Microsoft-Windows-User Profiles Service
123 events across 4 channels
Event ID 1: Recieved user logon notification on session Session.
#Description
Recieved user logon notification on session Session.
Message #
Fields #
| Name | Description |
|---|---|
Session UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-User Profiles Service",
"guid": "{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}",
"event_source_name": "",
"event_id": 1,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2026-05-29T16:33:48.1913361+00:00",
"event_record_id": 2552,
"correlation": {},
"execution": {
"process_id": 1956,
"thread_id": 2076
},
"channel": "Microsoft-Windows-User Profile Service/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"Session": "1"
},
"message": "Recieved user logon notification on session 1."
}
Event ID 2: Finished processing user logon notification on session Session.
#Description
Finished processing user logon notification on session Session.
Message #
Fields #
| Name | Description |
|---|---|
Session UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-User Profiles Service",
"guid": "{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}",
"event_source_name": "",
"event_id": 2,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2026-05-29T16:33:56.4458392+00:00",
"event_record_id": 2556,
"correlation": {},
"execution": {
"process_id": 1956,
"thread_id": 2076
},
"channel": "Microsoft-Windows-User Profile Service/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"Session": "1"
},
"message": "Finished processing user logon notification on session 1."
}
Event ID 3: Recieved user logoff notification on session Session.
#Description
Recieved user logoff notification on session Session.
Message #
Fields #
| Name | Description |
|---|---|
Session UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-User Profiles Service",
"guid": "{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}",
"event_source_name": "",
"event_id": 3,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2026-06-13T05:22:33.7590478+00:00",
"event_record_id": 1443,
"correlation": {},
"execution": {
"process_id": 1852,
"thread_id": 7840
},
"channel": "Microsoft-Windows-User Profile Service/Operational",
"computer": "telemetry-DC-c.cell-c.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"Session": "1"
},
"message": "Recieved user logoff notification on session 1."
}
Event ID 4: Finished processing user logoff notification on session Session.
#Description
Finished processing user logoff notification on session Session.
Message #
Fields #
| Name | Description |
|---|---|
Session UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-User Profiles Service",
"guid": "{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}",
"event_source_name": "",
"event_id": 4,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2026-06-13T05:22:33.8528968+00:00",
"event_record_id": 1444,
"correlation": {},
"execution": {
"process_id": 1852,
"thread_id": 7840
},
"channel": "Microsoft-Windows-User Profile Service/Operational",
"computer": "telemetry-DC-c.cell-c.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"Session": "1"
},
"message": "Finished processing user logoff notification on session 1."
}
Event ID 5: Registry file File is loaded at HKU\Key.
#Description
Registry file File is loaded at HKU\Key.
Message #
Fields #
| Name | Description |
|---|---|
File UnicodeString | |
Key UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-User Profiles Service",
"guid": "{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}",
"event_source_name": "",
"event_id": 5,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2026-05-30T01:01:44.4866856+00:00",
"event_record_id": 2567,
"correlation": {},
"execution": {
"process_id": 1956,
"thread_id": 3940
},
"channel": "Microsoft-Windows-User Profile Service/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"File": "C:\\Users\\localuser\\AppData\\Local\\Microsoft\\Windows\\\\UsrClass.dat",
"Key": "S-1-5-21-1006758700-2167138679-1475694448-1000_Classes"
},
"message": "Registry file C:\\Users\\localuser\\AppData\\Local\\Microsoft\\Windows\\\\UsrClass.dat is loaded at HKU\\S-1-5-21-1006758700-2167138679-1475694448-1000_Classes."
}
Event ID 6: Starting synchronize profile from Source to Target.
#Event ID 7: Finished synchronize profile from Source to Target.
#Event ID 50: Background hive upload for user UserSid started.
#Event ID 51: Background hive upload for user UserSid succeeded.
#Event ID 52: Background hive upload for user UserSid failed.
#Event ID 53: Cannot delete file File.
#Event ID 54: Open user regisry root key for UserSid failed.
#Event ID 55: Save user hive to file File failed.
#Event ID 56: Save user hive to file File succeeded.
#Event ID 57: Enable background user hive upload task succeeded.
#Description
Enable background user hive upload task succeeded.
Message #
Event ID 58: Failed to enable background user hive upload task.
#Event ID 59: Disable background user hive upload task succeeded.
#Description
Disable background user hive upload task succeeded.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-User Profiles Service",
"guid": "{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}",
"event_source_name": "",
"event_id": 59,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2026-05-29T06:21:48.6520908+00:00",
"event_record_id": 2486,
"correlation": {},
"execution": {
"process_id": 1840,
"thread_id": 1952
},
"channel": "Microsoft-Windows-User Profile Service/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": "Disable background user hive upload task succeeded."
}
Event ID 60: Failed to disable background user hive upload task.
#Event ID 61: Slow network connection detected, abort background user hive upload task.
#Description
Slow network connection detected, abort background user hive upload task.
Message #
Event ID 62: Windows was unable to successfully evaluate whether this computer is a primary computer for this user.
#Description
Windows was unable to successfully evaluate whether this computer is a primary computer for this user. This may be due to failing to access the Active Directory server at this time. The user's roaming profile will be applied as configured. Contact the Administrator for more assistance. Error: Error
Message #
Fields #
| Name | Description |
|---|---|
Error HexInt32 |
Event ID 63: This computer Result a primary computer for this user.
#Event ID 64: The primary computer relationship for this computer and this user was not evaluated due to EnvIssue.
#Event ID 65: The attempt to create or open the profile key for the user failed with error Error.
#Event ID 66: Creating the local profile for the user failed with error Error.
#Event ID 67: Logon type: LogonType.
#Description
Logon type: LogonType.
Message #
Fields #
| Name | Description |
|---|---|
LogonType UnicodeString | Logon type code (2=Interactive, 3=Network, 4=Batch, 5=Service, 7=Unlock, 8=NetworkCleartext, 9=NewCredentials, 10=RemoteInteractive, 11=CachedInteractive). Logon type reference |
LocalPath UnicodeString | |
ProfileType UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-User Profiles Service",
"guid": "{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}",
"event_source_name": "",
"event_id": 67,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2026-05-30T01:01:44.4879394+00:00",
"event_record_id": 2568,
"correlation": {},
"execution": {
"process_id": 1956,
"thread_id": 3940
},
"channel": "Microsoft-Windows-User Profile Service/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"LogonType": "Regular",
"LocalPath": "C:\\Users\\localuser",
"ProfileType": "Regular"
},
"message": "Logon type: Regular \r\nLocal profile location: C:\\Users\\localuser \r\nProfile type: Regular"
}
Event ID 68: LastDownloadTime: DownloadTime.
#Event ID 70: Waiting on network arrivals.
#Event ID 71: After waiting Timeout ms, a network with the necessary capabilities was not ready for use.
#Event ID 72: Terminating wait due to unexpected failure Result.
#Event ID 73: Wait complete due to connectivity event but network not ready.
#Description
Wait complete due to connectivity event but network not ready.
Message #
Event ID 74: Wait completed due to network connectivity or determination that no viable network connection is likely to become available.
#Description
Wait completed due to network connectivity or determination that no viable network connection is likely to become available. Allowing profile load to proceed.
Message #
Event ID 75: Roaming Profiles configuration is being controlled by Group Policy.
#Description
Roaming Profiles configuration is being controlled by Group Policy.
Message #
Event ID 76: Roaming Profiles configuration is being controlled by WMI configuration classes Win32_RoamingProfileUserConfiguration and Win32_RoamingProfileMachi...
#Description
Roaming Profiles configuration is being controlled by WMI configuration classes Win32_RoamingProfileUserConfiguration and Win32_RoamingProfileMachineConfiguration.
Message #
Event ID 1001: Begin new user profile creation.
#Description
Begin new user profile creation.
Message #
Event ID 1002: New user profile creation complete.
#Description
New user profile creation complete.
Message #
Event ID 1003: A network latency of MeasuredLatency milliseconds has been detected.
#Event ID 1004: A network bandwidth of MeasuredBandwidth kilobits per second has been detected.
#Event ID 1005: Delete cached profile ProfilePath since it is older than AgeLimitInDays days.
#Event ID 1500: Windows cannot log you on because your profile cannot be loaded.
#Event ID 1501: Windows cannot create a temporary profile directory.
#Event ID 1502: Windows cannot load the locally stored profile.
#Event ID 1503: Windows cannot set security on your registry.
#Event ID 1504: Windows cannot update your roaming profile completely.
#Description
Windows cannot update your roaming profile completely. Check previous events for more details.
Message #
Event ID 1505: Windows cannot load the user's profile but has logged you on with the default profile for the system.
#Event ID 1506: Your roaming profile is not available.
#Description
Your roaming profile is not available. You are logged on with the locally stored profile. Changes to the profile will not be copied to the server. Possible causes of this error include network problems or insufficient security rights. DETAIL - Error
Message #
Fields #
| Name | Description |
|---|---|
Error UnicodeString |
Event ID 1508: Windows was unable to load the registry.
#Event ID 1509: Windows was unable to load File.
#Description
Windows was unable to load File.
Message #
Fields #
| Name | Description |
|---|---|
File UnicodeString | |
Status UInt32 | NTSTATUS reference |
MachineKeys UnicodeString | |
UserKeys UnicodeString |
Event ID 1510: Windows cannot load your profile because it appears to be corrupted.
#Description
Windows cannot load your profile because it appears to be corrupted.
Message #
Event ID 1511: Windows cannot find the local profile and is logging you on with a temporary profile.
#Description
Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.
Message #
Event ID 1512: Windows cannot unload your registry file.
#Description
Windows cannot unload your registry file. The memory used by the registry has not been freed. This problem is often caused by services running as a user account. Try configuring services to run in either the LocalService or NetworkService account. DETAIL - Error
Message #
Fields #
| Name | Description |
|---|---|
Error UnicodeString |
Event ID 1513: Windows cannot copy your profile because it contains encrypted files or directories.
#Description
Windows cannot copy your profile because it contains encrypted files or directories. The keys to decrypt the files or directories are also stored in the profile and are not available now. Decrypt the files and try again.
Message #
Event ID 1514: The roaming profile path File is too long.
#Event ID 1515: Windows has backed up this user profile.
#Description
Windows has backed up this user profile. Windows will automatically try to use the backup profile the next time this user logs on.
Message #
Event ID 1517: Windows saved user UserSid registry while an application or service was still using the registry when the user logged off.
#Description
Windows saved user UserSid registry while an application or service was still using the registry when the user logged off. The memory used by the user registry has not been freed. The registry will be unloaded when it is no longer in use. This error may be caused by services running as a user account. Try configuring services to run in either the LocalService or NetworkService account.
Message #
Fields #
| Name | Description |
|---|---|
UserSid UnicodeString |
Event ID 1518: Windows cannot create a local profile and is logging you on with a temporary profile.
#Description
Windows cannot create a local profile and is logging you on with a temporary profile. This profile will be deleted when you log off. This problem may be caused by incorrect file system permissions or network problems.
Message #
Event ID 1519: Windows cannot locate your roaming mandatory profile and is attempting to log you on with your local profile.
#Event ID 1520: Windows cannot log you on because your roaming mandatory profile is not available.
#Event ID 1521: Windows cannot locate the server copy of your roaming profile and is attempting to log you on with your local profile.
#Description
Windows cannot locate the server copy of your roaming profile and is attempting to log you on with your local profile. Changes to the profile will not be copied to the server when you log off. This error may be caused by network problems or insufficient security rights. DETAIL - Error
Message #
Fields #
| Name | Description |
|---|---|
Error UnicodeString |
Event ID 1522: Windows cannot locate your roaming profile (read only) and is attempting to log you on with your local profile.
#Event ID 1523: Your roaming profile (read only) is not available.
#Event ID 1524: Windows cannot unload your classes registry file - it is still in use by other applications or services.
#Description
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.
Message #
Event ID 1525: Windows has detected that Automatic Offline Caching is enabled on the Roaming Profile share - to avoid potential profile corruption, Offline Cachin...
#Description
Windows has detected that Automatic Offline Caching is enabled on the Roaming Profile share - to avoid potential profile corruption, Offline Caching must be set to manual or disabled on shares where roaming user profiles are stored.
Message #
Event ID 1526: Windows could not load your roaming profile and is attempting to log you on with your local profile.
#Description
Windows could not load your roaming profile and is attempting to log you on with your local profile. Changes to the profile will not be copied to the server when you log off. Windows could not load your profile because a server copy of the profile folder already exists that does not have the correct security. Either the current user or the Administrators group must be the owner of the folder.
Message #
Event ID 1527: Windows failed to initialize user profiles.
#Description
Windows failed to initialize user profiles. Non-console users will be unable to log on.
Message #
Event ID 1529: Roaming user profiles across forests are disabled.
#Description
Roaming user profiles across forests are disabled. Windows did not load your roaming profile and is logging you on with a local profile. Changes to the profile will not be copied to the server when you log off.
Message #
Event ID 1530: Windows detected your registry file is still in use by other applications or services.
#Description
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. No user action is required. DETAIL - Detail
Message #
Fields #
| Name | Description |
|---|---|
Detail |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-User Profiles Service",
"guid": "89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845",
"event_source_name": "",
"event_id": 1530,
"version": 0,
"level": 3,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2013-10-23T17:27:30.004750+00:00",
"event_record_id": 170,
"correlation": {},
"execution": {
"process_id": 916,
"thread_id": 928
},
"channel": "Application",
"computer": "IE8Win7",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Name": "EVENT_HIVE_LEAK",
"Data": {
"Name": "Detail",
"Value": "1 user registry handles leaked from \\Registry\\User\\S-1-5-21-3463664321-2923530833-3546627382-1000:\nProcess 432 (\\Device\\HarddiskVolume2\\Windows\\System32\\winlogon.exe) has opened key \\REGISTRY\\USER\\S-1-5-21-3463664321-2923530833-3546627382-1000\n"
}
},
"message": "Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. No user action is required. \n\n DETAIL - \n EVENT_HIVE_LEAK"
}
References #
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 1531: The User Profile Service has started successfully.
#Description
The User Profile Service has started successfully.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-User Profiles Service",
"guid": "{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}",
"event_source_name": "",
"event_id": 1531,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": -9223372036854775808,
"time_created": "2026-05-29T16:32:54.0483762+00:00",
"event_record_id": 711,
"correlation": {},
"execution": {
"process_id": 1956,
"thread_id": 2036
},
"channel": "Application",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": "The User Profile Service has started successfully. \r\n\r\n"
}
Event ID 1532: The User Profile Service has stopped.
#Description
The User Profile Service has stopped.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-User Profiles Service",
"guid": "{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}",
"event_source_name": "",
"event_id": 1532,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": -9223372036854775808,
"time_created": "2026-06-13T05:22:34.5310830+00:00",
"event_record_id": 1013,
"correlation": {},
"execution": {
"process_id": 1852,
"thread_id": 1928
},
"channel": "Application",
"computer": "telemetry-DC-c.cell-c.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": "The User Profile Service has stopped. \r\n\r\n"
}
Event ID 1533: Windows cannot delete the profile directory Folder.
#Event ID 1534: Profile notification of event Event for component Component failed, error code is Error.
#Event ID 1535: Successfully suspended folder "Folder".
#Event ID 1536: Successfully unsuspended folder "Folder".
#Event ID 1537: Failed to suspend folder "Folder" DETAIL - Error.
#Event ID 1538: Failed to unsuspend folder "Folder" DETAIL - Error.
#Event ID 1539: Failed to sync folder "Folder" DETAIL - Error.
#Event ID 1540: Your roaming profile is not synchronized correctly with the server.
#Description
Your roaming profile is not synchronized correctly with the server. Windows will load your previously-saved local profile instead. See the previous events for details.
Message #
Event ID 1541: Failed to apply CSC suspend policy.
#Event ID 1542: Windows cannot load classes registry file.
#Event ID 1543: A slow network connection is detected for the roaming profile Folder.
#Event ID 1544: Windows cannot back up a ProfileList entry because one already exists for this user.
#Description
Windows cannot back up a ProfileList entry because one already exists for this user. Only the existing backup entry will be kept in the ProfileList. Future logons will restore the ProfileList entry from the existing backup entry.
Message #
Event ID 1545: User hive is loaded by another process (File Lock).
#Event ID 1552: User hive is loaded by another process (Registry Lock) Process name: InterferingImageName, PID: InterferingPID, ProfSvc PID: ProfsvcPID.
#Event ID 1073743340: Windows unloaded user {User} registry when it received a notification that no other applications or services were using the profile.
#Event ID 1073743341: Windows saved user {User} registry while an application or service was still using the registry when the user logged off.
#Event ID 1073743355: The User Profile Service has started successfully.
#Description
The User Profile Service has started successfully.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-User Profiles Service",
"event_id": 1531,
"level": 4,
"task": 0,
"opcode": 0,
"time_created": "2026-05-27T19:31:56.9024507+00:00",
"computer": "DESKTOP-FF3N5XK.ludus.domain",
"channel": "Application"
},
"event_data": {}
}
Event ID 1073743356: The User Profile Service has stopped.
#Description
The User Profile Service has stopped.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-User Profiles Service",
"event_id": 1532,
"level": 4,
"task": 0,
"opcode": 0,
"time_created": "2026-05-27T19:31:32.4740949+00:00",
"computer": "DESKTOP-FF3N5XK.ludus.domain",
"channel": "Application"
},
"event_data": {}
}
Event ID 1073743359: Successfully suspended folder '{Folder}'.
#Event ID 1073743360: Successfully unsuspended folder '{Folder}'.
#Event ID 2147485172: Windows cannot unload your classes registry file - it is still in use by other applications or services.
#Description
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.
Message #
Event ID 2147485173: Windows has detected that Automatic Offline Caching is enabled on the Roaming Profile share - to avoid potential profile corruption; Offline Cachin...
#Message #
Event ID 2147485178: Windows detected your registry file is still in use by other applications or services.
#Event ID 2147485182: Profile notification of event {Event} for component {Component} failed; error code is {Error}.
#Event ID 2147485188: Your roaming profile is not synchronized correctly with the server.
#Description
Your roaming profile is not synchronized correctly with the server. Windows will load your previously-saved local profile instead. See the previous events for details.
Message #
Event ID 3221226972: Windows cannot log you on because your profile cannot be loaded.
#Event ID 3221226973: Windows cannot create a temporary profile directory.
#Event ID 3221226974: Windows cannot load the locally stored profile.
#Event ID 3221226975: Windows cannot set security on your registry.
#Event ID 3221226976: Windows Windows cannot update your roaming profile completely.
#Description
Windows Windows cannot update your roaming profile completely. Check previous events for more details.
Message #
Event ID 3221226977: Windows cannot load the user's profile but has logged you on with the default profile for the system.
#Event ID 3221226980: Windows was unable to load the registry.
#Event ID 3221226982: Windows cannot load your profile because it appears to be corrupted.
#Description
Windows cannot load your profile because it appears to be corrupted.
Message #
Event ID 3221226983: Windows cannot find the local profile and is logging you on with a temporary profile.
#Description
Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.
Message #
Event ID 3221226984: Windows cannot unload your registry file.
#Event ID 3221226985: Windows cannot copy your profile because it contains encrypted files or directories.
#Message #
Event ID 3221226986: The roaming profile path {File} is too long.
#Event ID 3221226987: Windows has backed up this user profile.
#Description
Windows has backed up this user profile. Windows will automatically try to use the backup profile the next time this user logs on.
Message #
Event ID 3221226990: Windows cannot create a local profile and is logging you on with a temporary profile.
#Message #
Event ID 3221226991: Windows cannot locate your roaming mandatory profile and is attempting to log you on with your local profile.
#Event ID 3221226992: Windows cannot log you on because your roaming mandatory profile is not available.
#Event ID 3221226993: Windows cannot locate the server copy of your roaming profile and is attempting to log you on with your local profile.
#Event ID 3221226994: Windows cannot locate your roaming profile (read only) and is attempting to log you on with your local profile.
#Event ID 3221226995: Your roaming profile (read only) is not available.
#Event ID 3221226998: Windows could not load your roaming profile and is attempting to log you on with your local profile.
#Message #
Event ID 3221226999: Windows failed to initialize user profiles.
#Description
Windows failed to initialize user profiles. Non-console users will be unable to log on.
Message #
Event ID 3221227005: Windows cannot delete the profile directory {Directory}.
#Event ID 3221227009: Failed to suspend folder '{Folder}' DETAIL - {Error}.
#Event ID 3221227010: Failed to unsuspend folder '{Folder}' DETAIL - {Error}.
#Event ID 3221227011: Failed to sync folder '{Folder}' DETAIL - {Error}.
#Event ID 3221227013: Failed to apply CSC suspend policy.
#Event ID 3221227014: Windows cannot load classes registry file.
#Event ID 3221227015: A slow network connection is detected for the roaming profile {Path}.
#Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID 89b1e9f0-5aff-44a6-9b44-0a07a7ce5845
Defined in profsvc.dll, which carries the event manifest.
Observed on:
- WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.1, captured 2026-06-02
- Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.1, captured 2026-06-02