Microsoft-Windows-TerminalServices-PnPDevices
14 events across 4 channels
| Event | Title | Channel | Sample |
|---|---|---|---|
| 2 | message. | Debug | N |
| 3 | message. | Debug | N |
| 4 | message. | Analytic | N |
| 5 | message. | Analytic | N |
| 6 | message. | Debug | N |
| 7 | message. | Debug | N |
| 8 | message. | Analytic | N |
| 9 | message. | Analytic | N |
| 32 | Failed to create Physical Device Object for device deviceName in User mode bus … | Analytic | N |
| 33 | Failed to destroy Physical Device Object for device deviceName in User mode bus … | Analytic | N |
| 34 | Driver for device deviceName failed to load. | Analytic | N |
| 35 | Device deviceName is not supported on this machine, a generic driver is loaded. | Admin | N |
| 36 | Redirection of additional supported devices is disabled by policy. | Admin | Y |
| 37 | Device deviceName is successfully installed. | Operational | N |
Event ID 32: Failed to create Physical Device Object for device deviceName in User mode bus component.
Event ID 33: Failed to destroy Physical Device Object for device deviceName in User mode bus component.
Event ID 34: Driver for device deviceName failed to load.
Event ID 35: Device deviceName is not supported on this machine, a generic driver is loaded.
Event ID 36: Redirection of additional supported devices is disabled by policy.
Description
Redirection of additional supported devices is disabled by policy.
Message
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-TerminalServices-PnPDevices",
    "guid": "27A8C1E2-EB19-463E-8424-B399DF27A216",
    "event_source_name": "",
    "event_id": 36,
    "version": 0,
    "level": 3,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-11T06:31:09.457281+00:00",
    "event_record_id": 10,
    "correlation": {},
    "execution": {
      "process_id": 2044,
      "thread_id": 800
    },
    "channel": "Microsoft-Windows-TerminalServices-PnPDevices/Admin",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {},
  "message": ""
}
```
Event ID 37: Device deviceName is successfully installed.
Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID 27a8c1e2-eb19-463e-8424-b399df27a216
Defined in umrdp.dll, which carries the event manifest.
Observed on:
- WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.1, captured 2026-06-02
- Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.1, captured 2026-06-02