Microsoft-Windows-SystemEventsBroker
5 events across 1 channel
| Event | Title | Channel | Sample |
|---|---|---|---|
| 15 | SystemEventsBroker CreateEvent called for Event ID BrokeredEventId, UserSID: … | SystemEventsBroker | N |
| 16 | SystemEventsBroker DeleteEvent called for Event ID BrokeredEventId. | SystemEventsBroker | N |
| 17 | SystemEventsBroker SignalEvent for Event ID BrokeredEventId. | SystemEventsBroker | N |
| 18 | SystemEventsBroker DropEvent for Event ID BrokeredEventId. | SystemEventsBroker | N |
| 19 | SystemEventsBroker SessionConnectedEvent, SessionID: SessionID. | SystemEventsBroker | N |
Event ID 15: SystemEventsBroker CreateEvent called for Event ID BrokeredEventId, UserSID: UserSID with Event Type EventType.
#Event ID 16: SystemEventsBroker DeleteEvent called for Event ID BrokeredEventId.
#Event ID 17: SystemEventsBroker SignalEvent for Event ID BrokeredEventId.
#Event ID 18: SystemEventsBroker DropEvent for Event ID BrokeredEventId.
#Event ID 19: SystemEventsBroker SessionConnectedEvent, SessionID: SessionID.
#Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID b6bfcc79-a3af-4089-8d4d-0eecb1b80779
Defined in SystemEventsBrokerServer.dll, which carries the event manifest.
Observed on:
- WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.1, captured 2026-06-02
- Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.1, captured 2026-06-02