Microsoft-Windows-Search
258 events across 2 channels
Event ID 1003: The Windows Search Service started.
#Fields #
| Name | Description |
|---|---|
ExtraInfo |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Search",
"guid": "{CA4E628D-8567-4896-AB6B-835B221F373F}",
"event_source_name": "Windows Search Service",
"event_id": 1003,
"version": 0,
"level": 4,
"task": 1,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2023-11-06T06:25:51.885710+00:00",
"event_record_id": 1450,
"correlation": {},
"execution": {
"process_id": 5004,
"thread_id": 0
},
"channel": "Application",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"Data": {
"Name": "ExtraInfo",
"Value": "\n"
}
},
"message": "The Windows Search Service started.ExtraInfo"
}
Event ID 1003: The Windows Search Service started
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Search",
"guid": "{CA4E628D-8567-4896-AB6B-835B221F373F}",
"event_source_name": "",
"event_id": 1003,
"version": 0,
"level": 4,
"task": 1,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2026-05-29T16:38:25.7177321+00:00",
"event_record_id": 4745,
"correlation": {},
"execution": {
"process_id": 7088,
"thread_id": 0
},
"channel": "Application",
"computer": "telemetry-W11-a.cell-a.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"ExtraInfo": ""
},
"message": "The Windows Search Service started.\n"
}
Event ID 1004: The Windows Search service is creating the new search index {Reason: Full Index Reset}.
#Fields #
| Name | Description |
|---|---|
ExtraInfo | |
Reason |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Search",
"guid": "{CA4E628D-8567-4896-AB6B-835B221F373F}",
"event_source_name": "Windows Search Service",
"event_id": 1004,
"version": 0,
"level": 4,
"task": 1,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2023-11-06T06:25:51.187482+00:00",
"event_record_id": 1447,
"correlation": {},
"execution": {
"process_id": 5004,
"thread_id": 0
},
"channel": "Application",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"ExtraInfo": "\n",
"Reason": "Full Index Reset"
},
"message": "The Windows Search service is creating the new search index {Reason: Full Index Reset}. \n"
}
Event ID 1004: The Windows Search service is creating the new search index {Reason: Reason}
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString | |
Reason UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Search",
"guid": "{CA4E628D-8567-4896-AB6B-835B221F373F}",
"event_source_name": "",
"event_id": 1004,
"version": 0,
"level": 4,
"task": 1,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2026-04-18T00:27:20.5494469+00:00",
"event_record_id": 16,
"correlation": {},
"execution": {
"process_id": 928,
"thread_id": 0
},
"channel": "Application",
"computer": "WIN11-25H2-X64",
"security": {
"user_id": ""
}
},
"event_data": {
"ExtraInfo": "",
"Reason": "Full Index Reset"
},
"message": "The Windows Search service is creating the new search index {Reason: Full Index Reset}. \n"
}
Event ID 1005: The Windows Search Service has successfully created the new search index.
#Fields #
| Name | Description |
|---|---|
ExtraInfo |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Search",
"guid": "{CA4E628D-8567-4896-AB6B-835B221F373F}",
"event_source_name": "Windows Search Service",
"event_id": 1005,
"version": 0,
"level": 4,
"task": 1,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2023-11-06T06:25:51.828936+00:00",
"event_record_id": 1449,
"correlation": {},
"execution": {
"process_id": 5004,
"thread_id": 0
},
"channel": "Application",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"Data": {
"Name": "ExtraInfo",
"Value": "\n"
}
},
"message": "The Windows Search Service has successfully created the new search index. ExtraInfo"
}
Event ID 1005: The Windows Search Service has successfully created the new search index
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Search",
"guid": "{CA4E628D-8567-4896-AB6B-835B221F373F}",
"event_source_name": "",
"event_id": 1005,
"version": 0,
"level": 4,
"task": 1,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2026-04-18T00:27:20.6255220+00:00",
"event_record_id": 17,
"correlation": {},
"execution": {
"process_id": 928,
"thread_id": 0
},
"channel": "Application",
"computer": "WIN11-25H2-X64",
"security": {
"user_id": ""
}
},
"event_data": {
"ExtraInfo": ""
},
"message": "The Windows Search Service has successfully created the new search index. \n"
}
Event ID 1006: The Windows Search Service has failed to create the new search index
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString | |
Phase UnicodeString | |
HR UnicodeString | |
DiagnosticsInfo UnicodeString |
Event ID 1007: The Windows Search Service was unable to allocate memory
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString |
Event ID 1008: The Windows Search Service is starting up and attempting to remove the old search index {Reason: Full Index Reset}.
#Fields #
| Name | Description |
|---|---|
ExtraInfo | |
Reason |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Search",
"guid": "{CA4E628D-8567-4896-AB6B-835B221F373F}",
"event_source_name": "Windows Search Service",
"event_id": 1008,
"version": 0,
"level": 3,
"task": 1,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2023-11-06T06:25:47.791114+00:00",
"event_record_id": 1444,
"correlation": {},
"execution": {
"process_id": 5004,
"thread_id": 0
},
"channel": "Application",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"ExtraInfo": "\n",
"Reason": "Full Index Reset"
},
"message": "The Windows Search Service is starting up and attempting to remove the old search index {Reason: Full Index Reset}. \n"
}
Event ID 1008: The Windows Search Service is starting up and attempting to remove the old search index {Reason: Reason}
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString | |
Reason UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Search",
"guid": "{CA4E628D-8567-4896-AB6B-835B221F373F}",
"event_source_name": "",
"event_id": 1008,
"version": 0,
"level": 3,
"task": 1,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2026-04-18T00:27:19.5207507+00:00",
"event_record_id": 14,
"correlation": {},
"execution": {
"process_id": 928,
"thread_id": 0
},
"channel": "Application",
"computer": "WIN11-25H2-X64",
"security": {
"user_id": ""
}
},
"event_data": {
"ExtraInfo": "",
"Reason": "Full Index Reset"
},
"message": "The Windows Search Service is starting up and attempting to remove the old search index {Reason: Full Index Reset}. \n"
}
Event ID 1009: An exception occurred in
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString | |
Address UnicodeString |
Event ID 1010: The Windows Search Service has successfully removed the old search index.
#Fields #
| Name | Description |
|---|---|
ExtraInfo |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Search",
"guid": "{CA4E628D-8567-4896-AB6B-835B221F373F}",
"event_source_name": "Windows Search Service",
"event_id": 1010,
"version": 0,
"level": 4,
"task": 1,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2023-11-06T06:25:47.798155+00:00",
"event_record_id": 1445,
"correlation": {},
"execution": {
"process_id": 5004,
"thread_id": 0
},
"channel": "Application",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"Data": {
"Name": "ExtraInfo",
"Value": "\n"
}
},
"message": "The Windows Search Service has successfully removed the old search index. ExtraInfo"
}
Event ID 1010: The Windows Search Service has successfully removed the old search index
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Search",
"guid": "{CA4E628D-8567-4896-AB6B-835B221F373F}",
"event_source_name": "",
"event_id": 1010,
"version": 0,
"level": 4,
"task": 1,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2026-04-18T00:27:19.5234771+00:00",
"event_record_id": 15,
"correlation": {},
"execution": {
"process_id": 928,
"thread_id": 0
},
"channel": "Application",
"computer": "WIN11-25H2-X64",
"security": {
"user_id": ""
}
},
"event_data": {
"ExtraInfo": ""
},
"message": "The Windows Search Service has successfully removed the old search index. \n"
}
Event ID 1011: The Windows Search Service has failed to remove the old search index
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString | |
Phase UnicodeString | |
HR UnicodeString |
Event ID 1013: Windows Search Service stopped normally.
#Fields #
| Name | Description |
|---|---|
ExtraInfo |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Search",
"guid": "{CA4E628D-8567-4896-AB6B-835B221F373F}",
"event_source_name": "Windows Search Service",
"event_id": 1013,
"version": 0,
"level": 4,
"task": 1,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2023-10-25T22:56:14.357450+00:00",
"event_record_id": 1432,
"correlation": {},
"execution": {
"process_id": 7916,
"thread_id": 0
},
"channel": "Application",
"computer": "WinDevEval",
"security": {
"user_id": ""
}
},
"event_data": {
"Data": {
"Name": "ExtraInfo",
"Value": "\n"
}
},
"message": "Windows Search Service stopped normally.ExtraInfo"
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 1013: Windows Search Service stopped normally
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Search",
"event_id": 1013,
"level": 4,
"task": 1,
"opcode": 0,
"time_created": "2026-05-27T21:12:09.8066660+00:00",
"computer": "DESKTOP-FF3N5XK.ludus.domain",
"channel": "Application"
},
"event_data": {
"ExtraInfo": ""
}
}
Event ID 1014: The Windows Search Service has failed to create one or more path rules
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString | |
DebugInfo UnicodeString |
Event ID 1015: Event ID EventID for the Windows Search Service has been suppressed RepeatCount time(s) since
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString | |
EventID UnicodeString | |
RepeatCount UnicodeString | |
ReferenceTime UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Search",
"guid": "{CA4E628D-8567-4896-AB6B-835B221F373F}",
"event_source_name": "",
"event_id": 1015,
"version": 0,
"level": 3,
"task": 1,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2026-05-30T14:07:06.2189579+00:00",
"event_record_id": 267219,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "JD-DC01-2022.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"ExtraInfo": "",
"EventID": "1013",
"RepeatCount": "121",
"ReferenceTime": "1:07:03 PM"
},
"message": "Event ID 1013 for the Windows Search Service has been suppressed 121 time(s) since 1:07:03 PM. This event is used to suppress Windows Search Service events that have occurred frequently within a short period of time. See Event ID 1013 for further details on this event."
}
Event ID 1016: The Windows Search Service failed to move Index files from OldIndexPath to NewIndexPath with the following error: <Phase,ErrorCode>
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString | |
OldIndexPath UnicodeString | |
NewIndexPath UnicodeString | |
Phase UnicodeString | |
ErrorCode UnicodeString |
Event ID 1017: The Windows Search Service successfully moved index files from OldIndexPath to
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString | |
OldIndexPath UnicodeString | |
NewIndexPath UnicodeString |
Event ID 1018: While rolling back the index, the Windows Search Service encountered the following error: <Phase,ErrorCode>
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString | |
OldIndexPath UnicodeString | |
NewIndexPath UnicodeString | |
Phase UnicodeString | |
ErrorCode UnicodeString |
Event ID 1019: Windows Search Service failed to process the list of included and excluded locations with the error <Phase, ErrorCode, "Path">
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString | |
Phase UnicodeString | |
ErrorCode UnicodeString | |
Path UnicodeString |
Event ID 1044: An error occurred in configuration file <FileName>
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString | |
FileName UnicodeString |
Event ID 1053: The system exception Code occurred, and will be handled
#Fields #
| Name | Description |
|---|---|
Code UnicodeString | |
StackTrace UnicodeString |
Event ID 3006: Performance monitoring cannot be initialized for the gatherer service, because the counters are not loaded or the shared memory object cannot be opened
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString |
Event ID 3007: Performance monitoring cannot be initialized for the gatherer object, because the counters are not loaded or the shared memory object cannot be opened
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString |
Event ID 3008: The entry <Entry> cannot be inserted into the history
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString | |
Entry UnicodeString |
Event ID 3009: The transaction object cannot be created
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString |
Event ID 3010: The transaction cannot be appended to the queue
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString | |
FilePath UnicodeString |
Event ID 3011: The transaction cannot be updated in the queue
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString | |
FilePath UnicodeString |
Event ID 3013: The entry <Entry> in the hash map cannot be updated
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString | |
Entry UnicodeString |
Event ID 3020: Internal gatherer error ErrorCode occurred
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString | |
ErrorCode UnicodeString |
Event ID 3023: The update cannot be started because all of the content sources were excluded by site path rules, or removed from the index configuration
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString |
Event ID 3024: The update cannot be started because the content sources cannot be accessed
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString |
Event ID 3025: Critical error ErrorCode occurred, and the index was shut down
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString | |
ErrorCode UnicodeString |
Event ID 3027: The URL <URL> cannot be crawled
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString | |
URL UnicodeString |
Event ID 3028: The gatherer object cannot be initialized
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString |
Event ID 3029: The plug-in in <Plugin> cannot be initialized
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString | |
Plugin UnicodeString |
Event ID 3030: The gatherer service cannot be initialized
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString |
Event ID 3034: The registry version does not match with the expected <ExpectedVersion>, or the registry cannot be accessed because the service account does not have the correct permissions
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString | |
ExpectedVersion UnicodeString |
Event ID 3036: Crawl could not be completed on content source <URL>
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString | |
URL UnicodeString |
Event ID 3037: Crawl could not be started on content source <URL>
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString | |
URL UnicodeString |
Event ID 3038: The gatherer is unable to read the registry
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString | |
RegPath UnicodeString |
Event ID 3039: A request to start the update has been ignored because the update is already in progress or is scheduled on one or more content sources
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString |
Event ID 3040: The status change request RequestedStatusMessage cannot be processed
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString | |
RequestedStatusMessage UnicodeString |
Event ID 3045: The automatic description length was adjusted from OldLength to
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString | |
OldLength UnicodeString | |
NewLength UnicodeString |
Event ID 3046: The update for the index cannot be started because the specified content sources were not configured for updates
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString |
Event ID 3048: No documents were accessed because no e-mail address is specified in the content index server properties
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString |
Event ID 3050: Unvisited items cannot be deleted from the history after a full update
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString |
Event ID 3053: The previous update was reset, or was otherwise interrupted
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString |
Event ID 3054: The update has been delayed because a disk is full
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString |
Event ID 3055: The gatherer property mapping file cannot be opened
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString |
Event ID 3056: The automatic description encoding tag value is invalid
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString |
Event ID 3057: The plug-in manager <PluginManager> cannot be initialized
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString | |
PluginManager UnicodeString |
Event ID 3060: An update cannot begin because the content source <URL> is in use by another update already in progress
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString | |
URL UnicodeString |
Event ID 3062: The word breaker for language <Locale> cannot be loaded
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString | |
Locale UnicodeString |
Event ID 3072: The gatherer is recovering after an improper shutdown
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString |
Event ID 3073: The gatherer detected pages in the history during recovery that cannot be read, and repaired them
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString |
Event ID 3078: The Windows Search service stopped the Protocol Host process because it was consuming too many resources
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString |
Event ID 3079: Notifications for the volume VolumeName are not active
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString | |
VolumeName UnicodeString |
Event ID 3083: The protocol handler ProtocolHandler cannot be loaded
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString | |
ProtocolHandler UnicodeString | |
ErrorMessage UnicodeString |
Event ID 3084: Failed to load protocol handler
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString | |
ProtocolHandler UnicodeString | |
ErrorMessage UnicodeString |
Event ID 3085: The application network access account is invalid
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString |
Event ID 3087: The gatherer files cannot be flushed, and this action cannot be completed
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString |
Event ID 3088: The checkpoint record cannot be updated, and this action cannot be completed
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString |
Event ID 3089: The gatherer files cannot be saved, and this action cannot be completed
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString |
Event ID 3090: The gatherer files from the previous checkpoint cannot be restored, and this action cannot be completed
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString |
Event ID 3091: The checkpoint record cannot be read, and this action cannot be completed
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString |
Event ID 3092: The project cannot be initialized, because the checkpoint record cannot be read
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString |
Event ID 3093: The project cannot be initialized, because one of the checkpoint files is missing
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString |
Event ID 3095: The group Domain\Account contains Users members
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString | |
Domain UnicodeString | |
Account UnicodeString | |
Users UnicodeString | |
MaxUsers UnicodeString |
Event ID 3096: The local groups cache was flushed, because
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString | |
Reason UnicodeString |
Event ID 3097: The gatherer did not connect to the SQLServer instance
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString |
Event ID 3099: Unable to terminate notifications normally
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString |
Event ID 3100: Unable to initialize the filter host process
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString |
Event ID 3101: The filter host process could not be terminated
#Event ID 4103: ExtraInfoA master merge has completed for catalog
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString | |
CatalogName UnicodeString |
Event ID 4104: ExtraInfoA master merge has been paused for catalog CatalogName due to error
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString | |
CatalogName UnicodeString | |
ErrorMessage UnicodeString |
Event ID 4105: ExtraInfoA master merge cannot be started for catalog CatalogName due to error
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString | |
CatalogName UnicodeString | |
ErrorMessage UnicodeString |
Event ID 4106: ExtraInfoA master merge cannot be re-started for catalog CatalogName due to error
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString | |
CatalogName UnicodeString | |
ErrorMessage UnicodeString |
Event ID 4121: ExtraInfoA master merge has restarted for catalog
#Fields #
| Name | Description |
|---|---|
ExtraInfo | |
CatalogName |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Search",
"guid": "{CA4E628D-8567-4896-AB6B-835B221F373F}",
"event_source_name": "Windows Search Service",
"event_id": 4121,
"version": 0,
"level": 4,
"task": 1,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2014-11-26T23:22:14.000000Z",
"event_record_id": 1157,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "IE10Win7",
"security": {
"user_id": ""
}
},
"event_data": {
"ExtraInfo": "\n",
"CatalogName": "SystemIndex"
}
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4121: ExtraInfoA master merge has restarted for catalog
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString | |
CatalogName UnicodeString |
Event ID 4138: An index corruption was detected in component Component in catalog
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString | |
Component UnicodeString | |
CatalogName UnicodeString |
Event ID 4163: ExtraInfoA master merge has been paused for catalog CatalogName due to low disk space
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString | |
CatalogName UnicodeString |
Event ID 4164: ExtraInfoCatalog:
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString | |
CatalogName UnicodeString |
Event ID 4165: ExtraInfoCatalog:
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString | |
CatalogName UnicodeString | |
IndexesPerMergeLevel UnicodeString | |
__binLength UInt32 | |
binary Binary |
Event ID 4166: ExtraInfoCatalog:
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString | |
CatalogName UnicodeString | |
ExpectedDocCount UnicodeString | |
__binLength UInt32 | |
binary Binary |
Event ID 4167: ExtraInfoCatalog:
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString | |
CatalogName UnicodeString | |
MasterMergeReason UnicodeString | |
__binLength UInt32 | |
binary Binary |
Event ID 4168: ExtraInfo Unable to create the query engine's first request item due to error
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString | |
ErrorMessage UnicodeString | |
__binLength UInt32 | |
binary Binary |
Event ID 4169: Error ID Phase happened in Windows Search recovery stage, please restart the service
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString | |
Phase UnicodeString |
Event ID 7001: The schema file <SrcFile> cannot be copied to <DstFile>
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString | |
SrcFile UnicodeString | |
DstFile UnicodeString |
Event ID 7010: The index cannot be initialized
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Search",
"guid": "{CA4E628D-8567-4896-AB6B-835B221F373F}",
"event_source_name": "",
"event_id": 7010,
"version": 0,
"level": 2,
"task": 3,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2026-05-30T14:07:09.1120688+00:00",
"event_record_id": 267229,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "JD-DC01-2022.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"ExtraInfo": "\n\nDetails:\n\t0x%08x (0x80040d06 - The specified object cannot be found. Specify the name of an existing object. (HRESULT : 0x80040d06))\n"
},
"message": "The index cannot be initialized.\n\nDetails:\n\t0x%08x (0x80040d06 - The specified object cannot be found. Specify the name of an existing object. (HRESULT : 0x80040d06))\n"
}
Event ID 7011: Directory location <Directory> is invalid
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString | |
Directory UnicodeString |
Event ID 7013: The update was paused because the disk <Directory> is full
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString | |
Directory UnicodeString |
Event ID 7040: The search service has detected corrupted data files in the index {id=CorruptionId}
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString | |
CorruptionId UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Search",
"guid": "{CA4E628D-8567-4896-AB6B-835B221F373F}",
"event_source_name": "",
"event_id": 7040,
"version": 0,
"level": 2,
"task": 1,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2026-05-30T14:07:06.4539724+00:00",
"event_record_id": 267224,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "JD-DC01-2022.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"ExtraInfo": "\n\nDetails:\n\t 0x8e5e01f5 (0x8e5e01f5)\n",
"CorruptionId": "4810 - onecoreuap\\base\\appmodel\\search\\tquery\\fteutil\\jetutil.cpp (272)"
},
"message": "The search service has detected corrupted data files in the index {id=4810 - onecoreuap\\base\\appmodel\\search\\tquery\\fteutil\\jetutil.cpp (272)}. The service will attempt to automatically correct this problem by rebuilding the index.\n\nDetails:\n\t 0x8e5e01f5 (0x8e5e01f5)\n"
}
Event ID 7042: The Windows Search Service is being stopped because there is a problem with the indexer:
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString | |
Reason UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Search",
"guid": "{CA4E628D-8567-4896-AB6B-835B221F373F}",
"event_source_name": "",
"event_id": 7042,
"version": 0,
"level": 2,
"task": 1,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2026-05-30T14:07:06.9226730+00:00",
"event_record_id": 267227,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "JD-DC01-2022.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"ExtraInfo": "\n\nDetails:\n\tThe content index catalog is corrupt. 0xc0041801 (0xc0041801)\n",
"Reason": "The catalog is corrupt"
},
"message": "The Windows Search Service is being stopped because there is a problem with the indexer: The catalog is corrupt.\n\nDetails:\n\tThe content index catalog is corrupt. 0xc0041801 (0xc0041801)\n"
}
Event ID 7064: Performance monitoring cannot be initialized because the counters are not loaded or the shared memory object cannot be opened
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString |
Event ID 7066: Configuration directory Directory is missing, and disaster recovery must be performed
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString | |
Directory UnicodeString |
Event ID 7068: The registry cannot be read, possibly because the registry keys for this index are missing
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString |
Event ID 7070: The Windows Search Service added catalog
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString |
Event ID 7071: The Windows Search Service removed index
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString |
Event ID 9000: The Windows Search Service cannot open the Jet property store
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString |
Event ID 9001: The Windows Search Service cannot create a Jet property store
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString |
Event ID 9002: The Windows Search Service cannot load the property store information
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString |
Event ID 9003: The Windows Search Service cannot initialize multi-instancing in Jet
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString |
Event ID 10014: The noise file "OldNoiseFile"" cannot be renamed to ""NewNoiseFile""
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString | |
OldNoiseFile UnicodeString | |
NewNoiseFile UnicodeString |
Event ID 10020: Performance Counters could not be loaded for Driver for instance InstanceName InstanceNum due to the following error:
#Fields #
| Name | Description |
|---|---|
Driver UnicodeString | |
InstanceName UnicodeString | |
InstanceNum UnicodeString | |
ErrorMessage UnicodeString |
Event ID 10021: Could not get performance counter registry info for Driver for instance InstanceName InstanceNum due to the following error:
#Fields #
| Name | Description |
|---|---|
Driver UnicodeString | |
InstanceName UnicodeString | |
InstanceNum UnicodeString | |
ErrorMessage UnicodeString |
Event ID 10022: Performance counters will not be loaded because the named objects (shared memory or events) are in use for Driver for instance InstanceName
#Fields #
| Name | Description |
|---|---|
Driver UnicodeString | |
InstanceName UnicodeString | |
InstanceNum UnicodeString |
Event ID 10023: The protocol host process ProtocolHostProcessID did not respond and is being forcibly terminated {filter host process FilterHostProcessID}
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString | |
ProtocolHostProcessID UnicodeString | |
FilterHostProcessID UnicodeString |
Event ID 10024: The filter host process FilterHostProcessID did not respond and is being forcibly terminated
#Fields #
| Name | Description |
|---|---|
ExtraInfo | |
FilterHostProcessID |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Search",
"guid": "{CA4E628D-8567-4896-AB6B-835B221F373F}",
"event_source_name": "Windows Search Service",
"event_id": 10024,
"version": 0,
"level": 3,
"task": 3,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2014-11-25T22:48:11.000000Z",
"event_record_id": 1044,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "IE8Win7",
"security": {
"user_id": ""
}
},
"event_data": {
"ExtraInfo": "\n",
"FilterHostProcessID": "4008"
}
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 10024: The filter host process FilterHostProcessID did not respond and is being forcibly terminated
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString | |
FilterHostProcessID UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Search",
"event_id": 10024,
"level": 3,
"task": 3,
"opcode": 0,
"time_created": "2026-05-27T20:09:27.3577890+00:00",
"computer": "DESKTOP-FF3N5XK.ludus.domain",
"channel": "Application"
},
"event_data": {
"FilterHostProcessID": "7144",
"ExtraInfo": ""
}
}
Event ID 10025: The search service has failed to create database instance for the index {ExtraInfo} due to maximum number of instance reached
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString |
Event ID 10026: The search service has failed to configure maximum number of database instance
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString |
Event ID 10027: The search service has failed to create or load catalog for an user with SID {SID}
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString | |
SID UnicodeString |
Event ID 10028: The search service has failed to unload catalog for an user with SID {SID}
#Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString | |
SID UnicodeString |
Event ID 1073742827: The Windows Search Service started.
#Description
The Windows Search Service started.ExtraInfo.
Message #
Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString | The Windows Search Service started. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Search",
"event_id": 1003,
"level": 4,
"task": 1,
"opcode": 0,
"time_created": "2026-05-27T21:12:13.3924551+00:00",
"computer": "DESKTOP-FF3N5XK.ludus.domain",
"channel": "Application"
},
"event_data": {
"ExtraInfo": ""
}
}
Event ID 1073742828: The Windows Search service is creating the new search index {Reason: Reason}.
#Description
The Windows Search service is creating the new search index {Reason: Reason}. ExtraInfo.
Message #
Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString | |
Reason UnicodeString | The Windows Search service is creating the new search index {Reason |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Search",
"event_id": 1004,
"level": 4,
"task": 1,
"opcode": 0,
"time_created": "2026-04-18T00:27:20.5494469+00:00",
"computer": "WIN11-25H2-X64",
"channel": "Application"
},
"event_data": {
"Reason": "Full Index Reset",
"ExtraInfo": ""
}
}
Event ID 1073742829: The Windows Search Service has successfully created the new search index.
#Description
The Windows Search Service has successfully created the new search index. ExtraInfo.
Message #
Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString | The Windows Search Service has successfully created the new search index. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Search",
"event_id": 1005,
"level": 4,
"task": 1,
"opcode": 0,
"time_created": "2026-04-18T00:27:20.6255220+00:00",
"computer": "WIN11-25H2-X64",
"channel": "Application"
},
"event_data": {
"ExtraInfo": ""
}
}
Event ID 1073742834: The Windows Search Service has successfully removed the old search index.
#Description
The Windows Search Service has successfully removed the old search index. ExtraInfo.
Message #
Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Search",
"event_id": 1010,
"level": 4,
"task": 1,
"opcode": 0,
"time_created": "2026-04-18T00:27:19.5234771+00:00",
"computer": "WIN11-25H2-X64",
"channel": "Application"
},
"event_data": {
"ExtraInfo": ""
}
}
Event ID 1073742837: Windows Search Service stopped normally.
#Description
Windows Search Service stopped normally.ExtraInfo.
Message #
Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Search",
"event_id": 1013,
"level": 4,
"task": 1,
"opcode": 0,
"time_created": "2026-05-27T21:12:09.8066660+00:00",
"computer": "DESKTOP-FF3N5XK.ludus.domain",
"channel": "Application"
},
"event_data": {
"ExtraInfo": ""
}
}
Event ID 1073742841: The Windows Search Service successfully moved index files from OldIndexPath to NewIndexPath.
#Event ID 1073744865: The index is being reset.
#Event ID 1073744868: The gatherer index resumed.
#Event ID 1073744876: The crawl was requested to be stopped.
#Event ID 1073744884: An update cannot begin because the content source <.
#Event ID 1073744919: The group Domain\Account contains Users members.
#Event ID 1073744920: The local groups cache was flushed, because Reason.
#Event ID 1073745927: ExtraInfoA master merge has completed for catalog CatalogName.
#Event ID 1073745928: ExtraInfoA master merge has been paused for catalog CatalogName due to error ErrorMessage.
#Event ID 1073745945: ExtraInfoA master merge has restarted for catalog CatalogName.
#Event ID 1073745962: An index corruption was detected in component Component in catalog CatalogName.
#Event ID 1073745987: ExtraInfoA master merge has been paused for catalog CatalogName due to low disk space.
#Event ID 1073745988: 1CatalogCatalog: ExtraInfo.
#Event ID 1073745989: 1CatalogCatalog: ExtraInfo.
#Event ID 1073745990: 1CatalogCatalog: ExtraInfo.
#Event ID 1073745991: 1CatalogCatalog: ExtraInfo.
#Event ID 1073748866: The Windows Search Service is being stopped because there is a problem with the indexer: Reason.
#Event ID 2147484656: The Windows Search Service is starting up and attempting to remove the old search index {Reason: Reason}.
#Description
The Windows Search Service is starting up and attempting to remove the old search index {Reason: Reason}. ExtraInfo.
Message #
Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString | |
Reason UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Search",
"event_id": 1008,
"level": 3,
"task": 1,
"opcode": 0,
"time_created": "2026-04-18T00:27:19.5207507+00:00",
"computer": "WIN11-25H2-X64",
"channel": "Application"
},
"event_data": {
"Reason": "Full Index Reset",
"ExtraInfo": ""
}
}
Event ID 2147484662: The Windows Search Service has failed to create one or more path rules.
#Event ID 2147484663: Event ID EventID for the Windows Search Service has been suppressed RepeatCount time(s) since ReferenceTime.
#Description
Event ID EventID for the Windows Search Service has been suppressed RepeatCount time(s) since ReferenceTime. This event is used to suppress Windows Search Service events that have occurred frequently within a short period of time. See Event ID EventID for further details on this event.ExtraInfo
Message #
Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString | |
EventID UnicodeString | |
RepeatCount UnicodeString | |
ReferenceTime UnicodeString |
Event ID 2147484666: While rolling back the index, the Windows Search Service encountered the following error: <Phase,ErrorCode>.
#Description
While rolling back the index, the Windows Search Service encountered the following error: <Phase,ErrorCode>. Index files were not moved from OldIndexPath to NewIndexPath. ExtraInfo.
Message #
Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString | |
OldIndexPath UnicodeString | |
NewIndexPath UnicodeString | |
Phase UnicodeString | |
ErrorCode UnicodeString |
Event ID 2147484692: An error occurred in configuration file <FileName>.
#Event ID 2147484701: The system exception Code occurred, and will be handled.
#Event ID 2147486671: The update cannot be started because all of the content sources were excluded by site path rules, or removed from the index configuration.
#Event ID 2147486672: The update cannot be started because the content sources cannot be accessed.
#Event ID 2147486684: Crawl could not be completed on content source <URL>.
#Event ID 2147486685: Crawl could not be started on content source <URL>.
#Event ID 2147486686: The gatherer is unable to read the registry RegPath.
#Event ID 2147486687: A request to start the update has been ignored because the update is already in progress or is scheduled on one or more content sources.
#Event ID 2147486690: The index was paused.
#Event ID 2147486693: The automatic description length was adjusted from OldLength to NewLength.
#Event ID 2147486694: The update for the index cannot be started because the specified content sources were not configured for updates.
#Event ID 2147486701: The previous update was reset, or was otherwise interrupted.
#Event ID 2147486702: The update has been delayed because a disk is full.
#Description
The update has been delayed because a disk is full. Check the system default temp location and the drive on which search catalog is created. The system default temp location is used for creation of temporary files during crawling. If it is full, crawling pauses. If the system default temp location is full, change the location to a disk with more free space and restart the computer. Changes to the system temp location do not take effect for system services until the computer is restarted.ExtraInfo
Message #
Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString |
Event ID 2147486703: The gatherer property mapping file cannot be opened.
#Event ID 2147486704: The automatic description encoding tag value is invalid.
#Event ID 2147486709: The gatherer log cannot be created.
#Event ID 2147486710: The word breaker for language <Locale> cannot be loaded.
#Event ID 2147486720: The gatherer is recovering after an improper shutdown.
#Event ID 2147486721: The gatherer detected pages in the history during recovery that cannot be read, and repaired them.
#Description
The gatherer detected pages in the history during recovery that cannot be read, and repaired them. However, statistical data for some URLs may have been lost. This can be caused by restarting a computer without first shutting down Windows, or by disk failure.ExtraInfo
Message #
Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString |
Event ID 2147486726: The Windows Search service stopped the Protocol Host process because it was consuming too many resources.
#Event ID 2147486734: The system locale has changed.
#Event ID 2147487816: ExtraInfo Unable to create the query engine's first request item due to error ErrorMessage.
#Event ID 2147487817: Error ID Phase happened in Windows Search recovery stage, please restart the service.
#Event ID 2147492651: The Windows Search Service cannot initialize multi-instancing in Jet.
#Event ID 2147493661: The noise files cannot be renamed.
#Event ID 2147493662: The noise file "OldNoiseFile"" cannot be renamed to ""NewNoiseFile"".
#Event ID 2147493668: Performance Counters could not be loaded for Driver for instance InstanceName InstanceNum due to the following error: ErrorMessage.
#Event ID 2147493669: Could not get performance counter registry info for Driver for instance InstanceName InstanceNum due to the following error: ErrorMessage.
#Event ID 2147493670: Performance counters will not be loaded because the named objects (shared memory or events) are in use for Driver for instance InstanceName InstanceNum.
#Event ID 2147493671: The protocol host process ProtocolHostProcessID did not respond and is being forcibly terminated {filter host process FilterHostProcessID}.
#Event ID 2147493672: The filter host process FilterHostProcessID did not respond and is being forcibly terminated.
#Description
The filter host process FilterHostProcessID did not respond and is being forcibly terminated. ExtraInfo.
Message #
Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString | |
FilterHostProcessID UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Search",
"event_id": 10024,
"level": 3,
"task": 3,
"opcode": 0,
"time_created": "2026-05-27T20:09:27.3577890+00:00",
"computer": "DESKTOP-FF3N5XK.ludus.domain",
"channel": "Application"
},
"event_data": {
"FilterHostProcessID": "7144",
"ExtraInfo": ""
}
}
Event ID 2147493673: The search service has failed to create database instance for the index {ExtraInfo} due to maximum number of instance reached.
#Event ID 2147493674: The search service has failed to configure maximum number of database instance.
#Event ID 2147493675: The search service has failed to create or load catalog for an user with SID {.
#Description
The search service has failed to create or load catalog for an user with SID {SID}. Please inspect a profile directory for the user is accessible. You should re-start the search service after fixing any issue found from the profile directory. ExtraInfo
Message #
Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString | |
SID UnicodeString |
Event ID 2147493676: The search service has failed to unload catalog for an user with SID {SID}.
#Event ID 3221226478: The Windows Search Service has failed to create the new search index.
#Event ID 3221226479: The Windows Search Service was unable to allocate memory.
#Event ID 3221226481: An exception occurred in Address.
#Event ID 3221226483: The Windows Search Service has failed to remove the old search index.
#Event ID 3221226488: The Windows Search Service failed to move Index files from OldIndexPath to NewIndexPath with the following error: <Phase,ErrorCode>.
#Description
The Windows Search Service failed to move Index files from OldIndexPath to NewIndexPath with the following error: <Phase,ErrorCode>. This might be because the target directory is not empty, or because the SYSTEM account doesn't have write access to the target directory. ExtraInfo
Message #
Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString | |
OldIndexPath UnicodeString | |
NewIndexPath UnicodeString | |
Phase UnicodeString | |
ErrorCode UnicodeString |
Event ID 3221226491: Windows Search Service failed to process the list of included and excluded locations with the error <Phase, ErrorCode, "Path">.
#Event ID 3221228475: A configuration error occurred.
#Event ID 3221228478: Performance monitoring cannot be initialized for the gatherer service, because the counters are not loaded or the shared memory object cannot be op...
#Description
Performance monitoring cannot be initialized for the gatherer service, because the counters are not loaded or the shared memory object cannot be opened. This only affects availability of the perfmon counters. Restart the computer.ExtraInfo
Message #
Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString |
Event ID 3221228479: Performance monitoring cannot be initialized for the gatherer object, because the counters are not loaded or the shared memory object cannot be ope...
#Description
Performance monitoring cannot be initialized for the gatherer object, because the counters are not loaded or the shared memory object cannot be opened. This only affects availability of the perfmon counters. Restart the computer.ExtraInfo
Message #
Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString |
Event ID 3221228480: The entry <Entry> cannot be inserted into the history.
#Event ID 3221228481: The transaction object cannot be created.
#Event ID 3221228482: The transaction cannot be appended to the queue.
#Event ID 3221228483: The transaction cannot be updated in the queue.
#Event ID 3221228485: The entry <Entry> in the hash map cannot be updated.
#Event ID 3221228486: An exception occurred.
#Description
An exception occurred. ID: ID. This is an internal error. Reproduce the error with the debugger attached and enable exceptions, then contact product support. One of the components loaded in your system is bad. You may be able to avoid the problem by recreating the index.ExtraInfo
Message #
Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString | |
ID UnicodeString |
Event ID 3221228487: The transaction file cannot be read.
#Event ID 3221228492: Internal gatherer error ErrorCode occurred.
#Event ID 3221228497: Critical error ErrorCode occurred, and the index was shut down.
#Event ID 3221228498: Advise Status Change failed.
#Event ID 3221228499: The URL <URL> cannot be crawled.
#Event ID 3221228500: The gatherer object cannot be initialized.
#Event ID 3221228501: The plug-in in <Plugin> cannot be initialized.
#Event ID 3221228502: The gatherer service cannot be initialized.
#Event ID 3221228503: A document ID cannot be allocated.
#Event ID 3221228504: A document ID cannot be freed.
#Event ID 3221228505: A new queue file cannot be created.
#Event ID 3221228506: The registry version does not match with the expected <.
#Description
The registry version does not match with the expected <ExpectedVersion>, or the registry cannot be accessed because the service account does not have the correct permissions. Uninstall the previous version before installing the new one.ExtraInfo
Message #
Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString | |
ExpectedVersion UnicodeString |
Event ID 3221228512: The status change request RequestedStatusMessage cannot be processed.
#Event ID 3221228520: No documents were accessed because no e-mail address is specified in the content index server properties.
#Event ID 3221228522: Unvisited items cannot be deleted from the history after a full update.
#Event ID 3221228529: The plug-in manager <PluginManager> cannot be initialized.
#Event ID 3221228530: The application cannot be initialized.
#Event ID 3221228531: The update cannot be initialized.
#Event ID 3221228551: Notifications for the volume VolumeName are not active.
#Event ID 3221228555: The protocol handler ProtocolHandler cannot be loaded.
#Event ID 3221228556: Failed to load protocol handler ProtocolHandler.
#Event ID 3221228557: The application network access account is invalid.
#Event ID 3221228559: The gatherer files cannot be flushed, and this action cannot be completed.
#Description
The gatherer files cannot be flushed, and this action cannot be completed. The gatherer will attempt to flush files again. If the problem persists, restart the service, free system resources or verify that your hardware is working properly. ExtraInfo
Message #
Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString |
Event ID 3221228560: The checkpoint record cannot be updated, and this action cannot be completed.
#Description
The checkpoint record cannot be updated, and this action cannot be completed. The gatherer will attempt to update the checkpoint record again. If the problem persists, restart the service, free system resources or verify that your hardware is working properly. ExtraInfo
Message #
Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString |
Event ID 3221228561: The gatherer files cannot be saved, and this action cannot be completed.
#Description
The gatherer files cannot be saved, and this action cannot be completed. The gatherer will attempt to save the files again. If the problem persists, restart the service, free system resources or verify that your hardware is working properly. ExtraInfo
Message #
Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString |
Event ID 3221228562: The gatherer files from the previous checkpoint cannot be restored, and this action cannot be completed.
#Description
The gatherer files from the previous checkpoint cannot be restored, and this action cannot be completed. The gatherer will attempt to restore the files again. If the problem persists, restart the service, free system resources or verify that your hardware is working properly. ExtraInfo
Message #
Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString |
Event ID 3221228563: The checkpoint record cannot be read, and this action cannot be completed.
#Event ID 3221228564: The project cannot be initialized, because the checkpoint record cannot be read.
#Event ID 3221228565: The project cannot be initialized, because one of the checkpoint files is missing.
#Description
The project cannot be initialized, because one of the checkpoint files is missing. The data structures on the disk will be reset. Check to see if someone is manually deleting files, and verify that your hardware is working properly. ExtraInfo
Message #
Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString |
Event ID 3221228569: The gatherer did not connect to the SQLServer instance.
#Event ID 3221228571: Unable to terminate notifications normally.
#Event ID 3221228572: Unable to initialize the filter host process.
#Event ID 3221228573: The filter host process could not be terminated.
#Description
The filter host process could not be terminated.
Message #
Event ID 3221229577: ExtraInfoA master merge cannot be started for catalog CatalogName due to error ErrorMessage.
#Event ID 3221229578: ExtraInfoA master merge cannot be re-started for catalog CatalogName due to error ErrorMessage.
#Event ID 3221232473: The schema file <SrcFile> cannot be copied to <DstFile>.
#Event ID 3221232482: The index cannot be initialized.
#Event ID 3221232483: Directory location <Directory> is invalid.
#Event ID 3221232485: The update was paused because the disk <Directory> is full.
#Event ID 3221232512: The search service has detected corrupted data files in the index {id=CorruptionId}.
#Event ID 3221232515: The index cannot be loaded.
#Event ID 3221232536: Performance monitoring cannot be initialized because the counters are not loaded or the shared memory object cannot be opened.
#Event ID 3221232538: Configuration directory Directory is missing, and disaster recovery must be performed.
#Description
Configuration directory Directory is missing, and disaster recovery must be performed. If there are existing indexes, they must be restored from the last backup. If there is no backup of index data, then delete the catalogs and recreate them.ExtraInfo
Message #
Fields #
| Name | Description |
|---|---|
ExtraInfo UnicodeString | |
Directory UnicodeString |
Event ID 3221232540: The registry cannot be read, possibly because the registry keys for this index are missing.
#Event ID 3221232542: The Windows Search Service added catalog ExtraInfo.
#Event ID 3221232543: The Windows Search Service removed index ExtraInfo.
#Event ID 3221234472: The Windows Search Service cannot open the Jet property store.
#Event ID 3221234473: The Windows Search Service cannot create a Jet property store.
#Event ID 3221234474: The Windows Search Service cannot load the property store information.
#Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID ca4e628d-8567-4896-ab6b-835b221f373f
Defined in tquery.dll, which carries the event manifest.
Observed on:
- WS2022-20348.4893, schema read from the registered manifest, binary version 7.0.20348.2849, captured 2026-06-02
- Win11-26200.6584, schema read from the registered manifest, binary version 7.0.26100.4946, captured 2026-06-02