# Microsoft-Windows-Winsrv
13 events across 2 channels
| Event | Title | Channel | Sample |
|---|---|---|---|
| 10001 | The following application attempted to veto the shutdown: VetoAppEvent.AppName. | Application | Y |
| 10002 | The following application was terminated because it was hung: ServerManager. | Application | Y |
| 12001 | ThreadShutdownStart_V1 | Analytic | N |
| 12002 | ThreadShutdownStop_V1 | Analytic | N |
| 12003 | ThreadShutdown_SentMessage_V1 | Analytic | N |
| 12005 | TerminateProcessStart_V1 | Analytic | N |
| 12006 | TerminateProcessStop_V1 | Analytic | N |
| 12007 | WaitForProcessStart_V1 | Analytic | N |
| 12008 | WaitForProcessStop_V1 | Analytic | N |
| 12009 | ShutdownProcessStart_V1 | Analytic | N |
| 12010 | ShutdownProcessStop_V1 | Analytic | N |
| 12011 | NotificationEventStart_V1 | Analytic | N |
| 12012 | NotificationEventStop_V1 | Analytic | N |
## Event ID 10001: The following application attempted to veto the shutdown: VetoAppEvent.AppName.

### Description

The following application attempted to veto the shutdown: VetoAppEvent.AppName.

### Fields

| Name | Type | Description |
|---|---|---|
| AppName | UnicodeString | |
| ResponseTime | UInt32 | |

### Example Event

```json
{
  "system": {
    "provider": "Microsoft-Windows-Winsrv",
    "guid": "9D55B53D-449B-4824-A637-24F9D69AA02F",
    "event_source_name": "",
    "event_id": 10001,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-14T21:57:27.378644+00:00",
    "event_record_id": 5369,
    "correlation": {},
    "execution": {
      "process_id": 788,
      "thread_id": 4912
    },
    "channel": "Application",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "user_data": {
    "VetoAppEvent": {
      "AppName": "WINWORD.EXE",
      "ResponseTime": 141
    }
  },
  "message": ""
}
```
## Event ID 10002: The following application was terminated because it was hung: ServerManager.

### Description

The following application was terminated because it was hung: .

### Fields

| Name | Type | Description |
|---|---|---|
| AppName | | |

### Example Event

```json
{
  "system": {
    "provider": "Microsoft-Windows-Winsrv",
    "guid": "9D55B53D-449B-4824-A637-24F9D69AA02F",
    "event_source_name": "",
    "event_id": 10002,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2022-03-04T12:03:13.945898+00:00",
    "event_record_id": 68,
    "correlation": {},
    "execution": {
      "process_id": 464,
      "thread_id": 3484
    },
    "channel": "Application",
    "computer": "WIN-TKC15D7KHUR",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "user_data": {
    "HungAppEvent": {
      "AppName": "ServerManager.exe"
    }
  },
  "message": "The following application was terminated because it was hung: ServerManager.exe."
}
```

### References

- Example event sourced from https://github.com/NextronSystems/evtx-baseline
## Event ID 12001: ThreadShutdownStart_V1

### Fields

| Name | Type | Description |
|---|---|---|
| ThreadId | UInt32 | |
| Flags | UInt32 | |
| ProcessId | UInt32 | |

## Event ID 12003: ThreadShutdown_SentMessage_V1

### Fields

| Name | Type | Description |
|---|---|---|
| MessageId | UInt32 | |
| Flags | UInt32 | |
| ThreadId | UInt32 | |

## Event ID 12006: TerminateProcessStop_V1

### Fields

| Name | Type | Description |
|---|---|---|
| ProcessId | UInt32 | |
| TerminateStatus | UInt32 | |

## Event ID 12010: ShutdownProcessStop_V1

### Fields

| Name | Type | Description |
|---|---|---|
| ProcessId | UInt32 | |
| Status | UInt32 | NTSTATUS reference |
## Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID 9d55b53d-449b-4824-a637-24f9d69aa02f
Defined in winsrv.dll, which carries the event manifest.
Observed on:
- WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.1, captured 2026-06-02
- Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.1, captured 2026-06-02