Microsoft-Windows-Win32k
358 events across 8 channels
Event ID 3: UIPIMsgError
Fields
| Name | Type | Description |
|---|---|---|
| UIPI_Trace_Header | UInt8 | |
| Message | UInt32 | |
| wParam | UInt64 | |
| lParam | UInt64 | |
Event ID 4: UIPIHookError
Fields
| Name | Type | Description |
|---|---|---|
| UIPI_Trace_Header | UInt16 | |
| HookID | Int32 | |
| Flags | Int8 | |
| nCode | Int32 | |
| wParam | UInt64 | |
| lParam | UInt64 | |
Event ID 5: UIPIEventHookError
Fields
| Name | Type | Description |
|---|---|---|
| UIPI_Trace_Header | UInt32 | |
| WinEvent | UInt32 | |
| WndHandle | UInt64 | |
| ObjectID | UInt32 | |
| ChildID | UInt32 | |
| SenderTID | Int32 | |
| Time | Int32 | |
| Flags | UInt32 | |
Event ID 6: UIPIHandleValError
Fields
| Name | Type | Description |
|---|---|---|
| UIPI_Trace_Header | UInt8 | |
| Handle | UInt64 | |
| HandleType | UInt32 | |
| Reserved | UInt32 | |
Event ID 7: UIPIInputError
Fields
| Name | Type | Description |
|---|---|---|
| UIPI_Trace_Header | UInt8 | |
| InputType | UInt32 | |
| QIL | UInt32 | |
| QLBN | UInt32 | |
Event ID 8: UIPIClipboardError
Fields
| Name | Type | Description |
|---|---|---|
| UIPI_Trace_Header | UInt8 | |
| ClipFormat | UInt32 | |
| ClipIL | UInt32 | |
| ClipLBN | UInt32 | |
Event ID 10: PowerDisplayChange
Fields
| Name | Type | Description |
|---|---|---|
| SessionId | UInt32 | |
| PreviousStateTime | UInt32 | |
| PreviousState | UInt16 | |
| NewState | UInt16 | |
| IsConsoleSession | UInt16 | |
Event ID 11: IdleActionExpiration
Fields
| Name | Type | Description |
|---|---|---|
| SessionId | UInt32 | |
| IdleAction | UInt32 | |
| TimeoutValueMs | UInt32 | |
| IdleStartTime | UInt32 | |
| IsConsoleSession | UInt16 | |
Event ID 12: DisplayReqChange
Fields
| Name | Type | Description |
|---|---|---|
| SessionId | UInt32 | |
| IsConsoleSession | UInt16 | |
| NewCount | UInt32 | |
Event ID 13: DisplayTimeoutReset
Fields
| Name | Type | Description |
|---|---|---|
| SessionId | UInt32 | |
| IsConsoleSession | UInt16 | |
| DisplayTimeoutValueMs | UInt32 | |
Event ID 14: LockAcquireExclusive
Fields
| Name | Type | Description |
|---|---|---|
| LockId | Pointer | |
| LockLevel | UInt32 | |
| LockName | UnicodeString | |
Event ID 16: LockAcquireSharedStarveExclusive
Fields
| Name | Type | Description |
|---|---|---|
| LockId | Pointer | |
| LockName | UnicodeString | |
Event ID 20: IdleStatusTracing
Fields
| Name | Type | Description |
|---|---|---|
| SessionId | UInt32 | |
| AccruedIdleTime | UInt32 | |
| DisplayTimeoutValueMs | UInt32 | |
| ScreenSaverTimeoutValueMs | UInt32 | |
| DimTimeoutValueMs | UInt32 | |
| DimBrightnessValue | UInt32 | |
| NormalBrightnessValue | UInt32 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Win32k",
"guid": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}",
"event_source_name": "",
"event_id": 20,
"version": 0,
"level": 4,
"task": 21,
"opcode": 0,
"keywords": "0x2000000000008000",
"time_created": "2026-06-02T05:32:25.246+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}"
},
"execution": {
"process_id": 1004,
"thread_id": 1112
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"AccruedIdleTime": 24078,
"DimBrightnessValue": 0,
"DimTimeoutValueMs": 585000,
"DisplayTimeoutValueMs": 600000,
"NormalBrightnessValue": 100,
"ScreenSaverTimeoutValueMs": 900000,
"SessionId": 1
},
"message": "IdleStatusTracing"
}
Event ID 21: SwapChainSetStats
Fields
| Name | Type | Description |
|---|---|---|
| hLogicalSurfSwapChainBind | UInt64 | |
| ConfirmReason | UInt32 | |
| LastPresentId | UInt32 | |
| LastFrameCount | UInt32 | |
| SyncFrameCount | UInt32 | |
| LastFrameTime | UInt64 | |
Event ID 25: UserActive
Fields
| Name | Type | Description |
|---|---|---|
| SessionId | UInt32 | |
| ProcessIdOwningFocus | UInt32 | |
| ProcessCreateTimeOwningFocus | FILETIME | |
Event ID 26: FocusedProcessChange
Fields
| Name | Type | Description |
|---|---|---|
| SessionId | UInt32 | |
| OldProcessId | UInt32 | |
| NewProcessId | UInt32 | |
Event ID 32: LogicalSurfPhysSurfUnbind
Fields
| Name | Type | Description |
|---|---|---|
| hLogicalSurf | UInt64 | |
| hPhysicalSurf | UInt64 | |
Event ID 33: GdiSysMemToken
Fields
| Name | Type | Description |
|---|---|---|
| Pending | UInt32 | |
| dwDirtyFlags | UInt32 | |
| hLogicalSurf | UInt64 | |
| uiCookie | UInt64 | |
Event ID 35: WaitCursor
Fields
| Name | Type | Description |
|---|---|---|
| CursorThreadId | UInt32 | |
| CursorProcessId | UInt32 | |
| SessionId | UInt32 | |
| CursorType | UInt32 | |
| DisplayTimeMs | UInt32 | |
Event ID 36: ThreadInfoRundown
Fields
| Name | Type | Description |
|---|---|---|
| ThreadId | UInt32 | |
| Flags | UInt32 | |
| TimeSinceInputCheckMs | UInt32 | |
| TimeSinceInputRemoveMs | UInt32 | |
| TimeSinceOldestInputMs | UInt32 | |
Event ID 37: InputProcessDelay
Fields
| Name | Type | Description |
|---|---|---|
| Flags | UInt32 | |
| TimeSinceInputRemoveMs | UInt32 | |
| TimeSinceOldestInputMs | UInt32 | |
| ClassName | UnicodeString | |
| TopLevelClassName | UnicodeString | |
| ImagePath | UnicodeString | |
| MessageId | UInt32 | |
| WParam | UInt64 | |
Event ID 38: MessageCheckDelay
Fields
| Name | Type | Description |
|---|---|---|
| Flags | UInt32 | |
| DelayTimeMs | UInt32 | |
| TimeSinceInputRemoveMs | UInt32 | |
| TimeSinceOldestInputMs | UInt32 | |
| ClassName | UnicodeString | |
| TopLevelClassName | UnicodeString | |
| ImagePath | UnicodeString | |
| MessageId | UInt32 | |
| WParam | UInt64 | |
Event ID 39: RenderingNewRendering
Fields
| Name | Type | Description |
|---|---|---|
| hwndDst | Pointer | |
| hwndDstSprite | Pointer | |
| hbmDst | Pointer | |
| DstLeft | UInt32 | |
| DstTop | UInt32 | |
| DstRight | UInt32 | |
| DstBottom | UInt32 | |
| hwndSrc | Pointer | |
| hwndSrcSprite | Pointer | |
| hbmSrc | Pointer | |
| SrcLeft | UInt32 | |
| SrcTop | UInt32 | |
| SrcRight | UInt32 | |
| SrcBottom | UInt32 | |
Event ID 40: RenderingOldToNewRendering
Fields
| Name | Type | Description |
|---|---|---|
| hwndDst | Pointer | |
| hwndDstSprite | Pointer | |
| hbmDst | Pointer | |
| DstLeft | UInt32 | |
| DstTop | UInt32 | |
| DstRight | UInt32 | |
| DstBottom | UInt32 | |
| hwndSrc | Pointer | |
| hwndSrcSprite | Pointer | |
| hbmSrc | Pointer | |
| SrcLeft | UInt32 | |
| SrcTop | UInt32 | |
| SrcRight | UInt32 | |
| SrcBottom | UInt32 | |
Event ID 41: Rendering
Fields
| Name | Type | Description |
|---|---|---|
| hwnd | Pointer | |
| bitmapCX | UInt32 | |
| bitmapCY | UInt32 | |
| DirtyLeft | UInt32 | |
| DirtyTop | UInt32 | |
| DirtyRight | UInt32 | |
| DirtyBottom | UInt32 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Win32k",
"guid": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}",
"event_source_name": "",
"event_id": 41,
"version": 0,
"level": 4,
"task": 39,
"opcode": 12,
"keywords": "0x0800000000100000",
"time_created": "2026-06-02T04:02:00.030+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}"
},
"execution": {
"process_id": 4304,
"thread_id": 3088
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"DirtyBottom": 40,
"DirtyLeft": 907,
"DirtyRight": 971,
"DirtyTop": 0,
"bitmapCX": 1024,
"bitmapCY": 40,
"hwnd": "0x20032"
},
"message": "Rendering"
}
Event ID 42: RenderingAppRenderingTightUpdate
Fields
| Name | Type | Description |
|---|---|---|
| hwnd | Pointer | |
| bitmapCX | UInt32 | |
| bitmapCY | UInt32 | |
| DirtyLeft | UInt32 | |
| DirtyTop | UInt32 | |
| DirtyRight | UInt32 | |
| DirtyBottom | UInt32 | |
Event ID 43: RenderingValidateWindow
Fields
| Name | Type | Description |
|---|---|---|
| hwnd | Pointer | |
| FULL | UInt32 | |
| Left | UInt32 | |
| Top | UInt32 | |
| Right | UInt32 | |
| Bottom | UInt32 | |
Event ID 44: RenderingInvalidateWindow
Fields
| Name | Type | Description |
|---|---|---|
| hwnd | Pointer | |
| FULL | UInt32 | |
| Left | UInt32 | |
| Top | UInt32 | |
| Right | UInt32 | |
| Bottom | UInt32 | |
Event ID 45: ThreadExit
Fields
| Name | Type | Description |
|---|---|---|
| ThreadId | UInt32 | |
| Flags | UInt32 | |
| TimeSinceInputCheckMs | UInt32 | |
| TimeSinceInputRemoveMs | UInt32 | |
| TimeSinceOldestInputMs | UInt32 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Win32k",
"guid": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}",
"event_source_name": "",
"event_id": 45,
"version": 0,
"level": 4,
"task": 45,
"opcode": 0,
"keywords": "0x0000000000200000",
"time_created": "2026-06-02T04:02:00.577+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}"
},
"execution": {
"process_id": 4872,
"thread_id": 10316
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"Flags": 64,
"ThreadId": 10316,
"TimeSinceInputCheckMs": 0,
"TimeSinceInputRemoveMs": 72438,
"TimeSinceOldestInputMs": 0
},
"message": "ThreadExit"
}
Event ID 51: LogicalSurfEnableDirtyNotification
Fields
| Name | Type | Description |
|---|---|---|
| hLogicalSurf | UInt64 | |
| hPhysSurf | UInt64 | |
Event ID 52: PhysicalSurfCreate
Fields
| Name | Type | Description |
|---|---|---|
| hPhysicalSurf | UInt64 | |
| Type | UInt32 | |
| hDxSharedSurface | UInt64 | |
| Flags | UInt32 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Win32k",
"guid": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}",
"event_source_name": "",
"event_id": 52,
"version": 0,
"level": 4,
"task": 52,
"opcode": 0,
"keywords": "0x0000000000001000",
"time_created": "2026-06-02T05:32:25.758+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}"
},
"execution": {
"process_id": 14592,
"thread_id": 10500
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"Flags": 0,
"Type": 0,
"hDxSharedSurface": 0,
"hPhysicalSurf": 18446744071763722935
},
"message": "PhysicalSurfCreate"
}
Event ID 53: ModifyRgn
Fields
| Name | Type | Description |
|---|---|---|
| hLogicalSurface | UInt64 | |
| RgnType | UInt32 | |
| rcBounds | Int16 | |
| NumRects | UInt32 | |
| rcData | Int64 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Win32k",
"guid": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}",
"event_source_name": "",
"event_id": 53,
"version": 0,
"level": 4,
"task": 53,
"opcode": 0,
"keywords": "0x0000000000001000",
"time_created": "2026-06-02T04:02:00.030+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}"
},
"execution": {
"process_id": 4304,
"thread_id": 3088
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"NumRects": 1,
"RgnType": 1,
"hLogicalSurface": 68290098,
"rcBounds": "00000000000000000004000028000000",
"rcData": "00000000000000000004000028000000"
},
"message": "ModifyRgn"
}
Event ID 54: SwapChainGetStats
Fields
| Name | Type | Description |
|---|---|---|
| hLogicalSurfSwapChainBind | UInt64 | |
| ConfirmReason | UInt32 | |
| LastPresentId | UInt32 | |
| LastFrameCount | UInt32 | |
| SyncFrameCount | UInt32 | |
| LastFrameTime | UInt64 | |
Event ID 55: SwapChainBindingOpen
Fields
| Name | Type | Description |
|---|---|---|
| hLogicalSurfSwapChainBinding | UInt64 | |
| luidAdapter | UInt64 | |
| nWidth | UInt32 | |
| nHeight | UInt32 | |
| DxgiColorFormat | UInt32 | |
| hmonAssociation | UInt64 | |
| uiPresentLimitSemaphoreId | UInt64 | |
| cBuffers | UInt32 | |
| BindingInfoHandle | Int64 | |
Event ID 56: SwapChainBindingRelease
Fields
| Name | Type | Description |
|---|---|---|
| hLogicalSurfSwapChainBinding | UInt64 | |
| DesktopCompositorProcess | UInt8 | |
| DesktopCompositorError | UInt8 | |
| DesktopCompositorRef | UInt8 | |
| DesktopCompositorStatus | UInt8 | |
| pEventConfirmed | UInt64 | |
Event ID 57: SwapChainBindingStatus
Fields
| Name | Type | Description |
|---|---|---|
| hLogicalSurfSwapChainBinding | UInt64 | |
| DesktopCompositorStatus | UInt8 | |
Event ID 59: QueuePostMessage
Fields
| Name | Type | Description |
|---|---|---|
| CallbackCount | Int8 | |
| pqmsg | Pointer | |
| hwnd | Pointer | |
| WParam | Pointer | |
| LParam | Pointer | |
| message | UInt32 | |
| inputReadyTimeMs | UInt32 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Win32k",
"guid": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}",
"event_source_name": "",
"event_id": 59,
"version": 0,
"level": 4,
"task": 59,
"opcode": 0,
"keywords": "0x0400000000400000",
"time_created": "2026-06-02T05:32:24.458+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}"
},
"execution": {
"process_id": 6296,
"thread_id": 3488
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"CallbackCount": 0,
"LParam": "0x0",
"WParam": "0x0",
"hwnd": "0x30048",
"inputReadyTimeMs": 35788625,
"message": 0,
"pqmsg": "0xFFFFC5238079C710"
},
"message": "QueuePostMessage"
}
Event ID 60: SendMessageStart
Fields
| Name | Type | Description |
|---|---|---|
| CallbackCount | Int8 | |
| pqmsg | Pointer | |
| hwnd | Pointer | |
| WParam | Pointer | |
| LParam | Pointer | |
| message | UInt32 | |
| inputReadyTimeMs | UInt32 | |
| flags | UInt32 | |
| pidReceiver | UInt32 | |
| tidReceiver | UInt32 | |
Event ID 61: RetrievePostMessage
Fields
| Name | Type | Description |
|---|---|---|
| CallbackCount | Int8 | |
| pqmsg | Pointer | |
| hwnd | Pointer | |
| WParam | Pointer | |
| LParam | Pointer | |
| message | UInt32 | |
| inputReadyTimeMs | UInt32 | |
| flags | UInt32 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Win32k",
"guid": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}",
"event_source_name": "",
"event_id": 61,
"version": 0,
"level": 4,
"task": 65,
"opcode": 0,
"keywords": "0x0400000000400000",
"time_created": "2026-06-02T05:32:24.458+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}"
},
"execution": {
"process_id": 6296,
"thread_id": 6300
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"CallbackCount": 0,
"LParam": "0x0",
"WParam": "0x0",
"flags": 1,
"hwnd": "0x30048",
"inputReadyTimeMs": 35788625,
"message": 0,
"pqmsg": "0xFFFFC5238079C710"
},
"message": "RetrievePostMessage"
}
Event ID 62: RetrieveSendMessageStart
Fields
| Name | Type | Description |
|---|---|---|
| CallbackCount | Int8 | |
| pqmsg | Pointer | |
| hwnd | Pointer | |
| WParam | Pointer | |
| LParam | Pointer | |
| message | UInt32 | |
| inputReadyTimeMs | UInt32 | |
Event ID 63: RetrieveInputMessage
Fields
| Name | Type | Description |
|---|---|---|
| CallbackCount | Int8 | |
| hwnd | Pointer | |
| WParam | Pointer | |
| LParam | Pointer | |
| message | UInt32 | |
| inputReadyTimeMs | UInt32 | |
| flags | UInt32 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Win32k",
"guid": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}",
"event_source_name": "",
"event_id": 63,
"version": 0,
"level": 4,
"task": 67,
"opcode": 0,
"keywords": "0x0400000040400000",
"time_created": "2026-06-02T05:32:25.759+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}"
},
"execution": {
"process_id": 952,
"thread_id": 1052
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"CallbackCount": 0,
"LParam": "0x0",
"WParam": "0x0",
"flags": 1,
"hwnd": "0x10004",
"inputReadyTimeMs": 0,
"message": 0
},
"message": "RetrieveInputMessage"
}
Event ID 64: RetrievePseudoMessage
Fields
| Name | Type | Description |
|---|---|---|
| CallbackCount | Int8 | |
| pqmsg | Pointer | |
| hwnd | Pointer | |
| WParam | Pointer | |
| LParam | Pointer | |
| message | UInt32 | |
| inputReadyTimeMs | UInt32 | |
| flags | UInt32 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Win32k",
"guid": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}",
"event_source_name": "",
"event_id": 64,
"version": 0,
"level": 0,
"task": 68,
"opcode": 0,
"keywords": "0x0400000000400000",
"time_created": "2026-06-02T05:32:25.771+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}"
},
"execution": {
"process_id": 14592,
"thread_id": 10500
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"CallbackCount": 0,
"LParam": "0x0",
"WParam": "0x0",
"flags": 1,
"hwnd": "0x4F006C",
"inputReadyTimeMs": 35789937,
"message": 0,
"pqmsg": "0x0"
},
"message": "RetrievePseudoMessage"
}
Event ID 65: WakePump
Fields
| Name | Type | Description |
|---|---|---|
| CallbackCount | Int8 | |
| pqmsg | Pointer | |
| hwnd | Pointer | |
| WParam | Pointer | |
| LParam | Pointer | |
| message | UInt32 | |
| inputReadyTimeMs | UInt32 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Win32k",
"guid": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}",
"event_source_name": "",
"event_id": 65,
"version": 0,
"level": 4,
"task": 61,
"opcode": 0,
"keywords": "0x0400000000400000",
"time_created": "2026-06-02T05:32:25.758+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}"
},
"execution": {
"process_id": 14592,
"thread_id": 10500
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"CallbackCount": 0,
"LParam": "0x0",
"WParam": "0x0",
"hwnd": "0x4F006C",
"inputReadyTimeMs": 0,
"message": 15,
"pqmsg": "0xFFFFC52384489010"
},
"message": "WakePump"
}
Event ID 66: InputQueueLocked
Fields
| Name | Type | Description |
|---|---|---|
| CallbackCount | Int8 | |
| pQueue | Pointer | |
| ownerThread | UInt32 | |
Event ID 67: InputQueueLocked67
Fields
| Name | Type | Description |
|---|---|---|
| CallbackCount | Int8 | |
| pQueue | Pointer | |
| ownerThread | UInt32 | |
Event ID 74: MessageInjectionPostGestureInputMessage
Fields
| Name | Type | Description |
|---|---|---|
| CallbackCount | Int8 | |
| hwnd | Pointer | |
| hGestureInfo | Pointer | |
Event ID 75: MessageInjectionPostGestureMessage
Fields
| Name | Type | Description |
|---|---|---|
| CallbackCount | Int8 | |
| hwnd | Pointer | |
| hGestureInfo | Pointer | |
Event ID 76: AppMessagePump
Fields
| Name | Type | Description |
|---|---|---|
| CallbackCount | Int8 | |
| fGetMessage | Int32 | |
| dwFlags | UInt32 | |
| Message | UInt32 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Win32k",
"guid": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}",
"event_source_name": "",
"event_id": 76,
"version": 0,
"level": 4,
"task": 69,
"opcode": 1,
"keywords": "0x0400000000800000",
"time_created": "2026-06-02T05:32:24.458+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}"
},
"execution": {
"process_id": 6296,
"thread_id": 6300
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"CallbackCount": 0,
"Message": 1024,
"dwFlags": 1,
"fGetMessage": 1
},
"message": "AppMessagePump"
}
Event ID 77: AppMessagePump
Fields
| Name | Type | Description |
|---|---|---|
| CallbackCount | Int8 | |
| fGetMessage | Int32 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Win32k",
"guid": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}",
"event_source_name": "",
"event_id": 77,
"version": 0,
"level": 4,
"task": 69,
"opcode": 2,
"keywords": "0x0400000000800000",
"time_created": "2026-06-02T05:32:24.458+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}"
},
"execution": {
"process_id": 6296,
"thread_id": 6300
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"CallbackCount": 0,
"fGetMessage": 1
},
"message": "AppMessagePump"
}
Event ID 78: WakeRIT
Fields
| Name | Type | Description |
|---|---|---|
| CallbackCount | Int8 | |
| WakeReason | Int32 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Win32k",
"guid": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}",
"event_source_name": "",
"event_id": 78,
"version": 0,
"level": 4,
"task": 72,
"opcode": 0,
"keywords": "0x0400000000800000",
"time_created": "2026-06-02T05:32:25.759+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}"
},
"execution": {
"process_id": 14592,
"thread_id": 10500
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"CallbackCount": 0,
"WakeReason": 1
},
"message": "WakeRIT"
}
Event ID 84: GUIProcess
Example Event
{
"system": {
"provider": "Microsoft-Windows-Win32k",
"guid": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}",
"event_source_name": "",
"event_id": 84,
"version": 0,
"level": 4,
"task": 76,
"opcode": 1,
"keywords": "0x0400000000200000",
"time_created": "2026-06-02T05:32:25.745+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}"
},
"execution": {
"process_id": 14592,
"thread_id": 12892
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": "GUIProcess"
}
Event ID 85: GUIProcess
Example Event
{
"system": {
"provider": "Microsoft-Windows-Win32k",
"guid": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}",
"event_source_name": "",
"event_id": 85,
"version": 0,
"level": 4,
"task": 76,
"opcode": 2,
"keywords": "0x0400000000200000",
"time_created": "2026-06-02T06:07:54.630+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}"
},
"execution": {
"process_id": 11204,
"thread_id": 4120
},
"channel": "ETW Trace",
"computer": "DESKTOP-FF3N5XK",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": "GUIProcess"
}
Event ID 86: GUIThread
Example Event
{
"system": {
"provider": "Microsoft-Windows-Win32k",
"guid": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}",
"event_source_name": "",
"event_id": 86,
"version": 0,
"level": 4,
"task": 77,
"opcode": 1,
"keywords": "0x0400000000200000",
"time_created": "2026-06-02T05:32:24.730+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}"
},
"execution": {
"process_id": 21572,
"thread_id": 12732
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": "GUIThread"
}
Event ID 87: GUIThread
Example Event
{
"system": {
"provider": "Microsoft-Windows-Win32k",
"guid": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}",
"event_source_name": "",
"event_id": 87,
"version": 0,
"level": 4,
"task": 77,
"opcode": 2,
"keywords": "0x0400000000200000",
"time_created": "2026-06-02T04:02:00.577+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}"
},
"execution": {
"process_id": 4872,
"thread_id": 10316
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": "GUIThread"
}
Event ID 88: QueueInputMessage
Fields
| Name | Type | Description |
|---|---|---|
| CallbackCount | Int8 | |
| pqmsg | Pointer | |
| WindowDelegated | Boolean | |
| WasWindowDelegated | Boolean | |
| Delegated | Boolean | |
| WasDelegated | Boolean | |
| Processed | Boolean | |
| fDelayedFree | Boolean | |
| hwnd | Pointer | |
| WParam | Pointer | |
| LParam | Pointer | |
| message | UInt32 | |
| inputReadyTimeMs | UInt32 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Win32k",
"guid": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}",
"event_source_name": "",
"event_id": 88,
"version": 0,
"level": 4,
"task": 79,
"opcode": 0,
"keywords": "0x0400000040400000",
"time_created": "2026-06-02T05:32:25.759+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}"
},
"execution": {
"process_id": 952,
"thread_id": 1052
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"CallbackCount": 0,
"Delegated": false,
"LParam": "0x0",
"Processed": false,
"WParam": "0x0",
"WasDelegated": false,
"WasWindowDelegated": false,
"WindowDelegated": false,
"fDelayedFree": false,
"hwnd": "0x0",
"inputReadyTimeMs": 35789921,
"message": 0,
"pqmsg": "0xFFFFC5238079C710"
},
"message": "QueueInputMessage"
}
Event ID 92: DispatchMessage
Fields
| Name | Type | Description |
|---|---|---|
| CallbackCount | Int8 | |
| message | UInt32 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Win32k",
"guid": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}",
"event_source_name": "",
"event_id": 92,
"version": 0,
"level": 4,
"task": 81,
"opcode": 1,
"keywords": "0x0400000000400000",
"time_created": "2026-06-02T05:32:25.759+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}"
},
"execution": {
"process_id": 952,
"thread_id": 1052
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"CallbackCount": 0,
"message": 512
},
"message": "DispatchMessage"
}
Event ID 93: DispatchMessage
Fields
| Name | Type | Description |
|---|---|---|
| CallbackCount | Int8 | |
| message | UInt32 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Win32k",
"guid": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}",
"event_source_name": "",
"event_id": 93,
"version": 0,
"level": 4,
"task": 81,
"opcode": 2,
"keywords": "0x0400000000400000",
"time_created": "2026-06-02T05:32:25.759+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}"
},
"execution": {
"process_id": 952,
"thread_id": 1052
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"CallbackCount": 0,
"message": 512
},
"message": "DispatchMessage"
}
Event ID 94: TouchTargetingSpeedHitTestStart
Event ID 95: TouchTargetingSpeedHitTestStop
Event ID 96: TouchTargetingWindowHitTestStart
Event ID 97: TouchTargetingWindowHitTestStop
Event ID 98: TouchTargetingPointerTargetStart
Event ID 99: TouchTargetingPointerTargetStop
Event ID 103: task_0103
Fields
| Name | Type | Description |
|---|---|---|
| ProcName | AnsiString | |
| ClassName | UnicodeString | |
| WindowName | UnicodeString | |
| uId | UInt32 | |
| uElapse | UInt32 | |
| uType | UInt32 | |
Event ID 104: ContactVisualizationStart
Event ID 105: ContactVisualizationStop
Event ID 106: TouchTargetingOffset
Fields
| Name | Type | Description |
|---|---|---|
| ptOffsetX | Int32 | |
| ptOffsetY | Int32 | |
| pointerId | Int32 | |
| cursorId | Int32 | |
Event ID 107: TouchTargetingPointerEvent
Fields
| Name | Type | Description |
|---|---|---|
| pointerId | Int32 | |
| cursorId | Int32 | |
| pointerType | Int32 | |
| pointerFlags | Int32 | |
| touchMask | Int32 | |
| ptLocationX | Int32 | |
| ptLocationY | Int32 | |
| rcContactLeft | Int32 | |
| rcContactRight | Int32 | |
| rcContactTop | Int32 | |
| rcContactBottom | Int32 | |
| orientation | Int32 | |
Event ID 108: TouchTargetingPointerEvent108
Fields
| Name | Type | Description |
|---|---|---|
| pointerId | Int32 | |
| cursorId | Int32 | |
| pointerType | Int32 | |
| pointerFlags | Int32 | |
| touchMask | Int32 | |
| ptLocationX | Int32 | |
| ptLocationY | Int32 | |
| rcContactLeft | Int32 | |
| rcContactRight | Int32 | |
| rcContactTop | Int32 | |
| rcContactBottom | Int32 | |
| orientation | Int32 | |
Event ID 109: PointerDeviceReadStart
Event ID 110: PointerDeviceReadStop
Event ID 111: PointerDeviceMessageStart
Event ID 112: PointerDeviceMessageStop
Event ID 113: PointerDeviceMessageStart113
Event ID 114: PointerDeviceMessageStop114
Event ID 117: RenderingTranslationUpdate
Fields
| Name | Type | Description |
|---|---|---|
| hwnd | Pointer | |
| DirtyLeft | UInt32 | |
| DirtyTop | UInt32 | |
| DirtyRight | UInt32 | |
| DirtyBottom | UInt32 | |
Event ID 119: RenderingTranslationUpdateRectClip
Fields
| Name | Type | Description |
|---|---|---|
| hwnd | Pointer | |
| DirtyLeft | UInt32 | |
| DirtyTop | UInt32 | |
| DirtyRight | UInt32 | |
| DirtyBottom | UInt32 | |
Event ID 120: RenderingUpdateDxAccumFromGDI
Fields
| Name | Type | Description |
|---|---|---|
| hwnd | Pointer | |
| DirtyLeft | UInt32 | |
| DirtyTop | UInt32 | |
| DirtyRight | UInt32 | |
| DirtyBottom | UInt32 | |
Event ID 121: RenderingUpdateDxAccumFromDX
Fields
| Name | Type | Description |
|---|---|---|
| hwnd | Pointer | |
| DirtyLeft | UInt32 | |
| DirtyTop | UInt32 | |
| DirtyRight | UInt32 | |
| DirtyBottom | UInt32 | |
Event ID 123: ModifyDxAccumRgn
Fields
| Name | Type | Description |
|---|---|---|
| hLogicalSurface | UInt64 | |
| RgnType | UInt32 | |
| rcBounds | Int16 | |
| NumRects | UInt32 | |
| rcData | Int64 | |
Event ID 124: LogicalSurfRemovedTranslationFromDirty
Fields
| Name | Type | Description |
|---|---|---|
| hwnd | Pointer | |
| DirtyLeft | UInt32 | |
| DirtyTop | UInt32 | |
| DirtyRight | UInt32 | |
| DirtyBottom | UInt32 | |
Event ID 125: PointerDeviceDiscoveryStart
Event ID 126: PointerDeviceDiscoveryStop
Event ID 127: PointerDeviceMessageStart127
Event ID 128: PointerDeviceMessageStop128
Event ID 129: TouchInjectionEventStart
Event ID 130: TouchInjectionEventStop
Event ID 131: PointerFrameCreationStart
Fields
| Name | Type | Description |
|---|---|---|
| FrameId | UInt32 | |
| PointerCount | UInt32 | |
| PendingPointerCount | UInt32 | |
Event ID 132: PointerFrameCreationStop
Fields
| Name | Type | Description |
|---|---|---|
| FrameId | UInt32 | |
| PointerCount | UInt32 | |
| PendingPointerCount | UInt32 | |
Event ID 133: PointerFrameBuildPartialStart
Fields
| Name | Type | Description |
|---|---|---|
| FrameId | UInt32 | |
| PointerCount | UInt32 | |
| PendingPointerCount | UInt32 | |
Event ID 134: PointerFrameBuildPartialStop
Fields
| Name | Type | Description |
|---|---|---|
| FrameId | UInt32 | |
| PointerCount | UInt32 | |
| PendingPointerCount | UInt32 | |
Event ID 135: PointerFrameCommitStart
Fields
| Name | Type | Description |
|---|---|---|
| FrameId | UInt32 | |
| PointerCount | UInt32 | |
| PendingPointerCount | UInt32 | |
Event ID 136: PointerFrameCommitStop
Fields
| Name | Type | Description |
|---|---|---|
| FrameId | UInt32 | |
| PointerCount | UInt32 | |
| PendingPointerCount | UInt32 | |
Event ID 137: PointerFrameCoalesceStart
Fields
| Name | Type | Description |
|---|---|---|
| FrameId | UInt32 | |
| PointerCount | UInt32 | |
| PendingPointerCount | UInt32 | |
Event ID 138: PointerFrameCoalesceStop
Fields
| Name | Type | Description |
|---|---|---|
| FrameId | UInt32 | |
| PointerCount | UInt32 | |
| PendingPointerCount | UInt32 | |
Event ID 139: PointerFrameMessageGenerationStart
Fields
| Name | Type | Description |
|---|---|---|
| FrameId | UInt32 | |
| PointerCount | UInt32 | |
| PendingPointerCount | UInt32 | |
Event ID 140: PointerFrameMessageGenerationStop
Fields
| Name | Type | Description |
|---|---|---|
| FrameId | UInt32 | |
| PointerCount | UInt32 | |
| PendingPointerCount | UInt32 | |
Event ID 141: PointerMessageRetrieveStart
Fields
| Name | Type | Description |
|---|---|---|
| pqmsg | Pointer | |
| PointerId | UInt32 | |
| Message | UInt32 | |
Event ID 142: PointerMessageRetrieveStop
Fields
| Name | Type | Description |
|---|---|---|
| pqmsg | Pointer | |
| PointerId | UInt32 | |
| Message | UInt32 | |
Event ID 143: PointerUpdateMessageRetrieveStart
Fields
| Name | Type | Description |
|---|---|---|
| pqmsg | Pointer | |
| PointerId | UInt32 | |
| Message | UInt32 | |
Event ID 144: PointerUpdateMessageRetrieveStop
Fields
| Name | Type | Description |
|---|---|---|
| pqmsg | Pointer | |
| PointerId | UInt32 | |
| Message | UInt32 | |
Event ID 145: PointerSetTargetWindowsStart
Event ID 146: PointerSetTargetWindowsStop
Event ID 147: PointerUpdateSetTargetWindowsStart
Event ID 148: PointerUpdateSetTargetWindowsStop
Event ID 149: InputQueueNoRemoveLockerStop
Fields
| Name | Type | Description |
|---|---|---|
| CallbackCount | Int8 | |
| pQueue | Pointer | |
| ownerThread | UInt32 | |
Event ID 150: InputQueueLockedPeekRecursionStop
Fields
| Name | Type | Description |
|---|---|---|
| CallbackCount | Int8 | |
| pQueue | Pointer | |
| ownerThread | UInt32 | |
Event ID 151: DCompCommitBatch
Fields
| Name | Type | Description |
|---|---|---|
| channelHandle | UInt32 | |
| pBatch | Pointer | |
| batchID | UInt32 | |
| isNinja | Boolean | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Win32k",
"guid": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}",
"event_source_name": "",
"event_id": 151,
"version": 0,
"level": 4,
"task": 107,
"opcode": 0,
"keywords": "0x0000000400001000",
"time_created": "2026-06-02T06:08:00.231+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}"
},
"execution": {
"process_id": 5396,
"thread_id": 3744
},
"channel": "ETW Trace",
"computer": "DESKTOP-FF3N5XK",
"security": {
"user_id": ""
}
},
"event_data": {
"batchID": 24923,
"channelHandle": 15,
"isNinja": false,
"pBatch": "0xFFFF990EE77329B0"
},
"message": "DCompCommitBatch"
}
Event ID 152: DelegateInputUserCallbackStart
Fields
| Name | Type | Description |
|---|---|---|
| CallbackCount | Int8 | |
| pqmsg | Pointer | |
| WindowDelegated | Boolean | |
| WasWindowDelegated | Boolean | |
| Delegated | Boolean | |
| WasDelegated | Boolean | |
| Processed | Boolean | |
| fDelayedFree | Boolean | |
| hwnd | Pointer | |
| WParam | Pointer | |
| LParam | Pointer | |
| message | UInt32 | |
| inputReadyTimeMs | UInt32 | |
Event ID 153: DelegateInputUserCallbackStop
Fields
| Name | Type | Description |
|---|---|---|
| CallbackCount | Int8 | |
| pqmsg | Pointer | |
| WindowDelegated | Boolean | |
| WasWindowDelegated | Boolean | |
| Delegated | Boolean | |
| WasDelegated | Boolean | |
| Processed | Boolean | |
| fDelayedFree | Boolean | |
| hwnd | Pointer | |
| WParam | Pointer | |
| LParam | Pointer | |
| message | UInt32 | |
| inputReadyTimeMs | UInt32 | |
Event ID 154: DelegatedInputWorkerStart
Fields
| Name | Type | Description |
|---|---|---|
| CallbackCount | Int8 | |
| pqmsg | Pointer | |
| WindowDelegated | Boolean | |
| WasWindowDelegated | Boolean | |
| Delegated | Boolean | |
| WasDelegated | Boolean | |
| Processed | Boolean | |
| fDelayedFree | Boolean | |
| hwnd | Pointer | |
| WParam | Pointer | |
| LParam | Pointer | |
| message | UInt32 | |
| inputReadyTimeMs | UInt32 | |
| hdfResponse | UInt32 | |
Event ID 155: DelegatedInputWorkerStop
Fields
| Name | Type | Description |
|---|---|---|
| CallbackCount | Int8 | |
| pqmsg | Pointer | |
| WindowDelegated | Boolean | |
| WasWindowDelegated | Boolean | |
| Delegated | Boolean | |
| WasDelegated | Boolean | |
| Processed | Boolean | |
| fDelayedFree | Boolean | |
| hwnd | Pointer | |
| WParam | Pointer | |
| LParam | Pointer | |
| message | UInt32 | |
| inputReadyTimeMs | UInt32 | |
| hdfResponse | UInt32 | |
Event ID 156: PointerDeviceMessage
#Fields #
| Name | Description |
|---|---|
bNew UInt32 | |
ulContactId UInt32 | |
dwCursorId UInt32 | |
X Int32 | |
Y Int32 |
Event ID 157: PointerMessageGenerationStart
#Fields #
| Name | Description |
|---|---|
wCursorId UInt16 | |
wPointerId UInt16 |
Event ID 159: PointerFrameCoalesce
#Fields #
| Name | Description |
|---|---|
wCursorId UInt16 | |
wPointerId UInt16 | |
dwReason UInt32 |
Event ID 160: SmoothRotationStart
#Fields #
| Name | Description |
|---|---|
Orientation UInt32 | |
SensorOriginated Boolean | |
ActiveProcessId UInt32 |
Event ID 162: DCompGetBatch
#Fields #
| Name | Description |
|---|---|
pBatch Pointer |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Win32k",
"guid": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}",
"event_source_name": "",
"event_id": 162,
"version": 0,
"level": 4,
"task": 111,
"opcode": 0,
"keywords": "0x0000000400001000",
"time_created": "2026-06-02T06:08:00.242+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}"
},
"execution": {
"process_id": 1168,
"thread_id": 1236
},
"channel": "ETW Trace",
"computer": "DESKTOP-FF3N5XK",
"security": {
"user_id": ""
}
},
"event_data": {
"pBatch": "0xFFFF990EE77329B0"
},
"message": "DCompGetBatch"
}
Event ID 163: ExclusiveUserCrit
#Fields #
| Name | Description |
|---|---|
AcquireQpcCounts UInt64 | |
AcquireTimeUs UInt32 | |
Token UInt64 |
Event ID 164: ExclusiveUserCrit
#Fields #
| Name | Description |
|---|---|
AcquireQpcCounts UInt64 | |
AcquireTimeUs UInt32 | |
Token UInt64 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Win32k",
"guid": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}",
"event_source_name": "",
"event_id": 164,
"version": 0,
"level": 4,
"task": 113,
"opcode": 0,
"keywords": "0x0200000010000000",
"time_created": "2026-06-02T05:32:24.458+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}"
},
"execution": {
"process_id": 6296,
"thread_id": 3488
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"AcquireQpcCounts": 5,
"AcquireTimeUs": 0,
"Token": 267
},
"message": "ExclusiveUserCrit"
}
Event ID 165: SharedUserCrit
#Fields #
| Name | Description |
|---|---|
AcquireQpcCounts UInt64 | |
AcquireTimeUs UInt32 | |
Token UInt64 |
Event ID 166: SharedUserCrit
#Fields #
| Name | Description |
|---|---|
AcquireQpcCounts UInt64 | |
AcquireTimeUs UInt32 | |
Token UInt64 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Win32k",
"guid": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}",
"event_source_name": "",
"event_id": 166,
"version": 0,
"level": 4,
"task": 114,
"opcode": 0,
"keywords": "0x0200000010000000",
"time_created": "2026-06-02T05:32:24.458+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}"
},
"execution": {
"process_id": 6296,
"thread_id": 6300
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"AcquireQpcCounts": 4,
"AcquireTimeUs": 0,
"Token": 270
},
"message": "SharedUserCrit"
}
Event ID 167: ReleaseUserCrit
#Fields #
| Name | Description |
|---|---|
HoldQpcCounts UInt64 | |
HoldTimeMs UInt32 | |
Token UInt64 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Win32k",
"guid": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}",
"event_source_name": "",
"event_id": 167,
"version": 0,
"level": 4,
"task": 115,
"opcode": 0,
"keywords": "0x0200000010000000",
"time_created": "2026-06-02T05:32:24.458+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}"
},
"execution": {
"process_id": 6296,
"thread_id": 3488
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"HoldQpcCounts": 1895,
"HoldTimeMs": 0,
"Token": 268
},
"message": "ReleaseUserCrit"
}
Event ID 168: SleepInputIdle
#Fields #
| Name | Description |
|---|---|
pti Pointer |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Win32k",
"guid": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}",
"event_source_name": "",
"event_id": 168,
"version": 0,
"level": 4,
"task": 116,
"opcode": 0,
"keywords": "0x0400000000800000",
"time_created": "2026-06-02T05:32:24.458+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 6296,
"thread_id": 6300
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"pti": "0xFFFFC5238447A010"
},
"message": "SleepInputIdle"
}
Event ID 169: WakeInputIdle
#Fields #
| Name | Description |
|---|---|
pti Pointer |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Win32k",
"guid": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}",
"event_source_name": "",
"event_id": 169,
"version": 0,
"level": 4,
"task": 117,
"opcode": 0,
"keywords": "0x0400000000800000",
"time_created": "2026-06-02T05:32:24.458+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 6296,
"thread_id": 6300
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"pti": "0xFFFFC5238447A010"
},
"message": "WakeInputIdle"
}
Event ID 170: EdgyDetectionStart
Event ID 172: ImmersiveInputProcessDelay
#Fields #
| Name | Description |
|---|---|
Flags UInt32 | |
TimeSinceInputRemoveMs UInt32 | |
TimeSinceOldestInputMs UInt32 | |
ClassName UnicodeString | |
TopLevelClassName UnicodeString | |
PackageMoniker UnicodeString | |
AppUserModelId UnicodeString | |
MessageId UInt32 | |
WParam UInt64 |
Event ID 173: ImmersiveMessageCheckDelay
#Fields #
| Name | Description |
|---|---|
Flags UInt32 | |
DelayTimeMs UInt32 | |
TimeSinceInputRemoveMs UInt32 | |
TimeSinceOldestInputMs UInt32 | |
ClassName UnicodeString | |
TopLevelClassName UnicodeString | |
PackageMoniker UnicodeString | |
AppUserModelId UnicodeString | |
MessageId UInt32 | |
WParam UInt64 |
Event ID 174: THQAEventStart
Event ID 175: THQAEventStop
Event ID 178: MoveRgn
#Fields #
| Name | Description |
|---|---|
hLogicalSurface UInt64 | |
RgnType UInt32 | |
rcBounds Int16 | |
NumRects UInt32 | |
rcData Int64 |
Event ID 179: DirtyRgn
#Fields #
| Name | Description |
|---|---|
hLogicalSurface UInt64 | |
RgnType UInt32 | |
rcBounds Int16 | |
NumRects UInt32 | |
rcData Int64 |
Event ID 180: LogicalSurfRemovedTranslationFromMove
#Fields #
| Name | Description |
|---|---|
hwnd Pointer | |
DirtyLeft UInt32 | |
DirtyTop UInt32 | |
DirtyRight UInt32 | |
DirtyBottom UInt32 |
Event ID 181: DirtyRectUpdate
#Fields #
| Name | Description |
|---|---|
hwnd Pointer | |
DirtyLeft UInt32 | |
DirtyTop UInt32 | |
DirtyRight UInt32 | |
DirtyBottom UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Win32k",
"guid": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}",
"event_source_name": "",
"event_id": 181,
"version": 0,
"level": 4,
"task": 127,
"opcode": 0,
"keywords": "0x0000000000001000",
"time_created": "2026-06-02T04:02:00.030+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}"
},
"execution": {
"process_id": 4304,
"thread_id": 3088
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"DirtyBottom": 40,
"DirtyLeft": 907,
"DirtyRight": 971,
"DirtyTop": 0,
"hwnd": "0x4120632"
},
"message": "DirtyRectUpdate"
}
Event ID 182: TranslationUpdateOffsetDWM
#Fields #
| Name | Description |
|---|---|
hwnd Pointer | |
Offsetx Int32 | |
Offsety Int32 |
Event ID 183: DwmGetRgn
#Fields #
| Name | Description |
|---|---|
hLogicalSurface UInt64 | |
RgnType UInt32 | |
rcBounds Int16 | |
NumRects UInt32 | |
rcData Int64 |
Event ID 184: PointerFrameCoalesceStart184
#Fields #
| Name | Description |
|---|---|
FrameId UInt32 | |
PointerCount UInt32 | |
PendingPointerCount UInt32 |
Event ID 185: PointerFrameCoalesceStop185
#Fields #
| Name | Description |
|---|---|
FrameId UInt32 | |
PointerCount UInt32 | |
PendingPointerCount UInt32 |
Event ID 186: PointerFrameCoalesce186
#Fields #
| Name | Description |
|---|---|
wCursorId UInt16 | |
wPointerId UInt16 | |
dwReason UInt32 |
Event ID 187: InternalSetTimerCoalescing
#Fields #
| Name | Description |
|---|---|
Hwnd Pointer | |
uId UInt32 | |
uElapse UInt32 | |
uCoalescingTolerance UInt32 | |
uType UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Win32k",
"guid": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}",
"event_source_name": "",
"event_id": 187,
"version": 0,
"level": 4,
"task": 130,
"opcode": 0,
"keywords": "0x0000000020000000",
"time_created": "2026-06-02T05:32:25.745+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}"
},
"execution": {
"process_id": 14592,
"thread_id": 12892
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"Hwnd": "0x0",
"uCoalescingTolerance": 0,
"uElapse": 35000,
"uId": 32766,
"uType": 540
},
"message": "InternalSetTimerCoalescing"
}
Event ID 188: InternalSetTimerNoCoalescing
#Fields #
| Name | Description |
|---|---|
Hwnd Pointer | |
uId UInt32 | |
uElapse UInt32 | |
uType UInt32 |
Event ID 189: KillTimer
#Fields #
| Name | Description |
|---|---|
Hwnd Pointer | |
uId UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Win32k",
"guid": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}",
"event_source_name": "",
"event_id": 189,
"version": 0,
"level": 4,
"task": 132,
"opcode": 0,
"keywords": "0x0000000020000000",
"time_created": "2026-06-02T04:02:01.046+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}"
},
"execution": {
"process_id": 4304,
"thread_id": 3088
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"Hwnd": "0x0",
"uId": 23933
},
"message": "KillTimer"
}
Event ID 190: ProcTimerCoalescing
#Fields #
| Name | Description |
|---|---|
Hwnd Pointer | |
uId UInt32 | |
uElapse UInt32 | |
uCoalescingTolerance UInt32 | |
uType UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Win32k",
"guid": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}",
"event_source_name": "",
"event_id": 190,
"version": 0,
"level": 4,
"task": 133,
"opcode": 0,
"keywords": "0x0000000020000000",
"time_created": "2026-06-02T05:32:25.246+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}"
},
"execution": {
"process_id": 1004,
"thread_id": 1112
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"Hwnd": "0x0",
"uCoalescingTolerance": 0,
"uElapse": 1000,
"uId": 32766,
"uType": 516
},
"message": "ProcTimerCoalescing"
}
Event ID 191: ProcTimerNoCoalescing
#Fields #
| Name | Description |
|---|---|
Hwnd Pointer | |
uId UInt32 | |
uElapse UInt32 | |
uType UInt32 |
Event ID 192: DrvChangeDisplaySettingsStart
Event ID 193: DrvChangeDisplaySettingsStop
Event ID 194: ChangeDisplayModeStart
Event ID 195: ChangeDisplayModeStop
Event ID 196: PseudoDevCreationStart
Event ID 197: PseudoDevCreationStop
Event ID 198: TouchHWTimeStamp
#Fields #
| Name | Description |
|---|---|
ScanTime Int32 | |
dwTime Int32 | |
QPC UInt64 | |
XRawPosition Int32 | |
YRawPosition Int32 | |
XPredictedPosition Int32 | |
YPredictedPosition Int32 |
Event ID 199: PointerFrameCoalesce199
#Fields #
| Name | Description |
|---|---|
wCursorId UInt16 | |
wPointerId UInt16 | |
dwReason UInt32 |
Event ID 200: PointerFrameCoalesce200
#Fields #
| Name | Description |
|---|---|
wCursorId UInt16 | |
wPointerId UInt16 | |
dwReason UInt32 |
Event ID 201: TokenCompositionSurfaceObject_V1
#Fields #
| Name | Description |
|---|---|
pToken Pointer | |
pCompositionSurfaceObject Pointer | |
SwapChainIndex UInt32 | |
PresentCount UInt64 | |
CompositionSurfaceLuid UInt64 | |
BindId UInt64 | |
FlipInterval UInt32 | |
DestWidth UInt32 | |
DestHeight UInt32 |
Event ID 202: CompositionSurfaceObjectUpdate
#Fields #
| Name | Description |
|---|---|
pCompositionSurfaceObject Pointer | |
SwapChainIndex UInt32 |
Event ID 203: QueueEventMessage
#Fields #
| Name | Description |
|---|---|
CallbackCount Int8 | |
pqmsg Pointer | |
pti Pointer | |
dwQEvent UInt32 | |
hwnd Pointer |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Win32k",
"guid": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}",
"event_source_name": "",
"event_id": 203,
"version": 0,
"level": 4,
"task": 140,
"opcode": 0,
"keywords": "0x0400000000800000",
"time_created": "2026-06-02T06:08:00.227+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}"
},
"execution": {
"process_id": 5396,
"thread_id": 3744
},
"channel": "ETW Trace",
"computer": "DESKTOP-FF3N5XK",
"security": {
"user_id": ""
}
},
"event_data": {
"CallbackCount": 1,
"dwQEvent": 9,
"hwnd": "0x200D2",
"pqmsg": "0xFFFF990F043BDD00",
"pti": "0x0"
},
"message": "QueueEventMessage"
}
Event ID 204: RetrieveQueueEventMessage
#Fields #
| Name | Description |
|---|---|
CallbackCount Int8 | |
pqmsg Pointer | |
pti Pointer | |
dwQEvent UInt32 | |
hwnd Pointer |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Win32k",
"guid": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}",
"event_source_name": "",
"event_id": 204,
"version": 0,
"level": 4,
"task": 141,
"opcode": 0,
"keywords": "0x0400000000800000",
"time_created": "2026-06-02T06:08:00.228+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}"
},
"execution": {
"process_id": 5396,
"thread_id": 3744
},
"channel": "ETW Trace",
"computer": "DESKTOP-FF3N5XK",
"security": {
"user_id": ""
}
},
"event_data": {
"CallbackCount": 0,
"dwQEvent": 9,
"hwnd": "0x200D2",
"pqmsg": "0xFFFF990F043BDD00",
"pti": "0xFFFF990EFF42E720"
},
"message": "RetrieveQueueEventMessage"
}
Event ID 205: ForegroundWindowFullScreenStart
Event ID 206: ForegroundWindowFullScreenStop
Event ID 207: ChangeDisplayModeBroadcast
Event ID 214: ChangeDisplayModeDeferral
Event ID 217: TouchPadHWTimeStamp
#Fields #
| Name | Description |
|---|---|
ScanTime UInt32 | |
dwTime UInt32 | |
QPCTime UInt64 | |
XLogicalT UInt32 | |
YLogicalT UInt32 | |
XLogicalC UInt32 | |
YLogicalC UInt32 | |
XHimetricT UInt32 | |
YHimetricT UInt32 | |
Button Boolean | |
Count UInt32 | |
Identifier UInt32 | |
Width UInt32 | |
Height UInt32 | |
Confidence Boolean | |
Pressure UInt32 | |
DeviceType UInt32 |
Event ID 218: TransformAgeDecay
#Fields #
| Name | Description |
|---|---|
InputTransformList Pointer | |
PerformanceCount UInt64 |
Event ID 220: ArmDitMouseFlush
Event ID 221: ProcessQueuedMouseEvents
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Win32k",
"guid": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}",
"event_source_name": "",
"event_id": 221,
"version": 0,
"level": 4,
"task": 216,
"opcode": 1,
"keywords": "0x0400000040800000",
"time_created": "2026-06-02T05:32:25.759+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}"
},
"execution": {
"process_id": 952,
"thread_id": 1048
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": "ProcessQueuedMouseEvents"
}
Event ID 222: ProcessQueuedMouseEvents
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Win32k",
"guid": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}",
"event_source_name": "",
"event_id": 222,
"version": 0,
"level": 4,
"task": 216,
"opcode": 2,
"keywords": "0x0400000040800000",
"time_created": "2026-06-02T05:32:25.759+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}"
},
"execution": {
"process_id": 952,
"thread_id": 1048
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": "ProcessQueuedMouseEvents"
}
Event ID 224: InputRedirection
#Fields #
| Name | Description |
|---|---|
hDCompInputHandle Pointer | |
Hwnd Pointer | |
XformQPCTime UInt64 | |
XformStored UInt32 |
Event ID 225: OnInputXformUpdate
#Fields #
| Name | Description |
|---|---|
Hwnd Pointer | |
XformQPCTime UInt64 | |
XformUpdated UInt32 |
Event ID 226: DitWaitForRitDisEngagement
Event ID 227: RitDisEngaged
Event ID 228: DitEngaged
Event ID 229: RitReEngaged
Event ID 230: DitDisEngaged
Event ID 231: DitTerminated
Event ID 232: DitShutdown
Event ID 233: TouchPadAAP
#Fields #
| Name | Description |
|---|---|
LastKeyDownTime UInt32 | |
LastKeyUpTime UInt32 | |
TapTime UInt32 | |
Blocked Boolean | |
Feature UInt32 |
Event ID 234: MouseInputApc
Event ID 235: MouseInputCoalesced
Event ID 237: TouchPadEnabledStatusChangeStart
Event ID 238: TouchPadEnabledStatusChangeStop
Event ID 239: PTPReadThresholdsStart
Event ID 240: PTPReadThresholdsStop
Event ID 241: TouchPadConfidenceCleared
#Fields #
| Name | Description |
|---|---|
ContactId UInt32 | |
OnUp Boolean | |
NeedsUp Boolean |
Event ID 243: PTPElasticDragModeStart
Event ID 244: PTPElasticDragModeStop
Event ID 245: LegacyTouchPadDetectionStart
Event ID 246: LegacyTouchPadDetectionStop
Event ID 247: LegacyTouchPadDetection
Event ID 248: LegacyTouchPadDetection248
Event ID 250: TouchPadCurtainSize
#Fields #
| Name | Description |
|---|---|
Top UInt32 | |
Left UInt32 | |
Right UInt32 | |
Enabled Boolean |
Event ID 251: TouchpadStopInertia
Event ID 252: TouchpadStopInertia252
Event ID 253: TouchpadStopInertia253
Event ID 254: TrappedAppContainerRender
#Fields #
| Name | Description |
|---|---|
RenderSourceProcessName AnsiString | |
RenderSourcePackageName UnicodeString | |
RenderTargetProcessName AnsiString | |
RenderTargetPackageName UnicodeString |
Event ID 256: DitMmcssWorkStart
Event ID 257: DitMmcssWorkStop
Event ID 258: FocusedProcessChangeGained
#Fields #
| Name | Description |
|---|---|
SessionId UInt32 | |
NewProcessId UInt32 | |
NewProcessCreateTime FILETIME |
Event ID 259: FocusedProcessChangeLost
#Fields #
| Name | Description |
|---|---|
SessionId UInt32 | |
OldProcessId UInt32 | |
OldProcessCreateTime FILETIME |
Event ID 260: SourceProcessName attempted loading a font that is restricted by font loading policy.
Event ID 301: TokenStateChanged_V1
#Fields #
| Name | Description |
|---|---|
pCompositionSurfaceObject Pointer | |
SwapChainIndex UInt32 | |
PresentCount UInt32 | |
FenceValue UInt64 | |
NewState UInt32 | |
IndependentFlip Boolean | |
SkipIndependentFlip Boolean | |
CompositionSurfaceLuid UInt64 | |
BindId UInt64 | |
EarlyComposition Boolean |
Event ID 400: DCompDeferBatch
#Fields #
| Name | Description |
|---|---|
channelHandle UInt32 | |
pBatch Pointer | |
batchID UInt32 | |
submissionTime UInt64 | |
submissionDeadline UInt64 | |
deferReason UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Win32k",
"guid": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}",
"event_source_name": "",
"event_id": 400,
"version": 0,
"level": 4,
"task": 400,
"opcode": 0,
"keywords": "0x0000000000001000",
"time_created": "2026-06-02T06:08:00.231+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}"
},
"execution": {
"process_id": 1168,
"thread_id": 1236
},
"channel": "ETW Trace",
"computer": "DESKTOP-FF3N5XK",
"security": {
"user_id": ""
}
},
"event_data": {
"batchID": 24923,
"channelHandle": 15,
"deferReason": 3,
"pBatch": "0xFFFF990EE77329B0",
"submissionDeadline": 1236898750000,
"submissionTime": 1236898856077
},
"message": "DCompDeferBatch"
}
Event ID 401: TouchPadHIDProcessingStart
Event ID 402: TouchPadHIDProcessingStop
Event ID 403: TouchPadWMPointerProcessingStart
Event ID 404: TouchPadWMPointerProcessingStop
Event ID 405: TouchPadGesture
Event ID 406: CopyPointerInputFrameStart
Event ID 407: CopyPointerInputFrameStop
Event ID 410: LatencyModeProcessingStart
Event ID 411: LatencyModeProcessingStop
Event ID 412: DCompBeginFrame
#Fields #
| Name | Description |
|---|---|
hConnection UInt64 | |
targetTime UInt64 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Win32k",
"guid": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}",
"event_source_name": "",
"event_id": 412,
"version": 0,
"level": 4,
"task": 412,
"opcode": 0,
"keywords": "0x0000000000001000",
"time_created": "2026-06-02T04:02:00.060+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}"
},
"execution": {
"process_id": 1648,
"thread_id": 1712
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"SyncRefreshCount": 1943314,
"hConnection": 4
},
"message": "DCompBeginFrame"
}
Event ID 413: TokenIndependentFlipSkipComplete
#Fields #
| Name | Description |
|---|---|
SyncRefreshCount UInt32 | |
PresentCount UInt32 | |
CompositionSurfaceLuid UInt64 | |
BindId UInt64 |
Event ID 416: ExclusiveUserCritTelemetry
#Fields #
| Name | Description |
|---|---|
AcquireQpcCounts UInt64 | |
AcquireTimeMs UInt32 | |
Token UInt64 |
Event ID 417: SharedUserCritTelemetry
#Fields #
| Name | Description |
|---|---|
AcquireQpcCounts UInt64 | |
AcquireTimeMs UInt32 | |
Token UInt64 |
Event ID 420: UserResetDisplayDevice
Event ID 421: UserResetDisplayDevice
Event ID 422: PowerOnMonitor
Event ID 423: PowerOnMonitor
Event ID 424: DwmSyncFlushForceRenderAndWaitForBatch
Event ID 425: DwmSyncFlushForceRenderAndWaitForBatch
Event ID 426: QueueNullPostMessage
#Fields #
| Name | Description |
|---|---|
SourceProcessId UInt32 | |
SourceThreadId UInt32 | |
SourceProcessName AnsiString | |
DestinationHwnd Pointer |
Event ID 427: The following win32k syscall is blocked by Win32k Syscall Filter: SyscallName.
Event ID 428: The following SystemParametersInfo action was blocked by Win32k Syscall Filter: SPIAction.
Event ID 429: PowerWatchdog
Event ID 430: PowerWatchdog
Event ID 431: VideoPortCalloutThread
Description
VideoPortCalloutThread.
Message #
Fields #
| Name | Description |
|---|---|
CalloutType Int32 | |
Status UInt32 | NTSTATUS reference |
Event ID 432: VideoPortCalloutThread
Description
VideoPortCalloutThread.
Message #
Fields #
| Name | Description |
|---|---|
CalloutType Int32 | |
Status UInt32 | NTSTATUS reference |
Event ID 433: PowerStateCalloutWorker
Description
PowerStateCalloutWorker.
Message #
Fields #
| Name | Description |
|---|---|
PowerTaskState Int32 | |
Status UInt32 | NTSTATUS reference |
Event ID 434: PowerStateCalloutWorker
Description
PowerStateCalloutWorker.
Message #
Fields #
| Name | Description |
|---|---|
PowerTaskState Int32 | |
Status UInt32 | NTSTATUS reference |
Event ID 435: PowerEventCalloutWorker
Description
PowerEventCalloutWorker.
Message #
Fields #
| Name | Description |
|---|---|
EventNumber Int32 | |
Code UInt64 | |
Status UInt32 | NTSTATUS reference |
Event ID 436: PowerEventCalloutWorker
Description
PowerEventCalloutWorker.
Message #
Fields #
| Name | Description |
|---|---|
EventNumber Int32 | |
Code UInt64 | |
Status UInt32 | NTSTATUS reference |
Event ID 437: Insert
Event ID 438: Remove
Event ID 439: Canceled
Event ID 440: Completed
Event ID 441: WaitForVideoPortCalloutReady
Event ID 443: DCompResourceMapping
#Fields #
| Name | Description |
|---|---|
Channel UInt32 | |
InternalHandle UInt32 | |
ExternalHandle UInt32 | |
InternalHandleAndChannel UInt64 | |
ExternalHandleAndChannel UInt64 | |
ResourceType UInt32 | |
CreateShared Boolean | |
OpenShared Boolean |
Event ID 444: DCompResourcePropertyUpdate
#Fields #
| Name | Description |
|---|---|
Channel UInt32 | |
InternalHandle UInt32 | |
ExternalHandle UInt32 | |
ResourceType UInt32 | |
PropertyId UInt32 |
Event ID 445: DCompCommandType
#Fields #
| Name | Description |
|---|---|
CommandType UInt32 | |
status UInt64 | NTSTATUS reference |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Win32k",
"guid": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}",
"event_source_name": "",
"event_id": 445,
"version": 0,
"level": 4,
"task": 433,
"opcode": 0,
"keywords": "0x0000000400001000",
"time_created": "2026-06-02T06:08:00.231+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}"
},
"execution": {
"process_id": 5396,
"thread_id": 3744
},
"channel": "ETW Trace",
"computer": "DESKTOP-FF3N5XK",
"security": {
"user_id": ""
}
},
"event_data": {
"CommandType": 11,
"status": 0
},
"message": "DCompCommandType"
}
Event ID 446: DCompCommandsInBatch
#Fields #
| Name | Description |
|---|---|
CommandsCount UInt64 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Win32k",
"guid": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}",
"event_source_name": "",
"event_id": 446,
"version": 0,
"level": 4,
"task": 434,
"opcode": 0,
"keywords": "0x0000000400001000",
"time_created": "2026-06-02T06:08:00.231+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}"
},
"execution": {
"process_id": 5396,
"thread_id": 3744
},
"channel": "ETW Trace",
"computer": "DESKTOP-FF3N5XK",
"security": {
"user_id": ""
}
},
"event_data": {
"CommandsCount": 18
},
"message": "DCompCommandsInBatch"
}
Event ID 450: DCompCreateImplicitInteraction
#Fields #
| Name | Description |
|---|---|
Channel UInt32 | |
VisualInternalHandle UInt32 | |
InteractionInternalHandle UInt32 | |
VisualInternalHandleAndChannel UInt64 | |
InteractionInternalHandleAndChannel UInt64 | |
ResourceType UInt32 | |
DefaultInteraction Boolean | |
Reason UnicodeString |
Event ID 451: DCompVisualSetInteraction
#Fields #
| Name | Description |
|---|---|
Channel UInt32 | |
VisualInternalHandle UInt32 | |
InteractionInternalHandle UInt32 | |
VisualInternalHandleAndChannel UInt64 | |
InteractionInternalHandleAndChannel UInt64 |
Event ID 452: UserHandleOperation
#Fields #
| Name | Description |
|---|---|
HandleValue Pointer | |
HandleType UInt32 | |
SessionId UInt32 | |
OwnerProcessId UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Win32k",
"guid": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}",
"event_source_name": "",
"event_id": 452,
"version": 0,
"level": 4,
"task": 443,
"opcode": 28,
"keywords": "0x0000020000000000",
"time_created": "2026-06-02T05:32:25.757+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}"
},
"execution": {
"process_id": 14592,
"thread_id": 10500
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"HandleType": 1,
"HandleValue": "0x4F006C",
"OwnerProcessId": 14592,
"SessionId": 0
},
"message": "UserHandleOperation"
}
Event ID 453: UserHandleOperation
#Fields #
| Name | Description |
|---|---|
HandleValue Pointer | |
HandleType UInt32 | |
SessionId UInt32 | |
OwnerProcessId UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Win32k",
"guid": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}",
"event_source_name": "",
"event_id": 453,
"version": 0,
"level": 4,
"task": 443,
"opcode": 29,
"keywords": "0x0000020000000000",
"time_created": "2026-06-02T05:32:25.759+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}"
},
"execution": {
"process_id": 14592,
"thread_id": 10500
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"HandleType": 3,
"HandleValue": "0x8902DD",
"OwnerProcessId": 14592,
"SessionId": 0
},
"message": "UserHandleOperation"
}
Event ID 454: UserHandleOperationUpdateHandleOwner
#Fields #
| Name | Description |
|---|---|
HandleValue Pointer | |
HandleType UInt32 | |
SessionId UInt32 | |
OwnerProcessId UInt32 |
Event ID 455: GdiHandleOperation
#Fields #
| Name | Description |
|---|---|
HandleValue Pointer | |
HandleType UInt32 | |
SessionId UInt32 | |
OwnerProcessId UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Win32k",
"guid": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}",
"event_source_name": "",
"event_id": 455,
"version": 0,
"level": 4,
"task": 442,
"opcode": 28,
"keywords": "0x0000010000000000",
"time_created": "2026-06-02T05:32:25.757+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}"
},
"execution": {
"process_id": 14592,
"thread_id": 10500
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"HandleType": 1,
"HandleValue": "0xFFFFFFFF8B0102B7",
"OwnerProcessId": 14592,
"SessionId": 0
},
"message": "GdiHandleOperation"
}
Event ID 456: GdiHandleOperation
#Fields #
| Name | Description |
|---|---|
HandleValue Pointer | |
HandleType UInt32 | |
SessionId UInt32 | |
OwnerProcessId UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Win32k",
"guid": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}",
"event_source_name": "",
"event_id": 456,
"version": 0,
"level": 4,
"task": 442,
"opcode": 29,
"keywords": "0x0000010000000000",
"time_created": "2026-06-02T05:32:25.757+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}"
},
"execution": {
"process_id": 14592,
"thread_id": 10500
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"HandleType": 1,
"HandleValue": "0xFFFFFFFF92010287",
"OwnerProcessId": 14592,
"SessionId": 0
},
"message": "GdiHandleOperation"
}
Event ID 457: GdiHandleOperation
#Fields #
| Name | Description |
|---|---|
HandleValue Pointer | |
HandleType UInt32 | |
SessionId UInt32 | |
OwnerProcessId UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Win32k",
"guid": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}",
"event_source_name": "",
"event_id": 457,
"version": 0,
"level": 4,
"task": 442,
"opcode": 30,
"keywords": "0x0000010000000000",
"time_created": "2026-06-02T05:32:25.757+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}"
},
"execution": {
"process_id": 14592,
"thread_id": 10500
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"HandleType": 4,
"HandleValue": "0xFFFFFFFF93040287",
"OwnerProcessId": 0,
"SessionId": 0
},
"message": "GdiHandleOperation"
}
Event ID 458: GdiHandleOperation
#Fields #
| Name | Description |
|---|---|
PreviousHandleValue Pointer | |
NewHandleValue Pointer | |
HandleType UInt32 | |
SessionId UInt32 | |
OwnerProcessId UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Win32k",
"guid": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}",
"event_source_name": "",
"event_id": 458,
"version": 0,
"level": 4,
"task": 442,
"opcode": 31,
"keywords": "0x0000010000000000",
"time_created": "2026-06-02T04:02:00.029+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}"
},
"execution": {
"process_id": 4304,
"thread_id": 3088
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"HandleType": 4,
"NewHandleValue": "0xD8041846",
"OwnerProcessId": 4304,
"PreviousHandleValue": "0xD7041846",
"SessionId": 1
},
"message": "GdiHandleOperation"
}
Event ID 461: DwmVisRgnUpdate
Fields
| Name | Description |
|---|---|
| hwnd Pointer | |
| hwndParent Pointer | |
| visRgnType UInt32 | |
| changed Boolean | |
Event ID 463: ReadClipboard
Fields
| Name | Description |
|---|---|
| CallerPid UInt32 | |
| CallerProcessCreateTime FILETIME | |
| OwnerPid UInt32 | |
| OwnerProcessCreateTime FILETIME | |
| ClipboardSequenceNumber UInt32 | |
Event ID 500: FlipManagerCompleteTokenStart
Fields
| Name | Description |
|---|---|
| FlipManagerId UInt32 | |
| PresentId UInt64 | |
| IFlip Boolean | |
| IFlipCompleted Boolean | |
| ConvertedToNonIflip Boolean | |
| RequestDwmConfirm Boolean | |
| RequestDwmExit Boolean | |
| IndependentFlipCandidate Boolean | |
Event ID 502: FlipManagerTokenReleaseToFrameStart
Fields
| Name | Description |
|---|---|
| FlipManagerId UInt32 | |
| PresentId UInt64 | |
Event ID 503: FlipManagerTokenReleaseToFrameStop
Fields
| Name | Description |
|---|---|
| FlipManagerId UInt32 | |
| PresentId UInt64 | |
Event ID 504: FlipManagerSignalPresentRetired
Fields
| Name | Description |
|---|---|
| FlipManagerId UInt32 | |
| PresentId UInt64 | |
Event ID 505: FlipManagerPresentRetiredSignalOverride
Fields
| Name | Description |
|---|---|
| FlipManagerId UInt32 | |
| SignalValue UInt64 | |
| Skipped Boolean | |
| Status UInt32 | NTSTATUS reference |
Event ID 506: FlipManagerPresentPosted
Fields
| Name | Description |
|---|---|
| FlipManagerId UInt32 | |
| PresentId UInt64 | |
| PresentAtTimeHns UInt64 | |
| CurrentTimeHns UInt64 | |
| PresentAtTimeMinusCurrentTimeHns Int64 | |
Event ID 507: FlipManagerProducerSetContent
Fields
| Name | Description |
|---|---|
| FlipManagerId UInt32 | |
| ContentResource Pointer | |
| BufferResource Pointer | |
| BufferIndex UInt32 | |
Event ID 508: FlipManagerBufferAvailable
Fields
| Name | Description |
|---|---|
| FlipManagerId UInt32 | |
| BufferResource Pointer | |
| available Boolean | |
Event ID 509: FlipManagerAddBuffer
Fields
| Name | Description |
|---|---|
| FlipManagerId UInt32 | |
| BufferResource Pointer | |
| hVidMmGlobalAlloc Pointer | |
Event ID 510: FlipManagerRemoveBuffer
Fields
| Name | Description |
|---|---|
| FlipManagerId UInt32 | |
| BufferResource Pointer | |
Event ID 511: FlipManagerContentRebind
Fields
| Name | Description |
|---|---|
| Content Pointer | |
| LUID UInt64 | |
| BindId UInt64 | |
| Displayable Boolean | |
| BufferCount UInt32 | |
Event ID 512: FlipManagerPresentProcessed
Fields
| Name | Description |
|---|---|
| FlipManagerId UInt32 | |
| PresentId UInt64 | |
| FrameId UInt64 | |
| PresentAtTimeHns UInt64 | |
| FrameTimeHns UInt64 | |
| MaxAcceptableTargetTimeHns UInt64 | |
| PresentTimeMinusFrameTimeHns Int64 | |
Event ID 513: FlipManagerPresentDeferred
Fields
| Name | Description |
|---|---|
| FlipManagerId UInt32 | |
| PresentId UInt64 | |
| FrameId UInt64 | |
| PresentAtTimeHns UInt64 | |
| FrameTimeHns UInt64 | |
| MaxAcceptableTargetTimeHns UInt64 | |
| PresentTimeMinusFrameTimeHns Int64 | |
Event ID 514: FlipManagerPresentCanceled
Fields
| Name | Description |
|---|---|
| FlipManagerId UInt32 | |
| PresentId UInt64 | |
| FrameId UInt64 | |
| PresentAtTimeHns UInt64 | |
| FrameTimeHns UInt64 | |
| MaxAcceptableTargetTimeHns UInt64 | |
| PresentTimeMinusFrameTimeHns Int64 | |
Event ID 515: FlipManagerPresentIFlipSubmitted
Fields
| Name | Description |
|---|---|
| FlipManagerId UInt32 | |
| PresentId UInt64 | |
| WasCanceled Boolean | |
Event ID 516: FlipManagerPresentIFlipCompleted
Fields
| Name | Description |
|---|---|
| FlipManagerId UInt32 | |
| PresentId UInt64 | |
| Notify Boolean | |
| WasCanceled Boolean | |
| CompletedQpc UInt64 | |
| DurationQpc UInt64 | |
Event ID 517: FlipManagerPresentQueueDepth
Fields
| Name | Description |
|---|---|
| FlipManagerId UInt32 | |
| PresentQueueDepth UInt64 | |
Event ID 520: FlipManagerBindingStop
Event ID 521: FlipManagerAddContent
Fields
| Name | Description |
|---|---|
| FlipManagerId UInt32 | |
| ContentResource Pointer | |
Event ID 522: FlipManagerContentFlip
Fields
| Name | Description |
|---|---|
| ContentResource Pointer | |
| LUID UInt64 | |
| BindId UInt64 | |
| FlipIndex UInt32 | |
Event ID 530: FlipManagerCanceledPresentShown
Fields
| Name | Description |
|---|---|
| FlipManagerId UInt32 | |
| PresentId UInt64 | |
| Reason UInt32 | |
Event ID 531: FlipManagerUpdateExpectedConsumerPresentId
Fields
| Name | Description |
|---|---|
| FlipManagerId UInt32 | |
| PresentId UInt64 | |
| Reason UInt32 | |
Event ID 532: FlipManagerPresentSkipped
Fields
| Name | Description |
|---|---|
| FlipManagerId UInt32 | |
| PresentId UInt64 | |
| FrameId UInt64 | |
| PresentAtTimeHns UInt64 | |
| FrameTimeHns UInt64 | |
| MaxAcceptableTargetTimeHns UInt64 | |
| PresentTimeMinusFrameTimeHns Int64 | |
Event ID 533: FlipManagerRemoveContent
Fields
| Name | Description |
|---|---|
| FlipManagerId UInt32 | |
| ContentResource Pointer | |
Event ID 534: FlipManagerPresentIFlipPurgePreviousPresents
Fields
| Name | Description |
|---|---|
| FlipManagerId UInt32 | |
| PresentId UInt64 | |
Event ID 535: FlipManagerDiscardPresentAfterDestroy
Fields
| Name | Description |
|---|---|
| FlipManagerId UInt32 | |
| PresentId UInt64 | |
Event ID 536: FlipManagerWaitForFrameRenderingComplete
Fields
| Name | Description |
|---|---|
| FlipManagerId UInt32 | |
| PresentId UInt64 | |
| FrameId UInt64 | |
| Status UInt32 | NTSTATUS reference |
Event ID 537: FlipManagerWaitForFrameFlipAway
Fields
| Name | Description |
|---|---|
| FlipManagerId UInt32 | |
| adapterLuid UInt64 | |
| fenceValue UInt64 | |
| Status UInt32 | NTSTATUS reference |
Event ID 538: FlipManagerFlipAwayFenceCreate
Fields
| Name | Description |
|---|---|
| fenceId UInt64 | |
| displayAdapterLuid UInt64 | |
Event ID 539: FlipManagerFlipAwayFenceDestroy
Fields
| Name | Description |
|---|---|
| fenceId UInt64 | |
| displayAdapterLuid UInt64 | |
Event ID 1000: task_01000
Fields
| Name | Description |
|---|---|
| eventMin UInt32 | |
| eventMax UInt32 | |
| idEventProcess UInt32 | |
| idEventThread UInt32 | |
| Flags UInt32 | |
| HookInstance Pointer | |
Event ID 1001: RegisterRawInputDevices
Description
Fires when RegisterRawInputDevices is called. The Flags field indicates the registration mode; RIDEV_INPUTSINK (0x100) enables background capture. Captured via the AuditApiCalls ETW keyword (0x400) on the Microsoft-Windows-Win32k provider.
Fields
| Name | Description |
|---|---|
| ReturnValue UInt32 | Return value of RegisterRawInputDevices (1=success) |
| UsagePage UInt16 | HID usage page (1 = Generic Desktop) |
| Usage UInt16 | HID usage (2=Mouse, 6=Keyboard) |
| Flags UInt32 | Registration flags; RIDEV_INPUTSINK=0x100 indicates background input capture |
| hwndTarget Pointer | Target window handle (required when RIDEV_INPUTSINK is set) |
| ThreadStartAddress Pointer | |
| ThreadCreateTime FILETIME | |
| ThreadId UInt32 | |
| cWindows UInt32 | |
| cVisWindows UInt32 | |
| ThreadInfoFlags UInt64 | |
| ProcessId UInt32 | |
| ProcessCreateTime FILETIME | |
| ProcessStartKey UInt64 | |
| ThreadStartAddressMappedModuleName UnicodeString | Mapped module at the calling thread's start address |
| ThreadStartAddressQueryResult UInt32 | |
| ThreadStartAddressVadAllocationBase Pointer | |
| ThreadStartAddressVadAllocationProtect UInt32 | |
| ThreadStartAddressVadRegionType UInt32 | |
| ThreadStartAddressVadRegionSize Pointer | |
| ThreadStartAddressVadProtect UInt32 | |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Win32k",
    "guid": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}",
    "event_source_name": "",
    "event_id": 1001,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": "0x0000000000000400",
    "time_created": "2026-06-08T20:01:29.588+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}"
    },
    "execution": {
      "process_id": 6504,
      "thread_id": 556
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ReturnValue": 1,
    "UsagePage": 1,
    "Usage": 6,
    "Flags": 0,
    "hwndTarget": "0x0",
    "ThreadStartAddress": "0x7FF97E3DDCB0",
    "ThreadId": 556,
    "cWindows": 0,
    "cVisWindows": 0,
    "ThreadInfoFlags": 0,
    "ProcessId": 6504,
    "ThreadStartAddressMappedModuleName": "\\Device\\HarddiskVolume4\\Windows\\System32\\ntdll.dll",
    "ThreadStartAddressQueryResult": 0,
    "ThreadStartAddressVadAllocationBase": "0x7FF97E360000",
    "ThreadStartAddressVadAllocationProtect": 128,
    "ThreadStartAddressVadRegionType": 16777216,
    "ThreadStartAddressVadRegionSize": "0xF8000",
    "ThreadStartAddressVadProtect": 32
  },
  "message": ""
}
```
Event ID 1002: SetWindowsHookEx
Description
Fires when SetWindowsHookEx is called. FilterType carries the hook identifier; WH_KEYBOARD_LL (0xD) is the low-level keyboard hook used by keyloggers. pfnFilterProc is the callback address; unbacked or shellcode-range values indicate injection. Captured via the AuditApiCalls ETW keyword (0x400) on the Microsoft-Windows-Win32k provider.
Fields
| Name | Description |
|---|---|
| FilterType UInt32 | Windows hook type (WH_KEYBOARD_LL=0xD, WH_MOUSE_LL=0xE, WH_KEYBOARD=0x2). 0xFFFFFFFF seen for internal system hooks. |
| pstrLib UnicodeString | DLL path when hook is loaded from a remote DLL; NULL for in-process hooks |
| hmod Pointer | Module handle of the hook DLL (0x0 for in-process hooks) |
| pfnFilterProc Pointer | Address of the hook callback procedure; unbacked addresses indicate reflectively-loaded code |
| ReturnValue UInt32 | Hook handle returned by SetWindowsHookEx (HHOOK) |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Win32k",
    "guid": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}",
    "event_source_name": "",
    "event_id": 1002,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": "0x0000000000000400",
    "time_created": "2026-06-08T20:01:29.617+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}"
    },
    "execution": {
      "process_id": 6504,
      "thread_id": 556
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "FilterType": 13,
    "pstrLib": "NULL",
    "hmod": "0x0",
    "pfnFilterProc": "0x1EC341D6C0C",
    "ReturnValue": 3408085
  },
  "message": ""
}
```
Event ID 1003: GetAsyncKeyState
Description
Fires when a background process calls GetAsyncKeyState while another process holds the foreground. BackgroundCallCount accumulates calls since the last key event; MsSinceLastKeyEvent is the interval since the previous key press. Captured via the AuditApiCalls ETW keyword (0x400) on the Microsoft-Windows-Win32k provider. Requires an interactive desktop session with active keyboard input.
Fields
| Name | Description |
|---|---|
| PID UInt32 | Process ID of the background caller polling keyboard state |
| MsSinceLastKeyEvent UInt32 | Milliseconds elapsed since the last key press event in the session |
| BackgroundCallCount UInt32 | Number of GetAsyncKeyState calls made by this background process since the last key event |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Win32k",
    "guid": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}",
    "event_source_name": "",
    "event_id": 1003,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": "0x0000000000000400",
    "time_created": "2026-06-08T21:12:41.337+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}"
    },
    "execution": {
      "process_id": 808,
      "thread_id": 928
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "PID": 11716,
    "MsSinceLastKeyEvent": 0,
    "BackgroundCallCount": 2
  },
  "message": ""
}
```
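A triage pass over events 1001, 1002 and 1003 as their descriptions above read, added here as an example and not part of the provider documentation. It assumes events decoded into this page's JSON shape; the threshold `POLL_EVENTS_PER_PID`, treating `execution.process_id` as the caller for event 1002, and reading `ThreadStartAddressVadRegionType` as the Windows `MEM_*` region-type constants are assumptions, and the sample events are constructed.

```python
RIDEV_INPUTSINK = 0x100      # background capture flag, from the event 1001 description
MEM_IMAGE = 0x1000000        # Windows region type for image-backed memory (assumed encoding)
HOOKS = {0x2: "WH_KEYBOARD", 0xD: "WH_KEYBOARD_LL", 0xE: "WH_MOUSE_LL"}
POLL_EVENTS_PER_PID = 3      # assumed threshold, tune per environment

def triage(events):
    """Return (pid, finding) tuples for input-capture indicators."""
    findings, polls = [], {}
    for ev in events:
        eid, d = ev["system"]["event_id"], ev["event_data"]
        if eid == 1001 and d["ReturnValue"] == 1:
            keyboard = d["UsagePage"] == 1 and d["Usage"] == 6
            if keyboard and d["Flags"] & RIDEV_INPUTSINK:
                findings.append((d["ProcessId"],
                                 "raw keyboard input registered with RIDEV_INPUTSINK"))
            if d["ThreadStartAddressVadRegionType"] != MEM_IMAGE:
                findings.append((d["ProcessId"],
                                 "caller thread start address not image-backed"))
        elif eid == 1002 and d["FilterType"] in HOOKS:
            # Event 1002 carries no PID field; the emitting process is assumed
            # to be the caller. Callback backing needs a module map to resolve.
            pid = ev["system"]["execution"]["process_id"]
            scope = "in-process" if int(d["hmod"], 16) == 0 else d["pstrLib"]
            findings.append((pid, f"{HOOKS[d['FilterType']]} hook, {scope}, "
                                  f"callback {d['pfnFilterProc']}"))
        elif eid == 1003:
            # event_data.PID is the polling process; execution.process_id is not.
            polls[d["PID"]] = polls.get(d["PID"], 0) + 1
    for pid, n in polls.items():
        if n >= POLL_EVENTS_PER_PID:
            findings.append((pid, f"GetAsyncKeyState polled in background ({n} events)"))
    return findings

def ev(eid, pid, **data):    # builds constructed sample events in this page's shape
    return {"system": {"event_id": eid, "execution": {"process_id": pid}},
            "event_data": data}

SAMPLE = [
    ev(1001, 6504, ReturnValue=1, UsagePage=1, Usage=6, Flags=0, ProcessId=6504,
       ThreadStartAddressVadRegionType=16777216),
    ev(1001, 4242, ReturnValue=1, UsagePage=1, Usage=6, Flags=0x100, ProcessId=4242,
       ThreadStartAddressVadRegionType=0x20000),
    ev(1002, 6504, FilterType=13, pstrLib="NULL", hmod="0x0",
       pfnFilterProc="0x1EC341D6C0C"),
] + [ev(1003, 808, PID=11716, MsSinceLastKeyEvent=0, BackgroundCallCount=2)] * 3

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A low-level keyboard hook or a raw-input registration is also made by legitimate software such as accessibility tools and hotkey managers, so these findings are leads to correlate with process identity rather than verdicts.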
Event ID 2000: task_02000
Fields
| Name | Description |
|---|---|
| Flags UInt32 | |
| ProcessId UInt32 | |
| ProcessCreateTime FILETIME | |
| ProcessStartKey UInt64 | |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Win32k",
    "guid": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}",
    "event_source_name": "",
    "event_id": 2000,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": "0x0000004000000000",
    "time_created": "2026-06-02T05:32:25.771+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{8C416C79-D49B-4F01-A467-E56D3AA8234C}"
    },
    "execution": {
      "process_id": 14592,
      "thread_id": 10500
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Flags": 26,
    "ProcessCreateTime": "2026-06-02 05:32:25.725Z",
    "ProcessId": 14592,
    "ProcessStartKey": 6755399441100732
  },
  "message": ""
}
```
Event ID 10002: WindowLayoutChangeStop
Fields
| Name | Description |
|---|---|
| hWnd UInt32 | |
| Packed_High_Height_Low_Width UInt32 | |
| PRAID UnicodeString | |
| PackageFullName UnicodeString | |
Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID {8C416C79-D49B-4F01-A467-E56D3AA8234C}
Defined in win32kbase.sys, the binary that emits these events.
Observed on:
- WS2022-20348.4893, sample captured from a live trace, binary version 10.0.20348.4893, captured 2026-06-02
- Win11-26200.6584, sample captured from a live trace, binary version 10.0.26100.1000, captured 2026-06-02
- WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.4893, captured 2026-06-02
- Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.1000, captured 2026-06-02