Microsoft-Windows-Store
9 events across 1 channel
| Event | Title | Channel | Sample |
|---|---|---|---|
| 8000 | Process Name: Process Name. | Operational | Y |
| 8001 | Message Function: Function Source: Source (Line Number). | Operational | Y |
| 8002 | Message Function: Function Source: Source (Line Number). | Operational | Y |
| 8003 | Message Function: Function Source: Source (Line Number). | Operational | Y |
| 8010 | StateMachine: ThreadID: StateMachineName: Enqueue: EventName. | Operational | N |
| 8011 | State Machine: Thread ID: State Machine Name: Dispatch: Event Name => Current … | Operational | Y |
| 8012 | State Machine: Thread ID: Current State Change: New State => State Machine Name. | Operational | Y |
| 8013 | StateMachine: ThreadID: StateMachineName Pumping: CurrentState. | Operational | N |
| 8014 | StateMachine: ThreadID: StateMachineName: Done: CurrentState. | Operational | N |
Event ID 8000: Process Name: Process Name.
Description
Process Name: Process Name.
Message
Fields
| Name | Description |
|---|---|
| Process Name | |
| Module Name | |
| Build Name | |
| ProcessName | |
| ModuleName | |
| BuildName | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Store",
"guid": "{9C2A37F3-E5FD-5CAE-BCD1-43DAFEEE1FF0}",
"event_source_name": "",
"event_id": 8000,
"version": 0,
"level": 4,
"task": 8000,
"opcode": 0,
"keywords": -9223354444668731392,
"time_created": "2026-05-29T23:42:56.6143940+00:00",
"event_record_id": 473,
"correlation": {},
"execution": {
"process_id": 700,
"thread_id": 3064
},
"channel": "Microsoft-Windows-Store/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-19"
}
},
"event_data": {
"Process Name": "C:\\Windows\\System32\\svchost.exe",
"Module Name": "c:\\windows\\system32\\LicenseManager.dll",
"Build Name": "20348.1.amd64fre.fe_release.210507-1500"
},
"message": "Process Name: C:\\Windows\\System32\\svchost.exe\r\nModule Name: c:\\windows\\system32\\LicenseManager.dll\r\nBuild: 20348.1.amd64fre.fe_release.210507-1500\r\n"
}
Event ID 8001: Message Function: Function Source: Source (Line Number).
Description
Message Function: Function Source: Source (Line Number)
Message
Fields
| Name | Description |
|---|---|
| Message UnicodeString | |
| Function AnsiString | |
| Source AnsiString | |
| Line Number | |
| LineNumber | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Store",
"guid": "{9C2A37F3-E5FD-5CAE-BCD1-43DAFEEE1FF0}",
"event_source_name": "",
"event_id": 8001,
"version": 0,
"level": 4,
"task": 8001,
"opcode": 14,
"keywords": -9223354444668731392,
"time_created": "2026-06-13T05:39:33.5889829+00:00",
"event_record_id": 494,
"correlation": {},
"execution": {
"process_id": 700,
"thread_id": 2744
},
"channel": "Microsoft-Windows-Store/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"Message": "304 - no changes for killbit",
"Function": "OneStoreApplicationLicenseManager::RefreshBannedLicenses",
"Source": "onecoreuap\\enduser\\winstore\\licensemanager\\lib\\onestoreapplicensemanager.cpp",
"Line Number": "885"
},
"message": "304 - no changes for killbit\r\nFunction: OneStoreApplicationLicenseManager::RefreshBannedLicenses\r\nSource: onecoreuap\\enduser\\winstore\\licensemanager\\lib\\onestoreapplicensemanager.cpp (885)"
}
Event ID 8002: Message Function: Function Source: Source (Line Number).
Description
Message Function: Function Source: Source (Line Number)
Message
Fields
| Name | Description |
|---|---|
| Message UnicodeString | |
| Function AnsiString | |
| Source AnsiString | |
| Line Number | |
| LineNumber | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Store",
"guid": "{9C2A37F3-E5FD-5CAE-BCD1-43DAFEEE1FF0}",
"event_source_name": "",
"event_id": 8002,
"version": 0,
"level": 3,
"task": 8001,
"opcode": 13,
"keywords": -9223354444668731392,
"time_created": "2026-06-13T05:39:33.3530023+00:00",
"event_record_id": 492,
"correlation": {},
"execution": {
"process_id": 700,
"thread_id": 3484
},
"channel": "Microsoft-Windows-Store/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-19"
}
},
"event_data": {
"Message": "No user tickets captured for S-1-5-21-1006758700-2167138679-1475694448-1105, so this might not end well.",
"Function": "SingleUserStoredIdentitySnapshot::CaptureIdentity",
"Source": "onecoreuap\\enduser\\winstore\\licensemanager\\lib\\identity.cpp",
"Line Number": "483"
},
"message": "No user tickets captured for S-1-5-21-1006758700-2167138679-1475694448-1105, so this might not end well.\r\nFunction: SingleUserStoredIdentitySnapshot::CaptureIdentity\r\nSource: onecoreuap\\enduser\\winstore\\licensemanager\\lib\\identity.cpp (483)"
}
Event ID 8003: Message Function: Function Source: Source (Line Number).
Description
Message Function: Function Source: Source (Line Number)
Message
Fields
| Name | Description |
|---|---|
| Message UnicodeString | |
| Function AnsiString | |
| Source AnsiString | |
| Line Number | |
| LineNumber | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Store",
"guid": "{9C2A37F3-E5FD-5CAE-BCD1-43DAFEEE1FF0}",
"event_source_name": "",
"event_id": 8003,
"version": 0,
"level": 2,
"task": 8001,
"opcode": 12,
"keywords": -9223354444668731392,
"time_created": "2026-05-30T00:21:36.6358283+00:00",
"event_record_id": 32695,
"correlation": {},
"execution": {
"process_id": 10088,
"thread_id": 7208
},
"channel": "Microsoft-Windows-Store/Operational",
"computer": "telemetry-W11-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-19"
}
},
"event_data": {
"Message": "Service Fault: status: 401 code: InvalidDeviceAuthorizationToken: description: The Authorization header contained an invalid Device Authorization token. data: [] (Corr: sGFfpxq+QkWlCGvo.2, Svr: ent-6484956fb8-6t69q), token broker error: 0x80070520, number of MSA tickets: 0, number of AAD tickets: 0",
"Function": "LogServiceFault",
"Source": "onecoreuap\\enduser\\winstore\\licensemanager\\lib\\telemetry.cpp",
"Line Number": "134"
},
"message": "Service Fault: status: 401 code: InvalidDeviceAuthorizationToken: description: The Authorization header contained an invalid Device Authorization token. data: [] (Corr: sGFfpxq+QkWlCGvo.2, Svr: ent-6484956fb8-6t69q), token broker error: 0x80070520, number of MSA tickets: 0, number of AAD tickets: 0\r\nFunction: LogServiceFault\r\nSource: onecoreuap\\enduser\\winstore\\licensemanager\\lib\\telemetry.cpp (134)"
}
Event ID 8010: StateMachine: ThreadID: StateMachineName: Enqueue: EventName.
Event ID 8011: State Machine: Thread ID: State Machine Name: Dispatch: Event Name => Current State.
Description
State Machine: Thread ID: State Machine Name: Dispatch: Event Name => Current State.
Message
Fields
| Name | Description |
|---|---|
| State Machine | |
| Thread ID | |
| State Machine Name | |
| Event Name | |
| Current State | |
| StateMachine | |
| ThreadID | |
| StateMachineName | |
| EventName | |
| CurrentState | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Store",
"guid": "{9C2A37F3-E5FD-5CAE-BCD1-43DAFEEE1FF0}",
"event_source_name": "",
"event_id": 8011,
"version": 0,
"level": 5,
"task": 8002,
"opcode": 16,
"keywords": -9223336852482686976,
"time_created": "2026-06-13T14:18:35.8078387+00:00",
"event_record_id": 37949,
"correlation": {},
"execution": {
"process_id": 10088,
"thread_id": 5472
},
"channel": "Microsoft-Windows-Store/Operational",
"computer": "telemetry-W11-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-19"
}
},
"event_data": {
"State Machine": "0x1e3d212b120",
"Thread ID": "5472",
"State Machine Name": "{DBE49263-95F5-1779-FB49-2AE16F591AEB}",
"Event Name": "Lease:Unregistered",
"Current State": "Lease:Valid"
},
"message": "0x1e3d212b120: 5472: {DBE49263-95F5-1779-FB49-2AE16F591AEB}: Dispatch: Lease:Unregistered => Lease:Valid"
}
Event ID 8012: State Machine: Thread ID: Current State Change: New State => State Machine Name.
Description
State Machine: Thread ID: Current State Change: New State => State Machine Name.
Message
Fields
| Name | Description |
|---|---|
| State Machine | |
| Thread ID | |
| Current State | |
| New State | |
| State Machine Name | |
| StateMachine | |
| ThreadID | |
| CurrentState | |
| NewState | |
| StateMachineName | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Store",
"guid": "{9C2A37F3-E5FD-5CAE-BCD1-43DAFEEE1FF0}",
"event_source_name": "",
"event_id": 8012,
"version": 0,
"level": 5,
"task": 8002,
"opcode": 17,
"keywords": -9223336852482686976,
"time_created": "2026-06-13T14:18:35.8078686+00:00",
"event_record_id": 37950,
"correlation": {},
"execution": {
"process_id": 10088,
"thread_id": 5472
},
"channel": "Microsoft-Windows-Store/Operational",
"computer": "telemetry-W11-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-19"
}
},
"event_data": {
"State Machine": "0x1e3d212b120",
"Thread ID": "5472",
"Current State": "Lease:Valid",
"New State": "Lease:Invalid",
"State Machine Name": "{DBE49263-95F5-1779-FB49-2AE16F591AEB}"
},
"message": "0x1e3d212b120: 5472: Lease:Valid Change: Lease:Invalid => {DBE49263-95F5-1779-FB49-2AE16F591AEB}"
}
Event ID 8013: StateMachine: ThreadID: StateMachineName Pumping: CurrentState.
Event ID 8014: StateMachine: ThreadID: StateMachineName: Done: CurrentState.
Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID 9c2a37f3-e5fd-5cae-bcd1-43dafeee1ff0
Defined in LicenseManager.dll, which carries the event manifest.
Observed on:
- WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.3451, captured 2026-06-02
- Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.5074, captured 2026-06-02