Microsoft-Windows-LiveId
235 events across 2 channels
Event ID 1002: LsaApLogonUserEx2_Stop.
#Description
LsaApLogonUserEx2_Stop.Status: {Status}.
Message #
Fields #
| Name | Description |
|---|---|
Status | NTSTATUS reference |
Event ID 1004: SpOnProfileLoaded_Stop.
#Description
SpOnProfileLoaded_Stop.ServiceCalled: {ServiceCalled} Status: {Status}.
Message #
Fields #
| Name | Description |
|---|---|
ServiceCalled | |
Status | NTSTATUS reference |
Event ID 1006: ConnectIdentity_Stop.
#Event ID 1008: DisconnectIdentity_Stop.
#Event ID 1010: LiveDoCachedLogon_Stop.
#Event ID 1012: LiveAuthenticate_Stop.
#Description
LiveAuthenticate_Stop.Status: {Status}.
Message #
Fields #
| Name | Description |
|---|---|
Status | NTSTATUS reference |
Event ID 1014: NetworkCall_Stop.
#Event ID 1016: DeviceAuth_Stop.
#Event ID 1018: UserAuth_Stop.
#Event ID 1020: PromptForCredentials_Stop.
#Event ID 1021: SignOutUser_RegistryOpenOrReadFailure.
#Description
SignOutUser_RegistryOpenOrReadFailure.
Message #
Fields #
| Name | Description |
|---|---|
RegistryLocation UnicodeString | |
Status HexInt32 | NTSTATUS reference |
Event ID 1022: SignOutUser_RegistryWriteFailure.
#Description
SignOutUser_RegistryWriteFailure.
Message #
Fields #
| Name | Description |
|---|---|
RegistryLocation UnicodeString | |
Status HexInt32 | NTSTATUS reference |
Event ID 2016: CommandLinkClicked_Stop.
#Event ID 2018: UserImageGetBitmapValue_Stop.
#Event ID 2020: CredProvSetSerialization_Stop.
#Event ID 2022: CredProvGetSerialization_Stop.
#Event ID 2023: Operation: Operation.
#Description
Operation: Operation.
Message #
Fields #
| Name | Description |
|---|---|
Operation UnicodeString | Known values
|
Target UnicodeString | |
Result HexInt32 |
Event ID 2024: Operation: Operation.
#Description
Operation: Operation.
Message #
Fields #
| Name | Description |
|---|---|
Operation UnicodeString | Known values
|
Details UnicodeString | |
Status HexInt32 | NTSTATUS reference |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-LiveId",
"guid": "{05F02597-FE85-4E67-8542-69567AB8FD4F}",
"event_source_name": "",
"event_id": 2024,
"version": 0,
"level": 4,
"task": 101,
"opcode": 0,
"keywords": 4611686018427387920,
"time_created": "2026-06-13T05:46:27.8384879+00:00",
"event_record_id": 358,
"correlation": {},
"execution": {
"process_id": 5900,
"thread_id": 5832
},
"channel": "Microsoft-Windows-LiveId/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Operation": "Service stopped",
"Details": "The service has stopped.",
"Status": "0x0"
},
"message": "Operation: Service stopped\r\nDetails: The service has stopped.\r\nStatus: 0x0\r\n"
}
Event ID 2025: WLIDSvc service failed to start.
#Description
WLIDSvc service failed to start.
Message #
Fields #
| Name | Description |
|---|---|
Operation UnicodeString | Known values
|
Reason UnicodeString | |
Result HexInt32 |
Event ID 2026: Generic telemetry trigger event.
#Event ID 2027: User specific telemetry trigger event for CID cid.
#Event ID 2028: ErrorVerifier in function FunctionName encountered unexpected error code (ErrorCode).
#Description
ErrorVerifier in function FunctionName encountered unexpected error code (ErrorCode).
Message #
Fields #
| Name | Description |
|---|---|
FunctionName AnsiString | |
ErrorCode Int32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-LiveId",
"guid": "{05F02597-FE85-4E67-8542-69567AB8FD4F}",
"event_source_name": "",
"event_id": 2028,
"version": 0,
"level": 2,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387907,
"time_created": "2026-05-27T14:22:01.4477439+00:00",
"event_record_id": 279,
"correlation": {
"ActivityID": "{03E78711-EDE2-0006-568F-E703E2EDDC01}"
},
"execution": {
"process_id": 5208,
"thread_id": 1188
},
"channel": "Microsoft-Windows-LiveId/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1000"
}
},
"event_data": {
"FunctionName": "Windows::Internal::Security::WebAuthentication::UserHostAuthenticationOperation::RetrieveDeviceData",
"ErrorCode": "-2147023584"
},
"message": "ErrorVerifier in function Windows::Internal::Security::WebAuthentication::UserHostAuthenticationOperation::RetrieveDeviceData encountered unexpected error code (A specified logon session does not exist. It may already have been terminated.)."
}
Event ID 2029: Assertion failure for expression ({Expression}) in function {FunctionName} @{FileName}_{LineNumber}.
#Event ID 3000: description @FileName_LineNumber.
#Event ID 3001: description @FileName_LineNumber.
#Event ID 3002: description @FileName_LineNumber.
#Event ID 3003: description @FileName_LineNumber.
#Event ID 3004: description @FileName_LineNumber.
#Event ID 3005: description @FileName_LineNumber.
#Event ID 3006: description @FileName_LineNumber.
#Event ID 3007: description @FileName_LineNumber.
#Event ID 3008: +.
#Event ID 3009: -.
#Event ID 3010: -.
#Event ID 3011: -.
#Event ID 3012: Process name ProcessName.
#Event ID 3013: IF_FAILEXIT failure: (Expression), hr = ErrorCode, in FunctionName @FileName_LineNumber.
#Event ID 3014: -.
#Event ID 3015: description @FileName_LineNumber.
#Event ID 3016: description @FileName_LineNumber.
#Event ID 4000: description @FileName_LineNumber.
#Event ID 4001: description @FileName_LineNumber.
#Event ID 4002: description @FileName_LineNumber.
#Event ID 4003: description @FileName_LineNumber.
#Event ID 4004: description @FileName_LineNumber.
#Event ID 4005: description @FileName_LineNumber.
#Event ID 4006: description @FileName_LineNumber.
#Event ID 4007: description @FileName_LineNumber.
#Event ID 4008: +.
#Event ID 4009: -.
#Event ID 4010: -.
#Event ID 4011: -.
#Event ID 4012: Process name ProcessName.
#Event ID 4013: IF_FAILEXIT failure: (Expression), hr = ErrorCode, in FunctionName @FileName_LineNumber.
#Event ID 4014: -.
#Event ID 4015: description @FileName_LineNumber.
#Event ID 4016: description @FileName_LineNumber.
#Event ID 5000: description @FileName_LineNumber.
#Event ID 5001: description @FileName_LineNumber.
#Event ID 5002: description @FileName_LineNumber.
#Event ID 5003: description @FileName_LineNumber.
#Event ID 5004: description @FileName_LineNumber.
#Event ID 5005: description @FileName_LineNumber.
#Event ID 5006: description @FileName_LineNumber.
#Event ID 5007: description @FileName_LineNumber.
#Event ID 5008: +.
#Event ID 5009: -.
#Event ID 5010: -.
#Event ID 5011: -.
#Event ID 5012: Process name ProcessName.
#Event ID 5013: IF_FAILEXIT failure: (Expression), hr = ErrorCode, in FunctionName @FileName_LineNumber.
#Event ID 5014: -.
#Event ID 5015: description @FileName_LineNumber.
#Event ID 5016: description @FileName_LineNumber.
#Event ID 6000: description @FileName_LineNumber.
#Event ID 6001: description @FileName_LineNumber.
#Event ID 6002: description @FileName_LineNumber.
#Event ID 6003: description @FileName_LineNumber.
#Event ID 6004: description @FileName_LineNumber.
#Event ID 6005: description @FileName_LineNumber.
#Event ID 6006: description @FileName_LineNumber.
#Event ID 6007: description @FileName_LineNumber.
#Event ID 6008: +.
#Event ID 6009: -.
#Event ID 6010: -.
#Event ID 6011: -.
#Event ID 6012: Process name ProcessName.
#Event ID 6013: IF_FAILEXIT failure: (Expression), hr = ErrorCode, in FunctionName @FileName_LineNumber.
#Event ID 6014: -.
#Event ID 6015: description @FileName_LineNumber.
#Event ID 6016: description @FileName_LineNumber.
#Event ID 6100: Service Create Context for [value].
#Event ID 6101: Token with target [TargetName] expired on ExpiryTime, Deleting it from CredMan.
#Event ID 6102: Certificate (target = [value]) has expired.
#Event ID 6103: RemoveCachedAuthInfo Deleting item for target [value] from CredMan.
#Event ID 6104: RemoveCachedAuthInfo ALL Deleting [value] items from CredMan.
#Event ID 6105: RemovePersistedTokens Deleting item for target [value] from CredMan.
#Event ID 6106: Attempting to delete for target [.
#Event ID 6107: Write to CredMan failed for target [.
#Event ID 6108: Writing Token for target [.
#Event ID 6109: CredEnumerateW failed for target [.
#Event ID 6110: CredEnumerateW found no match for target [.
#Event ID 6111: DeleteStoredCredential Deleting item for target [.
#Event ID 6112: CredMan activity skipped.
#Event ID 6113: RPC call to function FunctionName returned the following error code: ErrorCode.
#Description
RPC call to function FunctionName returned the following error code: ErrorCode.
Message #
Fields #
| Name | Description |
|---|---|
FunctionName AnsiString | |
ErrorCode UInt32 | 1 returned the following error code. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-LiveId",
"guid": "{05F02597-FE85-4E67-8542-69567AB8FD4F}",
"event_source_name": "",
"event_id": 6113,
"version": 0,
"level": 2,
"task": 0,
"opcode": 0,
"keywords": 4611686018431584274,
"time_created": "2026-05-27T14:22:01.4475966+00:00",
"event_record_id": 277,
"correlation": {},
"execution": {
"process_id": 2252,
"thread_id": 6112
},
"channel": "Microsoft-Windows-LiveId/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"FunctionName": "WLIDCreateContext",
"ErrorCode": "2147943712"
},
"message": "RPC call to function WLIDCreateContext returned the following error code: 0x80070520."
}
Event ID 6114: SOAP Request of type RequestType for user CID 'cid' in MachineEnvironment environment received the following error code from the Microsoft Account server: ErrorCode.
#Description
SOAP Request of type RequestType for user CID 'cid' in MachineEnvironment environment received the following error code from the Microsoft Account server: ErrorCode.
Message #
Fields #
| Name | Description |
|---|---|
RequestType UInt32 | |
cid AnsiString | |
ErrorCode UInt32 | 4 environment received the following error code from the Microsoft Account server. |
MachineEnvironment AnsiString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-LiveId",
"guid": "{05F02597-FE85-4E67-8542-69567AB8FD4F}",
"event_source_name": "",
"event_id": 6114,
"version": 0,
"level": 2,
"task": 0,
"opcode": 0,
"keywords": 4611686018429487122,
"time_created": "2026-05-28T22:43:17.9513552+00:00",
"event_record_id": 289,
"correlation": {},
"execution": {
"process_id": 4016,
"thread_id": 4032
},
"channel": "Microsoft-Windows-LiveId/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"RequestType": "1",
"cid": "NULL",
"ErrorCode": "2147769382",
"MachineEnvironment": "production"
},
"message": "SOAP Request of type Service for user CID 'NULL' in production environment received the following error code from the Microsoft Account server: 0x80045C26."
}
Event ID 6115: ## SOAP Request: Value.
#Description
## SOAP Request: Value.
Message #
Fields #
| Name | Description |
|---|---|
Value AnsiString | ## SOAP Request. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-LiveId",
"guid": "{05F02597-FE85-4E67-8542-69567AB8FD4F}",
"event_source_name": "",
"event_id": 6115,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018429487104,
"time_created": "2026-06-13T05:43:09.1677172+00:00",
"event_record_id": 355,
"correlation": {},
"execution": {
"process_id": 5900,
"thread_id": 7412
},
"channel": "Microsoft-Windows-LiveId/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Value": "<s:Envelope><s:Header><wsa:Action s:mustUnderstand=\"1\">*</wsa:Action><wsa:To s:mustUnderstand=\"1\">*</wsa:To><wsa:MessageID>*</wsa:MessageID><ps:AuthInfo Id=\"PPAuthInfo\"><ps:HostingApp>{67082621-8D18-4333-9C64-10DE93676363}</ps:HostingApp><ps:BinaryVersion>35</ps:BinaryVersion><ps:UIVersion>1</ps:UIVersion><ps:InlineUX>TokenBroker</ps:InlineUX><ps:IsAdmin>1</ps:IsAdmin><ps:Cookies></ps:Cookies><ps:RequestParams>AQAAAAIAAABsYwQAAAAxMDMz</ps:RequestParams><ps:WindowsClientString>9J9iXygdRXfnfCJgrrzqVu+Vdt4ynPvKg/MJR3xBodE=</ps:WindowsClientString><ps:LicenseSignatureKeyVersion>*</ps:LicenseSignatureKeyVersion><ps:ClientCapabilities>1</ps:ClientCapabilities></ps:AuthInfo><wsse:Security><EncryptedData xmlns=\"http://www.w3.org/2001/04/xmlenc#\" Id=\"devicesoftware\" Type=\"http://www.w3.org/2001/04/xmlenc#Element\"><EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#tripledes-cbc\"></EncryptionMethod><ds:KeyInfo><ds:KeyName>http://Passport.NET/STS</ds:KeyName></ds:KeyInfo><CipherData><CipherValue>*</CipherValue></CipherData></EncryptedData><wssc:DerivedKeyToken wsu:Id=\"SignKey\" Algorithm=\"urn:liveid:SP800108_CTR_HMAC_SHA256_DOUBLEDERIVED\"><wsse:RequestedTokenReference><wsse:KeyIdentifier ValueType=\"http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-saml-token-profile-1.0#SAMLAssertionID\"/><wsse:Reference URI=\"\"/></wsse:RequestedTokenReference><wssc:Nonce>*</wssc:Nonce></wssc:DerivedKeyToken><wsu:Timestamp wsu:Id=\"Timestamp\"><wsu:Created>2026-06-13T05:43:08Z</wsu:Created><wsu:Expires>2026-06-13T05:48:08Z</wsu:Expires></wsu:Timestamp><Signature xmlns=\"http://www.w3.org/2000/09/xmldsig#\"><SignedInfo><CanonicalizationMethod Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"></CanonicalizationMethod><SignatureMethod Algorithm=\"http://www.w3.org/2001/04/xmldsig-more#hmac-sha256\"></SignatureMethod><Reference URI=\"#RST0\"><Transforms><Transform Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"></Transform></Transforms><DigestMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#sha256\"></DigestMethod><DigestValue>*</DigestValue></Reference><Reference URI=\"#Timestamp\"><Transforms><Transform Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"></Transform></Transforms><DigestMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#sha256\"></DigestMethod><DigestValue>*</DigestValue></Reference><Reference URI=\"#PPAuthInfo\"><Transforms><Transform Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"></Transform></Transforms><DigestMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#sha256\"></DigestMethod><DigestValue>*</DigestValue></Reference></SignedInfo><SignatureValue>*</SignatureValue><KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI=\"#SignKey\"/></wsse:SecurityTokenReference></KeyInfo></Signature></wsse:Security></s:Header><s:Body><wst:RequestSecurityToken Id=\"RST0\"><wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType><wsp:AppliesTo><wsa:EndpointReference><wsa:Address>https://watson.telemetry.microsoft.com</wsa:Address></wsa:EndpointReference></wsp:AppliesTo><wsp:PolicyReference URI=\"MBI_SSL\"></wsp:PolicyReference></wst:RequestSecurityToken></s:Body></s:Envelope>"
},
"message": "## SOAP Request: <s:Envelope><s:Header><wsa:Action s:mustUnderstand=\"1\">*</wsa:Action><wsa:To s:mustUnderstand=\"1\">*</wsa:To><wsa:MessageID>*</wsa:MessageID><ps:AuthInfo Id=\"PPAuthInfo\"><ps:HostingApp>{67082621-8D18-4333-9C64-10DE93676363}</ps:HostingApp><ps:BinaryVersion>35</ps:BinaryVersion><ps:UIVersion>1</ps:UIVersion><ps:InlineUX>TokenBroker</ps:InlineUX><ps:IsAdmin>1</ps:IsAdmin><ps:Cookies></ps:Cookies><ps:RequestParams>AQAAAAIAAABsYwQAAAAxMDMz</ps:RequestParams><ps:WindowsClientString>9J9iXygdRXfnfCJgrrzqVu+Vdt4ynPvKg/MJR3xBodE=</ps:WindowsClientString><ps:LicenseSignatureKeyVersion>*</ps:LicenseSignatureKeyVersion><ps:ClientCapabilities>1</ps:ClientCapabilities></ps:AuthInfo><wsse:Security><EncryptedData xmlns=\"http://www.w3.org/2001/04/xmlenc#\" Id=\"devicesoftware\" Type=\"http://www.w3.org/2001/04/xmlenc#Element\"><EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#tripledes-cbc\"></EncryptionMethod><ds:KeyInfo><ds:KeyName>http://Passport.NET/STS</ds:KeyName></ds:KeyInfo><CipherData><CipherValue>*</CipherValue></CipherData></EncryptedData><wssc:DerivedKeyToken wsu:Id=\"SignKey\" Algorithm=\"urn:liveid:SP800108_CTR_HMAC_SHA256_DOUBLEDERIVED\"><wsse:RequestedTokenReference><wsse:KeyIdentifier ValueType=\"http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-saml-token-profile-1.0#SAMLAssertionID\"/><wsse:Reference URI=\"\"/></wsse:RequestedTokenReference><wssc:Nonce>*</wssc:Nonce></wssc:DerivedKeyToken><wsu:Timestamp wsu:Id=\"Timestamp\"><wsu:Created>2026-06-13T05:43:08Z</wsu:Created><wsu:Expires>2026-06-13T05:48:08Z</wsu:Expires></wsu:Timestamp><Signature xmlns=\"http://www.w3.org/2000/09/xmldsig#\"><SignedInfo><CanonicalizationMethod Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"></CanonicalizationMethod><SignatureMethod Algorithm=\"http://www.w3.org/2001/04/xmldsig-more#hmac-sha256\"></SignatureMethod><Reference URI=\"#RST0\"><Transforms><Transform Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"></Transform></Transforms><DigestMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#sha256\"></DigestMethod><DigestValue>*</DigestValue></Reference><Reference URI=\"#Timestamp\"><Transforms><Transform Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"></Transform></Transforms><DigestMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#sha256\"></DigestMethod><DigestValue>*</DigestValue></Reference><Reference URI=\"#PPAuthInfo\"><Transforms><Transform Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"></Transform></Transforms><DigestMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#sha256\"></DigestMethod><DigestValue>*</DigestValue></Reference></SignedInfo><SignatureValue>*</SignatureValue><KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI=\"#SignKey\"/></wsse:SecurityTokenReference></KeyInfo></Signature></wsse:Security></s:Header><s:Body><wst:RequestSecurityToken Id=\"RST0\"><wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType><wsp:AppliesTo><wsa:EndpointReference><wsa:Address>https://watson.telemetry.microsoft.com</wsa:Address></wsa:EndpointReference></wsp:AppliesTo><wsp:PolicyReference URI=\"MBI_SSL\"></wsp:PolicyReference></wst:RequestSecurityToken></s:Body></s:Envelope>"
}
Community Notes #
Windows LiveId sign-in activity.
Event ID 6116: ## SOAP Response: Value.
#Description
## SOAP Response: Value.
Message #
Fields #
| Name | Description |
|---|---|
Value AnsiString | ## SOAP Response. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-LiveId",
"guid": "{05F02597-FE85-4E67-8542-69567AB8FD4F}",
"event_source_name": "",
"event_id": 6116,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018429487104,
"time_created": "2026-06-13T05:43:09.3787050+00:00",
"event_record_id": 356,
"correlation": {},
"execution": {
"process_id": 5900,
"thread_id": 7412
},
"channel": "Microsoft-Windows-LiveId/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Value": "<S:Envelope><S:Header><wsa:Action wsu:Id=\"Action\" S:mustUnderstand=\"1\">*</wsa:Action><wsa:To wsu:Id=\"To\" S:mustUnderstand=\"1\">*</wsa:To><wsse:Security><wsu:Timestamp wsu:Id=\"TS\"><wsu:Created>2026-06-13T05:43:09Z</wsu:Created><wsu:Expires>2026-06-13T05:48:09Z</wsu:Expires></wsu:Timestamp><wssc:DerivedKeyToken wsu:Id=\"SignKey\" Algorithm=\"urn:liveid:SP800108_CTR_HMAC_SHA256_DOUBLEDERIVED\"><wsse:SecurityTokenReference><wsse:Reference URI=\"0ttIX4ltYOk74jhjCklfsDg38uc=\"></wsse:Reference></wsse:SecurityTokenReference><wssc:Nonce>*</wssc:Nonce></wssc:DerivedKeyToken><wssc:DerivedKeyToken wsu:Id=\"EncKey\" Algorithm=\"urn:liveid:SP800108_CTR_HMAC_SHA256_DOUBLEDERIVED\"><wsse:SecurityTokenReference><wsse:Reference URI=\"0ttIX4ltYOk74jhjCklfsDg38uc=\"></wsse:Reference></wsse:SecurityTokenReference><wssc:Nonce>*</wssc:Nonce></wssc:DerivedKeyToken><Signature xmlns=\"http://www.w3.org/2000/09/xmldsig#\"><SignedInfo><CanonicalizationMethod Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"></CanonicalizationMethod><SignatureMethod Algorithm=\"http://www.w3.org/2001/04/xmldsig-more#hmac-sha256\"></SignatureMethod><Reference URI=\"#EncPsf\"><Transforms><Transform Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"></Transform></Transforms><DigestMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#sha256\"></DigestMethod><DigestValue>*</DigestValue></Reference><Reference URI=\"#Body\"><Transforms><Transform Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"></Transform></Transforms><DigestMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#sha256\"></DigestMethod><DigestValue>*</DigestValue></Reference><Reference URI=\"#To\"><Transforms><Transform Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"></Transform></Transforms><DigestMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#sha256\"></DigestMethod><DigestValue>*</DigestValue></Reference><Reference URI=\"#Action\"><Transforms><Transform Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"></Transform></Transforms><DigestMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#sha256\"></DigestMethod><DigestValue>*</DigestValue></Reference><Reference URI=\"#TS\"><Transforms><Transform Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"></Transform></Transforms><DigestMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#sha256\"></DigestMethod><DigestValue>*</DigestValue></Reference></SignedInfo><SignatureValue>*</SignatureValue><KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI=\"#SignKey\"></wsse:Reference></wsse:SecurityTokenReference></KeyInfo></Signature><e:ReferenceList xmlns:e=\"http://www.w3.org/2001/04/xmlenc#\"><e:DataReference URI=\"#RSTR\"/><e:DataReference URI=\"#EncPsf\"/></e:ReferenceList></wsse:Security><psf:EncryptedPP><EncryptedData xmlns=\"http://www.w3.org/2001/04/xmlenc#\" Id=\"EncPsf\" Type=\"http://www.w3.org/2001/04/xmlenc#Element\"><EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#aes256-cbc\"></EncryptionMethod><KeyInfo xmlns=\"http://www.w3.org/2000/09/xmldsig#\"><wsse:SecurityTokenReference><wsse:Reference URI=\"#EncKey\"></wsse:Reference></wsse:SecurityTokenReference></KeyInfo><CipherData><CipherValue>*</CipherValue></CipherData></EncryptedData></psf:EncryptedPP></S:Header><S:Body wsu:Id=\"Body\"><EncryptedData xmlns=\"http://www.w3.org/2001/04/xmlenc#\" Id=\"RSTR\" Type=\"http://www.w3.org/2001/04/xmlenc#Element\"><EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#aes256-cbc\"></EncryptionMethod><KeyInfo xmlns=\"http://www.w3.org/2000/09/xmldsig#\"><wsse:SecurityTokenReference><wsse:Reference URI=\"#EncKey\"></wsse:Reference></wsse:SecurityTokenReference></KeyInfo><CipherData><CipherValue>*</CipherValue></CipherData></EncryptedData></S:Body></S:Envelope>"
},
"message": "## SOAP Response: <S:Envelope><S:Header><wsa:Action wsu:Id=\"Action\" S:mustUnderstand=\"1\">*</wsa:Action><wsa:To wsu:Id=\"To\" S:mustUnderstand=\"1\">*</wsa:To><wsse:Security><wsu:Timestamp wsu:Id=\"TS\"><wsu:Created>2026-06-13T05:43:09Z</wsu:Created><wsu:Expires>2026-06-13T05:48:09Z</wsu:Expires></wsu:Timestamp><wssc:DerivedKeyToken wsu:Id=\"SignKey\" Algorithm=\"urn:liveid:SP800108_CTR_HMAC_SHA256_DOUBLEDERIVED\"><wsse:SecurityTokenReference><wsse:Reference URI=\"0ttIX4ltYOk74jhjCklfsDg38uc=\"></wsse:Reference></wsse:SecurityTokenReference><wssc:Nonce>*</wssc:Nonce></wssc:DerivedKeyToken><wssc:DerivedKeyToken wsu:Id=\"EncKey\" Algorithm=\"urn:liveid:SP800108_CTR_HMAC_SHA256_DOUBLEDERIVED\"><wsse:SecurityTokenReference><wsse:Reference URI=\"0ttIX4ltYOk74jhjCklfsDg38uc=\"></wsse:Reference></wsse:SecurityTokenReference><wssc:Nonce>*</wssc:Nonce></wssc:DerivedKeyToken><Signature xmlns=\"http://www.w3.org/2000/09/xmldsig#\"><SignedInfo><CanonicalizationMethod Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"></CanonicalizationMethod><SignatureMethod Algorithm=\"http://www.w3.org/2001/04/xmldsig-more#hmac-sha256\"></SignatureMethod><Reference URI=\"#EncPsf\"><Transforms><Transform Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"></Transform></Transforms><DigestMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#sha256\"></DigestMethod><DigestValue>*</DigestValue></Reference><Reference URI=\"#Body\"><Transforms><Transform Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"></Transform></Transforms><DigestMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#sha256\"></DigestMethod><DigestValue>*</DigestValue></Reference><Reference URI=\"#To\"><Transforms><Transform Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"></Transform></Transforms><DigestMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#sha256\"></DigestMethod><DigestValue>*</DigestValue></Reference><Reference URI=\"#Action\"><Transforms><Transform Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"></Transform></Transforms><DigestMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#sha256\"></DigestMethod><DigestValue>*</DigestValue></Reference><Reference URI=\"#TS\"><Transforms><Transform Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"></Transform></Transforms><DigestMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#sha256\"></DigestMethod><DigestValue>*</DigestValue></Reference></SignedInfo><SignatureValue>*</SignatureValue><KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI=\"#SignKey\"></wsse:Reference></wsse:SecurityTokenReference></KeyInfo></Signature><e:ReferenceList xmlns:e=\"http://www.w3.org/2001/04/xmlenc#\"><e:DataReference URI=\"#RSTR\"/><e:DataReference URI=\"#EncPsf\"/></e:ReferenceList></wsse:Security><psf:EncryptedPP><EncryptedData xmlns=\"http://www.w3.org/2001/04/xmlenc#\" Id=\"EncPsf\" Type=\"http://www.w3.org/2001/04/xmlenc#Element\"><EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#aes256-cbc\"></EncryptionMethod><KeyInfo xmlns=\"http://www.w3.org/2000/09/xmldsig#\"><wsse:SecurityTokenReference><wsse:Reference URI=\"#EncKey\"></wsse:Reference></wsse:SecurityTokenReference></KeyInfo><CipherData><CipherValue>*</CipherValue></CipherData></EncryptedData></psf:EncryptedPP></S:Header><S:Body wsu:Id=\"Body\"><EncryptedData xmlns=\"http://www.w3.org/2001/04/xmlenc#\" Id=\"RSTR\" Type=\"http://www.w3.org/2001/04/xmlenc#Element\"><EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#aes256-cbc\"></EncryptionMethod><KeyInfo xmlns=\"http://www.w3.org/2000/09/xmldsig#\"><wsse:SecurityTokenReference><wsse:Reference URI=\"#EncKey\"></wsse:Reference></wsse:SecurityTokenReference></KeyInfo><CipherData><CipherValue>*</CipherValue></CipherData></EncryptedData></S:Body></S:Envelope>"
}
Event ID 6117: Acquired Service token.
#Description
Acquired Service token.
Message #
Fields #
| Name | Description |
|---|---|
ResourceURI AnsiString | |
Created SYSTEMTIME | |
Expires SYSTEMTIME | |
TokenType AnsiString | |
AuthRequired Int32 | |
RequestStatus Int32 | |
HasFlowUrl Boolean | |
HasAuthUrl Boolean | |
HasEndAuthUrl Boolean |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-LiveId",
"guid": "{05F02597-FE85-4E67-8542-69567AB8FD4F}",
"event_source_name": "",
"event_id": 6117,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018429487104,
"time_created": "2026-06-13T05:43:09.3799244+00:00",
"event_record_id": 357,
"correlation": {},
"execution": {
"process_id": 5900,
"thread_id": 7412
},
"channel": "Microsoft-Windows-LiveId/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"ResourceURI": "https://watson.telemetry.microsoft.com",
"Created": "2026-06-13T05:43:09.0000000Z",
"Expires": "2026-06-14T05:43:09.0000000Z",
"TokenType": "urn:passport:delegationcompact",
"AuthRequired": "0",
"RequestStatus": "0",
"HasFlowUrl": "false",
"HasAuthUrl": "false",
"HasEndAuthUrl": "false"
},
"message": "Acquired Service token.\r\nResourceURI: https://watson.telemetry.microsoft.com\r\nCreated: 1601-01-03T22:32:45.068Z\r\nExpires: 1601-01-03T22:32:45.068Z\r\nTokenType: urn:passport:delegationcompact\r\nAuthRequired: The operation completed successfully.\r\nRequestStatus: The operation completed successfully.\r\nHasFlowUrl: false\r\nHasAuthUrl: false\r\nHasEndAuthUrl: false"
}
Community Notes #
Windows LiveId sign-in activity.
Event ID 7000: description @FileName_LineNumber.
#Event ID 7001: description @FileName_LineNumber.
#Event ID 7002: description @FileName_LineNumber.
#Event ID 7003: description @FileName_LineNumber.
#Event ID 7004: description @FileName_LineNumber.
#Event ID 7005: description @FileName_LineNumber.
#Event ID 7006: description @FileName_LineNumber.
#Event ID 7007: description @FileName_LineNumber.
#Event ID 7008: +.
#Event ID 7009: -.
#Event ID 7010: -.
#Event ID 7011: -.
#Event ID 7012: Process name ProcessName.
#Event ID 7013: IF_FAILEXIT failure: (Expression), hr = ErrorCode, in FunctionName @FileName_LineNumber.
#Event ID 7014: -.
#Event ID 7015: description @FileName_LineNumber.
#Event ID 7016: description @FileName_LineNumber.
#Event ID 7100: Cached ticket for site Uri and policy Policy found which is valid for another TimeToLive seconds.
#Event ID 7101: ApplicationId Overwritten [value1] becomes [value2].
#Event ID 7102: ApplicationId [value].
#Event ID 7103: Cached ticket for site value1 and policy value2 not found or has expired.
#Event ID 7104: Attempts = [Attempts], latestIterationResult = [latestIterationResult], continueRetry = [continueRetry], isConnected = [isConnected], flowUrl = [flowUrl], defaultUser = [defaultUser], promptType = ...
#Description
Attempts = [Attempts], latestIterationResult = [latestIterationResult], continueRetry = [continueRetry], isConnected = [isConnected], flowUrl = [flowUrl], defaultUser = [defaultUser], promptType = [promptType], authUrl = [authUrl], endAuthUrl = [authUrl].
Message #
Fields #
| Name | Description |
|---|---|
Attempts UInt32 | |
latestIterationResult UInt32 | |
continueRetry Boolean | |
isConnected Boolean | |
flowUrl UnicodeString | |
defaultUser UnicodeString | |
promptType UInt32 | |
authUrl UnicodeString | |
endAuthUrl UnicodeString |
Event ID 7105: WLIDCPersistCredential [value].
#Event ID 8000: description @FileName_LineNumber.
#Event ID 8001: description @FileName_LineNumber.
#Event ID 8002: description @FileName_LineNumber.
#Event ID 8003: description @FileName_LineNumber.
#Event ID 8004: description @FileName_LineNumber.
#Event ID 8005: description @FileName_LineNumber.
#Event ID 8006: description @FileName_LineNumber.
#Event ID 8007: description @FileName_LineNumber.
#Event ID 8008: +.
#Event ID 8009: -.
#Event ID 8010: -.
#Event ID 8011: -.
#Event ID 8012: Process name ProcessName.
#Event ID 8013: IF_FAILEXIT failure: (Expression), hr = ErrorCode, in FunctionName @FileName_LineNumber.
#Event ID 8014: -.
#Event ID 8015: description @FileName_LineNumber.
#Event ID 8016: description @FileName_LineNumber.
#Event ID 9000: description @FileName_LineNumber.
#Event ID 9001: description @FileName_LineNumber.
#Event ID 9002: description @FileName_LineNumber.
#Description
description @FileName_LineNumber
Message #
Fields #
| Name | Description |
|---|---|
FileName AnsiString | |
LineNumber UInt32 | |
description UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-LiveId",
"guid": "{05F02597-FE85-4E67-8542-69567AB8FD4F}",
"event_source_name": "",
"event_id": 9002,
"version": 0,
"level": 3,
"task": 0,
"opcode": 0,
"keywords": "0x0000000000004020",
"time_created": "2026-06-02T05:58:08.719+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 15568,
"thread_id": 9292
},
"channel": "ETW Trace",
"computer": "DESKTOP-FF3N5XK",
"security": {
"user_id": ""
}
},
"event_data": {
"FileName": "systemstorelite.cpp",
"LineNumber": 284,
"description": "SystemStore property not found."
},
"message": ""
}
Event ID 9003: description @FileName_LineNumber.
#Event ID 9004: description @FileName_LineNumber.
#Event ID 9005: description @FileName_LineNumber.
#Event ID 9006: description @FileName_LineNumber.
#Event ID 9007: description @FileName_LineNumber.
#Event ID 9008: +.
#Description
+FunctionName@FileName_LineNumber
Message #
Fields #
| Name | Description |
|---|---|
FileName AnsiString | |
FunctionName AnsiString | |
LineNumber UInt32 | |
description UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-LiveId",
"guid": "{05F02597-FE85-4E67-8542-69567AB8FD4F}",
"event_source_name": "",
"event_id": 9008,
"version": 0,
"level": 5,
"task": 0,
"opcode": 0,
"keywords": "0x0000000000004008",
"time_created": "2026-06-02T05:58:08.717+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 15568,
"thread_id": 9292
},
"channel": "ETW Trace",
"computer": "DESKTOP-FF3N5XK",
"security": {
"user_id": ""
}
},
"event_data": {
"FileName": "windowsliveprovider.cpp",
"FunctionName": "CWindowsLiveProvider::IsConnected",
"LineNumber": 1781,
"description": "NULL"
},
"message": ""
}
Event ID 9009: -.
#Description
-FunctionName=ErrorCode
Message #
Fields #
| Name | Description |
|---|---|
FunctionName AnsiString | |
ErrorCode Int32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-LiveId",
"guid": "{05F02597-FE85-4E67-8542-69567AB8FD4F}",
"event_source_name": "",
"event_id": 9009,
"version": 0,
"level": 5,
"task": 0,
"opcode": 0,
"keywords": "0x0000000000004008",
"time_created": "2026-06-02T05:58:08.718+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 15568,
"thread_id": 9292
},
"channel": "ETW Trace",
"computer": "DESKTOP-FF3N5XK",
"security": {
"user_id": ""
}
},
"event_data": {
"ErrorCode": 0,
"FunctionName": "SystemStoreLite::GetCurrentUserSidString"
},
"message": ""
}
Event ID 9010: -.
#Event ID 9011: -.
#Event ID 9012: Process name ProcessName.
#Description
Process name ProcessName.
Message #
Fields #
| Name | Description |
|---|---|
ProcessName UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-LiveId",
"guid": "{05F02597-FE85-4E67-8542-69567AB8FD4F}",
"event_source_name": "",
"event_id": 9012,
"version": 0,
"level": 2,
"task": 0,
"opcode": 0,
"keywords": "0x0000000000004002",
"time_created": "2026-06-02T05:58:08.717+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{72529F65-EE0F-0001-234C-90720FEEDC01}"
},
"execution": {
"process_id": 15568,
"thread_id": 9292
},
"channel": "ETW Trace",
"computer": "DESKTOP-FF3N5XK",
"security": {
"user_id": ""
}
},
"event_data": {
"ProcessName": "C:\\WINDOWS\\system32\\taskhostw.exe"
},
"message": ""
}
Event ID 9013: IF_FAILEXIT failure: (Expression), hr = ErrorCode, in FunctionName @FileName_LineNumber.
#Event ID 9014: -.
#Description
-FunctionName=ErrorCode
Message #
Fields #
| Name | Description |
|---|---|
FunctionName AnsiString | |
ErrorCode Int32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-LiveId",
"guid": "{05F02597-FE85-4E67-8542-69567AB8FD4F}",
"event_source_name": "",
"event_id": 9014,
"version": 0,
"level": 3,
"task": 0,
"opcode": 0,
"keywords": "0x0000000000004028",
"time_created": "2026-06-02T05:58:08.719+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 15568,
"thread_id": 9292
},
"channel": "ETW Trace",
"computer": "DESKTOP-FF3N5XK",
"security": {
"user_id": ""
}
},
"event_data": {
"ErrorCode": -2147023728,
"FunctionName": "SystemStoreLite::GetStoredIdentityProperty"
},
"message": ""
}
Event ID 9015: description @FileName_LineNumber.
#Description
description @FileName_LineNumber
Message #
Fields #
| Name | Description |
|---|---|
FileName AnsiString | |
LineNumber UInt32 | |
description UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-LiveId",
"guid": "{05F02597-FE85-4E67-8542-69567AB8FD4F}",
"event_source_name": "",
"event_id": 9015,
"version": 0,
"level": 5,
"task": 0,
"opcode": 0,
"keywords": "0x0000000000004000",
"time_created": "2026-06-02T05:58:08.719+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 15568,
"thread_id": 9292
},
"channel": "ETW Trace",
"computer": "DESKTOP-FF3N5XK",
"security": {
"user_id": ""
}
},
"event_data": {
"FileName": "ErrorHandlingUtilities.h",
"LineNumber": 252,
"description": "Internal Error: 0x0, Collapsed Internal Error: 0x0, External Error: 0x0, isUserActionable: 0"
},
"message": ""
}
Event ID 9016: description @FileName_LineNumber.
#Event ID 9100: WLIDCPersistCredential [value].
#Event ID 10000: description @FileName_LineNumber.
#Event ID 10001: description @FileName_LineNumber.
#Event ID 10002: description @FileName_LineNumber.
#Event ID 10003: description @FileName_LineNumber.
#Event ID 10004: description @FileName_LineNumber.
#Event ID 10005: description @FileName_LineNumber.
#Event ID 10006: description @FileName_LineNumber.
#Event ID 10007: description @FileName_LineNumber.
#Event ID 10008: +.
#Event ID 10009: -.
#Event ID 10010: -.
#Event ID 10011: -.
#Event ID 10012: Process name ProcessName.
#Event ID 10013: IF_FAILEXIT failure: (Expression), hr = ErrorCode, in FunctionName @FileName_LineNumber.
#Event ID 10014: -.
#Event ID 10015: description @FileName_LineNumber.
#Event ID 10016: description @FileName_LineNumber.
#Event ID 11000: description @FileName_LineNumber.
#Event ID 11001: description @FileName_LineNumber.
#Event ID 11002: description @FileName_LineNumber.
#Event ID 11003: description @FileName_LineNumber.
#Event ID 11004: description @FileName_LineNumber.
#Event ID 11005: description @FileName_LineNumber.
#Event ID 11006: description @FileName_LineNumber.
#Event ID 11007: description @FileName_LineNumber.
#Event ID 11008: +.
#Event ID 11009: -.
#Event ID 11010: -.
#Event ID 11011: -.
#Event ID 11012: Process name ProcessName.
#Event ID 11013: IF_FAILEXIT failure: (Expression), hr = ErrorCode, in FunctionName @FileName_LineNumber.
#Event ID 11014: -.
#Event ID 11015: description @FileName_LineNumber.
#Event ID 11016: description @FileName_LineNumber.
#Event ID 12000: description @FileName_LineNumber.
#Event ID 12001: description @FileName_LineNumber.
#Event ID 12002: description @FileName_LineNumber.
#Event ID 12003: description @FileName_LineNumber.
#Event ID 12004: description @FileName_LineNumber.
#Event ID 12005: description @FileName_LineNumber.
#Event ID 12006: description @FileName_LineNumber.
#Event ID 12007: description @FileName_LineNumber.
#Event ID 12008: +.
#Event ID 12009: -.
#Event ID 12010: -.
#Event ID 12011: -.
#Event ID 12012: Process name ProcessName.
#Event ID 12013: IF_FAILEXIT failure: (Expression), hr = ErrorCode, in FunctionName @FileName_LineNumber.
#Event ID 12014: -.
#Event ID 12015: description @FileName_LineNumber.
#Event ID 12016: description @FileName_LineNumber.
#Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID {05F02597-FE85-4E67-8542-69567AB8FD4F}
Defined in wlidres.dll, which carries the event manifest.
Observed on:
- Win11-26200.6584, sample captured from a live trace, binary version 10.0.26100.1, captured 2026-06-02
- WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.1, captured 2026-06-02
- Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.1, captured 2026-06-02