Microsoft-Windows-Wininit
61 events across 4 channels
Event ID 1: WaitForWinstationShutdownStart
Event ID 2: WaitForWinstationShutdownStop
Event ID 3: PreShutdownNotificationStart
Event ID 4: PreShutdownNotificationStop
Event ID 5: WaitForSystemProcessesStart
Event ID 6: WaitForSystemProcessesStop
Event ID 7: ShutdownSystemRestoreStart
Event ID 8: ShutdownSystemRestoreStop
Event ID 11: Custom dynamic link libraries are being loaded for every application.
Description
Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications. Please visit http://support.microsoft.com/kb/197571 for more information.
Fields
| Name | Type | Description |
|---|---|---|
| StringCount | UInt32 | |
| String | UnicodeString | |
Event ID 12: LSASS.
Description
LSASS.exe was started as a protected process with level: .
Fields
| Name | Type | Description |
|---|---|---|
| Level | | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Wininit",
"guid": "{206F6DEA-D3C5-4D10-BC72-989F03C8B84B}",
"event_source_name": "",
"event_id": 12,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2026-06-13T13:53:45.1729140+00:00",
"event_record_id": 2662,
"correlation": {},
"execution": {
"process_id": 792,
"thread_id": 796
},
"channel": "System",
"computer": "telemetry-W11-d.cell-d.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Level": "4"
},
"message": "LSASS.exe was started as a protected process with level: 4."
}
Event ID 13: Credential Guard was started and will protect LSA credentials.
Description
Credential Guard was started and will protect LSA credentials.
Example Event
{
"system": {
"provider": "Microsoft-Windows-Wininit",
"guid": "206F6DEA-D3C5-4D10-BC72-989F03C8B84B",
"event_source_name": "",
"event_id": 13,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2026-03-11T06:27:21.619522+00:00",
"event_record_id": 2749,
"correlation": {},
"execution": {
"process_id": 928,
"thread_id": 932
},
"channel": "System",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
Event ID 14: Credential Guard configuration: 0, 0
Description
Credential Guard configuration.
Fields
| Name | Type | Description |
|---|---|---|
| Config | UInt32 | |
| IsTestConfig | UInt32 | |
| IsAutoEnabled | UInt32 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Wininit",
"guid": "{206F6DEA-D3C5-4D10-BC72-989F03C8B84B}",
"event_source_name": "",
"event_id": 14,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2026-05-29T16:32:50.1627758+00:00",
"event_record_id": 6692,
"correlation": {},
"execution": {
"process_id": 660,
"thread_id": 664
},
"channel": "System",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Config": "0",
"IsTestConfig": "0"
},
"message": "Credential Guard configuration: 0x0, 0"
}
Event ID 15: Credential Guard and/or VBS Key Isolation are configured but the secure kernel is not running; continuing without them.
Description
Credential Guard and/or VBS Key Isolation are configured but the secure kernel is not running; continuing without them.
Example Event
{
"system": {
"provider": "Microsoft-Windows-Wininit",
"guid": "{206F6DEA-D3C5-4D10-BC72-989F03C8B84B}",
"event_source_name": "",
"event_id": 15,
"version": 0,
"level": 3,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2026-05-27T21:58:49.7100955+00:00",
"event_record_id": 1201,
"correlation": {},
"execution": {
"process_id": 748,
"thread_id": 752
},
"channel": "System",
"computer": "telemetry-W11-d.cell-d.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": "Credential Guard and/or VBS Key Isolation are configured but the secure kernel is not running; continuing without them."
}
Event ID 16: LsaIso.
Event ID 17: Error reading Credential Guard.
Event ID 18: Key Guard was started and will protect VSM-isolated keys.
Description
VBS Key Isolation was started and will protect VSM-isolated keys.
Example Event
{
"system": {
"provider": "Microsoft-Windows-Wininit",
"guid": "206F6DEA-D3C5-4D10-BC72-989F03C8B84B",
"event_source_name": "",
"event_id": 18,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2026-03-11T06:27:21.619506+00:00",
"event_record_id": 2748,
"correlation": {},
"execution": {
"process_id": 928,
"thread_id": 932
},
"channel": "System",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
Event ID 19: Virtualization Based Security new timer creation status.
Description
Virtualization Based Security new timer creation status.
Fields
| Name | Type | Description |
|---|---|---|
| HRESULT | Int32 | |
| NewLatchTimerNeeded | Boolean | |
| NewLatchTimerWaitingSystemUpdateCompletion | Boolean | |
| PreviousLatchTimerExistsButDisabled | Boolean | |
| PolicyFileExists | Boolean | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Wininit",
"guid": "{206f6dea-d3c5-4d10-bc72-989f03c8b84b}",
"event_source_name": "",
"event_id": 19,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2026-04-18 00:24:11.444918+00:00",
"event_record_id": 38,
"correlation": {
"ActivityID": "",
"RelatedActivityID": ""
},
"execution": {
"process_id": 688,
"thread_id": 692
},
"channel": "System",
"computer": "USERUSE-I0E7KUG",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"HRESULT": "0",
"NewLatchTimerNeeded": "False",
"NewLatchTimerWaitingSystemUpdateCompletion": "False",
"PreviousLatchTimerExistsButDisabled": "False",
"PolicyFileExists": "False"
},
"message": "Virtualization Based Security new timer creation status\r\n\r\nHRESULT: The operation completed successfully.\r\nNew latch timer needed: false\r\nNew latch timer waiting for system update completion: false\r\nPrevious latch timer exists but disabled by registry: false\r\nPolicy file exists: false\r\n"
}
Event ID 20: Virtualization Based Security master key timer start status.
Event ID 21: Virtualization Based Security previous timer resume status.
Description
Virtualization Based Security previous timer resume status.
Fields
| Name | Type | Description |
|---|---|---|
| HRESULT | Int32 | |
| PreviousTimerPresent | Boolean | |
| ftStartTime | FILETIME | |
| ullDelay | UInt64 | |
| PolicyVersion | UInt64 | |
| fAttemptedRecoveryIncrementCounterSucceeded | Boolean | |
| fPreviousLatchTimerInvalid | Boolean | |
| fPolicyFileExists | Boolean | |
Event ID 22: Virtualization Based Security latch policy status.
Event ID 23: Boot App Anti-Rollback: Initialize Completed with status.
Description
Boot App Anti-Rollback: Initialize Completed with status.
Fields
| Name | Type | Description |
|---|---|---|
| HRESULT | Int32 | |
| NewTimerNeeded | Boolean | |
| NewTimerWaitingUpdateCompletion | Boolean | |
| PreviousTimerExistsButDisabled | Boolean | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Wininit",
"guid": "{206f6dea-d3c5-4d10-bc72-989f03c8b84b}",
"event_source_name": "",
"event_id": 23,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2026-04-18 00:24:11.445660+00:00",
"event_record_id": 40,
"correlation": {
"ActivityID": "",
"RelatedActivityID": ""
},
"execution": {
"process_id": 688,
"thread_id": 692
},
"channel": "System",
"computer": "USERUSE-I0E7KUG",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"HRESULT": "0",
"NewTimerNeeded": "False",
"NewTimerWaitingUpdateCompletion": "False",
"PreviousTimerExistsButDisabled": "False"
},
"message": "Boot App Anti-Rollback: Initialize Completed with status:\r\nHRESULT: The operation completed successfully.\r\nNew timer needed: false\r\nNew timer waiting for system update completion: false\r\nPrevious latch timer exists but disabled by registry: false\r\n"
}
Event ID 24: Boot App Anti-Rollback: Timer start completed with status.
Event ID 25: Boot App Anti-Rollback: Previous timer resumed with status.
Description
Boot App Anti-Rollback: Previous timer resumed with status.
Fields
| Name | Type | Description |
|---|---|---|
| HRESULT | Int32 | |
| PreviousTimerExists | Boolean | |
| PreviousTimerStartTime | FILETIME | |
| GracePeriod | UInt64 | |
| AttemptedRecoveryEnforcementSucceeded | Boolean | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Wininit",
"guid": "{206f6dea-d3c5-4d10-bc72-989f03c8b84b}",
"event_source_name": "",
"event_id": 25,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2026-04-18 00:24:11.444954+00:00",
"event_record_id": 39,
"correlation": {
"ActivityID": "",
"RelatedActivityID": ""
},
"execution": {
"process_id": 688,
"thread_id": 692
},
"channel": "System",
"computer": "USERUSE-I0E7KUG",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"HRESULT": "0",
"PreviousTimerExists": "False",
"PreviousTimerStartTime": "0001-01-01 00:00:00",
"GracePeriod": "0",
"AttemptedRecoveryEnforcementSucceeded": "False"
},
"message": "Boot App Anti-Rollback: Previous timer resumed with status:\r\n\r\nHRESULT: The operation completed successfully.\r\nPrevious timer present: false\r\nStart time: ?1601?-?01?-?01T00:00:00.000000000Z\r\nGrace period: 0\r\nAttempted recovery enforcement succeeded: false\r\n"
}
Event ID 26: Boot App Anti-Rollback: Boot.
Event ID 51: NtShutdownSystem
Event ID 55: ReceivedShutdownRequest
Fields
| Name | Type | Description |
|---|---|---|
| SessionId | UInt32 | |
| IsRemote | UInt32 | |
| GracePeriod | UInt32 | |
| Flags | UInt32 | |
| Reason | UInt32 | |
| Message | UnicodeString | |
Event ID 100: Hybrid shutdown has been overridden by a disk check request.
Description
Hybrid shutdown has been overridden by a disk check request. The system will perform a full shutdown instead.
Event ID 1001
Event ID 1015: A critical system process, Data_0, failed with status code
Fields
| Name | Type | Description |
|---|---|---|
| Data_0 | | |
| Data_1 | | |
| Binary | | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Wininit",
"guid": "{206f6dea-d3c5-4d10-bc72-989f03c8b84b}",
"event_source_name": "Wininit",
"event_id": 1015,
"version": 0,
"level": 2,
"task": 0,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2026-03-13T19:07:39.959249+00:00",
"event_record_id": 3508,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Application",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": "C:\\Windows\\system32\\lsass.exe",
"Data_1": "c0000005",
"Binary": ""
},
"message": ""
}
Event ID 1015: A critical system process, %1, failed with status code
Example Event
{
"system": {
"provider": "Microsoft-Windows-Wininit",
"event_id": 1015,
"level": 2,
"task": 0,
"opcode": 0,
"time_created": "2026-03-13T19:07:39.9592493+00:00",
"computer": "JD-DC01-2022.ludus.domain",
"channel": "Application"
},
"event_data": {}
}
Event ID 3002: Windows start-up process has unexpectedly terminated
Event ID 3003: Windows start-up process has failed to start the remote shutdown server
Event ID 3004: Windows start-up process has failed to synchronize with the local security subsystem during setup
Event ID 3005: Windows start-up process has failed to terminate system processes
Event ID 3006: Windows shudown failed with error code %1 in phase:
Event ID 6002: PerfTrackFullShutdown_V1
Fields
| Name | Type | Description |
|---|---|---|
| ShutdownFlags | UInt32 | |
| SystemShutdownDuration | UInt64 | |
| SkuHasLogoff | UInt32 | |
Event ID 2147486651: Windows start-up process has failed to start the remote shutdown server.
Description
Windows start-up process has failed to start the remote shutdown server.
Event ID 2147486652: Windows start-up process has failed to synchronize with the local security subsystem during setup.
Description
Windows start-up process has failed to synchronize with the local security subsystem during setup.
Event ID 3221226487: A critical system process, %1, failed with status code %2.
Description
A critical system process, , failed with status code . The machine must now be restarted.
Example Event
{
"system": {
"provider": "Microsoft-Windows-Wininit",
"event_id": 1015,
"level": 2,
"task": 0,
"opcode": 0,
"time_created": "2026-03-13T19:07:39.9592493+00:00",
"computer": "JD-DC01-2022.ludus.domain",
"channel": "Application"
},
"event_data": {}
}
Event ID 3221228474: Windows start-up process has unexpectedly terminated.
Description
Windows start-up process has unexpectedly terminated.
Event ID 3221228477: Windows start-up process has failed to terminate system processes.
Description
Windows start-up process has failed to terminate system processes.
Event ID 3221228478: Windows shudown failed with error code %1 in phase: %2.
Description
Windows shudown failed with error code in phase: .
Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID 206f6dea-d3c5-4d10-bc72-989f03c8b84b
Defined in wininit.exe, which carries the event manifest.
Observed on:
- WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.3932, captured 2026-06-02
- Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.4652, captured 2026-06-02