Microsoft-Windows-Kernel-Process
27 events across 2 channels
Event ID 1: Process ProcessID started at time CreateTime by parent ParentProcessID running in session SessionID with name ImageName.
Description
Process ProcessID started at time CreateTime by parent ParentProcessID running in session SessionID with name ImageName.
Fields
| Name | Type | Description |
|---|---|---|
| ProcessID | UInt32 | Process identifier; handed out again once the process exits |
| ProcessSequenceNumber | UInt64 | Per-boot sequence number that is never reused; (ProcessID, ProcessSequenceNumber) identifies a process unambiguously |
| CreateTime | FILETIME | Process creation time (UTC) |
| ParentProcessID | UInt32 | |
| ParentProcessSequenceNumber | UInt64 | Sequence number of the parent, for joining to the parent's own Event ID 1 or Event ID 15 record |
| SessionID | UInt32 | Session the process runs in; 0 is the services session |
| Flags | UInt32 | |
| ProcessTokenElevationType | UInt32 | TOKEN_ELEVATION_TYPE of the primary token: 1 = Default, 2 = Full, 3 = Limited |
| ProcessTokenIsElevated | UInt32 | 1 if the primary token is elevated, 0 otherwise |
| MandatoryLabel | SID | Integrity level of the process as S-1-16-<level>: 4096 Low, 8192 Medium, 12288 High, 16384 System |
| ImageName | UnicodeString | NT device path of the executable (\Device\HarddiskVolumeN\..., not a drive letter) |
| ImageChecksum | UInt32 | CheckSum from the PE optional header |
| TimeDateStamp | UInt32 | TimeDateStamp from the PE file header (for Microsoft's own Windows binaries a build hash rather than a date) |
| PackageFullName | UnicodeString | Package identity for packaged (AppX/MSIX) apps; empty otherwise |
| PackageRelativeAppId | UnicodeString | Application identity within the package; empty otherwise |
| SecurityMitigations | UInt32 | Process mitigation policy flags; not present in the version 3 event shown below |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Kernel-Process",
"guid": "{22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716}",
"event_source_name": "",
"event_id": "1",
"version": "3",
"level": "4",
"task": "1",
"opcode": "1",
"keywords": 9223372036854775824,
"time_created": "2026-03-16T00:21:34.692445600+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "10736",
"thread_id": "11352"
},
"channel": "Microsoft-Windows-Kernel-Process/Analytic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"ProcessID": " 12824",
"ProcessSequenceNumber": "11445",
"CreateTime": "2026-03-16T00:21:34.692334100Z",
"ParentProcessID": " 10736",
"ParentProcessSequenceNumber": "11430",
"SessionID": " 0",
"Flags": " 0",
"ProcessTokenElevationType": " 1",
"ProcessTokenIsElevated": " 1",
"MandatoryLabel": "S-1-16-12288",
"ImageName": "\\Device\\HarddiskVolume4\\Windows\\System32\\logman.exe",
"ImageChecksum": "0x23D2D",
"TimeDateStamp": "0x4E0C0A88",
"PackageFullName": "",
"PackageRelativeAppId": ""
},
"message": ""
}
Event ID 2: Process ProcessID (which started at time CreateTime) stopped at time ExitTime with exit code ExitCode.
Description
Process ProcessID (which started at time CreateTime) stopped at time ExitTime with exit code ExitCode.
Fields
| Name | Type | Description |
|---|---|---|
| ProcessID | UInt32 | |
| ProcessSequenceNumber | UInt64 | Same value as in the matching Event ID 1; join on (ProcessID, ProcessSequenceNumber), not on ProcessID alone |
| CreateTime | FILETIME | |
| ExitTime | FILETIME | |
| ExitCode | UInt32 | Process exit code |
| TokenElevationType | UInt32 | Token elevation type: 1 = Default, 2 = Full, 3 = Limited |
| HandleCount | UInt32 | Handles still open at exit |
| CommitCharge | UInt64 | |
| CommitPeak | UInt64 | |
| CPUCycleCount | UInt64 | |
| ReadOperationCount | UInt32 | |
| WriteOperationCount | UInt32 | |
| ReadTransferKiloBytes | UInt32 | |
| WriteTransferKiloBytes | UInt32 | |
| HardFaultCount | UInt32 | |
| ImageName | AnsiString | File name only (e.g. logman.exe), unlike the full NT path carried by Event ID 1 |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Kernel-Process",
"guid": "{22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716}",
"event_source_name": "",
"event_id": "2",
"version": "2",
"level": "4",
"task": "2",
"opcode": "2",
"keywords": 9223372036854775824,
"time_created": "2026-03-16T00:21:34.683819100+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12260",
"thread_id": "12100"
},
"channel": "Microsoft-Windows-Kernel-Process/Analytic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"ProcessID": " 12260",
"ProcessSequenceNumber": "11443",
"CreateTime": "2026-03-16T00:21:34.308419900Z",
"ExitTime": "2026-03-16T00:21:34.682710100Z",
"ExitCode": " 0",
"TokenElevationType": " 1",
"HandleCount": " 122",
"CommitCharge": "1835008",
"CommitPeak": "2371584",
"CPUCycleCount": "365618549",
"ReadOperationCount": " 0",
"WriteOperationCount": " 1",
"ReadTransferKiloBytes": " 0",
"WriteTransferKiloBytes": " 0",
"HardFaultCount": " 0",
"ImageName": "logman.exe"
},
"message": ""
}
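The two records above are only useful once they are joined, and the join key a practitioner wants is (ProcessID, ProcessSequenceNumber) rather than the PID alone. The following is an added example, not the page's or Microsoft's code, that correlates Event ID 1 and Event ID 2 records shaped like the examples, decodes ProcessTokenElevationType, ProcessTokenIsElevated and MandatoryLabel, and reports stops that have no matching start. The input is built from the page's two example events plus constructed records, marked as such in the code; the ELEVATION_TYPES and INTEGRITY_LEVELS tables are the standard winnt.h values, not something the page lists.

```python
"""Join Kernel-Process Event ID 1 (start) to Event ID 2 (stop) and decode the
token fields. Added example for this page, not code from the provider or any
tool it names; records are built from the page's examples plus constructed ones."""
from datetime import datetime, timezone

# TOKEN_ELEVATION_TYPE (winnt.h): TokenElevationTypeDefault/Full/Limited.
ELEVATION_TYPES = {1: "Default", 2: "Full", 3: "Limited"}

# Mandatory integrity levels are SIDs of the form S-1-16-<level>.
INTEGRITY_LEVELS = {0: "Untrusted", 0x1000: "Low", 0x2000: "Medium", 0x2100: "MediumPlus",
                    0x3000: "High", 0x4000: "System", 0x5000: "ProtectedProcess"}


def parse_uint(value):
    """event_data integers arrive as padded decimal (" 12824") or hex ("0x23D2D")."""
    text = value.strip()
    return int(text, 16) if text.lower().startswith("0x") else int(text, 10)


def parse_time(value):
    """FILETIME fields are rendered with seven fractional digits; keep six for fromisoformat."""
    text = value.rstrip("Z")
    if "." in text:
        head, frac = text.split(".", 1)
        text = f"{head}.{frac[:6]}"
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


def integrity_level(sid):
    """Name the level of a MandatoryLabel SID; unknown levels come back verbatim."""
    prefix = "S-1-16-"
    if not sid.startswith(prefix):
        return None
    return INTEGRITY_LEVELS.get(int(sid[len(prefix):]), sid)


def correlate(events):
    """Return ({(ProcessID, ProcessSequenceNumber): record}, orphan stop keys). A PID is
    handed out again as soon as the process exits; the sequence number never is."""
    procs, orphans = {}, []
    for ev in events:
        d = ev["event_data"]
        key = (parse_uint(d["ProcessID"]), parse_uint(d["ProcessSequenceNumber"]))
        if ev["system"]["event_id"] == "1":
            etype = parse_uint(d["ProcessTokenElevationType"])
            procs[key] = {
                "image": d["ImageName"],
                "parent": (parse_uint(d["ParentProcessID"]), parse_uint(d["ParentProcessSequenceNumber"])),
                "session": parse_uint(d["SessionID"]),
                "elevation_type": ELEVATION_TYPES.get(etype, etype),
                "is_elevated": parse_uint(d["ProcessTokenIsElevated"]) == 1,
                "integrity": integrity_level(d["MandatoryLabel"]),
                "create_time": parse_time(d["CreateTime"]),
                "exit_code": None, "lifetime_s": None,
            }
        elif ev["system"]["event_id"] == "2":
            rec = procs.get(key)
            if rec is None:  # started before the trace; the Event ID 15 rundown fills this gap
                orphans.append(key)
                continue
            rec["exit_code"] = parse_uint(d["ExitCode"])
            rec["lifetime_s"] = (parse_time(d["ExitTime"]) - rec["create_time"]).total_seconds()
    return procs, orphans


def _ev(event_id, **data):
    return {"system": {"event_id": str(event_id)}, "event_data": data}


SAMPLE_EVENTS = [
    # Event ID 1 from the page's example: logman.exe, PID 12824, sequence 11445.
    _ev(1, ProcessID=" 12824", ProcessSequenceNumber="11445",
        CreateTime="2026-03-16T00:21:34.692334100Z", ParentProcessID=" 10736",
        ParentProcessSequenceNumber="11430", SessionID=" 0", ProcessTokenElevationType=" 1",
        ProcessTokenIsElevated=" 1", MandatoryLabel="S-1-16-12288",
        ImageName="\\Device\\HarddiskVolume4\\Windows\\System32\\logman.exe"),
    # Event ID 2 from the page's example: PID 12260 started before the trace.
    _ev(2, ProcessID=" 12260", ProcessSequenceNumber="11443",
        CreateTime="2026-03-16T00:21:34.308419900Z",
        ExitTime="2026-03-16T00:21:34.682710100Z", ExitCode=" 0"),
    # Constructed (not on the page): the stop for PID 12824, 0.5 s after its start.
    _ev(2, ProcessID=" 12824", ProcessSequenceNumber="11445",
        CreateTime="2026-03-16T00:21:34.692334100Z",
        ExitTime="2026-03-16T00:21:35.192334100Z", ExitCode=" 0"),
    # Constructed (not on the page): PID 12824 recycled by a UAC-limited, medium-integrity
    # process in session 1; the new sequence number keeps it apart from logman.exe.
    _ev(1, ProcessID=" 12824", ProcessSequenceNumber="11500",
        CreateTime="2026-03-16T00:21:36.000000000Z", ParentProcessID=" 10736",
        ParentProcessSequenceNumber="11430", SessionID=" 1", ProcessTokenElevationType=" 3",
        ProcessTokenIsElevated=" 0", MandatoryLabel="S-1-16-8192",
        ImageName="\\Device\\HarddiskVolume4\\Windows\\System32\\notepad.exe"),
]

if __name__ == "__main__":
    procs, orphans = correlate(SAMPLE_EVENTS)
    for (pid, seq), r in procs.items():
        print(pid, seq, r["image"].rsplit("\\", 1)[-1], r["session"], r["elevation_type"],
              r["is_elevated"], r["integrity"], r["exit_code"], r["lifetime_s"])
    print("stops without a start record:", orphans)
```

In the page's Event ID 1 example, elevation type 1 (Default) together with ProcessTokenIsElevated 1, a High (S-1-16-12288) label and session 0 is the profile of a process whose token UAC never split, such as a service or a SYSTEM process; a UAC-filtered user process shows type 3 (Limited), IsElevated 0 and Medium. Stops reported as orphans belong to processes that were already running when the trace was enabled; the Event ID 15 rundown records carry the same fields as Event ID 1 and close that gap.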
Event ID 3: Thread ThreadID (in Process ProcessID) started.
Description
Thread ThreadID (in Process ProcessID) started.
Fields
| Name | Type | Description |
|---|---|---|
| ProcessID | UInt32 | |
| ThreadID | UInt32 | |
| StackBase | Pointer | Kernel stack base |
| StackLimit | Pointer | Kernel stack limit |
| UserStackBase | Pointer | |
| UserStackLimit | Pointer | |
| StartAddr | Pointer | |
| Win32StartAddr | Pointer | User-mode start routine (the address handed to CreateThread/CreateRemoteThread); compare it with the process's image ranges from Event ID 5 to spot threads started outside any loaded module |
| TebBase | Pointer | Address of the thread's TEB |
| SubProcessTag | UInt32 | Service tag of the thread; non-zero for threads owned by a service in a shared host process |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Kernel-Process",
"guid": "{22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716}",
"event_source_name": "",
"event_id": "3",
"version": "1",
"level": "4",
"task": "3",
"opcode": "1",
"keywords": 9223372036854775840,
"time_created": "2026-03-16T00:21:34.697172400+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "10736",
"thread_id": "11352"
},
"channel": "Microsoft-Windows-Kernel-Process/Analytic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"ProcessID": " 12824",
"ThreadID": " 8012",
"StackBase": "0xFFFF95027FC38000",
"StackLimit": "0xFFFF95027FC32000",
"UserStackBase": "0xE6783B0000",
"UserStackLimit": "0xE6783AE000",
"StartAddr": "0x7FF7CE4D1BE0",
"Win32StartAddr": "0x7FF7CE4D1BE0",
"TebBase": "0xE6784AA000",
"SubProcessTag": " 0"
},
"message": ""
}
Event ID 4: Thread ThreadID (in Process ProcessID) stopped.
Description
Thread ThreadID (in Process ProcessID) stopped.
Fields
| Name | Type | Description |
|---|---|---|
| ProcessID | UInt32 | |
| ThreadID | UInt32 | |
| StackBase | Pointer | Kernel stack base |
| StackLimit | Pointer | Kernel stack limit |
| UserStackBase | Pointer | |
| UserStackLimit | Pointer | |
| StartAddr | Pointer | |
| Win32StartAddr | Pointer | User-mode start routine, as in Event ID 3 |
| TebBase | Pointer | Address of the thread's TEB |
| SubProcessTag | UInt32 | Service tag of the thread |
| CycleTime | UInt64 | CPU cycles consumed over the thread's lifetime |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Kernel-Process",
"guid": "{22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716}",
"event_source_name": "",
"event_id": "4",
"version": "1",
"level": "4",
"task": "4",
"opcode": "2",
"keywords": 9223372036854775840,
"time_created": "2026-03-16T00:21:34.681762900+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12260",
"thread_id": "10668"
},
"channel": "Microsoft-Windows-Kernel-Process/Analytic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"ProcessID": " 12260",
"ThreadID": " 10668",
"StackBase": "0xFFFF95027FBAB000",
"StackLimit": "0xFFFF95027FBA5000",
"UserStackBase": "0xF308500000",
"UserStackLimit": "0xF3084FE000",
"StartAddr": "0x7FFC84CA5720",
"Win32StartAddr": "0x7FFC84CA5720",
"TebBase": "0xF308318000",
"SubProcessTag": " 0",
"CycleTime": "0x7BC303"
},
"message": ""
}
Event ID 5: Process ProcessID had an image loaded with name ImageName.
Description
Process ProcessID had an image loaded with name ImageName.
Fields
| Name | Type | Description |
|---|---|---|
| ImageBase | Pointer | Address the image was mapped at |
| ImageSize | Pointer | Size of the mapped image in bytes |
| ProcessID | UInt32 | Only the PID is carried (no ProcessSequenceNumber), so a join to Event ID 1 is only safe while that PID has not been recycled |
| ImageCheckSum | UInt32 | CheckSum from the PE optional header (spelled ImageChecksum in Event ID 1) |
| TimeDateStamp | UInt32 | TimeDateStamp from the PE file header |
| DefaultBase | Pointer | |
| ImageName | UnicodeString | NT device path of the image |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Kernel-Process",
"guid": "{22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716}",
"event_source_name": "",
"event_id": "5",
"version": "0",
"level": "4",
"task": "5",
"opcode": "0",
"keywords": 9223372036854775872,
"time_created": "2026-03-16T00:21:34.701692800+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12824",
"thread_id": "8012"
},
"channel": "Microsoft-Windows-Kernel-Process/Analytic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"ImageBase": "0x7FF7CE4C0000",
"ImageSize": "0x1E000",
"ProcessID": " 12824",
"ImageCheckSum": " 146733",
"TimeDateStamp": "1309411976",
"DefaultBase": "0x7FF7CE4C0000",
"ImageName": "\\Device\\HarddiskVolume4\\Windows\\System32\\logman.exe"
},
"message": ""
}
Event ID 6: Process ProcessID had an image unloaded with name ImageName.
Description
Process ProcessID had an image unloaded with name ImageName.
Fields
| Name | Type | Description |
|---|---|---|
| ImageBase | Pointer | Address the image was mapped at; pairs the unload with its Event ID 5 |
| ImageSize | Pointer | Size of the mapped image in bytes |
| ProcessID | UInt32 | Only the PID is carried (no ProcessSequenceNumber) |
| ImageCheckSum | UInt32 | CheckSum from the PE optional header |
| TimeDateStamp | UInt32 | TimeDateStamp from the PE file header |
| DefaultBase | Pointer | |
| ImageName | UnicodeString | NT device path of the image |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Kernel-Process",
"guid": "{22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716}",
"event_source_name": "",
"event_id": "6",
"version": "0",
"level": "4",
"task": "6",
"opcode": "0",
"keywords": 9223372036854775872,
"time_created": "2026-03-16T00:21:34.680221700+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12260",
"thread_id": "12100"
},
"channel": "Microsoft-Windows-Kernel-Process/Analytic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"ImageBase": "0x7FFC81110000",
"ImageSize": "0x34000",
"ProcessID": " 12260",
"ImageCheckSum": " 240996",
"TimeDateStamp": "4066697849",
"DefaultBase": "0x7FFC81110000",
"ImageName": "\\Device\\HarddiskVolume4\\Windows\\System32\\ntmarta.dll"
},
"message": ""
}
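Events 5 and 6 carry only ProcessID, not ProcessSequenceNumber, so any join back to the process start record is safe only while that PID has not been recycled; they also spell the checksum field ImageCheckSum where Event ID 1 says ImageChecksum, and the examples render the same values in decimal here and in hex there. The following is an added example, not the page's or Microsoft's code, that keeps a per-process module inventory from Event ID 5/6 records shaped like the examples, checks that the main executable's PE header fields agree with its Event ID 1 record, and flags images mapped from outside the Windows directory. The path heuristic (SYSTEM_IMAGE) and the constructed records (helper.dll, PID 5000) are assumptions made for the example, not findings from the page.

```python
"""Track Kernel-Process Event ID 5 (image load) and 6 (image unload) per process
and cross-check a process's own executable against its Event ID 1 start record.
Added example for this page, not code from the provider or any tool it names;
records are built from the page's examples plus constructed ones (marked)."""
import re

# Heuristic for this example only (not a rule from the page): images mapped from
# outside \Device\HarddiskVolumeN\Windows\ are reported for review.
SYSTEM_IMAGE = re.compile(r"^\\Device\\HarddiskVolume\d+\\Windows\\", re.IGNORECASE)


def parse_uint(value):
    """event_data integers arrive as padded decimal (" 146733") or hex ("0x23D2D")."""
    text = value.strip()
    return int(text, 16) if text.lower().startswith("0x") else int(text, 10)


def basename(nt_path):
    return nt_path.rsplit("\\", 1)[-1].lower()


def module_inventory(events):
    """Return ({pid: {ImageBase: module}}, anomalies); anomalies holds (kind, pid, ImageName)
    tuples with kind in header-mismatch, non-system-path, unload-without-load."""
    starts, loaded, anomalies = {}, {}, []
    for ev in events:
        eid, d = ev["system"]["event_id"], ev["event_data"]
        pid = parse_uint(d["ProcessID"])
        if eid == "1":
            starts[pid] = d
        elif eid == "5":
            module = {
                "name": d["ImageName"],
                "size": parse_uint(d["ImageSize"]),
                # Event ID 5 spells it ImageCheckSum; Event ID 1 spells it ImageChecksum.
                "checksum": parse_uint(d["ImageCheckSum"]),
                "timestamp": parse_uint(d["TimeDateStamp"]),
            }
            loaded.setdefault(pid, {})[parse_uint(d["ImageBase"])] = module
            start = starts.get(pid)
            # The main executable's header fields must agree with the start record. Events
            # 5/6 carry no sequence number, so this PID join is only valid within one lifetime.
            if start and basename(start["ImageName"]) == basename(d["ImageName"]):
                expected = (parse_uint(start["ImageChecksum"]), parse_uint(start["TimeDateStamp"]))
                if (module["checksum"], module["timestamp"]) != expected:
                    anomalies.append(("header-mismatch", pid, d["ImageName"]))
            if not SYSTEM_IMAGE.match(d["ImageName"]):
                anomalies.append(("non-system-path", pid, d["ImageName"]))
        elif eid == "6":
            if loaded.get(pid, {}).pop(parse_uint(d["ImageBase"]), None) is None:
                anomalies.append(("unload-without-load", pid, d["ImageName"]))
    return loaded, anomalies


def _ev(event_id, **data):
    return {"system": {"event_id": str(event_id)}, "event_data": data}


SYS32 = "\\Device\\HarddiskVolume4\\Windows\\System32\\"
SAMPLE_EVENTS = [
    # Event ID 1 from the page's example (header fields rendered in hex).
    _ev(1, ProcessID=" 12824", ImageName=SYS32 + "logman.exe",
        ImageChecksum="0x23D2D", TimeDateStamp="0x4E0C0A88"),
    # Event ID 5 from the page's example (the same fields rendered in decimal).
    _ev(5, ImageBase="0x7FF7CE4C0000", ImageSize="0x1E000", ProcessID=" 12824",
        ImageCheckSum=" 146733", TimeDateStamp="1309411976",
        DefaultBase="0x7FF7CE4C0000", ImageName=SYS32 + "logman.exe"),
    # Event ID 6 from the page's example: ntmarta.dll leaves PID 12260, whose load
    # happened before the trace was enabled.
    _ev(6, ImageBase="0x7FFC81110000", ImageSize="0x34000", ProcessID=" 12260",
        ImageCheckSum=" 240996", TimeDateStamp="4066697849",
        DefaultBase="0x7FFC81110000", ImageName=SYS32 + "ntmarta.dll"),
    # Constructed (not on the page): a DLL mapped into logman.exe from a user-writable directory.
    _ev(5, ImageBase="0x7FFC80000000", ImageSize="0x10000", ProcessID=" 12824",
        ImageCheckSum=" 4096", TimeDateStamp="0", DefaultBase="0x7FFC80000000",
        ImageName="\\Device\\HarddiskVolume4\\Users\\Public\\helper.dll"),
    # Constructed (not on the page): start and load records for PID 5000 disagree on the
    # checksum, as they would if the PID had been recycled between the two events.
    _ev(1, ProcessID=" 5000", ImageName=SYS32 + "calc.exe",
        ImageChecksum="0x1000", TimeDateStamp="0x2000"),
    _ev(5, ImageBase="0x7FF600000000", ImageSize="0x8000", ProcessID=" 5000",
        ImageCheckSum=" 4097", TimeDateStamp="8192", DefaultBase="0x7FF600000000",
        ImageName=SYS32 + "calc.exe"),
]

if __name__ == "__main__":
    loaded, anomalies = module_inventory(SAMPLE_EVENTS)
    for pid, mods in loaded.items():
        for base, m in sorted(mods.items()):
            print(f"pid {pid} base={base:#x} size={m['size']:#x} checksum={m['checksum']:#x} {m['name']}")
    for finding in anomalies:
        print(*finding)
```

The TimeDateStamp values deserve a caveat: 1309411976 decodes to a date in 2011 and 4066697849 to one in 2098, which is what reproducible builds of Microsoft's Windows binaries produce because they stamp a hash rather than a time. Compare the field for equality across records, as the example does, and do not read it as a build date.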
Event ID 7: Base CPU priority of thread ThreadID in process ProcessID was changed from OldPriority to NewPriority.
Description
Base CPU priority of thread ThreadID in process ProcessID was changed from OldPriority to NewPriority.
Fields
| Name | Type | Description |
|---|---|---|
| ProcessID | UInt32 | |
| ThreadID | UInt32 | |
| OldPriority | UInt8 | |
| NewPriority | UInt8 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Kernel-Process",
"guid": "{22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716}",
"event_source_name": "",
"event_id": "7",
"version": "0",
"level": "4",
"task": "7",
"opcode": "0",
"keywords": 9223372036854775936,
"time_created": "2026-03-16T00:21:34.685256600+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "3668",
"thread_id": "9620"
},
"channel": "Microsoft-Windows-Kernel-Process/Analytic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"ProcessID": " 3668",
"ThreadID": " 9620",
"OldPriority": "14",
"NewPriority": "8"
},
"message": ""
}
Event ID 8: CPU priority of thread ThreadID in process ProcessID was changed from OldPriority to NewPriority.
Description
CPU priority of thread ThreadID in process ProcessID was changed from OldPriority to NewPriority.
Fields
| Name | Type | Description |
|---|---|---|
| ProcessID | UInt32 | |
| ThreadID | UInt32 | |
| OldPriority | UInt8 | |
| NewPriority | UInt8 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Kernel-Process",
"guid": "{22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716}",
"event_source_name": "",
"event_id": "8",
"version": "0",
"level": "4",
"task": "8",
"opcode": "0",
"keywords": 9223372036854775936,
"time_created": "2026-03-16T00:21:34.751233600+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "4168",
"thread_id": "6828"
},
"channel": "Microsoft-Windows-Kernel-Process/Analytic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"ProcessID": " 4168",
"ThreadID": " 6828",
"OldPriority": "8",
"NewPriority": "16"
},
"message": ""
}
Event ID 9: Page priority of thread ThreadID in process ProcessID was changed from OldPriority to NewPriority.
Description
Page priority of thread ThreadID in process ProcessID was changed from OldPriority to NewPriority.
Fields
| Name | Type | Description |
|---|---|---|
| ProcessID | UInt32 | |
| ThreadID | UInt32 | |
| OldPriority | UInt8 | |
| NewPriority | UInt8 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Kernel-Process",
"guid": "{22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716}",
"event_source_name": "",
"event_id": "9",
"version": "0",
"level": "4",
"task": "9",
"opcode": "0",
"keywords": 9223372036854776064,
"time_created": "2026-03-16T00:21:34.685648100+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "3264",
"thread_id": "3448"
},
"channel": "Microsoft-Windows-Kernel-Process/Analytic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"ProcessID": " 3264",
"ThreadID": " 3448",
"OldPriority": "5",
"NewPriority": "1"
},
"message": ""
}
Event ID 10: I/O priority of thread ThreadID in process ProcessID was changed from OldPriority to NewPriority.
Description
I/O priority of thread ThreadID in process ProcessID was changed from OldPriority to NewPriority.
Fields
| Name | Type | Description |
|---|---|---|
| ProcessID | UInt32 | |
| ThreadID | UInt32 | |
| OldPriority | UInt8 | |
| NewPriority | UInt8 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Kernel-Process",
"guid": "{22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716}",
"event_source_name": "",
"event_id": "10",
"version": "0",
"level": "4",
"task": "10",
"opcode": "0",
"keywords": 9223372036854776064,
"time_created": "2026-03-16T00:22:35.850157400+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "3752",
"thread_id": "5952"
},
"channel": "Microsoft-Windows-Kernel-Process/Analytic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"ProcessID": " 3752",
"ThreadID": " 5952",
"OldPriority": "2",
"NewPriority": "0"
},
"message": ""
}
Event ID 11: Execution of the process FrozenProcessID has been suspended.
Event ID 12: Execution of the process FrozenProcessID has been resumed.
Event ID 13: Job ContainerID started with status code StatusCode.
Description
Job ContainerID started with status code StatusCode.
Fields
| Name | Type | Description |
|---|---|---|
| ContainerID | GUID | Container GUID of the job (rendered as "Container ID" in the example below) |
| JobID | UInt32 | Job object identifier (rendered as "Job ID" in the example below) |
| StatusCode | UInt32 | NTSTATUS reference |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Kernel-Process",
"guid": "{22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716}",
"event_source_name": "",
"event_id": "13",
"version": "0",
"level": "4",
"task": "13",
"opcode": "1",
"keywords": 9223372036854776832,
"time_created": "2026-03-16T00:22:30.860225400+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "7124",
"thread_id": "4244"
},
"channel": "Microsoft-Windows-Kernel-Process/Analytic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"Container ID": "{b0b7d412-20cb-11f1-9fbf-00155d284e57}",
"Job ID": " 880",
"StatusCode": " 0"
},
"message": ""
}
Event ID 14: Job ContainerID terminated with status code StatusCode.
Description
Job ContainerID terminated with status code StatusCode.
Fields
| Name | Type | Description |
|---|---|---|
| ContainerID | GUID | Container GUID of the job (rendered as "Container ID" in the example below) |
| JobID | UInt32 | Job object identifier (rendered as "Job ID" in the example below) |
| StatusCode | UInt32 | NTSTATUS reference |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Kernel-Process",
"guid": "{22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716}",
"event_source_name": "",
"event_id": "14",
"version": "0",
"level": "4",
"task": "14",
"opcode": "2",
"keywords": 9223372036854776832,
"time_created": "2026-03-16T00:21:38.751901900+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "10736",
"thread_id": "12560"
},
"channel": "Microsoft-Windows-Kernel-Process/Analytic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"Container ID": "{b0b7d3db-20cb-11f1-9fbf-00155d284e57}",
"Job ID": " 856",
"StatusCode": " 0"
},
"message": ""
}
Event ID 15: Enumerated process ProcessID had started at time CreateTime by parent ParentProcessID running in session SessionID with name ImageName.
Description
Enumerated process ProcessID had started at time CreateTime by parent ParentProcessID running in session SessionID with name ImageName. This is the rundown record, emitted for each process that already existed when the trace was enabled; it carries the same fields as Event ID 1 and so supplies the start record for any Event ID 2 that would otherwise arrive without one.
Fields
Same fields as Event ID 1; see the descriptions there.
| Name | Type | Description |
|---|---|---|
| ProcessID | UInt32 | |
| ProcessSequenceNumber | UInt64 | |
| CreateTime | FILETIME | |
| ParentProcessID | UInt32 | |
| ParentProcessSequenceNumber | UInt64 | |
| SessionID | UInt32 | |
| Flags | UInt32 | |
| ProcessTokenElevationType | UInt32 | |
| ProcessTokenIsElevated | UInt32 | |
| MandatoryLabel | SID | |
| ImageName | UnicodeString | |
| ImageChecksum | UInt32 | |
| TimeDateStamp | UInt32 | |
| PackageFullName | UnicodeString | |
| PackageRelativeAppId | UnicodeString | |
| SecurityMitigations | UInt32 | |
Event ID 16: task_0
Event ID 17: PsDiskIoAttributionStart
Fields
| Name | Type | Description |
|---|---|---|
| JobID | UInt32 | |
| DiskIoAttribution | Pointer | |
| StatusCode | UInt32 | NTSTATUS reference |
Event ID 18: PsDiskIoAttributionStop
Fields
| Name | Type | Description |
|---|---|---|
| JobID | UInt32 | |
| DiskIoAttribution | Pointer | |
| StatusCode | UInt32 | NTSTATUS reference |
Event ID 19: PsIoRateControlStart_V2
Fields
| Name | Type | Description |
|---|---|---|
| JobID | UInt32 | |
| IoRateControl | Pointer | |
| MaxIops | UInt64 | |
| MaxBandwidth | UInt64 | |
| MaxTimePercent | UInt64 | |
| ReservationIops | UInt64 | |
| ReservationBandwidth | UInt64 | |
| ReservationTimePercent | UInt64 | |
| CriticalReservationIops | UInt64 | |
| CriticalReservationBandwidth | UInt64 | |
| CriticalReservationTimePercent | UInt64 | |
| SoftMaxIops | UInt64 | |
| SoftMaxBandwidth | UInt64 | |
| SoftMaxTimePercent | UInt64 | |
| ControlFlags | UInt32 | |
| VolumeName | UnicodeString | |
| StatusCode | UInt32 | NTSTATUS reference |
Event ID 20: PsIoRateControlStop_V2
Fields
| Name | Type | Description |
|---|---|---|
| JobID | UInt32 | |
| IoRateControl | Pointer | |
| MaxIops | UInt64 | |
| MaxBandwidth | UInt64 | |
| MaxTimePercent | UInt64 | |
| ReservationIops | UInt64 | |
| ReservationBandwidth | UInt64 | |
| ReservationTimePercent | UInt64 | |
| CriticalReservationIops | UInt64 | |
| CriticalReservationBandwidth | UInt64 | |
| CriticalReservationTimePercent | UInt64 | |
| SoftMaxIops | UInt64 | |
| SoftMaxBandwidth | UInt64 | |
| SoftMaxTimePercent | UInt64 | |
| ControlFlags | UInt32 | |
| VolumeName | UnicodeString | |
| StatusCode | UInt32 | NTSTATUS reference |
Event ID 21: ThreadWorkOnBehalfUpdate
Fields
| Name | Type | Description |
|---|---|---|
| OldWorkOnBehalfThreadID | UInt32 | |
| NewWorkOnBehalfThreadID | UInt32 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Kernel-Process",
"guid": "{22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716}",
"event_source_name": "",
"event_id": "21",
"version": "0",
"level": "4",
"task": "18",
"opcode": "0",
"keywords": 9223372036854784000,
"time_created": "2026-03-16T00:21:34.678731600+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "1356",
"thread_id": "12108"
},
"channel": "Microsoft-Windows-Kernel-Process/Analytic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"OldWorkOnBehalfThreadID": " 0",
"NewWorkOnBehalfThreadID": " 12100"
},
"message": ""
}
Event ID 23: JobServerSiloStart23
Fields
| Name | Type | Description |
|---|---|---|
| ContainerID | GUID | |
| JobID | UInt32 | |
| MonitorName | UnicodeString | |
Event ID 24: JobServerSiloStartStop
Fields
| Name | Type | Description |
|---|---|---|
| ContainerID | GUID | |
| JobID | UInt32 | |
| Status | UInt32 | NTSTATUS reference |
| MonitorName | UnicodeString | |
Event ID 25: JobServerSiloStart25
Fields
| Name | Type | Description |
|---|---|---|
| ContainerID | GUID | |
| JobID | UInt32 | |
| MonitorName | UnicodeString | |
Event ID 26: JobServerSiloStartStop26
Fields
| Name | Type | Description |
|---|---|---|
| ContainerID | GUID | |
| JobID | UInt32 | |
| MonitorName | UnicodeString | |
Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID {22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}
Defined in Microsoft-Windows-System-Events.dll, which carries the event manifest.
Observed on:
- WS2022-20348.4893, sample captured from a live trace, binary version 10.0.20348.3932, captured 2026-06-02
- Win11-26200.6584, sample captured from a live trace, binary version 10.0.26100.5074, captured 2026-06-02
- WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.3932, captured 2026-06-02
- Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.5074, captured 2026-06-02