Microsoft-Windows-LUA

45 events across 2 channels

Event	Title	Channel	Sample
15001	ConsentUI_GetUserDesktopSnapshotStart	Diagnostic	N
15002	ConsentUI_GetUserDesktopSnapshotStop	Diagnostic	N
15003	ConsentUI_WindowThreadStart	Diagnostic	N
15004	ConsentUI_WindowThreadStop	Diagnostic	N
15005	ConsentUI_WindowThread	Diagnostic	N
15006	ConsentUI_SwitchDesktopStart	Diagnostic	N
15007	ConsentUI_SwitchDesktopStop	Diagnostic	N
15008	ConsentUI_ReturnUserDesktopStart	Diagnostic	N
15009	ConsentUI_ReturnUserDesktopStop	Diagnostic	N
15010	ConsentUI_WindowThreadStart15010	Diagnostic	N
15011	ConsentUI_WindowThreadStop15011	Diagnostic	N
15012	ConsentUI_CheckActiveDesktopStart	Diagnostic	N
15013	ConsentUI_CheckActiveDesktopStop	Diagnostic	N
15014	ConsentUI_CheckActiveDesktopStart15014	Diagnostic	N
15015	ConsentUI_CheckActiveDesktopStop15015	Diagnostic	N
15016	ConsentUI_WindowThreadStart15016	Diagnostic	N
15017	ConsentUI_WindowThreadStop15017	Diagnostic	N
15018	ConsentUI_WindowThreadStart15018	Diagnostic	N
15019	ConsentUI_WindowThreadStop15019	Diagnostic	N
15020	ConsentUI_WindowThreadStart15020	Diagnostic	N
15021	ConsentUI_WindowThreadStop15021	Diagnostic	N
15022	ConsentUI_ExperienceStart	Diagnostic	N
15023	ConsentUI_ExperienceStop	Diagnostic	N
15024	ConsentUI_ExperienceStart15024	Diagnostic	N
15025	ConsentUI_ExperienceStop15025	Diagnostic	N
15026	ConsentUI_ExperienceStart15026	Diagnostic	N
15027	ConsentUI_ExperienceStop15027	Diagnostic	N
15028	ConsentUI_LEASVC	Diagnostic	N
15029	ConsentUI_AMScanStart	Diagnostic	N
15030	ConsentUI_AMScanStop	Diagnostic	N
15031	Success: Elevation prompt for executable FullCommandLine (ProgramName published …	Diagnostic	N
15031	Success: Elevation prompt for executable FullCommandLine (ProgramName published …	Elevation	N
15032	Elevation prompt for executable FullCommandLine (ProgramName published by …	Diagnostic	N
15032	Elevation prompt for executable FullCommandLine (ProgramName published by …	Elevation	N
16001	AppInfo_PerfTrack_ElevationPathStart	Diagnostic	N
16002	AppInfo_PerfTrack_ElevationPathStop	Diagnostic	N
16003	AppInfo_PerfTrack_ElevationPathStart16003	Diagnostic	N
16004	AppInfo_PerfTrack_ElevationPathStop16004	Diagnostic	N
16005	AppInfo_PerfTrack_ElevationPathStart16005	Diagnostic	N
16006	AppInfo_PerfTrack_ElevationPathStop16006	Diagnostic	N
16007	AppInfo_PerfTrack_ElevationPathStart16007	Diagnostic	N
16008	AppInfo_PerfTrack_ElevationPathStop16008	Diagnostic	N
16009	AppInfo_PerfTrack_ElevationPathStop16009	Diagnostic	N
16010	AppInfo_PerfTrack_ElevationPathStart16010	Diagnostic	N
16011	AppInfo_PerfTrack_ElevationPathStop16011	Diagnostic	N

Event ID 15001: ConsentUI_GetUserDesktopSnapshotStart

Provider: Microsoft-Windows-LUA
Channel: Diagnostic
Task: ConsentUI_GetUserDesktopSnapshot
Opcode: Start

Event ID 15002: ConsentUI_GetUserDesktopSnapshotStop

Provider: Microsoft-Windows-LUA
Channel: Diagnostic
Task: ConsentUI_GetUserDesktopSnapshot
Opcode: Stop

Event ID 15003: ConsentUI_WindowThreadStart

Provider: Microsoft-Windows-LUA
Channel: Diagnostic
Task: ConsentUI_WindowThread
Opcode: Start

Event ID 15004: ConsentUI_WindowThreadStop

Provider: Microsoft-Windows-LUA
Channel: Diagnostic
Task: ConsentUI_WindowThread
Opcode: Stop

Event ID 15005: ConsentUI_WindowThread

Provider: Microsoft-Windows-LUA
Channel: Diagnostic
Task: ConsentUI_WindowThread

Event ID 15006: ConsentUI_SwitchDesktopStart

Provider: Microsoft-Windows-LUA
Channel: Diagnostic
Task: ConsentUI_SwitchDesktop
Opcode: Start

Event ID 15007: ConsentUI_SwitchDesktopStop

Provider: Microsoft-Windows-LUA
Channel: Diagnostic
Task: ConsentUI_SwitchDesktop
Opcode: Stop

Event ID 15008: ConsentUI_ReturnUserDesktopStart

Provider: Microsoft-Windows-LUA
Channel: Diagnostic
Task: ConsentUI_ReturnUserDesktop
Opcode: Start

Event ID 15009: ConsentUI_ReturnUserDesktopStop

Provider: Microsoft-Windows-LUA
Channel: Diagnostic
Task: ConsentUI_ReturnUserDesktop
Opcode: Stop

Event ID 15010: ConsentUI_WindowThreadStart15010

Provider: Microsoft-Windows-LUA
Channel: Diagnostic
Task: ConsentUI_WindowThread
Opcode: Start

Event ID 15011: ConsentUI_WindowThreadStop15011

Provider: Microsoft-Windows-LUA
Channel: Diagnostic
Task: ConsentUI_WindowThread
Opcode: Stop

Event ID 15012: ConsentUI_CheckActiveDesktopStart

Provider: Microsoft-Windows-LUA
Channel: Diagnostic
Task: ConsentUI_CheckActiveDesktop
Opcode: Start

Event ID 15013: ConsentUI_CheckActiveDesktopStop

Provider: Microsoft-Windows-LUA
Channel: Diagnostic
Task: ConsentUI_CheckActiveDesktop
Opcode: Stop

Event ID 15014: ConsentUI_CheckActiveDesktopStart15014

Provider: Microsoft-Windows-LUA
Channel: Diagnostic
Task: ConsentUI_CheckActiveDesktop
Opcode: Start

Event ID 15015: ConsentUI_CheckActiveDesktopStop15015

Provider: Microsoft-Windows-LUA
Channel: Diagnostic
Task: ConsentUI_CheckActiveDesktop
Opcode: Stop

Event ID 15016: ConsentUI_WindowThreadStart15016

Provider: Microsoft-Windows-LUA
Channel: Diagnostic
Task: ConsentUI_WindowThread
Opcode: Start

Event ID 15017: ConsentUI_WindowThreadStop15017

Provider: Microsoft-Windows-LUA
Channel: Diagnostic
Task: ConsentUI_WindowThread
Opcode: Stop

Event ID 15018: ConsentUI_WindowThreadStart15018

Provider: Microsoft-Windows-LUA
Channel: Diagnostic
Task: ConsentUI_WindowThread
Opcode: Start

Event ID 15019: ConsentUI_WindowThreadStop15019

Provider: Microsoft-Windows-LUA
Channel: Diagnostic
Task: ConsentUI_WindowThread
Opcode: Stop

Event ID 15020: ConsentUI_WindowThreadStart15020

Provider: Microsoft-Windows-LUA
Channel: Diagnostic
Task: ConsentUI_WindowThread
Opcode: Start

Event ID 15021: ConsentUI_WindowThreadStop15021

Provider: Microsoft-Windows-LUA
Channel: Diagnostic
Task: ConsentUI_WindowThread
Opcode: Stop

Event ID 15022: ConsentUI_ExperienceStart

Provider: Microsoft-Windows-LUA
Channel: Diagnostic
Task: ConsentUI_Experience
Opcode: Start

Event ID 15023: ConsentUI_ExperienceStop

Provider: Microsoft-Windows-LUA
Channel: Diagnostic
Task: ConsentUI_Experience
Opcode: Stop

Event ID 15024: ConsentUI_ExperienceStart15024

Provider: Microsoft-Windows-LUA
Channel: Diagnostic
Task: ConsentUI_Experience
Opcode: Start

Event ID 15025: ConsentUI_ExperienceStop15025

Provider: Microsoft-Windows-LUA
Channel: Diagnostic
Task: ConsentUI_Experience
Opcode: Stop

Event ID 15026: ConsentUI_ExperienceStart15026

Provider: Microsoft-Windows-LUA
Channel: Diagnostic
Task: ConsentUI_Experience
Opcode: Start

Event ID 15027: ConsentUI_ExperienceStop15027

Provider: Microsoft-Windows-LUA
Channel: Diagnostic
Task: ConsentUI_Experience
Opcode: Stop

Event ID 15028: ConsentUI_LEASVC

Provider: Microsoft-Windows-LUA
Channel: Diagnostic
Task: ConsentUI_LEASVC

Fields #

Name	Description
`Parameters` Pointer

Event ID 15029: ConsentUI_AMScanStart

Provider: Microsoft-Windows-LUA
Channel: Diagnostic
Task: ConsentUI_AMScan
Opcode: Start

Event ID 15030: ConsentUI_AMScanStop

Provider: Microsoft-Windows-LUA
Channel: Diagnostic
Task: ConsentUI_AMScan
Opcode: Stop

Event ID 15031: Success: Elevation prompt for executable FullCommandLine (ProgramName published by Publisher) answered by UserName, will elevate as

Provider: Microsoft-Windows-LUA
Channel: Diagnostic
Task: CredUI_Elevation

Description

Success: Elevation prompt for executable ( published by ) answered by , will elevate as .

Fields #

Name	Description
`ProgramName` UnicodeString
`Publisher` UnicodeString
`FullCommandLine` UnicodeString
`UserName` UnicodeString
`ShadowAdmin` UnicodeString
`ShadowAdminSID` UnicodeString
`ReturnCode` UInt32
`ReturnMessage` UnicodeString

Event ID 15031: Success: Elevation prompt for executable FullCommandLine (ProgramName published by Publisher) answered by UserName, will elevate as ShadowAdmin.

Provider: Microsoft-Windows-LUA
Channel: Elevation
Task: CredUI_Elevation

Description

Success: Elevation prompt for executable FullCommandLine (ProgramName published by Publisher) answered by UserName, will elevate as ShadowAdmin.

Message #

Success: Elevation prompt for executable %3 (%1 published by %2) answered by %4, will elevate as %5.

Fields #

Name	Description
`ProgramName` UnicodeString
`Publisher` UnicodeString
`FullCommandLine` UnicodeString
`UserName` UnicodeString
`ShadowAdmin` UnicodeString
`ShadowAdminSID` UnicodeString
`ReturnCode` UInt32
`ReturnMessage` UnicodeString

Event ID 15032: Elevation prompt for executable FullCommandLine (ProgramName published by Publisher) answered by

Provider: Microsoft-Windows-LUA
Channel: Diagnostic
Task: CredUI_Elevation_Failure

Description

Elevation prompt for executable ( published by ) answered by . Error : .

Fields #

Name	Description
`ProgramName` UnicodeString
`Publisher` UnicodeString
`FullCommandLine` UnicodeString
`UserName` UnicodeString
`ShadowAdmin` UnicodeString
`ShadowAdminSID` UnicodeString
`ReturnCode` UInt32
`ReturnMessage` UnicodeString

Event ID 15032: Elevation prompt for executable FullCommandLine (ProgramName published by Publisher) answered by UserName.

Provider: Microsoft-Windows-LUA
Channel: Elevation
Task: CredUI_Elevation_Failure

Description

Elevation prompt for executable FullCommandLine (ProgramName published by Publisher) answered by UserName. Error ReturnCode: ReturnMessage.

Message #

Elevation prompt for executable %3 (%1 published by %2) answered by %4. Error %7: %8.

Fields #

Name	Description
`ProgramName` UnicodeString
`Publisher` UnicodeString
`FullCommandLine` UnicodeString
`UserName` UnicodeString
`ShadowAdmin` UnicodeString
`ShadowAdminSID` UnicodeString
`ReturnCode` UInt32
`ReturnMessage` UnicodeString

Event ID 16001: AppInfo_PerfTrack_ElevationPathStart

Provider: Microsoft-Windows-LUA
Channel: Diagnostic
Task: AppInfo_PerfTrack_ElevationPath
Opcode: Start

Fields #

Name	Description
`EventId` UInt32
`UACElevateFileID` UnicodeString

Event ID 16002: AppInfo_PerfTrack_ElevationPathStop

Provider: Microsoft-Windows-LUA
Channel: Diagnostic
Task: AppInfo_PerfTrack_ElevationPath
Opcode: Stop

Fields #

Name	Description
`EventId` UInt32
`UACElevateFileID` UnicodeString

Event ID 16003: AppInfo_PerfTrack_ElevationPathStart16003

Provider: Microsoft-Windows-LUA
Channel: Diagnostic
Task: AppInfo_PerfTrack_ElevationPath
Opcode: Start

Fields #

Name	Description
`EventId` UInt32
`UACElevateFileID` UnicodeString

Event ID 16004: AppInfo_PerfTrack_ElevationPathStop16004

Provider: Microsoft-Windows-LUA
Channel: Diagnostic
Task: AppInfo_PerfTrack_ElevationPath
Opcode: Stop

Fields #

Name	Description
`EventId` UInt32
`UACElevateFileID` UnicodeString

Event ID 16005: AppInfo_PerfTrack_ElevationPathStart16005

Provider: Microsoft-Windows-LUA
Channel: Diagnostic
Task: AppInfo_PerfTrack_ElevationPath
Opcode: Start

Fields #

Name	Description
`EventId` UInt32
`UACElevateFileID` UnicodeString

Event ID 16006: AppInfo_PerfTrack_ElevationPathStop16006

Provider: Microsoft-Windows-LUA
Channel: Diagnostic
Task: AppInfo_PerfTrack_ElevationPath
Opcode: Stop

Fields #

Name	Description
`EventId` UInt32
`UACElevateFileID` UnicodeString

Event ID 16007: AppInfo_PerfTrack_ElevationPathStart16007

Provider: Microsoft-Windows-LUA
Channel: Diagnostic
Task: AppInfo_PerfTrack_ElevationPath
Opcode: Start

Fields #

Name	Description
`EventId` UInt32
`UACElevateFileID` UnicodeString

Event ID 16008: AppInfo_PerfTrack_ElevationPathStop16008

Provider: Microsoft-Windows-LUA
Channel: Diagnostic
Task: AppInfo_PerfTrack_ElevationPath
Opcode: Stop

Fields #

Name	Description
`EventId` UInt32
`UACElevateFileID` UnicodeString

Event ID 16009: AppInfo_PerfTrack_ElevationPathStop16009

Provider: Microsoft-Windows-LUA
Channel: Diagnostic
Task: AppInfo_PerfTrack_ElevationPath
Opcode: Stop

Fields #

Name	Description
`EventId` UInt32
`UACElevateFileID` UnicodeString

Event ID 16010: AppInfo_PerfTrack_ElevationPathStart16010

Provider: Microsoft-Windows-LUA
Channel: Diagnostic
Task: AppInfo_PerfTrack_ElevationPath
Opcode: Start

Fields #

Name	Description
`EventId` UInt32
`UACElevateFileID` UnicodeString

Event ID 16011: AppInfo_PerfTrack_ElevationPathStop16011

Provider: Microsoft-Windows-LUA
Channel: Diagnostic
Task: AppInfo_PerfTrack_ElevationPath
Opcode: Stop

Fields #

Name	Description
`EventId` UInt32
`UACElevateFileID` UnicodeString

Provenance

Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.

ETW provider GUID 93c05d69-51a3-485e-877f-1806a8731346

Defined in appinfo.dll, which carries the event manifest.

Observed on:

WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.1, captured 2026-06-02
Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.4484, captured 2026-06-02

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Microsoft-Windows-LUA

Event ID 15001: ConsentUI_GetUserDesktopSnapshotStart

Event ID 15002: ConsentUI_GetUserDesktopSnapshotStop

Event ID 15003: ConsentUI_WindowThreadStart

Event ID 15004: ConsentUI_WindowThreadStop

Event ID 15005: ConsentUI_WindowThread

Event ID 15006: ConsentUI_SwitchDesktopStart

Event ID 15007: ConsentUI_SwitchDesktopStop

Event ID 15008: ConsentUI_ReturnUserDesktopStart

Event ID 15009: ConsentUI_ReturnUserDesktopStop

Event ID 15010: ConsentUI_WindowThreadStart15010

Event ID 15011: ConsentUI_WindowThreadStop15011

Event ID 15012: ConsentUI_CheckActiveDesktopStart

Event ID 15013: ConsentUI_CheckActiveDesktopStop

Event ID 15014: ConsentUI_CheckActiveDesktopStart15014

Event ID 15015: ConsentUI_CheckActiveDesktopStop15015

Event ID 15016: ConsentUI_WindowThreadStart15016

Event ID 15017: ConsentUI_WindowThreadStop15017

Event ID 15018: ConsentUI_WindowThreadStart15018

Event ID 15019: ConsentUI_WindowThreadStop15019

Event ID 15020: ConsentUI_WindowThreadStart15020

Event ID 15021: ConsentUI_WindowThreadStop15021

Event ID 15022: ConsentUI_ExperienceStart

Event ID 15023: ConsentUI_ExperienceStop

Event ID 15024: ConsentUI_ExperienceStart15024

Event ID 15025: ConsentUI_ExperienceStop15025

Event ID 15026: ConsentUI_ExperienceStart15026

Event ID 15027: ConsentUI_ExperienceStop15027

Event ID 15028: ConsentUI_LEASVC

Fields #

Event ID 15029: ConsentUI_AMScanStart

Event ID 15030: ConsentUI_AMScanStop

Event ID 15031: Success: Elevation prompt for executable FullCommandLine (ProgramName published by Publisher) answered by UserName, will elevate as

Description

Fields #

Event ID 15031: Success: Elevation prompt for executable FullCommandLine (ProgramName published by Publisher) answered by UserName, will elevate as ShadowAdmin.

Description

Message #

Fields #

Event ID 15032: Elevation prompt for executable FullCommandLine (ProgramName published by Publisher) answered by

Description

Fields #

Event ID 15032: Elevation prompt for executable FullCommandLine (ProgramName published by Publisher) answered by UserName.

Description

Message #

Fields #

Event ID 16001: AppInfo_PerfTrack_ElevationPathStart

Fields #

Event ID 16002: AppInfo_PerfTrack_ElevationPathStop

Fields #

Event ID 16003: AppInfo_PerfTrack_ElevationPathStart16003

Fields #

Event ID 16004: AppInfo_PerfTrack_ElevationPathStop16004

Fields #

Event ID 16005: AppInfo_PerfTrack_ElevationPathStart16005

Fields #

Event ID 16006: AppInfo_PerfTrack_ElevationPathStop16006

Fields #

Event ID 16007: AppInfo_PerfTrack_ElevationPathStart16007

Fields #

Event ID 16008: AppInfo_PerfTrack_ElevationPathStop16008

Fields #

Event ID 16009: AppInfo_PerfTrack_ElevationPathStop16009

Fields #

Event ID 16010: AppInfo_PerfTrack_ElevationPathStart16010

Fields #

Event ID 16011: AppInfo_PerfTrack_ElevationPathStop16011

Fields #

Provenance

Downloads