Microsoft-Windows-ManagementTools-RegistryProvider

43 events across 2 channels

Event | Title | Channel | Sample
1000 | Provider load start: arg0. | Operational | N
1001 | Provider load stop: arg0. | Operational | N
1002 | Provider load error: arg0. | Operational | N
1003 | Provider unload start: arg0. | Operational | N
1004 | Provider unload stop: arg0. | Operational | N
1005 | Provider unload error: arg0. | Operational | N
1100 | Start RegistryKey GetInstance: arg0. | Analytic | N
1101 | Stop RegistryKey GetInstance: arg0. | Analytic | N
1102 | Error RegistryKey GetInstance: arg0, arg1. | Operational | N
1103 | Start RegistryKey CreateInstance: arg0. | Analytic | N
1104 | Stop RegistryKey CreateInstance: arg0. | Analytic | N
1105 | Error RegistryKey CreateInstance: arg0, arg1. | Operational | N
1106 | Start RegistryKey DeleteInstance: arg0. | Analytic | N
1107 | Stop RegistryKey DeleteInstance: arg0. | Analytic | N
1108 | Error RegistryKey DeleteInstance: arg0, arg1. | Operational | N
1109 | Start RegistryKey Rename: arg0 to arg1. | Analytic | N
1110 | Stop RegistryKey Rename: arg0 to arg1. | Analytic | N
1111 | Error RegistryKey Rename: arg0, arg1. | Operational | N
1200 | Start RegistryValue GetInstance: arg0. | Analytic | N
1201 | Stop RegistryValue GetInstance: arg0. | Analytic | N
1202 | Error RegistryValue GetInstance: arg0, arg1. | Operational | N
1203 | Start RegistryValue CreateInstance: arg0. | Analytic | N
1204 | Stop RegistryValue CreateInstance: arg0. | Analytic | N
1205 | Error RegistryValue CreateInstance: arg0, arg1. | Operational | N
1206 | Start RegistryValue ModifyInstance: arg0. | Analytic | N
1207 | Stop RegistryValue ModifyInstance: arg0. | Analytic | N
1208 | Error RegistryValue ModifyInstance: arg0, arg1. | Operational | N
1209 | Start RegistryValue DeleteInstance: arg0. | Analytic | N
1210 | Stop RegistryValue DeleteInstance: arg0. | Analytic | N
1211 | Error RegistryValue DeleteInstance: arg0, arg1. | Operational | N
1212 | Start RegistryValue Rename: arg0 to arg1. | Analytic | N
1213 | Stop RegistryValue Rename: arg0 to arg1. | Analytic | N
1214 | Error RegistryValue Rename: arg0, arg1. | Operational | N
1300 | Start RegistryKey GetSubKeys: arg0. | Analytic | N
1301 | Stop RegistryKey GetSubKeys: arg0. | Analytic | N
1302 | Error RegistryKey GetSubKeys: arg0, arg1. | Operational | N
1303 | Start RegistryKey GetValues: arg0. | Analytic | N
1304 | Stop RegistryKey GetValues: arg0. | Analytic | N
1305 | Error RegistryKey GetValues: arg0, arg1. | Operational | N
1306 | Start RegistryTasks Search: arg0, Value: arg1, Options: arg2. | Analytic | N
1307 | Stop RegistryTasks Search: arg0, Value: arg1, Options: arg2. | Analytic | N
1308 | Error RegistryTasks Search: arg0, arg1. | Operational | N
1400 | Error: arg0, arg1. | Operational | N

Event ID 1000: Provider load start: arg0.

Provider: Microsoft-Windows-ManagementTools-RegistryProvider
Channel: Operational
Task: Lifetime
Opcode: Start

Description

Provider load start: arg0.

Message

Provider load start: %1.

Fields

Name Description
arg0 UnicodeString

Event ID 1001: Provider load stop: arg0.

Provider: Microsoft-Windows-ManagementTools-RegistryProvider
Channel: Operational
Task: Lifetime
Opcode: Stop

Description

Provider load stop: arg0.

Message

Provider load stop: %1.

Fields

Name Description
arg0 UnicodeString

Event ID 1002: Provider load error: arg0.

Provider: Microsoft-Windows-ManagementTools-RegistryProvider
Channel: Operational
Task: Lifetime

Description

Provider load error: arg0.

Message

Provider load error: %1.

Fields

Name Description
arg0 UnicodeString

Event ID 1003: Provider unload start: arg0.

Provider: Microsoft-Windows-ManagementTools-RegistryProvider
Channel: Operational
Task: Lifetime
Opcode: Start

Description

Provider unload start: arg0.

Message

Provider unload start: %1.

Fields

Name Description
arg0 UnicodeString

Event ID 1004: Provider unload stop: arg0.

Provider: Microsoft-Windows-ManagementTools-RegistryProvider
Channel: Operational
Task: Lifetime
Opcode: Stop

Description

Provider unload stop: arg0.

Message

Provider unload stop: %1.

Fields

Name Description
arg0 UnicodeString

Event ID 1005: Provider unload error: arg0.

Provider: Microsoft-Windows-ManagementTools-RegistryProvider
Channel: Operational
Task: Lifetime

Description

Provider unload error: arg0.

Message

Provider unload error: %1.

Fields

Name Description
arg0 UnicodeString

Event ID 1100: Start RegistryKey GetInstance: arg0.

Provider: Microsoft-Windows-ManagementTools-RegistryProvider
Channel: Analytic
Task: Lifetime
Opcode: Start

Description

Start RegistryKey GetInstance: arg0.

Message

Start RegistryKey GetInstance: %1.

Fields

Name Description
arg0 UnicodeString

Event ID 1101: Stop RegistryKey GetInstance: arg0.

Provider: Microsoft-Windows-ManagementTools-RegistryProvider
Channel: Analytic
Task: Lifetime
Opcode: Stop

Description

Stop RegistryKey GetInstance: arg0.

Message

Stop RegistryKey GetInstance: %1.

Fields

Name Description
arg0 UnicodeString

Event ID 1102: Error RegistryKey GetInstance: arg0, arg1.

Provider: Microsoft-Windows-ManagementTools-RegistryProvider
Channel: Operational
Task: Lifetime

Description

Error RegistryKey GetInstance: arg0, arg1.

Message

Error RegistryKey GetInstance: %1, %2

Fields

Name Description
arg0 Int32
arg1 UnicodeString

Event ID 1103: Start RegistryKey CreateInstance: arg0.

Provider: Microsoft-Windows-ManagementTools-RegistryProvider
Channel: Analytic
Task: Lifetime
Opcode: Start

Description

Start RegistryKey CreateInstance: arg0.

Message

Start RegistryKey CreateInstance: %1.

Fields

Name Description
arg0 UnicodeString

Event ID 1104: Stop RegistryKey CreateInstance: arg0.

Provider: Microsoft-Windows-ManagementTools-RegistryProvider
Channel: Analytic
Task: Lifetime
Opcode: Stop

Description

Stop RegistryKey CreateInstance: arg0.

Message

Stop RegistryKey CreateInstance: %1.

Fields

Name Description
arg0 UnicodeString

Event ID 1105: Error RegistryKey CreateInstance: arg0, arg1.

Provider: Microsoft-Windows-ManagementTools-RegistryProvider
Channel: Operational
Task: Lifetime

Description

Error RegistryKey CreateInstance: arg0, arg1.

Message

Error RegistryKey CreateInstance: %1, %2

Fields

Name Description
arg0 Int32
arg1 UnicodeString

Event ID 1106: Start RegistryKey DeleteInstance: arg0.

Provider: Microsoft-Windows-ManagementTools-RegistryProvider
Channel: Analytic
Task: Lifetime
Opcode: Start

Description

Start RegistryKey DeleteInstance: arg0.

Message

Start RegistryKey DeleteInstance: %1.

Fields

Name Description
arg0 UnicodeString

Event ID 1107: Stop RegistryKey DeleteInstance: arg0.

Provider: Microsoft-Windows-ManagementTools-RegistryProvider
Channel: Analytic
Task: Lifetime
Opcode: Stop

Description

Stop RegistryKey DeleteInstance: arg0.

Message

Stop RegistryKey DeleteInstance: %1.

Fields

Name Description
arg0 UnicodeString

Event ID 1108: Error RegistryKey DeleteInstance: arg0, arg1.

Provider: Microsoft-Windows-ManagementTools-RegistryProvider
Channel: Operational
Task: Lifetime

Description

Error RegistryKey DeleteInstance: arg0, arg1.

Message

Error RegistryKey DeleteInstance: %1, %2

Fields

Name Description
arg0 Int32
arg1 UnicodeString

Event ID 1109: Start RegistryKey Rename: arg0 to arg1.

Provider: Microsoft-Windows-ManagementTools-RegistryProvider
Channel: Analytic
Task: Action
Opcode: Start

Description

Start RegistryKey Rename: arg0 to arg1.

Message

Start RegistryKey Rename: %1 to %2.

Fields

Name Description
arg0 UnicodeString
arg1 UnicodeString

Event ID 1110: Stop RegistryKey Rename: arg0 to arg1.

Provider: Microsoft-Windows-ManagementTools-RegistryProvider
Channel: Analytic
Task: Action
Opcode: Stop

Description

Stop RegistryKey Rename: arg0 to arg1.

Message

Stop RegistryKey Rename: %1 to %2.

Fields

Name Description
arg0 UnicodeString
arg1 UnicodeString

Event ID 1111: Error RegistryKey Rename: arg0, arg1.

Provider: Microsoft-Windows-ManagementTools-RegistryProvider
Channel: Operational
Task: Action

Description

Error RegistryKey Rename: arg0, arg1.

Message

Error RegistryKey Rename: %1, %2

Fields

Name Description
arg0 Int32
arg1 UnicodeString

Event ID 1200: Start RegistryValue GetInstance: arg0.

Provider: Microsoft-Windows-ManagementTools-RegistryProvider
Channel: Analytic
Task: Lifetime
Opcode: Start

Description

Start RegistryValue GetInstance: arg0.

Message

Start RegistryValue GetInstance: %1.

Fields

Name Description
arg0 UnicodeString

Event ID 1201: Stop RegistryValue GetInstance: arg0.

Provider: Microsoft-Windows-ManagementTools-RegistryProvider
Channel: Analytic
Task: Lifetime
Opcode: Stop

Description

Stop RegistryValue GetInstance: arg0.

Message

Stop RegistryValue GetInstance: %1.

Fields

Name Description
arg0 UnicodeString

Event ID 1202: Error RegistryValue GetInstance: arg0, arg1.

Provider: Microsoft-Windows-ManagementTools-RegistryProvider
Channel: Operational
Task: Lifetime

Description

Error RegistryValue GetInstance: arg0, arg1.

Message

Error RegistryValue GetInstance: %1, %2

Fields

Name Description
arg0 Int32
arg1 UnicodeString

Event ID 1203: Start RegistryValue CreateInstance: arg0.

Provider: Microsoft-Windows-ManagementTools-RegistryProvider
Channel: Analytic
Task: Lifetime
Opcode: Start

Description

Start RegistryValue CreateInstance: arg0.

Message

Start RegistryValue CreateInstance: %1.

Fields

Name Description
arg0 UnicodeString

Event ID 1204: Stop RegistryValue CreateInstance: arg0.

Provider: Microsoft-Windows-ManagementTools-RegistryProvider
Channel: Analytic
Task: Lifetime
Opcode: Stop

Description

Stop RegistryValue CreateInstance: arg0.

Message

Stop RegistryValue CreateInstance: %1.

Fields

Name Description
arg0 UnicodeString

Event ID 1205: Error RegistryValue CreateInstance: arg0, arg1.

Provider: Microsoft-Windows-ManagementTools-RegistryProvider
Channel: Operational
Task: Lifetime

Description

Error RegistryValue CreateInstance: arg0, arg1.

Message

Error RegistryValue CreateInstance: %1, %2

Fields

Name Description
arg0 Int32
arg1 UnicodeString

Event ID 1206: Start RegistryValue ModifyInstance: arg0.

Provider: Microsoft-Windows-ManagementTools-RegistryProvider
Channel: Analytic
Task: Lifetime
Opcode: Start

Description

Start RegistryValue ModifyInstance: arg0.

Message

Start RegistryValue ModifyInstance: %1.

Fields

Name Description
arg0 UnicodeString

Event ID 1207: Stop RegistryValue ModifyInstance: arg0.

Provider: Microsoft-Windows-ManagementTools-RegistryProvider
Channel: Analytic
Task: Lifetime
Opcode: Stop

Description

Stop RegistryValue ModifyInstance: arg0.

Message

Stop RegistryValue ModifyInstance: %1.

Fields

Name Description
arg0 UnicodeString

Event ID 1208: Error RegistryValue ModifyInstance: arg0, arg1.

Provider: Microsoft-Windows-ManagementTools-RegistryProvider
Channel: Operational
Task: Lifetime

Description

Error RegistryValue ModifyInstance: arg0, arg1.

Message

Error RegistryValue ModifyInstance: %1, %2

Fields

Name Description
arg0 Int32
arg1 UnicodeString

Event ID 1209: Start RegistryValue DeleteInstance: arg0.

Provider: Microsoft-Windows-ManagementTools-RegistryProvider
Channel: Analytic
Task: Lifetime
Opcode: Start

Description

Start RegistryValue DeleteInstance: arg0.

Message

Start RegistryValue DeleteInstance: %1.

Fields

Name Description
arg0 UnicodeString

Event ID 1210: Stop RegistryValue DeleteInstance: arg0.

Provider: Microsoft-Windows-ManagementTools-RegistryProvider
Channel: Analytic
Task: Lifetime
Opcode: Stop

Description

Stop RegistryValue DeleteInstance: arg0.

Message

Stop RegistryValue DeleteInstance: %1.

Fields

Name Description
arg0 UnicodeString

Event ID 1211: Error RegistryValue DeleteInstance: arg0, arg1.

Provider: Microsoft-Windows-ManagementTools-RegistryProvider
Channel: Operational
Task: Lifetime

Description

Error RegistryValue DeleteInstance: arg0, arg1.

Message

Error RegistryValue DeleteInstance: %1, %2

Fields

Name Description
arg0 Int32
arg1 UnicodeString

Event ID 1212: Start RegistryValue Rename: arg0 to arg1.

Provider: Microsoft-Windows-ManagementTools-RegistryProvider
Channel: Analytic
Task: Action
Opcode: Start

Description

Start RegistryValue Rename: arg0 to arg1.

Message

Start RegistryValue Rename: %1 to %2.

Fields

Name Description
arg0 UnicodeString
arg1 UnicodeString

Event ID 1213: Stop RegistryValue Rename: arg0 to arg1.

Provider: Microsoft-Windows-ManagementTools-RegistryProvider
Channel: Analytic
Task: Action
Opcode: Stop

Description

Stop RegistryValue Rename: arg0 to arg1.

Message

Stop RegistryValue Rename: %1 to %2.

Fields

Name Description
arg0 UnicodeString
arg1 UnicodeString

Event ID 1214: Error RegistryValue Rename: arg0, arg1.

Provider: Microsoft-Windows-ManagementTools-RegistryProvider
Channel: Operational
Task: Action

Description

Error RegistryValue Rename: arg0, arg1.

Message

Error RegistryValue Rename: %1, %2

Fields

Name Description
arg0 Int32
arg1 UnicodeString

Event ID 1300: Start RegistryKey GetSubKeys: arg0.

Provider: Microsoft-Windows-ManagementTools-RegistryProvider
Channel: Analytic
Task: Action
Opcode: Start

Description

Start RegistryKey GetSubKeys: arg0.

Message

Start RegistryKey GetSubKeys: %1.

Fields

Name Description
arg0 UnicodeString

Event ID 1301: Stop RegistryKey GetSubKeys: arg0.

Provider: Microsoft-Windows-ManagementTools-RegistryProvider
Channel: Analytic
Task: Action
Opcode: Stop

Description

Stop RegistryKey GetSubKeys: arg0.

Message

Stop RegistryKey GetSubKeys: %1.

Fields

Name Description
arg0 UnicodeString

Event ID 1302: Error RegistryKey GetSubKeys: arg0, arg1.

Provider: Microsoft-Windows-ManagementTools-RegistryProvider
Channel: Operational
Task: Action

Description

Error RegistryKey GetSubKeys: arg0, arg1.

Message

Error RegistryKey GetSubKeys: %1, %2

Fields

Name Description
arg0 Int32
arg1 UnicodeString

Event ID 1303: Start RegistryKey GetValues: arg0.

Provider: Microsoft-Windows-ManagementTools-RegistryProvider
Channel: Analytic
Task: Action
Opcode: Start

Description

Start RegistryKey GetValues: arg0.

Message

Start RegistryKey GetValues: %1.

Fields

Name Description
arg0 UnicodeString

Event ID 1304: Stop RegistryKey GetValues: arg0.

Provider: Microsoft-Windows-ManagementTools-RegistryProvider
Channel: Analytic
Task: Action
Opcode: Stop

Description

Stop RegistryKey GetValues: arg0.

Message

Stop RegistryKey GetValues: %1.

Fields

Name Description
arg0 UnicodeString

Event ID 1305: Error RegistryKey GetValues: arg0, arg1.

Provider: Microsoft-Windows-ManagementTools-RegistryProvider
Channel: Operational
Task: Action

Description

Error RegistryKey GetValues: arg0, arg1.

Message

Error RegistryKey GetValues: %1, %2

Fields

Name Description
arg0 Int32
arg1 UnicodeString

Event ID 1306: Start RegistryTasks Search: arg0, Value: arg1, Options: arg2.

Provider: Microsoft-Windows-ManagementTools-RegistryProvider
Channel: Analytic
Task: Action
Opcode: Start

Description

Start RegistryTasks Search: arg0, Value: arg1, Options: arg2.

Message

Start RegistryTasks Search: %1, Value: %2, Options: %3.

Fields

Name Description
arg0 UnicodeString
arg1 UnicodeString
arg2 Int32

Event ID 1307: Stop RegistryTasks Search: arg0, Value: arg1, Options: arg2.

Provider: Microsoft-Windows-ManagementTools-RegistryProvider
Channel: Analytic
Task: Action
Opcode: Stop

Description

Stop RegistryTasks Search: arg0, Value: arg1, Options: arg2.

Message

Stop RegistryTasks Search: %1, Value: %2, Options: %3.

Fields

Name Description
arg0 UnicodeString
arg1 UnicodeString
arg2 Int32

Event ID 1308: Error RegistryTasks Search: arg0, arg1.

Provider: Microsoft-Windows-ManagementTools-RegistryProvider
Channel: Operational
Task: Action

Description

Error RegistryTasks Search: arg0, arg1.

Message

Error RegistryTasks Search: %1, %2

Fields

Name Description
arg0 Int32
arg1 UnicodeString

Event ID 1400: Error: arg0, arg1.

Provider: Microsoft-Windows-ManagementTools-RegistryProvider
Channel: Operational
Task: Lifetime

Description

Error: arg0, arg1

Message

Error: %1, %2

Fields

Name Description
arg0 Int32
arg1 UnicodeString

Provenance

Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.

ETW provider GUID 8656ea1b-e71c-4ec8-ab69-4ebff5bac0f3

Defined in regprov.dll, which carries the event manifest.

Observed on:

  • WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.1, captured 2026-06-02
