Microsoft-Windows-UserPnp
88 events across 8 channels
Event ID 7550: New device queued up for install.
#Event ID 7551: Plug and Play install scheduler has started.
#Event ID 7552: Plug and Play install scheduler has exited.
#Event ID 7553: Plug and Play install worker thread has started.
#Event ID 7554: Plug and Play install worker thread has exited.
#Event ID 7555: Parent of current device is already ahead in the install queue.
#Event ID 7556: Current device is a volume snapshot device.
#Event ID 7600: Client {ClientName} successfully registered for device notifications.
#Event ID 7601: Error sending device event notification window message to client {WindowName} (hWnd={hWnd}; Session={SessionId}; Err={ErrorCode}).
#Event ID 7602: Error sending service control for device event notification to client {ClientName} (Session={SessionId}; Err={ErrorCode}).
#Event ID 7603: Error broadcasting system message for device event notification (Err={ErrorCode}).
#Event ID 7604: Sending notification for event {EventType} for device: {DeviceID}.
#Event ID 7650: Received device event from Kernel PnP (GUID={EventGuid}; EventCategory={EventCategory}; Async={IsEventAsync}).
#Event ID 7651: User PnP completed handling of the device event (GUID={EventGuid}; EventCategory={EventCategory}; Async={IsEventAsync}).
#Event ID 7700: Start processing 'DIF_CODE'.
#Event ID 7701: Finished processing 'DIF_CODE' (Err=ErrorCode).
#Event ID 7702: START: Core device install operations.
#Description
START: Core device install operations.
Message #
Event ID 7703: END: Core device install operations.
#Description
END: Core device install operations.
Message #
Event ID 7704: ENTER: Synchronization wait for core device install.
#Description
ENTER: Synchronization wait for core device install.
Message #
Event ID 7705: EXIT: Synchronization wait for core device install.
#Description
EXIT: Synchronization wait for core device install.
Message #
Event ID 7714: ENTER: Sending event notification to service ({ClientName}).
#Event ID 7715: EXIT: Sending event notification to service ({ClientName}).
#Event ID 7716: ENTER: Sending event notification to window ({ClientName}).
#Event ID 7717: EXIT: Sending event notification to window ({ClientName}).
#Event ID 7718: ENTER: Device installation restrictions policy check.
#Description
ENTER: Device installation restrictions policy check.
Message #
Event ID 7719: EXIT: Device installation restrictions policy check.
#Description
EXIT: Device installation restrictions policy check.
Message #
Event ID 7722: ENTER: Build driver info list - search published INFs.
#Description
ENTER: Build driver info list - search published INFs.
Message #
Event ID 7723: EXIT: Build driver info list - search published INFs.
#Description
EXIT: Build driver info list - search published INFs.
Message #
Event ID 7724: ENTER: Build driver info list - search Device Path.
#Description
ENTER: Build driver info list - search Device Path.
Message #
Event ID 7725: EXIT: Build driver info list - search Device Path.
#Description
EXIT: Build driver info list - search Device Path.
Message #
Event ID 7728: ENTER: Build driver info list - search caller specified folder.
#Description
ENTER: Build driver info list - search caller specified folder.
Message #
Event ID 7729: EXIT: Build driver info list - search caller specified folder.
#Description
EXIT: Build driver info list - search caller specified folder.
Message #
Event ID 7730: ENTER: PnpInstallDevice - install device instance.
#Description
ENTER: PnpInstallDevice - install device instance.
Message #
Event ID 7731: EXIT: PnpInstallDevice - install device instance.
#Description
EXIT: PnpInstallDevice - install device instance.
Message #
Event ID 7800: START: Searching WMIS for metadata package
#Description
START: Searching WMIS for metadata package.
Message #
Event ID 7801: STOP: Searching WMIS for metadata package
#Description
STOP: Searching WMIS for metadata package.
Message #
Event ID 7802: START: Downloading metadata package from WMIS
#Description
START: Downloading metadata package from WMIS.
Message #
Event ID 7803: STOP: Downloading metadata package from WMIS
#Description
STOP: Downloading metadata package from WMIS.
Message #
Event ID 7804: START: Searching local index for metadata package
#Description
START: Searching local index for metadata package.
Message #
Event ID 7805: STOP: Searching local index for metadata package
#Description
STOP: Searching local index for metadata package.
Message #
Event ID 7806: START: Unpacking metadata package into cache
#Description
START: Unpacking metadata package into cache.
Message #
Event ID 7807: STOP: Unpacking metadata package into cache
#Description
STOP: Unpacking metadata package into cache.
Message #
Event ID 7808: START: Parsing packageinfo.
#Description
START: Parsing packageinfo.xml for metadata properties.
Message #
Event ID 7809: STOP: Parsing packageinfo.
#Description
STOP: Parsing packageinfo.xml for metadata properties.
Message #
Event ID 7810: START: Scanning local store for new metadata packages
#Description
START: Scanning local store for new metadata packages.
Message #
Event ID 7811: STOP: Scanning local store for new metadata packages
#Description
STOP: Scanning local store for new metadata packages.
Message #
Event ID 7900: Message (Package: Package Error Code = ErrorCode, Win32 Error Code = Win32ErrorCode).
#Event ID 7901: A new device metadata package was downloaded from WMIS.
#Event ID 7902: Message (Package: Package Error Code = ErrorCode, Win32 Error Code = Win32ErrorCode).
#Event ID 7903: Successfully parsed device metadata file.
#Event ID 7950: A new device metadata package was discovered.
#Event ID 7951: DMRC was queried for type 'QueryType' with lookup key 'LookupKey'.
#Event ID 7952: Message (Error Code = NetworkErrorCode, Last Http Status Code = HttpStatusCode).
#Event ID 8000: A reboot is required to complete device installation of device 'ERR_DEVICE_ID.DeviceId'.
#Description
A reboot is required to complete device installation of device 'ERR_DEVICE_ID.DeviceId'.
Message #
Fields #
| Name | Description |
|---|---|
DeviceId |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-UserPnp",
"guid": "96F4A050-7E31-453C-88BE-9634F4E02139",
"event_source_name": "",
"event_id": 8000,
"version": 0,
"level": 3,
"task": 0,
"opcode": 0,
"keywords": 576460752303423490,
"time_created": "2023-10-25T22:50:39.873740+00:00",
"event_record_id": 21,
"correlation": {},
"execution": {
"process_id": 3600,
"thread_id": 1060
},
"channel": "Microsoft-Windows-UserPnp/DeviceInstall",
"computer": "WinDevEval",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"ERR_DEVICE_ID": {
"DeviceId": "ACPI\\VMW0003\\4&1BD7F811&0"
}
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 8001: The DeviceInstall service has started.
#Description
The DeviceInstall service has started.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-UserPnp",
"guid": "{96F4A050-7E31-453C-88BE-9634F4E02139}",
"event_source_name": "",
"event_id": 8001,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 576460752303423490,
"time_created": "2026-05-28T04:47:58.4674435+00:00",
"event_record_id": 13,
"correlation": {},
"execution": {
"process_id": 4536,
"thread_id": 5956
},
"channel": "Microsoft-Windows-UserPnp/DeviceInstall",
"computer": "telemetry-DC-d.cell-d.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": "The DeviceInstall service has started."
}
Event ID 8002: The DeviceInstall service is stopping (idle).
#Description
The DeviceInstall service is stopping (idle).
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-UserPnp",
"guid": "{96F4A050-7E31-453C-88BE-9634F4E02139}",
"event_source_name": "",
"event_id": 8002,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 576460752303423490,
"time_created": "2026-05-28T04:50:31.7833993+00:00",
"event_record_id": 14,
"correlation": {},
"execution": {
"process_id": 4536,
"thread_id": 2572
},
"channel": "Microsoft-Windows-UserPnp/DeviceInstall",
"computer": "telemetry-DC-d.cell-d.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": "The DeviceInstall service is stopping (idle)."
}
Event ID 8003: The DeviceInstall service is stopping (stop control).
#Description
The DeviceInstall service is stopping (stop control).
Message #
Event ID 8004: The DeviceInstall service is stopping (shutdown).
#Description
The DeviceInstall service is stopping (shutdown).
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-UserPnp",
"guid": "96F4A050-7E31-453C-88BE-9634F4E02139",
"event_source_name": "",
"event_id": 8004,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 576460752303423490,
"time_created": "2023-11-06T06:23:40.089953+00:00",
"event_record_id": 27,
"correlation": {},
"execution": {
"process_id": 1068,
"thread_id": 1072
},
"channel": "Microsoft-Windows-UserPnp/DeviceInstall",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 8005: The DeviceInstall service has stopped.
#Description
The DeviceInstall service has stopped.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-UserPnp",
"guid": "{96F4A050-7E31-453C-88BE-9634F4E02139}",
"event_source_name": "",
"event_id": 8005,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 576460752303423490,
"time_created": "2026-05-28T04:50:31.7839977+00:00",
"event_record_id": 15,
"correlation": {},
"execution": {
"process_id": 4536,
"thread_id": 2572
},
"channel": "Microsoft-Windows-UserPnp/DeviceInstall",
"computer": "telemetry-DC-d.cell-d.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": "The DeviceInstall service has stopped."
}
Event ID 8006: There are pending driver updates to install.
#Description
There are pending driver updates to install.
Message #
Event ID 8007: A timeout was detected during the installation of device 'DeviceId'.
#Event ID 8008: The DeviceInstall service is starting.
#Description
The DeviceInstall service is starting.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-UserPnp",
"guid": "96F4A050-7E31-453C-88BE-9634F4E02139",
"event_source_name": "",
"event_id": 8008,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 576460752303423490,
"time_created": "2023-11-06T06:25:29.340577+00:00",
"event_record_id": 29,
"correlation": {},
"execution": {
"process_id": 1080,
"thread_id": 1096
},
"channel": "Microsoft-Windows-UserPnp/DeviceInstall",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 8009: The DeviceInstall service failed to start with error ErrorCode.
#Event ID 8010: Finish install operation state changed to hc_stateid.
#Event ID 8020: Device installation is currently disabled.
#Description
Device installation is currently disabled.
Message #
Event ID 8021: Device installation has been disabled.
#Description
Device installation has been disabled.
Message #
Event ID 8022: Device installation has been enabled.
#Description
Device installation has been enabled.
Message #
Event ID 8030: The DeviceInstall service will not idle stop.
#Description
The DeviceInstall service will not idle stop.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-UserPnp",
"guid": "96F4A050-7E31-453C-88BE-9634F4E02139",
"event_source_name": "",
"event_id": 8030,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 576460752303423490,
"time_created": "2023-11-06T06:25:29.352092+00:00",
"event_record_id": 31,
"correlation": {},
"execution": {
"process_id": 1080,
"thread_id": 1096
},
"channel": "Microsoft-Windows-UserPnp/DeviceInstall",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 8040: task_08040
#Fields #
| Name | Description |
|---|---|
DeviceInstanceId UnicodeString | |
HardwareIds UnicodeString | |
CompatibleIds UnicodeString | |
MatchingDeviceId UnicodeString | |
OriginalInfName UnicodeString | |
DriverDate FILETIME | |
DriverVersion UnicodeString | |
SubmissionId UnicodeString | |
FlightIds UnicodeString |
Event ID 20001: Driver Management concluded the process to install driver http://schemas.
#Description
Driver Management concluded the process to install driver for Device Instance ID with the following status: .
Message #
Fields #
| Name | Description |
|---|---|
DriverName | |
DriverVersion | |
DriverProvider | |
DeviceInstanceID | |
SetupClass | |
RebootOption | |
UpgradeDevice | |
IsDriverOEM | |
InstallStatus | |
DriverDescription |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-UserPnp",
"guid": "96F4A050-7E31-453C-88BE-9634F4E02139",
"event_source_name": "",
"event_id": 20001,
"version": 0,
"level": 4,
"task": 7005,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2013-10-23T16:17:53.968750+00:00",
"event_record_id": 250,
"correlation": {},
"execution": {
"process_id": 1536,
"thread_id": 1900
},
"channel": "System",
"computer": "37L4247D28-05",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"InstallDeviceID": {
"xmlns:auto-ns2": "http://schemas.microsoft.com/win/2004/08/events",
"DriverName": "FileRepository\\rdpbus.inf_x86_neutral_27637529205407be\\rdpbus.inf",
"DriverVersion": "6.1.7600.16385",
"DriverProvider": "Microsoft",
"DeviceInstanceID": "ROOT\\RDPBUS\\0000",
"SetupClass": "4D36E97D-E325-11CE-BFC1-08002BE10318",
"RebootOption": false,
"UpgradeDevice": false,
"IsDriverOEM": false,
"InstallStatus": 0,
"DriverDescription": "Remote Desktop Device Redirector Bus"
}
},
"message": "Driver Management concluded the process to install driver http://schemas.microsoft.com/win/2004/08/events for Device Instance ID Microsoft with the following status: false."
}
References #
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 20002: Driver Management concluded the process to remove driver DriverName from Device Instance ID DeviceInstanceID with the following status: InstallStatus.
#Description
Driver Management concluded the process to remove driver DriverName from Device Instance ID DeviceInstanceID with the following status: InstallStatus.
Message #
Fields #
| Name | Description |
|---|---|
DriverName UnicodeString | |
DriverVersion UnicodeString | |
DriverProvider UnicodeString | |
DeviceInstanceID UnicodeString | |
SetupClass GUID | |
RebootOption Boolean | |
UpgradeDevice Boolean | |
IsDriverOEM Boolean | |
InstallStatus HexInt32 | |
DriverDescription UnicodeString |
Event ID 20003: Driver Management has concluded the process to add Service AddServiceID.ServiceName for Device Instance ID AddServiceID.DeviceInstanceID with the following status: AddServiceID.AddServiceStatus.
#Description
Driver Management has concluded the process to add Service AddServiceID.ServiceName for Device Instance ID AddServiceID.DeviceInstanceID with the following status: AddServiceID.AddServiceStatus.
Message #
Fields #
| Name | Description |
|---|---|
ServiceName | |
DriverFileName | |
DeviceInstanceID | |
PrimaryService | |
UpdateService | |
AddServiceStatus |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-UserPnp",
"guid": "96F4A050-7E31-453C-88BE-9634F4E02139",
"event_source_name": "",
"event_id": 20003,
"version": 0,
"level": 4,
"task": 7005,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2023-11-05T22:30:40.551666+00:00",
"event_record_id": 1844,
"correlation": {},
"execution": {
"process_id": 7864,
"thread_id": 8460
},
"channel": "System",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"AddServiceID": {
"ServiceName": "VM3DService",
"DriverFileName": "%SystemRoot%\\system32\\vm3dservice.exe",
"DeviceInstanceID": "PCI\\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\\3&61AAA01&0&78",
"PrimaryService": false,
"UpdateService": false,
"AddServiceStatus": 0
}
},
"message": ""
}
References #
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 20004: Driver Management has concluded the process to remove Service ServiceName for Device Instance ID DeviceInstanceID with the following status: AddServiceStatus.
#Description
Driver Management has concluded the process to remove Service ServiceName for Device Instance ID DeviceInstanceID with the following status: AddServiceStatus.
Message #
Fields #
| Name | Description |
|---|---|
ServiceName UnicodeString | |
DriverFileName UnicodeString | |
DeviceInstanceID UnicodeString | |
PrimaryService Boolean | |
UpdateService Boolean | |
AddServiceStatus UInt32 |
Event ID 20005: Driver Management has restricted the installation of Device Instance ID DeviceId because of a Device Installation Restriction policy setting.
#Event ID 20006: Driver Management has deferred the process to install Device Instance ID DeviceId until a driver has been selected because of a Device Installation Restr...
#Event ID 20007: Driver Management has removed Device Instance ID DeviceId because of a Device Installation Restriction policy setting.
#Event ID 20008: Driver Management has not removed Device Instance ID DeviceId with matching policy restriction because it is a required system device.
#Event ID 20009: Driver Management will reboot the system in RebootTime seconds to enforce a Device Installation Restriction policy setting.
#Event ID 20010
#Fields #
| Name | Description |
|---|---|
INFO_PNP_STATE.xmlns:auto-ns2 | |
INFO_PNP_STATE.InstallSubsystemState | |
INFO_PNP_STATE.CachingSubsystemState |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-UserPnp",
"guid": "96F4A050-7E31-453C-88BE-9634F4E02139",
"event_source_name": "",
"event_id": 20010,
"version": 0,
"level": 4,
"task": 7010,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2013-10-23T16:18:04.750000+00:00",
"event_record_id": 255,
"correlation": {},
"execution": {
"process_id": 616,
"thread_id": 1644
},
"channel": "System",
"computer": "37L4247D28-05",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"INFO_PNP_STATE": {
"xmlns:auto-ns2": "http://schemas.microsoft.com/win/2004/08/events",
"InstallSubsystemState": true,
"CachingSubsystemState": true
}
},
"message": ""
}
References #
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 20011: Device action request for device '{VetoDevice}' was vetoed by '{VetoName}' with veto type {VetoType}.
#Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID 96f4a050-7e31-453c-88be-9634f4e02139
Defined in umpnpmgr.dll, which carries the event manifest.
Observed on:
- WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.1, captured 2026-06-02
- Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.1, captured 2026-06-02