | UInt32 | |
| IdleTime | UInt32 | |
| BusyCount | UInt32 | |
| TotalBusyCount | UInt32 | |
| IdlePowerState | UInt8 | |
| CurrentPowerState | UInt8 | |

Event ID 78: DiskIdleCheck
Fields
| Name | Type | Description |
|---|---|---|
| Device | Pointer | |
| Timeout | UInt32 | |
| IgnoreThreshold | UInt32 | |
| IdleTime | UInt32 | |
| NonIdleTime | UInt32 | |

Event ID 79: Timer tick distribution policy.
Event ID 80: ACPI thermal zone ThermalZoneDeviceInstance has changed to CoolingMode cooling.
Event ID 81: ACPI thermal zone ThermalZoneDeviceInstance has PassiveCoolingState passive cooling.
Description
ACPI thermal zone ThermalZoneDeviceInstance has PassiveCoolingState passive cooling.
Message
Fields
| Name | Type | Description |
|---|---|---|
| ThermalZoneDeviceInstanceLength | UInt16 | |
| ThermalZoneDeviceInstance | UnicodeString | |
| EventTime | FILETIME | |
| PassiveCoolingStateLength | UInt16 | |
| PassiveCoolingState | UnicodeString | |
| AffinityCount | UInt16 | |
| _PSV | UInt32 | |
| _TMP | UInt32 | |
| _TC1 | UInt32 | |
| _TC2 | UInt32 | |
| _TSP | UInt32 | |
| DeltaP | Int32 | |
| _PSL | Boolean | |

Event ID 82: ACPI thermal zone ThermalZoneDeviceInstance has PassiveCoolingState passive cooling.
Description
ACPI thermal zone ThermalZoneDeviceInstance has PassiveCoolingState passive cooling.
Message
Fields
| Name | Type | Description |
|---|---|---|
| ThermalZoneDeviceInstanceLength | UInt16 | |
| ThermalZoneDeviceInstance | UnicodeString | |
| EventTime | FILETIME | |
| PassiveCoolingStateLength | UInt16 | |
| PassiveCoolingState | UnicodeString | |
| AffinityCount | UInt16 | |
| _PSV | UInt32 | |
| _TMP | UInt32 | |
| _TC1 | UInt32 | |
| _TC2 | UInt32 | |
| _TSP | UInt32 | |
| DeltaP | Int32 | |
| _PSL | Boolean | |

Event ID 83: ACPI thermal zone ThermalZoneDeviceInstance has ActiveCoolingState active cooling.
Description
ACPI thermal zone ThermalZoneDeviceInstance has ActiveCoolingState active cooling.
Message
Fields
| Name | Type | Description |
|---|---|---|
| ThermalZoneDeviceInstanceLength | UInt16 | |
| ThermalZoneDeviceInstance | UnicodeString | |
| EventTime | FILETIME | |
| ActiveCoolingStateLength | UInt16 | |
| ActiveCoolingState | UnicodeString | |
| _AC0 | UInt32 | |
| _AC1 | UInt32 | |
| _AC2 | UInt32 | |
| _AC3 | UInt32 | |
| _AC4 | UInt32 | |
| _AC5 | UInt32 | |
| _AC6 | UInt32 | |
| _AC7 | UInt32 | |
| _AC8 | UInt32 | |
| _AC9 | UInt32 | |
| _TMP | UInt32 | |

Event ID 84: ACPI thermal zone ThermalZoneDeviceInstance has ActiveCoolingState active cooling.
Description
ACPI thermal zone ThermalZoneDeviceInstance has ActiveCoolingState active cooling.
Message
Fields
| Name | Type | Description |
|---|---|---|
| ThermalZoneDeviceInstanceLength | UInt16 | |
| ThermalZoneDeviceInstance | UnicodeString | |
| EventTime | FILETIME | |
| ActiveCoolingStateLength | UInt16 | |
| ActiveCoolingState | UnicodeString | |
| _AC0 | UInt32 | |
| _AC1 | UInt32 | |
| _AC2 | UInt32 | |
| _AC3 | UInt32 | |
| _AC4 | UInt32 | |
| _AC5 | UInt32 | |
| _AC6 | UInt32 | |
| _AC7 | UInt32 | |
| _AC8 | UInt32 | |
| _AC9 | UInt32 | |
| _TMP | UInt32 | |

Event ID 85: The system was shut down due to a critical thermal event.
Event ID 86: The system was shut down due to a critical thermal event.
Event ID 87: The system was hibernated due to a critical thermal event.
Event ID 88: The system was hibernated due to a critical thermal event.
Event ID 89: ACPI thermal zone ThermalZoneDeviceInstance has been enumerated.
Description
ACPI thermal zone ThermalZoneDeviceInstance has been enumerated.
Message
Fields
| Name | Type | Description |
|---|---|---|
| ThermalZoneDeviceInstanceLength | UInt16 | |
| ThermalZoneDeviceInstance | UnicodeString | |
| AffinityCount | UInt16 | |
| _PSV | UInt32 | |
| _TC1 | UInt32 | |
| _TC2 | UInt32 | |
| _TSP | UInt32 | |
| _AC0 | UInt32 | |
| _AC1 | UInt32 | |
| _AC2 | UInt32 | |
| _AC3 | UInt32 | |
| _AC4 | UInt32 | |
| _AC5 | UInt32 | |
| _AC6 | UInt32 | |
| _AC7 | UInt32 | |
| _AC8 | UInt32 | |
| _AC9 | UInt32 | |
| _CRT | UInt32 | |
| _HOT | UInt32 | |
| _PSL | HexInt32 | |

Event ID 90: Processor ProcessorId was throttled by an entity other than the kernel power manager.
Event ID 91: Processor ProcessorId was throttled by an entity other than the kernel power manager.
Event ID 92: CreatePowerRequest_V1
Fields
| Name | Type | Description |
|---|---|---|
| Token | Pointer | |
| Type | UInt32 | |
| ProcessID | UInt32 | |
| SessionID | UInt32 | |
| Legacy | Boolean | |
| SystemAllowed | Boolean | |
| DisplayAllowed | Boolean | |
| AwayModeAllowed | Boolean | |
| SystemCount | UInt32 | |
| DisplayCount | UInt32 | |
| AwayModeCount | UInt32 | |
| CallerLength | UInt16 | |
| ContextLength | UInt16 | |
| Caller | UnicodeString | |
| Context | UnicodeString | |
| ExecutionRequiredAllowed | Boolean | |
| PerformanceBoostAllowed | Boolean | |
| FullScreenVideoAllowed | Boolean | |
| ExecutionRequiredCount | UInt32 | |
| PerformanceBoostCount | UInt32 | |
| FullScreenVideoCount | UInt32 | |

Event ID 93: ChangePowerRequest_V1
Fields
| Name | Type | Description |
|---|---|---|
| Token | Pointer | |
| SystemCount | UInt32 | |
| DisplayCount | UInt32 | |
| AwayModeCount | UInt32 | |
| ExecutionRequiredCount | UInt32 | |
| PerformanceBoostCount | UInt32 | |
| FullScreenVideoCount | UInt32 | |

Event ID 95: The system timer resolution has changed to a value of NewResolution.
Event ID 96: The system timer resolution currently has a value of CurrentPeriod.
Event ID 97: The system timer resolution currently has a value of RequestedPeriod.
Event ID 98: A driver is attempting to update the system timer resolution to a value of RequestedResolution.
Event ID 99: PowerRequestRundown_V1
Fields
| Name | Type | Description |
|---|---|---|
| Token | Pointer | |
| Type | UInt32 | |
| ProcessID | UInt32 | |
| SessionID | UInt32 | |
| Legacy | Boolean | |
| SystemAllowed | Boolean | |
| DisplayAllowed | Boolean | |
| AwayModeAllowed | Boolean | |
| SystemCount | UInt32 | |
| DisplayCount | UInt32 | |
| AwayModeCount | UInt32 | |
| CallerLength | UInt16 | |
| ContextLength | UInt16 | |
| Caller | UnicodeString | |
| Context | UnicodeString | |
| ExecutionRequiredAllowed | Boolean | |
| PerformanceBoostAllowed | Boolean | |
| FullScreenVideoAllowed | Boolean | |
| ExecutionRequiredCount | UInt32 | |
| PerformanceBoostCount | UInt32 | |
| FullScreenVideoCount | UInt32 | |

Event ID 100: FlushAllPagesPhaseStart
Event ID 101: FlushAllPagesPhaseStop
Event ID 102: BuildNotifyListPhaseStart
Event ID 103: BuildNotifyListPhaseStop
Event ID 104: SleepDisableReasonRundown
Fields
| Name | Type | Description |
|---|---|---|
| AffectedState | UInt8 | |
| PowerReasonCode | UInt32 | |
| PowerReasonLength | UInt32 | |
| PowerReasonInfo | Binary | |

Event ID 105: Power source change.
Event ID 107: The system has resumed from sleep
Description
The system has resumed from sleep.
Fields
| Name | Type | Description |
|---|---|---|
| TargetState | UInt32 | |
| EffectiveState | UInt32 | |
| WakeFromState | UInt32 | |
| ProgrammedWakeTimeAc | | |
| ProgrammedWakeTimeDc | | |
| WakeRequesterTypeAc | | |
| WakeRequesterTypeDc | | |

Event ID 107: The system has resumed from sleep.
Event ID 108: PowerTransition108
Fields
| Name | Type | Description |
|---|---|---|
| CopyBytes | UInt64 | |
| ElapsedTime | UInt32 | |
| IoTime | UInt32 | |
| InitTime | UInt32 | |
| CopyTime | UInt32 | |
| PagesWritten | UInt32 | |
| PagesProcessed | UInt32 | |
| DumpCount | UInt32 | |
| FileRuns | UInt32 | |
| ReadTime | UInt32 | |
| ResumeAppTime | UInt32 | |
| CompressTime | UInt32 | |

Event ID 109: The kernel power manager has initiated a shutdown transition.
Description
The kernel power manager has initiated a shutdown transition.
Message
Fields
| Name | Type | Description |
|---|---|---|
| ShutdownActionType | UInt32 | Action. |
| ShutdownEventCode | UInt32 | Event Code. |
| ShutdownReason | UInt32 | Reason. |

Example Event
{
"system": {
"provider": "Microsoft-Windows-Kernel-Power",
"guid": "{331C3B3A-2005-44C2-AC5E-77220C37D6B4}",
"event_source_name": "",
"event_id": 109,
"version": 0,
"level": 4,
"task": 103,
"opcode": 0,
"keywords": -9223301668110597116,
"time_created": "2026-06-13T05:22:39.4639734+00:00",
"event_record_id": 7415,
"correlation": {},
"execution": {
"process_id": 712,
"thread_id": 716
},
"channel": "System",
"computer": "telemetry-DC-c.cell-c.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"ShutdownActionType": "5",
"ShutdownEventCode": "0",
"ShutdownReason": "5"
},
"message": "The kernel power manager has initiated a shutdown transition.\r\n\r\nShutdown Reason: Kernel API"
}
Event ID 110: SystemTimerResolutionStackRundown
Fields
| Name | Type | Description |
|---|---|---|
| RequestedPeriod | UInt32 | |
| Pid | UInt32 | |
| AppNameLength | UInt16 | |
| AppName | UnicodeString | |
| StackSize | UInt32 | |
| Stack | Pointer | |

Event ID 111: PowerSettingRundown_V1
Fields
| Name | Type | Description |
|---|---|---|
| SettingGuid | GUID | |
| DataSize | UInt32 | |
| Data | Binary | |
| Override | Boolean | |

Event ID 112: PowerSettingChange_V1
Fields
| Name | Type | Description |
|---|---|---|
| SettingGuid | GUID | |
| DataSize | UInt32 | |
| Data | Binary | |
| Override | Boolean | |

Event ID 113: ACPI thermal zone ThermalZoneDeviceInstance has PassiveCoolingState passive cooling.
Description
ACPI thermal zone ThermalZoneDeviceInstance has PassiveCoolingState passive cooling.
Message
Fields
| Name | Type | Description |
|---|---|---|
| ThermalZoneDeviceInstanceLength | UInt16 | |
| ThermalZoneDeviceInstance | UnicodeString | |
| EventTime | FILETIME | |
| PassiveCoolingState | UInt16 | |
| _PSV | UInt32 | |
| _TMP | UInt32 | |
| _TC1 | UInt32 | |
| _TC2 | UInt32 | |
| _TSP | UInt32 | |
| DeltaP | Int32 | |
| MinimumThrottle | Int32 | |

Event ID 114: ACPI thermal zone ThermalZoneDeviceInstance has PassiveCoolingState passive cooling.
Description
ACPI thermal zone ThermalZoneDeviceInstance has PassiveCoolingState passive cooling.
Message
Fields
| Name | Type | Description |
|---|---|---|
| ThermalZoneDeviceInstanceLength | UInt16 | |
| ThermalZoneDeviceInstance | UnicodeString | |
| EventTime | FILETIME | |
| PassiveCoolingState | UInt16 | |
| _PSV | UInt32 | |
| _TMP | UInt32 | |
| _TC1 | UInt32 | |
| _TC2 | UInt32 | |
| _TSP | UInt32 | |
| DeltaP | Int32 | |
| MinimumThrottle | Int32 | |

Event ID 115: ACPI thermal zone ThermalZoneDeviceInstance has ActiveCoolingState active cooling.
Description
ACPI thermal zone ThermalZoneDeviceInstance has ActiveCoolingState active cooling.
Message
Fields
| Name | Type | Description |
|---|---|---|
| ThermalZoneDeviceInstanceLength | UInt16 | |
| ThermalZoneDeviceInstance | UnicodeString | |
| EventTime | FILETIME | |
| ActiveCoolingState | UInt16 | |
| _AC0 | UInt32 | |
| _AC1 | UInt32 | |
| _AC2 | UInt32 | |
| _AC3 | UInt32 | |
| _AC4 | UInt32 | |
| _AC5 | UInt32 | |
| _AC6 | UInt32 | |
| _AC7 | UInt32 | |
| _AC8 | UInt32 | |
| _AC9 | UInt32 | |
| _TMP | UInt32 | |

Event ID 116: ACPI thermal zone ThermalZoneDeviceInstance has ActiveCoolingState active cooling.
Description
ACPI thermal zone ThermalZoneDeviceInstance has ActiveCoolingState active cooling.
Message
Fields
| Name | Type | Description |
|---|---|---|
| ThermalZoneDeviceInstanceLength | UInt16 | |
| ThermalZoneDeviceInstance | UnicodeString | |
| EventTime | FILETIME | |
| ActiveCoolingState | UInt16 | |
| _AC0 | UInt32 | |
| _AC1 | UInt32 | |
| _AC2 | UInt32 | |
| _AC3 | UInt32 | |
| _AC4 | UInt32 | |
| _AC5 | UInt32 | |
| _AC6 | UInt32 | |
| _AC7 | UInt32 | |
| _AC8 | UInt32 | |
| _AC9 | UInt32 | |
| _TMP | UInt32 | |

Event ID 117: PowerTransition117_V2
Fields
| Name | Type | Description |
|---|---|---|
| TotalResumeTime | UInt32 | |
| POSTTime | UInt32 | |
| ResumeBootMgrTime | UInt32 | |
| ResumeAppTime | UInt32 | |
| ResumeAppStartTime | UInt32 | |
| ResumeLibraryInitTime | UInt32 | |
| ResumeInitTime | UInt32 | |
| ResumeHiberFileTime | UInt32 | |
| ResumeRestoreImageStartTimestamp | UInt32 | |
| ResumeIoTime | UInt32 | |
| ResumeDecompressTime | UInt32 | |
| ResumeMapTime | UInt32 | |
| ResumeUnmapTime | UInt32 | |
| ResumeUserInOutTime | UInt32 | |
| ResumeAllocateTime | UInt32 | |
| ResumeKernelSwitchTimestamp | UInt32 | |
| KernelReturnFromHandlerTimestamp | UInt32 | |
| SleeperThreadEndTimestamp | UInt32 | |
| TimeStampCounterAtSwitchTime | UInt32 | |
| KernelReturnSystemPowerStateTimestamp | UInt32 | |
| HiberHiberFileTime | UInt32 | |
| InitTime | UInt32 | |
| HiberSharedBufferTime | UInt32 | |
| TotalHibernateTime | UInt32 | |
| KernelResumeHiberFileTime | UInt32 | |
| KernelResumeInitTime | UInt32 | |
| KernelResumeSharedBufferTime | UInt32 | |
| DeviceResumeTime | UInt32 | |
| KernelAnimationTime | UInt32 | |
| KernelPagesProcessed | UInt32 | |
| KernelPagesWritten | UInt64 | |
| BootPagesProcessed | UInt32 | |
| BootPagesWritten | UInt64 | |
| HiberWriteRate | UInt32 | |
| HiberCompressRate | UInt32 | |
| ResumeReadRate | UInt32 | |
| ResumeDecompressRate | UInt32 | |
| FileRuns | UInt32 | |
| NoMultiStageResumeReason | UInt32 | |
| MaxHuffRatio | UInt32 | |
| SecurePagesProcessed | UInt32 | |
| HiberChecksumTime | UInt32 | |
| HiberChecksumIoTime | UInt32 | |
| ResumeChecksumTime | UInt32 | |
| ResumeChecksumIoTime | UInt32 | |
| KernelChecksumTime | UInt32 | |
| KernelChecksumIoTime | UInt32 | |
| WinresumeExitTimestamp | UInt32 | |
| TcbLoaderStartTimestamp | UInt32 | |
| TcbLoaderEndTimestamp | UInt32 | |
| RemappedPageLookupCycles | UInt32 | |
| TcbLaunchPrepareCycles | UInt32 | |
| TcbLaunchPrepareDataCycles | UInt32 | |
| DecryptVsmPagesPhase0Cycles | UInt32 | |
| DecryptVsmPagesPhase1Cycles | UInt32 | |
| DecryptVsmPagesPhase2Cycles | UInt32 | |
| TcbLoaderAuthenticateCycles | UInt32 | |
| TcbLoaderDecryptCycles | UInt32 | |
| TcbLoaderValidateCycles | UInt32 | |

Event ID 118: Idle resiliency activated with requested clock period: RequestedResolution(Internal flags:Flags, Ticks:Ticks).
Event ID 119: Idle resiliency deactivated (Internal flags:Flags).
Event ID 120: PowerTransition120
Fields
| Name | Type | Description |
|---|---|---|
| HiberfileSizeKB | UInt32 | |
| TotalHibernateTime | UInt32 | |
| HiberHiberFileTime | UInt32 | |

Event ID 121: PowerTransition121_V1
Fields
| Name | Type | Description |
|---|---|---|
| DriverWakeTime | UInt32 | |
| TotalResumeTime | UInt32 | |
| BiosInitTime | UInt32 | |
| ResumeAppsTime | UInt32 | |
| ResumeServicesTime | UInt32 | |

Event ID 122: PowerTransition122
Fields
| Name | Type | Description |
|---|---|---|
| TotalResumeTime | UInt32 | |
| PhasePagesWrittenMB | UInt32 | |
| ResumeAppAndKernelResumeHiberFileTime | UInt32 | |
| POSTAndDeviceResumeTime | UInt32 | |
| RatesAndResumeAppsServicesTime | UInt32 | |
| PhasePagesProcessedMB | UInt32 | |

Event ID 123: PowerTransition123_V1
Fields
| Name | Type | Description |
|---|---|---|
| HiberfileSize | UInt32 | |
| TotalHybridShutdownTime | UInt32 | |
| HiberfileCreateTime | UInt32 | |
| SystemShutdownTime | UInt32 | |

Event ID 124: PowerTransition124
Fields
| Name | Type | Description |
|---|---|---|
| TotalResumeTime | UInt32 | |
| PhasePagesWrittenMB | UInt32 | |
| ResumeAppAndKernelResumeHiberFileTime | UInt32 | |
| POSTAndDeviceResumeTime | UInt32 | |
| RatesAndResumeAppsServicesTime | UInt32 | |
| PhasePagesProcessedMB | UInt32 | |

Event ID 125: ACPI thermal zone ThermalZoneDeviceInstance has been enumerated.
Description
ACPI thermal zone ThermalZoneDeviceInstance has been enumerated.
Message
Fields
| Name | Type | Description |
|---|---|---|
| ThermalZoneDeviceInstanceLength | UInt16 | |
| ThermalZoneDeviceInstance | UnicodeString | |
| _PSV | UInt32 | |
| _TC1 | UInt32 | |
| _TC2 | UInt32 | |
| _TSP | UInt32 | |
| _AC0 | UInt32 | |
| _AC1 | UInt32 | |
| _AC2 | UInt32 | |
| _AC3 | UInt32 | |
| _AC4 | UInt32 | |
| _AC5 | UInt32 | |
| _AC6 | UInt32 | |
| _AC7 | UInt32 | |
| _AC8 | UInt32 | |
| _AC9 | UInt32 | |
| _CRT | UInt32 | |
| _HOT | UInt32 | |
| MinimumThrottle | Int32 | |
| _CR3 | UInt32 | |
| OverThrottleThreshold | UInt32 | |
| DescriptionLength | UInt16 | |
| Description | UnicodeString | |
| _TZP | UInt32 | |

Event ID 130: Firmware S3 times.
Event ID 131: Firmware S3 times.
Event ID 133: ResumeAppsPhaseStop
Event ID 134: ResumeServicesPhaseStop
Event ID 136: DeviceRundown
Fields
| Name | Type | Description |
|---|---|---|
| DeviceNode | Pointer | |
| PowerState | UInt8 | |
| InstancePathLength | UInt16 | |
| InstancePath | UnicodeString | |
| FriendlyNameLength | UInt16 | |
| FriendlyName | UnicodeString | |

Event ID 137: The system firmware has changed the processor's memory type range registers (MTRRs) across a sleep state transition (SSleepState).
Event ID 138: ThermalPerfTrack
Fields
| Name | Type | Description |
|---|---|---|
| Throttle | UInt32 | |
| Temperature | UInt32 | |
| ZoneLength | UInt16 | |
| Zone | UnicodeString | |

Event ID 139: ThermalDurationPerfTrack
Fields
| Name | Type | Description |
|---|---|---|
| ThrottleDuration | UInt32 | |
| ZoneLength | UInt16 | |
| Zone | UnicodeString | |

Event ID 140: CsConsumptionPerfTrack
Fields
| Name | Type | Description |
|---|---|---|
| EnergyDrain | UInt32 | |
| Duration | UInt32 | |
| DripsTransitions | UInt32 | |
| Flags | UInt32 | |

Event ID 142: The system has rebooted without cleanly shutting down first.
Event ID 143: CsDripsWatchdogPerfTrack
Fields
| Name | Type | Description |
|---|---|---|
| ResiliencyPhaseNonActivatedNoDripsMs | UInt32 | |
| NonActivatedCpuTimeMs | UInt32 | |
| DurationThisPeriodMs | UInt32 | |
| ActionsTakenAndOnAc | UInt32 | |

Event ID 144: ThermalEvent
Fields
| Name | Type | Description |
|---|---|---|
| InitiatorLength | UInt16 | |
| Initiator | UnicodeString | |
| Type | UInt32 | |
| Temperature | UInt32 | |
| TripPointTemperature | UInt32 | |

Event ID 145: ThermalZoneRundown_V2
Fields
| Name | Type | Description |
|---|---|---|
| ThermalZoneDeviceInstanceLength | UInt16 | |
| ThermalZoneDeviceInstance | UnicodeString | |
| ActiveCoolingState | UInt16 | |
| ActivePoint | Int32 | |
| PassiveCoolingState | UInt16 | |
| ThrottleLimit | Int32 | |
| ThermalStandby | Boolean | |
| OverThrottled | Boolean | |
| DescriptionLength | UInt16 | |
| Description | UnicodeString | |

Event ID 146: PowerSettingCallbackStart
Fields
| Name | Type | Description |
|---|---|---|
| Callback | Pointer | |
| SettingGuid | GUID | |
| DataSize | UInt32 | |
| Data | Binary | |

Event ID 151: CoolingExtensionAdd
Fields
| Name | Type | Description |
|---|---|---|
| PassiveSupported | Boolean | |
| ActiveSupported | Boolean | |
| Throttle | UInt8 | |
| ActiveEngaged | Boolean | |
| Token | Pointer | |
| DeviceIdLength | UInt16 | |
| DeviceId | UnicodeString | |

Event ID 152: CoolingExtensionRundown
Fields
| Name | Type | Description |
|---|---|---|
| PassiveSupported | Boolean | |
| ActiveSupported | Boolean | |
| Throttle | UInt8 | |
| ActiveEngaged | Boolean | |
| Token | Pointer | |
| DeviceIdLength | UInt16 | |
| DeviceId | UnicodeString | |

Event ID 153: CoolingExtensionRemove
Fields
| Name | Type | Description |
|---|---|---|
| PassiveSupported | Boolean | |
| ActiveSupported | Boolean | |
| Throttle | UInt8 | |
| ActiveEngaged | Boolean | |
| Token | Pointer | |
| DeviceIdLength | UInt16 | |
| DeviceId | UnicodeString | |

Event ID 155: CoolingExtensionActiveUpdate
Fields
| Name | Type | Description |
|---|---|---|
| ActiveEngaged | Boolean | |
| Token | Pointer | |

Event ID 156: ThermalRequestAdd
Fields
| Name | Type | Description |
|---|---|---|
| Throttle | UInt8 | |
| ActiveEngaged | Boolean | |
| Token | Pointer | |
| DeviceIdLength | UInt16 | |
| CallerLength | UInt16 | |
| ContextLength | UInt16 | |
| PolicyLength | UInt16 | |
| DeviceId | UnicodeString | |
| Caller | UnicodeString | |
| Context | UnicodeString | |
| Policy | Binary | |

Event ID 157: ThermalRequestRundown
Fields
| Name | Type | Description |
|---|---|---|
| Throttle | UInt8 | |
| ActiveEngaged | Boolean | |
| Token | Pointer | |
| DeviceIdLength | UInt16 | |
| CallerLength | UInt16 | |
| ContextLength | UInt16 | |
| PolicyLength | UInt16 | |
| DeviceId | UnicodeString | |
| Caller | UnicodeString | |
| Context | UnicodeString | |
| Policy | Binary | |

Event ID 158: ThermalRequestRemove
Fields
| Name | Type | Description |
|---|---|---|
| Throttle | UInt8 | |
| ActiveEngaged | Boolean | |
| Token | Pointer | |
| DeviceIdLength | UInt16 | |
| CallerLength | UInt16 | |
| ContextLength | UInt16 | |
| PolicyLength | UInt16 | |
| DeviceId | UnicodeString | |
| Caller | UnicodeString | |
| Context | UnicodeString | |
| Policy | Binary | |

Event ID 161: CsDripsWatchdog_V3
Fields
| Name | Type | Description |
|---|---|---|
| ResiliencyPhaseNonActivatedNoDripsMs | UInt32 | |
| NonActivatedCpuTimeMs | UInt32 | |
| DurationThisPeriodMs | UInt32 | |
| OnAc | Boolean | |
| EnergyDrainMw | UInt32 | |
| DeviceConstraint | Boolean | |
| ActionsTaken | UInt32 | |
| DeviceServiceNameLength | UInt16 | |
| DeviceServiceName | UnicodeString | |
| ChildServiceNameLength | UInt16 | |
| ChildServiceName | UnicodeString | |
| PepPreVeto | UInt32 | |
| InvocationCount | UInt32 | |

Event ID 162: ThermalZoneThermalStandbyUpdate
Fields
| Name | Type | Description |
|---|---|---|
| ThermalZoneDeviceInstanceLength | UInt16 | |
| ThermalZoneDeviceInstance | UnicodeString | |
| Engaged | Boolean | |

Event ID 163: ThermalZoneOverthrottledUpdate
Fields
| Name | Type | Description |
|---|---|---|
| ThermalZoneDeviceInstanceLength | UInt16 | |
| ThermalZoneDeviceInstance | UnicodeString | |
| Engaged | Boolean | |

Event ID 164: ThermalStandbyNotification
Event ID 165: SystemIdle_V1
Fields
| Name | Type | Description |
|---|---|---|
| IdleInformationUpdated | Boolean | |
| TimeoutSource | UInt32 | |
| Action | UInt32 | |
| MinState | UInt32 | |
| Timeout | UInt32 | |
| Flags | UInt32 | |
| Reason | UInt32 | |

Event ID 166: SystemIdle166_V1
Fields
| Name | Type | Description |
|---|---|---|
| AccumulatedIdleTime | UInt32 | |
| SystemIdle | Boolean | |
| Flags | UInt32 | |
| Action | UInt32 | |
| MinState | UInt32 | |
| DozeS4Timeout | UInt32 | |
| PredictedUserReturnTime | FILETIME | |

Event ID 167: SystemIdle167
Fields
| Name | Type | Description |
|---|---|---|
| Reason | UInt32 | |
| S0LowPowerDozeTimerCancelled | Boolean | |

Event ID 171: CsDeepSleepWatchdog_V1
Fields
| Name | Type | Description |
|---|---|---|
| ResiliencyPhaseNonActivatedNoDeepSleepMs | UInt32 | |
| NonActivatedCpuTimeMs | UInt32 | |
| DurationThisPeriodMs | UInt32 | |
| OnAc | Boolean | |
| ActionsTaken | UInt32 | |
| PowerSettingPending | Boolean | |

Event ID 172: Connectivity state in standby: State, Reason: Reason.
Description
Connectivity state in standby: State, Reason: Reason.
Message
Fields
| Name | Type | Description |
|---|---|---|
| State | UInt32 | Connectivity state in standby. |
| Reason | UInt32 | |

Example Event
{
"system": {
"provider": "Microsoft-Windows-Kernel-Power",
"guid": "{331C3B3A-2005-44C2-AC5E-77220C37D6B4}",
"event_source_name": "",
"event_id": 172,
"version": 0,
"level": 4,
"task": 203,
"opcode": 0,
"keywords": -9223372036854774780,
"time_created": "2026-05-29T16:32:46.0451209+00:00",
"event_record_id": 6682,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 456
},
"channel": "System",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"State": "2",
"Reason": "6"
},
"message": "Connectivity state in standby: Disconnected, Reason: NIC compliance"
}
Event ID 173: FlushSleepStudyLoggerStart
Event ID 174: FlushSleepStudyLoggerStop
Event ID 178: Background Activity Policy updated from PreviousPolicy to NewPolicy.
Event ID 183: DeepSleepConstraintRundown
Fields
| Name | Type | Description |
|---|---|---|
| ConstraintCount | UInt16 | |
| Constraints | AnsiString | |

Event ID 184: IRTimerExpiries
Fields
| Name | Type | Description |
|---|---|---|
| ExpiryCount | UInt32 | |
| RelativeId | UInt16 | |
| ComponentName | UnicodeString | |

Event ID 185: RtcWakeInfo
Fields
| Name | Type | Description |
|---|---|---|
| WokeSystem | Boolean | |
| RejectReason | UInt32 | |
| Uncertain | Boolean | |
| Spurious | Boolean | |
| FixedWakeSourceMask | UInt32 | |
| AcAlarmSignaled | Boolean | |
| DcAlarmSignaled | Boolean | |
| RtcSignaled | Boolean | |
| AcProgrammedTime | FILETIME | |
| DcProgrammedTime | FILETIME | |
| UsingAcTime | Boolean | |
| WakeTime | FILETIME | |
| AdjustedWakeTime | FILETIME | |
| FullWake | Boolean | |

Event ID 187: User-mode process attempted to change the system state by calling SetSuspendState or SetSystemPowerState APIs.
Event ID 188: PrepareSleepStart
Event ID 189: PrepareSleepStop
Event ID 190: TimerResolutionRequestIgnoreChange
Fields
| Name | Type | Description |
|---|---|---|
| RequestIgnored | Boolean | |
| Pid | UInt32 | |

Event ID 200: task_0
Fields
| Name | Type | Description |
|---|---|---|
| SqmType | UInt32 | |
| SqmSessionGuid | GUID | |
| SqmSid | SID | |
| SqmWindowsSessionId | UInt32 | |
| SqmSessionFlags | UInt32 | |

Event ID 202: task_0202
Fields
| Name | Type | Description |
|---|---|---|
| SqmType | UInt32 | |
| SqmSessionGuid | GUID | |
| SqmID | UInt32 | |
| SqmDWORDDatapointValue | UInt32 | |

Event ID 203: task_0Stop
Fields
| Name | Type | Description |
|---|---|---|
| SqmType | UInt32 | |
| SqmSessionGuid | GUID | |
| SqmID | UInt32 | |
| SqmDWORDDatapointValue | UInt32 | |

Event ID 204: task_0204
Fields
| Name | Type | Description |
|---|---|---|
| SqmType | UInt32 | |
| SqmSessionGuid | GUID | |
| SqmID | UInt32 | |
| SqmDWORDDatapointValue | UInt32 | |

Event ID 205: task_0205
Fields
| Name | Type | Description |
|---|---|---|
| SqmType | UInt32 | |
| SqmSessionGuid | GUID | |
| SqmID | UInt32 | |
| SqmDWORDDatapointValue | UInt32 | |

Event ID 206: task_0206
Fields
| Name | Type | Description |
|---|---|---|
| SqmType | UInt32 | |
| SqmSessionGuid | GUID | |
| SqmID | UInt32 | |
| SqmDWORDDatapointValue | UInt32 | |

Event ID 207: task_0207
Fields
| Name | Type | Description |
|---|---|---|
| SqmType | UInt32 | |
| SqmSessionGuid | GUID | |
| SqmID | UInt32 | |
| SqmStringDatapointValue | UnicodeString | |

Event ID 208: task_0208
Fields
| Name | Type | Description |
|---|---|---|
| SqmType | UInt32 | |
| SqmSessionGuid | GUID | |
| SqmID | UInt32 | |
| SqmStreamRowLength | UInt32 | |
| SqmStreamRow | Int16 | |

Event ID 302: DevicePreparation
Fields
| Name | Type | Description |
|---|---|---|
| Token | Pointer | |
| Plugin | Pointer | |
| IdLength | UInt16 | |
| Id | UnicodeString | |
| Prepared | Boolean | |

Event ID 303: DeviceRegistration_V1
#Fields #
| Name | Description |
|---|---|
Token Pointer | |
Plugin Pointer | |
PowerState UInt8 | |
Status UInt32 | NTSTATUS reference |
IdLength UInt16 | |
Id UnicodeString | |
ComponentCount UInt32 | |
VetoMasks UInt32 |
Event ID 304: DeviceRegistrationRundown_V1
Fields
| Name | Type | Description |
|---|---|---|
| Token | Pointer | |
| Plugin | Pointer | |
| PowerState | UInt8 | |
| Status | UInt32 | NTSTATUS reference |
| IdLength | UInt16 | |
| Id | UnicodeString | |
| ComponentCount | UInt32 | |
| VetoMasks | UInt32 | |
Event ID 307: DevicePowerRequirementToDevice
Fields
| Name | Type | Description |
|---|---|---|
| Token | Pointer | |
| PowerRequired | Boolean | |
Event ID 310: ComponentRegistration_V1
Fields
| Name | Type | Description |
|---|---|---|
| Token | Pointer | |
| Component | UInt32 | |
| Active | Boolean | |
| IdleState | UInt32 | |
| IdleStateCount | UInt32 | |
| IdleStates | UInt16 | |
Event ID 311: ComponentRegistrationRundown_V1
Fields
| Name | Type | Description |
|---|---|---|
| Token | Pointer | |
| Component | UInt32 | |
| Active | Boolean | |
| IdleState | UInt32 | |
| IdleStateCount | UInt32 | |
| IdleStates | UInt16 | |
Event ID 313: ComponentIdleState
Fields
| Name | Type | Description |
|---|---|---|
| Token | Pointer | |
| Component | UInt32 | |
| IdleState | UInt32 | |
Event ID 315: ComponentResidency
Fields
| Name | Type | Description |
|---|---|---|
| Token | Pointer | |
| Component | UInt32 | |
| Residency | UInt64 | |
Event ID 316: ComponentWake
Fields
| Name | Type | Description |
|---|---|---|
| Token | Pointer | |
| Component | UInt32 | |
| ArmedForWake | Boolean | |
Event ID 317: DevicePowerRequirementFromPep
Fields
| Name | Type | Description |
|---|---|---|
| Token | Pointer | |
| PowerRequired | Boolean | |
Event ID 318: DeviceIdleConstraints
Fields
| Name | Type | Description |
|---|---|---|
| Token | Pointer | |
| StateCount | UInt32 | |
| MinimumDStates | UInt32 | |
Event ID 319: ComponentIdleConstraints
Fields
| Name | Type | Description |
|---|---|---|
| Token | Pointer | |
| Component | UInt32 | |
| StateCount | UInt32 | |
| MinimumFStates | UInt32 | |
Event ID 320: DeviceVerboseRundown_V3
Fields
| Name | Type | Description |
|---|---|---|
| DeviceNode | Pointer | |
| DeviceIdLength | UInt16 | |
| DeviceId | UnicodeString | |
| InstancePathLength | UInt16 | |
| InstancePath | UnicodeString | |
| ServiceNameLength | UInt16 | |
| ServiceName | UnicodeString | |
| PlatformStateDependents | UInt32 | |
| Pdo | Pointer | |
| ParentDeviceNode | Pointer | |
| Flags | UInt32 | |
| FriendlyNameLength | UInt16 | |
| FriendlyName | UnicodeString | |
| DripsRequiredState | UInt32 | |
Event ID 321: PerformanceStateRegistration
Fields
| Name | Type | Description |
|---|---|---|
| Token | Pointer | |
| Component | UInt32 | |
| SetCount | UInt32 | |
Event ID 322: PerformanceStateRegistrationRundown
Fields
| Name | Type | Description |
|---|---|---|
| Token | Pointer | |
| Component | UInt32 | |
| SetCount | UInt32 | |
Event ID 323: PerformanceStateSetRegistration
Fields
| Name | Type | Description |
|---|---|---|
| Token | Pointer | |
| Component | UInt32 | |
| Set | UInt32 | |
| NameLength | UInt16 | |
| Name | UnicodeString | |
| Type | UInt32 | |
| Unit | UInt32 | |
| Minimum | UInt64 | |
| Maximum | UInt64 | |
| StateCount | UInt32 | |
| StateValues | UInt64 | |
| CurrentState | UInt64 | |
Event ID 324: PerformanceStateSetRegistrationRundown
Fields
| Name | Type | Description |
|---|---|---|
| Token | Pointer | |
| Component | UInt32 | |
| Set | UInt32 | |
| NameLength | UInt16 | |
| Name | UnicodeString | |
| Type | UInt32 | |
| Unit | UInt32 | |
| Minimum | UInt64 | |
| Maximum | UInt64 | |
| StateCount | UInt32 | |
| StateValues | UInt64 | |
| CurrentState | UInt64 | |
Event ID 325: ComponentPerformanceState
Fields
| Name | Type | Description |
|---|---|---|
| Token | Pointer | |
| Component | UInt32 | |
| PerformanceStateSetCount | UInt32 | |
| PerformanceStateSets | UInt8 | |
Event ID 326: ComponentPerformanceState326
Fields
| Name | Type | Description |
|---|---|---|
| Token | Pointer | |
| Component | UInt32 | |
| Progress | UInt32 | |
Event ID 327: ComponentPerformanceState327
Fields
| Name | Type | Description |
|---|---|---|
| Token | Pointer | |
| Component | UInt32 | |
| Succeeded | Boolean | |
Event ID 328: ComponentPerformanceState328
Fields
| Name | Type | Description |
|---|---|---|
| Token | Pointer | |
| Component | UInt32 | |
| DeviceTransition | Boolean | |
| PowerState | UInt32 | |
| PerformanceStateSetCount | UInt32 | |
| PerformanceStateSets | UInt16 | |
Event ID 329: DebuggerTransitionRequirements
Fields
| Name | Type | Description |
|---|---|---|
| Token | Pointer | |
| StateCount | UInt32 | |
| TransitionRequired | UInt8 | |
Event ID 331: DefaultPepWorkerStop
Fields
| Name | Type | Description |
|---|---|---|
| EndDevice | Pointer | |
| WorkType | Int8 | |
| Phase | UInt8 | |
| NumberExtraDevices | UInt8 | |
Event ID 332: DefaultPepWorkerDeviceRecovered
Fields
| Name | Type | Description |
|---|---|---|
| EndDevice | Pointer | |
| WorkType | Int8 | |
| Phase | UInt8 | |
| NumberExtraDevices | UInt8 | |
Event ID 333: DefaultPepWorkerDeviceOrphaned
Fields
| Name | Type | Description |
|---|---|---|
| EndDevice | Pointer | |
| WorkType | Int8 | |
| Phase | UInt8 | |
| NumberExtraDevices | UInt8 | |
Event ID 400: SessionId: SessionId, Console:Console.
Event ID 401: SessionId: SessionId, Console:Console.
Event ID 402: SessionId: SessionId, Console:Console.
Event ID 403: SessionId: SessionId, Console:Console.
Event ID 404: SessionId: SessionId, Console:Console.
Event ID 405: SessionId: SessionId, Console:Console.
Event ID 406: SessionId: SessionId, Console:Console.
Event ID 407: SessionId: SessionId, Console:Console.
Event ID 408: User presence:User_presence.
Event ID 409: Reason code:Reason_code.
Event ID 412: Session Id:Session_Id, Value: Value.
Event ID 413: Session Id:Session_Id, Value: Value.
Event ID 414: Session Id:Session_Id, Value: Value.
Event ID 415: Old value:Old_value, New value: New_value.
Event ID 416: Value:Value, Zeroed: Zeroed, Computed: Computed.
Event ID 417: Value:Value, Zeroed: Zeroed, Computed: Computed.
Event ID 418: Value:Value, Zeroed: Zeroed, Computed: Computed.
Event ID 500: IO coalescing activated with spindown period: SpindownTimeout, Timer:TimerInterval, Flush:FlushInterval, Flags:Flags.
Event ID 502: IO coalescing flush command generated.
Description
IO coalescing flush command generated.
Event ID 503: IO coalescing disk device DiskDeviceObject is about to be spun down.
Event ID 506: The system is entering Modern Standby Reason.
Event ID 507: The system is exiting Modern Standby Reason.
Description
The system is exiting Modern Standby.
Fields
| Name | Type | Description |
|---|---|---|
| EnergyDrain | UInt32 | |
| ActiveResidencyInUs | UInt64 | |
| NonDripsTimeActivatedInUs | UInt64 | |
| FirstDripsEntryInUs | UInt64 | |
| DripsResidencyInUs | UInt64 | |
| DurationInUs | UInt64 | |
| DripsTransitions | UInt32 | |
| FullChargeCapacityRatio | UInt8 | |
| AudioPlaying | Boolean | |
| Reason | UInt32 | |
| AudioPlaybackInUs | UInt64 | |
| NonActivatedCpuInUs | UInt64 | |
| PowerStateAc | Boolean | |
| HwDripsResidencyInUs | UInt64 | |
| ExitLatencyInUs | UInt64 | |
| DisconnectedStandby | Boolean | |
| AoAcCompliantNic | Boolean | |
| NonAttributedCpuInUs | UInt64 | |
| ModernSleepEnabledActionsBitmask | UInt32 | |
| ModernSleepAppliedActionsBitmask | UInt32 | |
| LidOpenState | Boolean | |
| ExternalMonitorConnectedState | Boolean | |
| ScenarioInstanceId | UInt8 | |
| IsCsSessionInProgressOnExit | Boolean | |
| BatteryRemainingCapacityOnExit | UInt32 | |
| BatteryFullChargeCapacityOnExit | UInt32 | |
| ScenarioInstanceIdV2 | UInt64 | |
| BootId | UInt32 | |
| InputSuppressionActionCount | UInt32 | |
| NonResiliencyTimeInUs | UInt64 | |
| ResiliencyDripsTimeInUs | UInt64 | |
| ResiliencyHwDripsTimeInUs | UInt64 | |
| GdiOnTime | UInt64 | |
| DwmSyncFlushTime | UInt64 | |
| MonitorPowerOnTime | UInt64 | |
| SleepEntered | Boolean | |
| ScreenOffEnergyCapacityAtStart | UInt32 | |
| ScreenOffEnergyCapacityAtEnd | UInt32 | |
| ScreenOffDurationInUs | UInt64 | |
| SleepEnergyCapacityAtStart | UInt32 | |
| SleepEnergyCapacityAtEnd | UInt32 | |
| SleepDurationInUs | UInt64 | |
| ScreenOffFullEnergyCapacityAtStart | UInt32 | |
| ScreenOffFullEnergyCapacityAtEnd | UInt32 | |
| SleepFullEnergyCapacityAtStart | UInt32 | |
| SleepFullEnergyCapacityAtEnd | UInt32 | |
| PowerSchemeInfo | UInt32 | |
| PowerButtonSuppressionActionCount | UInt32 | |
| ScreenOffSwDripsResidencyInUs | UInt64 | |
| ScreenOffHwDripsResidencyInUs | UInt64 | |
| SleepSwDripsResidencyInUs | UInt64 | |
| SleepHwDripsResidencyInUs | UInt64 | |
Event ID 508: The system has been constrained to a periodic tick Reason.
Event ID 510: Scenario Power Manager (SPM) policy framework has current status: SpmStatus.
Event ID 512: SpmPolicyAliasRundown
Fields
| Name | Type | Description |
|---|---|---|
| PolicyGuid | GUID | |
| PolicyAliasLength | UInt16 | |
| PolicyAlias | UnicodeString | |
Event ID 513: SpmScenarioPolicyRundown
Fields
| Name | Type | Description |
|---|---|---|
| ScenarioGuid | GUID | |
| ScenarioNameLength | UInt16 | |
| ScenarioName | UnicodeString | |
| Flags | UInt32 | |
| DefaultSettingsScenarioGuid | GUID | |
| PolicyCount | UInt16 | |
| PolicySettings | Int32 | |
Event ID 518: IoShutdownFileSystemsStart
Event ID 519: IoShutdownFileSystemsStop
Event ID 520: The brightness on this system is managed by high-precision brightness aware service.
Description
The brightness on this system is managed by high-precision brightness aware service.
Event ID 521: Active battery count change.
Description
Active battery count change.
Fields
| Name | Type | Description |
|---|---|---|
| ValidBatteryCount | UInt32 | |
| ErrorBatteryCount | UInt32 | |
| AbandonedBatteryCount | UInt32 | |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Power",
    "guid": "331C3B3A-2005-44C2-AC5E-77220C37D6B4",
    "event_source_name": "",
    "event_id": 521,
    "version": 0,
    "level": 4,
    "task": 220,
    "opcode": 0,
    "keywords": 9223372036854776836,
    "time_created": "2022-04-04T13:11:11.019552+00:00",
    "event_record_id": 1541,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 260
    },
    "channel": "System",
    "computer": "WIN-TKC15D7KHUR",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "ValidBatteryCount": 1,
    "ErrorBatteryCount": 0,
    "AbandonedBatteryCount": 0
  },
  "message": ""
}
```
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 522: CsDripsDivergence
Fields
| Name | Type | Description |
|---|---|---|
| HwDripsTotalTimeValid | Boolean | |
| DripsTotalTimeThisPeriodUs | UInt64 | |
| HwDripsTotalTimeThisPeriodUs | UInt64 | |
| PopDripsSwHwDivergenceThreshold | UInt32 | |
Event ID 523: Irp
Fields
| Name | Type | Description |
|---|---|---|
| Irp | Pointer | |
| Status | UInt32 | NTSTATUS reference |
| FailedDriver | UnicodeString | |
| ElapsedTime | UInt64 | |
Event ID 524: Index Battery Trigger Met.
Description
Index Battery Trigger Met.
Fields
| Name | Type | Description |
|---|---|---|
| Index | UInt32 | |
| ActiveBatteryCount | UInt32 | |
| RemainingPercentage | UInt32 | |
| IsAcOnline | UInt32 | |
| BatteryActionInternalFlags | HexInt32 | |
| IsPowerActionCallIgnored | UInt32 | |
| IsPowerPolicyEnabled | UInt32 | |
| PowerPolicyAction | UInt32 | |
| PowerPolicyBatteryLevel | UInt32 | |
| PowerPolicyEventCode | UInt32 | |
| PowerPolicyMinState | UInt32 | |
Event ID 526: NetRefreshTimerDisarmed
Event ID 529: PowerAggregatorQueueOverflow
Fields
| Name | Type | Description |
|---|---|---|
| Intent | UInt32 | |
| Class | UInt32 | |
| PowerEvent | UInt32 | |
Event ID 530: PowerAggregatorRequest
Fields
| Name | Type | Description |
|---|---|---|
| SessionId | UInt32 | |
| RequestQueueId | UInt32 | |
| Intent | UInt32 | |
| Class | UInt32 | |
| PowerEvent | UInt32 | |
| VetoReason | UInt32 | |
Event ID 531: PowerAggregatorValidationEvent
Fields
| Name | Type | Description |
|---|---|---|
| SessionId | UInt32 | |
| Action | UInt32 | |
| Result | UInt32 | |
Event ID 533: PowerAggregatorSessionBegin
Fields
| Name | Type | Description |
|---|---|---|
| SessionId | UInt32 | |
| PowerEvent | UInt32 | |
| Action | UInt32 | |
| AudioActivity | Boolean | |
| DisconnectedStandbyMode | UInt32 | |
| DsEnabled | Boolean | |
Event ID 535: DirectedDripsEngaged_V1
Fields
| Name | Type | Description |
|---|---|---|
| CsSessionId | UInt8 | |
| Engaged | Boolean | |
| CsSessionIdV2 | UInt64 | |
Event ID 536: DirectedDripsWorker_V1
Fields
| Name | Type | Description |
|---|---|---|
| CsSessionId | UInt8 | |
| WorkFlags | UInt64 | |
| CsSessionIdV2 | UInt64 | |
Event ID 538: DirectedDripsNotifyAppsAndServices_V1
Fields
| Name | Type | Description |
|---|---|---|
| CsSessionId | UInt8 | |
| Suspended | Boolean | |
| Result | UInt32 | |
| DurationMs | UInt64 | |
| CsSessionIdV2 | UInt64 | |
Event ID 539: DirectedDripsNotifyDevices_V1
Fields
| Name | Type | Description |
|---|---|---|
| CsSessionId | UInt8 | |
| Suspended | Boolean | |
| Result | UInt32 | |
| DurationMs | UInt64 | |
| CsSessionIdV2 | UInt64 | |
Event ID 540: DirectedDripsInitialization
Fields
| Name | Type | Description |
|---|---|---|
| EnableResult | UInt32 | |
| InitializationResult | UInt32 | |
Event ID 541: SIdleUpdateNotificationWorker
Fields
| Name | Type | Description |
|---|---|---|
| SystemIdle | Boolean | |
| Status | UInt32 | NTSTATUS reference |
| TimeoutSource | UInt32 | |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Power",
    "guid": "{331C3B3A-2005-44C2-AC5E-77220C37D6B4}",
    "event_source_name": "",
    "event_id": 541,
    "version": 1,
    "level": 4,
    "task": 240,
    "opcode": 0,
    "keywords": "0x4000000000000004",
    "time_created": "2026-06-02T05:56:05.349+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 11208
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Status": 0,
    "SystemIdle": false,
    "TimeoutSource": 5
  },
  "message": "SIdleUpdateNotificationWorker"
}
```
Event ID 542: PowerAggregatorInvalidRequestIndex
Fields
| Name | Type | Description |
|---|---|---|
| RequestIndex | UInt32 | |
| NumberOfRequests | UInt32 | |
| QueueSize | UInt32 | |
Event ID 544: DirectedDripsDisengageMaskChange
Fields
| Name | Type | Description |
|---|---|---|
| OldMask | UInt32 | |
| NewMask | UInt32 | |
| SetFlags | UInt32 | |
| ClearedFlags | UInt32 | |
Event ID 545: DirectedDripsDeviceVisit_V1
Fields
| Name | Type | Description |
|---|---|---|
| BroadcastTreeId | UInt32 | |
| IsRootDevice | Boolean | |
| DeviceNode | Pointer | |
| InstancePathLength | UInt32 | |
| InstancePath | UnicodeString | |
| VisitType | UInt32 | |
Event ID 546: DirectedDripsProblemDevice
Fields
| Name | Type | Description |
|---|---|---|
| BroadcastTreeId | UInt32 | |
| DeviceNode | Pointer | |
| Reason | UInt32 | |
Event ID 547: DirectedPowerTransitionStart
Fields
| Name | Type | Description |
|---|---|---|
| DeviceNode | Pointer | |
| PowerDown | Boolean | |
Event ID 548: DirectedPowerTransitionEnd_V1
Fields
| Name | Type | Description |
|---|---|---|
| DeviceNode | Pointer | |
| PowerDown | Boolean | |
| DevicePowerState | UInt32 | |
Event ID 549: SystemIdleAssessment
Fields
| Name | Type | Description |
|---|---|---|
| IdleTimeout | UInt32 | |
| NotIdleEvents | UInt32 | |
| IsSystemIdle | Boolean | |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Power",
    "guid": "{331C3B3A-2005-44C2-AC5E-77220C37D6B4}",
    "event_source_name": "",
    "event_id": 549,
    "version": 0,
    "level": 4,
    "task": 251,
    "opcode": 0,
    "keywords": "0x4000000000000004",
    "time_created": "2026-06-02T05:56:05.349+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 11208
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "IdleTimeout": 0,
    "IsSystemIdle": false,
    "NotIdleEvents": 14
  },
  "message": "SystemIdleAssessment"
}
```
Event ID 550: SystemIdleEventAssessment
Fields
| Name | Type | Description |
|---|---|---|
| EventType | UInt32 | |
| TimeSinceEvent | UInt32 | |
| IdleTimeout | UInt32 | |
| WasIgnored | Boolean | |
| BusyReason | UInt32 | |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Power",
    "guid": "{331C3B3A-2005-44C2-AC5E-77220C37D6B4}",
    "event_source_name": "",
    "event_id": 550,
    "version": 0,
    "level": 4,
    "task": 252,
    "opcode": 0,
    "keywords": "0x4000000000000004",
    "time_created": "2026-06-02T05:56:05.349+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 11208
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "BusyReason": 0,
    "EventType": 0,
    "IdleTimeout": 0,
    "TimeSinceEvent": 121456,
    "WasIgnored": true
  },
  "message": "SystemIdleEventAssessment"
}
```
Event ID 552: SystemIdleContextUpdate
Fields
| Name | Type | Description |
|---|---|---|
| Reason | UInt32 | |
| PreviousTimeoutSource | UInt32 | |
| PreviousTimeout | UInt32 | |
| NewTimeoutSource | UInt32 | |
| NewTimeout | UInt32 | |
Event ID 553: DirectedFxPowerStateFailure
Fields
| Name | Type | Description |
|---|---|---|
| FxDevice | Pointer | |
| DeviceNode | Pointer | |
| InstancePathLength | UInt32 | |
| InstancePath | UnicodeString | |
Event ID 554: DirectedDripsDeviceStats
Fields
| Name | Type | Description |
|---|---|---|
| CsSessionId | UInt8 | |
| DeviceNode | Pointer | |
| FriendlyNameLength | UInt32 | |
| FriendlyName | UnicodeString | |
| HardwareIdLength | UInt32 | |
| HardwareId | UnicodeString | |
| DeviceClassNameLength | UInt32 | |
| DeviceClassName | UnicodeString | |
| DeviceClassGuidLength | UInt32 | |
| DeviceClassGuid | UnicodeString | |
| BroadcastTreeId | UInt32 | |
| DfxTransitionCount | UInt32 | |
| Ps4TransitionCount | UInt32 | |
| Flags | UInt32 | |
Event ID 555: ExecutePowerAction
Fields
| Name | Type | Description |
|---|---|---|
| Reason | UInt32 | |
| TriggerFlags | UInt32 | |
| UserNotify | UInt32 | |
| PowerAction | UInt32 | |
| PowerActionFlags | UInt32 | |
| PowerActionEventCode | UInt32 | |
| MinState | UInt32 | |
| SubstitutionPolicy | UInt32 | |
| LocalPowerAction | UInt32 | |
| LocalPowerActionFlags | UInt32 | |
| LocalPowerActionEventCode | UInt32 | |
| Disabled | Boolean | |
| RequesterNameLength | UInt32 | |
| RequesterName | AnsiString | |
Event ID 556: DirectedDripsErrorRecord
Fields
| Name | Type | Description |
|---|---|---|
| SessionId | UInt64 | |
| RootDeviceNode | Pointer | |
| ErrorDeviceNode | Pointer | |
| ReasonCode | UInt32 | |
| Count | UInt32 | |
Event ID 557: A driver is attempting to update the system timer resolution to a value of RequestedResolution.
Description
A driver is attempting to update the system timer resolution to a value of RequestedResolution.
Fields
| Name | Type | Description |
|---|---|---|
| RequestedResolution | UInt32 | |
| Tag | UInt32 | |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Power",
    "guid": "{331C3B3A-2005-44C2-AC5E-77220C37D6B4}",
    "event_source_name": "",
    "event_id": 557,
    "version": 0,
    "level": 4,
    "task": 259,
    "opcode": 0,
    "keywords": "0x4000000000000004",
    "time_created": "2026-06-02T05:27:45.331+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 14928
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "RequestedResolution": 65000,
    "Tag": 1397707336
  },
  "message": "SystemTimeResolutionKernelChangeInternal"
}
```
Event ID 558: PowerAggregatorHandleIntent_V1
Fields
| Name | Type | Description |
|---|---|---|
| Intent | UInt32 | |
| Class | UInt32 | |
| Cause | UInt32 | |
| Status | UInt32 | NTSTATUS reference |
| CurrentTargetState | UInt32 | |
| NextTargetState | UInt32 | |
| PartA_PrivTags | UInt64 | |
| TriageContextLength | UInt32 | |
| TriageContext | Binary | |
Event ID 559: PowerAggregatorWorkerStart
Event ID 560: PowerAggregatorWorkerEnd
Event ID 561: PowerAggregatorInternalStateChange
Fields
| Name | Type | Description |
|---|---|---|
| CurrentInternalState | UInt32 | |
| NextInternalState | UInt32 | |
Event ID 562: PowerAggregatorHandlerInvoke
Fields
| Name | Type | Description |
|---|---|---|
| CurrentTargetState | UInt32 | |
| CurrentInternalState | UInt32 | |
Event ID 563: PowerAggregatorPdcPhasesExited
Event ID 564: PowerAggregatorPdcSleepTransition
Fields
| Name | Type | Description |
|---|---|---|
| IsSleepEnter | Boolean | |
| Token | UInt32 | |
| CurrentTargetState | UInt32 | |
| CurrentInternalState | UInt32 | |
| Status | UInt32 | NTSTATUS reference |
Event ID 565: PowerAggregatorSuspendResume
Fields
| Name | Type | Description |
|---|---|---|
| Suspended | Boolean | |
| SuspendCount | Int32 | |
Event ID 566: The system session has transitioned from PreviousSessionId to NextSessionId.
Description
The system session has transitioned from PreviousSessionId to NextSessionId.
Fields
| Name | Type | Description |
|---|---|---|
| BootId | UInt32 | |
| Reason | UInt32 | |
| PreviousSessionId | UInt64 | |
| PreviousSessionType | UInt32 | |
| PreviousSessionDurationInUs | UInt64 | |
| PreviousEnergyCapacityAtStart | UInt32 | |
| PreviousFullEnergyCapacityAtStart | UInt32 | |
| PreviousEnergyCapacityAtEnd | UInt32 | |
| PreviousFullEnergyCapacityAtEnd | UInt32 | |
| NextSessionId | UInt64 | |
| NextSessionType | UInt32 | |
| PowerStateAc | Boolean | |
| MonitorReason | UInt32 | |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Power",
    "guid": "{331C3B3A-2005-44C2-AC5E-77220C37D6B4}",
    "event_source_name": "",
    "event_id": 566,
    "version": 0,
    "level": 4,
    "task": 268,
    "opcode": 0,
    "keywords": -9223372036854774268,
    "time_created": "2026-05-28T03:43:33.2479340+00:00",
    "event_record_id": 1658,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 4644
    },
    "channel": "System",
    "computer": "telemetry-DC-d.cell-d.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "BootId": "4",
    "Reason": "32",
    "PreviousSessionId": "1",
    "PreviousSessionType": "1",
    "PreviousSessionDurationInUs": "10032016120",
    "PreviousEnergyCapacityAtStart": "0",
    "PreviousFullEnergyCapacityAtStart": "0",
    "PreviousEnergyCapacityAtEnd": "0",
    "PreviousFullEnergyCapacityAtEnd": "0",
    "NextSessionId": "3",
    "NextSessionType": "0",
    "PowerStateAc": "true",
    "MonitorReason": "32"
  },
  "message": "The system session has transitioned from 1 to 3.\r\n\r\nReason: 4"
}
```
Event ID 567: SuspendAppsNotificationPhaseStart
Event ID 568: SuspendAppsNotificationPhaseStop
Event ID 569: SuspendServicesNotificationPhaseStart
Event ID 570: SuspendServicesNotificationPhaseStop
Event ID 571: ResumeAppsNotificationPhaseStart
Event ID 572: ResumeAppsNotificationPhaseStop
Event ID 573: ResumeServicesNotificationPhaseStart
Event ID 574: ResumeServicesNotificationPhaseStop
Event ID 575: DripsWakeSourceMapping
Fields
| Name | Type | Description |
|---|---|---|
| Token | UInt32 | |
| ReasonDescriptionLength | UInt32 | |
| ReasonDescription | UnicodeString | |
Event ID 576: AdaptiveSessionState_V1
Fields
| Name | Type | Description |
|---|---|---|
| SessionId | UInt32 | |
| LastInputTimestamp | UInt64 | |
| LastDisplayOffTimestamp | UInt64 | |
| SessionDisplayState | UInt32 | |
| DisplayTimeout | UInt32 | |
| InputTimeout | UInt32 | |
| NotifyOnNextUserInput | Boolean | |
| DisplayTimeoutSource | UInt32 | |
| DimTimeout | UInt32 | |
| DimTimeoutSource | UInt32 | |
Event ID 577: The system has prepared for a system initiated reboot from AdaptiveTargetState.
Description
The system has prepared for a system initiated reboot from AdaptiveTargetState.
Fields
| Name | Type | Description |
|---|---|---|
| AdaptiveTargetState | UInt32 | |
| IsUnattended | Boolean | |
| Status | UInt32 | NTSTATUS reference |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Power",
    "guid": "{331C3B3A-2005-44C2-AC5E-77220C37D6B4}",
    "event_source_name": "",
    "event_id": 577,
    "version": 0,
    "level": 4,
    "task": 280,
    "opcode": 0,
    "keywords": -9223372036854775804,
    "time_created": "2026-06-13T13:53:28.1336123+00:00",
    "event_record_id": 2614,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 3184
    },
    "channel": "System",
    "computer": "telemetry-W11-d.cell-d.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "AdaptiveTargetState": "0",
    "IsUnattended": "false",
    "Status": "279"
  },
  "message": "The system has prepared for a system initiated reboot from Active."
}
```
Event ID 578: The system has detected a system initiated reboot from AdaptiveTargetState.
Description
The system has detected a system initiated reboot from AdaptiveTargetState.
Fields
| Name | Type | Description |
|---|---|---|
| AdaptiveTargetState | UInt32 | |
| IsUnattended | Boolean | |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Power",
    "guid": "331C3B3A-2005-44C2-AC5E-77220C37D6B4",
    "event_source_name": "",
    "event_id": 578,
    "version": 0,
    "level": 4,
    "task": 281,
    "opcode": 0,
    "keywords": 9223372036854775812,
    "time_created": "2026-03-14T01:39:48.147324+00:00",
    "event_record_id": 2398,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 8
    },
    "channel": "System",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "AdaptiveTargetState": 6,
    "IsUnattended": false
  },
  "message": ""
}
```
Event ID 579: StateTransitionFailure
Fields
| Name | Type | Description |
|---|---|---|
| ThreadToken | Pointer | |
| Status | UInt32 | NTSTATUS reference |
| FailurePoint | UInt32 | |
Event ID 580: NotifyConsoleUserPresent
Fields
| Name | Type | Description |
|---|---|---|
| Result | UInt8 | |
| VirtualConsole | UInt8 | |
| SessionId | UInt32 | |
| MonitorOnReason | UInt32 | |
Event ID 581: Win32kCallout
Fields
| Name | Type | Description |
|---|---|---|
| ParamToken | Pointer | |
| AttachMode | UInt8 | |
| IsSingleSession | UInt8 | |
| SessionId | UInt32 | |
| Type | UInt8 | |
| IsSync | UInt8 | |
Event ID 582: Win32kCallout582
Fields
| Name | Type | Description |
|---|---|---|
| ParamToken | Pointer | |
| PsStatus | UInt32 | |
| SkipReason | UInt32 | |
Event ID 583: Win32kCallout583
Fields
| Name | Type | Description |
|---|---|---|
| ParamToken | Pointer | |
| AttachMode | UInt8 | |
| IsSingleSession | UInt8 | |
| SessionId | UInt32 | |
| EventNumber | UInt8 | |
| EventCode | Pointer | |
Event ID 584: Win32kCallout584
Fields
| Name | Type | Description |
|---|---|---|
| ParamToken | Pointer | |
| PsStatus | UInt32 | |
| SkipReason | UInt32 | |
Event ID 585: Win32kCallout585
Fields
| Name | Type | Description |
|---|---|---|
| ParameterToken | Pointer | |
| AttachMode | UInt8 | |
| IsSingleSession | UInt8 | |
| SessionId | UInt32 | |
| PowerAction | UInt32 | |
| MinState | UInt32 | |
| PowerActionFlags | UInt32 | |
| PowerStateTask | UInt32 | |
Event ID 586: Win32kCallout586
Fields
| Name | Type | Description |
|---|---|---|
| ParamToken | Pointer | |
| PsStatus | UInt32 | |
| SkipReason | UInt32 | |
Event ID 587: IrpWatchdogTriggered
Fields
| Name | Type | Description |
|---|---|---|
| Irp | Pointer | |
| DeviceInstancePathLength | UInt32 | |
| DeviceInstancePath | UnicodeString | |
Event ID 591: PowerLimitRequestAdd
Fields
| Name | Type | Description |
|---|---|---|
| Token | Pointer | |
| DeviceIdLength | UInt32 | |
| DeviceId | UnicodeString | |
| CallerLength | UInt32 | |
| Caller | UnicodeString | |
| ContextLength | UInt32 | |
| Context | UnicodeString | |
| ReasonLength | UInt32 | |
| Reason | Binary | |
| LimitCount | UInt32 | |
| Values | Float | |
Event ID 592: PowerLimitRequestRemove
Fields
| Name | Type | Description |
|---|---|---|
| Token | Pointer | |
| DeviceIdLength | UInt32 | |
| DeviceId | UnicodeString | |
| CallerLength | UInt32 | |
| Caller | UnicodeString | |
| ContextLength | UInt32 | |
| Context | UnicodeString | |
| ReasonLength | UInt32 | |
| Reason | Binary | |
| LimitCount | UInt32 | |
| Values | Float | |
Event ID 593: PowerLimitRequestRundown
Fields
| Name | Type | Description |
|---|---|---|
| Token | Pointer | |
| DeviceIdLength | UInt32 | |
| DeviceId | UnicodeString | |
| CallerLength | UInt32 | |
| Caller | UnicodeString | |
| ContextLength | UInt32 | |
| Context | UnicodeString | |
| ReasonLength | UInt32 | |
| Reason | Binary | |
| LimitCount | UInt32 | |
| Values | Float | |
Event ID 594: PowerLimitRequestUpdate
Fields
| Name | Type | Description |
|---|---|---|
| Token | Pointer | |
| ReasonLength | UInt32 | |
| Reason | Binary | |
| LimitCount | UInt32 | |
| Values | Int16 | |
Event ID 595: PowerLimitExtensionAdd
Fields
| Name | Type | Description |
|---|---|---|
| Token | Pointer | |
| DeviceIdLength | UInt32 | |
| DeviceId | UnicodeString | |
| LimitCount | UInt32 | |
| Attributes | Int16 | |
Event ID 596: PowerLimitExtensionRemove
Fields
| Name | Type | Description |
|---|---|---|
| Token | Pointer | |
| DeviceIdLength | UInt32 | |
| DeviceId | UnicodeString | |
| LimitCount | UInt32 | |
| Attributes | Int16 | |
Event ID 597: PowerLimitExtensionRundown
Fields
| Name | Type | Description |
|---|---|---|
| Token | Pointer | |
| DeviceIdLength | UInt32 | |
| DeviceId | UnicodeString | |
| LimitCount | UInt32 | |
| Attributes | Int16 | |
Event ID 598: PowerLimitExtensionUpdate
Fields
| Name | Type | Description |
|---|---|---|
| Token | Pointer | |
| LimitCount | UInt32 | |
| Values | Int8 | |
Event ID 600: SetHiberFileFailure
Fields
| Name | Type | Description |
|---|---|---|
| Status | UInt32 | NTSTATUS reference |
| FailurePoint | UInt32 | |
Event ID 601: Hibernate was disabled because invalid system binaries were detected
Description
Hibernate was disabled because invalid system binaries were detected. Min SVN required was , Actual SVN is . OS version of Invalid Binary: .
Fields
| Name | Type | Description |
|---|---|---|
| MinSVN | UInt32 | |
| HiberrsmSVN | UInt32 | |
| HiberrsmOSVersion | UInt32 | |
Event ID 601: Hibernate was disabled because invalid system binaries were detected.
Event ID 602: ModernStandbyNotification
Fields
| Name | Type | Description |
|---|---|---|
| PrevState | UInt32 | |
| TargetState | UInt32 | |
| Promoted | UInt32 | |
| Entered | UInt32 | |
| SettingGuid | GUID | |
| NewSettingValue | UInt32 | |
Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID {331C3B3A-2005-44C2-AC5E-77220C37D6B4}
Defined in microsoft-windows-kernel-power-events.dll, which carries the event manifest.
Observed on:
- WS2022-20348.4893, sample captured from a live trace, binary version 10.0.20348.3932, captured 2026-06-02
- Win11-26200.6584, sample captured from a live trace, binary version 10.0.26100.4652, captured 2026-06-02
- WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.3932, captured 2026-06-02
- Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.4652, captured 2026-06-02