Microsoft-Windows-Shell-Core
2380 events across 5 channels
Event ID 3: AggregatePropertyProvider_GetValueObjectStart
#Fields #
| Name | Description |
|---|---|
FMTID GUID | |
PID UInt32 |
Event ID 4: AggregatePropertyProvider_GetValueObjectStop
#Fields #
| Name | Description |
|---|---|
FMTID GUID | |
PID UInt32 |
Event ID 103: AutoplayCPL_CreateStart
#Event ID 104: AutoplayCPL_CreateStop
#Event ID 105: AutoplayCPL_LayoutInitializedStart
#Event ID 106: AutoplayCPL_LayoutInitializedStop
#Event ID 107: DeskCPL_ShowDialogStart
#Event ID 108: DeskCPL_ShowDialogStop
#Event ID 109: DeskCPL_ShowDialog
#Event ID 110: DeskCPL_ShowDialog110
#Event ID 501: AutoListEditor_Controls_RenderingStart
#Event ID 502: AutoListEditor_Controls_RenderingStop
#Event ID 503: AutoListEditor_FilterConditions_RenderingStart
#Event ID 504: AutoListEditor_FilterConditions_RenderingStop
#Event ID 505: AutoListEditor_Filter_ChangeNotifyStart
#Event ID 506: AutoListEditor_Filter_ChangeNotifyStop
#Event ID 507: AutoListEditor_Filters_RenderingStart
#Event ID 508: AutoListEditor_Filters_RenderingStop
#Event ID 509: AutoListEditor_Scopes_RenderingStart
#Event ID 510: AutoListEditor_Scopes_RenderingStop
#Event ID 1001: AutoLists_QueryDefaultLocationStart
#Event ID 1002: AutoLists_QueryDefaultLocationStop
#Event ID 1003: AutoLists_QueryResultsDisplayedStart
#Event ID 1004: AutoLists_QueryResultsDisplayedStop
#Event ID 1005: AutoLists_QueryResultsExecutedStart
#Event ID 1006: AutoLists_QueryResultsExecutedStop
#Event ID 1007: AutoLists_QueryResultsStackedStart
#Event ID 1008: AutoLists_QueryResultsStackedStop
#Event ID 1011: AutoLists_GetRemoteFolderPathStart
#Event ID 1012: AutoLists_GetRemoteFolderPathStop
#Event ID 1013: AutoLists_LoadFromXMLStart
#Event ID 1014: AutoLists_LoadFromXMLStop
#Event ID 1015: AutoLists_LoadFromStreamStart
#Event ID 1016: AutoLists_LoadFromStreamStop
#Event ID 1017: AutoLists_LoadComponentChainStart
#Event ID 1018: AutoLists_LoadComponentChainStop
#Event ID 1019: AutoLists_GetWorkgroupNetInfoStart
#Event ID 1020: AutoLists_GetWorkgroupNetInfoStop
#Event ID 1023: AutoLists_ProcessNextBatchStart
#Event ID 1024: AutoLists_ProcessNextBatchStop
#Event ID 1025: AutoLists_MergeEnumToViewStart
#Event ID 1026: AutoLists_MergeEnumToViewStop
#Event ID 1027: AutoLists_MSSQueryAddResultsToQueueStart
#Event ID 1029: InfoBar_Click_Count_AddToIndex
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 1033: InfoBar_Display_Count_Indexer_Busy
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 1035: InfoBar_Display_Count_Indexer_Disabled
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 1037: InfoBar_NonIndexed_Location_Count
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStreamRowLength UInt32 | |
SqmStreamRow Int16 |
Event ID 1038: DataLayer_CreateResultSetsStart
#Event ID 1039: DataLayer_CreateResultSetsStop
#Event ID 1048: DataLayer_RowsetGetRowsStart
#Fields #
| Name | Description |
|---|---|
ProviderId GUID | |
Index UInt32 | |
Count UInt32 |
Event ID 1050: DataLayer_RowsetGetDataStart
#Event ID 1051: DataLayer_RowsetGetDataStop
#Event ID 1056: DataLayer_ExtractPropertiesStart
#Event ID 1057: DataLayer_ExtractPropertiesStop
#Event ID 1058: DataLayer_RowsetGetReferencedRowsetStart
#Event ID 1059: DataLayer_RowsetGetReferencedRowsetStop
#Event ID 1066: DataLayer_GetRowsetPropertiesStart
#Event ID 1067: DataLayer_GetRowsetPropertiesStop
#Event ID 1068: DataLayer_RowsetFindIndexStart
#Event ID 1069: DataLayer_RowsetFindIndexStop
#Event ID 1070: DataLayer_RowsetCountForGroupStart
#Event ID 1072: DataLayer_CollectionImmediateIndexStart
#Event ID 1074: DataLayer_CollectionLeafIndexStart
#Event ID 1076: DataLayer_RSMImmediateIndexStart
#Event ID 1078: DataLayer_RSMLeafIndexStart
#Event ID 1080: DataLayer_CollectionMemberOfGroupStart
#Event ID 1081: DataLayer_CollectionMemberOfGroupStop
#Event ID 1083: DataLayer_CollectionCountStop
#Fields #
| Name | Description |
|---|---|
Type UInt32 | |
Count UInt32 | |
State UInt32 |
Event ID 1087: DataLayer_CountTaskStop
#Fields #
| Name | Description |
|---|---|
Type UInt32 | |
Cookie UInt32 | |
HRESULT UInt32 | |
Count UInt32 | |
fWaitingOnRealization UInt32 |
Event ID 1092: DataLayer_CollectionGetResultCached
#Fields #
| Name | Description |
|---|---|
Index UInt32 | |
Version UInt32 |
Event ID 1093: DataLayer_GetResultTaskStart
#Fields #
| Name | Description |
|---|---|
Index UInt32 | |
Version UInt32 | |
Cookie UInt32 |
Event ID 1094: DataLayer_GetResultTaskStop
#Fields #
| Name | Description |
|---|---|
Index UInt32 | |
Version UInt32 | |
Cookie UInt32 |
Event ID 1095: DataLayer_GetResultTaskQueued
#Fields #
| Name | Description |
|---|---|
Index UInt32 | |
Version UInt32 | |
Cookie UInt32 |
Event ID 1102: DataLayer_RSMRealizationCancelled
#Event ID 1104: DataLayer_RSMGetGroupManagerStart
#Event ID 1105: DataLayer_RSMGetGroupManagerStop
#Event ID 1107: DataLayer_ResultSetRealizeStop
#Event ID 1110: DataLayer_ResultSetEnumStart
#Event ID 1111: DataLayer_ResultSetEnumStop
#Event ID 1112: DataLayer_ResultSetWaitForResultsStart
#Event ID 1117: DataLayer_ResultSetSortResultsStop
#Event ID 1119: DataLayer_ResultSetGroupResultsStop
#Event ID 1122: DataLayer_GenerateSnippetStart
#Event ID 1123: DataLayer_GenerateSnippetStop
#Event ID 1124: DataLayer_CalculateStackThumbnailCacheIdStart
#Event ID 1125: DataLayer_CalculateStackThumbnailCacheIdStop
#Event ID 1126: DataLayer_BuildStackThumbnailStart
#Event ID 1127: DataLayer_BuildStackThumbnailStop
#Event ID 1129: DataLayer_ReuseFirstBatchStop
#Event ID 1131: DataLayer_ReuseCachedStop
#Event ID 1132: DataLayer_StackThumbnails_RenderingStart
#Event ID 1133: DataLayer_StackThumbnails_RenderingStop
#Event ID 1134: DataLayer_StackThumbnails_PickPicturesStart
#Event ID 1135: DataLayer_StackThumbnails_PickPicturesStop
#Event ID 1140: DataLayer_GetRowsAtStart
#Event ID 1141: DataLayer_GetRowsAtStop
#Event ID 1142: DataLayer_GetRowFromHROWStart
#Event ID 1143: DataLayer_GetRowFromHROWStop
#Event ID 1144: DataLayer_ItemRealizeItemStart
#Event ID 1145: DataLayer_ItemRealizeItemStop
#Event ID 1146: DataLayer_ItemCompareItemStart
#Event ID 1147: DataLayer_ItemCompareItemStop
#Event ID 1148: DataLayer_ItemCompareItemIdentityStart
#Event ID 1149: DataLayer_ItemCompareItemIdentityStop
#Event ID 1150: DataLayer_ItemGetValueStart
#Event ID 1151: DataLayer_ItemGetValueStop
#Event ID 1401: OpenSearch_RowsetInitializeStart
#Event ID 1402: OpenSearch_RowsetInitializeStop
#Event ID 1403: OpenSearch_GetRowsAtStart
#Event ID 1404: OpenSearch_GetRowsAtStop
#Event ID 1405: OpenSearch_FillCachedPageStart
#Event ID 1406: OpenSearch_FillCachedPageStop
#Event ID 1409: OpenSearch_NormalizeResultsPageStart
#Event ID 1410: OpenSearch_NormalizeResultsPageStop
#Event ID 1411: OpenSearch_ParseResultsPageStart
#Event ID 1412: OpenSearch_ParseResultsPageStop
#Event ID 1413: OpenSearch_PreConnectStart
#Event ID 1414: OpenSearch_PreConnectStop
#Event ID 1415: OpenSearch_Http_Response
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 1417: OpenSearch_Description_Installed
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 1419: OpenSearch_Provider_Queried
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 1500: ShellTask_UdfFormatter_FormatThreadStart
#Event ID 1501: ShellTask_UdfFormatter_FormatThreadStop
#Event ID 1502: ShellTask_ShellLink_VerifyPathThreadStart
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "1502",
"version": "0",
"level": "4",
"task": "1502",
"opcode": "1",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:21:15.031275500+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "8672"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 1503: ShellTask_ShellLink_VerifyPathThreadStop
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "1503",
"version": "0",
"level": "4",
"task": "1502",
"opcode": "2",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:21:15.032217300+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "8672"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 1504: ShellTask_RunDialog_CheckRunInSeparateThreadStart
#Event ID 1505: ShellTask_RunDialog_CheckRunInSeparateThreadStop
#Event ID 1506: ShellTask_Restart_ShutdownThreadStart
#Event ID 1507: ShellTask_Restart_ShutdownThreadStop
#Event ID 1508: ShellTask_MountPoint_RegisterThreadStart
#Event ID 1509: ShellTask_MountPoint_RegisterThreadStop
#Event ID 1510: ShellTask_Format_FormatThreadStart
#Event ID 1511: ShellTask_Format_FormatThreadStop
#Event ID 1512: ShellTask_FileFldr_GetFindDataThreadStart
#Event ID 1513: ShellTask_FileFldr_GetFindDataThreadStop
#Event ID 1514: ShellTask_CloseSession_TipThreadStart
#Event ID 1515: ShellTask_CloseSession_TipThreadStop
#Event ID 1518: ShellTask_UserLibrary_RestoreLibrariesThreadStart
#Event ID 1519: ShellTask_UserLibrary_RestoreLibrariesThreadStop
#Event ID 1520: ShellTask_Options_SetupAndRunPropertySheetThreadStart
#Event ID 1521: ShellTask_Options_SetupAndRunPropertySheetThreadStop
#Event ID 1522: ShellTask_Desktop_LocalServerThreadStart
#Event ID 1523: ShellTask_Desktop_LocalServerThreadStop
#Event ID 1524: ShellTask_BackPropSheet_SizeCheckerThreadStart
#Event ID 1525: ShellTask_BackPropSheet_SizeCheckerThreadStop
#Event ID 1526: ShellTask_Undo_UndoThreadStart
#Event ID 1527: ShellTask_Undo_UndoThreadStop
#Event ID 1528: ShellTask_PropSheet_PropSheetThreadStart
#Event ID 1529: ShellTask_PropSheet_PropSheetThreadStop
#Event ID 1530: ShellTask_PropSheet_FormatThreadStart
#Event ID 1531: ShellTask_PropSheet_FormatThreadStop
#Event ID 1532: ShellTask_ShellLink_SearchThreadStart
#Event ID 1533: ShellTask_ShellLink_SearchThreadStop
#Event ID 1534: ShellTask_Encrypt_EncryptThreadStart
#Event ID 1535: ShellTask_Encrypt_EncryptThreadStop
#Event ID 1536: ShellTask_SDSPatch_FindPrinterThreadStart
#Event ID 1537: ShellTask_SDSPatch_FindPrinterThreadStop
#Event ID 1538: ShellTask_ChangeNotify_ChangeNotifyThreadStart
#Event ID 1539: ShellTask_ChangeNotify_ChangeNotifyThreadStop
#Event ID 1540: ShellTask_Schedule_ShellTaskThreadStart
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "1540",
"version": "0",
"level": "4",
"task": "1540",
"opcode": "1",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:20:38.452962100+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "13268"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 1541: ShellTask_Schedule_ShellTaskThreadStop
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "1541",
"version": "0",
"level": "4",
"task": "1540",
"opcode": "2",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:20:18.682797800+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "11516"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 1542: ShellTask_RunAsNewUser_RunAsThreadStart
#Event ID 1543: ShellTask_RunAsNewUser_RunAsThreadStop
#Event ID 1544: ShellTask_RichPreview_PreviewThreadStart
#Event ID 1545: ShellTask_RichPreview_PreviewThreadStop
#Event ID 1546: ShellTask_PostBootReminder_ReminderThreadStart
#Event ID 1547: ShellTask_PostBootReminder_ReminderThreadStop
#Event ID 1548: ShellTask_RegFldr_DisconnectDialogThreadStart
#Event ID 1549: ShellTask_RegFldr_DisconnectDialogThreadStop
#Event ID 1550: ShellTask_ProgressDialog_DialogThreadStart
#Event ID 1551: ShellTask_ProgressDialog_DialogThreadStop
#Event ID 1552: ShellTask_ProgressDialog_SyncDialogThreadStart
#Event ID 1553: ShellTask_ProgressDialog_SyncDialogThreadStop
#Event ID 1554: ShellTask_PlacesFldr_RestoreFavoritesThreadStart
#Event ID 1555: ShellTask_PlacesFldr_RestoreFavoritesThreadStop
#Event ID 1556: ShellTask_OtherUsersBarrier_WizardThreadStart
#Event ID 1557: ShellTask_OtherUsersBarrier_WizardThreadStop
#Event ID 1558: ShellTask_OpenContainingMenu_InvokeThreadStart
#Event ID 1559: ShellTask_OpenContainingMenu_InvokeThreadStop
#Event ID 1560: ShellTask_NamespaceWalk_AsyncWalkThreadStart
#Event ID 1561: ShellTask_NamespaceWalk_AsyncWalkThreadStop
#Event ID 1562: ShellTask_NetApi_NetConnectThreadStart
#Event ID 1563: ShellTask_NetApi_NetConnectThreadStop
#Event ID 1564: ShellTask_MulPropSheet_SizeThreadStart
#Event ID 1565: ShellTask_MulPropSheet_SizeThreadStop
#Event ID 1566: ShellTask_MulPropSheet_ApplySingleThreadStart
#Event ID 1567: ShellTask_MulPropSheet_ApplySingleThreadStop
#Event ID 1568: ShellTask_MulPropSheet_AppluMultipleThreadStart
#Event ID 1569: ShellTask_MulPropSheet_AppluMultipleThreadStop
#Event ID 1570: ShellTask_MountPointLocal_EjectThreadStart
#Event ID 1571: ShellTask_MountPointLocal_EjectThreadStop
#Event ID 1572: ShellTask_Autorun_AutorunPromptThreadStart
#Event ID 1573: ShellTask_Autorun_AutorunPromptThreadStop
#Event ID 1574: ShellTask_MenuBand_FadeTaskThreadStart
#Event ID 1575: ShellTask_MenuBand_FadeTaskThreadStop
#Event ID 1576: ShellTask_LinkProp_LinkCheckThreadStart
#Event ID 1577: ShellTask_LinkProp_LinkCheckThreadStop
#Event ID 1578: ShellTask_Library_OpenLocationThreadStart
#Event ID 1579: ShellTask_Library_OpenLocationThreadStop
#Event ID 1580: ShellTask_Library_RemoveLocationThreadStart
#Event ID 1581: ShellTask_Library_RemoveLocationThreadStop
#Event ID 1582: ShellTask_Library_RunTaskThreadStart
#Event ID 1583: ShellTask_Library_RunTaskThreadStop
#Event ID 1584: ShellTask_Library_SetPinUnpinThreadStart
#Event ID 1585: ShellTask_Library_SetPinUnpinThreadStop
#Event ID 1586: ShellTask_Library_AddLocationThreadStart
#Event ID 1587: ShellTask_Library_AddLocationThreadStop
#Event ID 1588: ShellTask_ItemHandlerCache_MessagePumpThreadStart
#Event ID 1589: ShellTask_ItemHandlerCache_MessagePumpThreadStop
#Event ID 1590: ShellTask_FSDropTarget_DoDropThreadStart
#Event ID 1591: ShellTask_FSDropTarget_DoDropThreadStop
#Event ID 1592: ShellTask_CheckDiskDialog_DialogThreadStart
#Event ID 1593: ShellTask_CheckDiskDialog_DialogThreadStop
#Event ID 1594: ShellTask_Enum_EnumThreadStart
#Event ID 1595: ShellTask_Enum_EnumThreadStop
#Event ID 1596: ShellTask_DrvX_MakeConnectionThreadStart
#Event ID 1597: ShellTask_DrvX_MakeConnectionThreadStop
#Event ID 1598: ShellTask_DrvX_DrvSizeThreadStart
#Event ID 1599: ShellTask_DrvX_DrvSizeThreadStop
#Event ID 1600: ShellTask_DefCM_DeleteItemsThreadStart
#Event ID 1601: ShellTask_DefCM_DeleteItemsThreadStop
#Event ID 1602: ShellTask_CopyFGD_CopyThreadStart
#Event ID 1603: ShellTask_CopyFGD_CopyThreadStop
#Event ID 1604: ShellTask_Collection_RealizeThreadStart
#Event ID 1605: ShellTask_Collection_RealizeThreadStop
#Event ID 1606: ShellTask_CloseSession_CloseThreadStart
#Event ID 1607: ShellTask_CloseSession_CloseThreadStop
#Event ID 1608: ShellTask_CDBurn_NotifyThreadStart
#Event ID 1609: ShellTask_CDBurn_NotifyThreadStop
#Event ID 1610: ShellTask_CDBurn_DropThreadStart
#Event ID 1611: ShellTask_CDBurn_DropThreadStop
#Event ID 1612: ShellTask_CDBurn_WizardThreadStart
#Event ID 1613: ShellTask_CDBurn_WizardThreadStop
#Event ID 1614: ShellTask_CDBurn_EraseThreadStart
#Event ID 1615: ShellTask_CDBurn_EraseThreadStop
#Event ID 1616: ShellTask_CDBurn_BurnThreadStart
#Event ID 1617: ShellTask_CDBurn_BurnThreadStop
#Event ID 1618: ShellTask_BitBucket_DispatchThreadStart
#Event ID 1619: ShellTask_BitBucket_DispatchThreadStop
#Event ID 1620: ShellTask_BitBucket_PurgeAllThreadStart
#Event ID 1621: ShellTask_BitBucket_PurgeAllThreadStop
#Event ID 1622: ShellTask_AsyncInvoke_InvokeThreadStart
#Event ID 1623: ShellTask_AsyncInvoke_InvokeThreadStop
#Event ID 1628: ShellTask_ResultSetFactory_EnumThreadStart
#Event ID 1629: ShellTask_ResultSetFactory_EnumThreadStop
#Event ID 1630: ShellTask_IndexClusionCache_HandleNetworkPathThreadStart
#Event ID 1631: ShellTask_IndexClusionCache_HandleNetworkPathThreadStop
#Event ID 1632: ShellTask_IndexClusionCache_HandlePathThreadStart
#Event ID 1633: ShellTask_IndexClusionCache_HandlePathThreadStop
#Event ID 1634: ShellTask_Notify_StartupThreadStart
#Event ID 1635: ShellTask_Notify_StartupThreadStop
#Event ID 1636: ShellTask_PublishedItems_EnumItemsThreadStart
#Event ID 1637: ShellTask_PublishedItems_EnumItemsThreadStop
#Event ID 1640: ShellTask_Library_ShareUnshareLocationThreadStart
#Event ID 1641: ShellTask_Library_ShareUnshareLocationThreadStop
#Event ID 1642: ShellTask_ItemHandler_GetHandlerThreadStart
#Event ID 1643: ShellTask_ItemHandler_GetHandlerThreadStop
#Event ID 1644: ShellTask_ItemHandler_SetHandlerThreadStart
#Event ID 1645: ShellTask_ItemHandler_SetHandlerThreadStop
#Event ID 1646: ShellTask_SearchHelpers_InitIndexDataThreadStart
#Event ID 1647: ShellTask_SearchHelpers_InitIndexDataThreadStop
#Event ID 1648: ShellTask_SearchHelpers_CheckCrawlScopeThreadStart
#Event ID 1649: ShellTask_SearchHelpers_CheckCrawlScopeThreadStop
#Event ID 1650: ShellTask_Library_CommitScopeChangesThreadStart
#Event ID 1651: ShellTask_Library_CommitScopeChangesThreadStop
#Event ID 1652: ShellTask_ItemsView_SendReentrancyReportThreadStart
#Event ID 1653: ShellTask_ItemsView_SendReentrancyReportThreadStop
#Event ID 1654: ShellTask_MtPtRemote_UpdateInfoThreadStart
#Event ID 1655: ShellTask_MtPtRemote_UpdateInfoThreadStop
#Event ID 1656: ShellTask_Timeout_CallwithTimeoutThreadStart
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "1656",
"version": "0",
"level": "4",
"task": "1656",
"opcode": "1",
"keywords": 9223372036854841344,
"time_created": "2026-03-16T00:21:39.181590000+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "5680",
"thread_id": "11272"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 1657: ShellTask_Timeout_CallwithTimeoutThreadStop
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "1657",
"version": "0",
"level": "4",
"task": "1656",
"opcode": "2",
"keywords": 9223372036854841344,
"time_created": "2026-03-16T00:21:39.182071900+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "5680",
"thread_id": "11272"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 1658: ShellTask_ShellBrowser_CancelNavigationReportThreadStart
#Event ID 1659: ShellTask_ShellBrowser_CancelNavigationReportThreadStop
#Event ID 1660: ShellTask_PerfTrack_LogStartEventThreadStart
#Event ID 1661: ShellTask_PerfTrack_LogStartEventThreadStop
#Event ID 1662: ShellTask_WSDPublisher_PublishMessageThreadStart
#Event ID 1663: ShellTask_WSDPublisher_PublishMessageThreadStop
#Event ID 1664: ShellTask_WSDPublisher_CleanUpThreadStart
#Event ID 1665: ShellTask_WSDPublisher_CleanUpThreadStop
#Event ID 1666: ShellTask_WSDPublisher_InitThreadStart
#Event ID 1667: ShellTask_WSDPublisher_InitThreadStop
#Event ID 1668: ShellTask_ShellUrl_AsyncParseThreadStart
#Event ID 1669: ShellTask_ShellUrl_AsyncParseThreadStop
#Event ID 1672: ShellTask_RecycleBin_CompactAndPurgeThreadStart
#Event ID 1673: ShellTask_RecycleBin_CompactAndPurgeThreadStop
#Event ID 1674: ShellTask_PublishedItems_UpdatePublishedItemsThreadStart
#Event ID 1675: ShellTask_PublishedItems_UpdatePublishedItemsThreadStop
#Event ID 1676: ShellTask_PublishedItems_UpdateLibrariesThreadStart
#Event ID 1677: ShellTask_PublishedItems_UpdateLibrariesThreadStop
#Event ID 1678: ShellTask_PrivateProfile_AsyncUpdateCacheThreadStart
#Event ID 1679: ShellTask_PrivateProfile_AsyncUpdateCacheThreadStop
#Event ID 1680: ShellTask_MultiComplete_WorkThreadStart
#Event ID 1681: ShellTask_MultiComplete_WorkThreadStop
#Event ID 1682: ShellTask_MountPoint_InitLocalDriveThreadStart
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "1682",
"version": "0",
"level": "4",
"task": "1682",
"opcode": "1",
"keywords": 9223372036854841344,
"time_created": "2026-03-16T00:21:39.181373700+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "5680",
"thread_id": "4384"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 1683: ShellTask_MountPoint_InitLocalDriveThreadStop
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "1683",
"version": "0",
"level": "4",
"task": "1682",
"opcode": "2",
"keywords": 9223372036854841344,
"time_created": "2026-03-16T00:21:39.187943800+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "5680",
"thread_id": "4384"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 1684: ShellTask_Library_UpdateLocationSupportStatusThreadStart
#Event ID 1685: ShellTask_Library_UpdateLocationSupportStatusThreadStop
#Event ID 1686: ShellTask_LowDisk_WorkThreadStart
#Event ID 1687: ShellTask_LowDisk_WorkThreadStop
#Event ID 1688: ShellTask_LowDisk_CheckDiskSpaceThreadStart
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "1688",
"version": "0",
"level": "4",
"task": "1688",
"opcode": "1",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:21:00.138341600+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "13176"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 1689: ShellTask_LowDisk_CheckDiskSpaceThreadStop
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "1689",
"version": "0",
"level": "4",
"task": "1688",
"opcode": "2",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:21:00.141903300+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "13176"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 1690: ShellTask_Library_UpdateScopeOnRenameThreadStart
#Event ID 1691: ShellTask_Library_UpdateScopeOnRenameThreadStop
#Event ID 1692: ShellTask_Library_GetLibraryDescriptionThreadStart
#Event ID 1693: ShellTask_Library_GetLibraryDescriptionThreadStop
#Event ID 1694: ShellTask_Library_ValidateAndResolveLocationsThreadStart
#Event ID 1695: ShellTask_Library_ValidateAndResolveLocationsThreadStop
#Event ID 1696: ShellTask_EnumFiles_CheckDiskForInsertThreadStart
#Event ID 1697: ShellTask_EnumFiles_CheckDiskForInsertThreadStop
#Event ID 1698: ShellTask_SearchIndexNotificationsQueue_FlushNotificationsThreadStart
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "1698",
"version": "0",
"level": "4",
"task": "1698",
"opcode": "1",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:20:38.371230500+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "13268"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 1699: ShellTask_SearchIndexNotificationsQueue_FlushNotificationsThreadStop
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "1699",
"version": "0",
"level": "4",
"task": "1698",
"opcode": "2",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:20:38.373954100+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "13268"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 1700: ShellTask_BitBucket_UpdateRecycleBinIconThreadStart
#Event ID 1701: ShellTask_BitBucket_UpdateRecycleBinIconThreadStop
#Event ID 1702: ShellTask_AutoPlay_ProcessDevicesEventsThreadStart
#Event ID 1703: ShellTask_AutoPlay_ProcessDevicesEventsThreadStop
#Event ID 1704: ShellTask_ACThread_GenerationCompletionListThreadStart
#Event ID 1705: ShellTask_ACThread_GenerationCompletionListThreadStop
#Event ID 1706: ShellTask_CollectionLock_AddTaskTimerThreadStart
#Event ID 1707: ShellTask_CollectionLock_AddTaskTimerThreadStop
#Event ID 1708: ShellTask_ShellExecute_ExecuteThreadStart
#Event ID 1709: ShellTask_ShellExecute_ExecuteThreadStop
#Event ID 1710: ShellTask_ExecUnknown_InstallAppThreadStart
#Event ID 1711: ShellTask_ExecUnknown_InstallAppThreadStop
#Event ID 1712: ShellTask_InvokeCommand_DoInvokeThreadStart
#Event ID 1713: ShellTask_InvokeCommand_DoInvokeThreadStop
#Event ID 1714: ShellTask_ProfsvcPostBootReminder_ReminderThreadStart
#Event ID 1715: ShellTask_ProfsvcPostBootReminder_ReminderThreadStop
#Event ID 2001: Browseui_CBrowserFrame_CreateInstanceStart
#Event ID 2002: Browseui_CBrowserFrame_CreateInstanceStop
#Event ID 2003: Browseui_CBrowserFrame_CloseStart
#Event ID 2004: Browseui_CBrowserFrame_CloseStop
#Event ID 2005: Browseui_FeedViewer_PreviewStreamStart
#Event ID 2006: Browseui_FeedViewer_PreviewStreamStop
#Event ID 2007: Browseui_Tabs_CloseTabStart
#Event ID 2008: Browseui_Tabs_CloseTabStop
#Event ID 2009: Browseui_Tabs_SwitchTabsStart
#Event ID 2010: Browseui_Tabs_SwitchTabsStop
#Event ID 2011: Browseui_Tabs_CloseOtherTabsStart
#Event ID 2012: Browseui_Tabs_CloseOtherTabsStop
#Event ID 2013: Browseui_SHOpenFolderWindowStart
#Event ID 2014: Browseui_SHOpenFolderWindowStop
#Event ID 2015: Browseui_FrameMessagePump_Return
#Event ID 2017: Browseui_FrameMessagePump_Back
#Event ID 2019: Browseui_FrameMessagePump_Next
#Event ID 2021: Browseui_FrameMessagePump_Prior
#Event ID 2025: Browseui_Tabs_AddTabButton
#Event ID 2027: Browseui_Tabs_TabReadyForNavigate
#Event ID 2029: Browseui_Tabs_AddTabAPI
#Event ID 2031: Browseui_CAddressEditBox_OnEndEditA
#Event ID 2033: Browseui_Breadcrumb_Dropdown_Click
#Event ID 2035: Browseui_Breadcrumb_Dropdown_Show
#Event ID 2037: Browseui_WndProcBS_Restore
#Event ID 2039: Browseui_WndProcBS_Minimize
#Event ID 2041: Browseui_WndProcBS_Maximize
#Event ID 2043: Browseui_CShellBrowser2_BrowseObject
#Event ID 2045: Browseui_Back_Button_Clicked
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 2047: Browseui_Forward_Button_Clicked
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 2049: Browseui_NavBar_CreateBandsStart
#Event ID 2050: Browseui_NavBar_CreateBandsStop
#Event ID 2051: Browseui_AddressBand_PositionChildWindowsStart
#Event ID 2052: Browseui_AddressBand_PositionChildWindowsStop
#Event ID 2053: Browseui_SearchControl_PositionChildWindowsStart
#Event ID 2054: Browseui_SearchControl_PositionChildWindowsStop
#Event ID 2055: Browseui_AddressBand_OnBackgroundStateChangedStart
#Event ID 2056: Browseui_AddressBand_OnBackgroundStateChangedStop
#Event ID 2059: Browseui_AutoComplete_UpdateCompletionStart
#Fields #
| Name | Description |
|---|---|
Path UnicodeString |
Event ID 2063: Browseui_AutoComplete_OnSearchCompleteStart
#Fields #
| Name | Description |
|---|---|
Path UnicodeString |
Event ID 2066: Browseui_AddressEditBox_ParsePathStop
#Event ID 2069: Browseui_Browser_NavigateStart
#Event ID 2070: Browseui_Browser_NavigateStop
#Event ID 2071: Browseui_Breadcrumb_RebuildToolbarStart
#Event ID 2072: Browseui_Breadcrumb_RebuildToolbarStop
#Event ID 3001: ComCtl32_CommandLinks_CreateStart
#Event ID 3002: ComCtl32_CommandLinks_CreateStop
#Event ID 3003: ComCtl32_CommandLinks_RenderingStart
#Event ID 3004: ComCtl32_CommandLinks_RenderingStop
#Event ID 3005: Comctl32_ImageList_DrawStart
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "3005",
"version": "0",
"level": "4",
"task": "4005",
"opcode": "1",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:20:18.461884100+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "4760"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 3006: Comctl32_ImageList_DrawStop
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "3006",
"version": "0",
"level": "4",
"task": "4005",
"opcode": "2",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:20:18.461897000+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "4760"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 3007: ComCtl32_PropertyPage_CreatePropertySheetPage
#Fields #
| Name | Description |
|---|---|
dwFlags UInt32 | |
pszTemplate UnicodeString |
Event ID 3009: ComCtl32_TaskDialog_OpenStart
#Event ID 3010: ComCtl32_TaskDialog_OpenStop
#Event ID 3011: ComCtl32_Wizard_OpenStart
#Event ID 3012: ComCtl32_Wizard_OpenStop
#Event ID 3013: ComCtl32_Wizard_UserDismissStart
#Event ID 3014: ComCtl32_Wizard_UserDismissStop
#Event ID 3015: Comctl32_ImageList_RebuildStart
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "3015",
"version": "0",
"level": "4",
"task": "4015",
"opcode": "1",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:20:51.145462700+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "10312",
"thread_id": "14168"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 3016: Comctl32_ImageList_RebuildStop
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "3016",
"version": "0",
"level": "4",
"task": "4015",
"opcode": "2",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:20:51.145464900+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "10312",
"thread_id": "14168"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 4003: CTray_MessageLoop_Return
#Event ID 4009: CTray_MessageLoop_Return4009
#Event ID 5001: Comdlg32_FileDialog_ReadyStart
#Event ID 5002: Comdlg32_FileDialog_ReadyStop
#Event ID 5003: Comdlg32_FileDialog_FrameFirstVisible
#Event ID 5004: Comdlg32_FileDialog_FrameFirstRedrawStart
#Event ID 5005: Comdlg32_FileDialog_FrameFirstRedrawStop
#Event ID 6001: CommandModule_ChangeNotifyStart
#Event ID 6002: CommandModule_ChangeNotifyStop
#Event ID 6201: Thumbnails_ExtractStart
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "6201",
"version": "0",
"level": "4",
"task": "6201",
"opcode": "1",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:20:50.067714800+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "800"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 6202: Thumbnails_ExtractStop
#Fields #
| Name | Description |
|---|---|
HRESULT UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "6202",
"version": "0",
"level": "4",
"task": "6201",
"opcode": "2",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:20:50.108720300+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "800"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"HRESULT": "2147791360"
},
"message": ""
}
Event ID 6203: Thumbnails_FastExtractStart
#Event ID 6205: Thumbnails_CacheLookupStart
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "6205",
"version": "0",
"level": "4",
"task": "6205",
"opcode": "1",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:20:50.066983600+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "800"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 6206: Thumbnails_CacheLookupStop
#Fields #
| Name | Description |
|---|---|
HRESULT UInt32 | |
LowQuality Boolean |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "6206",
"version": "0",
"level": "4",
"task": "6205",
"opcode": "2",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:20:50.067060500+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "800"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"HRESULT": "2147680258",
"LowQuality": "true"
},
"message": ""
}
Event ID 6207: Thumbnails_AdornmentStart
#Event ID 6208: Thumbnails_AdornmentStop
#Event ID 6209: Thumbnails_ExtractNoCacheStart
#Event ID 6210: Thumbnails_ExtractNoCacheStop
#Event ID 6211: Thumbnails_FolderThumbnailRenderStart
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "6211",
"version": "0",
"level": "4",
"task": "6211",
"opcode": "1",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:20:50.106203200+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "800"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 6212: Thumbnails_FolderThumbnailRenderStop
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "6212",
"version": "0",
"level": "4",
"task": "6211",
"opcode": "2",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:20:50.121868900+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "800"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 6213: Thumbnails_ResizeCacheStart
#Event ID 6214: Thumbnails_ResizeCacheStop
#Event ID 6215: Thumbnails_InitializeStart
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "6215",
"version": "0",
"level": "4",
"task": "6215",
"opcode": "1",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:21:03.188230900+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "13268"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 6216: Thumbnails_InitializeStop
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "6216",
"version": "0",
"level": "4",
"task": "6215",
"opcode": "2",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:21:03.189901400+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "13268"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 6217: Thumbnails_GetThumbnailStart
#Fields #
| Name | Description |
|---|---|
FileName UnicodeString | |
RequestSize UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "6217",
"version": "0",
"level": "4",
"task": "6217",
"opcode": "1",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:20:50.066737800+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "800"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"FileName": "automaton",
"RequestSize": " 48"
},
"message": ""
}
Event ID 6218: Thumbnails_GetThumbnailStop
#Fields #
| Name | Description |
|---|---|
HRESULT UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "6218",
"version": "0",
"level": "4",
"task": "6217",
"opcode": "2",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:20:50.067219200+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "800"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"HRESULT": "2147791363"
},
"message": ""
}
Event ID 6219: Thumbnails_SetThumbnailStart
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "6219",
"version": "0",
"level": "4",
"task": "6219",
"opcode": "1",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:20:50.108897500+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "800"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 6220: Thumbnails_SetThumbnailStop
#Fields #
| Name | Description |
|---|---|
HRESULT UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "6220",
"version": "0",
"level": "4",
"task": "6219",
"opcode": "2",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:20:50.109603500+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "800"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"HRESULT": " 0"
},
"message": ""
}
Event ID 6221: Thumbnails_GetAspectRatioStart
#Event ID 6222: Thumbnails_GetAspectRatioStop
#Event ID 6223: Thumbnails_DiskCleanupStart
#Event ID 6224: Thumbnails_DiskCleanupStop
#Event ID 6225: Thumbnails_ReadThumbsDBStart
#Event ID 6227: Thumbnails_LoadFromThumbsDBStart
#Event ID 6229: Thumbnails_WriteThumbsDBStart
#Event ID 6231: Thumbnails_CropLookupSize
#Fields #
| Name | Description |
|---|---|
CropLookupSize UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "6231",
"version": "0",
"level": "4",
"task": "6231",
"opcode": "0",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:20:50.109604500+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "800"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"CropLookupSize": " 2560"
},
"message": ""
}
Event ID 6233: Thumbnails_HostSelfDestruct
#Event ID 6235: Thumbnails_ExtractionTimeout
#Event ID 6236: RemoteThumbsDb_SQM
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 6237: RemoteThumbsDb_SQM6237
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 6238: RemoteThumbsDb_SQM6238
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 6239: Thumbnails_FullExtractionFailed
#Fields #
| Name | Description |
|---|---|
HRESULT Int32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "6239",
"version": "0",
"level": "2",
"task": "6239",
"opcode": "0",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:20:50.107825200+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "800"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"HRESULT": "-2147175936"
},
"message": ""
}
Event ID 6240: Thumbnails_CacheDataFile_GetThumbnailStart
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "6240",
"version": "0",
"level": "4",
"task": "6240",
"opcode": "1",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:21:15.027004100+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "800"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 6241: Thumbnails_CacheDataFile_GetThumbnailStop
#Fields #
| Name | Description |
|---|---|
HRESULT UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "6241",
"version": "0",
"level": "4",
"task": "6240",
"opcode": "2",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:21:15.027088300+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "800"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"HRESULT": " 0"
},
"message": ""
}
Event ID 6242: Thumbnails_GetThumbnailStreamStart
#Fields #
| Name | Description |
|---|---|
FileName UnicodeString | |
RequestSize Int32 | |
WTSFlags UInt32 |
Event ID 6243: Thumbnails_GetThumbnailStreamStop
#Fields #
| Name | Description |
|---|---|
HRESULT Int32 | |
CacheFlags UInt32 | |
SizeX Int32 | |
SizeY Int32 | |
StreamType Int32 |
Event ID 6501: CommonFileDialog_ApplyPropertiesStart
#Event ID 6502: CommonFileDialog_ApplyPropertiesStop
#Event ID 6503: CommonFileDialog_ControlsChangeNotifyStart
#Event ID 6504: CommonFileDialog_ControlsChangeNotifyStop
#Event ID 6505: CommonFileDialog_DetectSlowNetworkLocationStart
#Event ID 6506: CommonFileDialog_DetectSlowNetworkLocationStop
#Event ID 6507: CommonFileDialog_ExecuteOpenStart
#Event ID 6508: CommonFileDialog_ExecuteOpenStop
#Event ID 6509: CommonFileDialog_OpenStart
#Event ID 6511: CommonFileDialog_PlacesBar_RenderingStart
#Event ID 6512: CommonFileDialog_PlacesBar_RenderingStop
#Event ID 6513: CommonFileDialog_PopulateControlsStart
#Event ID 6514: CommonFileDialog_PopulateControlsStop
#Event ID 6515: CommonFileDialog_SQM
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 6516: CommonFileDialog_SQM6516
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 6517: CommonFileDialog_SQM6517
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 6518: CommonFileDialog_SQM6518
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 7001: ConflictResolution_CRUD_OpenStart
#Event ID 7002: ConflictResolution_CRUD_OpenStop
#Event ID 7003: ConflictResolution_RenderingStart
#Event ID 7004: ConflictResolution_RenderingStop
#Event ID 7005: ConflictResolution_UserIgnoreChangeNotifyStart
#Event ID 7006: ConflictResolution_UserIgnoreChangeNotifyStop
#Event ID 8001: DetailsPropertyPage_AddPagesStart
#Event ID 8002: DetailsPropertyPage_AddPagesStop
#Event ID 8003: DetailsPropertyPage_OpenStart
#Event ID 8004: DetailsPropertyPage_OpenStop
#Event ID 8005: DetailsPropertyPage_SaveStart
#Event ID 8006: DetailsPropertyPage_SaveStop
#Event ID 9501: Explorer_StartMenu_Open
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 9503: Explorer_StartMenu_Ready
#Event ID 9505: Explorer_StartPane_AllProgram_Folder_OpenStart
#Event ID 9506: Explorer_StartPane_AllProgram_Folder_OpenStop
#Event ID 9509: Explorer_StartPane_AllPrograms_ShowStart
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 9510: Explorer_StartPane_AllPrograms_ShowStop
#Event ID 9511: Explorer_StartPane_Cascade_ShowStart
#Event ID 9512: Explorer_StartPane_Cascade_ShowStop
#Event ID 9515: Explorer_StartPane_OpenBox_Launch
#Event ID 9517: Explorer_StartPane_OpenBox_SearchReady
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStreamRowLength UInt32 | |
SqmStreamRow Int16 |
Event ID 9519: Explorer_StartMenu_ShowStart
#Event ID 9520: Explorer_StartMenu_ShowStop
#Event ID 9521: Explorer_StartMenu_HideStart
#Event ID 9522: Explorer_StartMenu_HideStop
#Event ID 9523: Explorer_StartPane_OpenBox_TopMatchReady
#Event ID 9525: Explorer_StartMenu_ControlPanel_Launch
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 9526: Explorer_StartMenu_ControlPanel_LaunchStop
#Event ID 9527: Explorer_StartMenu_Favorites_Launch
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 9529: Explorer_StartMenu_RecentItems_Launch
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 9531: Explorer_StartMenu_Help_Launch
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 9533: Explorer_StartMenu_Network_Launch
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 9535: Explorer_StartMenu_Printers_Launch
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 9539: Explorer_StartMenu_SPAD_Launch
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 9541: Explorer_StartMenu_AdminTools_Launch
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 9543: Explorer_StartMenu_Run_Launch
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 9545: Explorer_StartMenu_MFU_Launch
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 9547: Explorer_StartMenu_Pinned_Launch
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 9549: Explorer_StartMenu_ConnectTo_Launch
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 9551: Explorer_StartPane_AllPrograms_BackButton
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 9553: ExplorerFrame_OpenComputer
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 9555: ExplorerFrame_OpenDocuments
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 9557: ExplorerFrame_OpenMusic
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 9559: ExplorerFrame_OpenPictures
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 9560: ExplorerFrame_NavigateDataSource
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStreamRowLength UInt32 | |
SqmStreamRow Int16 |
Event ID 9561: Explorer_StartMenu_Visible_Menu_Items
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 9563: Explorer_StartMenu_Mode
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 9565: Explorer_StartMenu_Pinned_Item_Added
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 9567: Explorer_StartMenu_Pinned_Item_Removed
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 9568: Explorer_StartMenu_Pinned_Items_Rearranged
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 9569: Explorer_StartPane_AllPrograms_Launched
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 9571: Explorer_StartMenu_Pinned_Count
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 9573: Explorer_StartMenu_MFU_Count
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 9575: Explorer_StartPane_AllPrograms_Folder_Opened
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 9577: Explorer_StartPane_AllPrograms_Count
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 9581: Explorer_StartMenu_NetworkCons_Launch
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 9583: Explorer_Is_Mobile_PC
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 9585: Explorer_Is_Joined_To_Domain
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 9587: Explorer_StartMenu_Cascading_Menu_Items
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 9589: Explorer_User_Account_Type
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 9591: Explorer_Breadcrumbbar_Selected_Navigation
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 9593: Explorer_Breadcrumbbar_Edited_Navigation
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 9595: Explorer_WordWheel_Activated
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 9597: ExplorerFrame_OpenProfile
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 9599: Explorer_Help_Launched
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStreamRowLength UInt32 | |
SqmStreamRow Int16 |
Event ID 9601: Explorer_InitializingExplorerStart
#Event ID 9602: Explorer_InitializingExplorerStop
#Event ID 9603: Explorer_CreateTrayStart
#Event ID 9604: Explorer_CreateTrayStop
#Event ID 9607: Explorer_CreateTrayWindowStart
#Event ID 9608: Explorer_CreateTrayWindowStop
#Event ID 9609: Explorer_InitStartButtonStart
#Event ID 9610: Explorer_InitStartButtonStop
#Event ID 9611: Explorer_CreateDesktopStart
#Event ID 9612: Explorer_CreateDesktopStop
#Event ID 9615: Explorer_FolderSettings
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 9617: Explorer_Start
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 9619: Explorer_StartMenu_Games_Launch
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 9621: Explorer_MessageLoopStart
#Event ID 9622: Explorer_MessageLoopStop
#Event ID 9623: Explorer_KickedOffDelayedBootWork
#Event ID 9627: Explorer_PlaySoundExecuteStart
#Event ID 9628: Explorer_PlaySoundExecuteStop
#Event ID 9629: Explorer_PlaySoundWaitStart
#Event ID 9630: Explorer_PlaySoundWaitStop
#Event ID 9637: Explorer_LoadingIconCacheStart
#Event ID 9638: Explorer_LoadingIconCacheStop
#Event ID 9643: Explorer_Roaming_SyncAtLogonStart
#Event ID 9644: Explorer_Roaming_SyncAtLogonStop
#Event ID 9645: Explorer_Roaming_WaitAtLogonStart
#Event ID 9646: Explorer_Roaming_WaitAtLogonStop
#Event ID 9648: Explorer_Startup_StepStart
#Fields #
| Name | Description |
|---|---|
psz UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ED4-E327-447C-9DE0-51B652C86108}",
"event_source_name": "",
"event_id": 9648,
"version": 0,
"level": 4,
"task": 9648,
"opcode": 1,
"keywords": 2305843009280868352,
"time_created": "2026-05-29T16:34:25.4110953+00:00",
"event_record_id": 2013,
"correlation": {},
"execution": {
"process_id": 6328,
"thread_id": 6472
},
"channel": "Microsoft-Windows-Shell-Core/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"psz": "Finalize"
},
"message": ""
}
Event ID 9649: Explorer_Startup_StepStop
#Fields #
| Name | Description |
|---|---|
psz UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ED4-E327-447C-9DE0-51B652C86108}",
"event_source_name": "",
"event_id": 9649,
"version": 0,
"level": 4,
"task": 9648,
"opcode": 2,
"keywords": 2305843009280868352,
"time_created": "2026-05-29T16:34:25.4113033+00:00",
"event_record_id": 2014,
"correlation": {},
"execution": {
"process_id": 6328,
"thread_id": 6472
},
"channel": "Microsoft-Windows-Shell-Core/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"psz": "Finalize"
},
"message": ""
}
Event ID 9650: Explorer_Startup_SerializationWaitStart
#Event ID 9651: Explorer_Startup_SerializationWaitStop
#Event ID 9652: Explorer_Startup_ParallelStepStart
#Fields #
| Name | Description |
|---|---|
psz UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ED4-E327-447C-9DE0-51B652C86108}",
"event_source_name": "",
"event_id": 9652,
"version": 0,
"level": 4,
"task": 9652,
"opcode": 1,
"keywords": 2305843009280868352,
"time_created": "2026-05-29T16:34:13.6720826+00:00",
"event_record_id": 1995,
"correlation": {},
"execution": {
"process_id": 6328,
"thread_id": 6472
},
"channel": "Microsoft-Windows-Shell-Core/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"psz": "FinalTasks"
},
"message": ""
}
Event ID 9653: Explorer_Startup_ParallelStepStop
#Fields #
| Name | Description |
|---|---|
psz UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ED4-E327-447C-9DE0-51B652C86108}",
"event_source_name": "",
"event_id": 9653,
"version": 0,
"level": 4,
"task": 9652,
"opcode": 2,
"keywords": 2305843009280868352,
"time_created": "2026-05-29T16:34:13.6784121+00:00",
"event_record_id": 1997,
"correlation": {},
"execution": {
"process_id": 6328,
"thread_id": 6472
},
"channel": "Microsoft-Windows-Shell-Core/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"psz": "DesktopFinalTasks"
},
"message": ""
}
Event ID 9662: Explorer_Roaming_BootstrapRestoreStart
#Event ID 9663: Explorer_WriteDataForOEMAppStart
#Event ID 9664: Explorer_WriteDataForOEMAppStop
#Event ID 9665: Explorer_WriteDataForOEMApp_ShellTaskStart
#Event ID 9666: Explorer_WriteDataForOEMApp_ShellTaskStop
#Event ID 9699: Explorer_Startup_InitializeDesktopStop
#Event ID 9701: Explorer_ProcessRunOnceExStart
#Event ID 9702: Explorer_ProcessRunOnceExStop
#Event ID 9703: RunOnce commands started.
#Description
RunOnce commands started.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "30336ED4-E327-447C-9DE0-51B652C86108",
"event_source_name": "",
"event_id": 9703,
"version": 0,
"level": 4,
"task": 9703,
"opcode": 1,
"keywords": 2305843009280868352,
"time_created": "2023-11-05T22:29:04.086498+00:00",
"event_record_id": 1725,
"correlation": {},
"execution": {
"process_id": 6020,
"thread_id": 5856
},
"channel": "Microsoft-Windows-Shell-Core/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-21-1992711665-1655669231-58201500-1000"
}
},
"event_data": {},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 9704: RunOnce commands finished.
#Description
RunOnce commands finished.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "30336ED4-E327-447C-9DE0-51B652C86108",
"event_source_name": "",
"event_id": 9704,
"version": 0,
"level": 4,
"task": 9703,
"opcode": 2,
"keywords": 2305843009280868352,
"time_created": "2023-11-05T22:29:38.761932+00:00",
"event_record_id": 1898,
"correlation": {},
"execution": {
"process_id": 6020,
"thread_id": 5856
},
"channel": "Microsoft-Windows-Shell-Core/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-21-1992711665-1655669231-58201500-1000"
}
},
"event_data": {},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 9705: Started enumeration of commands for registry key 'KeyName'.
#Description
Started enumeration of commands for registry key 'KeyName'.
Message #
Fields #
| Name | Description |
|---|---|
KeyName UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ED4-E327-447C-9DE0-51B652C86108}",
"event_source_name": "",
"event_id": 9705,
"version": 0,
"level": 4,
"task": 9705,
"opcode": 1,
"keywords": 2305843009280868352,
"time_created": "2026-05-29T16:34:25.4023661+00:00",
"event_record_id": 2008,
"correlation": {},
"execution": {
"process_id": 6328,
"thread_id": 3524
},
"channel": "Microsoft-Windows-Shell-Core/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"KeyName": "Software\\Microsoft\\Windows\\CurrentVersion\\Run"
},
"message": "Started enumeration of commands for registry key 'Software\\Microsoft\\Windows\\CurrentVersion\\Run'."
}
Event ID 9706: Finished enumeration of commands for registry key 'KeyName'.
#Description
Finished enumeration of commands for registry key 'KeyName'.
Message #
Fields #
| Name | Description |
|---|---|
KeyName UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ED4-E327-447C-9DE0-51B652C86108}",
"event_source_name": "",
"event_id": 9706,
"version": 0,
"level": 4,
"task": 9705,
"opcode": 2,
"keywords": 2305843009280868352,
"time_created": "2026-05-29T16:34:25.4023837+00:00",
"event_record_id": 2009,
"correlation": {},
"execution": {
"process_id": 6328,
"thread_id": 3524
},
"channel": "Microsoft-Windows-Shell-Core/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"KeyName": "Software\\Microsoft\\Windows\\CurrentVersion\\Run"
},
"message": "Finished enumeration of commands for registry key 'Software\\Microsoft\\Windows\\CurrentVersion\\Run'."
}
Event ID 9707: Started execution of command 'Command'.
#Description
Started execution of command 'Command'.
Message #
Fields #
| Name | Description |
|---|---|
Command UnicodeString | Full command line for the command that was executed |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ED4-E327-447C-9DE0-51B652C86108}",
"event_source_name": "",
"event_id": 9707,
"version": 0,
"level": 4,
"task": 9707,
"opcode": 1,
"keywords": 2305843009280868352,
"time_created": "2026-05-29T16:34:24.3801347+00:00",
"event_record_id": 2005,
"correlation": {},
"execution": {
"process_id": 6328,
"thread_id": 3524
},
"channel": "Microsoft-Windows-Shell-Core/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"Command": "set-bg.ps1\""
},
"message": "Started execution of command 'set-bg.ps1\"'."
}
References #
- Windows Forensic Artifacts https://github.com/Psmths/windows-forensic-artifacts/blob/main/execution/evtx-9707-shell-core.md
Event ID 9708: Finished execution of command 'Command' (PID PID).
#Description
Finished execution of command 'Command' (PID PID).
Message #
Fields #
| Name | Description |
|---|---|
PID UInt32 | |
Command UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ED4-E327-447C-9DE0-51B652C86108}",
"event_source_name": "",
"event_id": 9708,
"version": 0,
"level": 4,
"task": 9707,
"opcode": 2,
"keywords": 2305843009280868352,
"time_created": "2026-05-29T16:34:25.4022529+00:00",
"event_record_id": 2006,
"correlation": {},
"execution": {
"process_id": 6328,
"thread_id": 3524
},
"channel": "Microsoft-Windows-Shell-Core/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"PID": "3256",
"Command": "set-bg.ps1\""
},
"message": "Finished execution of command 'set-bg.ps1\"' (PID 3256)."
}
Event ID 9710: Explorer_ExecutingFromRunKeyAsJobStop
#Fields #
| Name | Description |
|---|---|
PID UInt32 | |
Command UnicodeString |
Event ID 9713: Explorer_StartupAppName
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStreamRowLength UInt32 | |
SqmStreamRow Int16 |
Event ID 9716: Explorer_Startup_Run6432_Stats
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStreamRowLength UInt32 | |
SqmStreamRow Int16 |
Event ID 9717: Explorer_Startup_Run6432_Failed
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStreamRowLength UInt32 | |
SqmStreamRow Int16 |
Event ID 9801: Explorer_MinimizeAllThread
#Event ID 9802: Explorer_StartMenu_RunDialogStart
#Event ID 9803: Explorer_StartMenu_RunDialogStop
#Event ID 9804: Explorer_StartMenu_AppTile_Hover
#Event ID 9805: Explorer_DestinationList_Close
#Event ID 9806: Explorer_DestinationList_Launch
#Event ID 9808: EXPLORER_NAVIGATE
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStreamRowLength UInt32 | |
SqmStreamRow Int16 |
Event ID 9810: EXPLORER_DRAG_DROP
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStreamRowLength UInt32 | |
SqmStreamRow Int16 |
Event ID 9811: Explorer_PinDefaultItems_RetrievePidlFailure
#Fields #
| Name | Description |
|---|---|
AppID UnicodeString | |
HRESULT UInt32 |
Event ID 9901: SearchFolder_StartMenu_BaseQueryStart
#Event ID 9902: SearchFolder_StartMenu_BaseQueryStop
#Event ID 9903: ExplorerFrame_FirstPage_RealizeGroupPass1Start
#Fields #
| Name | Description |
|---|---|
psz UnicodeString |
Event ID 9904: ExplorerFrame_FirstPage_RealizeGroupPass1Stop
#Fields #
| Name | Description |
|---|---|
psz UnicodeString |
Event ID 9905: ExplorerFrame_FirstPage_RealizeGroupPass2Start
#Fields #
| Name | Description |
|---|---|
psz UnicodeString |
Event ID 9906: ExplorerFrame_FirstPage_RealizeGroupPass2Stop
#Fields #
| Name | Description |
|---|---|
psz UnicodeString |
Event ID 9909: SearchFolder_CreateItemCollectionStart
#Event ID 9911: Shell32_ObservableCollection_OnCollectionChanged
#Event ID 9912: Shell32_ObservableCollection_OnGetCountDone
#Event ID 9913: Shell32_ObservableCollection_OnPrepareDone
#Event ID 9914: Shell32_ObservableCollection_OnItemsAdded
#Event ID 9915: Shell32_ObservableCollection_OnItemsDeleted
#Event ID 9916: Shell32_ObservableCollection_OnItemMoved
#Event ID 9917: Shell32_ObservableCollection_OnItemTranslated
#Event ID 9918: Shell32_ObservableCollection_OnUniqueLeafCountChanged
#Event ID 9919: Shell32_ObservableCollection_OnCancelled
#Event ID 10001: ExplorerTemplates_ChangeNotifyStart
#Event ID 10002: ExplorerTemplates_ChangeNotifyStop
#Event ID 11001: FilterControl_ApplyingFilter
#Event ID 11003: FilterControl_PopulateFiltersStart
#Event ID 11004: FilterControl_PopulateFiltersStop
#Event ID 11005: FilterControl_ShowStart
#Event ID 11006: FilterControl_ShowStop
#Event ID 11007: FilterControl_UserCheckedFilter
#Event ID 11009: FilterControl_InsertFiltersStart
#Event ID 11010: FilterControl_InsertFiltersStop
#Event ID 11015: ListViewPopup_SizeToContentStart
#Event ID 11016: ListViewPopup_SizeToContentStop
#Event ID 11017: FilterControl_Stack
#Event ID 12001: Shlwapi_SHRegisterValidateTemplate
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStreamRowLength UInt32 | |
SqmStreamRow Int16 |
Event ID 12101: Shlwapi_SHGetSignatureInfoStart
#Event ID 12102: Shlwapi_SHGetSignatureInfoStop
#Event ID 12103: Shlwapi_SHGetSignatureInfo_AuthenticodeStart
#Event ID 12104: Shlwapi_SHGetSignatureInfo_AuthenticodeStop
#Event ID 12105: Shlwapi_SHGetSignatureInfo_CatalogStart
#Event ID 12106: Shlwapi_SHGetSignatureInfo_CatalogStop
#Event ID 12107: Shlwapi_SHGetSignatureInfo_WinVerifyTrustStart
#Event ID 12108: Shlwapi_SHGetSignatureInfo_WinVerifyTrustStop
#Event ID 12109: Shlwapi_SHGetSignatureInfo_VersionInfoStart
#Event ID 12110: Shlwapi_SHGetSignatureInfo_VersionInfoStop
#Event ID 12111: Shlwapi_SHGetSignatureInfo_OSCheckStart
#Event ID 12112: Shlwapi_SHGetSignatureInfo_OSCheckStop
#Event ID 12113: Shlwapi_SHGetSignatureInfo_CheckChainToMSRootStart
#Event ID 12114: Shlwapi_SHGetSignatureInfo_CheckChainToMSRootStop
#Event ID 13001: NamespaceControl_ChangeNotifyStart
#Event ID 13002: NamespaceControl_ChangeNotifyStop
#Event ID 13003: NamespaceControl_ExpandStart
#Event ID 13004: NamespaceControl_ExpandStop
#Event ID 13005: NamespaceControl_Plus_CalculationStart
#Event ID 13006: NamespaceControl_Plus_CalculationStop
#Event ID 13007: NamespaceControl_RenderingStart
#Event ID 13008: NamespaceControl_RenderingStop
#Event ID 13101: Feed_SearchStart
#Event ID 13102: Feed_SearchStop
#Event ID 13501: Notification_UserDismissStart
#Event ID 13502: Notification_UserDismissStop
#Event ID 13503: Notification_Launch
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 13505: Notification_Displayed
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 13507: Notification_While_Busy
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 13509: Notification_While_Inactive
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 13511: Notification_Dismissed
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 13513: Notification_TimedOut
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 13515: Notification_Settings
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 13517: Notification_WrenchDismissed
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStreamRowLength UInt32 | |
SqmStreamRow Int16 |
Event ID 14001: PreviewPane_CommitChangeStart
#Event ID 14002: PreviewPane_CommitChangeStop
#Event ID 14003: PreviewPane_UpdateSelectionStart
#Event ID 14005: PreviewPane_MetadataExtractorDoWorkStart
#Event ID 14006: PreviewPane_MetadataExtractorDoWorkStop
#Event ID 14007: PreviewPane_MetadataExtractorDispatchStart
#Event ID 14008: PreviewPane_MetadataExtractorDispatchStop
#Event ID 14009: PreviewPane_SQM
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStreamRowLength UInt32 | |
SqmStreamRow Int16 |
Event ID 14101: StatusBarModule_GetPropertiesWorkItemDoWorkStart
#Event ID 14102: StatusBarModule_GetPropertiesWorkItemDoWorkStop
#Event ID 14103: StatusBarModule_GetPropertiesWorkItemDispatchStart
#Event ID 14104: StatusBarModule_GetPropertiesWorkItemDispatchStop
#Event ID 14215: TypeAhead_SearchHistoryStoreStart
#Event ID 14216: TypeAhead_SearchHistoryStoreStop
#Event ID 14217: TypeAhead_SearchHistoryCleared
#Event ID 14219: TypeAhead_CancelQuery
#Event ID 14501: Properties_BaseControl_CreateStart
#Event ID 14502: Properties_BaseControl_CreateStop
#Event ID 14503: Properties_BaseControl_WindowlessDrawStart
#Event ID 14504: Properties_BaseControl_WindowlessDrawStop
#Event ID 14505: Properties_CalendarControl_CreateStart
#Event ID 14506: Properties_CalendarControl_CreateStop
#Event ID 14507: Properties_CalendarControl_GetValueStart
#Event ID 14508: Properties_CalendarControl_GetValueStop
#Event ID 14509: Properties_CalendarControl_SetValueStart
#Event ID 14510: Properties_CalendarControl_SetValueStop
#Event ID 14511: Properties_DrawPercentFull_WindowlessDrawStart
#Event ID 14512: Properties_DrawPercentFull_WindowlessDrawStop
#Event ID 14513: Properties_DrawProgressBar_WindowlessDrawStart
#Event ID 14514: Properties_DrawProgressBar_WindowlessDrawStop
#Event ID 14515: Properties_DropListControl_CreateStart
#Event ID 14516: Properties_DropListControl_CreateStop
#Event ID 14517: Properties_DropListControl_GetValueStart
#Event ID 14518: Properties_DropListControl_GetValueStop
#Event ID 14519: Properties_DropListControl_SetValueStart
#Event ID 14520: Properties_DropListControl_SetValueStop
#Event ID 14521: Properties_MVPControl_CreateStart
#Event ID 14522: Properties_MVPControl_CreateStop
#Event ID 14523: Properties_MVPControl_GetValueStart
#Event ID 14524: Properties_MVPControl_GetValueStop
#Event ID 14525: Properties_MVPControl_SetValueStart
#Event ID 14526: Properties_MVPControl_SetValueStop
#Event ID 14527: Properties_MVPControl_WindowlessDrawStart
#Event ID 14528: Properties_MVPControl_WindowlessDrawStop
#Event ID 14529: Properties_MultiLineEditControl_CreateStart
#Event ID 14530: Properties_MultiLineEditControl_CreateStop
#Event ID 14531: Properties_MultiLineEditControl_GetValueStart
#Event ID 14532: Properties_MultiLineEditControl_GetValueStop
#Event ID 14533: Properties_MultiLineEditControl_SetValueStart
#Event ID 14534: Properties_MultiLineEditControl_SetValueStop
#Event ID 14535: Properties_NavDropDownControl_CreateStart
#Event ID 14536: Properties_NavDropDownControl_CreateStop
#Event ID 14537: Properties_NavDropDownControl_GetValueStart
#Event ID 14538: Properties_NavDropDownControl_GetValueStop
#Event ID 14539: Properties_NavDropDownControl_SetValueStart
#Event ID 14540: Properties_NavDropDownControl_SetValueStop
#Event ID 14541: Properties_RatingsControl_CreateStart
#Event ID 14542: Properties_RatingsControl_CreateStop
#Event ID 14543: Properties_RatingsControl_GetValueStart
#Event ID 14544: Properties_RatingsControl_GetValueStop
#Event ID 14545: Properties_RatingsControl_SetValueStart
#Event ID 14546: Properties_RatingsControl_SetValueStop
#Event ID 14547: Properties_RatingsControl_WindowlessDrawStart
#Event ID 14548: Properties_RatingsControl_WindowlessDrawStop
#Event ID 14549: Properties_SingleLineEditControl_CreateStart
#Event ID 14550: Properties_SingleLineEditControl_CreateStop
#Event ID 14551: Properties_SingleLineEditControl_GetValueStart
#Event ID 14552: Properties_SingleLineEditControl_GetValueStop
#Event ID 14553: Properties_SingleLineEditControl_SetValueStart
#Event ID 14554: Properties_SingleLineEditControl_SetValueStop
#Event ID 14555: Properties_MultiComplete_PopulateStart
#Event ID 14556: Properties_MultiComplete_PopulateStop
#Event ID 14557: Properties_MultiComplete_QueryStart
#Event ID 14558: Properties_MultiComplete_QueryStop
#Event ID 14559: Properties_MultiComplete_MatchStart
#Event ID 14560: Properties_MultiComplete_MatchStop
#Event ID 14561: Properties_PropVariantChangeType_Coercion
#Fields #
| Name | Description |
|---|---|
VARTYPEFrom UInt16 | |
VARTYPETo UInt16 | |
HRESULT UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "14561",
"version": "0",
"level": "4",
"task": "14561",
"opcode": "0",
"keywords": 9223372036854906880,
"time_created": "2026-03-15T04:20:38.358171500+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "4164"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"VARTYPEFrom": "8",
"VARTYPETo": "31",
"HRESULT": " 0"
},
"message": ""
}
Event ID 14563: Properties_PropVariantHelper_Coercion
#Fields #
| Name | Description |
|---|---|
VARTYPEFrom UInt16 | |
VARTYPETo UInt16 | |
HRESULT UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "14563",
"version": "0",
"level": "4",
"task": "14563",
"opcode": "0",
"keywords": 9223372036854906880,
"time_created": "2026-03-15T04:20:38.304818400+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "8552"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"VARTYPEFrom": "8",
"VARTYPETo": "72",
"HRESULT": " 0"
},
"message": ""
}
Event ID 14564: Properties_VariantHelper_Coercion
#Fields #
| Name | Description |
|---|---|
VARTYPEFrom UInt16 | |
VARTYPETo UInt16 | |
HRESULT UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "14564",
"version": "0",
"level": "4",
"task": "14565",
"opcode": "0",
"keywords": 9223372036854906880,
"time_created": "2026-03-15T04:21:14.994735200+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "13880"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"VARTYPEFrom": "8",
"VARTYPETo": "72",
"HRESULT": " 0"
},
"message": ""
}
Event ID 15001: PropertyApply_DoOperationStart
#Event ID 15002: PropertyApply_DoOperationStop
#Event ID 15003: PropertyApply_SHApplyPropertiesToItemStart
#Event ID 15004: PropertyApply_SHApplyPropertiesToItemStop
#Event ID 15501: PropertyDescription_FormatForDisplayStart
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "15501",
"version": "0",
"level": "4",
"task": "15501",
"opcode": "1",
"keywords": 9223372036854906880,
"time_created": "2026-03-15T04:20:38.397443500+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "8552"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 15502: PropertyDescription_FormatForDisplayStop
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "15502",
"version": "0",
"level": "4",
"task": "15501",
"opcode": "2",
"keywords": 9223372036854906880,
"time_created": "2026-03-15T04:20:38.397448000+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "8552"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 15503: PropertyDescription_SHFormatForDisplayStart
#Fields #
| Name | Description |
|---|---|
FMTID GUID | |
PID UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "15503",
"version": "0",
"level": "4",
"task": "15503",
"opcode": "1",
"keywords": 9223372036854906880,
"time_created": "2026-03-15T04:20:38.397440300+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "8552"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"FMTID": "{b725f130-47ef-101a-a5f1-02608c9eebac}",
"PID": " 10"
},
"message": ""
}
Event ID 15504: PropertyDescription_SHFormatForDisplayStop
#Fields #
| Name | Description |
|---|---|
FMTID GUID | |
PID UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "15504",
"version": "0",
"level": "4",
"task": "15503",
"opcode": "2",
"keywords": 9223372036854906880,
"time_created": "2026-03-15T04:20:38.397448500+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "8552"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"FMTID": "{b725f130-47ef-101a-a5f1-02608c9eebac}",
"PID": " 10"
},
"message": ""
}
Event ID 15505: PropertyDescription_SHGetPropertyDescriptionStart
#Fields #
| Name | Description |
|---|---|
FMTID GUID | |
PID UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "15505",
"version": "0",
"level": "4",
"task": "15505",
"opcode": "1",
"keywords": 9223372036854906880,
"time_created": "2026-03-15T04:20:18.461203300+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "4760"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"FMTID": "{9f4c2855-9f79-4b39-a8d0-e1d42de1d5f3}",
"PID": " 3"
},
"message": ""
}
Event ID 15506: PropertyDescription_SHGetPropertyDescriptionStop
#Fields #
| Name | Description |
|---|---|
FMTID GUID | |
PID UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "15506",
"version": "0",
"level": "4",
"task": "15505",
"opcode": "2",
"keywords": 9223372036854906880,
"time_created": "2026-03-15T04:20:18.461208500+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "4760"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"FMTID": "{9f4c2855-9f79-4b39-a8d0-e1d42de1d5f3}",
"PID": " 3"
},
"message": ""
}
Event ID 15507: PropertyDescription_SHGetPropertyDescriptionByNameStart
#Fields #
| Name | Description |
|---|---|
CanonicalName UnicodeString |
Event ID 15508: PropertyDescription_SHGetPropertyDescriptionByNameStop
#Fields #
| Name | Description |
|---|---|
CanonicalName UnicodeString |
Event ID 15509: PropertyDescription_SHGetPropertyDescriptionListFromStringStart
#Event ID 15510: PropertyDescription_SHGetPropertyDescriptionListFromStringStop
#Event ID 15511: PropertyDescription_CoerceToCanonicalValueStart
#Fields #
| Name | Description |
|---|---|
FMTID GUID | |
PID UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "15511",
"version": "0",
"level": "4",
"task": "15511",
"opcode": "1",
"keywords": 9223372036854906880,
"time_created": "2026-03-15T04:20:38.358169000+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "4164"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"FMTID": "{41cf5ae0-f75a-4806-bd87-59c7d9248eb9}",
"PID": " 100"
},
"message": ""
}
Event ID 15512: PropertyDescription_CoerceToCanonicalValueStop
#Fields #
| Name | Description |
|---|---|
FMTID GUID | |
PID UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "15512",
"version": "0",
"level": "4",
"task": "15511",
"opcode": "2",
"keywords": 9223372036854906880,
"time_created": "2026-03-15T04:20:38.358173200+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "4164"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"FMTID": "{41cf5ae0-f75a-4806-bd87-59c7d9248eb9}",
"PID": " 100"
},
"message": ""
}
Event ID 15513: PropertyDescription_IsValueCanonicalStart
#Fields #
| Name | Description |
|---|---|
FMTID GUID | |
PID UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "15513",
"version": "0",
"level": "4",
"task": "15513",
"opcode": "1",
"keywords": 9223372036854906880,
"time_created": "2026-03-15T04:20:38.362688800+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "5416"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"FMTID": "{32bcb03c-7f34-4e3f-bbb2-ebe63629f5e4}",
"PID": " 100"
},
"message": ""
}
Event ID 15514: PropertyDescription_IsValueCanonicalStop
#Fields #
| Name | Description |
|---|---|
FMTID GUID | |
PID UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "15514",
"version": "0",
"level": "4",
"task": "15513",
"opcode": "2",
"keywords": 9223372036854906880,
"time_created": "2026-03-15T04:20:38.362689700+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "5416"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"FMTID": "{32bcb03c-7f34-4e3f-bbb2-ebe63629f5e4}",
"PID": " 100"
},
"message": ""
}
Event ID 15515: PropertySchema_LoadFromSavedBinaryFormStart
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "15515",
"version": "0",
"level": "4",
"task": "15515",
"opcode": "1",
"keywords": 9223372036854906880,
"time_created": "2026-03-15T04:22:59.123831800+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "9500",
"thread_id": "11152"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 15516: PropertySchema_LoadFromSavedBinaryFormStop
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "15516",
"version": "0",
"level": "4",
"task": "15515",
"opcode": "2",
"keywords": 9223372036854906880,
"time_created": "2026-03-15T04:22:59.123833300+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "9500",
"thread_id": "11152"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 15517: PropertySchema_SaveAsBinaryFormStart
#Event ID 15518: PropertySchema_SaveAsBinaryFormStop
#Event ID 15519: SemanticType_PSGetSemanticTypeByNameStart
#Fields #
| Name | Description |
|---|---|
CanonicalName UnicodeString |
Event ID 15520: SemanticType_PSGetSemanticTypeByNameStop
#Fields #
| Name | Description |
|---|---|
CanonicalName UnicodeString |
Event ID 16501: PropertyProvider_CommitStart
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "16501",
"version": "0",
"level": "4",
"task": "16501",
"opcode": "1",
"keywords": 9223372036854906880,
"time_created": "2026-03-15T04:22:59.123848800+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "9500",
"thread_id": "11152"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 16502: PropertyProvider_CommitStop
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "16502",
"version": "0",
"level": "4",
"task": "16501",
"opcode": "2",
"keywords": 9223372036854906880,
"time_created": "2026-03-15T04:22:59.124672400+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "9500",
"thread_id": "11152"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 16503: PropertyProvider_GetValueStart
#Fields #
| Name | Description |
|---|---|
FMTID GUID | |
PID UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "16503",
"version": "0",
"level": "4",
"task": "16503",
"opcode": "1",
"keywords": 9223372036854906880,
"time_created": "2026-03-15T04:20:38.358148500+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "4164"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"FMTID": "{41cf5ae0-f75a-4806-bd87-59c7d9248eb9}",
"PID": " 100"
},
"message": ""
}
Event ID 16504: PropertyProvider_GetValueStop
#Fields #
| Name | Description |
|---|---|
FMTID GUID | |
PID UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "16504",
"version": "0",
"level": "4",
"task": "16503",
"opcode": "2",
"keywords": 9223372036854906880,
"time_created": "2026-03-15T04:20:38.358173700+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "4164"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"FMTID": "{41cf5ae0-f75a-4806-bd87-59c7d9248eb9}",
"PID": " 100"
},
"message": ""
}
Event ID 16507: PropertyProvider_SetValueStart
#Fields #
| Name | Description |
|---|---|
FMTID GUID | |
PID UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "16507",
"version": "0",
"level": "4",
"task": "16507",
"opcode": "1",
"keywords": 9223372036854906880,
"time_created": "2026-03-15T04:20:38.362684000+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "5416"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"FMTID": "{32bcb03c-7f34-4e3f-bbb2-ebe63629f5e4}",
"PID": " 100"
},
"message": ""
}
Event ID 16508: PropertyProvider_SetValueStop
#Fields #
| Name | Description |
|---|---|
FMTID GUID | |
PID UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "16508",
"version": "0",
"level": "4",
"task": "16507",
"opcode": "2",
"keywords": 9223372036854906880,
"time_created": "2026-03-15T04:20:38.362691800+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "5416"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"FMTID": "{32bcb03c-7f34-4e3f-bbb2-ebe63629f5e4}",
"PID": " 100"
},
"message": ""
}
Event ID 16509: PropertyStoreOverPropertySetStorage_GetValueStart
#Event ID 16510: PropertyStoreOverPropertySetStorage_GetValueStop
#Event ID 16511: PropertyStoreOverPropertySetStorage_SetValueStart
#Fields #
| Name | Description |
|---|---|
FMTID GUID | |
PID UInt32 |
Event ID 16512: PropertyStoreOverPropertySetStorage_SetValueStop
#Fields #
| Name | Description |
|---|---|
FMTID GUID | |
PID UInt32 |
Event ID 16513: PropertyStoreOverPropertySetStorage_CommitStart
#Event ID 16514: PropertyStoreOverPropertySetStorage_CommitStop
#Event ID 16600: FilePropertyStoreFactory_GetPropertyHandlerStart
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "16600",
"version": "0",
"level": "4",
"task": "16600",
"opcode": "1",
"keywords": 9223372036854906880,
"time_created": "2026-03-16T00:23:22.277790300+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "1452",
"thread_id": "9352"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 16601: FilePropertyStoreFactory_GetPropertyHandlerStop
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "16601",
"version": "0",
"level": "4",
"task": "16600",
"opcode": "2",
"keywords": 9223372036854906880,
"time_created": "2026-03-16T00:23:22.455705100+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "1452",
"thread_id": "9352"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 16602: FilePropertyStoreFactory_GetInnateStoreStart
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "16602",
"version": "0",
"level": "4",
"task": "16602",
"opcode": "1",
"keywords": 9223372036854906880,
"time_created": "2026-03-15T04:20:38.358126500+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "4164"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 16603: FilePropertyStoreFactory_GetInnateStoreStop
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "16603",
"version": "0",
"level": "4",
"task": "16602",
"opcode": "2",
"keywords": 9223372036854906880,
"time_created": "2026-03-15T04:20:38.358130400+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "4164"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 16604: FilePropertyStoreFactory_GetFallbackStoreStart
#Event ID 16605: FilePropertyStoreFactory_GetFallbackStoreStop
#Event ID 16606: FilePropertyStoreFactory_GetDesktopIniStoreStart
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "16606",
"version": "0",
"level": "4",
"task": "16606",
"opcode": "1",
"keywords": 9223372036854906880,
"time_created": "2026-03-16T00:23:22.277805100+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "1452",
"thread_id": "9352"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 16607: FilePropertyStoreFactory_GetDesktopIniStoreStop
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "16607",
"version": "0",
"level": "4",
"task": "16606",
"opcode": "2",
"keywords": 9223372036854906880,
"time_created": "2026-03-16T00:23:22.277819000+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "1452",
"thread_id": "9352"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 16608: FileFolderInnateStore_GetValueStart
#Fields #
| Name | Description |
|---|---|
FMTID GUID | |
PID UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "16608",
"version": "0",
"level": "4",
"task": "16608",
"opcode": "1",
"keywords": 9223372036854906880,
"time_created": "2026-03-15T04:20:38.358159100+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "4164"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"FMTID": "{41cf5ae0-f75a-4806-bd87-59c7d9248eb9}",
"PID": " 100"
},
"message": ""
}
Event ID 16609: FileFolderInnateStore_GetValueStop
#Fields #
| Name | Description |
|---|---|
FMTID GUID | |
PID UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "16609",
"version": "0",
"level": "4",
"task": "16608",
"opcode": "2",
"keywords": 9223372036854906880,
"time_created": "2026-03-15T04:20:38.358162800+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "4164"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"FMTID": "{41cf5ae0-f75a-4806-bd87-59c7d9248eb9}",
"PID": " 100"
},
"message": ""
}
Event ID 16610: FileFolderInnateStore_GetCountStart
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "16610",
"version": "0",
"level": "4",
"task": "16610",
"opcode": "1",
"keywords": 9223372036854906880,
"time_created": "2026-03-16T00:21:39.172229400+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "5680",
"thread_id": "11856"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 16611: FileFolderInnateStore_GetCountStop
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "16611",
"version": "0",
"level": "4",
"task": "16610",
"opcode": "2",
"keywords": 9223372036854906880,
"time_created": "2026-03-16T00:21:39.172245400+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "5680",
"thread_id": "11856"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 16612: FileFolderInnateStore_GetAtStart
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "16612",
"version": "0",
"level": "4",
"task": "16612",
"opcode": "1",
"keywords": 9223372036854906880,
"time_created": "2026-03-16T00:21:39.172261200+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "5680",
"thread_id": "11856"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 16613: FileFolderInnateStore_GetAtStop
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "16613",
"version": "0",
"level": "4",
"task": "16612",
"opcode": "2",
"keywords": 9223372036854906880,
"time_created": "2026-03-16T00:21:39.172279700+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "5680",
"thread_id": "11856"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 16616: FileFolderFallbackStore_GetCountStart
#Event ID 16617: FileFolderFallbackStore_GetCountStop
#Event ID 16618: FileFolderFallbackStore_GetAtStart
#Event ID 16619: FileFolderFallbackStore_GetAtStop
#Event ID 16620: FilePropertyStoreFactory_GetPropertyHandler
#Fields #
| Name | Description |
|---|---|
FMTID GUID | |
PID UInt32 |
Event ID 16700: ShellItem_GetPropertyStoreStart
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "16700",
"version": "0",
"level": "4",
"task": "16700",
"opcode": "1",
"keywords": 9223372036854906880,
"time_created": "2026-03-15T04:20:38.358263800+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "4164"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 16701: ShellItem_GetPropertyStoreStop
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "16701",
"version": "0",
"level": "4",
"task": "16700",
"opcode": "2",
"keywords": 9223372036854906880,
"time_created": "2026-03-15T04:20:38.358357700+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "4164"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 16702: ShellItem_GetPropertyStoreForKeysStart
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "16702",
"version": "0",
"level": "4",
"task": "16702",
"opcode": "1",
"keywords": 9223372036854906880,
"time_created": "2026-03-15T04:20:38.358066600+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "4164"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 16703: ShellItem_GetPropertyStoreForKeysStop
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "16703",
"version": "0",
"level": "4",
"task": "16702",
"opcode": "2",
"keywords": 9223372036854906880,
"time_created": "2026-03-15T04:20:38.358147300+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "4164"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 16704: ShellItem_GetPropertyStoreWithCreateObjectStart
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "16704",
"version": "0",
"level": "4",
"task": "16704",
"opcode": "1",
"keywords": 9223372036854906880,
"time_created": "2026-03-16T00:21:39.099905900+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "5680",
"thread_id": "11856"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 16705: ShellItem_GetPropertyStoreWithCreateObjectStop
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "16705",
"version": "0",
"level": "4",
"task": "16704",
"opcode": "2",
"keywords": 9223372036854906880,
"time_created": "2026-03-16T00:21:39.171889800+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "5680",
"thread_id": "11856"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 16706: ShellItem_GetPropertyDescriptionListStart
#Event ID 16707: ShellItem_GetPropertyDescriptionListStop
#Event ID 16708: ShellItem_CreatePropertyProviderHelperStart
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "16708",
"version": "0",
"level": "4",
"task": "16708",
"opcode": "1",
"keywords": 9223372036854906880,
"time_created": "2026-03-15T04:20:38.358133900+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "4164"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 16709: ShellItem_CreatePropertyProviderHelperStop
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "16709",
"version": "0",
"level": "4",
"task": "16708",
"opcode": "2",
"keywords": 9223372036854906880,
"time_created": "2026-03-15T04:20:38.358146400+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "4164"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 16710: ShellItemArray_GetPropertyStoreStart
#Event ID 16711: ShellItemArray_GetPropertyStoreStop
#Event ID 16712: ShellItemArray_GetPropertyDescriptionListStart
#Event ID 16713: ShellItemArray_GetPropertyDescriptionListStop
#Event ID 16714: CachedShellItem_GetPropertyStoreStart
#Event ID 16715: CachedShellItem_GetPropertyStoreStop
#Event ID 16716: ItemFallbackStore_GetValueStart
#Fields #
| Name | Description |
|---|---|
FMTID GUID | |
PID UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "16716",
"version": "0",
"level": "4",
"task": "16716",
"opcode": "1",
"keywords": 9223372036854906880,
"time_created": "2026-03-15T04:20:38.360917200+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "4164"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"FMTID": "{9b174b35-40ff-11d2-a27e-00c04fc30871}",
"PID": " 10"
},
"message": ""
}
Event ID 16717: ItemFallbackStore_GetValueStop
#Fields #
| Name | Description |
|---|---|
FMTID GUID | |
PID UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "16717",
"version": "0",
"level": "4",
"task": "16716",
"opcode": "2",
"keywords": 9223372036854906880,
"time_created": "2026-03-15T04:20:38.360918600+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "4164"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"FMTID": "{9b174b35-40ff-11d2-a27e-00c04fc30871}",
"PID": " 10"
},
"message": ""
}
Event ID 16718: ItemFallbackStore_GetCountStart
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "16718",
"version": "0",
"level": "4",
"task": "16718",
"opcode": "1",
"keywords": 9223372036854906880,
"time_created": "2026-03-16T00:21:39.173847300+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "5680",
"thread_id": "11856"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 16719: ItemFallbackStore_GetCountStop
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "16719",
"version": "0",
"level": "4",
"task": "16718",
"opcode": "2",
"keywords": 9223372036854906880,
"time_created": "2026-03-16T00:21:39.199083000+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "5680",
"thread_id": "11856"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 16720: ItemFallbackStore_GetAtStart
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "16720",
"version": "0",
"level": "4",
"task": "16720",
"opcode": "1",
"keywords": 9223372036854906880,
"time_created": "2026-03-16T00:21:39.199113800+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "5680",
"thread_id": "11856"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 16721: ItemFallbackStore_GetAtStop
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "16721",
"version": "0",
"level": "4",
"task": "16720",
"opcode": "2",
"keywords": 9223372036854906880,
"time_created": "2026-03-16T00:21:39.199126900+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "5680",
"thread_id": "11856"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 16722: ItemStoreOverFolder_GetValueStart
#Fields #
| Name | Description |
|---|---|
FMTID GUID | |
PID UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "16722",
"version": "0",
"level": "4",
"task": "16722",
"opcode": "1",
"keywords": 9223372036854906880,
"time_created": "2026-03-15T04:20:38.358150300+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "4164"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"FMTID": "{41cf5ae0-f75a-4806-bd87-59c7d9248eb9}",
"PID": " 100"
},
"message": ""
}
Event ID 16723: ItemStoreOverFolder_GetValueStop
#Fields #
| Name | Description |
|---|---|
FMTID GUID | |
PID UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "16723",
"version": "0",
"level": "4",
"task": "16722",
"opcode": "2",
"keywords": 9223372036854906880,
"time_created": "2026-03-15T04:20:38.358151500+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "4164"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"FMTID": "{41cf5ae0-f75a-4806-bd87-59c7d9248eb9}",
"PID": " 100"
},
"message": ""
}
Event ID 16724: ItemStoreOverFolder_GetValueFromDetailsExStart
#Fields #
| Name | Description |
|---|---|
FMTID GUID | |
PID UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "16724",
"version": "0",
"level": "4",
"task": "16724",
"opcode": "1",
"keywords": 9223372036854906880,
"time_created": "2026-03-15T04:20:38.360195000+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "4164"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"FMTID": "{9b174b35-40ff-11d2-a27e-00c04fc30871}",
"PID": " 10"
},
"message": ""
}
Event ID 16725: ItemStoreOverFolder_GetValueFromDetailsExStop
#Fields #
| Name | Description |
|---|---|
FMTID GUID | |
PID UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "16725",
"version": "0",
"level": "4",
"task": "16724",
"opcode": "2",
"keywords": 9223372036854906880,
"time_created": "2026-03-15T04:20:38.360371200+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "4164"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"FMTID": "{b2f9b9d6-fec4-4dd5-94d7-8957488c807b}",
"PID": " 2"
},
"message": ""
}
Event ID 16726: ItemStoreOverFolder_GetCountStart
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "16726",
"version": "0",
"level": "4",
"task": "16726",
"opcode": "1",
"keywords": 9223372036854906880,
"time_created": "2026-03-16T00:21:39.172072600+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "5680",
"thread_id": "11856"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 16727: ItemStoreOverFolder_GetCountStop
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "16727",
"version": "0",
"level": "4",
"task": "16726",
"opcode": "2",
"keywords": 9223372036854906880,
"time_created": "2026-03-16T00:21:39.172086200+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "5680",
"thread_id": "11856"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 16728: ItemStoreOverFolder_GetAtStart
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "16728",
"version": "0",
"level": "4",
"task": "16728",
"opcode": "1",
"keywords": 9223372036854906880,
"time_created": "2026-03-16T00:21:39.172099800+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "5680",
"thread_id": "11856"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 16729: ItemStoreOverFolder_GetAtStop
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "16729",
"version": "0",
"level": "4",
"task": "16728",
"opcode": "2",
"keywords": 9223372036854906880,
"time_created": "2026-03-16T00:21:39.172112200+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "5680",
"thread_id": "11856"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 16801: Library_SQM_CreateLibrary
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 16803: Library_SQM_AddFolderStart
#Event ID 16804: Library_SQM_AddFolderStop
#Event ID 16805: Library_Location_Count
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStreamRowLength UInt32 | |
SqmStreamRow Int16 |
Event ID 16807: Library_InUsersRoot_Count
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 16809: Library_Save_Location
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStreamRowLength UInt32 | |
SqmStreamRow Int16 |
Event ID 16811: Library_Add_Location
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStreamRowLength UInt32 | |
SqmStreamRow Int16 |
Event ID 16813: Library_Remove_Location
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStreamRowLength UInt32 | |
SqmStreamRow Int16 |
Event ID 16815: Library_Has_Reordered_Locations
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStreamRowLength UInt32 | |
SqmStreamRow Int16 |
Event ID 16817: Add_Library_Location_EntryPoint
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 16901: PHLocationCreator_ScanSearchRootsStart
#Event ID 16902: PHLocationCreator_ScanSearchRootsStop
#Event ID 16903: PHLocationCreator_CreateSearchRootLocationsStart
#Event ID 16904: PHLocationCreator_CreateSearchRootLocationsStop
#Event ID 16905: PHLocationCreator_RemoveSearchRootLocationsStart
#Event ID 16906: PHLocationCreator_RemoveSearchRootLocationsStop
#Event ID 16907: PHLocationCreator_SQM_CreateLibrary
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStreamRowLength UInt32 | |
SqmStreamRow Int16 |
Event ID 17001: Scope_FlattenStart
#Event ID 17002: Scope_FlattenStop
#Event ID 17003: ScopePicker_OpenStart
#Event ID 17004: ScopePicker_OpenStop
#Event ID 17005: ScopePicker_Folders_RenderingStart
#Event ID 17006: ScopePicker_Folders_RenderingStop
#Event ID 17007: Scope_Load_From_XMLStart
#Event ID 17009: Scope_Load_From_StreamStart
#Event ID 17010: Scope_Load_From_StreamStop
#Event ID 17101: Shake_MinimizeStart
#Event ID 17103: Shake_MinimizeStop
#Event ID 17105: Shake_MinimizeWorkerStart
#Event ID 17107: Shake_MinimizeWorkerStop
#Event ID 17109: Shake_RestoreStart
#Event ID 17111: Shake_RestoreStop
#Event ID 17113: Shake_RestoreWorkerStart
#Event ID 17115: Shake_RestoreWorkerStop
#Event ID 17119: Shake_MinimizeEnabled
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 17121: Shake_DetectionCount
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 17501: ResolveUserNames_ResolveSidsStart
#Event ID 17502: ResolveUserNames_ResolveSidsStop
#Event ID 17503: ResolveUserNames_ResolveStringSidStart
#Event ID 17504: ResolveUserNames_ResolveStringSidStop
#Event ID 17505: ResolveUserNames_SHResolveUserNamesStart
#Event ID 17506: ResolveUserNames_SHResolveUserNamesStop
#Event ID 17507: ResolveUserNames_FriendlyNameLookupStart
#Event ID 17508: ResolveUserNames_FriendlyNameLookupStop
#Event ID 17509: ResolveUserNames_SingleSidToNameLookupStart
#Event ID 17510: ResolveUserNames_SingleSidToNameLookupStop
#Event ID 17511: ResolveUserNames_MultipleSidsToNamesLookupStart
#Event ID 17512: ResolveUserNames_MultipleSidsToNamesLookupStop
#Event ID 17513: ResolveUserNames_CachedFriendlyNameLookupStart
#Event ID 17514: ResolveUserNames_CachedFriendlyNameLookupStop
#Event ID 17515: GetCorrectOwnerSid_LookupStart
#Fields #
| Name | Description |
|---|---|
Success UInt32 | |
Path UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "17515",
"version": "0",
"level": "4",
"task": "17515",
"opcode": "1",
"keywords": 9223372036854906880,
"time_created": "2026-03-15T04:20:38.364128200+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "4164"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"Success": " 1",
"Path": "C:\\Users\\domainadmin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles"
},
"message": ""
}
Event ID 17516: GetCorrectOwnerSid_LookupStop
#Fields #
| Name | Description |
|---|---|
Success UInt32 | |
Path UnicodeString |
Event ID 17517: GetCorrectOwnerSid_LookupFromRegistryStart
#Event ID 17518: GetCorrectOwnerSid_LookupFromRegistryStop
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 18001: Shdocvw_BaseBrowser_DocumentComplete
#Event ID 18003: Shdocvw_BaseBrowser_ExplorerWindowReady
#Event ID 18005: Shdocvw_BaseBrowser_NavigateStart
#Event ID 18006: Shdocvw_BaseBrowser_NavigateStop
#Event ID 18007: Shdocvw_PanningTool_ScrollElementByStart
#Event ID 18008: Shdocvw_PanningTool_ScrollElementByStop
#Event ID 18009: Shdocvw_PanningTool_GetPanningPropertiesStart
#Event ID 18010: Shdocvw_PanningTool_GetPanningPropertiesStop
#Event ID 18011: Shdocvw_PanningTool_SinglePan
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 18012: Shdocvw_PanningTool_Change_PanningMode
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStreamRowLength UInt32 | |
SqmStreamRow Int16 |
Event ID 18013: Shdocvw_BaseBrowser_Explorer_Search_Query_Stream
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStreamRowLength UInt32 | |
SqmStreamRow Int16 |
Event ID 18015: ExplorerFrame_FrameFirstVisible
#Event ID 18017: ExplorerFrame_FrameFirstRedrawStart
#Event ID 18018: ExplorerFrame_FrameFirstRedrawStop
#Event ID 18501: Shell32_AutoListEditor_CommitSearch
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 18503: Shell32_AutoListEditor_Displayed
#Event ID 18505: Shell32_AutoListEditor_FillScopesStart
#Event ID 18506: Shell32_AutoListEditor_FillScopesStop
#Event ID 18507: Shell32_AutoListEditor_GetPropertyListStart
#Event ID 18508: Shell32_AutoListEditor_GetPropertyListStop
#Event ID 18509: Shell32_AutoListEditor_LaunchSearch
#Event ID 18511: Shell32_AutoPlay_IDynamicHWHandlerStart
#Event ID 18512: Shell32_AutoPlay_IDynamicHWHandlerStop
#Event ID 18513: Shell32_AutoPlay_IHWNotificationHandlerStart
#Event ID 18514: Shell32_AutoPlay_IHWNotificationHandlerStop
#Event ID 18515: Shell32_AutoPlay_IQueryCancelAutoPlayStart
#Event ID 18516: Shell32_AutoPlay_IQueryCancelAutoPlayStop
#Event ID 18517: Shell32_AutoPlay_LogicStart
#Event ID 18518: Shell32_AutoPlay_LogicStop
#Event ID 18521: Shell32_AutoPlay_SniffStart
#Event ID 18522: Shell32_AutoPlay_SniffStop
#Event ID 18524: Shell32_CDesktopBrowser_ShellReady
#Event ID 18525: Shell32_CExplorerBrowser_BrowseObjectInternalStart
#Event ID 18526: Shell32_CExplorerBrowser_BrowseObjectInternalStop
#Event ID 18527: Shell32_CFindCmd_DoSearchStart
#Event ID 18528: Shell32_CFindCmd_DoSearchStop
#Event ID 18529: Shell32_CGrepQuery_CrawlStart
#Event ID 18530: Shell32_CGrepQuery_CrawlStop
#Event ID 18531: Shell32_CommandModule_SelectionChangeStart
#Event ID 18532: Shell32_CommandModule_SelectionChangeStop
#Event ID 18533: Shell32_ControlPanel_CategoryView_InitStart
#Event ID 18534: Shell32_ControlPanel_CategoryView_InitStop
#Event ID 18535: Shell32_ControlPanel_CategoryView_LoadTasksStart
#Event ID 18536: Shell32_ControlPanel_CategoryView_LoadTasksStop
#Event ID 18537: Shell32_ControlPanel_CategoryView_SearchStart
#Event ID 18538: Shell32_ControlPanel_CategoryView_SearchStop
#Event ID 18539: Shell32_ControlPanel_NavPane_InitStart
#Event ID 18540: Shell32_ControlPanel_NavPane_InitStop
#Event ID 18541: Shell32_PinnedApplications_SQMStream
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStreamRowLength UInt32 | |
SqmStreamRow Int16 |
Event ID 18543: Shell32_AutoPlay_Proximity_SniffStart
#Event ID 18544: Shell32_AutoPlay_Proximity_SniffStop
#Event ID 18545: Shell32_DefView_LoadImageStart
#Fields #
| Name | Description |
|---|---|
FileName UnicodeString | |
ImageQualityFlags UInt32 |
Event ID 18547: Shell32_DefView_AutoSizeColumnsStart
#Event ID 18548: Shell32_DefView_AutoSizeColumnsStop
#Event ID 18549: Shell32_DefView_EnumerationStart
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "18549",
"version": "0",
"level": "4",
"task": "18549",
"opcode": "1",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:21:14.993884500+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "13880"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 18550: Shell32_DefView_EnumerationStop
#Fields #
| Name | Description |
|---|---|
Count UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "18550",
"version": "0",
"level": "4",
"task": "18549",
"opcode": "2",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:21:15.000893300+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "13880"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"Count": " 13"
},
"message": ""
}
Event ID 18551: Shell32_DefView_FilterStart
#Event ID 18552: Shell32_DefView_FilterStop
#Event ID 18553: Shell32_DefView_Filter_GenerationStart
#Event ID 18554: Shell32_DefView_Filter_GenerationStop
#Event ID 18555: Shell32_DefView_FirstBatchStart
#Event ID 18556: Shell32_DefView_FirstBatchStop
#Event ID 18557: Shell32_DefView_GroupStart
#Event ID 18558: Shell32_DefView_GroupStop
#Event ID 18559: Shell32_DefView_Initial_SortStart
#Fields #
| Name | Description |
|---|---|
LoopCount UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "18559",
"version": "0",
"level": "4",
"task": "18559",
"opcode": "1",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:21:15.000979300+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "13880"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"LoopCount": " 13"
},
"message": ""
}
Event ID 18560: Shell32_DefView_Initial_SortStop
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "18560",
"version": "0",
"level": "4",
"task": "18559",
"opcode": "2",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:21:15.001230400+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "13880"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 18561: Shell32_DefView_ListViewDone
#Fields #
| Name | Description |
|---|---|
Count UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "18561",
"version": "0",
"level": "4",
"task": "18561",
"opcode": "0",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:21:15.030524900+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "8552"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"Count": " 4"
},
"message": ""
}
Event ID 18563: Shell32_DefView_PropertiesDone
#Event ID 18565: Shell32_DefView_RightClickContextMenu
#Event ID 18567: Shell32_DefView_StackStart
#Event ID 18568: Shell32_DefView_StackStop
#Event ID 18569: Shell32_DefView_Thumbnail_ExtractStart
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "18569",
"version": "0",
"level": "4",
"task": "18569",
"opcode": "1",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:20:50.067361900+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "800"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 18570: Shell32_DefView_Thumbnail_ExtractStop
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "18570",
"version": "0",
"level": "4",
"task": "18569",
"opcode": "2",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:20:50.123063100+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "800"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 18571: Shell32_CollectionLock_GetSingleQueueItem
#Fields #
| Name | Description |
|---|---|
TaskID GUID | |
QueueItemCount Int32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "18571",
"version": "0",
"level": "4",
"task": "18571",
"opcode": "0",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:20:38.891644800+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "800"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"TaskID": "{05cdcb31-adfd-4d5a-9c4e-1a5650fe0867}",
"QueueItemCount": "0"
},
"message": ""
}
Event ID 18573: Shell32_CollectionLock_GetQueueItems
#Fields #
| Name | Description |
|---|---|
TaskID GUID | |
QueueItemCount Int32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "18573",
"version": "0",
"level": "4",
"task": "18573",
"opcode": "0",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:20:50.066811200+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "13268"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"TaskID": "{76119f10-b9e3-11d1-a7f4-006008059382}",
"QueueItemCount": "1"
},
"message": ""
}
Event ID 18575: Shell32_DefView_Thumbnail_UpdateStart
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "18575",
"version": "0",
"level": "4",
"task": "18575",
"opcode": "1",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:20:50.067220300+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "800"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 18576: Shell32_DefView_Thumbnail_UpdateStop
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "18576",
"version": "0",
"level": "4",
"task": "18575",
"opcode": "2",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:20:50.067237800+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "800"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 18577: Shell32_DefView_Thumbnail_UpdateviewStart
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "18577",
"version": "0",
"level": "4",
"task": "18577",
"opcode": "1",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:20:50.067349200+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "8552"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 18578: Shell32_DefView_Thumbnail_UpdateviewStop
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "18578",
"version": "0",
"level": "4",
"task": "18577",
"opcode": "2",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:20:50.067356700+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "8552"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 18579: Shell32_DefView_ViewModeChangeStart
#Fields #
| Name | Description |
|---|---|
Mode UInt32 | |
IconSize UInt32 |
Event ID 18580: Shell32_DefView_ViewModeChangeStop
#Fields #
| Name | Description |
|---|---|
Mode UInt32 | |
IconSize UInt32 |
Event ID 18582: Shell32_Defview_SortStop
#Event ID 18583: Shell32_GeneratingContextMenuStart
#Event ID 18584: Shell32_GeneratingContextMenuStop
#Event ID 18585: Shell32_InvokingContextMenuStart
#Event ID 18586: Shell32_InvokingContextMenuStop
#Event ID 18587: Shell32_KnownFolderManager_GetEnumKnownFoldersStart
#Event ID 18588: Shell32_KnownFolderManager_GetEnumKnownFoldersStop
#Event ID 18589: Shell32_KnownFolder_GetLocationStart
#Event ID 18590: Shell32_KnownFolder_GetLocationStop
#Event ID 18591: Shell32_KnownFolder_GetPathStart
#Event ID 18592: Shell32_KnownFolder_GetPathStop
#Event ID 18593: Shell32_KnownFolder_SetPathStart
#Event ID 18594: Shell32_KnownFolder_SetPathStop
#Event ID 18595: Shell32_List_AddStart
#Event ID 18596: Shell32_List_AddStop
#Event ID 18597: Shell32_List_EnumStart
#Event ID 18598: Shell32_List_EnumStop
#Event ID 18599: Shell32_List_RemoveStart
#Event ID 18600: Shell32_List_RemoveStop
#Event ID 18601: Shell32_MountPoint_SHHardwareEventStart
#Event ID 18602: Shell32_MountPoint_SHHardwareEventStop
#Event ID 18603: Shell32_MountPoint_SHHardwareEvent_DeviceArrivedStart
#Event ID 18604: Shell32_MountPoint_SHHardwareEvent_DeviceArrivedStop
#Event ID 18605: Shell32_MountPoint_SHHardwareEvent_DeviceRemovedStart
#Event ID 18606: Shell32_MountPoint_SHHardwareEvent_DeviceRemovedStop
#Event ID 18607: Shell32_MountPoint_SHHardwareEvent_DeviceUpdatedStart
#Event ID 18608: Shell32_MountPoint_SHHardwareEvent_DeviceUpdatedStop
#Event ID 18609: Shell32_MountPoint_SHHardwareEvent_MountPointArrivedStart
#Event ID 18610: Shell32_MountPoint_SHHardwareEvent_MountPointArrivedStop
#Event ID 18611: Shell32_MountPoint_SHHardwareEvent_MountPointRemovedStart
#Event ID 18612: Shell32_MountPoint_SHHardwareEvent_MountPointRemovedStop
#Event ID 18613: Shell32_MountPoint_SHHardwareEvent_VolumeArrivedStart
#Event ID 18614: Shell32_MountPoint_SHHardwareEvent_VolumeArrivedStop
#Event ID 18615: Shell32_MountPoint_SHHardwareEvent_VolumeDismountedStart
#Event ID 18616: Shell32_MountPoint_SHHardwareEvent_VolumeDismountedStop
#Event ID 18617: Shell32_MountPoint_SHHardwareEvent_VolumeMountedStart
#Event ID 18618: Shell32_MountPoint_SHHardwareEvent_VolumeMountedStop
#Event ID 18619: Shell32_MountPoint_SHHardwareEvent_VolumeRemovedStart
#Event ID 18620: Shell32_MountPoint_SHHardwareEvent_VolumeRemovedStop
#Event ID 18621: Shell32_MountPoint_SHHardwareEvent_VolumeUpdatedStart
#Event ID 18622: Shell32_MountPoint_SHHardwareEvent_VolumeUpdatedStop
#Event ID 18623: Shell32_MountPoint_WMDeviceChangeStart
#Event ID 18624: Shell32_MountPoint_WMDeviceChangeStop
#Event ID 18625: Shell32_MountPoint_WMDeviceChange_MediaArrivalStart
#Event ID 18626: Shell32_MountPoint_WMDeviceChange_MediaArrivalStop
#Event ID 18627: Shell32_MountPoint_WMDeviceChange_MediaRemovalStart
#Event ID 18628: Shell32_MountPoint_WMDeviceChange_MediaRemovalStop
#Event ID 18629: Shell32_MountPoint_WMDeviceChange_MountPointArrivalStart
#Event ID 18630: Shell32_MountPoint_WMDeviceChange_MountPointArrivalStop
#Event ID 18631: Shell32_MountPoint_WMDeviceChange_MountPointRemovalStart
#Event ID 18632: Shell32_MountPoint_WMDeviceChange_MountPointRemovalStop
#Event ID 18633: Shell32_MountPoint_WMDeviceChange_NetShareArrivalStart
#Event ID 18634: Shell32_MountPoint_WMDeviceChange_NetShareArrivalStop
#Event ID 18635: Shell32_MountPoint_WMDeviceChange_NetShareRemovalStart
#Event ID 18636: Shell32_MountPoint_WMDeviceChange_NetShareRemovalStop
#Event ID 18637: Shell32_PSC_Autolist_ShowStart
#Event ID 18638: Shell32_PSC_Autolist_ShowStop
#Event ID 18639: Shell32_PSC_Explorer_Template_ChangeStart
#Event ID 18640: Shell32_PSC_Explorer_Template_ChangeStop
#Event ID 18641: Shell32_SHGetFolderLocationStart
#Event ID 18642: Shell32_SHGetFolderLocationStop
#Event ID 18645: Shell32_SHGetFolderPathStart
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "18645",
"version": "0",
"level": "4",
"task": "18645",
"opcode": "1",
"keywords": 9223372036855824384,
"time_created": "2026-03-15T04:20:20.624939600+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{d73f5340-b345-000c-cd30-43d745b3dc01}"
},
"execution": {
"process_id": "14792",
"thread_id": "10916"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 18646: Shell32_SHGetFolderPathStop
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "18646",
"version": "0",
"level": "4",
"task": "18645",
"opcode": "2",
"keywords": 9223372036855824384,
"time_created": "2026-03-15T04:20:20.624951100+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{d73f5340-b345-000c-cd30-43d745b3dc01}"
},
"execution": {
"process_id": "14792",
"thread_id": "10916"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 18649: Shell32_SHSetFolderPathStart
#Event ID 18650: Shell32_SHSetFolderPathStop
#Event ID 18653: Shell32_DefView_Keydown
#Event ID 18654: Shell32_DefView_NoIShellFolder2
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStreamRowLength UInt32 | |
SqmStreamRow Int16 |
Event ID 18657: Shell32_ControlPanel_SQM_LinkClicked
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStreamRowLength UInt32 | |
SqmStreamRow Int16 |
Event ID 18658: Shell32_ControlPanel_SQM_ViewMode
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 18659: Shell32_ControlPanel_FloppyOrCD_Launch
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 18660: Shell32_ControlPanel_SQM_ViewChange
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 18663: Shell32_DefView_HighQualityStretchStart
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "18663",
"version": "0",
"level": "4",
"task": "18663",
"opcode": "1",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:20:50.123504800+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "8552"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 18664: Shell32_DefView_HighQualityStretchStop
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "18664",
"version": "0",
"level": "4",
"task": "18663",
"opcode": "2",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:20:50.123659000+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "8552"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 18665: Shell32_DefView_Scroll
#Event ID 18669: Shell32_DefView_Filtering_Clicked
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 18675: Shell32_Search_Index_Enabled
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 18676: Shell32_List_LaunchInBasket
#Event ID 18677: Shell32_ItemThumbnail_SetItemsStart
#Event ID 18678: Shell32_ItemThumbnail_SetItemsStop
#Event ID 18679: Shell32_ItemThumbnail_PrefetchStart
#Event ID 18680: Shell32_ItemThumbnail_PrefetchStop
#Event ID 18681: Shell32_ItemThumbnail_DrawStart
#Event ID 18682: Shell32_ItemThumbnail_DrawStop
#Event ID 18685: Shell32_NetFolder_ParseUNCNameStart
#Event ID 18686: Shell32_NetFolder_ParseUNCNameStop
#Event ID 18687: Shell32_NetFolder_SHWNetGetResourceInformationAllocStart
#Event ID 18688: Shell32_NetFolder_SHWNetGetResourceInformationAllocStop
#Event ID 18689: Shell32_NetFolder_WNetGetResourceParentStart
#Event ID 18690: Shell32_NetFolder_WNetGetResourceParentStop
#Event ID 18691: Shell32_NetFolder_WNetUseConnectionStart
#Event ID 18692: Shell32_NetFolder_WNetUseConnectionStop
#Event ID 18693: Shell32_DefView_Property_ExtractionStart
#Event ID 18694: Shell32_DefView_Property_ExtractionStop
#Event ID 18696: Shell32_DefView_Property_ExtractStop
#Event ID 18697: Shell32_DefView_Property_ReadAsOneBatchStart
#Event ID 18698: Shell32_DefView_Property_ReadAsOneBatchStop
#Event ID 18699: Shell32_DefView_GetEnumeratorStart
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "18699",
"version": "0",
"level": "4",
"task": "18699",
"opcode": "1",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:21:14.993151600+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "13880"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 18700: Shell32_DefView_GetEnumeratorStop
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "18700",
"version": "0",
"level": "4",
"task": "18699",
"opcode": "2",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:21:14.993869800+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "13880"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 18701: Shell32_DefView_Thumbnail_EnumLookupStart
#Event ID 18702: Shell32_DefView_Thumbnail_EnumLookupStop
#Event ID 18703: Shell32_Autoplay_Master_Switch
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 18705: Shell32_Autoplay_Default_Handler
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStringDatapointValue UnicodeString |
Event ID 18707: Shell32_StartMenuQueryFactory_WaitForNextResultStart
#Event ID 18708: Shell32_StartMenuQueryFactory_WaitForNextResultStop
#Event ID 18709: Shell32_StartMenuQueryFactory_ProgramsStart
#Event ID 18710: Shell32_StartMenuQueryFactory_ProgramsStop
#Event ID 18711: Shell32_StartMenuQueryFactory_Programs_GrepStart
#Event ID 18712: Shell32_StartMenuQueryFactory_Programs_GrepStop
#Event ID 18713: Shell32_StartMenuQueryFactory_Programs_RunStart
#Event ID 18714: Shell32_StartMenuQueryFactory_Programs_RunStop
#Event ID 18715: Shell32_StartMenuQueryFactory_Programs_ControlPanelsStart
#Event ID 18716: Shell32_StartMenuQueryFactory_Programs_ControlPanelsStop
#Event ID 18717: Shell32_StartMenuQueryFactory_InternetStart
#Event ID 18718: Shell32_StartMenuQueryFactory_InternetStop
#Event ID 18719: Shell32_StartMenuQueryFactory_Internet_RunStart
#Event ID 18720: Shell32_StartMenuQueryFactory_Internet_RunStop
#Event ID 18721: Shell32_StartMenuQueryFactory_Internet_FavoritesStart
#Event ID 18722: Shell32_StartMenuQueryFactory_Internet_FavoritesStop
#Event ID 18723: Shell32_StartMenuQueryFactory_Internet_HistoryStart
#Event ID 18724: Shell32_StartMenuQueryFactory_Internet_HistoryStop
#Event ID 18725: Shell32_StartMenuQueryFactory_FilesStart
#Event ID 18726: Shell32_StartMenuQueryFactory_FilesStop
#Event ID 18727: Shell32_StartMenuQueryFactory_Files_RecentStart
#Event ID 18728: Shell32_StartMenuQueryFactory_Files_RecentStop
#Event ID 18729: Shell32_StartMenuQueryFactory_Files_DisplayNameStart
#Event ID 18730: Shell32_StartMenuQueryFactory_Files_DisplayNameStop
#Event ID 18731: Shell32_StartMenuQueryFactory_Files_FullTextStart
#Event ID 18732: Shell32_StartMenuQueryFactory_Files_FullTextStop
#Event ID 18733: Shell32_StartMenuQueryFactory_CommunicationsStart
#Event ID 18734: Shell32_StartMenuQueryFactory_CommunicationsStop
#Event ID 18735: Shell32_StartMenuQueryFactory_Communications_ContactsStart
#Event ID 18736: Shell32_StartMenuQueryFactory_Communications_ContactsStop
#Event ID 18737: Shell32_StartMenuQueryFactory_Communications_FullTextStart
#Event ID 18738: Shell32_StartMenuQueryFactory_Communications_FullTextStop
#Event ID 18739: Shell32_IsElevationRequiredStart
#Fields #
| Name | Description |
|---|---|
ExecutableName UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "18739",
"version": "0",
"level": "4",
"task": "18739",
"opcode": "1",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:21:15.029195800+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "13880"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"ExecutableName": "\\\\FAKEHOST@80\\share\\execute.exe"
},
"message": ""
}
Event ID 18740: Shell32_IsElevationRequiredStop
#Fields #
| Name | Description |
|---|---|
ExecutableName UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "18740",
"version": "0",
"level": "4",
"task": "18739",
"opcode": "2",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:21:15.030696200+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "13880"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"ExecutableName": "\\\\FAKEHOST@80\\share\\execute.exe"
},
"message": ""
}
Event ID 18741: Shell32_IndexInfoCache_RefreshStart
#Event ID 18742: Shell32_IndexInfoCache_RefreshStop
#Event ID 18743: Shell32_DefView_FireFolderChanged
#Event ID 18745: Shell32_DefView_FireContentsChanged
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "18745",
"version": "0",
"level": "4",
"task": "18745",
"opcode": "0",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:20:50.049543600+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "8552"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 18747: Shell32_DUIFrame_SendContentsChanged
#Event ID 18749: Shell32_DUIFrame_SendFolderChanged
#Event ID 18751: Shell32_SHExtCoCreateInstance_Valid
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStreamRowLength UInt32 | |
SqmStreamRow Int16 |
Event ID 18752: Shell32_DefView_AddColumn
#Event ID 18753: Shell32_ItemStore_ExtractPropertyStart
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "18753",
"version": "0",
"level": "4",
"task": "18753",
"opcode": "1",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:20:50.049480200+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "8552"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 18755: Shell32_ItemStore_ExtractPropertyStop
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "18755",
"version": "0",
"level": "4",
"task": "18753",
"opcode": "2",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:20:50.049502100+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "8552"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 18761: Shell32_KnownFolderManager_RedirectStart
#Event ID 18762: Shell32_KnownFolderManager_RedirectStop
#Event ID 18763: Shell32_KnownFolderManager_Redirect_CopyStart
#Event ID 18764: Shell32_KnownFolderManager_Redirect_CopyStop
#Event ID 18765: Shell32_CDesktopBrowser_DesktopIconLayoutRestoreStart
#Event ID 18766: Shell32_CDesktopBrowser_DesktopIconLayoutRestoreStop
#Fields #
| Name | Description |
|---|---|
HRESULT UInt32 |
Event ID 18767: Shell32_CDesktopBrowser_DesktopIconLayoutRestore
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStreamRowLength UInt32 | |
SqmStreamRow Int16 |
Event ID 18768: Shell32_CDesktopBrowser_DesktopAutoArrange
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 18769: Shell32_CDesktopBrowser_DesktopAlignToGrid
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 18770: Shell32_CDesktopBrowser_DesktopIconSize
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 18771: Shell32_PrivProf_CacheCount
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 18773: Shell32_CollectionLock_InsertQueueItem
#Fields #
| Name | Description |
|---|---|
TaskID GUID | |
QueueItemCount Int32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "18773",
"version": "0",
"level": "4",
"task": "18773",
"opcode": "0",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:20:38.891582400+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "8552"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"TaskID": "{05cdcb31-adfd-4d5a-9c4e-1a5650fe0867}",
"QueueItemCount": "1"
},
"message": ""
}
Event ID 18775: Shell32_CGrepQuery_EvaluateItemStart
#Event ID 18776: Shell32_CGrepQuery_EvaluateItemStop
#Event ID 18777: Shell32_CConditionEvaluator_DoesItemMatchConditionStart
#Event ID 18778: Shell32_CConditionEvaluator_DoesItemMatchConditionStop
#Event ID 18779: Shell32_CGrepConditionEvaluator_DoesContentMatchConditionStart
#Event ID 18780: Shell32_CGrepConditionEvaluator_DoesContentMatchConditionStop
#Event ID 18781: Shell32_GrepDoesItemMatchConditionStart
#Event ID 18782: Shell32_GrepDoesItemMatchConditionStop
#Event ID 18783: Shell32_SubCommandMenu_EnumerateStart
#Event ID 18784: Shell32_SubCommandMenu_EnumerateStop
#Event ID 18787: Shell32_MountPoint_InitLocalDrivesStart
#Event ID 18788: Shell32_MountPoint_InitLocalDrivesStop
#Event ID 18789: CDesktopBrowser_WallpaperAnimation_SetupStart
#Event ID 18790: CDesktopBrowser_WallpaperAnimation_SetupStop
#Event ID 18791: CDesktopBrowser_WallpaperAnimation_CleanupStart
#Event ID 18792: CDesktopBrowser_WallpaperAnimation_CleanupStop
#Event ID 18793: Shell32_CDesktopBrowser_SortyBy
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 18794: Shell32_CDesktopBrowser_IconPositions
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStreamRowLength UInt32 | |
SqmStreamRow Int16 |
Event ID 18795: Shell32_CDesktopBrowser_WindowRegItem
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 18796: Shell32_CDesktopBrowser_NonWindowRegItem
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 18797: Shell32_CDesktopBrowser_ItemCount
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 18798: Shell32_CDesktopBrowser_UsageTime
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 18799: Shell32_DefView_LoadColumnsStart
#Event ID 18800: Shell32_DefView_LoadColumnsStop
#Event ID 18801: Shell32_CopyEngine_FileOperationStart
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "18801",
"version": "0",
"level": "4",
"task": "18801",
"opcode": "1",
"keywords": 9223372036863164416,
"time_created": "2026-03-15T04:20:38.365211700+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "4164"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 18802: Shell32_CopyEngine_FileOperationStop
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "18802",
"version": "0",
"level": "4",
"task": "18801",
"opcode": "2",
"keywords": 9223372036863164416,
"time_created": "2026-03-15T04:20:38.366382800+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "4164"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 18803: Shell32_CopyEngine_OverallOperationStart
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "18803",
"version": "0",
"level": "4",
"task": "18803",
"opcode": "1",
"keywords": 9223372036863164416,
"time_created": "2026-03-15T04:20:38.357798200+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "4164"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 18804: Shell32_CopyEngine_OverallOperationStop
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "18804",
"version": "0",
"level": "4",
"task": "18803",
"opcode": "2",
"keywords": 9223372036863164416,
"time_created": "2026-03-15T04:20:38.398240700+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "4164"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 18805: Shell32_CopyEngine_OverallTransferStart
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "18805",
"version": "0",
"level": "4",
"task": "18805",
"opcode": "1",
"keywords": 9223372036863164416,
"time_created": "2026-03-15T04:20:38.362240100+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "4164"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 18806: Shell32_CopyEngine_OverallTransferStop
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "18806",
"version": "0",
"level": "4",
"task": "18805",
"opcode": "2",
"keywords": 9223372036863164416,
"time_created": "2026-03-15T04:20:38.371202700+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "4164"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 18807: Shell32_CopyEngine_ConfirmedDelete
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "18807",
"version": "0",
"level": "4",
"task": "18807",
"opcode": "0",
"keywords": 9223372036863164416,
"time_created": "2026-03-15T04:20:38.358768300+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "4164"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 18809: Shell32_CopyEngine_WillRecycleToBinStart
#Event ID 18810: Shell32_CopyEngine_WillRecycleToBinStop
#Event ID 18811: Shell32_CopyEngine_RecycleItemStart
#Event ID 18812: Shell32_CopyEngine_RecycleItemStop
#Event ID 18813: Shell32_CopyEngine_FileOpenStart
#Event ID 18814: Shell32_CopyEngine_FileOpenStop
#Event ID 18815: Shell32_CopyEngine_CallMoveFileStart
#Event ID 18816: Shell32_CopyEngine_CallMoveFileStop
#Event ID 18817: Shell32_CommonPlaces_Drop
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 18818: Shell32_ReadingPaneModule_LoadStart
#Event ID 18819: Shell32_ReadingPaneModule_LoadStop
#Event ID 18820: Shell32_CopyEngine_FileOperation
#Fields #
| Name | Description |
|---|---|
CompletionDelta UInt64 | |
SecondTimeDelta Double | |
WindowSumOfRates Double | |
CalculatedRate Double |
Event ID 18821: Shell32_LinkTracking
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStreamRowLength UInt32 | |
SqmStreamRow Int16 |
Event ID 18823: Shell32_CopyEngine_SQMStream
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStreamRowLength UInt32 | |
SqmStreamRow Int16 |
Event ID 18825: Shell32_AppDestList_Custom_CommitStart
#Event ID 18826: Shell32_AppDestList_Custom_CommitStop
#Event ID 18827: Shell32_AppDestList_Custom_LoadStart
#Event ID 18828: Shell32_AppDestList_Custom_LoadStop
#Event ID 18829: Shell32_AppDestList_Custom_LoadRemovedStart
#Event ID 18830: Shell32_AppDestList_Custom_LoadRemovedStop
#Event ID 18831: Shell32_AppDestList_Custom_RemoveDestStart
#Event ID 18832: Shell32_AppDestList_Custom_RemoveDestStop
#Event ID 18833: Shell32_UA_FireEventStart
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "18833",
"version": "0",
"level": "4",
"task": "18833",
"opcode": "1",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:22:47.404632000+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "4124"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 18834: Shell32_UA_FireEventStop
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "18834",
"version": "0",
"level": "4",
"task": "18833",
"opcode": "2",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:22:47.405040600+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "4124"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 18835: Shell32_UA_UpdateLoggerStateStart
#Event ID 18836: Shell32_UA_UpdateLoggerStateStop
#Event ID 18837: Shell32_UA_SetEntryStart
#Event ID 18838: Shell32_UA_SetEntryStop
#Event ID 18841: Shell32_UA_GarbageCollectScheduled
#Event ID 18843: Shell32_UA_GarbageCollectStart
#Event ID 18844: Shell32_UA_GarbageCollectStop
#Event ID 18845: Shell32_UA_SnapRValuesScheduled
#Event ID 18847: Shell32_UA_SnapRValuesStart
#Event ID 18848: Shell32_UA_SnapRValuesStop
#Event ID 18849: Shell32_UA_DeleteEntryStart
#Event ID 18850: Shell32_UA_DeleteEntryStop
#Event ID 18851: Shell32_UA_RenameEntryStart
#Event ID 18852: Shell32_UA_RenameEntryStop
#Event ID 18853: Shell32_UA_ReplaceNMaxCandidate
#Event ID 18855: Shell32_UA_RebuildSessionScheduled
#Event ID 18857: Shell32_UA_RebuildSessionStart
#Event ID 18858: Shell32_UA_RebuildSessionStop
#Event ID 18859: Shell32_AutoDestList_GetListStart
#Event ID 18860: Shell32_AutoDestList_GetListStop
#Event ID 18861: Shell32_AutoDestList_AddUsagePointStart
#Event ID 18862: Shell32_AutoDestList_AddUsagePointStop
#Event ID 18863: Shell32_AutoDestList_PinItemStart
#Event ID 18864: Shell32_AutoDestList_PinItemStop
#Event ID 18867: Shell32_AutoDestList_IsPinnedStart
#Event ID 18868: Shell32_AutoDestList_IsPinnedStop
#Event ID 18869: Shell32_AutoDestList_CalculateDecayStart
#Event ID 18870: Shell32_AutoDestList_CalculateDecayStop
#Event ID 18871: Shell32_AutoDestList_GarbageCollecting
#Event ID 18877: Shell32_FilterDestByAssocStart
#Event ID 18878: Shell32_FilterDestByAssocStop
#Event ID 18879: Shell32_AppDestList_Custom_AppendCategoryStart
#Event ID 18880: Shell32_AppDestList_Custom_AppendCategoryStop
#Event ID 18881: Shell32_DefView_CreateNewCollectionStart
#Event ID 18882: Shell32_DefView_CreateNewCollectionStop
#Event ID 18883: Shell32_DefView_ExecStopStart
#Event ID 18884: Shell32_DefView_ExecStop
#Event ID 18885: Shell32_DefView_ExecRefreshStart
#Event ID 18886: Shell32_DefView_ExecRefreshStop
#Event ID 18887: Shell32_CopyEngine_UAC_CopyEngine_Elevation
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStreamRowLength UInt32 | |
SqmStreamRow Int16 |
Event ID 18888: Shell32_ItemThumbnail_Prefetch_DispatchStop
#Event ID 18901: Shell32_CopyEngine_FileCreateStart
#Event ID 18902: Shell32_CopyEngine_FileCreateStop
#Event ID 18903: Shell32_CopyEngine_ProgressUpdate
#Fields #
| Name | Description |
|---|---|
PointsCurrent UInt64 | |
PointsTotal UInt64 | |
SizeCurrent UInt64 | |
SizeTotal UInt64 | |
ItemsCurrent UInt64 | |
ItemsTotal UInt64 |
Event ID 18905: Shell32_CopyEngine_FileOperation_Info
#Fields #
| Name | Description |
|---|---|
pszSource UnicodeString | |
pszDest UnicodeString | |
SourceType UInt32 | |
DestinationType UInt32 | |
FileOp UInt32 | |
FileSize UInt64 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "18905",
"version": "0",
"level": "4",
"task": "18905",
"opcode": "0",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:20:38.366379600+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "4164"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"pszSource": "C:\\Users\\domainadmin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles",
"pszDest": "NULL",
"SourceType": " 3",
"DestinationType": " 0",
"FileOp": " 3",
"FileSize": "0"
},
"message": ""
}
Event ID 18907: Shell32_CopyEngine_ProgressUpdateSkipped
#Event ID 18909: Shell32_CopyEngine_ProgressData
#Fields #
| Name | Description |
|---|---|
WorkDone UInt64 | |
TimeElapsed UInt64 |
Event ID 18911: Shell32_CopyEngine_ProgressEstimate
#Fields #
| Name | Description |
|---|---|
NewMean UInt64 | |
AverageMean UInt64 | |
Estimate UInt64 |
Event ID 18913: Shell32_CopyEngine_ProgressSpeed
#Fields #
| Name | Description |
|---|---|
Speed UInt64 | |
IsBytesPerSecond UInt32 |
Event ID 18915: Shell32_CopyEngine_MoveAsCopyDelete
#Event ID 18917: Shell32_DragDropHelper_AddInfoToWindowStart
#Event ID 18918: Shell32_DragDropHelper_AddInfoToWindowStop
#Event ID 18919: Shell32_DragDropHelper_ExtractThumbnailStart
#Event ID 18920: Shell32_DragDropHelper_ExtractThumbnailStop
#Event ID 18922: Shell32_AutoPlay_DXPStart
#Event ID 18924: Shell32_AutoPlay_DXPStop
#Event ID 18925: Shell32_AutoPlay_DXPStop18925
#Event ID 18927: Shell32_PerfMarker1
#Event ID 18929: Shell32_PerfMarker2
#Event ID 18931: Shell32_PerfMarker3Start
#Event ID 18932: Shell32_PerfMarker3Stop
#Event ID 18933: Shell32_NewMenu_Folder
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 18934: Shell32_NewMenu_Shortcut
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 18935: Shell32_NewMenu_Other
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 18936: Shell32_DesktopContextMenu_Personalize
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 18937: Shell32_DesktopContextMenu_Display
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 18939: Shell32_SCFFileUsage_SQM
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 18941: Shell32_ExternalOverlayDllLoad
#Event ID 18943: Shell32_RunFileDlgDisplayed
#Event ID 18950: Shell32_SHChangeNotify_Register_ClientStart
#Event ID 18951: Shell32_SHChangeNotify_Register_ClientStop
#Fields #
| Name | Description |
|---|---|
ID UInt32 | |
HWND UInt32 |
Event ID 18952: Shell32_SHChangeNotify_Register_NotifyThreadStart
#Event ID 18953: Shell32_SHChangeNotify_Register_NotifyThreadStop
#Fields #
| Name | Description |
|---|---|
ID UInt32 | |
HWND UInt32 |
Event ID 18955: Shell32_SHChangeNotify_Deregister_ClientStop
#Event ID 18956: Shell32_SHChangeNotify_Deregister_NotifyThreadStart
#Fields #
| Name | Description |
|---|---|
ID UInt32 |
Event ID 18957: Shell32_SHChangeNotify_Deregister_NotifyThreadStop
#Event ID 18958: Shell32_SHChangeNotify_Notify_ClientStart
#Fields #
| Name | Description |
|---|---|
Event UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "18958",
"version": "0",
"level": "4",
"task": "18958",
"opcode": "1",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:20:38.369560800+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "4164"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"Event": "0x4"
},
"message": ""
}
Event ID 18959: Shell32_SHChangeNotify_Notify_ClientStop
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "18959",
"version": "0",
"level": "4",
"task": "18958",
"opcode": "2",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:20:38.369636400+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "4164"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 18960: Shell32_SHChangeNotify_Notify_NotifyThreadStart
#Fields #
| Name | Description |
|---|---|
Event UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "18960",
"version": "0",
"level": "4",
"task": "18960",
"opcode": "1",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:20:38.369661700+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "5416"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"Event": "0x4"
},
"message": ""
}
Event ID 18961: Shell32_SHChangeNotify_Notify_NotifyThreadStop
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "18961",
"version": "0",
"level": "4",
"task": "18960",
"opcode": "2",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:20:38.369718200+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "5416"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 18962: Shell32_SHChangeNotify_SendNotification_NotifyThreadStart
#Fields #
| Name | Description |
|---|---|
Event UInt32 | |
ID UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "18962",
"version": "0",
"level": "4",
"task": "18962",
"opcode": "1",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:20:38.891479100+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "5416"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"Event": "0x1000",
"ID": " 1"
},
"message": ""
}
Event ID 18963: Shell32_SHChangeNotify_SendNotification_NotifyThreadStop
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "18963",
"version": "0",
"level": "4",
"task": "18962",
"opcode": "2",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:20:38.891496600+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "5416"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 18964: Shell32_SHChangeNotify_HungApp
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStreamRowLength UInt32 | |
SqmStreamRow Int16 |
Event ID 18970: UndoNode_PreItemChanged
#Fields #
| Name | Description |
|---|---|
pszOperationSource UnicodeString | |
pszOperationDestination UnicodeString | |
FileOp UInt32 | |
IsOperationUndo Boolean | |
UndoFlags UInt32 |
Event ID 18972: UndoNode_PostItemChanged
#Fields #
| Name | Description |
|---|---|
pszOperationSource UnicodeString | |
pszOperationDestination UnicodeString | |
FileOp UInt32 | |
IsOperationUndo Boolean | |
UndoFlags UInt32 |
Event ID 18974: UndoNode_PostLeave
#Fields #
| Name | Description |
|---|---|
pszOperationSource UnicodeString | |
pszOperationDestination UnicodeString | |
FileOp UInt32 | |
IsOperationUndo Boolean | |
UndoFlags UInt32 |
Event ID 18976: UndoNode_Cleanup
#Fields #
| Name | Description |
|---|---|
pszOperationSource UnicodeString | |
pszOperationDestination UnicodeString | |
FileOp UInt32 | |
IsOperationUndo Boolean | |
UndoFlags UInt32 |
Event ID 18978: CopyEngine_PerformUndo
#Fields #
| Name | Description |
|---|---|
pszOperationSource UnicodeString | |
pszOperationDestination UnicodeString | |
FileOp UInt32 | |
IsOperationUndo Boolean | |
UndoFlags UInt32 |
Event ID 18980: CopyEngine_ClearUndo
#Event ID 19003: ShellTraceId_TaskScheduler_RunTaskStart
#Fields #
| Name | Description |
|---|---|
TOID GUID |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "19003",
"version": "0",
"level": "4",
"task": "19003",
"opcode": "1",
"keywords": 9223372036871553024,
"time_created": "2026-03-15T04:20:38.353817300+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "4164"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"TOID": "{c0d04af2-0d2d-48ad-b93f-cdf1d27437c3}"
},
"message": ""
}
Event ID 19004: ShellTraceId_TaskScheduler_RunTaskStop
#Fields #
| Name | Description |
|---|---|
TOID GUID |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "19004",
"version": "0",
"level": "4",
"task": "19003",
"opcode": "2",
"keywords": 9223372036871553024,
"time_created": "2026-03-15T04:20:38.398314600+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "4164"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"TOID": "{c0d04af2-0d2d-48ad-b93f-cdf1d27437c3}"
},
"message": ""
}
Event ID 19007: ShellTraceId_TaskScheduler_AddTask
#Fields #
| Name | Description |
|---|---|
TOID GUID |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "19007",
"version": "0",
"level": "4",
"task": "19009",
"opcode": "0",
"keywords": 9223372036871553024,
"time_created": "2026-03-15T04:20:38.353789900+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "8552"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"TOID": "{c0d04af2-0d2d-48ad-b93f-cdf1d27437c3}"
},
"message": ""
}
Event ID 19201: LUA_Elevation_Attempts
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 19203: LUA_Elevation_Attempts19203
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 19205: LUA_Elevation_Attempts19205
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 19207: LUA_Elevation_Attempts19207
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 19209: LUA_Elevation_Attempts19209
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 19211: LUA_Elevation_Attempts19211
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStreamRowLength UInt32 | |
SqmStreamRow Int16 |
Event ID 19401: FileClassStore_LookupFileClassIntStart
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "19401",
"version": "0",
"level": "4",
"task": "19411",
"opcode": "1",
"keywords": 9223372036855037952,
"time_created": "2026-03-15T04:20:37.111778000+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "10312",
"thread_id": "14168"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 19403: FileClassStore_LookupFileClassIntStop
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "19403",
"version": "0",
"level": "4",
"task": "19411",
"opcode": "2",
"keywords": 9223372036855037952,
"time_created": "2026-03-15T04:20:37.111779100+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "10312",
"thread_id": "14168"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 19405: FileClassStore_LookupFileClassStringStart
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "19405",
"version": "0",
"level": "4",
"task": "19409",
"opcode": "1",
"keywords": 9223372036855037952,
"time_created": "2026-03-16T00:21:39.199862900+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "5680",
"thread_id": "11856"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 19407: FileClassStore_LookupFileClassStringStop
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "19407",
"version": "0",
"level": "4",
"task": "19409",
"opcode": "2",
"keywords": 9223372036855037952,
"time_created": "2026-03-16T00:21:39.199914400+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "5680",
"thread_id": "11856"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 19409: FileClassStore_LookupFileClassHandlerStart
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "19409",
"version": "0",
"level": "4",
"task": "19407",
"opcode": "1",
"keywords": 9223372036855037952,
"time_created": "2026-03-15T04:20:38.358119100+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "4164"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 19411: FileClassStore_LookupFileClassHandlerStop
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "19411",
"version": "0",
"level": "4",
"task": "19407",
"opcode": "2",
"keywords": 9223372036855037952,
"time_created": "2026-03-15T04:20:38.358124100+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "4164"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 19413: FileClassStore_SetFileClassIntStart
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "19413",
"version": "0",
"level": "4",
"task": "19403",
"opcode": "1",
"keywords": 9223372036855037952,
"time_created": "2026-03-15T04:20:50.033567700+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "5416"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 19415: FileClassStore_SetFileClassIntStop
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "19415",
"version": "0",
"level": "4",
"task": "19403",
"opcode": "2",
"keywords": 9223372036855037952,
"time_created": "2026-03-15T04:20:50.033570500+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "5416"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 19417: FileClassStore_SetFileClassStringStart
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "19417",
"version": "0",
"level": "4",
"task": "19405",
"opcode": "1",
"keywords": 9223372036855037952,
"time_created": "2026-03-16T00:21:39.219215800+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "5680",
"thread_id": "11856"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 19419: FileClassStore_SetFileClassStringStop
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "19419",
"version": "0",
"level": "4",
"task": "19405",
"opcode": "2",
"keywords": 9223372036855037952,
"time_created": "2026-03-16T00:21:39.219230300+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "5680",
"thread_id": "11856"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 19421: FileClassStore_SetFileClassHandlerStart
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "19421",
"version": "0",
"level": "4",
"task": "19401",
"opcode": "1",
"keywords": 9223372036855037952,
"time_created": "2026-03-16T00:21:39.169995200+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "5680",
"thread_id": "11856"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 19423: FileClassStore_SetFileClassHandlerStop
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "19423",
"version": "0",
"level": "4",
"task": "19401",
"opcode": "2",
"keywords": 9223372036855037952,
"time_created": "2026-03-16T00:21:39.170012800+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "5680",
"thread_id": "11856"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 19425: IconCache_LookupIconStart
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "19425",
"version": "0",
"level": "4",
"task": "19413",
"opcode": "1",
"keywords": 9223372036855037952,
"time_created": "2026-03-15T04:20:18.999180400+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "10312",
"thread_id": "14168"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 19427: IconCache_LookupIconStop
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "19427",
"version": "0",
"level": "4",
"task": "19413",
"opcode": "2",
"keywords": 9223372036855037952,
"time_created": "2026-03-15T04:20:18.999187900+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "10312",
"thread_id": "14168"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 19429: IconCache_AddIconStart
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "19429",
"version": "0",
"level": "4",
"task": "19415",
"opcode": "1",
"keywords": 9223372036855037952,
"time_created": "2026-03-15T04:20:51.144814400+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "10312",
"thread_id": "14168"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 19431: IconCache_AddIconStop
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "19431",
"version": "0",
"level": "4",
"task": "19415",
"opcode": "2",
"keywords": 9223372036855037952,
"time_created": "2026-03-15T04:20:51.144816400+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "10312",
"thread_id": "14168"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 19433: IconCache_RemoveIconStart
#Event ID 19435: IconCache_RemoveIconStop
#Event ID 19437: IconCache_GetFileOverlayInfoStart
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "19437",
"version": "0",
"level": "4",
"task": "19419",
"opcode": "1",
"keywords": 9223372036855037952,
"time_created": "2026-03-15T04:20:50.066943000+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "13268"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 19439: IconCache_GetFileOverlayInfoStop
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "19439",
"version": "0",
"level": "4",
"task": "19419",
"opcode": "2",
"keywords": 9223372036855037952,
"time_created": "2026-03-15T04:20:50.067581200+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "13268"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 19441: IconCache_CacheMiss
#Fields #
| Name | Description |
|---|---|
PathToIcon UnicodeString | |
IconOffset Int32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "19441",
"version": "0",
"level": "4",
"task": "19421",
"opcode": "0",
"keywords": 9223372036855037952,
"time_created": "2026-03-15T04:20:51.144804100+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "10312",
"thread_id": "14168"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"PathToIcon": "C:\\Windows\\System32\\PING.EXE",
"IconOffset": "0"
},
"message": ""
}
Event ID 19443: IconCache_ScaleImage
#Fields #
| Name | Description |
|---|---|
PathToIcon UnicodeString | |
IconOffset Int32 | |
FromIconSize Int32 | |
ToIconSize Int32 |
Event ID 19501: CDesktopFolder_ParseDisplayNameStart
#Fields #
| Name | Description |
|---|---|
Name UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "19501",
"version": "0",
"level": "4",
"task": "19501",
"opcode": "1",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:20:37.111299600+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "10312",
"thread_id": "14168"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"Name": "C:\\Program Files\\Git\\usr\\bin\\bash.exe"
},
"message": ""
}
Event ID 19502: CDesktopFolder_ParseDisplayNameStop
#Fields #
| Name | Description |
|---|---|
Name UnicodeString | |
HRESULT UInt32 | |
PIDL_out UInt64 | |
HWND UInt32 | |
IBindCtx UInt64 | |
cbEaten UInt32 | |
dwAttributes UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "19502",
"version": "0",
"level": "4",
"task": "19501",
"opcode": "2",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:20:37.111768200+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "10312",
"thread_id": "14168"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"Name": "C:\\Program Files\\Git\\usr\\bin\\bash.exe",
"HRESULT": "0x0",
"PIDL_out": "0x1E332146560",
"HWND": "0x0",
"IBindCtx": "0x1E335296560",
"cbEaten": "4294967295",
"dwAttributes": "0xFFFFFFFF"
},
"message": ""
}
Event ID 19503: CDesktopFolder_GetDisplayNameOfStart
#Fields #
| Name | Description |
|---|---|
Address UInt64 | |
Depth UInt32 | |
Children Int8 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "19503",
"version": "0",
"level": "4",
"task": "19503",
"opcode": "1",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:20:50.047254400+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "800"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 19504: CDesktopFolder_GetDisplayNameOfStop
#Fields #
| Name | Description |
|---|---|
Address UInt64 | |
HRESULT UInt32 | |
Flags UInt32 | |
Name UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "19504",
"version": "0",
"level": "4",
"task": "19503",
"opcode": "2",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:20:50.047257200+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "800"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"Address": "0xC7E4250",
"HRESULT": "0x0",
"Flags": "0x8001",
"Name": "automaton"
},
"message": ""
}
Event ID 19601: Shell32_ControlPanel_HomePage_InitStart
#Event ID 19602: Shell32_ControlPanel_HomePage_InitStop
#Event ID 19603: Shell32_ControlPanel_LoadAppletsStart
#Event ID 19604: Shell32_ControlPanel_LoadAppletsStop
#Event ID 19605: Shell32_ControlPanel_LoadTasksStart
#Event ID 19606: Shell32_ControlPanel_LoadTasksStop
#Event ID 19607: Shell32_ControlPanel_SearchStart
#Event ID 19608: Shell32_ControlPanel_SearchStop
#Event ID 19611: Shell32_ControlPanel_Search_NoResults
#Event ID 19617: Shell32_ControlPanel_TaskStateCondition
#Fields #
| Name | Description |
|---|---|
pszName UnicodeString | |
fVal UInt32 |
Event ID 19621: Shell32_ControlPanel_NavPane_TransitionAnimation
#Fields #
| Name | Description |
|---|---|
uAnimationType UInt32 |
Event ID 19625: Shell32_ControlPanel_TypeAheadSearch_Timeout
#Event ID 19627: Shell32_ControlPanel_TypeAheadSearch_NotFound
#Event ID 19635: Explorer_ControlPanel_Settings_SyncStart
#Event ID 19636: Explorer_ControlPanel_Settings_SyncStop
#Event ID 19801: ShowDesktop_Usage
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStreamRowLength UInt32 | |
SqmStreamRow Int16 |
Event ID 19803: ShowDesktop_RaiseDesktopStart
#Event ID 19804: ShowDesktop_RaiseDesktopStop
#Event ID 19805: ShowDesktop_RegistryWrite
#Event ID 20001: StartMenu_OpenContextMenuStart
#Event ID 20002: StartMenu_OpenContextMenuStop
#Event ID 20003: StartMenu_PinItemToMenuStart
#Event ID 20004: StartMenu_PinItemToMenuStop
#Event ID 20005: StartMenu_Fill_MenuCacheStart
#Event ID 20006: StartMenu_Fill_MenuCacheStop
#Event ID 20007: StartMenu_Left_Control_Button_Split_Open
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 20009: StartMenu_Right_Control_Button_Split_Open
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 20011: StartMenu_Left_Control_Button_Label
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 20013: StartMenu_Right_Control_Button_Label
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 20015: StartMenu_Logoff_Usage_Stream
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStreamRowLength UInt32 | |
SqmStreamRow Int16 |
Event ID 20017: StartMenu_Username_Clicked
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 20019: StartMenu_UserTile_Clicked
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 20021: StartMenu_Search_Usage
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 20023: StartMenu_AllPrograms_Search_Usage
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 20025: StartMenu_Search_TopResult_Launch
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 20027: StartMenu_Advanced_Search_Launch
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 20029: StartMenu_Search_Result_Launch
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 20031: StartMenu_Search_UNC_Path
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 20033: StartMenu_WordWheel_Activated
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 20035: StartMenu_Search_Computer_Count
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 20037: StartMenu_Search_Internet_Count
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 20039: StartMenu_Search_URL_Count
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 20041: StartMenu_Search_Dropdown_Count
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 20043: StartMenu_Search_Group_Usage
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStreamRowLength UInt32 | |
SqmStreamRow Int16 |
Event ID 20045: StartMenu_Applications_Launched
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStreamRowLength UInt32 | |
SqmStreamRow Int16 |
Event ID 20047: Rearranging_StartMenuTaskbar
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStreamRowLength UInt32 | |
SqmStreamRow Int16 |
Event ID 20049: Pinned_Applications
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStreamRowLength UInt32 | |
SqmStreamRow Int16 |
Event ID 20051: DestinationRemoval_StartMenuTaskbar
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStreamRowLength UInt32 | |
SqmStreamRow Int16 |
Event ID 20053: Pinned_Destinations_StartMenuTaskbar
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStreamRowLength UInt32 | |
SqmStreamRow Int16 |
Event ID 20055: Destination_Menu_Usage_StartMenuTaskbar
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStreamRowLength UInt32 | |
SqmStreamRow Int16 |
Event ID 20057: Start_Menu_Recent_Items_Menu
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 20059: StartMenu_MFU_Application_Removal
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStreamRowLength UInt32 | |
SqmStreamRow Int16 |
Event ID 20061: Application_Launches_StartMenuTaskbar
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStreamRowLength UInt32 | |
SqmStreamRow Int16 |
Event ID 20063: TurnOffUsageTrackingStartMenuTaskbar
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 20065: Taskbar_DestinationList_PrepopulateStart
#Event ID 20066: Taskbar_DestinationList_PrepopulateStop
#Event ID 20067: StartMenu_DestinationList_RefreshStart
#Event ID 20068: StartMenu_DestinationList_RefreshStop
#Event ID 20069: StartMenu_DestinationList_EnumDataStart
#Event ID 20070: StartMenu_DestinationList_EnumDataStop
#Event ID 20071: Destination_Menu_Action_StartMenuTaskbar
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStreamRowLength UInt32 | |
SqmStreamRow Int16 |
Event ID 20072: Destination_Menu_Layout_StartMenuTaskbar
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStreamRowLength UInt32 | |
SqmStreamRow Int16 |
Event ID 20073: Destination_Removal_StartMenuTaskbar
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStreamRowLength UInt32 | |
SqmStreamRow Int16 |
Event ID 20075: StartMenu_AnimationStart
#Event ID 20102: StartMenuCPL_LoadStart
#Event ID 20103: StartMenuCPL_LoadStop
#Event ID 20104: StartMenuCPL_ApplyStart
#Event ID 20105: StartMenuCPL_ApplyStop
#Event ID 20106: TaskbarCPL_LoadStart
#Event ID 20107: TaskbarCPL_LoadStop
#Event ID 20108: TaskbarCPL_ApplyStart
#Event ID 20109: TaskbarCPL_ApplyStop
#Event ID 20111: StartMenu_ByUsage_EnumItemsStart
#Event ID 20112: StartMenu_ByUsage_EnumItemsStop
#Event ID 20900: UserTile_Taskbar_Control_InitializeStart
#Event ID 20901: UserTile_Taskbar_Control_InitializeStop
#Event ID 20902: UserTile_Store_CommitStart
#Event ID 20903: UserTile_Store_CommitStop
#Event ID 20905: UserTile_Store_GetImageStart
#Event ID 20906: UserTile_Store_GetImageStop
#Event ID 20907: UserTile_Store_SetImageFromFileStart
#Event ID 20908: UserTile_Store_SetImageFromFileStop
#Event ID 20909: UserTile_Store_SetImageFromStreamStart
#Event ID 20910: UserTile_Store_SetImageFromStreamStop
#Event ID 20911: UserTile_Store_SetImageFromBitmapStart
#Event ID 20912: UserTile_Store_SetImageFromBitmapStop
#Event ID 20914: UserTile_DynamicTile_InitStart
#Event ID 20915: UserTile_DynamicTile_InitStop
#Event ID 20916: UserTile_DynamicTile_PlaybackStart
#Event ID 20917: UserTile_DynamicTile_PlaybackStop
#Event ID 20918: UserTile_Taskbar_Control_DelayInitializeStart
#Event ID 20919: UserTile_Taskbar_Control_DelayInitializeStop
#Event ID 21002: SystemTray_ChangeNotifyStop
#Event ID 21003: SystemTray_UserClickedChevon_ChangeNotifyStart
#Event ID 21004: SystemTray_UserClickedChevon_ChangeNotifyStop
#Event ID 21006: SystemTray_OverflowShownStop
#Event ID 21007: SystemTray_IconAdded
#Fields #
| Name | Description |
|---|---|
TrayCode UInt32 | |
guid GUID | |
uID UInt32 | |
HWND UInt32 |
Event ID 21009: SystemTray_IconRemoved
#Fields #
| Name | Description |
|---|---|
TrayCode UInt32 | |
guid GUID | |
uID UInt32 | |
HWND UInt32 | |
uReasonForDelete UInt32 |
Event ID 21011: SystemTray_IconModified
#Fields #
| Name | Description |
|---|---|
TrayCode UInt32 | |
guid GUID | |
uID UInt32 | |
HWND UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "21011",
"version": "0",
"level": "4",
"task": "21011",
"opcode": "0",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:20:19.002368900+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "4760"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"TrayCode": " 1",
"guid": "{00000000-0000-0000-0000-000000000000}",
"uID": " 0",
"HWND": "0x51054A"
},
"message": ""
}
Event ID 21013: SystemTray_SystemPromote
#Fields #
| Name | Description |
|---|---|
guid GUID | |
uID UInt32 | |
HWND UInt32 | |
Result UInt32 |
Event ID 21015: SystemTray_ShowBalloon
#Fields #
| Name | Description |
|---|---|
guid GUID | |
uID UInt32 | |
HWND UInt32 | |
Result UInt32 |
Event ID 21017: SystemTray_RearrangeIconStart
#Event ID 22001: Taskbar_GroupState_ChangeNotifyStart
#Event ID 22002: Taskbar_GroupState_ChangeNotifyStop
#Event ID 22003: Taskbar_LockState_ChangeNotifyStart
#Event ID 22004: Taskbar_LockState_ChangeNotifyStop
#Event ID 22005: Taskbar_Click
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 22006: StarterEdition_AppLimitViolations
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 22007: Taskbar_Settings
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 22009: Taskbar_Location
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 22011: Taskbar_Size
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 22013: Taskbar_Quicklaunch_Item_Launch
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 22014: New_Taskbar_Pinned_Items_Rearranged
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 22015: Taskbar_Glomming_Enabled
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 22017: Taskbar_Quicklaunch_Enabled
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 22018: Taskbar_RegisterThumbnailStart
#Fields #
| Name | Description |
|---|---|
HWNDSrc Pointer | |
HWNDThumbnail Pointer |
Event ID 22019: Taskbar_RegisterThumbnailStop
#Fields #
| Name | Description |
|---|---|
HWNDSrc Pointer | |
HWNDThumbnail Pointer |
Event ID 22022: Taskbar_Glomming_Count
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStreamRowLength UInt32 | |
SqmStreamRow Int16 |
Event ID 22023: Taskbar_Window_Count
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStreamRowLength UInt32 | |
SqmStreamRow Int16 |
Event ID 22028: Taskbar_ButtonGroup_Added
#Fields #
| Name | Description |
|---|---|
hwndTaskBand Pointer | |
pTBGroup Pointer | |
pszExePath UnicodeString | |
tbgType UInt32 | |
x Int32 | |
y Int32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "22028",
"version": "0",
"level": "4",
"task": "22030",
"opcode": "0",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:22:41.468372200+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "4760"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"hwndTaskBand": "0x20144",
"pTBGroup": "0xC910520",
"pszExePath": "C:\\Windows\\System32\\msdtc.exe",
"tbgType": " 1",
"x": "249",
"y": "1"
},
"message": ""
}
Event ID 22029: Taskbar_ButtonGroup_GlomStateChange
#Fields #
| Name | Description |
|---|---|
hwndTaskBand Pointer | |
pTBGroup Pointer | |
pszExePath UnicodeString | |
tbgType UInt32 | |
x Int32 | |
y Int32 |
Event ID 22030: Taskbar_ButtonGroup_Removed
#Fields #
| Name | Description |
|---|---|
hwndTaskBand Pointer | |
pTBGroup Pointer | |
pszExePath UnicodeString | |
tbgType UInt32 | |
x Int32 | |
y Int32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "22030",
"version": "0",
"level": "4",
"task": "22032",
"opcode": "0",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:22:41.489988000+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "4760"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"hwndTaskBand": "0x20144",
"pTBGroup": "0xC910520",
"pszExePath": "C:\\Windows\\System32\\msdtc.exe",
"tbgType": " 0",
"x": "249",
"y": "1"
},
"message": ""
}
Event ID 22031: Taskbar_Window_Added
#Fields #
| Name | Description |
|---|---|
hwnd Pointer | |
hwndTaskBand Pointer | |
pTBGroup Pointer | |
pszExePath UnicodeString | |
tbgType UInt32 | |
x Int32 | |
y Int32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "22031",
"version": "0",
"level": "4",
"task": "22033",
"opcode": "0",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:22:41.468376600+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "4760"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"hwnd": "0x380680",
"hwndTaskBand": "0x20144",
"pTBGroup": "0xC910520",
"pszExePath": "C:\\Windows\\System32\\msdtc.exe",
"tbgType": " 1",
"x": "249",
"y": "1"
},
"message": ""
}
Event ID 22032: Taskbar_Window_Active
#Fields #
| Name | Description |
|---|---|
hwnd Pointer | |
hwndTaskBand Pointer | |
pTBGroup Pointer | |
pszExePath UnicodeString | |
tbgType UInt32 | |
x Int32 | |
y Int32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "22032",
"version": "0",
"level": "4",
"task": "22034",
"opcode": "0",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:22:41.468405400+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "4760"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"hwnd": "0x380680",
"hwndTaskBand": "0x20144",
"pTBGroup": "0xC910520",
"pszExePath": "C:\\Windows\\System32\\msdtc.exe",
"tbgType": " 1",
"x": "249",
"y": "1"
},
"message": ""
}
Event ID 22033: Taskbar_Window_Removed
#Fields #
| Name | Description |
|---|---|
hwnd Pointer | |
hwndTaskBand Pointer | |
pTBGroup Pointer | |
pszExePath UnicodeString | |
tbgType UInt32 | |
x Int32 | |
y Int32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "22033",
"version": "0",
"level": "4",
"task": "22035",
"opcode": "0",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:22:41.489787000+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "4760"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"hwnd": "0x380680",
"hwndTaskBand": "0x20144",
"pTBGroup": "0xC910520",
"pszExePath": "C:\\Windows\\System32\\msdtc.exe",
"tbgType": " 1",
"x": "249",
"y": "1"
},
"message": ""
}
Event ID 22035: Taskbar_Item_Created
#Fields #
| Name | Description |
|---|---|
hwndItem Pointer |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "22035",
"version": "0",
"level": "4",
"task": "22037",
"opcode": "0",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:22:41.461680100+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "4760"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"hwndItem": "0x380680"
},
"message": ""
}
Event ID 22036: Taskbar_Item_Destroyed
#Fields #
| Name | Description |
|---|---|
hwndItem Pointer |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "22036",
"version": "0",
"level": "4",
"task": "22038",
"opcode": "0",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:22:41.490201700+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "4760"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"hwndItem": "0x380680"
},
"message": ""
}
Event ID 22037: Taskbar_Group_Created
#Fields #
| Name | Description |
|---|---|
pszGroup UnicodeString | |
hwndItem Pointer |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "22037",
"version": "0",
"level": "4",
"task": "22039",
"opcode": "0",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:22:41.465049300+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "4760"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"pszGroup": "C:\\Windows\\System32\\msdtc.exe",
"hwndItem": "0x0"
},
"message": ""
}
Event ID 22038: Taskbar_Group_Destroyed
#Fields #
| Name | Description |
|---|---|
pszGroup UnicodeString | |
hwndItem Pointer |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "22038",
"version": "0",
"level": "4",
"task": "22040",
"opcode": "0",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:22:41.490199000+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "4760"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"pszGroup": "C:\\Windows\\System32\\msdtc.exe",
"hwndItem": "0x0"
},
"message": ""
}
Event ID 22039: Taskbar_Group_AddItem
#Fields #
| Name | Description |
|---|---|
pszGroup UnicodeString | |
hwndItem Pointer |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "22039",
"version": "0",
"level": "4",
"task": "22041",
"opcode": "0",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:22:41.461697100+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "4760"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"pszGroup": "NULL",
"hwndItem": "0x380680"
},
"message": ""
}
Event ID 22040: Taskbar_Group_RemoveItem
#Fields #
| Name | Description |
|---|---|
pszGroup UnicodeString | |
hwndItem Pointer |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "22040",
"version": "0",
"level": "4",
"task": "22042",
"opcode": "0",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:22:41.464943600+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "4760"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"pszGroup": "NULL",
"hwndItem": "0x380680"
},
"message": ""
}
Event ID 22043: Taskbar_AnimFrameStart
#Event ID 22044: Taskbar_AnimFrameStop
#Event ID 22045: Taskbar_ComputeLayout
#Fields #
| Name | Description |
|---|---|
nVisibleRow UInt32 | |
nRequiredRow UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "22045",
"version": "0",
"level": "4",
"task": "22045",
"opcode": "0",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:22:41.468159300+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "4760"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"nVisibleRow": " 1",
"nRequiredRow": " 1"
},
"message": ""
}
Event ID 22046: Taskbar_Compute_Row_Layout
#Fields #
| Name | Description |
|---|---|
nTotalWidth UInt32 | |
nTotalFixedWidth UInt32 | |
iGroupStart UInt32 | |
iItemStart UInt32 | |
iGroupEnd UInt32 | |
iItemEnd UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "22046",
"version": "0",
"level": "4",
"task": "22046",
"opcode": "0",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:22:41.468192400+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "4760"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"nTotalWidth": " 1101",
"nTotalFixedWidth": " 221",
"iGroupStart": " 0",
"iItemStart": "4294967295",
"iGroupEnd": " 5",
"iItemEnd": "4294967295"
},
"message": ""
}
Event ID 22047: Taskbar_ButtonGroup_Rearranged
#Fields #
| Name | Description |
|---|---|
hwndTaskBand Pointer | |
pTBGroup Pointer | |
pszExePath UnicodeString | |
tbgType UInt32 | |
x Int32 | |
y Int32 |
Event ID 22048: Taskbar_Switcher_Context_Menu
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStreamRowLength UInt32 | |
SqmStreamRow Int16 |
Event ID 22049: Taskbar_Scrolling_Stream
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStreamRowLength UInt32 | |
SqmStreamRow Int16 |
Event ID 22050: Taskbar_Window_Picker_Triggers
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStreamRowLength UInt32 | |
SqmStreamRow Int16 |
Event ID 22051: Thumbnail_Window_Picker_Interaction_Stream
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStreamRowLength UInt32 | |
SqmStreamRow Int16 |
Event ID 22052: Legacy_Glom_Interaction_Stream
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStreamRowLength UInt32 | |
SqmStreamRow Int16 |
Event ID 22053: Taskbar_Compute_Column_Layout
#Fields #
| Name | Description |
|---|---|
nTotalHeight UInt32 | |
nTotalFixedHeight UInt32 | |
iGroupStart UInt32 | |
iItemStart UInt32 | |
iGroupEnd UInt32 | |
iItemEnd UInt32 |
Event ID 22054: Taskbar_Taskband_Icon_Size
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 22055: Progress_Bars_Customers
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStreamRowLength UInt32 | |
SqmStreamRow Int16 |
Event ID 22056: Progress_Bars_Glom_Count
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 22057: Progress_Bars_Paused_Count
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 22064: Taskbar_Item_Flashing
#Fields #
| Name | Description |
|---|---|
HWND Pointer | |
IsFlashed UInt32 | |
SourceType UInt32 |
Event ID 22065: Taskbar_OpenWindowContextMenuStart
#Event ID 22066: Taskbar_OpenWindowContextMenuStop
#Event ID 22067: Taskbar_UserActivityTracker
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStreamRowLength UInt32 | |
SqmStreamRow Int16 |
Event ID 22068: Taskbar_RunAsAdmin_ShiftCtrl_Count
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 22069: Taskbar_NewInstanceContextMenu_Count
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 22070: Taskbar_NewInstanceContextMenu_RunAsAdmin_Count
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 22071: Taskbar_DeskbandStream
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStreamRowLength UInt32 | |
SqmStreamRow Int16 |
Event ID 22072: Thumbnail_Toolbar_Stream
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStreamRowLength UInt32 | |
SqmStreamRow Int16 |
Event ID 22073: Taskbar_NumberOfRows
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 22074: ApplicationOverlays
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStreamRowLength UInt32 | |
SqmStreamRow Int16 |
Event ID 22075: Taskbar_Secondary_Glomming_Enabled
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 22076: Taskbar_Multimon_Configuration
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 22077: Number_Of_Displays
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 22078: Taskbar_Multimon_Window_Count
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStreamRowLength UInt32 | |
SqmStreamRow Int16 |
Event ID 22079: Taskbar_Settings_Changed
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "22079",
"version": "0",
"level": "4",
"task": "22079",
"opcode": "0",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:20:38.364159200+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "4760"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 22080: Taskbar_Immersive_Show
#Event ID 22081: Taskbar_Immersive_Hide
#Event ID 22082: Taskbar_PinInitialItemsStart
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ED4-E327-447C-9DE0-51B652C86108}",
"event_source_name": "",
"event_id": 22082,
"version": 0,
"level": 4,
"task": 22082,
"opcode": 1,
"keywords": 2305843009213759488,
"time_created": "2026-05-28T11:13:11.4691230+00:00",
"event_record_id": 751,
"correlation": {},
"execution": {
"process_id": 5200,
"thread_id": 6792
},
"channel": "Microsoft-Windows-Shell-Core/Operational",
"computer": "telemetry-DC-d.cell-d.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {},
"message": ""
}
Event ID 22083: Taskbar_PinInitialItemsStop
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ED4-E327-447C-9DE0-51B652C86108}",
"event_source_name": "",
"event_id": 22083,
"version": 0,
"level": 4,
"task": 22082,
"opcode": 2,
"keywords": 2305843009213759488,
"time_created": "2026-05-28T11:13:11.4733911+00:00",
"event_record_id": 752,
"correlation": {},
"execution": {
"process_id": 5200,
"thread_id": 6792
},
"channel": "Microsoft-Windows-Shell-Core/Operational",
"computer": "telemetry-DC-d.cell-d.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {},
"message": ""
}
Event ID 23001: ViewControl_UserSplitButtonClickStart
#Event ID 23002: ViewControl_UserSplitButtonClickStop
#Event ID 23003: ViewControl_UserViewModeSelectStart
#Event ID 23004: ViewControl_UserViewModeSelectStop
#Event ID 23005: ViewControl_ViewModeChangeNotifyStart
#Event ID 23006: ViewControl_ViewModeChangeNotifyStop
#Event ID 23007: ViewControl_SQMStream
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStreamRowLength UInt32 | |
SqmStreamRow Int16 |
Event ID 23008: TopView_Usage
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStreamRowLength UInt32 | |
SqmStreamRow Int16 |
Event ID 23009: TopView_Save
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStreamRowLength UInt32 | |
SqmStreamRow Int16 |
Event ID 23010: ViewMode_Change
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStreamRowLength UInt32 | |
SqmStreamRow Int16 |
Event ID 23011: Sort_Change
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStreamRowLength UInt32 | |
SqmStreamRow Int16 |
Event ID 23012: Stack_Change
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStreamRowLength UInt32 | |
SqmStreamRow Int16 |
Event ID 23013: Group_Change
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStreamRowLength UInt32 | |
SqmStreamRow Int16 |
Event ID 23110: SendTo_PopulateStart
#Event ID 23111: SendTo_PopulateStop
#Event ID 23201: Glass_Colorization
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 23203: Glass_Composition_Enabled
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 23205: Glass_Theme_Active
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 26001: CTrackEvents_OperationEventStart
#Fields #
| Name | Description |
|---|---|
Operation UnicodeString | Known values
|
Type UInt32 | |
Event UInt32 |
Event ID 26002: CTrackEvents_OperationQueueInfo
#Fields #
| Name | Description |
|---|---|
Operation UnicodeString | Known values
|
PendingCount UInt32 | |
EventReadyState UInt32 |
Event ID 26003: CTrackEvents_StartTimedOperationStart
#Event ID 26004: CTrackEvents_StartTimedOperationStop
#Event ID 26005: CTrackEvents_StopTimedOperationStart
#Event ID 26006: CTrackEvents_StopTimedOperationStop
#Event ID 26007: CTrackEvents_OperationEventEnd
#Fields #
| Name | Description |
|---|---|
Operation UnicodeString | Known values
|
Type UInt32 | |
Event UInt32 |
Event ID 26009: Shell32_AdviseCollectionStart
#Fields #
| Name | Description |
|---|---|
Caller UnicodeString | |
IItemCollection Pointer | |
ICollectionEventSink Pointer | |
Cookie UInt32 | |
HRESULT UInt32 |
Event ID 26010: Shell32_AdviseCollectionStop
#Fields #
| Name | Description |
|---|---|
Caller UnicodeString | |
IItemCollection Pointer | |
ICollectionEventSink Pointer | |
Cookie UInt32 | |
HRESULT UInt32 |
Event ID 26011: Shell32_CDefViewSink_PostMessage
#Fields #
| Name | Description |
|---|---|
RetVal UInt32 | |
HWND Pointer | |
Message UInt64 | |
WPARAM UInt64 | |
LPARAM UInt64 | |
GetLastError UInt32 |
Event ID 27002: PerfTrack_DesktopBackgroundCplStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27004: PerfTrack_ColorSchemeCplStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27005: PerfTrack_StartPane_AllPrograms_ShowStart
#Event ID 27006: PerfTrack_StartPane_AllPrograms_ShowStop
#Event ID 27007: PerfTrack_StartPane_AllPrograms_BackButtonStart
#Event ID 27008: PerfTrack_StartPane_AllPrograms_BackButtonStop
#Event ID 27009: PerfTrack_StartPane_ShowItemStart
#Event ID 27010: PerfTrack_StartPane_ShowItemStop
#Event ID 27011: PerfTrack_StartPane_SearchItemStart
#Event ID 27012: PerfTrack_StartPane_SearchItemStop
#Event ID 27013: PerfTrack_StartPane_LogOffMenuStart
#Event ID 27014: PerfTrack_StartPane_LogOffMenuStop
#Event ID 27015: PerfTrack_StartPane_TopMatchReadyStart
#Event ID 27016: PerfTrack_StartPane_TopMatchReadyStop
#Event ID 27018: PerfTrack_Explorer_DocumentsLibrary_Local_PageDisplayedStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27020: PerfTrack_Explorer_DocumentsLibrary_Local_PageCompletedStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27022: PerfTrack_Explorer_DocumentsLibrary_Network_PageDisplayedStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27024: PerfTrack_Explorer_DocumentsLibrary_Network_PageCompletedStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27026: PerfTrack_Explorer_DocumentsLibrary_OpenSearch_PageDisplayedStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27028: PerfTrack_Explorer_DocumentsLibrary_OpenSearch_PageCompletedStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27030: PerfTrack_Explorer_PicturesLibrary_Local_PageDisplayedStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27032: PerfTrack_Explorer_PicturesLibrary_Local_PageCompletedStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27034: PerfTrack_Explorer_PicturesLibrary_Network_PageDisplayedStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27036: PerfTrack_Explorer_PicturesLibrary_Network_PageCompletedStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27038: PerfTrack_Explorer_PicturesLibrary_OpenSearch_PageDisplayedStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27040: PerfTrack_Explorer_PicturesLibrary_OpenSearch_PageCompletedStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27042: PerfTrack_Explorer_MusicLibrary_Local_PageDisplayedStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27044: PerfTrack_Explorer_MusicLibrary_Local_PageCompletedStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27046: PerfTrack_Explorer_MusicLibrary_Network_PageDisplayedStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27048: PerfTrack_Explorer_MusicLibrary_Network_PageCompletedStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27050: PerfTrack_Explorer_MusicLibrary_OpenSearch_PageDisplayedStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27052: PerfTrack_Explorer_MusicLibrary_OpenSearch_PageCompletedStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27054: PerfTrack_Explorer_VideosLibrary_Local_PageDisplayedStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27056: PerfTrack_Explorer_VideosLibrary_Local_PageCompletedStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27058: PerfTrack_Explorer_VideosLibrary_Network_PageDisplayedStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27060: PerfTrack_Explorer_VideosLibrary_Network_PageCompletedStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27062: PerfTrack_Explorer_VideosLibrary_OpenSearch_PageDisplayedStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27064: PerfTrack_Explorer_VideosLibrary_OpenSearch_PageCompletedStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27078: PerfTrack_Explorer_UsersFiles_PageDisplayedStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27080: PerfTrack_Explorer_UsersFiles_PageCompletedStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27082: PerfTrack_CFD_DocumentsLibrary_Local_PageDisplayedStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27084: PerfTrack_CFD_DocumentsLibrary_Local_PageCompletedStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27086: PerfTrack_CFD_DocumentsLibrary_Network_PageDisplayedStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27088: PerfTrack_CFD_DocumentsLibrary_Network_PageCompletedStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27090: PerfTrack_CFD_DocumentsLibrary_OpenSearch_PageDisplayedStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27092: PerfTrack_CFD_DocumentsLibrary_OpenSearch_PageCompletedStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27094: PerfTrack_CFD_PicturesLibrary_Local_PageDisplayedStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27096: PerfTrack_CFD_PicturesLibrary_Local_PageCompletedStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27098: PerfTrack_CFD_PicturesLibrary_Network_PageDisplayedStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27100: PerfTrack_CFD_PicturesLibrary_Network_PageCompletedStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27102: PerfTrack_CFD_PicturesLibrary_OpenSearch_PageDisplayedStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27104: PerfTrack_CFD_PicturesLibrary_OpenSearch_PageCompletedStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27106: PerfTrack_CFD_MusicLibrary_Local_PageDisplayedStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27108: PerfTrack_CFD_MusicLibrary_Local_PageCompletedStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27110: PerfTrack_CFD_MusicLibrary_Network_PageDisplayedStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27112: PerfTrack_CFD_MusicLibrary_Network_PageCompletedStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27114: PerfTrack_CFD_MusicLibrary_OpenSearch_PageDisplayedStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27116: PerfTrack_CFD_MusicLibrary_OpenSearch_PageCompletedStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27118: PerfTrack_CFD_VideosLibrary_Local_PageDisplayedStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27120: PerfTrack_CFD_VideosLibrary_Local_PageCompletedStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27122: PerfTrack_CFD_VideosLibrary_Network_PageDisplayedStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27124: PerfTrack_CFD_VideosLibrary_Network_PageCompletedStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27126: PerfTrack_CFD_VideosLibrary_OpenSearch_PageDisplayedStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27128: PerfTrack_CFD_VideosLibrary_OpenSearch_PageCompletedStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27142: PerfTrack_CFD_UsersFiles_PageDisplayedStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27144: PerfTrack_CFD_UsersFiles_PageCompletedStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27145: PerfTrack_StartMenu_Search_PageDisplayedStart
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 |
Event ID 27146: PerfTrack_StartMenu_Search_PageDisplayedStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27147: PerfTrack_StartMenu_Search_PageCompletedStart
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 |
Event ID 27148: PerfTrack_StartMenu_Search_PageCompletedStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27149: PerfTrack_Taskbar_LaunchStart
#Event ID 27151: PerfTrack_HoverUI_FadeInStart
#Event ID 27152: PerfTrack_HoverUI_FadeInStop
#Event ID 27153: PerfTrack_StartMenu_ControlPanelStart
#Event ID 27154: PerfTrack_StartMenu_ControlPanelStop
#Event ID 27155: PerfTrack_StartMenu_PicturesStart
#Event ID 27156: PerfTrack_StartMenu_PicturesStop
#Event ID 27157: PerfTrack_StartMenu_MusicStart
#Event ID 27158: PerfTrack_StartMenu_MusicStop
#Event ID 27159: PerfTrack_StartMenu_DocumentsStart
#Event ID 27160: PerfTrack_StartMenu_DocumentsStop
#Event ID 27161: PerfTrack_SearchBox_CharactersTypedStart
#Event ID 27162: PerfTrack_SearchBox_CharactersTypedStop
#Event ID 27163: PerfTrack_Taskbar_DestinationList_UpStart
#Event ID 27164: PerfTrack_Taskbar_DestinationList_UpStop
#Event ID 27165: PerfTrack_StartMenu_DestinationList_UpStart
#Event ID 27166: PerfTrack_StartMenu_DestinationList_UpStop
#Event ID 27168: PerfTrack_Explorer_NetworkFileFolderViewStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27170: PerfTrack_Explorer_NetworkFolderHighDPIStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27172: PerfTrack_Explorer_LocalFolderHighDPIStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27173: PerfTrack_Explorer_FrameCloseStart
#Event ID 27174: PerfTrack_Explorer_FrameCloseStop
#Event ID 27176: PerfTrack_Explorer_Templates_GroupedViewStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27178: PerfTrack_Explorer_Templates_StackedViewStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27180: PerfTrack_Explorer_Templates_ThumbnailViewStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27182: PerfTrack_Explorer_Templates_SearchGroupedViewStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27184: PerfTrack_Explorer_Templates_SearchStackedViewStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27186: PerfTrack_Explorer_Templates_SearchThumbnailViewStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27188: PerfTrack_Explorer_Templates_SearchGrepViewStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27190: PerfTrack_Explorer_Templates_OpenSearchViewStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27191: PerfTrack_FilterMenu_EnumeratesTypeValuesStart
#Event ID 27192: PerfTrack_FilterMenu_EnumeratesTypeValuesStop
#Event ID 27193: PerfTrack_FilterMenu_ListEnumeratesRangeStart
#Event ID 27194: PerfTrack_FilterMenu_ListEnumeratesRangeStop
#Event ID 27195: PerfTrack_FilterMenu_MRUEnumerateValuesStart
#Event ID 27196: PerfTrack_FilterMenu_MRUEnumerateValuesStop
#Event ID 27197: PerfTrack_FilterMenu_MRUListEnumeratesRangesStart
#Event ID 27198: PerfTrack_FilterMenu_MRUListEnumeratesRangesStop
#Event ID 27199: PerfTrack_FilterMenu_MRUControlRendersStart
#Event ID 27200: PerfTrack_FilterMenu_MRUControlRendersStop
#Event ID 27202: PerfTrack_HomeGroup_EnumInViewStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27203: PerfTrack_HomeGroup_EnumInNavPaneStart
#Event ID 27204: PerfTrack_HomeGroup_EnumInNavPaneStop
#Event ID 27206: PerfTrack_HomeGroup_RemotePC_EnumInViewStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27208: PerfTrack_HomeGroup_PublishedItem_PageDisplayedStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27209: PerfTrack_OpenSearch_QueryServerStart
#Event ID 27210: PerfTrack_OpenSearch_QueryServerStop
#Event ID 27211: PerfTrack_Explorer_ItemsView_PageScrollStart
#Event ID 27212: PerfTrack_Explorer_ItemsView_PageScrollStop
#Event ID 27213: PerfTrack_Shell32_CopyEngine_CancelDlgStart
#Event ID 27214: PerfTrack_Shell32_CopyEngine_CancelDlgStop
#Event ID 27215: PerfTrack_LibraryLocation_AddedToLibStart
#Event ID 27216: PerfTrack_LibraryLocation_AddedToLibStop
#Event ID 27221: PerfTrack_FilterMenu_FilterSuggestInitialStart
#Event ID 27222: PerfTrack_FilterMenu_FilterSuggestInitialStop
#Event ID 27223: PerfTrack_FilterMenu_FilterSuggestFinalStart
#Event ID 27224: PerfTrack_FilterMenu_FilterSuggestFinalStop
#Event ID 27226: PerfTrack_Taskbar_Launch_ExplorerStop
#Event ID 27227: PerfTrack_StartPane_TopMatchReadyStop27227
#Event ID 27229: PerfTrack_Explorer_Templates_SearchIndexedViewStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27230: PerfTrack_Explorer_ExplorerStartToDesktopReadyStart
#Event ID 27231: PerfTrack_Explorer_ExplorerStartToDesktopReadyStop
#Event ID 27233: PerfTrack_HomeGroup_PublishedItem_PageCompleteStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27234: Delayed_Filter_Contents
#Event ID 27235: PerfTrack_Explorer_Invoke_CancelledStop
#Event ID 27236: PerfTrack_StartMenu_Pictures_NetworkStop
#Event ID 27237: PerfTrack_StartMenu_Music_NetworkStop
#Event ID 27238: PerfTrack_StartMenu_Documents_NetworkStop
#Event ID 27239: PerfTrack_ControlPanel_CategoryNavigationStart
#Event ID 27240: PerfTrack_ControlPanel_CategoryNavigationStop
#Event ID 27241: PerfTrack_StartMenu_SystemControlPanel_LaunchStart
#Event ID 27242: PerfTrack_StartMenu_SystemControlPanel_LaunchStop
#Event ID 27248: PerfTrack_HomeGroup_User_EnumInViewStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27250: PerfTrack_HomeGroup_KnownLibrary_PageCompleteStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27252: PerfTrack_HomeGroup_KnownLibrary_PageDisplayedStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27254: PerfTrack_HomeGroup_LocalPC_EnumInViewStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 27255: PerfTrack_Launcher_LoginStart
#Event ID 27256: PerfTrack_Launcher_LoginStop
#Fields #
| Name | Description |
|---|---|
RenderedTileCount UInt32 | |
RealizedTileCount UInt32 |
Event ID 27257: PerfTrack_DeviceUX_DeviceCenter_EnumInViewStop
#Fields #
| Name | Description |
|---|---|
BrowserId UInt32 | |
ItemCount UInt32 |
Event ID 28003: Shell32_AppResolver_GetAppIDForWindowStart
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "28003",
"version": "0",
"level": "4",
"task": "28163",
"opcode": "1",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:20:38.453753500+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "13268"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 28004: Shell32_AppResolver_GetAppIDForWindowStop
#Event ID 28017: AppResolver Scan Started.
#Description
AppResolver Scan Started.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ED4-E327-447C-9DE0-51B652C86108}",
"event_source_name": "",
"event_id": 28017,
"version": 0,
"level": 4,
"task": 28177,
"opcode": 1,
"keywords": 2305843009213759488,
"time_created": "2026-06-13T05:45:39.5271430+00:00",
"event_record_id": 2015,
"correlation": {},
"execution": {
"process_id": 6328,
"thread_id": 2528
},
"channel": "Microsoft-Windows-Shell-Core/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {},
"message": "AppResolver Scan Started."
}
Event ID 28018: AppResolver Scan Stopped.
#Description
AppResolver Scan Stopped.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ED4-E327-447C-9DE0-51B652C86108}",
"event_source_name": "",
"event_id": 28018,
"version": 0,
"level": 4,
"task": 28177,
"opcode": 2,
"keywords": 2305843009213759488,
"time_created": "2026-06-13T05:45:39.6235328+00:00",
"event_record_id": 2018,
"correlation": {},
"execution": {
"process_id": 6328,
"thread_id": 2528
},
"channel": "Microsoft-Windows-Shell-Core/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {},
"message": "AppResolver Scan Stopped."
}
Event ID 28019: AppResolver Cache Committed.
#Description
AppResolver Cache Committed.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ED4-E327-447C-9DE0-51B652C86108}",
"event_source_name": "",
"event_id": 28019,
"version": 0,
"level": 4,
"task": 28179,
"opcode": 0,
"keywords": 2305843009213759488,
"time_created": "2026-06-13T05:45:39.6320164+00:00",
"event_record_id": 2019,
"correlation": {},
"execution": {
"process_id": 6328,
"thread_id": 2528
},
"channel": "Microsoft-Windows-Shell-Core/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {},
"message": "AppResolver Cache Committed."
}
Event ID 28026: Shell32_AppResolverCache_ImportShortcut
#Fields #
| Name | Description |
|---|---|
AppID UnicodeString | |
Code UInt32 |
Event ID 28027: Shell32_LauncherLayoutManager_ChangeNotify
#Fields #
| Name | Description |
|---|---|
AppID UnicodeString | |
Event Int32 |
Event ID 28028: Shell32_RegistryPackageChangeListener_RescanStart
#Fields #
| Name | Description |
|---|---|
Identity UnicodeString |
Event ID 28029: Shell32_RegistryPackageChangeListener_RescanStop
#Fields #
| Name | Description |
|---|---|
InstalledVersion Int32 | |
HRESULT UInt32 |
Event ID 28030: Shell32_RegistryPackageChangeListener_Rescan
#Fields #
| Name | Description |
|---|---|
StoreVersion Int32 | |
InstalledVersion Int32 |
Event ID 28031: Shell32_RegistryPackageChangeListener_ApplyChange
#Fields #
| Name | Description |
|---|---|
AppID UnicodeString | |
Event Int32 |
Event ID 28032: AppResolver has parsed the visual elements manifest for a tile.
#Description
AppResolver has parsed the visual elements manifest for a tile.
Message #
Fields #
| Name | Description |
|---|---|
Filename UnicodeString | |
SchemaType UInt32 | |
ErrorCode UInt32 | |
Failure reason | |
Failurereason |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ED4-E327-447C-9DE0-51B652C86108}",
"event_source_name": "",
"event_id": 28032,
"version": 0,
"level": 4,
"task": 28180,
"opcode": 0,
"keywords": 2305843009213759488,
"time_created": "2026-06-13T05:45:39.6090765+00:00",
"event_record_id": 2016,
"correlation": {},
"execution": {
"process_id": 6328,
"thread_id": 2528
},
"channel": "Microsoft-Windows-Shell-Core/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"Filename": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.VisualElementsManifest.xml",
"SchemaType": "2",
"ErrorCode": "0",
"Failure reason": "NULL"
},
"message": "AppResolver has parsed the visual elements manifest for a tile."
}
Event ID 28101: Shell32_WindowPropStore_SetValue
#Event ID 28103: Shell32_WindowPropStore_GetValue
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "28103",
"version": "0",
"level": "4",
"task": "28185",
"opcode": "0",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:20:18.461180100+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "4760"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 28105: Shell32_WindowPropStore_ValueRemoved
#Event ID 28107: Shell32_AppResolver_DualModeDisallowed
#Fields #
| Name | Description |
|---|---|
AppID UnicodeString | |
Code UInt32 |
Event ID 28109: Application AppID state changed from OldState to NewState due to package PackageName having state Value in registry list.
#Event ID 28111: Application AppID state changed from OldState to NewState due to package PackageName being removed from registry list.
#Event ID 28113: Change notified on {Filename} with event {Event}.
#Event ID 28115: Shortcut for application Name with ID AppID and flags Flags is added to app resolver cache.
#Description
Shortcut for application Name with ID AppID and flags Flags is added to app resolver cache.
Message #
Fields #
| Name | Description | Rules |
|---|---|---|
Name UnicodeString | 4 detection rules | |
AppID UnicodeString | 4 detection rules | |
Flags UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ED4-E327-447C-9DE0-51B652C86108}",
"event_source_name": "",
"event_id": 28115,
"version": 0,
"level": 4,
"task": 28141,
"opcode": 0,
"keywords": 2305843009213759488,
"time_created": "2026-05-29T06:21:57.9179109+00:00",
"event_record_id": 1784,
"correlation": {},
"execution": {
"process_id": 2752,
"thread_id": 6412
},
"channel": "Microsoft-Windows-Shell-Core/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"Name": "7-Zip Help",
"AppID": "{6D809377-6AF0-444B-8957-A3773F02200E}\\7-Zip\\7-zip.chm",
"Flags": "544"
},
"message": "Shortcut for application 7-Zip Help with ID {6D809377-6AF0-444B-8957-A3773F02200E}\\7-Zip\\7-zip.chm and flags 0x220 is added to app resolver cache."
}
Detection Rules #
View all rules referencing this event →Sigma # view in coverage
Event ID 28116: Shortcut for application Name with ID AppID and flags Flags is removed from app resolver cache.
#Event ID 28117: Shortcut for application Name with ID AppID and flags Flags is updated in app resolver cache.
#Description
Shortcut for application Name with ID AppID and flags Flags is updated in app resolver cache.
Message #
Fields #
| Name | Description |
|---|---|
Name UnicodeString | |
AppID UnicodeString | |
Flags UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ED4-E327-447C-9DE0-51B652C86108}",
"event_source_name": "",
"event_id": 28117,
"version": 0,
"level": 4,
"task": 28143,
"opcode": 0,
"keywords": 2305843009213759488,
"time_created": "2026-06-13T05:45:39.6168610+00:00",
"event_record_id": 2017,
"correlation": {},
"execution": {
"process_id": 6328,
"thread_id": 2528
},
"channel": "Microsoft-Windows-Shell-Core/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"Name": "Microsoft Edge",
"AppID": "MSEdge",
"Flags": "49"
},
"message": "Shortcut for application Microsoft Edge with ID MSEdge and flags 0x31 is updated in app resolver cache."
}
Event ID 28119: Start screen loaded layout which contains Groups groups and Tiles tiles (including Placeholders placeholders), Flags=Flags.
#Event ID 28121: Start screen loaded persisted layout which contains {Groups} groups and {Tiles} tiles (including {Placeholders} placeholders).
#Event ID 28123: Updated start screen layout: ItemsExisting items initially; ItemsAdded added; ItemsRemoved removed; ItemsRemoved updated.
#Event ID 28125: Starting to refresh app resolver cache for scenario Scenario with flags Flags.
#Description
Starting to refresh app resolver cache for scenario Scenario with flags Flags.
Message #
Fields #
| Name | Description |
|---|---|
Scenario Int32 | |
Flags Int32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ED4-E327-447C-9DE0-51B652C86108}",
"event_source_name": "",
"event_id": 28125,
"version": 0,
"level": 4,
"task": 28137,
"opcode": 0,
"keywords": 2305843009213759488,
"time_created": "2026-05-29T16:34:06.9496834+00:00",
"event_record_id": 1944,
"correlation": {},
"execution": {
"process_id": 6328,
"thread_id": 6472
},
"channel": "Microsoft-Windows-Shell-Core/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"Scenario": "1",
"Flags": "2316"
},
"message": "Starting to refresh app resolver cache for scenario 1 with flags 2316."
}
Event ID 28127: Shell32_StateStoreCommitRetry
#Fields #
| Name | Description |
|---|---|
UpdateSource Int32 | |
RetryCount Int32 | |
ErrorCode UInt32 |
Event ID 28189: AppResolver_AppInstallation
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStreamRowLength UInt32 | |
SqmStreamRow Int16 |
Event ID 28191: Shell32_OperationTile_SQMStream
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStreamRowLength UInt32 | |
SqmStreamRow Int16 |
Event ID 28193: Shell32_OperationManager_SQMStream
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStreamRowLength UInt32 | |
SqmStreamRow Int16 |
Event ID 28195: Shell32_ConflictUI_SQMStream
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStreamRowLength UInt32 | |
SqmStreamRow Int16 |
Event ID 50001: ShellLib_AdjustImageStart
#Event ID 50002: ShellLib_AdjustImageStop
#Event ID 50101: ShutdownUX_ShowMenuStart
#Event ID 50102: ShutdownUX_ShowMenuStop
#Event ID 50103: ShutdownUX_DefaultButtonPressStart
#Event ID 50104: ShutdownUX_DefaultButtonPressStop
#Event ID 50105: ShutdownUX_SelectMenuItemStart
#Event ID 50106: ShutdownUX_SelectMenuItemStop
#Event ID 50107: ShutdownUX_StartMenuCriticalPathStart
#Event ID 50108: ShutdownUX_StartMenuCriticalPathStop
#Event ID 50201: CDBurn_SQM_PrepareDisc_Launch
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 50202: CDBurn_SQM_PrepareDisc_Mastered
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 50203: CDBurn_SQM_PrepareDisc_LiveFS
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 50204: CDBurn_SQM_Mastered_Session
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 50205: CDBurn_SQM_SessionOpenOnEject_Multi
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 50206: CDBurn_SQM_SessionOpenOnEject_Single
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 50207: CDBurn_SQM_IsoBurn_Session
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 50208: CDBurn_SQM_CloseSession_Command
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 50209: CDBurn_IsoBurn_Launch
#Event ID 50210: CDBurn_IsoBurn_TaskStart
#Event ID 50211: CDBurn_IsoBurn_TaskStop
#Event ID 60000: IE_HistoryBrokerStartupStart
#Event ID 60001: IE_HistoryBrokerStartupStop
#Event ID 60002: IE_HistoryBrokerShutdownStart
#Event ID 60003: IE_HistoryBrokerShutdownStop
#Event ID 60004: IE_AddToHistoryStart
#Event ID 60005: IE_AddToHistoryStop
#Event ID 60006: IE_QueryHistoryStart
#Event ID 60007: IE_QueryHistoryStop
#Event ID 60008: IE_EnumHistoryRecordsStart
#Event ID 60009: IE_EnumHistoryRecordsStop
#Event ID 60010: IE_LegacyHistoryAddStart
#Event ID 60011: IE_LegacyHistoryAddStop
#Event ID 60012: IE_LegacyHistoryQueryStart
#Event ID 60013: IE_LegacyHistoryQueryStop
#Event ID 60014: IE_LegacyHistoryEnumStart
#Event ID 60015: IE_LegacyHistoryEnumStop
#Event ID 60016: IE_CreateThumbnailStart
#Event ID 60017: IE_CreateThumbnailStop
#Event ID 60018: IE_ScaleThumbnailStart
#Event ID 60019: IE_ScaleThumbnailStop
#Event ID 60020: IE_CompressThumbnailStart
#Event ID 60021: IE_CompressThumbnailStop
#Event ID 60022: IE_GenerateThumbnailStart
#Event ID 60023: IE_GenerateThumbnailStop
#Event ID 60025: IE_LButtonAction
#Event ID 60026: IE_ExtensionCreateStart
#Event ID 60027: IE_ExtensionCreateStop
#Event ID 60028: IE_ExtensionSetSiteStart
#Event ID 60029: IE_ExtensionSetSiteStop
#Event ID 60030: IE_ExtensionShowDWStart
#Event ID 60031: IE_ExtensionShowDWStop
#Event ID 60032: IE_ExtensionCloseDWStart
#Event ID 60033: IE_ExtensionCloseDWStop
#Event ID 60034: IE_ExtensionSetSiteNullStart
#Event ID 60035: IE_ExtensionSetSiteNullStop
#Event ID 60036: IE_ExtensionReleaseStart
#Event ID 60037: IE_ExtensionReleaseStop
#Event ID 60101: StructuredQuery_ParseTextStart
#Event ID 60102: StructuredQuery_ParseTextStop
#Event ID 60103: StructuredQuery_ResolveStart
#Event ID 60104: StructuredQuery_ResolveStop
#Event ID 60105: StructuredQuery_InitQueryParserStart
#Event ID 60106: StructuredQuery_InitQueryParserStop
#Event ID 60107: StructuredQuery_RestateQueryStart
#Event ID 60108: StructuredQuery_RestateQueryStop
#Event ID 60109: StructuredQuery_CreateSchemaBinaryStart
#Event ID 60110: StructuredQuery_CreateSchemaBinaryStop
#Event ID 60111: StructuredQuery_LoadSchemaBinaryStart
#Event ID 60112: StructuredQuery_LoadSchemaBinaryStop
#Event ID 60113: StructuredQuery_SaveSchemaBinaryStart
#Event ID 60114: StructuredQuery_SaveSchemaBinaryStop
#Event ID 60115: StructuredQuery_FindMatchesStart
#Event ID 60116: StructuredQuery_FindMatchesStop
#Event ID 60117: StructuredQuery_CreateWordBreakerStart
#Event ID 60118: StructuredQuery_CreateWordBreakerStop
#Event ID 60119: StructuredQuery_InitWordBreakerStart
#Event ID 60120: StructuredQuery_InitWordBreakerStop
#Event ID 60201: SearchBox_ColorAQSStart
#Event ID 60202: SearchBox_ColorAQSStop
#Event ID 60203: SearchBox_Popup_ShowStart
#Event ID 60204: SearchBox_Popup_ShowStop
#Event ID 60205: SearchBox_MRU_PopulateStart
#Event ID 60206: SearchBox_MRU_PopulateStop
#Event ID 60213: SearchBox_MRU_PopulateStart60213
#Event ID 60214: SearchBox_MRU_PopulateStop60214
#Event ID 60215: SearchBox_Acquired_Focus
#Event ID 60216: SearchBox_LinguisticAlternativeGenerator_GenerateAlternativesStart
#Fields #
| Name | Description |
|---|---|
CLSIDTextService GUID | |
LangId UInt32 | |
LangProfile GUID |
Event ID 60217: SearchBox_LinguisticAlternativeGenerator_GenerateAlternativesStop
#Fields #
| Name | Description |
|---|---|
CLSIDTextService GUID | |
LangId UInt32 | |
LangProfile GUID | |
HRESULT UInt32 | |
QueryLen UInt32 | |
AltCount UInt32 | |
ReasonCode UInt32 |
Event ID 60220: SearchBox_SearchConversionList_BeginUIElement
#Fields #
| Name | Description |
|---|---|
ElemId UInt32 | |
IsUILess Boolean | |
IsIntegratable Boolean |
Event ID 60221: SearchBox_SearchConversionList_UpdateUIElement
#Fields #
| Name | Description |
|---|---|
ElemId UInt32 | |
Flags UInt32 |
Event ID 60301: TryHarder_Draw_AllStart
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "60301",
"version": "0",
"level": "4",
"task": "60301",
"opcode": "1",
"keywords": 9225623836668526592,
"time_created": "2026-03-15T04:21:15.003422300+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "8552"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 60302: TryHarder_Draw_AllStop
#Event ID 60303: TryHarder_Calculate_ScopesStart
#Event ID 60304: TryHarder_Calculate_ScopesStop
#Event ID 60305: TryHarder_Calculate_Search_File_ContentsStart
#Event ID 60306: TryHarder_Calculate_Search_File_ContentsStop
#Event ID 60307: TryHarder_Calculate_Search_SubfoldersStart
#Event ID 60308: TryHarder_Calculate_Search_SubfoldersStop
#Event ID 60309: TryHarder_Start_New_SearchStart
#Event ID 60310: TryHarder_Start_New_SearchStop
#Event ID 60311: TryHarder_Internet_RolloverStart
#Event ID 60312: TryHarder_Internet_RolloverStop
#Event ID 60401: NetworkUX_NewNetCountMaxReached
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmDWORDDatapointValue UInt32 |
Event ID 60501: NAVPANE_ACTION
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStreamRowLength UInt32 | |
SqmStreamRow Int16 |
Event ID 60503: NAVIGATIONPANE_ITEMCOUNTS
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStreamRowLength UInt32 | |
SqmStreamRow Int16 |
Event ID 60601: ItemsView_UIItemsView_BatchFirstEvent
#Event ID 60605: ItemsView_UIItemsView_FlushBatchStart
#Event ID 60607: ItemsView_UIItemsView_EndBatching
#Event ID 60609: ItemsView_UIItemsView_NotifyContentsChangedStart
#Event ID 60610: ItemsView_UIItemsView_NotifyContentsChangedStop
#Event ID 60611: ItemsView_UIItemsView_PreProcessEventQueueStart
#Event ID 60612: ItemsView_UIItemsView_PreProcessEventQueueStop
#Fields #
| Name | Description |
|---|---|
Flushed UInt32 | |
Skipped UInt32 | |
Batched UInt32 |
Event ID 60613: ItemsView_UIItem_OnItemEventStart
#Event ID 60614: ItemsView_UIItem_OnItemEventStop
#Event ID 60615: ItemsView_UICollection_OnCollectionEventStart
#Event ID 60616: ItemsView_UICollection_OnCollectionEventStop
#Event ID 60617: ItemsView_UIItemsView_PaintStart
#Event ID 60618: ItemsView_UIItemsView_PaintStop
#Event ID 60619: ItemsView_LineScroller_RealizeContentStart
#Event ID 60620: ItemsView_LineScroller_RealizeContentStop
#Event ID 60621: ItemsView_LineScroller_LayoutPassStart
#Event ID 60622: ItemsView_LineScroller_LayoutPassStop
#Event ID 60623: ItemsView_LineScroller_DesiredSizePassStart
#Event ID 60624: ItemsView_LineScroller_DesiredSizePassStop
#Event ID 60625: ItemsView_ItemDevirtualizer_ForegroundFullDevirtualization
#Event ID 60626: ItemsView_UIColumnHeader_SortColumnStart
#Event ID 60627: ItemsView_UIColumnHeader_SortColumnStop
#Event ID 60628: ItemsView_SelectionState_SelectionChangeStart
#Event ID 60629: ItemsView_SelectionState_SelectionChangeStop
#Event ID 60631: ItemsView_AnimationManager_SetupAnimationStart
#Fields #
| Name | Description |
|---|---|
ANIMATIONTYPE UInt32 |
Event ID 60632: ItemsView_AnimationManager_SetupAnimationStop
#Fields #
| Name | Description |
|---|---|
ANIMATIONTYPE UInt32 |
Event ID 60633: ItemsView_AnimationManager_FinishAnimationSetupStart
#Fields #
| Name | Description |
|---|---|
ANIMATIONTYPE UInt32 |
Event ID 60634: ItemsView_AnimationManager_FinishAnimationSetupStop
#Fields #
| Name | Description |
|---|---|
ANIMATIONTYPE UInt32 |
Event ID 60635: ItemsView_AnimationManager_AllocateHBITMAPStart
#Event ID 60636: ItemsView_AnimationManager_AllocateHBITMAPStop
#Fields #
| Name | Description |
|---|---|
HRESULT UInt32 | |
Width UInt32 | |
Height UInt32 |
Event ID 60637: ItemsView_AnimationManager_AnimationLoopStart
#Event ID 60638: ItemsView_AnimationManager_AnimationLoopStop
#Fields #
| Name | Description |
|---|---|
AnimationTime UInt32 | |
Frames UInt32 | |
Framerate Double | |
BackBuffersUsed UInt32 |
Event ID 60639: ItemsView_AnimationManager_PaintStart
#Event ID 60640: ItemsView_AnimationManager_PaintStop
#Event ID 60641: ItemsView_SQM
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStreamRowLength UInt32 | |
SqmStreamRow Int16 |
Event ID 60643: ItemsView_UIItemsView_PrefetchStart
#Event ID 60644: ItemsView_UIItemsView_PrefetchStop
#Event ID 60645: ItemsView_UIItemsView_PreparePrefetchStart
#Event ID 60646: ItemsView_UIItemsView_PreparePrefetchStop
#Event ID 60647: ItemsView_UIItemsView_BlockRedrawStart
#Event ID 60649: ItemsView_UIItemsView_RunFirstPageResultsStart
#Event ID 60650: ItemsView_UIItemsView_RunFirstPageResultsStop
#Event ID 60651: ItemsView_ItemDevirtualizer_FullDevirtualization
#Event ID 60652: ItemsView_ItemDevirtualizer_PartialDevirtualization
#Event ID 60655: ItemsView_UIItemsView_StartBatchTimer
#Event ID 60657: ItemsView_UIItemsView_PostEvent
#Event ID 60659: Shell32_CDesktopBrowser_PaintWallpaper
#Fields #
| Name | Description |
|---|---|
MonitorID UInt32 | |
Left Int32 | |
Top Int32 | |
Right Int32 | |
Bottom Int32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "60659",
"version": "0",
"level": "4",
"task": "60659",
"opcode": "0",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:20:38.361259000+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "8552"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"MonitorID": " 0",
"Left": "0",
"Top": "0",
"Right": "1760",
"Bottom": "2048"
},
"message": ""
}
Event ID 60701: Shell_DesktopBackgroundSlideshow_TickStart
#Event ID 60702: Shell_DesktopBackgroundSlideshow_TickStop
#Event ID 60705: Shell_DesktopBackgroundSlideshow_Workitem
#Fields #
| Name | Description |
|---|---|
WorkItem UnicodeString | |
HRESULT UInt32 | |
TimeToNextTick UInt32 | |
Paused UInt32 |
Event ID 60708: Shell32_CDesktopBrowser_Slideshow_Tick_Timer
#Fields #
| Name | Description |
|---|---|
ErrorCode UInt32 |
Event ID 60709: Shell32_CDesktopBrowser_Slideshow_Tick_Manual
#Fields #
| Name | Description |
|---|---|
ErrorCode UInt32 |
Event ID 60711: Shell32_AutoColorization_ColorChosen
#Fields #
| Name | Description |
|---|---|
dwColorChosen UInt32 | |
pszFilePath UnicodeString |
Event ID 60712: Shell32_AutoColorization_AnalysisStart
#Event ID 60713: Shell32_AutoColorization_AnalysisStop
#Event ID 60714: Shell32_CDesktopWallpaper_AutoSpan
#Fields #
| Name | Description |
|---|---|
pszFilePath UnicodeString | |
uImageWidth UInt32 | |
uImageHeight UInt32 |
Event ID 60715: Shell32_CDesktopWallpaper_AutoDecision
#Fields #
| Name | Description |
|---|---|
fFillChosenOverFit Boolean | |
pszFilePath UnicodeString | |
uImageWidth UInt32 | |
uImageHeight UInt32 | |
uMonitorWidth UInt32 | |
uMonitorHeight UInt32 |
Event ID 60716: Shell32_CDesktopWallpaper_WallpaperPosition
#Fields #
| Name | Description |
|---|---|
uPicturePosition UInt32 | |
pszFilePath UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "60716",
"version": "0",
"level": "4",
"task": "60716",
"opcode": "0",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:20:38.361835200+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "8552"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"uPicturePosition": " 1",
"pszFilePath": "C:\\Users\\DOMAIN~1\\AppData\\Local\\Temp\\3\\BGInfo.bmp"
},
"message": ""
}
Event ID 60751: Shell32_ActiveSetupStart
#Event ID 60752: Shell32_ActiveSetupStop
#Event ID 60753: Shell32_ActiveSetup_RunInstallUninstallStubsWorkerStart
#Fields #
| Name | Description |
|---|---|
pszBranchToRun UnicodeString |
Event ID 60754: Shell32_ActiveSetup_RunInstallUninstallStubsWorkerStop
#Fields #
| Name | Description |
|---|---|
pszBranchToRun UnicodeString |
Event ID 60755: Shell32_ActiveSetup_RunOneInstallStubStart
#Fields #
| Name | Description |
|---|---|
pszKeyName UnicodeString | |
activeSetupDisabled Boolean | |
allowTaskOverride Boolean | |
taskEnabled Boolean |
Event ID 60756: Shell32_ActiveSetup_RunOneInstallStubStop
#Fields #
| Name | Description |
|---|---|
pszKeyName UnicodeString | |
activeSetupDisabled Boolean | |
allowTaskOverride Boolean | |
taskEnabled Boolean |
Event ID 60757: Shell32_ActiveSetup_RunPendingGPOsStart
#Event ID 60758: Shell32_ActiveSetup_RunPendingGPOsStop
#Event ID 60759: Shell32_ActiveSetup_RunSetupCommandStart
#Fields #
| Name | Description |
|---|---|
pszPathName UnicodeString |
Event ID 60760: Shell32_ActiveSetup_RunSetupCommandStop
#Fields #
| Name | Description |
|---|---|
pszPathName UnicodeString |
Event ID 60801: ShellLib_DUIControls_CandidateList_Show
#Event ID 60802: ShellLib_DUIControls_CandidateList_Hide
#Event ID 60803: ShellLib_DUIControls_CandidateList_DataSourceChanged
#Fields #
| Name | Description |
|---|---|
Value UInt32 |
Event ID 60804: ShellLib_DUIControls_CandidateList_UIReady
#Event ID 60805: ShellLib_DUIControls_CandidateList_PageChanged
#Fields #
| Name | Description |
|---|---|
PageIndex Int32 | |
InteractionType UInt32 |
Event ID 60806: ShellLib_DUIControls_CandidateList_CandidateFocusChanged
#Fields #
| Name | Description |
|---|---|
Index Int32 |
Event ID 60807: ShellLib_DUIControls_CandidateList_CloseButtonPressed
#Event ID 60809: ShellLib_DUIControls_CandidateList_FillInterrupted
#Fields #
| Name | Description |
|---|---|
CandidateCount Int32 | |
CandidateToFocusIndex Int32 | |
PageToFocusIndex Int32 | |
InteractionType UInt32 |
Event ID 60810: ShellLib_DUIControls_CandidateList_ResumeFill
#Event ID 60811: ShellLib_DUIControls_CandidateList_ForcedPageBreak
#Fields #
| Name | Description |
|---|---|
Index Int32 |
Event ID 60812: ShellLib_DUIControls_CandidateList_RealizePageStart
#Fields #
| Name | Description |
|---|---|
PageCount Int32 | |
CandidateCount Int32 |
Event ID 60813: ShellLib_DUIControls_CandidateList_RealizePageStop
#Fields #
| Name | Description |
|---|---|
PageCount Int32 | |
CandidateCount Int32 |
Event ID 60814: ShellLib_DUIControls_CandidateList_PageLayoutStart
#Fields #
| Name | Description |
|---|---|
Index Int32 |
Event ID 60815: ShellLib_DUIControls_CandidateList_PageLayoutStop
#Fields #
| Name | Description |
|---|---|
Index Int32 |
Event ID 60816: ShellLib_DUIControls_CandidateList_RealizationComplete
#Fields #
| Name | Description |
|---|---|
PageCount Int32 | |
CandidateCount Int32 |
Event ID 60817: ShellLib_DUIControls_CandidateList_RedoPaging
#Event ID 60818: ShellLib_DUIControls_CandidateList_PagingComplete
#Fields #
| Name | Description |
|---|---|
PageCount Int32 | |
CandidateCount Int32 |
Event ID 60819: ShellLib_DUIControls_CandidateList_ButtonPressed
#Fields #
| Name | Description |
|---|---|
ButtonType Int32 |
Event ID 60820: ShellLib_DUIControls_CandidateList_ButtonReleased
#Fields #
| Name | Description |
|---|---|
ButtonType Int32 |
Event ID 60821: ShellLib_DUIControls_CandidateList_PagingAnimationStart
#Event ID 60822: ShellLib_DUIControls_CandidateList_PagingAnimationStop
#Event ID 60823: ShellLib_DUIControls_CandidateList_TouchPanStart
#Event ID 60824: ShellLib_DUIControls_CandidateList_TouchPanStop
#Event ID 60825: ShellLib_DUIControls_CandidateList_ViewRenderStart
#Fields #
| Name | Description |
|---|---|
PageIndex Int32 | |
Type UInt32 |
Event ID 60826: ShellLib_DUIControls_CandidateList_ViewRenderStop
#Fields #
| Name | Description |
|---|---|
PageIndex Int32 | |
HRESULT UInt32 |
Event ID 60903: ShellTask_ExecAssoc_ReputationTelemetryStart
#Fields #
| Name | Description |
|---|---|
psz UnicodeString |
Event ID 60904: ShellTask_ExecAssoc_ReputationTelemetryStop
#Fields #
| Name | Description |
|---|---|
psz UnicodeString |
Event ID 60905: ShellTask_ExecAssoc_ScrubZoneIdentifierStart
#Fields #
| Name | Description |
|---|---|
psz UnicodeString |
Event ID 60906: ShellTask_ExecAssoc_ScrubZoneIdentifierStop
#Fields #
| Name | Description |
|---|---|
psz UnicodeString |
Event ID 60907: ShellTask_ExecAssoc_ZoneCheckFileStop
#Fields #
| Name | Description |
|---|---|
psz UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "60907",
"version": "0",
"level": "4",
"task": "60907",
"opcode": "2",
"keywords": 9223372036854841344,
"time_created": "2026-03-16T00:23:22.271226300+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "1452",
"thread_id": "9352"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"psz": "C:\\Windows\\system32\\notepad.exe"
},
"message": ""
}
Event ID 60908: ShellTask_ExecAssoc_ZoneCheckFileStop60908
#Fields #
| Name | Description |
|---|---|
psz UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "60908",
"version": "0",
"level": "4",
"task": "60907",
"opcode": "2",
"keywords": 9223372036854841344,
"time_created": "2026-03-16T00:23:22.273243300+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "1452",
"thread_id": "9352"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"psz": "C:\\Windows\\system32\\notepad.exe"
},
"message": ""
}
Event ID 60911: ShellTask_ExecAssoc_ZoneCheckFileStop60911
#Fields #
| Name | Description |
|---|---|
psz UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "60911",
"version": "0",
"level": "4",
"task": "60907",
"opcode": "2",
"keywords": 9223372036854841344,
"time_created": "2026-03-16T00:23:22.273257900+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "1452",
"thread_id": "9352"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"psz": "C:\\Windows\\system32\\notepad.exe"
},
"message": ""
}
Event ID 60913: task_0Stop
#Event ID 61001: Shell32_UnknownFileDialog_CreateStart
#Event ID 61002: Shell32_UnknownFileDialog_CreateStop
#Event ID 61003: Shell32_DefaultAssociationsProfileHandler_OnCreate_OEMStart
#Event ID 61004: Shell32_DefaultAssociationsProfileHandler_OnCreate_OEMStop
#Fields #
| Name | Description |
|---|---|
HRESULT Int32 |
Event ID 61005: Shell32_DefaultAssociationsProfileHandler_OnLoad_GroupPolicyStart
#Event ID 61006: Shell32_DefaultAssociationsProfileHandler_OnLoad_GroupPolicyStop
#Fields #
| Name | Description |
|---|---|
HRESULT Int32 |
Event ID 61201: Shell32_SyncIntegration_Manager_InitializeStart
#Event ID 61202: Shell32_SyncIntegration_Manager_InitializeStop
#Event ID 61203: Shell32_SyncIntegration_Manager_Initialize
#Event ID 61204: Shell32_SyncIntegration_Manager_Initialize61204
#Fields #
| Name | Description |
|---|---|
CLSID GUID | |
Name UnicodeString | |
Description UnicodeString | |
AppliesTo UnicodeString | |
State UInt32 |
Event ID 61205: Shell32_SyncIntegration_Manager_Initialize61205
#Fields #
| Name | Description |
|---|---|
CLSID GUID | |
HRESULT UInt32 |
Event ID 61206: Shell32_SyncIntegration_Manager_Initialize61206
#Event ID 61210: Shell32_SyncIntegration_Manager_Notifications
#Fields #
| Name | Description |
|---|---|
CLSID GUID | |
State UInt32 |
Event ID 61211: Shell32_SyncIntegration_Manager_Notifications61211
#Fields #
| Name | Description |
|---|---|
CLSID GUID | |
ItemPath UnicodeString | |
ScopeAffetcedItems UInt32 | |
ItemSyncState UInt32 | |
ItemSyncStatus UnicodeString | |
ItemSyncStatusDescription UnicodeString | |
ItemSyncStatusAction UnicodeString |
Event ID 61212: Shell32_SyncIntegration_Manager_Notifications61212
#Fields #
| Name | Description |
|---|---|
ItemPath UnicodeString | |
HRESULT UInt32 |
Event ID 61213: Shell32_SyncIntegration_Manager_Notifications61213
#Fields #
| Name | Description |
|---|---|
ItemPath UnicodeString | |
HRESULT UInt32 |
Event ID 61214: Shell32_SyncIntegration_Manager_Notifications61214
#Fields #
| Name | Description |
|---|---|
psz UnicodeString |
Event ID 61220: Shell32_SyncIntegration_Manager_GetStatus
#Fields #
| Name | Description |
|---|---|
CLSID GUID | |
State UInt32 |
Event ID 61221: Shell32_SyncIntegration_Manager_GetStatus61221
#Fields #
| Name | Description |
|---|---|
CLSID GUID | |
ItemPath UnicodeString |
Event ID 61301: Shell32_DiscImage_MountVerb_SQMStream
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStreamRowLength UInt32 | |
SqmStreamRow Int16 |
Event ID 61302: Shell32_DiscImage_MountVerbStart
#Event ID 61303: Shell32_DiscImage_MountVerbStop
#Event ID 61320: Shell32_LibraryManagementDialog_CreateIconStart
#Event ID 61321: Shell32_LibraryManagementDialog_CreateIconStop
#Event ID 61322: Shell32_LibraryManagementDialog_SaveChangesStart
#Event ID 61323: Shell32_LibraryManagementDialog_SaveChangesStop
#Event ID 61324: Shell32_LibraryGroupPolicy_EnforceInSSOStart
#Event ID 61325: Shell32_LibraryGroupPolicy_EnforceInSSOStop
#Event ID 61326: Shell32_LibraryGroupPolicy_CreateKnownFolderStart
#Event ID 61327: Shell32_LibraryGroupPolicy_CreateKnownFolderStop
#Event ID 61342: OperationManager_TileStateChanged
#Fields #
| Name | Description |
|---|---|
OldState UInt32 | |
NewState UInt32 |
Event ID 61343: OperationManager_TileCancelled
#Event ID 61345: OperationManager_EnthusiastMode_TileRateChartProgressStart
#Fields #
| Name | Description |
|---|---|
TileID UInt32 |
Event ID 61346: OperationManager_EnthusiastMode_TileRateChartRescale
#Fields #
| Name | Description |
|---|---|
TileID UInt32 |
Event ID 61347: OperationManager_EnthusiastMode_TileRateChartUpdate
#Fields #
| Name | Description |
|---|---|
TileID UInt32 |
Event ID 61360: FileAccessAPI_EnumerationStart
#Fields #
| Name | Description |
|---|---|
TopViewId GUID | |
NumExtensionFilters UInt32 | |
AppQuery UnicodeString | |
UserQuery UnicodeString | |
FolderDepth UInt32 | |
IndexerOption UInt32 | |
NumSortEntries UInt32 |
Event ID 61364: FileAccessAPI_Enumeration_GetViewStart
#Fields #
| Name | Description |
|---|---|
StartIndex UInt32 | |
Count UInt32 |
Event ID 61366: FileAccessAPI_Enumeration_GetAtStart
#Event ID 61368: FileAccessAPI_Enumeration_GetCountStart
#Event ID 61369: FileAccessAPI_Enumeration_GetCountStop
#Fields #
| Name | Description |
|---|---|
Count UInt32 | |
HRESULT UInt32 |
Event ID 61370: FileAccessAPI_StreamAccess_GetStreamStart
#Event ID 61372: FileAccessAPI_StreamAccess_ReadStart
#Fields #
| Name | Description |
|---|---|
CountBytesRequested UInt32 |
Event ID 61374: FileAccessAPI_StreamAccess_WriteStart
#Fields #
| Name | Description |
|---|---|
CountBytesRequested UInt32 |
Event ID 61376: FileAccessAPI_StreamAccess_CommitStart
#Event ID 61380: FileAccessAPI_PropertyAccess_GetPropertiesStart
#Event ID 61381: FileAccessAPI_PropertyAccess_GetPropertiesStop
#Fields #
| Name | Description |
|---|---|
HRESULT UInt32 |
Event ID 61386: FileAccessAPI_PropertyAccess_CommitStart
#Event ID 61390: FileAccessAPI_GetKnownItemStart
#Event ID 61391: FileAccessAPI_GetKnownItemStop
#Fields #
| Name | Description |
|---|---|
KnownItemRequested GUID | |
HRESULT UInt32 |
Event ID 61400: FileAccessAPI_GetThumbnailStart
#Fields #
| Name | Description |
|---|---|
RequestedSize UInt32 | |
Options UInt32 |
Event ID 61410: FileAccessAPI_CreateStart
#Event ID 61412: FileAccessAPI_DeleteStart
#Event ID 61414: FileAccessAPI_RenameStart
#Event ID 61420: FileAccessAPI_AddPersistedItemStart
#Event ID 61421: FileAccessAPI_AddPersistedItemStop
#Fields #
| Name | Description |
|---|---|
Token UnicodeString | |
LifetimeOption UInt32 | |
HRESULT UInt32 |
Event ID 61422: FileAccessAPI_AddReplacePersistedItemStart
#Event ID 61423: FileAccessAPI_AddReplacePersistedItemStop
#Fields #
| Name | Description |
|---|---|
Token UnicodeString | |
LifetimeOption UInt32 | |
HRESULT UInt32 |
Event ID 61424: FileAccessAPI_RemovePersistedItemStart
#Event ID 61425: FileAccessAPI_RemovePersistedItemStop
#Fields #
| Name | Description |
|---|---|
Token UnicodeString | |
LifetimeOption UInt32 | |
HRESULT UInt32 |
Event ID 61426: FileAccessAPI_ClearAllPersistedItemsStart
#Event ID 61428: FileAccessAPI_GetPersistedItemStart
#Fields #
| Name | Description |
|---|---|
Token UnicodeString | |
LifetimeOption UInt32 |
Event ID 61430: FileAccessAPI_EnumeratePersistedItemTokensStart
#Event ID 61431: FileAccessAPI_EnumeratePersistedItemTokensStop
#Fields #
| Name | Description |
|---|---|
Count UInt32 | |
LifetimeOption UInt32 | |
HRESULT UInt32 |
Event ID 61432: FileAccessAPI_GetItemFromPathStart
#Event ID 61434: FileAccessAPI_GetMusicPropertiesStart
#Event ID 61436: FileAccessAPI_GetVideoPropertiesStart
#Event ID 61438: FileAccessAPI_GetImagePropertiesStart
#Event ID 61440: FileAccessAPI_GetDocumentPropertiesStart
#Event ID 61442: FileAccessAPI_StreamedFile_DataRequestStart
#Event ID 61444: FileAccessAPI_StreamedFile_WriteStreamStart
#Event ID 61445: FileAccessAPI_StreamedFile_WriteStreamStop
#Event ID 61446: FileAccessAPI_StreamedFile_Abandoned
#Event ID 61448: FileAccessAPI_CopyStart
#Event ID 61450: FileAccessAPI_MoveStart
#Event ID 61452: FileAccessAPI_GetBasicPropertiesStart
#Event ID 61455: FileAccessAPI_ValidatePathStop
#Fields #
| Name | Description |
|---|---|
HRESULT UInt32 | |
HasAccess Boolean |
Event ID 61457: DataLayerCacheFlush
#Fields #
| Name | Description |
|---|---|
SqmSessionGuid GUID | |
SqmID UInt32 | |
SqmType UInt32 | |
SqmStreamRowLength UInt32 | |
SqmStreamRow Int16 |
Event ID 61460: ShellOplocks_NotGranted
#Fields #
| Name | Description |
|---|---|
Signature UInt64 | |
szFilename UnicodeString |
Event ID 61461: ShellOplocks_Broken
#Event ID 61462: ShellOplocks_BrokenAndWaitingStart
#Fields #
| Name | Description |
|---|---|
Signature UInt64 | |
szFilename UnicodeString |
Event ID 61463: ShellOplocks_BrokenAndWaitingStop
#Fields #
| Name | Description |
|---|---|
Signature UInt64 | |
szFilename UnicodeString |
Event ID 61464: ShellOplocks_AcknowledgedStart
#Fields #
| Name | Description |
|---|---|
Signature UInt64 | |
szFilename UnicodeString |
Event ID 61465: ShellOplocks_AcknowledgedStop
#Fields #
| Name | Description |
|---|---|
Signature UInt64 | |
szFilename UnicodeString |
Event ID 61501: SetUserDefaults_ProgramListPopulatedStart
#Event ID 61502: SetUserDefaults_ProgramListPopulatedStop
#Event ID 61503: SetUserDefaults_ProgramAssociationsPopulatedStart
#Event ID 61504: SetUserDefaults_ProgramAssociationsPopulatedStop
#Event ID 61505: SetUserDefaults_DefaultSetStart
#Event ID 61506: SetUserDefaults_DefaultSetStop
#Event ID 61600: DataPackage_GetPropertiesStart
#Event ID 61601: DataPackage_GetPropertiesStop
#Event ID 61602: DataPackage_GetAvailableFormatsStart
#Event ID 61603: DataPackage_GetAvailableFormatsStop
#Event ID 61604: DataPackage_ContainsStart
#Event ID 61605: DataPackage_ContainsStop
#Event ID 61606: DataPackage_GetDataAsyncStart
#Event ID 61607: DataPackage_GetDataAsyncStop
#Event ID 61608: DataPackage_GetResourceMapAsyncStart
#Event ID 61609: DataPackage_GetResourceMapAsyncStop
#Event ID 61610: DataPackage_SetDataStart
#Event ID 61611: DataPackage_SetDataStop
#Event ID 61612: DataPackage_InvokeDataProviderHandlerStart
#Event ID 61613: DataPackage_InvokeDataProviderHandlerStop
#Event ID 61614: DataPackage_GetTextStart
#Event ID 61615: DataPackage_GetTextStop
#Event ID 61616: DataPackage_SetTextStart
#Event ID 61617: DataPackage_SetTextStop
#Event ID 61622: DataPackage_GetHtmlStart
#Event ID 61623: DataPackage_GetHtmlStop
#Event ID 61624: DataPackage_SetHtmlStart
#Event ID 61625: DataPackage_SetHtmlStop
#Event ID 61626: DataPackage_GetUriStart
#Event ID 61627: DataPackage_GetUriStop
#Event ID 61628: DataPackage_SetUriStart
#Event ID 61629: DataPackage_SetUriStop
#Event ID 61630: DataPackage_GetRtfStart
#Event ID 61631: DataPackage_GetRtfStop
#Event ID 61632: DataPackage_SetRtfStart
#Event ID 61633: DataPackage_SetRtfStop
#Event ID 61634: DataPackage_GetBitmapStart
#Event ID 61635: DataPackage_GetBitmapStop
#Event ID 61636: DataPackage_SetBitmapStart
#Event ID 61637: DataPackage_SetBitmapStop
#Event ID 61638: DataPackage_GetStorageItemsAsyncStart
#Event ID 61639: DataPackage_GetStorageItemsAsyncStop
#Event ID 61640: HtmlFormatHelper_GetStaticFragmentStart
#Event ID 61642: DataPackage_SetStorageItemsStart
#Event ID 61643: DataPackage_SetStorageItemsStop
#Event ID 61644: DataObjectProvider_GetDataObjectStart
#Event ID 61645: DataObjectProvider_GetDataObjectStop
#Event ID 61646: DataObjectProvider_SetDataObjectStart
#Event ID 61647: DataObjectProvider_SetDataObjectStop
#Event ID 61648: HtmlFormatHelper_CreateHtmlFormatStart
#Event ID 61650: Clipboard_GetContentStart
#Event ID 61651: Clipboard_GetContentStop
#Event ID 61652: Clipboard_SetContentStart
#Event ID 61653: Clipboard_SetContentStop
#Event ID 62000: PlaylistFolder_DataSource_Created
#Event ID 62001: PlaylistFolder_DataSource_ItemEnumerationStart
#Event ID 62002: PlaylistFolder_DataSource_ItemEnumerationStop
#Event ID 62003: PlaylistFolder_DataSource_DocumentParseStart
#Event ID 62004: PlaylistFolder_DataSource_DocumentParseStop
#Event ID 62028: PlaylistFolder_Document_MoveStart
#Fields #
| Name | Description |
|---|---|
IndexFrom UInt32 | |
IndexTo UInt32 |
Event ID 62030: PlaylistFolder_Document_CommitStart
#Event ID 62032: PlaylistFolder_Document_SaveStart
#Fields #
| Name | Description |
|---|---|
psiFolder Pointer | |
szPlaylistName UnicodeString | |
flags UInt32 |
Event ID 62050: Shell32_MountPoint_VolumeAddedOrUpdatedStart
#Event ID 62051: Shell32_MountPoint_VolumeAddedOrUpdatedStop
#Event ID 62052: Shell32_MountPoint_VolumeRemovedStart
#Event ID 62053: Shell32_MountPoint_VolumeRemovedStop
#Event ID 62054: Shell32_MountPoint_CreateEventForVolumeArrivalStart
#Event ID 62055: Shell32_MountPoint_CreateEventForVolumeArrivalStop
#Event ID 62056: Shell32_MountPoint_GetAndRemoveVolumeAndItsMtPtsStart
#Event ID 62057: Shell32_MountPoint_GetAndRemoveVolumeAndItsMtPtsStop
#Event ID 62058: Shell32_MountPoint_UpdateVolumeRegInfoStart
#Event ID 62059: Shell32_MountPoint_UpdateVolumeRegInfoStop
#Event ID 62060: Shell32_MountPoint_CreateVolumeObjectStart
#Event ID 62061: Shell32_MountPoint_CreateVolumeObjectStop
#Event ID 62062: Shell32_MountPoint_GetLabelStart
#Event ID 62063: Shell32_MountPoint_GetLabelStop
#Event ID 62064: Shell32_MountPoint_MountPointAddedStart
#Event ID 62065: Shell32_MountPoint_MountPointAddedStop
#Event ID 62066: Shell32_MountPoint_CreateMtPtLocalWithVolumeStart
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "62066",
"version": "0",
"level": "4",
"task": "62066",
"opcode": "1",
"keywords": 9223372036854841344,
"time_created": "2026-03-16T00:21:39.181172000+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "5680",
"thread_id": "11856"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 62067: Shell32_MountPoint_CreateMtPtLocalWithVolumeStop
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "62067",
"version": "0",
"level": "4",
"task": "62066",
"opcode": "2",
"keywords": 9223372036854841344,
"time_created": "2026-03-16T00:21:39.181195800+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "5680",
"thread_id": "11856"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 62068: Shell32_MountPoint_OnMountPointArrivalStart
#Event ID 62069: Shell32_MountPoint_OnMountPointArrivalStop
#Event ID 62070: Shell32_MountPoint_GetMountPointStart
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "62070",
"version": "0",
"level": "4",
"task": "62070",
"opcode": "1",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:20:50.066796100+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "800"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 62071: Shell32_MountPoint_GetMountPointStop
#Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ed4-e327-447c-9de0-51b652c86108}",
"event_source_name": "",
"event_id": "62071",
"version": "0",
"level": "4",
"task": "62070",
"opcode": "2",
"keywords": 9223372036854841344,
"time_created": "2026-03-15T04:20:50.066799200+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12840",
"thread_id": "800"
},
"channel": "Microsoft-Windows-Shell-Core/Diagnostic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": ""
}
Event ID 62072: OperationManager_TileAnimation_Started
#Fields #
| Name | Description |
|---|---|
TileAutomationID UInt32 | |
TransitionType UInt32 |
Event ID 62073: OperationManager_TileAnimation_Frame_Updated
#Fields #
| Name | Description |
|---|---|
TileAutomationID UInt32 | |
TransitionType UInt32 |
Event ID 62074: OperationManager_TileAnimation_Terminated
#Fields #
| Name | Description |
|---|---|
TileAutomationID UInt32 | |
TransitionType UInt32 | |
AnimationStatus UInt32 |
Event ID 62078: Shell32_MountPoint_SendQueryCancelAutoPlayMessageStart
#Event ID 62079: Shell32_MountPoint_SendQueryCancelAutoPlayMessageStop
#Event ID 62100: Shell_Scaling_Cache_Updated
#Fields #
| Name | Description |
|---|---|
Device UInt32 | |
GotRealDevice UInt32 | |
VerticalResolution UInt32 | |
HorizontalResolution UInt32 | |
VerticalSize UInt32 | |
HorizontalSize UInt32 | |
ComputedScaleFactor UInt32 | |
ComputedDPI UInt32 | |
ChangedFlags UInt32 |
Event ID 62120: TileManagement_PackageInfo_LoadFromManifestStart
#Fields #
| Name | Description |
|---|---|
PackageFamilyName UnicodeString |
Event ID 62121: TileManagement_PackageInfo_LoadFromManifestStop
#Fields #
| Name | Description |
|---|---|
HRESULT UInt32 |
Event ID 62122: TileManagement_PackageInfo_LoadFromDiskStart
#Fields #
| Name | Description |
|---|---|
PackageFamilyName UnicodeString |
Event ID 62124: TileManagement_PackageInfo_VerifyInformationStart
#Fields #
| Name | Description |
|---|---|
PackageFamilyName UnicodeString |
Event ID 62125: TileManagement_PackageInfo_VerifyInformationStop
#Fields #
| Name | Description |
|---|---|
HRESULT UInt32 |
Event ID 62126: TileManagement_PackageInfo_RevertStart
#Fields #
| Name | Description |
|---|---|
PackageFamilyName UnicodeString |
Event ID 62128: TileManagement_PackageInfo_CommitStart
#Fields #
| Name | Description |
|---|---|
PackageFamilyName UnicodeString |
Event ID 62130: TileManagement_PackageInfo_Commit_InstallTileStart
#Fields #
| Name | Description |
|---|---|
PackageFamilyName UnicodeString |
Event ID 62131: TileManagement_PackageInfo_Commit_InstallTileStop
#Fields #
| Name | Description |
|---|---|
HRESULT UInt32 |
Event ID 62132: TileManagement_AppTileInfo_InitContentTileRoamingStart
#Fields #
| Name | Description |
|---|---|
ParentShortcutPath UnicodeString |
Event ID 62133: TileManagement_AppTileInfo_InitContentTileRoamingStop
#Fields #
| Name | Description |
|---|---|
HRESULT UInt32 |
Event ID 62134: TileManagement_AppTileInfo_VerifyInformationStart
#Fields #
| Name | Description |
|---|---|
AppUserModelID UnicodeString |
Event ID 62135: TileManagement_AppTileInfo_VerifyInformationStop
#Fields #
| Name | Description |
|---|---|
HRESULT UInt32 |
Event ID 62136: TileManagement_AppTileInfo_RevertStart
#Fields #
| Name | Description |
|---|---|
AppUserModelID UnicodeString |
Event ID 62138: TileManagement_AppTileInfo_CommitStart
#Fields #
| Name | Description |
|---|---|
AppUserModelID UnicodeString |
Event ID 62140: TileManagement_AppTileInfo_PopulateShortcutStart
#Fields #
| Name | Description |
|---|---|
AppUserModelID UnicodeString |
Event ID 62141: TileManagement_AppTileInfo_PopulateShortcutStop
#Fields #
| Name | Description |
|---|---|
HRESULT UInt32 |
Event ID 62142: TileManagement_AppTileInfo_CommitShortcutStart
#Fields #
| Name | Description |
|---|---|
AppUserModelID UnicodeString |
Event ID 62144: Updating install state of package PackageFamilyName to 'InstallState' with HRESULT ErrorCode.
#Description
Updating install state of package PackageFamilyName to 'InstallState' with HRESULT ErrorCode.
Message #
Fields #
| Name | Description |
|---|---|
PackageFamilyName UnicodeString | |
InstallState UnicodeString | |
ErrorCode UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ED4-E327-447C-9DE0-51B652C86108}",
"event_source_name": "",
"event_id": 62144,
"version": 0,
"level": 4,
"task": 62132,
"opcode": 0,
"keywords": 2305843009213759488,
"time_created": "2026-05-28T18:29:53.1902975+00:00",
"event_record_id": 881,
"correlation": {},
"execution": {
"process_id": 1912,
"thread_id": 2028
},
"channel": "Microsoft-Windows-Shell-Core/Operational",
"computer": "telemetry-DC-d.cell-d.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"PackageFamilyName": "MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy",
"InstallState": "Completed",
"ErrorCode": "0"
},
"message": "Updating install state of package MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy to 'Completed' with HRESULT 0."
}
Event ID 62145: On commit, creation of shortcut with AppUserModelId AppUserModelID with HRESULT ErrorCode.
#Event ID 62146: On commit, update of shortcut with AppUserModelId AppUserModelID with HRESULT ErrorCode.
#Event ID 62147: On commit, deletion of shortcut with AppUserModelId AppUserModelID with HRESULT ErrorCode.
#Event ID 62148: On commit, creation of temporary shortcut with AppUserModelId AppUserModelID with HRESULT ErrorCode.
#Event ID 62149: On commit, changing property values in shortcut with AppUserModelId AppUserModelID failed as the shortcut file does not exist.
#Event ID 62150: On revert, creation of shortcut with AppUserModelId AppUserModelID with HRESULT ErrorCode.
#Event ID 62151: On revert, update of shortcut with AppUserModelId AppUserModelID with HRESULT ErrorCode.
#Event ID 62152: On revert, deletion of shortcut with AppUserModelId AppUserModelID with HRESULT ErrorCode.
#Event ID 62153: Removing folder for package PackageFamilyName with HRESULT ErrorCode.
#Event ID 62154: Incremented last write time of shortcut with AppUserModelId AppUserModelID by 2 seconds with HRESULT ErrorCode.
#Event ID 62155: Updated lockscreen notifications badge registration of app with AppUserModelId AppUserModelID with HRESULT ErrorCode.
#Event ID 62156: On revert, updated lockscreen notifications badge registration of app with AppUserModelId AppUserModelID with HRESULT ErrorCode.
#Event ID 62157: Removed lockscreen notifications badge registration of app with AppUserModelId AppUserModelID with HRESULT ErrorCode.
#Event ID 62158: Updated lockscreen notifications tile registration of app with AppUserModelId AppUserModelID with HRESULT ErrorCode.
#Event ID 62159: On revert, updated lockscreen notifications tile registration of app with AppUserModelId AppUserModelID with HRESULT ErrorCode.
#Event ID 62160: Removed lockscreen notifications tile registration of app with AppUserModelId AppUserModelID with HRESULT ErrorCode.
#Event ID 62161: The namespace extension guid will be loaded in the File Picker.
#Event ID 62162: The namespace extension guid will not be loaded in the File Picker.
#Event ID 62163: Failed to merge PRI for Package PackageFamilyName at path Path with HRESULT ErrorCode.
#Event ID 62164: Package PackageFamilyName failed to install with HRESULT ErrorCode.
#Description
Package PackageFamilyName failed to install with HRESULT ErrorCode.
Message #
Fields #
| Name | Description |
|---|---|
PackageFamilyName UnicodeString | |
ErrorCode UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "30336ED4-E327-447C-9DE0-51B652C86108",
"event_source_name": "",
"event_id": 62164,
"version": 0,
"level": 4,
"task": 62350,
"opcode": 0,
"keywords": 2305843009213759488,
"time_created": "2023-11-05T22:33:30.815908+00:00",
"event_record_id": 2208,
"correlation": {},
"execution": {
"process_id": 4952,
"thread_id": 7932
},
"channel": "Microsoft-Windows-Shell-Core/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-21-1992711665-1655669231-58201500-1000"
}
},
"event_data": {
"PackageFamilyName": "Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe",
"ErrorCode": 2147942450
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 62170: Logon task 'TaskName' started with flags LogonType.
#Description
Logon task 'TaskName' started with flags LogonType.
Message #
Fields #
| Name | Description |
|---|---|
LogonType UInt32 | Logon type code (2=Interactive, 3=Network, 4=Batch, 5=Service, 7=Unlock, 8=NetworkCleartext, 9=NewCredentials, 10=RemoteInteractive, 11=CachedInteractive). Logon type reference |
TaskName UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ED4-E327-447C-9DE0-51B652C86108}",
"event_source_name": "",
"event_id": 62170,
"version": 0,
"level": 4,
"task": 62170,
"opcode": 1,
"keywords": 2306124492780339200,
"time_created": "2026-05-29T16:34:10.5388348+00:00",
"event_record_id": 1970,
"correlation": {},
"execution": {
"process_id": 6328,
"thread_id": 6600
},
"channel": "Microsoft-Windows-Shell-Core/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"LogonType": "8",
"TaskName": "LaunchInputDialListenerPostStart"
},
"message": "Logon task 'LaunchInputDialListenerPostStart' started with flags 8."
}
Event ID 62171: Logon task 'TaskName' finished with flags LogonType.
#Description
Logon task 'TaskName' finished with flags LogonType.
Message #
Fields #
| Name | Description |
|---|---|
LogonType UInt32 | Logon type code (2=Interactive, 3=Network, 4=Batch, 5=Service, 7=Unlock, 8=NetworkCleartext, 9=NewCredentials, 10=RemoteInteractive, 11=CachedInteractive). Logon type reference |
TaskName UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ED4-E327-447C-9DE0-51B652C86108}",
"event_source_name": "",
"event_id": 62171,
"version": 0,
"level": 4,
"task": 62170,
"opcode": 2,
"keywords": 2306124492780339200,
"time_created": "2026-05-29T16:34:10.5525034+00:00",
"event_record_id": 1978,
"correlation": {},
"execution": {
"process_id": 6328,
"thread_id": 6820
},
"channel": "Microsoft-Windows-Shell-Core/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"LogonType": "8",
"TaskName": "ARSFirstRunTelemetry"
},
"message": "Logon task 'ARSFirstRunTelemetry' finished with flags 8."
}
Event ID 62200: Failed to register for licensing policy change event.
#Event ID 62201: Failed to create the watermark window.
#Event ID 62202: Failed to render the watermark.
#Event ID 62203: Failed to get genuine status.
#Event ID 62204: Activation_Watermark_InitStart
#Event ID 62205: Activation_Watermark_InitStop
#Event ID 62250: Updated lockscreen alarm registration of app with AppUserModelId AppUserModelID with HRESULT ErrorCode.
#Event ID 62251: On revert, updated lockscreen alarm registration of app with AppUserModelId AppUserModelID with HRESULT ErrorCode.
#Event ID 62252: Removed lockscreen alarm registration of app with AppUserModelId AppUserModelID with HRESULT ErrorCode.
#Event ID 62300: DataPackage_GetApplicationLinkStart
#Event ID 62301: DataPackage_GetApplicationLinkStop
#Event ID 62302: DataPackage_SetApplicationLinkStart
#Event ID 62303: DataPackage_SetApplicationLinkStop
#Event ID 62321: FilePlaceholder_SaveStop
#Fields #
| Name | Description |
|---|---|
FileName UnicodeString | |
HRESULT UInt32 |
Event ID 62322: FilePlaceholder_ClearPrimaryStreamStart
#Event ID 62324: FilePlaceholder_SetPlaceholderStatesStart
#Fields #
| Name | Description |
|---|---|
FileName UnicodeString | |
NewValues UInt32 | |
ValuesToChange UInt32 |
Event ID 62325: FilePlaceholder_SetPlaceholderStatesStop
#Fields #
| Name | Description |
|---|---|
FileName UnicodeString | |
HRESULT UInt32 |
Event ID 62327: ExtrinsicPropertyStore_CommitStop
#Fields #
| Name | Description |
|---|---|
FileName UnicodeString | |
HRESULT UInt32 |
Event ID 62328: FilePlaceholder_StreamResolver_VerifyFileVersionStart
#Fields #
| Name | Description |
|---|---|
FileName UnicodeString |
Event ID 62329: FilePlaceholder_StreamResolver_VerifyFileVersionStop
#Fields #
| Name | Description |
|---|---|
FileName UnicodeString | |
HRESULT UInt32 |
Event ID 62330: FilePlaceholder_StreamResolver_RetrievePrimaryStreamStart
#Fields #
| Name | Description |
|---|---|
Position UInt64 | |
Size UInt64 |
Event ID 62331: FilePlaceholder_StreamResolver_RetrievePrimaryStreamStop
#Fields #
| Name | Description |
|---|---|
Position UInt64 | |
Size UInt64 | |
HRESULT UInt32 |
Event ID 62334: FileChunkMap_DeleteStart
#Event ID 62335: FileChunkMap_SetFileCompletionStateStart
#Fields #
| Name | Description |
|---|---|
FileName UnicodeString | |
FileCompletionState UInt32 |
Event ID 62336: FileChunkMap_SetFileCompletionStateStop
#Fields #
| Name | Description |
|---|---|
FileName UnicodeString | |
FileCompletionState UInt32 | |
HRESULT UInt32 |
Event ID 62337: Fileplaceholder hydration times out.
#Description
Fileplaceholder hydration times out.
Message #
Event ID 62380: StartMenuFeedback
#Fields #
| Name | Description |
|---|---|
QuestionID Int32 | |
ResponseType UnicodeString | |
QuestionType UnicodeString | |
Answer UnicodeString | |
FollowupAnswer UnicodeString |
Event ID 62400: CloudExperienceHost App Activity started.
#Description
CloudExperienceHost App Activity started. Source: 'Source', Experience: 'Experience'.
Message #
Fields #
| Name | Description |
|---|---|
Source UnicodeString | |
Experience UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "30336ED4-E327-447C-9DE0-51B652C86108",
"event_source_name": "",
"event_id": 62400,
"version": 0,
"level": 4,
"task": 62400,
"opcode": 1,
"keywords": 2305843043573497856,
"time_created": "2026-03-09T18:20:52.260063+00:00",
"event_record_id": 4620,
"correlation": {
"ActivityID": "16C17DEB-9C73-44F6-B6EA-3B3069AE939F"
},
"execution": {
"process_id": 7268,
"thread_id": 7952
},
"channel": "Microsoft-Windows-Shell-Core/Operational",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-21-3407486967-1585450050-1838039599-1000"
}
},
"event_data": {
"Source": "ms-cxh://mosetMDMconnecttowork/",
"Experience": "{\"source\":\"ms-cxh://mosetMDMconnecttowork/\",\"protocol\":\"ms-cxh\",\"host\":\"mosetMDMconnecttowork\",\"port\":\"\",\"params\":{},\"file\":\"\",\"hash\":\"\",\"path\":\"/\",\"segments\":[\"\"]}"
},
"message": ""
}
Event ID 62401: CloudExperienceHost App Activity stopped.
#Description
CloudExperienceHost App Activity stopped. Result: 'Result'.
Message #
Fields #
| Name | Description |
|---|---|
Result UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "30336ED4-E327-447C-9DE0-51B652C86108",
"event_source_name": "",
"event_id": 62401,
"version": 0,
"level": 4,
"task": 62400,
"opcode": 2,
"keywords": 2305843043573497856,
"time_created": "2026-03-09T18:21:10.189353+00:00",
"event_record_id": 4667,
"correlation": {
"ActivityID": "E1341ABB-3BA3-4E91-B44B-1D9432DAB913"
},
"execution": {
"process_id": 7268,
"thread_id": 7952
},
"channel": "Microsoft-Windows-Shell-Core/Operational",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-21-3407486967-1585450050-1838039599-1000"
}
},
"event_data": {
"Result": "success"
},
"message": ""
}
Event ID 62402: CloudExperienceHost App Event 1.
#Description
CloudExperienceHost App Event 1. Name: 'Name'.
Message #
Fields #
| Name | Description |
|---|---|
Name UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "30336ED4-E327-447C-9DE0-51B652C86108",
"event_source_name": "",
"event_id": 62402,
"version": 0,
"level": 4,
"task": 62402,
"opcode": 0,
"keywords": 2305843043573497856,
"time_created": "2026-03-09T18:20:52.256168+00:00",
"event_record_id": 4619,
"correlation": {
"ActivityID": "FEE5CECA-D7C0-4D50-B57D-0A85ED531ABB"
},
"execution": {
"process_id": 7268,
"thread_id": 7952
},
"channel": "Microsoft-Windows-Shell-Core/Operational",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-21-3407486967-1585450050-1838039599-1000"
}
},
"event_data": {
"Name": "ClearTemporaryWebDataAsyncSucceeded"
},
"message": ""
}
Event ID 62403: CloudExperienceHost App Event 2.
#Description
CloudExperienceHost App Event 2. Name: 'Name', Value: 'Value'.
Message #
Fields #
| Name | Description |
|---|---|
Name UnicodeString | |
Value UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "30336ED4-E327-447C-9DE0-51B652C86108",
"event_source_name": "",
"event_id": 62403,
"version": 0,
"level": 4,
"task": 62403,
"opcode": 0,
"keywords": 2305843043573497856,
"time_created": "2026-03-09T18:20:52.876162+00:00",
"event_record_id": 4630,
"correlation": {
"ActivityID": "77230D5B-4D6A-43D1-90F6-F955540E96C3"
},
"execution": {
"process_id": 7268,
"thread_id": 7952
},
"channel": "Microsoft-Windows-Shell-Core/Operational",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-21-3407486967-1585450050-1838039599-1000"
}
},
"event_data": {
"Name": "FirstWebAppVisible",
"Value": "Work"
},
"message": ""
}
Event ID 62404: CloudExperienceHost Web App Activity started.
#Description
CloudExperienceHost Web App Activity started. CXID: 'CXID'.
Message #
Fields #
| Name | Description |
|---|---|
CXID UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "30336ED4-E327-447C-9DE0-51B652C86108",
"event_source_name": "",
"event_id": 62404,
"version": 0,
"level": 4,
"task": 62404,
"opcode": 1,
"keywords": 2305843043573497856,
"time_created": "2026-03-09T18:21:07.739590+00:00",
"event_record_id": 4655,
"correlation": {
"ActivityID": "EB476454-99B3-4A1B-A3F5-F070716C4F29"
},
"execution": {
"process_id": 7268,
"thread_id": 7952
},
"channel": "Microsoft-Windows-Shell-Core/Operational",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-21-3407486967-1585450050-1838039599-1000"
}
},
"event_data": {
"CXID": "MDMEnrollmentFinished"
},
"message": ""
}
Event ID 62405: CloudExperienceHost Web App Activity stopped.
#Description
CloudExperienceHost Web App Activity stopped. Result: 'Result'.
Message #
Fields #
| Name | Description |
|---|---|
Result UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "30336ED4-E327-447C-9DE0-51B652C86108",
"event_source_name": "",
"event_id": 62405,
"version": 0,
"level": 4,
"task": 62404,
"opcode": 2,
"keywords": 2305843043573497856,
"time_created": "2026-03-09T18:21:10.189010+00:00",
"event_record_id": 4666,
"correlation": {
"ActivityID": "DE4FD34D-5A8A-4230-80D6-9EDDABC9FB2C"
},
"execution": {
"process_id": 7268,
"thread_id": 7952
},
"channel": "Microsoft-Windows-Shell-Core/Operational",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-21-3407486967-1585450050-1838039599-1000"
}
},
"event_data": {
"Result": "success"
},
"message": ""
}
Event ID 62406: CloudExperienceHost Web App Event 1.
#Description
CloudExperienceHost Web App Event 1. Name: 'Name'.
Message #
Fields #
| Name | Description |
|---|---|
Name UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"event_id": 62406,
"level": 4,
"task": 62406,
"opcode": 0,
"time_created": "2026-04-17T22:14:17.3553573+00:00",
"computer": "DESKTOP-FF3N5XK",
"channel": "Microsoft-Windows-Shell-Core"
},
"event_data": {
"Name": "UnifiedEnrollment_LaunchDj"
}
}
Event ID 62407: CloudExperienceHost Web App Event 2.
#Description
CloudExperienceHost Web App Event 2. Name: 'Name', Value: 'Value'.
Message #
Fields #
| Name | Description |
|---|---|
Name UnicodeString | |
Value UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "30336ED4-E327-447C-9DE0-51B652C86108",
"event_source_name": "",
"event_id": 62407,
"version": 0,
"level": 4,
"task": 62407,
"opcode": 0,
"keywords": 2305843043573497856,
"time_created": "2026-03-09T18:21:10.188681+00:00",
"event_record_id": 4665,
"correlation": {
"ActivityID": "73C6F5B7-A06D-40B1-A1D3-C103166D9BF0"
},
"execution": {
"process_id": 7268,
"thread_id": 7952
},
"channel": "Microsoft-Windows-Shell-Core/Operational",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-21-3407486967-1585450050-1838039599-1000"
}
},
"event_data": {
"Name": "Done",
"Value": "success"
},
"message": ""
}
Event ID 62408: Started execution of command 'Command'.
#Description
Started execution of command 'Command'.
Message #
Fields #
| Name | Description |
|---|---|
Command UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "30336ED4-E327-447C-9DE0-51B652C86108",
"event_source_name": "",
"event_id": 62408,
"version": 0,
"level": 4,
"task": 62408,
"opcode": 1,
"keywords": 2305878193652957184,
"time_created": "2026-02-10T01:03:05.779137+00:00",
"event_record_id": 1106,
"correlation": {},
"execution": {
"process_id": 5640,
"thread_id": 7848
},
"channel": "Microsoft-Windows-Shell-Core/Operational",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-21-3407486967-1585450050-1838039599-1000"
}
},
"event_data": {
"Command": "msteams_autostarter.exe"
},
"message": ""
}
Event ID 62409: Finished execution of command 'Command' (PID PID).
#Description
Finished execution of command 'Command' (PID PID).
Message #
Fields #
| Name | Description |
|---|---|
PID UInt32 | |
Command UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "30336ED4-E327-447C-9DE0-51B652C86108",
"event_source_name": "",
"event_id": 62409,
"version": 0,
"level": 4,
"task": 62408,
"opcode": 2,
"keywords": 2305878193652957184,
"time_created": "2026-02-10T01:03:06.583842+00:00",
"event_record_id": 1107,
"correlation": {},
"execution": {
"process_id": 5640,
"thread_id": 7848
},
"channel": "Microsoft-Windows-Shell-Core/Operational",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-21-3407486967-1585450050-1838039599-1000"
}
},
"event_data": {
"PID": 9824,
"Command": "msteams_autostarter.exe"
},
"message": ""
}
Event ID 62421: Finished looking for Restore Profiles.
#Event ID 62422: Adding Profile.
#Event ID 62423: Set Restore Profile to Hardware Id: HardwareId.
#Event ID 62440: Hash mismatch detected for: ExtOrUriScheme.
#Description
Hash mismatch detected for: ExtOrUriScheme. ProgId: ProgId. UserSid: UserSid. HashInRegistry: HashInRegistry. ComputedHash: ComputedHash. Date: SystemDatewYear : SystemDatewMonth: SystemDatewDayOfWeek : SystemDatewDay : SystemDatewHour : SystemDatewMinute.
Message #
Fields #
| Name | Description |
|---|---|
ExtOrUriScheme UnicodeString | |
ProgId UnicodeString | |
UserSid UnicodeString | |
HashInRegistry UnicodeString | |
ComputedHash UnicodeString | |
SystemDatewYear UInt16 | |
SystemDatewMonth UInt16 | |
SystemDatewDayOfWeek UInt16 | |
SystemDatewDay UInt16 | |
SystemDatewHour UInt16 | |
SystemDatewMinute UInt16 |
Event ID 62441: User choice has been reset to prog id ProgId for ExtOrUriScheme.
#Event ID 62442: Upgraded to prog id ProgId from prog id CurrentDefaultProgId for ExtOrUriScheme.
#Event ID 62443: AppDefault Info: Info.
#Description
AppDefault Info: Info.
Message #
Fields #
| Name | Description |
|---|---|
Info UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "{30336ED4-E327-447C-9DE0-51B652C86108}",
"event_source_name": "",
"event_id": 62443,
"version": 0,
"level": 4,
"task": 62443,
"opcode": 0,
"keywords": 1152921504606846976,
"time_created": "2026-06-13T14:08:49.3527860+00:00",
"event_record_id": 1786,
"correlation": {},
"execution": {
"process_id": 1956,
"thread_id": 7312
},
"channel": "Microsoft-Windows-Shell-Core/AppDefaults",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"Info": "AppDefaults-Logon-UserProfileLoaded"
},
"message": "AppDefault Info: AppDefaults-Logon-UserProfileLoaded"
}
Event ID 62444: Missing Hash -- ProgId: ProgId FileExtOrUriScheme: ExtOrUriScheme.
#Event ID 62445: Migration Info: Info.
#Event ID 62460: OOBE Health Monitor.
#Description
OOBE Health Monitor. Version: DataVersion, Health flags: HealthStateFlags, Census flags: CensusFlags, Seconds since boot: SecondsSinceBoot, Image identifier: 'ImageIdentifier', Detailed info: 'TrackingInfo'.
Message #
Fields #
| Name | Description |
|---|---|
DataVersion Int32 | |
HealthStateFlags UInt64 | |
CensusFlags UInt64 | |
SecondsSinceBoot UInt64 | |
ImageIdentifier UnicodeString | |
TrackingInfo UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Shell-Core",
"guid": "30336ED4-E327-447C-9DE0-51B652C86108",
"event_source_name": "",
"event_id": 62460,
"version": 0,
"level": 4,
"task": 62460,
"opcode": 0,
"keywords": 2305843146652712960,
"time_created": "2023-11-06T06:25:35.337008+00:00",
"event_record_id": 1692,
"correlation": {},
"execution": {
"process_id": 1424,
"thread_id": 1428
},
"channel": "Microsoft-Windows-Shell-Core/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"DataVersion": 14,
"HealthStateFlags": 0,
"CensusFlags": 14,
"SecondsSinceBoot": 59,
"ImageIdentifier": "",
"TrackingInfo": "{ 0; 1; 0; 0; 0; 0; 0; 0; 0; 0; 0; 0; 0; 0; 0; 0; 0; 0; 0; 0; 0; 0; 0; 0; 0; 0; 0; 0; 0; 0; 0; 0; 0; 0; 0; 0; 0; 0; 0; 0; 0; 0; 0; 0; 0; 0; 0; 0; 0; 0; 0; 0; 0; 0; 0; 0; 0; 0; 0; 0; 0; 0; 0; 0;}"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 63200: Application calls obsolete Shell APIs.
#Description
Application calls obsolete Shell APIs.
Message #
Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID {30336ED4-E327-447C-9DE0-51B652C86108}
Defined in shsvcs.dll, which carries the event manifest.
Observed on:
- Win11-26200.6584, sample captured from a live trace, binary version 10.0.26100.1, captured 2026-06-02
- WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.1, captured 2026-06-02
- Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.1, captured 2026-06-02