Windows Kernel Trace

141 events across 1 channel

Event	Title	Channel	Sample
0	FileIo_Name	ETW Trace	N
1	Thread_TypeGroup1	ETW Trace	N
2	Thread_TypeGroup1	ETW Trace	N
3	Thread_TypeGroup1	ETW Trace	N
4	Thread_TypeGroup1	ETW Trace	N
5	Header_Extension_TypeGroup	ETW Trace	N
8	RDComplete	ETW Trace	N
10	SystemConfig_V3_CPU	ETW Trace	N
11	DiskIo_TypeGroup1	ETW Trace	N
12	DiskIo_TypeGroup2	ETW Trace	N
13	DiskIo_TypeGroup2	ETW Trace	N
14	DiskIo_TypeGroup3	ETW Trace	N
15	SystemConfig_V3_Services	ETW Trace	N
16	Registry_TypeGroup1	ETW Trace	N
17	UdpIp_Fail	ETW Trace	N
18	Registry_TypeGroup1	ETW Trace	N
19	Registry_TypeGroup1	ETW Trace	N
20	Registry_TypeGroup1	ETW Trace	N
21	SystemConfig_V3_IRQ	ETW Trace	N
22	SystemConfig_PnP	ETW Trace	N
23	Registry_TypeGroup1	ETW Trace	N
24	Registry_TypeGroup1	ETW Trace	N
25	Registry_TypeGroup1	ETW Trace	N
26	UdpIp_TypeGroup2	ETW Trace	N
27	UdpIp_TypeGroup2	ETW Trace	N
28	Registry_TypeGroup1	ETW Trace	N
29	Registry_TypeGroup1	ETW Trace	N
30	Registry_TxR	ETW Trace	N
31	Registry_TxR	ETW Trace	N
32	SystemConfig_V4_MobilePlatform	ETW Trace	N
33	ObHandleEvent	ETW Trace	N
34	ObHandleDuplicateEvent	ETW Trace	N
35	FileIo_Name	ETW Trace	N
36	CSwitch_V4	ETW Trace	N
37	FileIo_V2_MapFile	ETW Trace	N
38	FileIo_V2_MapFile	ETW Trace	N
39	Process_Defunct_TypeGroup1	ETW Trace	N
40	FileIo_V2_MapFile	ETW Trace	N
41	SpinLock	ETW Trace	N
42	PoolSnapshot	ETW Trace	N
43	PoolSnapshot	ETW Trace	N
44	PoolSnapshot	ETW Trace	N
45	PoolSnapshot	ETW Trace	N
46	SampledProfile	ETW Trace	N
47	PmcCounterProfile	ETW Trace	N
48	ThreadPriority	ETW Trace	N
49	ThreadPriority	ETW Trace	N
50	ObReferenceEvent	ETW Trace	N
51	ThreadPriority	ETW Trace	N
52	ThreadPriority	ETW Trace	N
53	ThreadAffinity	ETW Trace	N
55	DiskIo_TypeGroup1	ETW Trace	N
56	DiskIo_TypeGroup1	ETW Trace	N
57	DiskIo_TypeGroup3	ETW Trace	N
58	DiskIo_TypeGroup2	ETW Trace	N
59	DiskIo_TypeGroup2	ETW Trace	N
60	DiskIo_TypeGroup2	ETW Trace	N
61	ThreadMigration	ETW Trace	N
62	KernelQueueEnqueue	ETW Trace	N
63	KernelQueueDequeue	ETW Trace	N
64	FileIo_Create	ETW Trace	N
65	FileIo_SimpleOp	ETW Trace	N
66	FileIo_SimpleOp	ETW Trace	N
67	FileIo_ReadWrite	ETW Trace	N
68	FileIo_ReadWrite	ETW Trace	N
69	FileIo_Info	ETW Trace	N
70	FileIo_Info	ETW Trace	N
71	FileIo_Info	ETW Trace	N
72	FileIo_DirEnum	ETW Trace	N
73	SampledProfileInterval_V3	ETW Trace	N
74	SampledProfileInterval_V3	ETW Trace	N
75	SpinLockConfig_V3	ETW Trace	N
76	SpinLockConfig_V3	ETW Trace	N
77	FileIo_DirEnum	ETW Trace	N
79	FileIo_PathOperation	ETW Trace	N
80	FileIo_PathOperation	ETW Trace	N
81	FileIo_PathOperation	ETW Trace	N
82	Header_LastDroppedTimes_TypeGroup	ETW Trace	N
83	Process_V2_TypeGroup4	ETW Trace	N
84	Process_V2_TypeGroup4	ETW Trace	N
92	ISR_Unexpected	ETW Trace	N
93	IoTimerEvent	ETW Trace	N
94	IoTimerEvent	ETW Trace	N
95	ISR	ETW Trace	N
96	FltIoInit	ETW Trace	N
97	FltIoInit	ETW Trace	N
98	FltIoCompletion	ETW Trace	N
99	FltIoCompletion	ETW Trace	N
100	PageFault_HeapRangeRundown	ETW Trace	N
101	FltIoFailure	ETW Trace	N
102	PageFault_HeapRangeTypeGroup	ETW Trace	N
103	PageFault_HeapRangeTypeGroup	ETW Trace	N
104	PageFault_HeapRangeDestroy	ETW Trace	N
105	PageFault_ImageLoadBacked	ETW Trace	N
106	CancelKTimer2	ETW Trace	N
107	DisableKTimer2	ETW Trace	N
108	FinalizeKTimer2	ETW Trace	N
114	HV_Hypercall	ETW Trace	N
122	ContextRegistersAMD64	ETW Trace	N
123	ContextRegistersARM64	ETW Trace	N
127	PageFault_VirtualRotate	ETW Trace	N
128	PageFault_VirtualAllocRundown	ETW Trace	N
129	PageFault_VirtualAllocRundown	ETW Trace	N
130	LoaderBasicEvent	ETW Trace	N
131	LoaderBasicEvent	ETW Trace	N
132	LoaderBasicEvent	ETW Trace	N
133	LoaderBasicEvent	ETW Trace	N
134	PageFault_MemReset	ETW Trace	N
135	LoaderBasicEvent	ETW Trace	N
144	LoaderBaseEvent	ETW Trace	N
145	LoaderBaseEvent	ETW Trace	N
146	LoaderBaseEvent	ETW Trace	N
147	LoaderBaseEvent	ETW Trace	N
148	LoaderBaseEvent	ETW Trace	N
149	LoaderBaseEvent	ETW Trace	N
150	LoaderBaseEvent	ETW Trace	N
160	LoaderCodedEvent	ETW Trace	N
161	LoaderCodedEvent	ETW Trace	N
162	LoaderCodedEvent	ETW Trace	N
163	LoaderCodedEvent	ETW Trace	N
164	LoaderCodedEvent	ETW Trace	N
165	LoaderCodedEventStatus	ETW Trace	N
166	LoaderCodedEventStatus	ETW Trace	N
167	LoaderCodedEventStatus	ETW Trace	N
168	LoaderCodedEventStatus	ETW Trace	N
169	LoaderCodedEventStatus	ETW Trace	N
170	LoaderCodedEventStatus	ETW Trace	N
171	LoaderCodedEventStatus	ETW Trace	N
172	LoaderCodedEventStatus	ETW Trace	N
173	LoaderCodedEventStatus	ETW Trace	N
174	LoaderCodedEventStatus	ETW Trace	N
176	LoaderNewDllEvent	ETW Trace	N
177	LoaderNewDllEvent	ETW Trace	N
192	LoaderCodedEventPath	ETW Trace	N
193	LoaderCodedEventPath	ETW Trace	N
208	LoaderCodedEventStatus	ETW Trace	N
209	LoaderCodedEventStatus	ETW Trace	N
210	LoaderCodedEventStatus	ETW Trace	N
211	LoaderCodedEventStatus	ETW Trace	N
212	LoaderDllSearchResults	ETW Trace	N
213	LoaderPathSearchResults	ETW Trace	N

Event ID 0: FileIo_Name

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`FileObject` mof:UInt32
`FileName` mof:String

Event ID 1: Thread_TypeGroup1

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`ProcessId` mof:UInt32
`TThreadId` mof:UInt32
`StackBase` mof:UInt32
`StackLimit` mof:UInt32
`UserStackBase` mof:UInt32
`UserStackLimit` mof:UInt32
`Affinity` mof:UInt32
`Win32StartAddr` mof:UInt32
`TebBase` mof:UInt32
`SubProcessTag` mof:UInt32
`BasePriority` mof:UInt8
`PagePriority` mof:UInt8
`IoPriority` mof:UInt8
`ThreadFlags` mof:UInt8
`ThreadName` mof:String

Event ID 2: Thread_TypeGroup1

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`ProcessId` mof:UInt32
`TThreadId` mof:UInt32
`StackBase` mof:UInt32
`StackLimit` mof:UInt32
`UserStackBase` mof:UInt32
`UserStackLimit` mof:UInt32
`Affinity` mof:UInt32
`Win32StartAddr` mof:UInt32
`TebBase` mof:UInt32
`SubProcessTag` mof:UInt32
`BasePriority` mof:UInt8
`PagePriority` mof:UInt8
`IoPriority` mof:UInt8
`ThreadFlags` mof:UInt8
`ThreadName` mof:String

Event ID 3: Thread_TypeGroup1

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`ProcessId` mof:UInt32
`TThreadId` mof:UInt32
`StackBase` mof:UInt32
`StackLimit` mof:UInt32
`UserStackBase` mof:UInt32
`UserStackLimit` mof:UInt32
`Affinity` mof:UInt32
`Win32StartAddr` mof:UInt32
`TebBase` mof:UInt32
`SubProcessTag` mof:UInt32
`BasePriority` mof:UInt8
`PagePriority` mof:UInt8
`IoPriority` mof:UInt8
`ThreadFlags` mof:UInt8
`ThreadName` mof:String

Event ID 4: Thread_TypeGroup1

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`ProcessId` mof:UInt32
`TThreadId` mof:UInt32
`StackBase` mof:UInt32
`StackLimit` mof:UInt32
`UserStackBase` mof:UInt32
`UserStackLimit` mof:UInt32
`Affinity` mof:UInt32
`Win32StartAddr` mof:UInt32
`TebBase` mof:UInt32
`SubProcessTag` mof:UInt32
`BasePriority` mof:UInt8
`PagePriority` mof:UInt8
`IoPriority` mof:UInt8
`ThreadFlags` mof:UInt8
`ThreadName` mof:String

Event ID 5: Header_Extension_TypeGroup

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`GroupMask1` mof:UInt32
`GroupMask2` mof:UInt32
`GroupMask3` mof:UInt32
`GroupMask4` mof:UInt32
`GroupMask5` mof:UInt32
`GroupMask6` mof:UInt32
`GroupMask7` mof:UInt32
`GroupMask8` mof:UInt32
`KernelEventVersion` mof:UInt32

Event ID 8: RDComplete

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Event ID 10: SystemConfig_V3_CPU

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`MHz` mof:UInt32
`NumberOfProcessors` mof:UInt32
`MemSize` mof:UInt32
`PageSize` mof:UInt32
`AllocationGranularity` mof:UInt32
`ComputerName` mof:Char16
`DomainName` mof:Char16
`HyperThreadingFlag` mof:UInt32
`HighestUserAddress` mof:UInt32
`ProcessorArchitecture` mof:UInt16
`ProcessorLevel` mof:UInt16
`ProcessorRevision` mof:UInt16
`PaeEnabled` mof:UInt8
`NxEnabled` mof:UInt8
`MemorySpeed` mof:UInt32

Event ID 11: DiskIo_TypeGroup1

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`DiskNumber` mof:UInt32
`IrpFlags` mof:UInt32
`TransferSize` mof:UInt32
`Reserved` mof:UInt32
`ByteOffset` mof:UInt64
`FileObject` mof:UInt32
`Irp` mof:UInt32
`HighResResponseTime` mof:UInt64
`IssuingThreadId` mof:UInt32

Event ID 12: DiskIo_TypeGroup2

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`Irp` mof:UInt32
`IssuingThreadId` mof:UInt32

Event ID 13: DiskIo_TypeGroup2

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`Irp` mof:UInt32
`IssuingThreadId` mof:UInt32

Event ID 14: DiskIo_TypeGroup3

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`DiskNumber` mof:UInt32
`IrpFlags` mof:UInt32
`HighResResponseTime` mof:UInt64
`Irp` mof:UInt32
`IssuingThreadId` mof:UInt32

Event ID 15: SystemConfig_V3_Services

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`ProcessId` mof:UInt32
`ServiceState` mof:UInt32
`SubProcessTag` mof:UInt32
`ServiceName` mof:String
`DisplayName` mof:String
`ProcessName` mof:String
`LoadOrderGroup` mof:String
`SvchostGroup` mof:String

Event ID 16: Registry_TypeGroup1

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`S1` mof:UInt8
`S2` mof:UInt8
`S3` mof:UInt8
`S4` mof:UInt8
`S5` mof:UInt8
`Pad1` mof:UInt8
`Pad2` mof:UInt8
`Pad3` mof:UInt8

Event ID 17: UdpIp_Fail

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`InitialTime` mof:SInt64
`Status` mof:UInt32	NTSTATUS reference
`Index` mof:UInt32
`KeyHandle` mof:UInt32
`KeyName` mof:String

Event ID 18: Registry_TypeGroup1

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`DiskNumber` mof:UInt16
`BusType` mof:UInt16
`DeviceType` mof:UInt16
`MediaType` mof:UInt16
`StartingOffset` mof:UInt64
`Size` mof:UInt64
`NumberOfFreeBlocks` mof:UInt64
`TotalNumberOfBlocks` mof:UInt64
`NextWritableAddress` mof:UInt64
`NumberOfSessions` mof:UInt32
`NumberOfTracks` mof:UInt32
`BytesPerSector` mof:UInt32
`DiscStatus` mof:UInt16
`LastSessionStatus` mof:UInt16
`DriveLetter` mof:String
`FileSystemName` mof:String
`DeviceName` mof:String
`ManufacturerName` mof:String

Event ID 19: Registry_TypeGroup1

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`InitialTime` mof:SInt64
`Status` mof:UInt32	NTSTATUS reference
`Index` mof:UInt32
`KeyHandle` mof:UInt32
`KeyName` mof:String

Event ID 20: Registry_TypeGroup1

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`InitialTime` mof:SInt64
`Status` mof:UInt32	NTSTATUS reference
`Index` mof:UInt32
`KeyHandle` mof:UInt32
`KeyName` mof:String

Event ID 21: SystemConfig_V3_IRQ

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`IRQAffinity` mof:UInt64
`IRQGroup` mof:UInt16
`Reserved` mof:UInt16
`IRQNum` mof:UInt32
`DeviceDescriptionLen` mof:UInt32
`DeviceDescription` mof:String

Event ID 22: SystemConfig_PnP

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`ClassGuid` mof:Object
`UpperFiltersCount` mof:UInt32
`LowerFiltersCount` mof:UInt32
`DevStatus` mof:UInt32
`DevProblem` mof:UInt32
`DeviceID` mof:String
`DeviceDescription` mof:String
`FriendlyName` mof:String
`PdoName` mof:String
`ServiceName` mof:String
`UpperFilters` mof:String
`LowerFilters` mof:String

Event ID 23: Registry_TypeGroup1

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`TargetId` mof:UInt32
`DeviceType` mof:UInt32
`DeviceTimingMode` mof:UInt32
`LocationInformationLen` mof:UInt32
`LocationInformation` mof:String

Event ID 24: Registry_TypeGroup1

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`InitialTime` mof:SInt64
`Status` mof:UInt32	NTSTATUS reference
`Index` mof:UInt32
`KeyHandle` mof:UInt32
`KeyName` mof:String

Event ID 25: Registry_TypeGroup1

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`InitialTime` mof:SInt64
`Status` mof:UInt32	NTSTATUS reference
`Index` mof:UInt32
`KeyHandle` mof:UInt32
`KeyName` mof:String

Event ID 26: UdpIp_TypeGroup2

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`PID` mof:UInt32
`size` mof:UInt32
`daddr` mof:Object
`saddr` mof:Object
`dport` mof:Object
`sport` mof:Object
`startime` mof:UInt32
`endtime` mof:UInt32
`seqnum` mof:UInt32
`connid` mof:UInt32

Event ID 27: UdpIp_TypeGroup2

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`PID` mof:UInt32
`size` mof:UInt32
`daddr` mof:Object
`saddr` mof:Object
`dport` mof:Object
`sport` mof:Object
`seqnum` mof:UInt32
`connid` mof:UInt32

Event ID 28: Registry_TypeGroup1

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`PID` mof:UInt32
`size` mof:UInt32
`daddr` mof:Object
`saddr` mof:Object
`dport` mof:Object
`sport` mof:Object
`mss` mof:UInt16
`sackopt` mof:UInt16
`tsopt` mof:UInt16
`wsopt` mof:UInt16
`rcvwin` mof:UInt32
`rcvwinscale` mof:SInt16
`sndwinscale` mof:SInt16
`seqnum` mof:UInt32
`connid` mof:UInt32

Event ID 29: Registry_TypeGroup1

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`PID` mof:UInt32
`size` mof:UInt32
`daddr` mof:Object
`saddr` mof:Object
`dport` mof:Object
`sport` mof:Object
`seqnum` mof:UInt32
`connid` mof:UInt32

Event ID 30: Registry_TxR

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`PID` mof:UInt32
`size` mof:UInt32
`daddr` mof:Object
`saddr` mof:Object
`dport` mof:Object
`sport` mof:Object
`seqnum` mof:UInt32
`connid` mof:UInt32

Event ID 31: Registry_TxR

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`AlignmentClusters` mof:UInt64
`AvgFreeSpaceSize` mof:UInt64
`ClustersPerSlab` mof:UInt64
`FragmentedDirectoryExtents` mof:UInt64
`FragmentedExtents` mof:UInt64
`FreeSpaceCount` mof:UInt64
`LargestFreeSpaceSize` mof:UInt64
`LastRunActualPurgeClusters` mof:UInt64
`LastRunClustersTrimmed` mof:UInt64
`LastRunFullDefragTime` mof:UInt64
`LastRunTime` mof:UInt64
`MFTSize` mof:UInt64
`TotalClusters` mof:UInt64
`TotalUsedClusters` mof:UInt64
`AvgFragmentsPerFile` mof:UInt32
`BytesPerCluster` mof:UInt32
`DirectoryCount` mof:UInt32
`FragmentedDirectories` mof:UInt32
`FragmentedFiles` mof:UInt32
`FragmentedSpace` mof:UInt32
`HardwareIssue` mof:UInt32
`InUseMFTRecords` mof:UInt32
`InUseSlabs` mof:UInt32
`LastRunActualPurgeSlabs` mof:UInt32
`LastRunInitialBackedSlabs` mof:UInt32
`LastRunPercentFragmentation` mof:UInt32
`LastRunPinnedSlabs` mof:UInt32
`LastRunPotentialPurgeSlabs` mof:UInt32
`LastRunSpaceInefficientSlabs` mof:UInt32
`LastRunTrimmedSlabs` mof:UInt32
`LastRunUnknownEvictFailSlabs` mof:UInt32
`LastRunVolsnapPinnedSlabs` mof:UInt32
`MFTFragmentCount` mof:UInt32
`MovableFiles` mof:UInt32
`TotalMFTRecords` mof:UInt32
`TotalSlabs` mof:UInt32
`UnmovableFiles` mof:UInt32
`VolumeId` mof:Object
`VolumePathNames` mof:String

Event ID 32: SystemConfig_V4_MobilePlatform

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`DeviceManufacturer` mof:String
`DeviceManufacturerDisplayName` mof:String
`DeviceModel` mof:String
`DeviceModelDisplayName` mof:String
`MobileOperator` mof:String
`SocVersion` mof:String
`BspVersion` mof:String

Event ID 33: ObHandleEvent

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`ProcessId` mof:UInt32
`PageFaultCount` mof:UInt32
`HandleCount` mof:UInt32
`Reserved` mof:UInt32
`PeakVirtualSize` mof:Object
`PeakWorkingSetSize` mof:Object
`PeakPagefileUsage` mof:Object
`QuotaPeakPagedPoolUsage` mof:Object
`QuotaPeakNonPagedPoolUsage` mof:Object
`VirtualSize` mof:Object
`WorkingSetSize` mof:Object
`PagefileUsage` mof:Object
`QuotaPagedPoolUsage` mof:Object
`QuotaNonPagedPoolUsage` mof:Object
`PrivatePageCount` mof:Object

Event ID 34: ObHandleDuplicateEvent

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`Counter1` mof:UInt64
`Counter2` mof:UInt64
`Counter3` mof:UInt64
`Counter4` mof:UInt64
`Counter5` mof:UInt64
`Counter6` mof:UInt64
`Counter7` mof:UInt64
`Counter8` mof:UInt64
`Counter9` mof:UInt64
`Counter10` mof:UInt64
`Counter11` mof:UInt64

Event ID 35: FileIo_Name

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`FileObject` mof:UInt32
`FileName` mof:String

Event ID 36: CSwitch_V4

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`NewThreadId` mof:UInt32
`OldThreadId` mof:UInt32
`NewThreadPriority` mof:SInt8
`OldThreadPriority` mof:SInt8
`PreviousCState` mof:UInt8
`SpareByte` mof:SInt8
`OldThreadWaitReason` mof:SInt8
`ThreadFlags` mof:SInt8
`OldThreadState` mof:SInt8
`OldThreadWaitIdealProcessor` mof:SInt8
`NewThreadWaitTime` mof:UInt32
`Reserved` mof:UInt32

Event ID 37: FileIo_V2_MapFile

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`BootFlags` mof:UInt64
`FirmwareType` mof:UInt32
`SecureBootEnabled` mof:UInt8
`SecureBootCapable` mof:UInt8
`Reserved1` mof:UInt8
`Reserved2` mof:UInt8

Event ID 38: FileIo_V2_MapFile

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`Object` mof:UInt32
`ProcessId` mof:UInt32
`Handle` mof:UInt32
`ObjectType` mof:UInt16
`ObjectName` mof:String

Event ID 39: Process_Defunct_TypeGroup1

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`UniqueProcessKey` mof:UInt32
`ProcessId` mof:UInt32
`ParentId` mof:UInt32
`SessionId` mof:UInt32
`ExitStatus` mof:SInt32
`DirectoryTableBase` mof:UInt32
`Flags` mof:UInt32
`UserSID` mof:Object
`ImageFileName` mof:String
`CommandLine` mof:String
`PackageFullName` mof:String
`ApplicationId` mof:String
`ExitTime` mof:UInt64

Event ID 40: FileIo_V2_MapFile

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`ViewBase` mof:UInt32
`FileObject` mof:UInt32
`MiscInfo` mof:UInt64
`ViewSize` mof:Object
`ProcessId` mof:UInt32

Event ID 41: SpinLock

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`SpinLockAddress` mof:UInt32
`CallerAddress` mof:UInt32
`AcquireTime` mof:UInt64
`ReleaseTime` mof:UInt64
`WaitTimeInCycles` mof:UInt32
`SpinCount` mof:UInt32
`ThreadId` mof:UInt32
`InterruptCount` mof:UInt32
`Irql` mof:UInt8
`AcquireDepth` mof:UInt8
`Flag` mof:UInt8
`Reserved` mof:UInt8

Event ID 42: PoolSnapshot

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Event ID 43: PoolSnapshot

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Event ID 44: PoolSnapshot

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Event ID 45: PoolSnapshot

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Event ID 46: SampledProfile

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`InstructionPointer` mof:UInt32
`ThreadId` mof:UInt32
`Count` mof:UInt16
`Reserved` mof:UInt16

Event ID 47: PmcCounterProfile

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`InstructionPointer` mof:UInt32
`ThreadId` mof:UInt32
`ProfileSource` mof:UInt16
`Reserved` mof:UInt16

Event ID 48: ThreadPriority

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`ThreadId` mof:UInt32
`OldPriority` mof:UInt8
`NewPriority` mof:UInt8
`Reserved` mof:UInt16

Event ID 49: ThreadPriority

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`ThreadId` mof:UInt32
`OldPriority` mof:UInt8
`NewPriority` mof:UInt8
`Reserved` mof:UInt16

Event ID 50: ObReferenceEvent

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`InitialTime` mof:Object
`Routine` mof:UInt32
`ReturnValue` mof:UInt8
`Vector` mof:UInt16
`Reserved` mof:UInt8
`MessageNumber` mof:UInt32

Event ID 51: ThreadPriority

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`ThreadId` mof:UInt32
`OldPriority` mof:UInt8
`NewPriority` mof:UInt8
`Reserved` mof:UInt16

Event ID 52: ThreadPriority

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`ThreadId` mof:UInt32
`OldPriority` mof:UInt8
`NewPriority` mof:UInt8
`Reserved` mof:UInt16

Event ID 53: ThreadAffinity

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`Affinity` mof:UInt32
`ThreadId` mof:UInt32
`Group` mof:UInt16
`Reserved` mof:UInt16

Event ID 55: DiskIo_TypeGroup1

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`DiskNumber` mof:UInt32
`IrpFlags` mof:UInt32
`TransferSize` mof:UInt32
`Reserved` mof:UInt32
`ByteOffset` mof:UInt64
`FileObject` mof:UInt32
`Irp` mof:UInt32
`HighResResponseTime` mof:UInt64
`IssuingThreadId` mof:UInt32

Event ID 56: DiskIo_TypeGroup1

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`DiskNumber` mof:UInt32
`IrpFlags` mof:UInt32
`TransferSize` mof:UInt32
`Reserved` mof:UInt32
`ByteOffset` mof:UInt64
`FileObject` mof:UInt32
`Irp` mof:UInt32
`HighResResponseTime` mof:UInt64
`IssuingThreadId` mof:UInt32

Event ID 57: DiskIo_TypeGroup3

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`DiskNumber` mof:UInt32
`IrpFlags` mof:UInt32
`HighResResponseTime` mof:UInt64
`Irp` mof:UInt32
`IssuingThreadId` mof:UInt32

Event ID 58: DiskIo_TypeGroup2

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`Irp` mof:UInt32
`IssuingThreadId` mof:UInt32

Event ID 59: DiskIo_TypeGroup2

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`Irp` mof:UInt32
`IssuingThreadId` mof:UInt32

Event ID 60: DiskIo_TypeGroup2

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`Irp` mof:UInt32
`IssuingThreadId` mof:UInt32

Event ID 61: ThreadMigration

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`ThreadId` mof:UInt32
`SourceProcessorIndex` mof:UInt16
`TargetProcessorIndex` mof:UInt16
`Priority` mof:UInt8
`IdealProcessorAdjust` mof:Boolean
`OldIdealProcessorIndex` mof:UInt16

Event ID 62: KernelQueueEnqueue

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`Entry` mof:UInt32
`ThreadId` mof:UInt32

Event ID 63: KernelQueueDequeue

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`ThreadId` mof:UInt32
`EntryCount` mof:UInt32
`Entries` mof:UInt32

Event ID 64: FileIo_Create

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`IrpPtr` mof:UInt32
`FileObject` mof:UInt32
`TTID` mof:UInt32
`CreateOptions` mof:UInt32
`FileAttributes` mof:UInt32
`ShareAccess` mof:UInt32
`OpenPath` mof:String

Event ID 65: FileIo_SimpleOp

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`IrpPtr` mof:UInt32
`FileObject` mof:UInt32
`FileKey` mof:UInt32
`TTID` mof:UInt32

Event ID 66: FileIo_SimpleOp

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`IrpPtr` mof:UInt32
`FileObject` mof:UInt32
`FileKey` mof:UInt32
`TTID` mof:UInt32

Event ID 67: FileIo_ReadWrite

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`Offset` mof:UInt64
`IrpPtr` mof:UInt32
`FileObject` mof:UInt32
`FileKey` mof:UInt32
`TTID` mof:UInt32
`IoSize` mof:UInt32
`IoFlags` mof:UInt32

Event ID 68: FileIo_ReadWrite

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`Offset` mof:UInt64
`IrpPtr` mof:UInt32
`FileObject` mof:UInt32
`FileKey` mof:UInt32
`TTID` mof:UInt32
`IoSize` mof:UInt32
`IoFlags` mof:UInt32

Event ID 69: FileIo_Info

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`IrpPtr` mof:UInt32
`FileObject` mof:UInt32
`FileKey` mof:UInt32
`ExtraInfo` mof:UInt32
`TTID` mof:UInt32
`InfoClass` mof:UInt32

Event ID 70: FileIo_Info

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`IrpPtr` mof:UInt32
`FileObject` mof:UInt32
`FileKey` mof:UInt32
`ExtraInfo` mof:UInt32
`TTID` mof:UInt32
`InfoClass` mof:UInt32

Event ID 71: FileIo_Info

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`IrpPtr` mof:UInt32
`FileObject` mof:UInt32
`FileKey` mof:UInt32
`ExtraInfo` mof:UInt32
`TTID` mof:UInt32
`InfoClass` mof:UInt32

Event ID 72: FileIo_DirEnum

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`IrpPtr` mof:UInt32
`FileObject` mof:UInt32
`FileKey` mof:UInt32
`TTID` mof:UInt32
`Length` mof:UInt32
`InfoClass` mof:UInt32
`FileIndex` mof:UInt32
`FileName` mof:String

Event ID 73: SampledProfileInterval_V3

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`IrpPtr` mof:UInt32
`FileObject` mof:UInt32
`FileKey` mof:UInt32
`TTID` mof:UInt32

Event ID 74: SampledProfileInterval_V3

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`IrpPtr` mof:UInt32
`FileObject` mof:UInt32
`FileKey` mof:UInt32
`ExtraInfo` mof:UInt32
`TTID` mof:UInt32
`InfoClass` mof:UInt32

Event ID 75: SpinLockConfig_V3

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`IrpPtr` mof:UInt32
`FileObject` mof:UInt32
`FileKey` mof:UInt32
`ExtraInfo` mof:UInt32
`TTID` mof:UInt32
`InfoClass` mof:UInt32

Event ID 76: SpinLockConfig_V3

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`SpinLockSpinThreshold` mof:UInt32
`SpinLockContentionSampleRate` mof:UInt32
`SpinLockAcquireSampleRate` mof:UInt32
`SpinLockHoldThreshold` mof:UInt32

Event ID 77: FileIo_DirEnum

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`IrpPtr` mof:UInt32
`FileObject` mof:UInt32
`FileKey` mof:UInt32
`TTID` mof:UInt32
`Length` mof:UInt32
`InfoClass` mof:UInt32
`FileIndex` mof:UInt32
`FileName` mof:String

Event ID 79: FileIo_PathOperation

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`IrpPtr` mof:UInt32
`FileObject` mof:UInt32
`FileKey` mof:UInt32
`ExtraInfo` mof:UInt32
`TTID` mof:UInt32
`InfoClass` mof:UInt32
`FileName` mof:String

Event ID 80: FileIo_PathOperation

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`IrpPtr` mof:UInt32
`FileObject` mof:UInt32
`FileKey` mof:UInt32
`ExtraInfo` mof:UInt32
`TTID` mof:UInt32
`InfoClass` mof:UInt32
`FileName` mof:String

Event ID 81: FileIo_PathOperation

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`IrpPtr` mof:UInt32
`FileObject` mof:UInt32
`FileKey` mof:UInt32
`ExtraInfo` mof:UInt32
`TTID` mof:UInt32
`InfoClass` mof:UInt32
`FileName` mof:String

Event ID 82: Header_LastDroppedTimes_TypeGroup

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`Object` mof:UInt32
`Tag` mof:UInt32
`ProcessId` mof:UInt32
`Count` mof:UInt32

Event ID 83: Process_V2_TypeGroup4

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`Object` mof:UInt32
`Tag` mof:UInt32
`ProcessId` mof:UInt32
`Count` mof:UInt32

Event ID 84: Process_V2_TypeGroup4

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`Object` mof:UInt32
`Tag` mof:UInt32
`ProcessId` mof:UInt32
`Count` mof:UInt32

Event ID 92: ISR_Unexpected

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`Vector` mof:UInt16

Event ID 93: IoTimerEvent

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`DeviceObject` mof:UInt32
`TimerRoutine` mof:UInt32

Event ID 94: IoTimerEvent

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`DeviceObject` mof:UInt32
`TimerRoutine` mof:UInt32

Event ID 95: ISR

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`InitialTime` mof:Object
`Routine` mof:UInt32
`ReturnValue` mof:UInt8
`Vector` mof:UInt16
`Reserved` mof:UInt8

Event ID 96: FltIoInit

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`RoutineAddr` mof:UInt32
`FileObject` mof:UInt32
`FileContext` mof:UInt32
`IrpPtr` mof:UInt32
`CallbackDataPtr` mof:UInt32
`MajorFunction` mof:UInt32

Event ID 97: FltIoInit

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`RoutineAddr` mof:UInt32
`FileObject` mof:UInt32
`FileContext` mof:UInt32
`IrpPtr` mof:UInt32
`CallbackDataPtr` mof:UInt32
`MajorFunction` mof:UInt32

Event ID 98: FltIoCompletion

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`InitialTime` mof:Object
`RoutineAddr` mof:UInt32
`FileObject` mof:UInt32
`FileContext` mof:UInt32
`IrpPtr` mof:UInt32
`CallbackDataPtr` mof:UInt32
`MajorFunction` mof:UInt32

Event ID 99: FltIoCompletion

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`InitialTime` mof:Object
`RoutineAddr` mof:UInt32
`FileObject` mof:UInt32
`FileContext` mof:UInt32
`IrpPtr` mof:UInt32
`CallbackDataPtr` mof:UInt32
`MajorFunction` mof:UInt32

Event ID 100: PageFault_HeapRangeRundown

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`HeapHandle` mof:UInt32
`HRFlags` mof:UInt32
`HRPid` mof:UInt32
`HRRangeCount` mof:UInt32
`HRHeapTag` mof:UInt64

Event ID 101: FltIoFailure

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`RoutineAddr` mof:UInt32
`FileObject` mof:UInt32
`FileContext` mof:UInt32
`IrpPtr` mof:UInt32
`CallbackDataPtr` mof:UInt32
`MajorFunction` mof:UInt32
`Status` mof:UInt32	NTSTATUS reference

Event ID 102: PageFault_HeapRangeTypeGroup

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`HeapHandle` mof:UInt32
`HRAddress` mof:UInt32
`HRSize` mof:Object

Event ID 103: PageFault_HeapRangeTypeGroup

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`HeapHandle` mof:UInt32
`HRAddress` mof:UInt32
`HRSize` mof:Object

Event ID 104: PageFault_HeapRangeDestroy

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`DueTime` mof:UInt64
`MaximumDueTime` mof:UInt64
`Period` mof:UInt64
`Timer` mof:UInt32
`Callback` mof:UInt32
`CallbackContext` mof:UInt32
`TimerFlags` mof:UInt8

Event ID 105: PageFault_ImageLoadBacked

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`DueTime` mof:UInt64
`MaximumDueTime` mof:UInt64
`Period` mof:UInt64
`Timer` mof:UInt32
`Callback` mof:UInt32
`CallbackContext` mof:UInt32
`TimerFlags` mof:UInt8

Event ID 106: CancelKTimer2

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`Timer` mof:UInt32

Event ID 107: DisableKTimer2

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`Timer` mof:UInt32
`DisableCallback` mof:UInt32
`DisableContext` mof:UInt32
`TimerFlags` mof:UInt8

Event ID 108: FinalizeKTimer2

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`Timer` mof:UInt32
`DisableCallback` mof:UInt32
`DisableContext` mof:UInt32

Event ID 114: HV_Hypercall

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`CallCode` mof:UInt32
`IsFast` mof:UInt8
`IsNested` mof:UInt8

Event ID 122: ContextRegistersAMD64

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`Rip` mof:UInt64
`Rax` mof:UInt64
`Rcx` mof:UInt64
`Rdx` mof:UInt64
`Rbx` mof:UInt64
`Rsp` mof:UInt64
`Rsi` mof:UInt64
`Rdi` mof:UInt64
`R8` mof:UInt64
`R9` mof:UInt64
`R10` mof:UInt64
`R11` mof:UInt64
`R12` mof:UInt64
`R13` mof:UInt64
`R14` mof:UInt64
`R15` mof:UInt64

Event ID 123: ContextRegistersARM64

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`Cpsr` mof:UInt32
`X0` mof:UInt64
`X1` mof:UInt64
`X2` mof:UInt64
`X3` mof:UInt64
`X4` mof:UInt64
`X5` mof:UInt64
`X6` mof:UInt64
`X7` mof:UInt64
`X8` mof:UInt64
`X9` mof:UInt64
`X10` mof:UInt64
`X11` mof:UInt64
`X12` mof:UInt64
`X13` mof:UInt64
`X14` mof:UInt64
`X15` mof:UInt64
`X16` mof:UInt64
`X17` mof:UInt64
`X18` mof:UInt64
`X19` mof:UInt64
`X20` mof:UInt64
`X21` mof:UInt64
`X22` mof:UInt64
`X23` mof:UInt64
`X24` mof:UInt64
`X25` mof:UInt64
`X26` mof:UInt64
`X27` mof:UInt64
`X28` mof:UInt64
`Fp` mof:UInt64
`Lr` mof:UInt64
`Sp` mof:UInt64
`Pc` mof:UInt64

Event ID 127: PageFault_VirtualRotate

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`BaseAddress` mof:UInt32
`SizeInBytes` mof:Object
`Flags` mof:UInt32

Event ID 128: PageFault_VirtualAllocRundown

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`BaseAddress` mof:UInt32
`RegionSize` mof:Object
`ProcessId` mof:UInt32
`Flags` mof:UInt32
`CommitSizeInBytes` mof:Object

Event ID 129: PageFault_VirtualAllocRundown

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`BaseAddress` mof:UInt32
`RegionSize` mof:Object
`ProcessId` mof:UInt32
`Flags` mof:UInt32
`CommitSizeInBytes` mof:Object

Event ID 130: LoaderBasicEvent

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Event ID 131: LoaderBasicEvent

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Event ID 132: LoaderBasicEvent

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Event ID 133: LoaderBasicEvent

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Event ID 134: PageFault_MemReset

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`BaseAddress` mof:UInt32
`SizeInBytes` mof:Object
`Flags` mof:UInt32

Event ID 135: LoaderBasicEvent

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Event ID 144: LoaderBaseEvent

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`BaseAddress` mof:UInt64

Event ID 145: LoaderBaseEvent

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`BaseAddress` mof:UInt64

Event ID 146: LoaderBaseEvent

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`BaseAddress` mof:UInt64

Event ID 147: LoaderBaseEvent

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`BaseAddress` mof:UInt64

Event ID 148: LoaderBaseEvent

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`BaseAddress` mof:UInt64

Event ID 149: LoaderBaseEvent

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`BaseAddress` mof:UInt64

Event ID 150: LoaderBaseEvent

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`BaseAddress` mof:UInt64

Event ID 160: LoaderCodedEvent

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`BaseAddress` mof:UInt64
`ErrorOpcode` mof:UInt8
`Code` mof:SInt8
`String` mof:String

Event ID 161: LoaderCodedEvent

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`BaseAddress` mof:UInt64
`ErrorOpcode` mof:UInt8
`Code` mof:SInt8
`String` mof:String

Event ID 162: LoaderCodedEvent

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`BaseAddress` mof:UInt64
`ErrorOpcode` mof:UInt8
`Code` mof:SInt8
`String` mof:String

Event ID 163: LoaderCodedEvent

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`BaseAddress` mof:UInt64
`ErrorOpcode` mof:UInt8
`Code` mof:SInt8
`String` mof:String

Event ID 164: LoaderCodedEvent

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`BaseAddress` mof:UInt64
`ErrorOpcode` mof:UInt8
`Code` mof:SInt8
`String` mof:String

Event ID 165: LoaderCodedEventStatus

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`BaseAddress` mof:UInt64
`ErrorOpcode` mof:UInt8
`Code` mof:SInt8
`String` mof:String

Event ID 166: LoaderCodedEventStatus

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`BaseAddress` mof:UInt64
`ErrorOpcode` mof:UInt8
`Code` mof:SInt8
`String` mof:String

Event ID 167: LoaderCodedEventStatus

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`BaseAddress` mof:UInt64
`ErrorOpcode` mof:UInt8
`Code` mof:SInt8
`String` mof:String

Event ID 168: LoaderCodedEventStatus

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`BaseAddress` mof:UInt64
`ErrorOpcode` mof:UInt8
`Code` mof:SInt8
`String` mof:String

Event ID 169: LoaderCodedEventStatus

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`BaseAddress` mof:UInt64
`ErrorOpcode` mof:UInt8
`Code` mof:SInt8
`String` mof:String

Event ID 170: LoaderCodedEventStatus

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`BaseAddress` mof:UInt64
`ErrorOpcode` mof:UInt8
`Code` mof:SInt8
`String` mof:String

Event ID 171: LoaderCodedEventStatus

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`BaseAddress` mof:UInt64
`ErrorOpcode` mof:UInt8
`Code` mof:SInt8
`String` mof:String

Event ID 172: LoaderCodedEventStatus

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`BaseAddress` mof:UInt64
`ErrorOpcode` mof:UInt8
`Code` mof:SInt8
`String` mof:String

Event ID 173: LoaderCodedEventStatus

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`BaseAddress` mof:UInt64
`ErrorOpcode` mof:UInt8
`Code` mof:SInt8
`String` mof:String

Event ID 174: LoaderCodedEventStatus

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`BaseAddress` mof:UInt64
`ErrorOpcode` mof:UInt8
`Code` mof:SInt8
`String` mof:String

Event ID 176: LoaderNewDllEvent

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`NewDllBaseAddress` mof:UInt32
`ParentDllBaseAddress` mof:UInt32
`LoadReason` mof:UInt32
`FilePath` mof:String

Event ID 177: LoaderNewDllEvent

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`NewDllBaseAddress` mof:UInt32
`ParentDllBaseAddress` mof:UInt32
`LoadReason` mof:UInt32
`FilePath` mof:String

Event ID 192: LoaderCodedEventPath

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`BaseAddress` mof:UInt64
`ErrorOpcode` mof:UInt8
`Code` mof:SInt8
`String1` mof:String
`String2` mof:String

Event ID 193: LoaderCodedEventPath

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`BaseAddress` mof:UInt64
`ErrorOpcode` mof:UInt8
`Code` mof:SInt8
`String1` mof:String
`String2` mof:String

Event ID 208: LoaderCodedEventStatus

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`BaseAddress` mof:UInt64
`ErrorOpcode` mof:UInt8
`Code` mof:SInt8
`String` mof:String

Event ID 209: LoaderCodedEventStatus

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`BaseAddress` mof:UInt64
`ErrorOpcode` mof:UInt8
`Code` mof:SInt8
`String` mof:String

Event ID 210: LoaderCodedEventStatus

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`BaseAddress` mof:UInt64
`ErrorOpcode` mof:UInt8
`Code` mof:SInt8
`String` mof:String

Event ID 211: LoaderCodedEventStatus

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`BaseAddress` mof:UInt64
`ErrorOpcode` mof:UInt8
`Code` mof:SInt8
`String` mof:String

Event ID 212: LoaderDllSearchResults

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`LdrLoadFlags` mof:UInt32
`LdrSearchFlags` mof:UInt32
`SearchInfo` mof:UInt32
`LoadReason` mof:UInt32
`FullDllName` mof:String

Event ID 213: LoaderPathSearchResults

Provider: Windows Kernel Trace
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`SearchInfo` mof:UInt32
`Cwd` mof:String
`AppDir` mof:String
`DllDir` mof:String
`DllLoadDir` mof:String

Provenance

Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.

ETW provider GUID {9E814AAD-3204-11D2-9A82-006008A86939}

Observed on:

WS2025-26100.0, schema read from the WMI MOF class, captured 2026-02-26
Taken from Windows installation media (build 26100.1), not a patched system, so the exact update level is unknown.
WS2022-20348.4893, schema read from the WMI MOF class, captured 2026-06-02
MOF class: MSNT_SystemTrace
Win11-26200.6584, schema read from the WMI MOF class, captured 2026-06-02
MOF class: MSNT_SystemTrace

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)