detection.wiki

Microsoft-Windows-Kernel-ShimEngine

21 events across 3 channels

EventTitleChannelSample
1task_0_V1DebugN
2task_02_V1DebugN
3ShimCount shim(s) were applied to driver [DriverName].OperationalY
4Flags [Flags] were applied to device [DeviceName] - class [DeviceClass].OperationalY
5task_05_V1OperationalN
6task_06_V1OperationalN
10task_010_V1DiagnosticN
11task_011_V1DiagnosticN
12task_012_V1DiagnosticN
13task_013_V1DiagnosticN
14task_014_V1DiagnosticN
15task_015_V1DiagnosticN
16task_016_V1DiagnosticN
17task_017_V1DiagnosticN
18task_018_V1DiagnosticN
19task_019_V1DiagnosticN
20task_020_V1DiagnosticN
21task_021_V1DiagnosticN
22task_022_V1DiagnosticN
23task_023_V1DiagnosticN
24task_024_V1DiagnosticN

Event ID 1: task_0_V1

#
Provider
Microsoft-Windows-Kernel-ShimEngine
Channel
Debug
Opcode
Info

Fields #

NameDescription
EventId UInt32
DebugMessage AnsiString

Event ID 2: task_02_V1

#
Provider
Microsoft-Windows-Kernel-ShimEngine
Channel
Debug
Opcode
Info

Fields #

NameDescription
EventId UInt32
DebugMessage AnsiString

Event ID 3: ShimCount shim(s) were applied to driver [DriverName].

#
Provider
Microsoft-Windows-Kernel-ShimEngine
Channel
Operational
Level
Informational
Opcode
Info

Description

ShimCount shim(s) were applied to driver [DriverName].

Message #

%3 shim(s) were applied to driver [%1].

Shim(s) source: %2.

Shim GUID(s): %4.

Fields #

NameDescription
DriverName UnicodeString
ShimSource UInt32Shim(s) source.
ShimCount UInt32
AppliedGuids UnicodeStringShim GUID(s).

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-ShimEngine",
    "guid": "0BF2FB94-7B60-4B4D-9766-E82F658DF540",
    "event_source_name": "",
    "event_id": 3,
    "version": 1,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018427387904,
    "time_created": "2023-11-06T06:20:55.625365+00:00",
    "event_record_id": 23,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 8
    },
    "channel": "Microsoft-Windows-Kernel-ShimEngine/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "DriverName": "storahci.sys",
    "ShimSource": 0,
    "ShimCount": 1,
    "AppliedGuids": "{434abafd-08fa-4c3d-a88d-d09a88e2ab17}"
  },
  "message": ""
}

References #

Event ID 4: Flags [Flags] were applied to device [DeviceName] - class [DeviceClass].

#
Provider
Microsoft-Windows-Kernel-ShimEngine
Channel
Operational
Level
Informational
Opcode
Info

Description

Flags [Flags] were applied to device [DeviceName] - class [DeviceClass].

Message #

Flags [%4] were applied to device [%1] - class [%2].

Flags source: %3.

Fields #

NameDescription
DeviceName UnicodeString
DeviceClass UnicodeString
FlagSource UInt32Flags source.
Flags UInt64

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-ShimEngine",
    "guid": "0BF2FB94-7B60-4B4D-9766-E82F658DF540",
    "event_source_name": "",
    "event_id": 4,
    "version": 1,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018427387904,
    "time_created": "2023-11-06T06:25:19.963498+00:00",
    "event_record_id": 27,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 224
    },
    "channel": "Microsoft-Windows-Kernel-ShimEngine/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "DeviceName": "NDIS:PCI\\VEN_8086&DEV_100F",
    "DeviceClass": "NdisMp",
    "FlagSource": 1,
    "Flags": 1
  },
  "message": ""
}

References #

Event ID 5: task_05_V1

#
Provider
Microsoft-Windows-Kernel-ShimEngine
Channel
Operational
Opcode
Info

Fields #

NameDescription
DriverName UnicodeString
DriverBase Pointer
DriverSize UInt32
DriverTimeStamp UInt32
DriverCheckSum UInt32

Event ID 6: task_06_V1

#
Provider
Microsoft-Windows-Kernel-ShimEngine
Channel
Operational
Opcode
Info

Fields #

NameDescription
DriverObject Pointer
DriverBase Pointer

Event ID 10: task_010_V1

#
Provider
Microsoft-Windows-Kernel-ShimEngine
Channel
Diagnostic
Opcode
Info

Fields #

NameDescription
DriverName UnicodeString
DriverBase Pointer
DriverSize UInt32
DriverTimeStamp UInt32
DriverCheckSum UInt32

Event ID 11: task_011_V1

#
Provider
Microsoft-Windows-Kernel-ShimEngine
Channel
Diagnostic
Opcode
Info

Fields #

NameDescription
DriverObject Pointer
DriverBase Pointer

Event ID 12: task_012_V1

#
Provider
Microsoft-Windows-Kernel-ShimEngine
Channel
Diagnostic
Opcode
Info

Fields #

NameDescription
DriverBase Pointer
DriverSize UInt32
DriverObject Pointer
Pdo Pointer
Status UInt32NTSTATUS reference
ServiceName UnicodeString
HardwareId UnicodeString

Event ID 13: task_013_V1

#
Provider
Microsoft-Windows-Kernel-ShimEngine
Channel
Diagnostic
Opcode
Info

Fields #

NameDescription
Address Pointer
Caller Pointer
Type UInt32
Size Pointer
Tag UInt32

Event ID 14: task_014_V1

#
Provider
Microsoft-Windows-Kernel-ShimEngine
Channel
Diagnostic
Opcode
Info

Fields #

NameDescription
Address Pointer
Caller Pointer
Tag UInt32

Event ID 15: task_015_V1

#
Provider
Microsoft-Windows-Kernel-ShimEngine
Channel
Diagnostic
Opcode
Info

Fields #

NameDescription
DriverObject Pointer
Fdo Pointer
Irp Pointer

Event ID 16: task_016_V1

#
Provider
Microsoft-Windows-Kernel-ShimEngine
Channel
Diagnostic
Opcode
Info

Fields #

NameDescription
DriverObject Pointer
Fdo Pointer
DeviceType UInt32
DeviceCharacteristics UInt32
Exclusive UInt32
Status UInt32NTSTATUS reference

Event ID 17: task_017_V1

#
Provider
Microsoft-Windows-Kernel-ShimEngine
Channel
Diagnostic
Opcode
Info

Fields #

NameDescription
DriverObject Pointer
Fdo Pointer
Irp Pointer
MajorCode UInt32
Status UInt32NTSTATUS reference

Event ID 18: task_018_V1

#
Provider
Microsoft-Windows-Kernel-ShimEngine
Channel
Diagnostic
Opcode
Info

Fields #

NameDescription
DriverObject Pointer
Fdo Pointer
Irp Pointer
MinorCode UInt32
Status UInt32NTSTATUS reference

Event ID 19: task_019_V1

#
Provider
Microsoft-Windows-Kernel-ShimEngine
Channel
Diagnostic
Opcode
Info

Fields #

NameDescription
DriverObject Pointer
Fdo Pointer
Irp Pointer
Status UInt32NTSTATUS reference

Event ID 20: task_020_V1

#
Provider
Microsoft-Windows-Kernel-ShimEngine
Channel
Diagnostic
Opcode
Info

Fields #

NameDescription
DriverObject Pointer
Fdo Pointer
Irp Pointer
Status UInt32NTSTATUS reference

Event ID 21: task_021_V1

#
Provider
Microsoft-Windows-Kernel-ShimEngine
Channel
Diagnostic
Opcode
Info

Fields #

NameDescription
DriverObject Pointer
Fdo Pointer
Irp Pointer
MinorCode UInt32
PowerType UInt32
PowerState UInt32
Status UInt32NTSTATUS reference

Event ID 22: task_022_V1

#
Provider
Microsoft-Windows-Kernel-ShimEngine
Channel
Diagnostic
Opcode
Info

Fields #

NameDescription
DriverObject Pointer
Fdo Pointer
Irp Pointer
MinorCode UInt32
PowerType UInt32
PowerState UInt32
Status UInt32NTSTATUS reference

Event ID 23: task_023_V1

#
Provider
Microsoft-Windows-Kernel-ShimEngine
Channel
Diagnostic
Opcode
Info

Fields #

NameDescription
DriverObject Pointer
Fdo Pointer
Irp Pointer
MinorCode UInt32
PowerState UInt32
Status UInt32NTSTATUS reference

Event ID 24: task_024_V1

#
Provider
Microsoft-Windows-Kernel-ShimEngine
Channel
Diagnostic
Opcode
Info

Fields #

NameDescription
DriverObject Pointer
Fdo Pointer
Irp Pointer
Status UInt32NTSTATUS reference

Provenance

Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.

ETW provider GUID 0bf2fb94-7b60-4b4d-9766-e82f658df540

Defined in Microsoft-Windows-System-Events.dll, which carries the event manifest.

Observed on:

  • WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.3932, captured 2026-06-02
  • Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.5074, captured 2026-06-02

Downloads