Microsoft-Windows-SecurityMitigationsBroker

30 events across 3 channels

Event	Title	Channel	Sample
1001	SecurityMitigationsBroker.Task.NotifyDisplayDriverUpdateStart	Perf	N
1002	SecurityMitigationsBroker.Task.NotifyDisplayDriverUpdateStop	Perf	N
1003	Failed to get the COM call context.	Operational	N
1004	Failed to get the calling process information.	Operational	N
1005	Failed to get the DX adapter driver capabilities.	Operational	N
1006	ACG status of the DX adapter driver, AdapterId=DriverId, capability=ACGState.	Admin	N
1007	Failed to get the mitigation status of the calling proces.	Operational	N
1008	Failed to set the mitigation status of the calling proces.	Operational	N
1009	Calling process ACG status, AdapterId=DriverId, ProcessId=ProcessId, ACG …	Admin	N
1010	Calling process is in ACG telemetry mode.	Admin	N
1011	Calling process is not in an AppContainer.	Admin	N
1012	Failed to adjust the calling process ACG status for the reported DX adapter …	Operational	N
1013	Finished applying the security protection policies for the reported DX adapter …	Admin	N
1014	Calling process does not have ACG turned on.	Admin	N
1015	ACG will be turned off for the calling process due to unsupportive DX adapter …	Admin	N
1016	Failed to create the DX object factory.	Operational	N
1017	Failed to enumerate the DX adapters.	Operational	N
1018	Failed to query the descriptor for the adapter id.	Operational	N
1019	Enumerated a DX adapter.	Admin	N
1020	Calling process uses the software rendering adapter.	Admin	N
1021	Failed to query the IDXGIAdapter2 interface from the enumerated adapter.	Operational	N
1022	Encountered a DX adapter that does not support ACG.	Admin	N
1023	Forced ACG on the DX Adapter which uses a WDDM 2.	Admin	N
1024	Calling process does not allow remote ACG downgrade.	Admin	N
1025	Remote downgrade is disabled through settings.	Admin	N
1026	Non-primary adapter ID is supplied.	Admin	N
1027	Remote downgrade is rejected since software rendering only policy is set.	Admin	N
1028	SecurityMitigationsBroker.Task.DisableAcgEnforcementStart	Perf	N
1029	SecurityMitigationsBroker.Task.DisableAcgEnforcementStop	Perf	N
1030	DisableAcgEnforcement is not enabled on current architecture.	Admin	N

Event ID 1001: SecurityMitigationsBroker.Task.NotifyDisplayDriverUpdateStart

Provider: Microsoft-Windows-SecurityMitigationsBroker
Channel: Perf
Task: SecurityMitigationsBroker.Task.NotifyDisplayDriverUpdate
Opcode: Start

Event ID 1002: SecurityMitigationsBroker.Task.NotifyDisplayDriverUpdateStop

Provider: Microsoft-Windows-SecurityMitigationsBroker
Channel: Perf
Task: SecurityMitigationsBroker.Task.NotifyDisplayDriverUpdate
Opcode: Stop

Event ID 1003: Failed to get the COM call context.

Provider: Microsoft-Windows-SecurityMitigationsBroker
Channel: Operational
Task: SecurityMitigationsBroker.Task.NotifyDisplayDriverUpdate

Description

Failed to get the COM call context. AdapterId=DriverId, ErrorCode=ErrorCode.

Message #

Failed to get the COM call context. AdapterId=%1, ErrorCode=%2

Fields #

Name	Description
`DriverId` UInt64
`ErrorCode` UInt32

Event ID 1004: Failed to get the calling process information.

Provider: Microsoft-Windows-SecurityMitigationsBroker
Channel: Operational
Task: SecurityMitigationsBroker.Task.NotifyDisplayDriverUpdate

Description

Failed to get the calling process information. AdapterId=DriverId, ErrorCode=ErrorCode.

Message #

Failed to get the calling process information. AdapterId=%1, ErrorCode=%2

Fields #

Name	Description
`DriverId` UInt64
`ErrorCode` UInt32

Event ID 1005: Failed to get the DX adapter driver capabilities.

Provider: Microsoft-Windows-SecurityMitigationsBroker
Channel: Operational
Task: SecurityMitigationsBroker.Task.NotifyDisplayDriverUpdate

Description

Failed to get the DX adapter driver capabilities. AdapterId=DriverId, ErrorCode=ErrorCode.

Message #

Failed to get the DX adapter driver capabilities. AdapterId=%1, ErrorCode=%2

Fields #

Name	Description
`DriverId` UInt64
`ErrorCode` UInt32

Event ID 1006: ACG status of the DX adapter driver, AdapterId=DriverId, capability=ACGState.

Provider: Microsoft-Windows-SecurityMitigationsBroker
Channel: Admin
Task: SecurityMitigationsBroker.Task.NotifyDisplayDriverUpdate

Description

ACG status of the DX adapter driver, AdapterId=DriverId, capability=ACGState.

Message #

ACG status of the DX adapter driver, AdapterId=%1, capability=%2

Fields #

Name	Description
`DriverId` UInt64
`ACGState` UInt32

Event ID 1007: Failed to get the mitigation status of the calling proces.

Provider: Microsoft-Windows-SecurityMitigationsBroker
Channel: Operational
Task: SecurityMitigationsBroker.Task.NotifyDisplayDriverUpdate

Description

Failed to get the mitigation status of the calling proces. AdapterId=DriverId, ProcessId=ProcessId, ErrorCode=ErrorCode.

Message #

Failed to get the mitigation status of the calling proces. AdapterId=%1, ProcessId=%2, ErrorCode=%3

Fields #

Name	Description
`DriverId` UInt64
`ProcessId` UInt32
`ErrorCode` UInt32

Event ID 1008: Failed to set the mitigation status of the calling proces.

Provider: Microsoft-Windows-SecurityMitigationsBroker
Channel: Operational
Task: SecurityMitigationsBroker.Task.NotifyDisplayDriverUpdate

Description

Failed to set the mitigation status of the calling proces. AdapterId=DriverId, ProcessId=ProcessId, ErrorCode=ErrorCode.

Message #

Failed to set the mitigation status of the calling proces. AdapterId=%1, ProcessId=%2, ErrorCode=%3

Fields #

Name	Description
`DriverId` UInt64
`ProcessId` UInt32
`ErrorCode` UInt32

Event ID 1009: Calling process ACG status, AdapterId=DriverId, ProcessId=ProcessId, ACG status=ACGState.

Provider: Microsoft-Windows-SecurityMitigationsBroker
Channel: Admin
Task: SecurityMitigationsBroker.Task.NotifyDisplayDriverUpdate

Description

Calling process ACG status, AdapterId=DriverId, ProcessId=ProcessId, ACG status=ACGState.

Message #

Calling process ACG status, AdapterId=%1, ProcessId=%2, ACG status=%3

Fields #

Name	Description
`DriverId` UInt64
`ProcessId` UInt32
`ACGState` UInt32

Event ID 1010: Calling process is in ACG telemetry mode.

Provider: Microsoft-Windows-SecurityMitigationsBroker
Channel: Admin
Task: SecurityMitigationsBroker.Task.NotifyDisplayDriverUpdate

Description

Calling process is in ACG telemetry mode. AdapterId=DriverId, ProcessId=ProcessId.

Message #

Calling process is in ACG telemetry mode. AdapterId=%1, ProcessId=%2

Fields #

Name	Description
`DriverId` UInt64
`ProcessId` UInt32

Event ID 1011: Calling process is not in an AppContainer.

Provider: Microsoft-Windows-SecurityMitigationsBroker
Channel: Admin
Task: SecurityMitigationsBroker.Task.NotifyDisplayDriverUpdate

Description

Calling process is not in an AppContainer. Driver=DriverId, ProcessId=ProcessId.

Message #

Calling process is not in an AppContainer. Driver=%1, ProcessId=%2

Fields #

Name	Description
`DriverId` UInt64
`ProcessId` UInt32

Event ID 1012: Failed to adjust the calling process ACG status for the reported DX adapter change event.

Provider: Microsoft-Windows-SecurityMitigationsBroker
Channel: Operational
Task: SecurityMitigationsBroker.Task.NotifyDisplayDriverUpdate

Description

Failed to adjust the calling process ACG status for the reported DX adapter change event. AdapterId=DriverId, ProcessId=ProcessId, ErrorCode=ErrorCode.

Message #

Failed to adjust the calling process ACG status for the reported DX adapter change event. AdapterId=%1, ProcessId=%2, ErrorCode=%3

Fields #

Name	Description
`DriverId` UInt64
`ProcessId` UInt32
`ErrorCode` UInt32

Event ID 1013: Finished applying the security protection policies for the reported DX adapter change event.

Provider: Microsoft-Windows-SecurityMitigationsBroker
Channel: Admin
Task: SecurityMitigationsBroker.Task.NotifyDisplayDriverUpdate

Description

Finished applying the security protection policies for the reported DX adapter change event. AdapterId=DriverId, ProcessId=ProcessId.

Message #

Finished applying the security protection policies for the reported DX adapter change event. AdapterId=%1, ProcessId=%2

Fields #

Name	Description
`DriverId` UInt64
`ProcessId` UInt32

Event ID 1014: Calling process does not have ACG turned on.

Provider: Microsoft-Windows-SecurityMitigationsBroker
Channel: Admin
Task: SecurityMitigationsBroker.Task.NotifyDisplayDriverUpdate

Description

Calling process does not have ACG turned on. AdapterId=DriverId, ProcessId=ProcessId.

Message #

Calling process does not have ACG turned on. AdapterId=%1, ProcessId=%2

Fields #

Name	Description
`DriverId` UInt64
`ProcessId` UInt32

Event ID 1015: ACG will be turned off for the calling process due to unsupportive DX adapter driver.

Provider: Microsoft-Windows-SecurityMitigationsBroker
Channel: Admin
Task: SecurityMitigationsBroker.Task.NotifyDisplayDriverUpdate

Description

ACG will be turned off for the calling process due to unsupportive DX adapter driver. AdapterId=DriverId, ProcessId=ProcessId.

Message #

ACG will be turned off for the calling process due to unsupportive DX adapter driver. AdapterId=%1, ProcessId=%2

Fields #

Name	Description
`DriverId` UInt64
`ProcessId` UInt32

Event ID 1016: Failed to create the DX object factory.

Provider: Microsoft-Windows-SecurityMitigationsBroker
Channel: Operational
Task: SecurityMitigationsBroker.Task.NotifyDisplayDriverUpdate

Description

Failed to create the DX object factory. AdapterId=DriverId, ProcessId=ProcessId, ErrorCode=ErrorCode.

Message #

Failed to create the DX object factory. AdapterId=%1, ProcessId=%2, ErrorCode=%3

Fields #

Name	Description
`DriverId` UInt64
`ProcessId` UInt32
`ErrorCode` UInt32

Event ID 1017: Failed to enumerate the DX adapters.

Provider: Microsoft-Windows-SecurityMitigationsBroker
Channel: Operational
Task: SecurityMitigationsBroker.Task.NotifyDisplayDriverUpdate

Description

Failed to enumerate the DX adapters. AdapterId=DriverId, ProcessId=ProcessId, ErrorCode=ErrorCode.

Message #

Failed to enumerate the DX adapters. AdapterId=%1, ProcessId=%2, ErrorCode=%3

Fields #

Name	Description
`DriverId` UInt64
`ProcessId` UInt32
`ErrorCode` UInt32

Event ID 1018: Failed to query the descriptor for the adapter id.

Provider: Microsoft-Windows-SecurityMitigationsBroker
Channel: Operational
Task: SecurityMitigationsBroker.Task.NotifyDisplayDriverUpdate

Description

Failed to query the descriptor for the adapter id. AdapterId=DriverId, ProcessId=ProcessId, ErrorCode=ErrorCode.

Message #

Failed to query the descriptor for the adapter id. AdapterId=%1, ProcessId=%2, ErrorCode=%3

Fields #

Name	Description
`DriverId` UInt64
`ProcessId` UInt32
`ErrorCode` UInt32

Event ID 1019: Enumerated a DX adapter.

Provider: Microsoft-Windows-SecurityMitigationsBroker
Channel: Admin
Task: SecurityMitigationsBroker.Task.NotifyDisplayDriverUpdate

Description

Enumerated a DX adapter. AdapterId=DriverId1, enumerated AdapterId=DriverId2, ProcessId=ProcessId.

Message #

Enumerated a DX adapter. AdapterId=%1, enumerated AdapterId=%2, ProcessId=%3

Fields #

Name	Description
`DriverId1` UInt64
`DriverId2` UInt64
`ProcessId` UInt32

Event ID 1020: Calling process uses the software rendering adapter.

Provider: Microsoft-Windows-SecurityMitigationsBroker
Channel: Admin
Task: SecurityMitigationsBroker.Task.NotifyDisplayDriverUpdate

Description

Calling process uses the software rendering adapter. Driver=DriverId, ProcessId=ProcessId.

Message #

Calling process uses the software rendering adapter. Driver=%1, ProcessId=%2

Fields #

Name	Description
`DriverId` UInt64
`ProcessId` UInt32

Event ID 1021: Failed to query the IDXGIAdapter2 interface from the enumerated adapter.

Provider: Microsoft-Windows-SecurityMitigationsBroker
Channel: Operational
Task: SecurityMitigationsBroker.Task.NotifyDisplayDriverUpdate

Description

Failed to query the IDXGIAdapter2 interface from the enumerated adapter. AdapterId=DriverId, ProcessId=ProcessId, ErrorCode=ErrorCode.

Message #

Failed to query the IDXGIAdapter2 interface from the enumerated adapter. AdapterId=%1, ProcessId=%2, ErrorCode=%3

Fields #

Name	Description
`DriverId` UInt64
`ProcessId` UInt32
`ErrorCode` UInt32

Event ID 1022: Encountered a DX adapter that does not support ACG.

Provider: Microsoft-Windows-SecurityMitigationsBroker
Channel: Admin
Task: SecurityMitigationsBroker.Task.NotifyDisplayDriverUpdate

Description

Encountered a DX adapter that does not support ACG. Description:Description, VendorId:VendorId, DeviceId:DeviceId, AdapterId=DriverId, ProcessId=ProcessId.

Message #

Encountered a DX adapter that does not support ACG. Description:%1, VendorId:%2, DeviceId:%3, AdapterId=%4, ProcessId=%5

Fields #

Name	Description
`Description` UnicodeString
`VendorId` UInt32
`DeviceId` UInt32
`DriverId` UInt64
`ProcessId` UInt32

Event ID 1023: Forced ACG on the DX Adapter which uses a WDDM 2.

Provider: Microsoft-Windows-SecurityMitigationsBroker
Channel: Admin
Task: SecurityMitigationsBroker.Task.NotifyDisplayDriverUpdate

Description

Forced ACG on the DX Adapter which uses a WDDM 2.0 and above driver from a supported vendor. Description:Description, VendorId:VendorId, DeviceId:DeviceId, AdapterId=DriverId, ProcessId=ProcessId.

Message #

Forced ACG on the DX Adapter which uses a WDDM 2.0 and above driver from a supported vendor. Description:%1, VendorId:%2, DeviceId:%3, AdapterId=%4, ProcessId=%5

Fields #

Name	Description
`Description` UnicodeString
`VendorId` UInt32
`DeviceId` UInt32
`DriverId` UInt64
`ProcessId` UInt32

Event ID 1024: Calling process does not allow remote ACG downgrade.

Provider: Microsoft-Windows-SecurityMitigationsBroker
Channel: Admin
Task: SecurityMitigationsBroker.Task.NotifyDisplayDriverUpdate

Description

Calling process does not allow remote ACG downgrade. AdapterId=DriverId, ProcessId=ProcessId.

Message #

Calling process does not allow remote ACG downgrade. AdapterId=%1, ProcessId=%2

Fields #

Name	Description
`DriverId` UInt64
`ProcessId` UInt32

Event ID 1025: Remote downgrade is disabled through settings.

Provider: Microsoft-Windows-SecurityMitigationsBroker
Channel: Admin
Task: SecurityMitigationsBroker.Task.NotifyDisplayDriverUpdate

Description

Remote downgrade is disabled through settings. AdapterId=DriverId, ProcessId=ProcessId.

Message #

Remote downgrade is disabled through settings. AdapterId=%1, ProcessId=%2

Fields #

Name	Description
`DriverId` UInt64
`ProcessId` UInt32

Event ID 1026: Non-primary adapter ID is supplied.

Provider: Microsoft-Windows-SecurityMitigationsBroker
Channel: Admin
Task: SecurityMitigationsBroker.Task.NotifyDisplayDriverUpdate

Description

Non-primary adapter ID is supplied. Description:Description, VendorId:VendorId, DeviceId:DeviceId, AdapterId=DriverId, ProcessId=ProcessId.

Message #

Non-primary adapter ID is supplied. Description:%1, VendorId:%2, DeviceId:%3, AdapterId=%4, ProcessId=%5

Fields #

Name	Description
`Description` UnicodeString
`VendorId` UInt32
`DeviceId` UInt32
`DriverId` UInt64
`ProcessId` UInt32

Event ID 1027: Remote downgrade is rejected since software rendering only policy is set.

Provider: Microsoft-Windows-SecurityMitigationsBroker
Channel: Admin
Task: SecurityMitigationsBroker.Task.NotifyDisplayDriverUpdate

Description

Remote downgrade is rejected since software rendering only policy is set. AdapterId=DriverId, ProcessId=ProcessId.

Message #

Remote downgrade is rejected since software rendering only policy is set. AdapterId=%1, ProcessId=%2

Fields #

Name	Description
`DriverId` UInt64
`ProcessId` UInt32

Event ID 1028: SecurityMitigationsBroker.Task.DisableAcgEnforcementStart

Provider: Microsoft-Windows-SecurityMitigationsBroker
Channel: Perf
Task: SecurityMitigationsBroker.Task.DisableAcgEnforcement
Opcode: Start

Event ID 1029: SecurityMitigationsBroker.Task.DisableAcgEnforcementStop

Provider: Microsoft-Windows-SecurityMitigationsBroker
Channel: Perf
Task: SecurityMitigationsBroker.Task.DisableAcgEnforcement
Opcode: Stop

Event ID 1030: DisableAcgEnforcement is not enabled on current architecture.

Provider: Microsoft-Windows-SecurityMitigationsBroker
Channel: Admin
Task: SecurityMitigationsBroker.Task.DisableAcgEnforcement

Description

DisableAcgEnforcement is not enabled on current architecture. ModuleName=ModuleName.

Message #

DisableAcgEnforcement is not enabled on current architecture. ModuleName=%1

Fields #

Name	Description
`ModuleName` UnicodeString

Provenance

Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.

ETW provider GUID ea8cd8a5-78ff-4418-b292-aadc6a7181df

Defined in Windows.Internal.SecurityMitigationsBroker.dll, which carries the event manifest.

Observed on:

WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.1, captured 2026-06-02
Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.1, captured 2026-06-02

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)