Microsoft-Windows-UniversalTelemetryClient
25 events across 1 channel
Event ID 1: Tenant IKey has been registered for telemetry usage.
Description
Tenant IKey has been registered for telemetry usage.
Message
Fields
| Name | Type | Description |
|---|---|---|
| Environment | UnicodeString | |
| IKey | UnicodeString | |
| DiskSizeInBytes | UInt32 | |
| DailyUploadQuotaInBytes | UInt32 | |
| HRESULT | UInt32 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-UniversalTelemetryClient",
"guid": "{6489B27F-7C43-5886-1D00-0A61BB2A375B}",
"event_source_name": "",
"event_id": 1,
"version": 0,
"level": 4,
"task": 1,
"opcode": 0,
"keywords": -9223372036854710272,
"time_created": "2026-06-13T05:46:32.9108570+00:00",
"event_record_id": 214,
"correlation": {},
"execution": {
"process_id": 3544,
"thread_id": 1228
},
"channel": "Microsoft-Windows-UniversalTelemetryClient/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Environment": "ServiceHost",
"IKey": "P-ARIA-af397ef28e484961ba48646a5d38cf54-77418283-d6f6-4a90-b0c8-37e0f5e7b087-7425",
"DiskSizeInBytes": "8388608",
"DailyUploadQuotaInBytes": "0",
"HRESULT": "2147943642"
},
"message": "Tenant P-ARIA-af397ef28e484961ba48646a5d38cf54-77418283-d6f6-4a90-b0c8-37e0f5e7b087-7425 has been registered for telemetry usage."
}
Event ID 2: Tenant IKey has been unregistered for telemetry usage.
Description
Tenant IKey has been unregistered for telemetry usage.
Message
Fields
| Name | Type | Description |
|---|---|---|
| Environment | UnicodeString | |
| IKey | UnicodeString | |
| HRESULT | UInt32 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-UniversalTelemetryClient",
"guid": "6489B27F-7C43-5886-1D00-0A61BB2A375B",
"event_source_name": "",
"event_id": 2,
"version": 0,
"level": 4,
"task": 2,
"opcode": 0,
"keywords": 9223372036854841344,
"time_created": "2026-03-11T06:27:46.715428+00:00",
"event_record_id": 427,
"correlation": {
"ActivityID": "17404B55-CA54-4D65-932C-664EDEF08F62"
},
"execution": {
"process_id": 3532,
"thread_id": 5236
},
"channel": "Microsoft-Windows-UniversalTelemetryClient/Operational",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Environment": "ServiceHost",
"IKey": "P-WDATP",
"HRESULT": 2147943568
},
"message": ""
}
Event ID 3: The daily upload quota for IKey has been updated to DailyUploadQuotaInBytes bytes.
Event ID 20: The upload URL has changed to Url.
Event ID 21: Upload failed with the following HRESULT: HRESULT.
Event ID 22: The daily upload quota for SENSE has crossed into a new tier.
Description
The daily upload quota for SENSE has crossed into a new tier.
Message
Fields
| Name | Type | Description |
|---|---|---|
| Environment | UnicodeString | |
| BytesUploadedSoFar | UInt64 | |
| BytesAllowed | UInt64 | |
| PercentageUsed | UInt32 | |
| NewTier | UInt32 | |
| OldTier | UInt32 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-UniversalTelemetryClient",
"guid": "6489B27F-7C43-5886-1D00-0A61BB2A375B",
"event_source_name": "",
"event_id": 22,
"version": 0,
"level": 4,
"task": 22,
"opcode": 0,
"keywords": 9223372036854906880,
"time_created": "2026-03-11T08:57:50.434811+00:00",
"event_record_id": 450,
"correlation": {},
"execution": {
"process_id": 3632,
"thread_id": 8160
},
"channel": "Microsoft-Windows-UniversalTelemetryClient/Operational",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Environment": "InProcHost",
"BytesUploadedSoFar": 5198198,
"BytesAllowed": 103809024,
"PercentageUsed": 5,
"NewTier": 1,
"OldTier": 0
},
"message": ""
}
Event ID 23: Storage capacity for the SENSE tenant has changed to a new tier.
Description
Storage capacity for the SENSE tenant has changed to a new tier.
Message
Fields
| Name | Type | Description |
|---|---|---|
| Environment | UnicodeString | |
| PercentageFullInEachRingBuffer | UInt32 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-UniversalTelemetryClient",
"event_id": 23,
"level": "Information",
"task": null,
"opcode": "Info",
"time_created": "2026-05-24T02:15:27.0537825+00:00",
"computer": "JD-DC01-2022.ludus.domain",
"channel": "Microsoft-Windows-UniversalTelemetryClient/Operational"
},
"event_data": {
"Environment": "InProcHost",
"PercentageFullInEachRingBuffer": "5"
}
}
Event ID 24: An unknown and unconfigured dynamic Vortex region Region was attempted to be set.
Event ID 25: The event storage for SENSE has been throttled.
Event ID 26: The upload for SENSE has been throttled.
Event ID 27: Connection state - All connections have succeeded since the previous period.
Description
Connection state - All connections have succeeded since the previous period.
Message
Fields
| Name | Type | Description |
|---|---|---|
| Environment | UnicodeString | |
| EventsUploaded | UInt32 | |
| EventsDropped | UInt32 | |
| LastEventlogWrittenTime | UInt64 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-UniversalTelemetryClient",
"guid": "{6489B27F-7C43-5886-1D00-0A61BB2A375B}",
"event_source_name": "",
"event_id": 27,
"version": 0,
"level": 4,
"task": 27,
"opcode": 0,
"keywords": -9223372036854644736,
"time_created": "2026-06-13T13:52:28.3510348+00:00",
"event_record_id": 231,
"correlation": {},
"execution": {
"process_id": 3544,
"thread_id": 7340
},
"channel": "Microsoft-Windows-UniversalTelemetryClient/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Environment": "ServiceHost",
"EventsUploaded": "1",
"EventsDropped": "63",
"LastEventlogWrittenTime": "134258305483084572"
},
"message": "Connection state - All connections have succeeded since the previous period."
}
Event ID 28: Connection state - Some connections have failed since the previous period.
Description
Connection state - Some connections have failed since the previous period.
Message
Fields
| Name | Type | Description |
|---|---|---|
| Environment | UnicodeString | |
| EventsUploaded | UInt32 | |
| EventsDropped | UInt32 | |
| LastEventlogWrittenTime | UInt64 | |
| SuccessfulConnections | UInt32 | |
| FailedConnections | UInt32 | |
| LastHttpError | UInt32 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-UniversalTelemetryClient",
"guid": "{6489B27F-7C43-5886-1D00-0A61BB2A375B}",
"event_source_name": "",
"event_id": 28,
"version": 0,
"level": 3,
"task": 28,
"opcode": 0,
"keywords": -9223372036854644736,
"time_created": "2026-05-30T00:11:33.8361916+00:00",
"event_record_id": 113,
"correlation": {},
"execution": {
"process_id": 3364,
"thread_id": 7000
},
"channel": "Microsoft-Windows-UniversalTelemetryClient/Operational",
"computer": "telemetry-DC-d.cell-d.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Environment": "ServiceHost",
"EventsUploaded": "16",
"EventsDropped": "249",
"LastEventlogWrittenTime": "134245464938398258",
"SuccessfulConnections": "5",
"FailedConnections": "5",
"LastHttpError": "2147954407"
},
"message": "Connection state - Some connections have failed since the previous period."
}
Event ID 29: Connection state - Some connections have failed since the previous period.
Description
Connection state - Some connections have failed since the previous period.
Message
Fields
| Name | Type | Description |
|---|---|---|
| Environment | UnicodeString | |
| EventsUploaded | UInt32 | |
| EventsDropped | UInt32 | |
| LastEventlogWrittenTime | UInt64 | |
| FailedConnections | UInt32 | |
| LastHttpError | UInt32 | |
| ProxySettingDetected | Boolean | |
| SslCertValidationFailures | UInt32 | |
| LastSslCertFailure | UInt32 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-UniversalTelemetryClient",
"guid": "6489B27F-7C43-5886-1D00-0A61BB2A375B",
"event_source_name": "",
"event_id": 29,
"version": 0,
"level": 2,
"task": 29,
"opcode": 0,
"keywords": 9223372036854906880,
"time_created": "2022-04-07T08:14:43.748987+00:00",
"event_record_id": 19,
"correlation": {},
"execution": {
"process_id": 2704,
"thread_id": 3244
},
"channel": "Microsoft-Windows-UniversalTelemetryClient/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Environment": "ServiceHost",
"EventsUploaded": 0,
"EventsDropped": 1674,
"LastEventlogWrittenTime": 3545508526300415277,
"FailedConnections": 7,
"LastHttpError": 2147954407,
"ProxySettingDetected": false,
"SslCertValidationFailures": 0,
"LastSslCertFailure": 0
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 50: The service has been started to the following state: Status.
Description
The service has been started to the following state: Status.
Message
Fields
| Name | Type | Description |
|---|---|---|
| Environment | UnicodeString | |
| Status | UInt32 | NTSTATUS reference |
Example Event
{
"system": {
"provider": "Microsoft-Windows-UniversalTelemetryClient",
"guid": "{6489B27F-7C43-5886-1D00-0A61BB2A375B}",
"event_source_name": "",
"event_id": 50,
"version": 0,
"level": 4,
"task": 50,
"opcode": 0,
"keywords": -9223372036854513664,
"time_created": "2026-05-29T16:33:04.6229645+00:00",
"event_record_id": 194,
"correlation": {},
"execution": {
"process_id": 3544,
"thread_id": 3736
},
"channel": "Microsoft-Windows-UniversalTelemetryClient/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Environment": "ServiceHost",
"Status": "3"
},
"message": "The service has been started to the following state: Updating Scenarios."
}
Event ID 55: Is the Internet available: State.
Description
Is the Internet available: State.
Message
Fields
| Name | Type | Description |
|---|---|---|
| Environment | UnicodeString | |
| State | Boolean | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-UniversalTelemetryClient",
"guid": "{6489B27F-7C43-5886-1D00-0A61BB2A375B}",
"event_source_name": "",
"event_id": 55,
"version": 0,
"level": 4,
"task": 55,
"opcode": 0,
"keywords": -9223372036854513664,
"time_created": "2026-05-29T16:33:35.5757326+00:00",
"event_record_id": 200,
"correlation": {},
"execution": {
"process_id": 3544,
"thread_id": 1016
},
"channel": "Microsoft-Windows-UniversalTelemetryClient/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Environment": "ServiceHost",
"State": "true"
},
"message": "Is the Internet available: true"
}
Event ID 56: Is a free network available: State.
Description
Is a free network available: State.
Message
Fields
| Name | Type | Description |
|---|---|---|
| Environment | UnicodeString | |
| State | Boolean | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-UniversalTelemetryClient",
"guid": "{6489B27F-7C43-5886-1D00-0A61BB2A375B}",
"event_source_name": "",
"event_id": 56,
"version": 0,
"level": 4,
"task": 56,
"opcode": 0,
"keywords": -9223372036854513664,
"time_created": "2026-05-29T16:33:35.5753573+00:00",
"event_record_id": 199,
"correlation": {},
"execution": {
"process_id": 3544,
"thread_id": 4152
},
"channel": "Microsoft-Windows-UniversalTelemetryClient/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Environment": "ServiceHost",
"State": "true"
},
"message": "Is a free network available: true"
}
Event ID 60: Is device on battery power: State.
Description
Is device on battery power: State.
Message
Fields
| Name | Type | Description |
|---|---|---|
| Environment | UnicodeString | |
| State | Boolean | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-UniversalTelemetryClient",
"guid": "6489B27F-7C43-5886-1D00-0A61BB2A375B",
"event_source_name": "",
"event_id": 60,
"version": 0,
"level": 4,
"task": 60,
"opcode": 0,
"keywords": 9223372036855037952,
"time_created": "2026-03-11T06:27:46.945847+00:00",
"event_record_id": 428,
"correlation": {},
"execution": {
"process_id": 3632,
"thread_id": 4212
},
"channel": "Microsoft-Windows-UniversalTelemetryClient/Operational",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Environment": "InProcHost",
"State": false
},
"message": ""
}
Event ID 61: Is the Battery Saver state enabled: State.
Description
Is the Battery Saver state enabled: State.
Message
Fields
| Name | Type | Description |
|---|---|---|
| Environment | UnicodeString | |
| State | Boolean | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-UniversalTelemetryClient",
"guid": "{6489B27F-7C43-5886-1D00-0A61BB2A375B}",
"event_source_name": "",
"event_id": 61,
"version": 0,
"level": 4,
"task": 61,
"opcode": 0,
"keywords": -9223372036854513664,
"time_created": "2026-05-29T16:35:13.6212132+00:00",
"event_record_id": 201,
"correlation": {},
"execution": {
"process_id": 3544,
"thread_id": 2624
},
"channel": "Microsoft-Windows-UniversalTelemetryClient/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Environment": "ServiceHost",
"State": "false"
},
"message": "Is the Battery Saver state enabled: false"
}
Event ID 62: Is the device in connected standby: State.
Description
Is the device in connected standby: State.
Message
Fields
| Name | Type | Description |
|---|---|---|
| Environment | UnicodeString | |
| State | Boolean | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-UniversalTelemetryClient",
"guid": "{6489B27F-7C43-5886-1D00-0A61BB2A375B}",
"event_source_name": "",
"event_id": 62,
"version": 0,
"level": 4,
"task": 62,
"opcode": 0,
"keywords": -9223372036854513664,
"time_created": "2026-05-29T16:33:23.2504895+00:00",
"event_record_id": 197,
"correlation": {},
"execution": {
"process_id": 3544,
"thread_id": 1016
},
"channel": "Microsoft-Windows-UniversalTelemetryClient/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Environment": "ServiceHost",
"State": "false"
},
"message": "Is the device in connected standby: false"
}
Event ID 63: Has the service used more power than considered reasonable: State.
Event ID 64: Diagnostic Data Collection Level
Description
Diagnostic Data Collection Level.
Message
Fields
| Name | Type | Description |
|---|---|---|
| Environment | UnicodeString | |
| OldInfo | UInt32 | |
| NewInfo | UInt32 | |
| SettingAuthority | Int32 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-UniversalTelemetryClient",
"guid": "6489B27F-7C43-5886-1D00-0A61BB2A375B",
"event_source_name": "",
"event_id": 64,
"version": 0,
"level": 4,
"task": 64,
"opcode": 0,
"keywords": 9223372036855037952,
"time_created": "2023-11-06T06:25:44.333797+00:00",
"event_record_id": 92,
"correlation": {},
"execution": {
"process_id": 3712,
"thread_id": 3932
},
"channel": "Microsoft-Windows-UniversalTelemetryClient/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Environment": "ServiceHost",
"OldInfo": 0,
"NewInfo": 1,
"SettingAuthority": 2
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 65: The agent has transitioned to or from an idle state.
Event ID 66: The diagnostic and feedback permission level has changed.
Description
The diagnostic and feedback permission level has changed.
Message
Fields
| Name | Type | Description |
|---|---|---|
| OldLevel | UInt32 | |
| NewLevel | UInt32 | |
| Source | UnicodeString | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-UniversalTelemetryClient",
"guid": "6489B27F-7C43-5886-1D00-0A61BB2A375B",
"event_source_name": "",
"event_id": 66,
"version": 0,
"level": 4,
"task": 66,
"opcode": 0,
"keywords": 9223372036854906880,
"time_created": "2025-12-31T19:32:58.269044+00:00",
"event_record_id": 12,
"correlation": {},
"execution": {
"process_id": 3076,
"thread_id": 3612
},
"channel": "Microsoft-Windows-UniversalTelemetryClient/Operational",
"computer": "WIN11-22H2-X64",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"OldLevel": 1,
"NewLevel": 1,
"Source": "Api"
},
"message": ""
}
Event ID 67: You cannot enable a policy that causes your organization to manage all Windows diagnostic data without being AAD joined or setting a valid Commerci...
Description
You cannot enable a policy that causes your organization to manage all Windows diagnostic data without being AAD joined or setting a valid CommercialId on the device.
Message
Event ID 68: Invalid Processor mode configuration.
Description
Invalid Processor mode configuration.
Message
Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID 6489b27f-7c43-5886-1d00-0a61bb2a375b
Defined in diagtrack.dll, which carries the event manifest.
Observed on:
- WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.1, captured 2026-06-02
- Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.1, captured 2026-06-02