Thread Pool
17 events across 1 channel
| Event | Title | Channel | Sample |
|---|---|---|---|
| 32 | ThreadPool | ETW Trace | Y |
| 33 | ThreadPool | ETW Trace | Y |
| 34 | ThreadPool | ETW Trace | Y |
| 35 | ThreadPool | ETW Trace | Y |
| 36 | TPCBCancel | ETW Trace | N |
| 37 | TP_V2_PoolCreateClose | ETW Trace | N |
| 38 | TP_V2_PoolCreateClose | ETW Trace | N |
| 39 | TP_V2_ThreadSet | ETW Trace | N |
| 40 | TP_V2_ThreadSet | ETW Trace | N |
| 41 | TP_V2_WTNodeSwitch | ETW Trace | N |
| 42 | TP_V2_TimerSet | ETW Trace | N |
| 43 | TP_V2_TimerCancelled | ETW Trace | N |
| 44 | TP_V2_TimerSetNtTimer | ETW Trace | N |
| 45 | TP_V2_TimerExpirationGroup | ETW Trace | N |
| 46 | TP_V2_TimerExpirationGroup | ETW Trace | N |
| 47 | TP_V2_TimerExpirationGroup | ETW Trace | N |
| 48 | TP_V2_TimerExpiration | ETW Trace | N |
Event ID 32: ThreadPool
Fields
| Name | Description |
|---|---|
| PoolId mof:UInt32 | |
| TaskId mof:UInt32 | |
| CallbackFunction mof:UInt32 | |
| CallbackContext mof:UInt32 | |
| SubProcessTag mof:UInt32 | |
Example Event
```json
{
  "system": {
    "provider": "Thread Pool",
    "guid": "{C861D0E2-A2C1-4D36-9F9C-970BAB943A12}",
    "event_source_name": "",
    "event_id": 32,
    "version": 2,
    "level": 0,
    "task": 0,
    "opcode": 32,
    "keywords": "",
    "time_created": "2026-06-02T04:02:05.309+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 3756,
      "thread_id": 7996
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "CallbackContext": "0x1FEAC907ED0",
    "CallbackFunction": "0x7FFD14FA0A10",
    "PoolId": "0x1FEAC103280",
    "SubProcessTag": "0xFB",
    "TaskId": "0x1FEAC8ED898"
  },
  "message": "ThreadPool"
}
```
Event ID 33: ThreadPool
Fields
| Name | Description |
|---|---|
| PoolId mof:UInt32 | |
| TaskId mof:UInt32 | |
| CallbackFunction mof:UInt32 | |
| CallbackContext mof:UInt32 | |
| SubProcessTag mof:UInt32 | |
Example Event
```json
{
  "system": {
    "provider": "Thread Pool",
    "guid": "{C861D0E2-A2C1-4D36-9F9C-970BAB943A12}",
    "event_source_name": "",
    "event_id": 33,
    "version": 3,
    "level": 0,
    "task": 0,
    "opcode": 33,
    "keywords": "",
    "time_created": "2026-06-02T04:02:05.309+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 3756,
      "thread_id": 10144
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "CallbackContext": "0x1FEAC907ED0",
    "CallbackFunction": "0x7FFD14FA0A10",
    "PoolId": "0x1FEAC103280",
    "SubProcessTag": "0xFB",
    "TaskId": "0x1FEAC8ED898"
  },
  "message": "ThreadPool"
}
```
Event ID 34: ThreadPool
Fields
| Name | Description |
|---|---|
| PoolId mof:UInt32 | |
| TaskId mof:UInt32 | |
| CallbackFunction mof:UInt32 | |
| CallbackContext mof:UInt32 | |
| SubProcessTag mof:UInt32 | |
Example Event
```json
{
  "system": {
    "provider": "Thread Pool",
    "guid": "{C861D0E2-A2C1-4D36-9F9C-970BAB943A12}",
    "event_source_name": "",
    "event_id": 34,
    "version": 2,
    "level": 0,
    "task": 0,
    "opcode": 34,
    "keywords": "",
    "time_created": "2026-06-02T04:02:05.303+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 944,
      "thread_id": 11520
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "CallbackContext": "0x34",
    "CallbackFunction": "0x7FFD282E51D0",
    "PoolId": "0x21546103280",
    "SubProcessTag": "0x0",
    "TaskId": "0x21546103BF8"
  },
  "message": "ThreadPool"
}
```
Event ID 35: ThreadPool
Fields
| Name | Description |
|---|---|
| PoolId mof:UInt32 | |
| TaskId mof:UInt32 | |
| CallbackFunction mof:UInt32 | |
| CallbackContext mof:UInt32 | |
| SubProcessTag mof:UInt32 | |
Example Event
```json
{
  "system": {
    "provider": "Thread Pool",
    "guid": "{C861D0E2-A2C1-4D36-9F9C-970BAB943A12}",
    "event_source_name": "",
    "event_id": 35,
    "version": 3,
    "level": 0,
    "task": 0,
    "opcode": 35,
    "keywords": "",
    "time_created": "2026-06-02T04:02:05.303+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 944,
      "thread_id": 11520
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "CallbackContext": "0x34",
    "CallbackFunction": "0x7FFD282E51D0",
    "PoolId": "0x21546103280",
    "SubProcessTag": "0x0",
    "TaskId": "0x21546103BF8"
  },
  "message": "ThreadPool"
}
```
Event ID 36: TPCBCancel
Fields
| Name | Description |
|---|---|
| PoolId mof:UInt32 | |
| TaskId mof:UInt32 | |
| CallbackFunction mof:UInt32 | |
| CallbackContext mof:UInt32 | |
| SubProcessTag mof:UInt32 | |
| CancelCount mof:UInt32 | |
Event ID 41: TP_V2_WTNodeSwitch
Fields
| Name | Description |
|---|---|
| PoolId mof:UInt32 | |
| CurrentNode mof:UInt32 | |
| NextNode mof:UInt32 | |
| CurrentGroup mof:UInt16 | |
| NextGroup mof:UInt16 | |
| CurrentWorkerCount mof:UInt32 | |
| NextWorkerCount mof:UInt32 | |
Event ID 42: TP_V2_TimerSet
Fields
| Name | Description |
|---|---|
| DueTime mof:UInt64 | |
| SubQueue mof:UInt32 | |
| Timer mof:UInt32 | |
| Period mof:UInt32 | |
| WindowLength mof:UInt32 | |
| Absolute mof:UInt32 | |
Event ID 44: TP_V2_TimerSetNtTimer
Fields
| Name | Description |
|---|---|
| DueTime mof:UInt64 | |
| SubQueue mof:UInt32 | |
| TolerableDelay mof:UInt32 | |
Event ID 48: TP_V2_TimerExpiration
Fields
| Name | Description |
|---|---|
| DueTime mof:UInt64 | |
| SubQueue mof:UInt32 | |
| Timer mof:UInt32 | |
| Period mof:UInt32 | |
| WindowLength mof:UInt32 | |
Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID {C861D0E2-A2C1-4D36-9F9C-970BAB943A12}
Observed on:
- WS2025-26100.0, schema read from the WMI MOF class, captured 2026-02-26
  Taken from Windows installation media (build 26100.1), not a patched system, so the exact update level is unknown.
- Win11-26200.6584, sample captured from a live trace, captured 2026-06-02
- WS2022-20348.4893, schema read from the WMI MOF class, captured 2026-06-02
  MOF class: ThreadPool
- Win11-26200.6584, schema read from the WMI MOF class, captured 2026-06-02
  MOF class: ThreadPool