Microsoft-Windows-LoadPerf
53 events across 1 channel
Event ID 1000: Performance counters for the {param1} ({param2}) service were loaded successfully.
Description
Performance counters for the {param1} ({param2}) service were loaded successfully. The Record Data in the data section contains the new index values assigned to this service.
Message
Fields
| Name | Description |
|---|---|
| EventXML.param1 | |
| EventXML.param2 | |
| EventXML.binaryDataSize | |
| EventXML.binaryData | |
| param1 | |
| param2 | |
| Size | |
| BinaryData | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-LoadPerf",
"guid": "{122EE297-BB47-41AE-B265-1CA8D1886D40}",
"event_source_name": "",
"event_id": 1000,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": -9223372036854775808,
"time_created": "2026-05-29T16:37:17.5905632+00:00",
"event_record_id": 730,
"correlation": {},
"execution": {
"process_id": 3212,
"thread_id": 4892
},
"channel": "Application",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"EventXML": {
"param1": "WmiApRpl",
"param2": "WmiApRpl",
"binaryDataSize": "16",
"binaryData": "A42800004A290000A52800004B290000"
}
},
"message": "Performance counters for the WmiApRpl (WmiApRpl) service were loaded successfully. The Record Data in the data section contains the new index values assigned to this service."
}
Event ID 1001: Performance counters for the {param1} ({param2}) service were removed successfully.
Description
Performance counters for the {param1} ({param2}) service were removed successfully. The Record Data contains the new values of the system Last Counter and Last Help registry entries.
Message
Fields
| Name | Description |
|---|---|
| EventXML.param1 | |
| EventXML.param2 | |
| EventXML.binaryDataSize | |
| EventXML.binaryData | |
| param1 | |
| param2 | |
| Size | |
| BinaryData | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-LoadPerf",
"guid": "{122EE297-BB47-41AE-B265-1CA8D1886D40}",
"event_source_name": "",
"event_id": 1001,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": -9223372036854775808,
"time_created": "2026-05-29T16:37:17.4794721+00:00",
"event_record_id": 729,
"correlation": {},
"execution": {
"process_id": 3212,
"thread_id": 4892
},
"channel": "Application",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"EventXML": {
"param1": "WmiApRpl",
"param2": "WmiApRpl",
"binaryDataSize": "12",
"binaryData": "A2280000A3280000D2050000"
}
},
"message": "Performance counters for the WmiApRpl (WmiApRpl) service were removed successfully. The Record Data contains the new values of the system Last Counter and Last Help registry entries."
}
Event ID 1002: Performance counters for the {param1} ({param2}) service are already in the registry; no need to reinstall.
Description
Performance counters for the {param1} ({param2}) service are already in the registry, no need to reinstall. This only happens when you install the same counter twice. The second time install will generate this event.
Message
Fields
| Name | Description |
|---|---|
| param1 | |
| param2 | |
| Size | |
| BinaryData | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-LoadPerf",
"guid": "122EE297-BB47-41AE-B265-1CA8D1886D40",
"event_source_name": "",
"event_id": 1002,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2013-10-23T18:31:55.566626+00:00",
"event_record_id": 266,
"correlation": {},
"execution": {
"process_id": 836,
"thread_id": 3012
},
"channel": "Application",
"computer": "IE8Win7",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"EventXML": {
"xmlns:auto-ns2": "http://schemas.microsoft.com/win/2004/08/events",
"param1": ".NET CLR Networking 4.0.0.0",
"param2": ".NET CLR Networking 4.0.0.0",
"binaryDataSize": 4,
"binaryData": "whIAAA=="
}
},
"message": "Performance counters for the http://schemas.microsoft.com/win/2004/08/events!s! (.NET CLR Networking 4.0.0.0!s!) service are already in the registry, no need to reinstall. This only happens when you install the same counter twice. The second time install will generate this event."
}
References
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 2001: No MOF file {param2} was created for the {param1} service.
Description
No MOF file {param2} was created for the {param1} service. Before the performance counters of this service can be collected by WMI, a MOF file will need to be created and loaded manually. Contact the vendor of this service for additional information.
Message
Fields
| Name | Description |
|---|---|
| param1 UnicodeString | |
| param2 UnicodeString | |
Event ID 2002: The MOF file created for the {param1} service could not be loaded.
Description
The MOF file created for the {param1} service could not be loaded. The record data contains the error code returned by the MOF Compiler. Before the performance counters of this service can be collected by WMI, the MOF file will need to be loaded manually. Contact the vendor of this service for additional information.
Message
Fields
| Name | Description |
|---|---|
| param1 UnicodeString | |
Event ID 2003: The MOF file created for the {param1} service cannot be deleted as requested.
Event ID 2004: The Performance registry value {param1} string is corrupted.
Event ID 2005: No COUNTER/HELP definition for Language {param1}.
Event ID 2006: The LastCounter and LastHelp values of the performance registry are corrupted and need to be updated.
Description
The LastCounter and LastHelp values of the performance registry are corrupted and need to be updated. The first and second DWORDs in the Data Section contain the original LastCounter and LastHelp values, respectively, while the third and fourth DWORDs in the Data Section contain the updated new values.
Message
Event ID 2007: Cannot repair performance counters for {param1} service.
Event ID 3000: The performance strings in the registry do not match the index values stored in Performance registry key.
Description
The performance strings in the registry do not match the index values stored in Performance registry key. The first DWORD in the Data section contains the last index value from performance registry key and the second DWORD in the Data section contains the index of the last string.
Message
Event ID 3001: The performance counter name string value in the registry is not formatted correctly.
Description
The performance counter name string value in the registry is not formatted correctly. The malformed string is {param1}. The first DWORD in the Data section contains the index value to the malformed string while the second and third DWORDs in the Data section contain the last valid index values.
Message
Fields
| Name | Description |
|---|---|
| param1 UnicodeString | |
| Size UInt32 | |
| BinaryData Binary | |
Event ID 3002: The performance counter explain text string value in the registry is not formatted correctly.
Description
The performance counter explain text string value in the registry is not formatted correctly. The malformed string is {param1}. The first DWORD in the Data section contains the index value to the malformed string while the second and third DWORDs in the Data section contain the last valid index values.
Message
Fields
| Name | Description |
|---|---|
| param1 UnicodeString | |
| Size UInt32 | |
| BinaryData Binary | |
Event ID 3003: Unable to install counter strings because the {param1} key could not be opened or accessed.
Event ID 3004: Unable to read the {param1} registry value.
Event ID 3005: Unable to open the registry key for the performance counter strings defined for the {param1} language ID.
Event ID 3006: Unable to read the performance counter strings defined for the {param1} language ID.
Event ID 3007: Unable to read the performance counter explain text strings defined for the {param1} language ID.
Event ID 3008: Unable to allocate a required memory buffer.
Description
Unable to allocate a required memory buffer.
Message
Event ID 3009: Installing the performance counter strings for service {param1} ({param2}) failed.
Event ID 3011: Unloading the performance counter strings for service {param1} ({param2}) failed.
Event ID 3012: The performance strings in the Performance registry value is corrupted when process {param1} extension counter provider.
Description
The performance strings in the Performance registry value is corrupted when process {param1} extension counter provider. The BaseIndex value from the Performance registry is the first DWORD in the Data section, LastCounter value is the second DWORD in the Data section, and LastHelp value is the third DWORD in the Data section.
Message
Fields
| Name | Description |
|---|---|
| param1 UnicodeString | |
| Size UInt32 | |
| BinaryData Binary | |
Event ID 3013: Unable to update the performance counter strings defined for the {param1} language ID.
Event ID 3014: Unable to update the performance counter explain text strings of the {param1} language ID.
Event ID 3015: Index for {param1} is corrupted.
Event ID 3016: Cannot update {param1} value of {param2} key.
Event ID 3017: Cannot update {param1} value of {param2} key.
Event ID 3018: {param1} index range of service {param2} is corrupted.
Description
{param1} index range of service {param2} is corrupted. The first DWORD in the Data section contains the first index value used and the second DWORD in the Data section contains last index value used.
Message
Fields
| Name | Description |
|---|---|
| param1 UnicodeString | |
| param2 UnicodeString | |
| Size UInt32 | |
| BinaryData Binary | |
Event ID 1073742824: Performance counters for the {param1} ({param2}) service were loaded successfully.
Description
Performance counters for the {param1} ({param2}) service were loaded successfully. The Record Data in the data section contains the new index values assigned to this service.
Message
Fields
| Name | Description |
|---|---|
| param1 | |
| param2 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-LoadPerf",
"event_id": 1000,
"level": 4,
"task": 0,
"opcode": 0,
"time_created": "2026-03-13T19:14:56.9297355+00:00",
"computer": "JD-DC01-2022.ludus.domain",
"channel": "Application"
},
"event_data": {
"param2": "WmiApRpl",
"binaryDataSize": "16",
"param1": "WmiApRpl",
"binaryData": "902B0000362C0000912B0000372C0000"
}
}
Event ID 1073742825: Performance counters for the {param1} ({param2}) service were removed successfully.
Description
Performance counters for the {param1} ({param2}) service were removed successfully. The Record Data contains the new values of the system Last Counter and Last Help registry entries.
Message
Fields
| Name | Description |
|---|---|
| param1 | |
| param2 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-LoadPerf",
"event_id": 1001,
"level": 4,
"task": 0,
"opcode": 0,
"time_created": "2026-03-13T19:14:56.8511348+00:00",
"computer": "JD-DC01-2022.ludus.domain",
"channel": "Application"
},
"event_data": {
"param2": "WmiApRpl",
"binaryDataSize": "12",
"param1": "WmiApRpl",
"binaryData": "8E2B00008F2B0000D2050000"
}
}
Event ID 1073742826: Performance counters for the {param1} ({param2}) service are already in the registry; no need to reinstall.
Event ID 2147485649: No MOF file {param2} was created for the {param1} service.
Event ID 2147485650: The MOF file created for the {param1} service could not be loaded.
Event ID 2147485651: The MOF file created for the {param1} service cannot be deleted as requested.
Event ID 2147485652: The Performance registry value {param1} string is corrupted.
Event ID 2147485653: No COUNTER/HELP definition for Language {param1}.
Event ID 2147485655: Cannot repair performance counters for {param1} service.
Event ID 3221228473: The performance counter name string value in the registry is not formatted correctly.
Event ID 3221228474: The performance counter explain text string value in the registry is not formatted correctly.
Event ID 3221228475: Unable to install counter strings because the {param1} key could not be opened or accessed.
Event ID 3221228476: Unable to read the {param1} registry value.
Event ID 3221228477: Unable to open the registry key for the performance counter strings defined for the {param1} language ID.
Event ID 3221228478: Unable to read the performance counter strings defined for the {param1} language ID.
Event ID 3221228479: Unable to read the performance counter explain text strings defined for the {param1} language ID.
Event ID 3221228481: Installing the performance counter strings for service {param1} ({param2}) failed.
Event ID 3221228483: Unloading the performance counter strings for service {param1} ({param2}) failed.
Event ID 3221228484: The performance strings in the Performance registry value is corrupted when process {param1} extension counter provider.
Event ID 3221228485: Unable to update the performance counter strings defined for the {param1} language ID.
Event ID 3221228486: Unable to update the performance counter explain text strings of the {param1} language ID.
Event ID 3221228487: Index for {param1} is corrupted.
Event ID 3221228488: Cannot update {param1} value of {param2} key.
Event ID 3221228489: Cannot update {param1} value of {param2} key.
Event ID 3221228490: {param1} index range of service {param2} is corrupted.
Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID 122ee297-bb47-41ae-b265-1ca8d1886d40
Defined in loadperf.dll, which carries the event manifest.
Observed on:
- WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.1, captured 2026-06-02