Microsoft-Windows-TimeBroker
4 events across 1 channel
Event ID 1: Event ID BrokeredEventId changed state from OldState to NewState.
Event ID 2: Event ID BrokeredEventId is set to fire between StartTime and EndTime.
Event ID 3: TimeBroker CreateEvent called for Event ID BrokeredEventId with Event Type EventType returned Status.
Description
TimeBroker CreateEvent called for Event ID BrokeredEventId with Event Type EventType returned Status.
Message
Fields
| Name | Type | Description |
|---|---|---|
| BrokeredEventId | GUID | |
| EventType | UInt32 | |
| Status | HexInt32 | NTSTATUS reference |
Event ID 4: TimeBroker DeleteEvent called for Event ID BrokeredEventId and returned Status.
Description
TimeBroker DeleteEvent called for Event ID BrokeredEventId and returned Status.
Message
Fields
| Name | Type | Description |
|---|---|---|
| BrokeredEventId | GUID | |
| Status | HexInt32 | NTSTATUS reference |
Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID 0657adc1-9ae8-4e18-932d-e6079cda5ab3
Defined in TimeBrokerServer.dll, which carries the event manifest.
Observed on:
- WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.1, captured 2026-06-02
- Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.1, captured 2026-06-02