Microsoft-Windows-UserDataAccess-CEMAPI

141 events across 1 channel

Event	Title	Channel	Sample
1	Error: P1_HResult Location: P2_String Line Number: P3_UInt32.	Operational	N
2	Error Propagated: P1_HResult Location: P2_String Line Number: P3_UInt32.	Operational	N
3	Trace	Operational	N
4011	FOLDER_EMPTYFOLDERStart	Operational	N
4012	FOLDER_EMPTYFOLDERStop	Operational	N
4013	FOLDER_CREATEMESSAGEStart	Operational	N
4014	FOLDER_CREATEMESSAGEStop	Operational	N
4015	FOLDER_DELETEMESSAGESStart	Operational	N
4016	FOLDER_DELETEMESSAGESStop	Operational	N
4017	FOLDER_COPYMESSAGESStart	Operational	N
4018	FOLDER_COPYMESSAGESStop	Operational	N
4019	FOLDER_GETHIERARCHYTABLEStart	Operational	N
4020	FOLDER_GETHIERARCHYTABLEStop	Operational	N
4021	FOLDER_GETCONTENTSTABLEStart	Operational	N
4022	FOLDER_GETCONTENTSTABLEStop	Operational	N
4023	FOLDER_DELETEFOLDERStart	Operational	N
4024	FOLDER_DELETEFOLDERStop	Operational	N
4025	FOLDER_COPYFOLDERStart	Operational	N
4026	FOLDER_COPYFOLDERStop	Operational	N
4027	FOLDER_CREATEFOLDERStart	Operational	N
4028	FOLDER_CREATEFOLDERStop	Operational	N
4100	QUERYROWS_ATTACHMENTSStart	Operational	N
4101	QUERYROWS_ATTACHMENTSStop	Operational	N
4102	QUERYROWS_RECIPIENTSStart	Operational	N
4103	QUERYROWS_RECIPIENTSStop	Operational	N
4104	QUERYROWS_FOLDERCONTENTSStart	Operational	N
4105	QUERYROWS_FOLDERCONTENTSStop	Operational	N
4106	QUERYROWS_FOLDERHIERARCHYStart	Operational	N
4107	QUERYROWS_FOLDERHIERARCHYStop	Operational	N
4108	QUERYROWS_SEARCHFOLDERStart	Operational	N
4109	QUERYROWS_SEARCHFOLDERStop	Operational	N
4110	QUERYROWS_STORESStart	Operational	N
4111	QUERYROWS_STORESStop	Operational	N
4112	QUERYROWS_CONVERSATIONSStart	Operational	N
4113	QUERYROWS_CONVERSATIONSStop	Operational	N
4200	STORE_GETIDSFROMNAMESStart	Operational	N
4201	STORE_GETIDSFROMNAMESStop	Operational	N
4202	STORE_OPENFOLDERStart	Operational	N
4203	STORE_OPENFOLDERStop	Operational	N
4204	STORE_OPENMESSAGEStart	Operational	N
4205	STORE_OPENMESSAGEStop	Operational	N
4206	STORE_ISANCESTORStart	Operational	N
4207	STORE_ISANCESTORStop	Operational	N
4208	STORE_CREATESPECIALFOLDERSStart	Operational	N
4209	STORE_CREATESPECIALFOLDERSStop	Operational	N
4210	STORE_LOADRULESLISTStart	Operational	N
4211	STORE_LOADRULESLISTStop	Operational	N
4212	STORE_RUNRULESStart	Operational	N
4213	STORE_RUNRULESStop	Operational	N
4300	MAPILOGONEXStart	Operational	N
4301	MAPILOGONEXStop	Operational	N
4302	CTX_GETSTOREMANAGERStart	Operational	N
4303	CTX_GETSTOREMANAGERStop	Operational	N
4304	CTX_CREATESESSIONStart	Operational	N
4305	CTX_CREATESESSIONStop	Operational	N
4306	CTX_CREATEINSTANCEStart	Operational	N
4307	CTX_CREATEINSTANCEStop	Operational	N
4308	CTX_INITMESSAGESTORESStart	Operational	N
4309	CTX_INITMESSAGESTORESStop	Operational	N
4310	CTX_CREATESMSSTOREStart	Operational	N
4311	CTX_CREATESMSSTOREStop	Operational	N
4312	CTX_LOADDEFAULTMESSAGESTOREStart	Operational	N
4313	CTX_LOADDEFAULTMESSAGESTOREStop	Operational	N
4314	CTX_CREATEMESSAGESTOREStart	Operational	N
4315	CTX_CREATEMESSAGESTOREStop	Operational	N
4316	CTX_OPENENTRYStart	Operational	N
4317	CTX_OPENENTRYStop	Operational	N
4318	CTX_ADVISEStart	Operational	N
4319	CTX_ADVISEStop	Operational	N
4320	CTX_UNADVISEStart	Operational	N
4321	CTX_UNADVISEStop	Operational	N
4322	CTX_INITSTORESINKStart	Operational	N
4323	CTX_INITSTORESINKStop	Operational	N
4324	CTX_GETSTOREBYIDStart	Operational	N
4325	CTX_GETSTOREBYIDStop	Operational	N
4326	CTX_GETSTOREFROMDATABASEStart	Operational	N
4327	CTX_GETSTOREFROMDATABASEStop	Operational	N
4328	CTX_OPENMSGSTOREStart	Operational	N
4329	CTX_OPENMSGSTOREStop	Operational	N
4330	CTX_DELETEMSGSTOREStart	Operational	N
4331	CTX_DELETEMSGSTOREStop	Operational	N
4332	CTX_REFRESHRULECLIENTSStart	Operational	N
4333	CTX_REFRESHRULECLIENTSStop	Operational	N
4400	MSG_CREATEATTACHStart	Operational	N
4401	MSG_CREATEATTACHStop	Operational	N
4402	MSG_DELETEATTACHStart	Operational	N
4403	MSG_DELETEATTACHStop	Operational	N
4404	MSG_OPENATTACHStart	Operational	N
4405	MSG_OPENATTACHStop	Operational	N
4406	MSG_GETATTACHTABLEStart	Operational	N
4407	MSG_GETATTACHTABLEStop	Operational	N
4408	MSG_MODIFYRECIPIENTSStart	Operational	N
4409	MSG_MODIFYRECIPIENTSStop	Operational	N
4410	MSG_SUBMITMESSAGEStart	Operational	N
4411	MSG_SUBMITMESSAGEStop	Operational	N
4412	MSG_DELETERECIPIENTSStart	Operational	N
4413	MSG_DELETERECIPIENTSStop	Operational	N
4414	MSG_ADDRECIPIENTSStart	Operational	N
4415	MSG_ADDRECIPIENTSStop	Operational	N
4416	MSG_UPDATERECIPIENTTABLEStart	Operational	N
4417	MSG_UPDATERECIPIENTTABLEStop	Operational	N
4418	MSG_PREPROCESSWRITEStart	Operational	N
4419	MSG_PREPROCESSWRITEStop	Operational	N
4420	MSG_POSTPROCESSWRITEStart	Operational	N
4421	MSG_POSTPROCESSWRITEStop	Operational	N
4500	SETPROPSStart	Operational	N
4501	SETPROPSStop	Operational	N
4502	GETPROPSStart	Operational	N
4503	GETPROPSStop	Operational	N
4504	DELETEPROPSStart	Operational	N
4505	DELETEPROPSStop	Operational	N
4506	OPENSTREAMPROPERTYStart	Operational	N
4507	OPENSTREAMPROPERTYStop	Operational	N
4508	RUNRULEStart	Operational	N
4509	RUNRULEStop	Operational	N
4510	SESSION_GETSTORESTABLEStart	Operational	N
4511	SESSION_GETSTORESTABLEStop	Operational	N
4512	SINK_ONNOTIFYStart	Operational	N
4513	SINK_ONNOTIFYStop	Operational	N
4514	SINK_ONNOTIFYWRAPPERStart	Operational	N
4515	SINK_ONNOTIFYWRAPPERStop	Operational	N
4600	CONVERSATION_DELETEStart	Operational	N
4601	CONVERSATION_DELETEStop	Operational	N
4602	CONVERSATION_SOFTDELETEStart	Operational	N
4603	CONVERSATION_SOFTDELETEStop	Operational	N
4604	CONVERSATION_MSGPROPSETStart	Operational	N
4605	CONVERSATION_MSGPROPSETStop	Operational	N
4606	CONVERSATION_MSGPROPDELETEStart	Operational	N
4607	CONVERSATION_MSGPROPDELETEStop	Operational	N
4608	CONVERSATION_DELETEMESSAGESStart	Operational	N
4609	CONVERSATION_DELETEMESSAGESStop	Operational	N
4610	CONVERSATIONID_SETStart	Operational	N
4611	CONVERSATIONID_SETStop	Operational	N
4612	CONVERSATIONID_CREATEHASHStart	Operational	N
4613	CONVERSATIONID_CREATEHASHStop	Operational	N
4700	SHARECONTENTStart	Operational	N
4701	SHARECONTENTStop	Operational	N
4800	MAPI Context is being deleted	Operational	N
4801	MAPI Event is lost	Operational	N
4802	MAPI Event data error	Operational	N
4803	Unknown prop tag seen in ConvertDatabasePropertyTagsToMapiTags: Prop_Hex_UInt32.	Operational	N

Event ID 1: Error: P1_HResult Location: P2_String Line Number: P3_UInt32.

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational

Description

Error: P1_HResult Location: P2_String Line Number: P3_UInt32.

Message #

Error: %1 Location: %2 Line Number: %3

Fields #

Name	Description
`P1_HResult` Int32
`P2_String` AnsiString
`P3_UInt32` UInt32

Event ID 2: Error Propagated: P1_HResult Location: P2_String Line Number: P3_UInt32.

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational

Description

Error Propagated: P1_HResult Location: P2_String Line Number: P3_UInt32.

Message #

Error Propagated: %1 Location: %2 Line Number: %3

Fields #

Name	Description
`P1_HResult` Int32
`P2_String` AnsiString
`P3_UInt32` UInt32

Event ID 3: Trace

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: Trace

Fields #

Name	Description
`Message` Pointer

Event ID 4011: FOLDER_EMPTYFOLDERStart

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: FOLDER_EMPTYFOLDER
Opcode: Start

Event ID 4012: FOLDER_EMPTYFOLDERStop

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: FOLDER_EMPTYFOLDER
Opcode: Stop

Event ID 4013: FOLDER_CREATEMESSAGEStart

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: FOLDER_CREATEMESSAGE
Opcode: Start

Event ID 4014: FOLDER_CREATEMESSAGEStop

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: FOLDER_CREATEMESSAGE
Opcode: Stop

Event ID 4015: FOLDER_DELETEMESSAGESStart

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: FOLDER_DELETEMESSAGES
Opcode: Start

Event ID 4016: FOLDER_DELETEMESSAGESStop

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: FOLDER_DELETEMESSAGES
Opcode: Stop

Event ID 4017: FOLDER_COPYMESSAGESStart

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: FOLDER_COPYMESSAGES
Opcode: Start

Event ID 4018: FOLDER_COPYMESSAGESStop

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: FOLDER_COPYMESSAGES
Opcode: Stop

Event ID 4019: FOLDER_GETHIERARCHYTABLEStart

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: FOLDER_GETHIERARCHYTABLE
Opcode: Start

Event ID 4020: FOLDER_GETHIERARCHYTABLEStop

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: FOLDER_GETHIERARCHYTABLE
Opcode: Stop

Event ID 4021: FOLDER_GETCONTENTSTABLEStart

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: FOLDER_GETCONTENTSTABLE
Opcode: Start

Event ID 4022: FOLDER_GETCONTENTSTABLEStop

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: FOLDER_GETCONTENTSTABLE
Opcode: Stop

Event ID 4023: FOLDER_DELETEFOLDERStart

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: FOLDER_DELETEFOLDER
Opcode: Start

Event ID 4024: FOLDER_DELETEFOLDERStop

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: FOLDER_DELETEFOLDER
Opcode: Stop

Event ID 4025: FOLDER_COPYFOLDERStart

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: FOLDER_COPYFOLDER
Opcode: Start

Event ID 4026: FOLDER_COPYFOLDERStop

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: FOLDER_COPYFOLDER
Opcode: Stop

Event ID 4027: FOLDER_CREATEFOLDERStart

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: FOLDER_CREATEFOLDER
Opcode: Start

Event ID 4028: FOLDER_CREATEFOLDERStop

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: FOLDER_CREATEFOLDER
Opcode: Stop

Event ID 4100: QUERYROWS_ATTACHMENTSStart

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: QUERYROWS_ATTACHMENTS
Opcode: Start

Event ID 4101: QUERYROWS_ATTACHMENTSStop

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: QUERYROWS_ATTACHMENTS
Opcode: Stop

Event ID 4102: QUERYROWS_RECIPIENTSStart

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: QUERYROWS_RECIPIENTS
Opcode: Start

Event ID 4103: QUERYROWS_RECIPIENTSStop

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: QUERYROWS_RECIPIENTS
Opcode: Stop

Event ID 4104: QUERYROWS_FOLDERCONTENTSStart

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: QUERYROWS_FOLDERCONTENTS
Opcode: Start

Event ID 4105: QUERYROWS_FOLDERCONTENTSStop

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: QUERYROWS_FOLDERCONTENTS
Opcode: Stop

Event ID 4106: QUERYROWS_FOLDERHIERARCHYStart

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: QUERYROWS_FOLDERHIERARCHY
Opcode: Start

Event ID 4107: QUERYROWS_FOLDERHIERARCHYStop

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: QUERYROWS_FOLDERHIERARCHY
Opcode: Stop

Event ID 4108: QUERYROWS_SEARCHFOLDERStart

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: QUERYROWS_SEARCHFOLDER
Opcode: Start

Event ID 4109: QUERYROWS_SEARCHFOLDERStop

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: QUERYROWS_SEARCHFOLDER
Opcode: Stop

Event ID 4110: QUERYROWS_STORESStart

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: QUERYROWS_STORES
Opcode: Start

Event ID 4111: QUERYROWS_STORESStop

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: QUERYROWS_STORES
Opcode: Stop

Event ID 4112: QUERYROWS_CONVERSATIONSStart

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: QUERYROWS_CONVERSATIONS
Opcode: Start

Event ID 4113: QUERYROWS_CONVERSATIONSStop

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: QUERYROWS_CONVERSATIONS
Opcode: Stop

Event ID 4200: STORE_GETIDSFROMNAMESStart

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: STORE_GETIDSFROMNAMES
Opcode: Start

Event ID 4201: STORE_GETIDSFROMNAMESStop

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: STORE_GETIDSFROMNAMES
Opcode: Stop

Event ID 4202: STORE_OPENFOLDERStart

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: STORE_OPENFOLDER
Opcode: Start

Event ID 4203: STORE_OPENFOLDERStop

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: STORE_OPENFOLDER
Opcode: Stop

Event ID 4204: STORE_OPENMESSAGEStart

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: STORE_OPENMESSAGE
Opcode: Start

Event ID 4205: STORE_OPENMESSAGEStop

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: STORE_OPENMESSAGE
Opcode: Stop

Event ID 4206: STORE_ISANCESTORStart

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: STORE_ISANCESTOR
Opcode: Start

Event ID 4207: STORE_ISANCESTORStop

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: STORE_ISANCESTOR
Opcode: Stop

Event ID 4208: STORE_CREATESPECIALFOLDERSStart

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: STORE_CREATESPECIALFOLDERS
Opcode: Start

Event ID 4209: STORE_CREATESPECIALFOLDERSStop

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: STORE_CREATESPECIALFOLDERS
Opcode: Stop

Event ID 4210: STORE_LOADRULESLISTStart

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: STORE_LOADRULESLIST
Opcode: Start

Event ID 4211: STORE_LOADRULESLISTStop

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: STORE_LOADRULESLIST
Opcode: Stop

Event ID 4212: STORE_RUNRULESStart

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: STORE_RUNRULES
Opcode: Start

Event ID 4213: STORE_RUNRULESStop

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: STORE_RUNRULES
Opcode: Stop

Event ID 4300: MAPILOGONEXStart

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: MAPILOGONEX
Opcode: Start

Event ID 4301: MAPILOGONEXStop

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: MAPILOGONEX
Opcode: Stop

Event ID 4302: CTX_GETSTOREMANAGERStart

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: CTX_GETSTOREMANAGER
Opcode: Start

Event ID 4303: CTX_GETSTOREMANAGERStop

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: CTX_GETSTOREMANAGER
Opcode: Stop

Event ID 4304: CTX_CREATESESSIONStart

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: CTX_CREATESESSION
Opcode: Start

Event ID 4305: CTX_CREATESESSIONStop

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: CTX_CREATESESSION
Opcode: Stop

Event ID 4306: CTX_CREATEINSTANCEStart

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: CTX_CREATEINSTANCE
Opcode: Start

Event ID 4307: CTX_CREATEINSTANCEStop

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: CTX_CREATEINSTANCE
Opcode: Stop

Event ID 4308: CTX_INITMESSAGESTORESStart

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: CTX_INITMESSAGESTORES
Opcode: Start

Event ID 4309: CTX_INITMESSAGESTORESStop

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: CTX_INITMESSAGESTORES
Opcode: Stop

Event ID 4310: CTX_CREATESMSSTOREStart

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: CTX_CREATESMSSTORE
Opcode: Start

Event ID 4311: CTX_CREATESMSSTOREStop

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: CTX_CREATESMSSTORE
Opcode: Stop

Event ID 4312: CTX_LOADDEFAULTMESSAGESTOREStart

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: CTX_LOADDEFAULTMESSAGESTORE
Opcode: Start

Event ID 4313: CTX_LOADDEFAULTMESSAGESTOREStop

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: CTX_LOADDEFAULTMESSAGESTORE
Opcode: Stop

Event ID 4314: CTX_CREATEMESSAGESTOREStart

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: CTX_CREATEMESSAGESTORE
Opcode: Start

Event ID 4315: CTX_CREATEMESSAGESTOREStop

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: CTX_CREATEMESSAGESTORE
Opcode: Stop

Event ID 4316: CTX_OPENENTRYStart

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: CTX_OPENENTRY
Opcode: Start

Event ID 4317: CTX_OPENENTRYStop

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: CTX_OPENENTRY
Opcode: Stop

Event ID 4318: CTX_ADVISEStart

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: CTX_ADVISE
Opcode: Start

Event ID 4319: CTX_ADVISEStop

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: CTX_ADVISE
Opcode: Stop

Event ID 4320: CTX_UNADVISEStart

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: CTX_UNADVISE
Opcode: Start

Event ID 4321: CTX_UNADVISEStop

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: CTX_UNADVISE
Opcode: Stop

Event ID 4322: CTX_INITSTORESINKStart

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: CTX_INITSTORESINK
Opcode: Start

Event ID 4323: CTX_INITSTORESINKStop

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: CTX_INITSTORESINK
Opcode: Stop

Event ID 4324: CTX_GETSTOREBYIDStart

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: CTX_GETSTOREBYID
Opcode: Start

Event ID 4325: CTX_GETSTOREBYIDStop

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: CTX_GETSTOREBYID
Opcode: Stop

Event ID 4326: CTX_GETSTOREFROMDATABASEStart

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: CTX_GETSTOREFROMDATABASE
Opcode: Start

Event ID 4327: CTX_GETSTOREFROMDATABASEStop

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: CTX_GETSTOREFROMDATABASE
Opcode: Stop

Event ID 4328: CTX_OPENMSGSTOREStart

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: CTX_OPENMSGSTORE
Opcode: Start

Event ID 4329: CTX_OPENMSGSTOREStop

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: CTX_OPENMSGSTORE
Opcode: Stop

Event ID 4330: CTX_DELETEMSGSTOREStart

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: CTX_DELETEMSGSTORE
Opcode: Start

Event ID 4331: CTX_DELETEMSGSTOREStop

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: CTX_DELETEMSGSTORE
Opcode: Stop

Event ID 4332: CTX_REFRESHRULECLIENTSStart

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: CTX_REFRESHRULECLIENTS
Opcode: Start

Event ID 4333: CTX_REFRESHRULECLIENTSStop

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: CTX_REFRESHRULECLIENTS
Opcode: Stop

Event ID 4400: MSG_CREATEATTACHStart

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: MSG_CREATEATTACH
Opcode: Start

Event ID 4401: MSG_CREATEATTACHStop

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: MSG_CREATEATTACH
Opcode: Stop

Event ID 4402: MSG_DELETEATTACHStart

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: MSG_DELETEATTACH
Opcode: Start

Event ID 4403: MSG_DELETEATTACHStop

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: MSG_DELETEATTACH
Opcode: Stop

Event ID 4404: MSG_OPENATTACHStart

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: MSG_OPENATTACH
Opcode: Start

Event ID 4405: MSG_OPENATTACHStop

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: MSG_OPENATTACH
Opcode: Stop

Event ID 4406: MSG_GETATTACHTABLEStart

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: MSG_GETATTACHTABLE
Opcode: Start

Event ID 4407: MSG_GETATTACHTABLEStop

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: MSG_GETATTACHTABLE
Opcode: Stop

Event ID 4408: MSG_MODIFYRECIPIENTSStart

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: MSG_MODIFYRECIPIENTS
Opcode: Start

Event ID 4409: MSG_MODIFYRECIPIENTSStop

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: MSG_MODIFYRECIPIENTS
Opcode: Stop

Event ID 4410: MSG_SUBMITMESSAGEStart

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: MSG_SUBMITMESSAGE
Opcode: Start

Event ID 4411: MSG_SUBMITMESSAGEStop

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: MSG_SUBMITMESSAGE
Opcode: Stop

Event ID 4412: MSG_DELETERECIPIENTSStart

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: MSG_DELETERECIPIENTS
Opcode: Start

Event ID 4413: MSG_DELETERECIPIENTSStop

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: MSG_DELETERECIPIENTS
Opcode: Stop

Event ID 4414: MSG_ADDRECIPIENTSStart

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: MSG_ADDRECIPIENTS
Opcode: Start

Event ID 4415: MSG_ADDRECIPIENTSStop

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: MSG_ADDRECIPIENTS
Opcode: Stop

Event ID 4416: MSG_UPDATERECIPIENTTABLEStart

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: MSG_UPDATERECIPIENTTABLE
Opcode: Start

Event ID 4417: MSG_UPDATERECIPIENTTABLEStop

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: MSG_UPDATERECIPIENTTABLE
Opcode: Stop

Event ID 4418: MSG_PREPROCESSWRITEStart

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: MSG_PREPROCESSWRITE
Opcode: Start

Event ID 4419: MSG_PREPROCESSWRITEStop

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: MSG_PREPROCESSWRITE
Opcode: Stop

Event ID 4420: MSG_POSTPROCESSWRITEStart

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: MSG_POSTPROCESSWRITE
Opcode: Start

Event ID 4421: MSG_POSTPROCESSWRITEStop

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: MSG_POSTPROCESSWRITE
Opcode: Stop

Event ID 4500: SETPROPSStart

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: SETPROPS
Opcode: Start

Event ID 4501: SETPROPSStop

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: SETPROPS
Opcode: Stop

Event ID 4502: GETPROPSStart

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: GETPROPS
Opcode: Start

Event ID 4503: GETPROPSStop

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: GETPROPS
Opcode: Stop

Event ID 4504: DELETEPROPSStart

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: DELETEPROPS
Opcode: Start

Event ID 4505: DELETEPROPSStop

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: DELETEPROPS
Opcode: Stop

Event ID 4506: OPENSTREAMPROPERTYStart

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: OPENSTREAMPROPERTY
Opcode: Start

Event ID 4507: OPENSTREAMPROPERTYStop

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: OPENSTREAMPROPERTY
Opcode: Stop

Event ID 4508: RUNRULEStart

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: RUNRULE
Opcode: Start

Event ID 4509: RUNRULEStop

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: RUNRULE
Opcode: Stop

Event ID 4510: SESSION_GETSTORESTABLEStart

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: SESSION_GETSTORESTABLE
Opcode: Start

Event ID 4511: SESSION_GETSTORESTABLEStop

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: SESSION_GETSTORESTABLE
Opcode: Stop

Event ID 4512: SINK_ONNOTIFYStart

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: SINK_ONNOTIFY
Opcode: Start

Event ID 4513: SINK_ONNOTIFYStop

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: SINK_ONNOTIFY
Opcode: Stop

Event ID 4514: SINK_ONNOTIFYWRAPPERStart

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: SINK_ONNOTIFYWRAPPER
Opcode: Start

Event ID 4515: SINK_ONNOTIFYWRAPPERStop

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: SINK_ONNOTIFYWRAPPER
Opcode: Stop

Event ID 4600: CONVERSATION_DELETEStart

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: CONVERSATION_DELETE
Opcode: Start

Event ID 4601: CONVERSATION_DELETEStop

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: CONVERSATION_DELETE
Opcode: Stop

Event ID 4602: CONVERSATION_SOFTDELETEStart

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: CONVERSATION_SOFTDELETE
Opcode: Start

Event ID 4603: CONVERSATION_SOFTDELETEStop

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: CONVERSATION_SOFTDELETE
Opcode: Stop

Event ID 4604: CONVERSATION_MSGPROPSETStart

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: CONVERSATION_MSGPROPSET
Opcode: Start

Event ID 4605: CONVERSATION_MSGPROPSETStop

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: CONVERSATION_MSGPROPSET
Opcode: Stop

Event ID 4606: CONVERSATION_MSGPROPDELETEStart

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: CONVERSATION_MSGPROPDELETE
Opcode: Start

Event ID 4607: CONVERSATION_MSGPROPDELETEStop

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: CONVERSATION_MSGPROPDELETE
Opcode: Stop

Event ID 4608: CONVERSATION_DELETEMESSAGESStart

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: CONVERSATION_DELETEMESSAGES
Opcode: Start

Event ID 4609: CONVERSATION_DELETEMESSAGESStop

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: CONVERSATION_DELETEMESSAGES
Opcode: Stop

Event ID 4610: CONVERSATIONID_SETStart

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: CONVERSATIONID_SET
Opcode: Start

Event ID 4611: CONVERSATIONID_SETStop

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: CONVERSATIONID_SET
Opcode: Stop

Event ID 4612: CONVERSATIONID_CREATEHASHStart

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: CONVERSATIONID_CREATEHASH
Opcode: Start

Event ID 4613: CONVERSATIONID_CREATEHASHStop

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: CONVERSATIONID_CREATEHASH
Opcode: Stop

Event ID 4700: SHARECONTENTStart

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: SHARECONTENT
Opcode: Start

Event ID 4701: SHARECONTENTStop

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational
Task: SHARECONTENT
Opcode: Stop

Event ID 4800: MAPI Context is being deleted

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational

Description

MAPI Context is being deleted.

Message #

MAPI Context is being deleted

Event ID 4801: MAPI Event is lost

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational

Description

MAPI Event is lost.

Message #

MAPI Event is lost

Event ID 4802: MAPI Event data error

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational

Description

MAPI Event data error.

Message #

MAPI Event data error

Event ID 4803: Unknown prop tag seen in ConvertDatabasePropertyTagsToMapiTags: Prop_Hex_UInt32.

Provider: Microsoft-Windows-UserDataAccess-CEMAPI
Channel: Operational

Description

Unknown prop tag seen in ConvertDatabasePropertyTagsToMapiTags: Prop_Hex_UInt32.

Message #

Unknown prop tag seen in ConvertDatabasePropertyTagsToMapiTags: %1

Fields #

Name	Description
`Prop_Hex_UInt32` UInt32

Provenance

Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.

ETW provider GUID 83a9277a-d2fc-4b34-bf81-8ceb4407824f

Defined in cemapi.dll, which carries the event manifest.

Observed on:

WS2022-20348.4893, schema read from the registered manifest, captured 2026-06-02
Win11-26200.6584, schema read from the registered manifest, captured 2026-06-02

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)