Microsoft-Antimalware-Engine

110 events across 1 channel

Event   Title   Channel
1   Start of engine scan request   Application
2   End of engine scan request   Application
3   Message   Application
4   Versions   Application
5   Start of stream scan request   Application
6   End of stream scan request   Application
7   Skipped file   Application
8   Behavior Monitoring   Application
9   Behavior Monitoring   Application
10   Behavior Monitoring   Application
11   Behavior Monitoring   Application
12   Behavior Monitoring   Application
13   Behavior Monitoring   Application
14   Behavior Monitoring   Application
15   Behavior Monitoring   Application
16   Behavior Monitoring   Application
17   Behavior Monitoring   Application
18   Behavior Monitoring   Application
19   Behavior Monitoring   Application
20   Behavior Monitoring   Application
21   Behavior Monitoring   Application
22   Behavior Monitoring   Application
23   Behavior Monitoring   Application
24   Behavior Monitoring   Application
25   Behavior Monitoring   Application
26   Behavior Monitoring   Application
27   Behavior Monitoring   Application
28   Behavior Monitoring   Application
29   Behavior Monitoring   Application
30   UfsScanFileTask   Application
31   UfsScanFileTask   Application
32   UfsScanProcTaskStart_V2   Application
33   UfsScanProcTaskStop_V3   Application
35   Cache   Application
36   Cache   Application
37   Cache   Application
38   Cache   Application
39   Cache   Application
40   PersistedStoreTaskPersistedStoreAction   Application
41   PersistedStoreTaskPersistedStoreMaintenance   Application
42   PersistedStoreTaskPersistedStoreAnalyzeFile   Application
43   ExpensiveOperationTask   Application
44   MetaStoreTask   Application
45   MetaStoreTaskMetaStoreMaintenance   Application
46   Behavior Monitoring   Application
47   Behavior Monitoring   Application
48   Behavior Monitoring   Application
49   Behavior Monitoring   Application
50   Behavior Monitoring   Application
51   Behavior Monitoring   Application
52   Behavior Monitoring   Application
53   Behavior Monitoring   Application
58   Behavior Monitoring   Application
59   Message   Application
60   Behavior Monitoring   Application
61   Behavior Monitoring   Application
62   Behavior Monitoring   Application
63   Behavior Monitoring   Application
64   Behavior Monitoring   Application
65   Behavior Monitoring   Application
66   Behavior Monitoring   Application
67   ExpensiveOperationTask   Application
68   Message   Application
69   Message   Application
70   Behavior Monitoring   Application
71   Behavior Monitoring   Application
72   Behavior Monitoring   Application
73   Behavior Monitoring   Application
74   SenseRemediationTask   Application
75   Message   Application
76   SenseHeartbeatTask   Application
77   SmsScanTaskSmsRequestMonitorProcessId   Application
78   SmsScanTaskSmsRequestMonitorFilePath   Application
79   SmsScanTaskSmsMonitoringStart   Application
80   SmsScanTaskSmsMonitoringStop   Application
81   SmsScanTaskSmsScanStart   Application
82   SmsScanTaskSmsScanStop   Application
83   StartRundownTaskStart   Application
84   StartRundownTaskStop   Application
85   EndRundownTaskStart   Application
86   EndRundownTaskStop   Application
87   EngineTaskStart   Application
88   EngineTaskStop   Application
89   EngineTaskDCStart   Application
90   EngineTaskDCStop   Application
91   UfsScanFileTaskDCStart_V1   Application
92   UfsScanFileTaskDCStop_V1   Application
93   UfsScanProcTaskDCStart_V1   Application
94   UfsScanProcTaskDCStop_V1   Application
95   Behavior Monitoring   Application
96   SenseOnboardingInfoTask   Application
97   Scan request   Application
98   Scan request   Application
99   Behavior Monitoring   Application
100   Behavior Monitoring   Application
101   EngineLoadTaskStart   Application
102   EngineLoadTaskStop   Application
103   Behavior Monitoring   Application
104   Behavior Monitoring   Application
105   Behavior Monitoring   Application
106   Behavior Monitoring   Application
107   Behavior Monitoring   Application
108   SenseExclusionTask   Application
109   Behavior Monitoring   Application
110   Behavior Monitoring   Application
111   Behavior Monitoring   Application
112   Behavior Monitoring   Application
113   Behavior Monitoring   Application
114   Behavior Monitoring   Application
115   BehaviorMonitoringBmDbChanged   Application

Event ID 1: Start of engine scan request

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: Scanrequest
Opcode: Start

Description

Start of engine scan request.

Message

Start of engine scan request

Fields

Name   Description
EngineId Pointer
Id UInt8
Type AnsiString
Flags HexInt32
ScanSource UInt32
ResourceCount UInt32
FirstResourceType UnicodeString
FirstResourcePath UnicodeString
ThreadTime FILETIME

Event ID 2: End of engine scan request

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: Scanrequest
Opcode: Stop

Description

End of engine scan request.

Message

End of engine scan request

Fields

Name   Description
EngineId Pointer
Id UInt8
Type AnsiString
Flags HexInt32
ScanSource UInt32
ResourceCount UInt32
FirstResourceType UnicodeString
FirstResourcePath UnicodeString
ThreadTime FILETIME
StartQPC UInt64

Event ID 3: Message

Provider: Microsoft-Antimalware-Engine
Channel: Application
Also via: realtime ETW trace
Level: Informational
Task: Message
Opcode: win:Info

Fields

Name   Description
Message UnicodeString

Example Event

{
  "system": {
    "provider": "Microsoft-Antimalware-Engine",
    "guid": "{0A002690-3839-4E3A-B3B6-96D8DF868D99}",
    "event_source_name": "",
    "event_id": 3,
    "version": 0,
    "level": 4,
    "task": 2,
    "opcode": 0,
    "keywords": "0x0000000000000000",
    "time_created": "2026-06-02T05:20:53.152+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 3756,
      "thread_id": 13108
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Message": "C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\Microsoft.We0722664#\\fabb9e10f6808e7fbef2496dc4f4b9a2\\Microsoft.WSMan.Management.ni.dll : CI bit is set, but level is too low. Level: 2"
  },
  "message": "GenericMessageTask"
}

Event ID 4: Versions

Provider: Microsoft-Antimalware-Engine
Channel: Application
Also via: realtime ETW trace
Level: Informational
Task: Versions
Opcode: win:Info

Fields

Name   Description
EngineVersion UnicodeString
AVVersion UnicodeString
ASVersion UnicodeString

Example Event

{
  "system": {
    "provider": "Microsoft-Antimalware-Engine",
    "guid": "{0A002690-3839-4E3A-B3B6-96D8DF868D99}",
    "event_source_name": "",
    "event_id": 4,
    "version": 0,
    "level": 4,
    "task": 3,
    "opcode": 0,
    "keywords": "0x0000000000000000",
    "time_created": "2026-06-02T05:18:28.322+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 4712,
      "thread_id": 16152
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "AS Version": "1.451.223.0",
    "AV Version": "1.451.223.0",
    "Engine Version": "1.1.26040.8"
  },
  "message": "VersionTask"
}

Event ID 5: Start of stream scan request

Provider: Microsoft-Antimalware-Engine
Channel: Application
Also via: realtime ETW trace
Level: Informational
Task: Streamscanrequest
Opcode: Start

Description

Start of stream scan request.

Message

Start of stream scan request

Fields

Name   Description
Id UInt32
Path UnicodeString
Process UnicodeString
Reason UInt32
ThreadTime FILETIME
PID UInt32

Example Event

{
  "system": {
    "provider": "Microsoft-Antimalware-Engine",
    "guid": "{0A002690-3839-4E3A-B3B6-96D8DF868D99}",
    "event_source_name": "",
    "event_id": 5,
    "version": 1,
    "level": 4,
    "task": 4,
    "opcode": 1,
    "keywords": "0x0000000000000000",
    "time_created": "2026-06-02T05:20:52.988+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{C3AAE106-E766-4DFA-9E19-A815726CDA4D}"
    },
    "execution": {
      "process_id": 3756,
      "thread_id": 4400
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Id": 477820198,
    "PID": 11608,
    "Path": "\\Device\\HarddiskVolume4\\Users\\localuser\\AppData\\Local\\Temp\\__PSScriptPolicyTest_i3yqwsnl.1tp.ps1",
    "Process": "\\Device\\HarddiskVolume4\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "Reason": 2,
    "ThreadTime": "1601-01-01 00:01:27.187Z"
  },
  "message": "StreamScanRequestTask"
}

Event ID 6: End of stream scan request

Provider: Microsoft-Antimalware-Engine
Channel: Application
Also via: realtime ETW trace
Level: Informational
Task: Streamscanrequest
Opcode: Stop

Description

End of stream scan request.

Message

End of stream scan request

Fields

Name   Description
Id UInt32
Path UnicodeString
Process UnicodeString
Reason UInt32
ThreadTime FILETIME
PID UInt32

Example Event

{
  "system": {
    "provider": "Microsoft-Antimalware-Engine",
    "guid": "{0A002690-3839-4E3A-B3B6-96D8DF868D99}",
    "event_source_name": "",
    "event_id": 6,
    "version": 1,
    "level": 4,
    "task": 4,
    "opcode": 2,
    "keywords": "0x0000000000000000",
    "time_created": "2026-06-02T05:20:52.991+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{C3AAE106-E766-4DFA-9E19-A815726CDA4D}"
    },
    "execution": {
      "process_id": 3756,
      "thread_id": 4400
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Id": 477820198,
    "PID": 11608,
    "Path": "\\Device\\HarddiskVolume4\\Users\\localuser\\AppData\\Local\\Temp\\__PSScriptPolicyTest_i3yqwsnl.1tp.ps1",
    "Process": "\\Device\\HarddiskVolume4\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "Reason": 2,
    "ThreadTime": "1601-01-01 00:01:27.187Z"
  },
  "message": "StreamScanRequestTask"
}

Event ID 7: Skipped file

Provider: Microsoft-Antimalware-Engine
Channel: Application
Also via: realtime ETW trace
Level: Informational
Task: Skippedfile
Opcode: win:Info

Description

Skipped file.

Message

Skipped file

Fields

Name   Description
Path UnicodeString
Reason AnsiString

Example Event

{
  "system": {
    "provider": "Microsoft-Antimalware-Engine",
    "guid": "{0A002690-3839-4E3A-B3B6-96D8DF868D99}",
    "event_source_name": "",
    "event_id": 7,
    "version": 0,
    "level": 4,
    "task": 5,
    "opcode": 0,
    "keywords": "0x0000000000000000",
    "time_created": "2026-06-02T05:20:53.580+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{7D77A037-82FB-4E65-B66C-86F3AA5440F9}"
    },
    "execution": {
      "process_id": 3756,
      "thread_id": 4400
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Path": "\\Device\\HarddiskVolume4\\Windows\\System32\\en-US\\logman.exe.mui",
    "Reason": "Log skip"
  },
  "message": "SkippedFileTask"
}

Event ID 8: Behavior Monitoring

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmDetection

Fields

Name   Description
PID UInt32
GUID GUID
Type UInt32
Name UnicodeString
SignatureId HexInt64
ImagePath UnicodeString

Event ID 9: Behavior Monitoring

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmProcessStart

Fields

Name   Description
PID UInt32
PPID UInt32
ImagePath UnicodeString
Flags HexInt32

Event ID 10: Behavior Monitoring

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmDriverLoad

Fields

Name   Description
PID UInt32
ImagePath UnicodeString

Event ID 11: Behavior Monitoring

Provider: Microsoft-Antimalware-Engine
Channel: Application
Also via: realtime ETW trace
Level: Informational
Task: BehaviorMonitoring
Opcode: BmModuleLoad

Fields

Name   Description
PID UInt32
ImagePath UnicodeString

Example Event

{
  "system": {
    "provider": "Microsoft-Antimalware-Engine",
    "guid": "{0A002690-3839-4E3A-B3B6-96D8DF868D99}",
    "event_source_name": "",
    "event_id": 11,
    "version": 0,
    "level": 4,
    "task": 6,
    "opcode": 13,
    "keywords": "0x0000000000000000",
    "time_created": "2026-06-02T05:20:52.924+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 3756,
      "thread_id": 8752
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ImagePath": "\\Device\\HarddiskVolume4\\Windows\\System32\\win32u.dll",
    "PID": 14912
  },
  "message": "BehaviorMonitorTask"
}

Event ID 12: Behavior Monitoring

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmDocumentOpen

Fields

Name   Description
PID UInt32
ImageName UnicodeString
FileName UnicodeString

Event ID 13: Behavior Monitoring

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmFileCreate

Fields

Name   Description
PID UInt32
FileName UnicodeString

Event ID 14: Behavior Monitoring

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmFileChange

Fields

Name   Description
PID UInt32
FileName UnicodeString

Event ID 15: Behavior Monitoring

Provider: Microsoft-Antimalware-Engine
Channel: Application
Also via: realtime ETW trace
Level: Informational
Task: BehaviorMonitoring
Opcode: BmFileDelete

Fields

Name   Description
PID UInt32
FileName UnicodeString

Example Event

{
  "system": {
    "provider": "Microsoft-Antimalware-Engine",
    "guid": "{0A002690-3839-4E3A-B3B6-96D8DF868D99}",
    "event_source_name": "",
    "event_id": 15,
    "version": 0,
    "level": 4,
    "task": 6,
    "opcode": 17,
    "keywords": "0x0000000000000000",
    "time_created": "2026-06-02T04:00:01.310+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 3756,
      "thread_id": 5168
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "FileName": "\\Device\\HarddiskVolume4\\Windows\\System32\\LogFiles\\WMI\\RtBackup\\EtwRTAdmin_PS_Provider.etl",
    "PID": 4
  },
  "message": "BehaviorMonitorTask"
}

Event ID 16: Behavior Monitoring

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmFileRename

Fields

Name   Description
PID UInt32
FileName UnicodeString
OldFileName UnicodeString

Event ID 17: Behavior Monitoring

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmRegistryKeyCreate

Fields

Name   Description
PID UInt32
KeyPath UnicodeString

Event ID 18: Behavior Monitoring

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmRegistryKeyRename

Fields

Name   Description
PID UInt32
KeyPath UnicodeString

Event ID 19: Behavior Monitoring

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmRegistryKeyDelete

Fields

Name   Description
PID UInt32
KeyPath UnicodeString

Event ID 20: Behavior Monitoring

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmRegistryValueSet

Fields

Name   Description
PID UInt32
KeyPath UnicodeString
ValueName UnicodeString

Event ID 21: Behavior Monitoring

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmRegistryValueDelete

Fields

Name   Description
PID UInt32
KeyPath UnicodeString
ValueName UnicodeString

Event ID 22: Behavior Monitoring

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmNetworkConnect

Fields

Name   Description
PID UInt32

Event ID 23: Behavior Monitoring

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmNetworkData

Fields

Name   Description
PID UInt32

Event ID 24: Behavior Monitoring

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmNetworkListen

Fields

Name   Description
PID UInt32

Event ID 25: Behavior Monitoring

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmNetworkAccept

Fields

Name   Description
PID UInt32

Event ID 26: Behavior Monitoring

Provider: Microsoft-Antimalware-Engine
Channel: Application
Also via: realtime ETW trace
Level: Informational
Task: BehaviorMonitoring
Opcode: BmProcessTerminate

Fields

Name   Description
PID UInt32

Example Event

{
  "system": {
    "provider": "Microsoft-Antimalware-Engine",
    "guid": "{0A002690-3839-4E3A-B3B6-96D8DF868D99}",
    "event_source_name": "",
    "event_id": 26,
    "version": 0,
    "level": 4,
    "task": 6,
    "opcode": 28,
    "keywords": "0x0000000000000000",
    "time_created": "2026-06-02T05:20:53.178+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 3756,
      "thread_id": 8752
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "PID": 15580
  },
  "message": "BehaviorMonitorTask"
}

Event ID 27: Behavior Monitoring

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmNetworkDetection

Fields

Name   Description
PID UInt32
DetectionId HexInt64

Event ID 28: Behavior Monitoring

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmBootRecordChange

Fields

Name   Description
PID UInt32
RecordType UInt32
ImagePath UnicodeString
Path UnicodeString

Event ID 29: Behavior Monitoring

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmRemoteThreadCreate

Fields

Name   Description
PID UInt32
TPID UInt32
TTID UInt32
ImageName UnicodeString

Event ID 30: UfsScanFileTask

Provider: Microsoft-Antimalware-Engine
Channel: Application
Also via: realtime ETW trace
Level: Informational
Task: UfsScanFileTask
Opcode: Start

Fields

Name   Description
EngineId Pointer
FilePath UnicodeString
ThreadTime FILETIME

Example Event

{
  "system": {
    "provider": "Microsoft-Antimalware-Engine",
    "guid": "{0A002690-3839-4E3A-B3B6-96D8DF868D99}",
    "event_source_name": "",
    "event_id": 30,
    "version": 2,
    "level": 4,
    "task": 17,
    "opcode": 1,
    "keywords": "0x0000000000000000",
    "time_created": "2026-06-02T04:10:23.756+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 3756,
      "thread_id": 10388
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "EngineId": "0x7FFCAC8D0000",
    "FilePath": "C:\\Windows\\System32\\csrss.exe",
    "ThreadTime": "1601-01-01 00:00:13.781Z"
  },
  "message": "UfsScanFileTask"
}

Event ID 31: UfsScanFileTask

Provider: Microsoft-Antimalware-Engine
Channel: Application
Also via: realtime ETW trace
Level: Informational
Task: UfsScanFileTask
Opcode: Stop

Fields

Name   Description
EngineId Pointer
FilePath UnicodeString
ThreadTime FILETIME
StartQPC UInt64

Example Event

{
  "system": {
    "provider": "Microsoft-Antimalware-Engine",
    "guid": "{0A002690-3839-4E3A-B3B6-96D8DF868D99}",
    "event_source_name": "",
    "event_id": 31,
    "version": 3,
    "level": 4,
    "task": 17,
    "opcode": 2,
    "keywords": "0x0000000000000000",
    "time_created": "2026-06-02T04:10:23.759+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{2B9B7F01-B456-4101-B35E-FBBF789E6ADF}"
    },
    "execution": {
      "process_id": 3756,
      "thread_id": 10388
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "EngineId": "0x7FFCAC8D0000",
    "FilePath": "C:\\Windows\\System32\\csrss.exe",
    "StartQPC": 1166334107702,
    "ThreadTime": "1601-01-01 00:00:13.781Z"
  },
  "message": "UfsScanFileTask"
}

Event ID 32: UfsScanProcTaskStart_V2

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: UfsScanProcTask
Opcode: Start

Fields

Name   Description
EngineId Pointer
FilePath UnicodeString
PID UInt32
ThreadTime FILETIME

Event ID 33: UfsScanProcTaskStop_V3

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: UfsScanProcTask
Opcode: Stop

Fields

Name   Description
EngineId Pointer
FilePath UnicodeString
PID UInt32
ThreadTime FILETIME
StartQPC UInt64

Event ID 35: Cache

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: Cache
Opcode: MOACAdd

Fields

Name   Description
ScanSource UInt32
EventType UInt32
Classification UInt32
Info UnicodeString
FileName UnicodeString
FileID UInt32
FileUSN UInt32
Result HexInt32

Event ID 36: Cache

Provider: Microsoft-Antimalware-Engine
Channel: Application
Also via: realtime ETW trace
Level: Informational
Task: Cache
Opcode: MOACLookup

Fields

Name   Description
ScanSource UInt32
EventType UInt32
Classification UInt32
Info UnicodeString
FileName UnicodeString
FileID UInt32
FileUSN UInt32
Result HexInt32

Example Event

{
  "system": {
    "provider": "Microsoft-Antimalware-Engine",
    "guid": "{0A002690-3839-4E3A-B3B6-96D8DF868D99}",
    "event_source_name": "",
    "event_id": 36,
    "version": 0,
    "level": 4,
    "task": 7,
    "opcode": 35,
    "keywords": "0x0000000000000000",
    "time_created": "2026-06-02T05:20:52.923+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 3756,
      "thread_id": 1744
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Classification": 1,
    "EventType": 56,
    "FileID": 62386,
    "FileName": "C:\\Windows\\System32\\psapi.dll",
    "FileUSN": 44610216,
    "Info": "",
    "Result": "01800000",
    "ScanSource": 0
  },
  "message": "CacheTask"
}

Event ID 37: Cache

Provider: Microsoft-Antimalware-Engine
Channel: Application
Also via: realtime ETW trace
Level: Informational
Task: Cache
Opcode: MOACRevoke

Fields

Name   Description
ScanSource UInt32
EventType UInt32
Classification UInt32
Info UnicodeString
FileName UnicodeString
FileID UInt32
FileUSN UInt32
Result HexInt32

Example Event

{
  "system": {
    "provider": "Microsoft-Antimalware-Engine",
    "guid": "{0A002690-3839-4E3A-B3B6-96D8DF868D99}",
    "event_source_name": "",
    "event_id": 37,
    "version": 0,
    "level": 4,
    "task": 7,
    "opcode": 36,
    "keywords": "0x0000000000000000",
    "time_created": "2026-06-02T05:20:52.991+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{E6DA7C55-BDD5-43E2-923E-C2831F5534D0}"
    },
    "execution": {
      "process_id": 3756,
      "thread_id": 4400
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Classification": 1,
    "EventType": 31,
    "FileID": 174812,
    "FileName": "C:\\Users\\localuser\\AppData\\Local\\Temp\\__PSScriptPolicyTest_i3yqwsnl.1tp.ps1",
    "FileUSN": 153465104,
    "Info": "",
    "Result": "00000000",
    "ScanSource": 0
  },
  "message": "CacheTask"
}

Event ID 38: Cache

Provider: Microsoft-Antimalware-Engine
Channel: Application
Also via: realtime ETW trace
Level: Informational
Task: Cache
Opcode: CacheLookup

Fields

Name   Description
FileName UnicodeString
CacheName UnicodeString
Result UnicodeString

Example Event

{
  "system": {
    "provider": "Microsoft-Antimalware-Engine",
    "guid": "{0A002690-3839-4E3A-B3B6-96D8DF868D99}",
    "event_source_name": "",
    "event_id": 38,
    "version": 0,
    "level": 4,
    "task": 7,
    "opcode": 38,
    "keywords": "0x0000000000000000",
    "time_created": "2026-06-02T05:20:53.151+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 3756,
      "thread_id": 13108
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "CacheName": "USN Cache",
    "FileName": "C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\Microsoft.We0722664#\\fabb9e10f6808e7fbef2496dc4f4b9a2\\Microsoft.WSMan.Management.ni.dll",
    "Result": "MISS"
  },
  "message": "CacheTask"
}

Event ID 39: Cache

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: Cache
Opcode: CacheAdd

Fields

Name   Description
FileName UnicodeString
CacheName UnicodeString
Result UnicodeString

Event ID 40: PersistedStoreTaskPersistedStoreAction

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: PersistedStoreTask
Opcode: PersistedStoreAction

Fields

Name   Description
action UnicodeString
key UInt64
filename UnicodeString
result UInt32

Event ID 41: PersistedStoreTaskPersistedStoreMaintenance

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: PersistedStoreTask
Opcode: PersistedStoreMaintenance

Fields

Name   Description
utilization UInt32
result UInt32

Event ID 42: PersistedStoreTaskPersistedStoreAnalyzeFile

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: PersistedStoreTask
Opcode: PersistedStoreAnalyzeFile

Fields

Name   Description
key UInt64
filename UnicodeString
parentKey UInt64
result UInt32

Event ID 43: ExpensiveOperationTask

Provider: Microsoft-Antimalware-Engine
Channel: Application
Also via: realtime ETW trace
Level: Informational
Task: ExpensiveOperationTask
Opcode: ExpensiveOperationBegin

Fields

Name   Description
Message UnicodeString
Name UnicodeString
Data UInt64
StartStop Boolean
ThreadTime FILETIME

Example Event

{
  "system": {
    "provider": "Microsoft-Antimalware-Engine",
    "guid": "{0A002690-3839-4E3A-B3B6-96D8DF868D99}",
    "event_source_name": "",
    "event_id": 43,
    "version": 1,
    "level": 4,
    "task": 9,
    "opcode": 43,
    "keywords": "0x0000000000000000",
    "time_created": "2026-06-02T05:20:52.990+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{E6DA7C55-BDD5-43E2-923E-C2831F5534D0}"
    },
    "execution": {
      "process_id": 3756,
      "thread_id": 4400
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data": 60,
    "Message": "GetHashes",
    "Name": "\\Device\\HarddiskVolume4\\Users\\localuser\\AppData\\Local\\Temp\\__PSScriptPolicyTest_i3yqwsnl.1tp.ps1",
    "StartStop": true,
    "ThreadTime": "1601-01-01 00:01:27.187Z"
  },
  "message": "ExpensiveOperationTask"
}

Event ID 44: MetaStoreTask

Provider: Microsoft-Antimalware-Engine
Channel: Application
Also via: realtime ETW trace
Level: Informational
Task: MetaStoreTask
Opcode: MetaStoreAction

Fields

Name   Description
action UnicodeString
vault UInt32
key UInt64
result UInt32

Example Event

{
  "system": {
    "provider": "Microsoft-Antimalware-Engine",
    "guid": "{0A002690-3839-4E3A-B3B6-96D8DF868D99}",
    "event_source_name": "",
    "event_id": 44,
    "version": 0,
    "level": 4,
    "task": 10,
    "opcode": 44,
    "keywords": "0x0000000000000000",
    "time_created": "2026-06-02T05:20:52.921+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 3756,
      "thread_id": 1744
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "action": "exists",
    "key": 1312170257355239075,
    "result": 0,
    "vault": 7
  },
  "message": "MetaStoreTask"
}

Event ID 45: MetaStoreTaskMetaStoreMaintenance

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: MetaStoreTask
Opcode: MetaStoreMaintenance

Fields

Name   Description
vault UInt32
records UInt64
result UInt32

Event ID 46: Behavior Monitoring

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmRegistryBlockSet

Fields

Name   Description
PID UInt32
KeyPath UnicodeString

Event ID 47: Behavior Monitoring

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmRegistryBlockDelete

Fields

Name   Description
PID UInt32
KeyPath UnicodeString

Event ID 48: Behavior Monitoring

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmRegistryBlockRename

Fields

Name   Description
PID UInt32
KeyPath UnicodeString

Event ID 49: Behavior Monitoring

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmRegistryReplace

Fields

Name   Description
PID UInt32
KeyPath UnicodeString

Event ID 50: Behavior Monitoring

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmRegistryRestore

Fields

Name   Description
PID UInt32
KeyPath UnicodeString

Event ID 51: Behavior Monitoring

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmRegistryBlockReplace

Fields

Name   Description
PID UInt32
KeyPath UnicodeString

Event ID 52: Behavior Monitoring

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmRegistryBlockRestore

Fields

Name   Description
PID UInt32
KeyPath UnicodeString

Event ID 53: Behavior Monitoring

Provider: Microsoft-Antimalware-Engine
Channel: Application
Also via: realtime ETW trace
Level: Informational
Task: BehaviorMonitoring
Opcode: BmOpenProcess

Fields

Name   Description
PID UInt32
TargetPID UInt32
AccessMask UInt32   Access mask reference
WasHardened Boolean

Example Event

{
  "system": {
    "provider": "Microsoft-Antimalware-Engine",
    "guid": "{0A002690-3839-4E3A-B3B6-96D8DF868D99}",
    "event_source_name": "",
    "event_id": 53,
    "version": 0,
    "level": 4,
    "task": 6,
    "opcode": 53,
    "keywords": "0x0000000000000000",
    "time_created": "2026-06-02T05:20:52.947+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 3756,
      "thread_id": 8752
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "AccessMask": 2097151,
    "PID": 15704,
    "TargetPID": 14692,
    "WasHardened": false
  },
  "message": "BehaviorMonitorTask"
}

Event ID 58: Behavior Monitoring

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmRegistryBlockCreate

Fields

Name   Description
PID UInt32
KeyPath UnicodeString

Event ID 59: Message

Provider: Microsoft-Antimalware-Engine
Channel: Application
Also via: realtime ETW trace
Level: Informational
Task: Message
Opcode: win:Info

Fields

Name   Description
VName AnsiString
SigSeq HexInt64
SigSha AnsiString
Result Int8

Example Event

{
  "system": {
    "provider": "Microsoft-Antimalware-Engine",
    "guid": "{0A002690-3839-4E3A-B3B6-96D8DF868D99}",
    "event_source_name": "",
    "event_id": 59,
    "version": 0,
    "level": 4,
    "task": 2,
    "opcode": 0,
    "keywords": "0x0000000000000000",
    "time_created": "2026-06-02T05:20:53.030+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 3756,
      "thread_id": 1744
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Result": 0,
    "SigSeq": "E24B7913B31F0100",
    "SigSha": "4b623fca87b0cb1048a094ee73e570d3e5ba1f97",
    "VName": "Behavior:Win32/NonStdMpClientLoader.A"
  },
  "message": "GenericMessageTask"
}

Event ID 60: Behavior Monitoring

Provider: Microsoft-Antimalware-Engine
Channel: Application
Also via: realtime ETW trace
Level: Informational
Task: BehaviorMonitoring
Opcode: BmEtw

Fields

Name   Description
PID UInt32
Channel UnicodeString
EventId UInt32

Example Event

{
  "system": {
    "provider": "Microsoft-Antimalware-Engine",
    "guid": "{0A002690-3839-4E3A-B3B6-96D8DF868D99}",
    "event_source_name": "",
    "event_id": 60,
    "version": 0,
    "level": 4,
    "task": 6,
    "opcode": 60,
    "keywords": "0x0000000000000000",
    "time_created": "2026-06-02T05:20:53.214+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 3756,
      "thread_id": 1748
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Channel": "ThreatIntel",
    "EventId": 19,
    "PID": 16720
  },
  "message": "BehaviorMonitorTask"
}

Event ID 61: Behavior Monitoring

Provider: Microsoft-Antimalware-Engine
Channel: Application
Also via: realtime ETW trace
Level: Informational
Task: BehaviorMonitoring
Opcode: BmFolderCreate

Fields

Name        Description
PID         UInt32
FolderName  UnicodeString

Example Event

{
  "system": {
    "provider": "Microsoft-Antimalware-Engine",
    "guid": "{0A002690-3839-4E3A-B3B6-96D8DF868D99}",
    "event_source_name": "",
    "event_id": 61,
    "version": 0,
    "level": 4,
    "task": 6,
    "opcode": 61,
    "keywords": "0x0000000000000000",
    "time_created": "2026-06-02T05:20:53.109+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 3756,
      "thread_id": 8752
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "FolderName": "\\Device\\HarddiskVolume4\\Users\\localuser\\AppData\\Local\\Temp\\EtwGenFile_09220244\\subdir",
    "PID": 15144
  },
  "message": "BehaviorMonitorTask"
}

Event ID 62: Behavior Monitoring

Provider: Microsoft-Antimalware-Engine
Channel: Application
Also via: realtime ETW trace
Level: Informational
Task: BehaviorMonitoring
Opcode: BmScavengerTask

Fields

Name       Description
Count      UInt32

Example Event

{
  "system": {
    "provider": "Microsoft-Antimalware-Engine",
    "guid": "{0A002690-3839-4E3A-B3B6-96D8DF868D99}",
    "event_source_name": "",
    "event_id": 62,
    "version": 0,
    "level": 4,
    "task": 6,
    "opcode": 62,
    "keywords": "0x0000000000000000",
    "time_created": "2026-06-02T05:20:53.261+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 3756,
      "thread_id": 15096
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Count": 1
  },
  "message": "BehaviorMonitorTask"
}

Event ID 63: Behavior Monitoring

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmProcessTainting

Fields

Name              Description
TaintReason       UInt64
ReasonImagePath   UnicodeString
ProcessImagePath  UnicodeString

Event ID 64: Behavior Monitoring

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmFolderRename

Fields

Name         Description
PID          UInt32
FileName     UnicodeString
OldFileName  UnicodeString

Event ID 65: Behavior Monitoring

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmFolderEnum

Fields

Name        Description
PID         UInt32
FolderName  UnicodeString

Event ID 66: Behavior Monitoring

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmFileHardLink

Fields

Name              Description
PID               UInt32
FileName          UnicodeString
FileHardLinkName  UnicodeString

Event ID 67: ExpensiveOperationTask

Provider: Microsoft-Antimalware-Engine
Channel: Application
Also via: realtime ETW trace
Level: Informational
Task: ExpensiveOperationTask
Opcode: ExpensiveOperationEnd

Fields

Name        Description
Message     UnicodeString
Name        UnicodeString
Data        UInt64
StartStop   Boolean
ThreadTime  FILETIME
DeltaCPU    UInt64
DeltaWall   UInt64

Example Event

{
  "system": {
    "provider": "Microsoft-Antimalware-Engine",
    "guid": "{0A002690-3839-4E3A-B3B6-96D8DF868D99}",
    "event_source_name": "",
    "event_id": 67,
    "version": 1,
    "level": 4,
    "task": 9,
    "opcode": 67,
    "keywords": "0x0000000000000000",
    "time_created": "2026-06-02T05:20:52.990+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{E6DA7C55-BDD5-43E2-923E-C2831F5534D0}"
    },
    "execution": {
      "process_id": 3756,
      "thread_id": 4400
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data": 60,
    "DeltaCPU": 0,
    "DeltaWall": 0,
    "Message": "GetHashes",
    "Name": "\\Device\\HarddiskVolume4\\Users\\localuser\\AppData\\Local\\Temp\\__PSScriptPolicyTest_i3yqwsnl.1tp.ps1",
    "StartStop": false,
    "ThreadTime": "1601-01-01 00:01:27.187Z"
  },
  "message": "ExpensiveOperationTask"
}

Event ID 68: Message

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: Message

Fields

Name         Description
SigName      AnsiString
SigSeq       HexInt64
SigSha       AnsiString
SigTypeName  AnsiString
Dimension    AnsiString
Value        UInt64
Limit        UInt64
FileName     UnicodeString
VPath        UnicodeString
FileSha1     AnsiString
PartialCRC1  HexInt32
PartialCRC2  HexInt32
PartialCRC3  HexInt32
FileSize     UInt64

Event ID 69: Message

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: Message

Fields

Name                     Description
Guid                     AnsiString
VolumeSize               UInt64
Attributes               HexInt32
FilesCount               HexInt32
FileGuidsArray           AnsiString
FileSizeArray            AnsiString
CompressedFileSizeArray  AnsiString
FileNameArray            UnicodeString
FileAttributesArray      AnsiString
EfiFileTypeArray         AnsiString
FileSha1Array            AnsiString
SmbiosAttributes         AnsiString
FileCRCsArray            AnsiString

Event ID 70: Behavior Monitoring

Provider: Microsoft-Antimalware-Engine
Channel: Application
Also via: realtime ETW trace
Level: Informational
Task: BehaviorMonitoring
Opcode: BmProcessCreate

Fields

Name            Description
BasePath        UnicodeString
CommandLine     UnicodeString
PID             UInt32
ParentPID       UInt32
Flags           UInt32
IntegrityLevel  UInt32

Example Event

{
  "system": {
    "provider": "Microsoft-Antimalware-Engine",
    "guid": "{0A002690-3839-4E3A-B3B6-96D8DF868D99}",
    "event_source_name": "",
    "event_id": 70,
    "version": 0,
    "level": 4,
    "task": 6,
    "opcode": 68,
    "keywords": "0x0000000000000000",
    "time_created": "2026-06-02T04:10:16.967+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 3756,
      "thread_id": 10388
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "BasePath": "\\Device\\HarddiskVolume4\\Windows\\System32\\logman.exe",
    "CommandLine": "\"C:\\WINDOWS\\system32\\logman.exe\" query etw-cap-fixtest-b0 -ets",
    "Flags": 33554432,
    "IntegrityLevel": 12288,
    "PID": 4944,
    "ParentPID": 2348
  },
  "message": "BehaviorMonitorTask"
}

Event ID 71: Behavior Monitoring

Provider: Microsoft-Antimalware-Engine
Channel: Application
Also via: realtime ETW trace
Level: Informational
Task: BehaviorMonitoring
Opcode: BmFileCreateEx

Fields

Name       Description
PID        UInt32
FileName   UnicodeString

Example Event

{
  "system": {
    "provider": "Microsoft-Antimalware-Engine",
    "guid": "{0A002690-3839-4E3A-B3B6-96D8DF868D99}",
    "event_source_name": "",
    "event_id": 71,
    "version": 0,
    "level": 4,
    "task": 6,
    "opcode": 69,
    "keywords": "0x0000000000000000",
    "time_created": "2026-06-02T05:20:52.948+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 3756,
      "thread_id": 8752
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "FileName": "\\Device\\HarddiskVolume4\\Users\\localuser\\AppData\\Local\\Temp\\EtwGen_8ddae864\\host.err",
    "PID": 15704
  },
  "message": "BehaviorMonitorTask"
}

Event ID 72: Behavior Monitoring

Provider: Microsoft-Antimalware-Engine
Channel: Application
Also via: realtime ETW trace
Level: Informational
Task: BehaviorMonitoring
Opcode: BmFileChangeEx

Fields

Name       Description
PID        UInt32
FileName   UnicodeString

Example Event

{
  "system": {
    "provider": "Microsoft-Antimalware-Engine",
    "guid": "{0A002690-3839-4E3A-B3B6-96D8DF868D99}",
    "event_source_name": "",
    "event_id": 72,
    "version": 0,
    "level": 4,
    "task": 6,
    "opcode": 70,
    "keywords": "0x0000000000000000",
    "time_created": "2026-06-02T05:20:53.210+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 3756,
      "thread_id": 8752
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "FileName": "\\Device\\HarddiskVolume4\\Users\\localuser\\AppData\\Local\\Temp\\__PSScriptPolicyTest_sbsid2qt.goq.psm1",
    "PID": 11280
  },
  "message": "BehaviorMonitorTask"
}

Event ID 73: Behavior Monitoring

Provider: Microsoft-Antimalware-Engine
Channel: Application
Also via: realtime ETW trace
Level: Informational
Task: BehaviorMonitoring
Opcode: ProcessMonitorFlags

Fields

Name           Description
EngineId       Pointer
CreationTime   FILETIME
PID            UInt32
filepath       UnicodeString
flags          HexInt32
flags2low      HexInt64
flags2high     HexInt64
oldFlags       HexInt32
oldFlags2low   HexInt64
oldFlags2high  HexInt64
Source         UnicodeString

Example Event

{
  "system": {
    "provider": "Microsoft-Antimalware-Engine",
    "guid": "{0A002690-3839-4E3A-B3B6-96D8DF868D99}",
    "event_source_name": "",
    "event_id": 73,
    "version": 2,
    "level": 4,
    "task": 6,
    "opcode": 71,
    "keywords": "0x0000000000000000",
    "time_created": "2026-06-02T05:20:53.161+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{F2714F70-C68A-4E47-85BF-FAD7C1934515}"
    },
    "execution": {
      "process_id": 3756,
      "thread_id": 4400
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "CreationTime": "2026-06-02 05:20:53.156Z",
    "EngineId": "0x7FFCAC8D0000",
    "PID": 5984,
    "Source": "SyncStart",
    "filepath": "C:\\Windows\\System32\\logman.exe",
    "flags": "FF030040",
    "flags2high": "0000000000000000",
    "flags2low": "4400000000000000",
    "oldFlags": "00000000",
    "oldFlags2high": "0000000000000000",
    "oldFlags2low": "0000000000000000"
  },
  "message": "BehaviorMonitorTask"
}

Event ID 74: SenseRemediationTask

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: SenseRemediationTask

Fields

Name                    Description
Sha1                    UnicodeString
Sha256                  UnicodeString
SigSeq                  HexInt64
SigSha                  UnicodeString
AllSigSeqs              UnicodeString
AllSigShas              UnicodeString
RealPath                UnicodeString
VPath                   UnicodeString
EtwDataReportType       UInt32
ReportType              UInt32
EngineReportGuid        UnicodeString
ResourceData            UnicodeString
ResourceSchema          UnicodeString
Determination           Int32
ActionStatus            HexInt32
ProcessID               UInt32
ProcessCreationTime     UInt64
ProcessPath             UnicodeString
ThreatName              UnicodeString
Classification          HexInt32
IsLatent                Boolean
IsPassiveMode           Boolean
ScanSource              UInt32
ScanType                UInt32
RtpProcessID            UInt32
RtpProcessCreationTime  UInt64
ProcessCommandLine      UnicodeString
ExtraDataJson           UnicodeString

Event ID 75: Message

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: Message

Fields

Name            Description
DeviceInfo      AnsiString
TCGEventsArray  AnsiString
PCRsArray       AnsiString

Event ID 76: SenseHeartbeatTask

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: SenseHeartbeatTask

Fields

Name      Description
JsonData  UnicodeString

Event ID 77: SmsScanTaskSmsRequestMonitorProcessId

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: SmsScanTask
Opcode: SmsRequestMonitorProcessId

Fields

Name            Description
ProcessId       UInt32
CreationTime    FILETIME
Level           UInt8
EffectiveLevel  UInt8
TriggerSigSeq   UInt64
Origin          UInt8

Event ID 78: SmsScanTaskSmsRequestMonitorFilePath

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: SmsScanTask
Opcode: SmsRequestMonitorFilePath

Fields

Name            Description
ImageFilePath   UnicodeString
Level           UInt8
EffectiveLevel  UInt8
TriggerSigSeq   UInt64
Origin          UInt8

Event ID 79: SmsScanTaskSmsMonitoringStart

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: SmsScanTask
Opcode: SmsMonitoringStart

Fields

Name           Description
ProcessId      UInt32
CreationTime   FILETIME
Level          UInt8
TriggerSigSeq  UInt64

Event ID 80: SmsScanTaskSmsMonitoringStop

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: SmsScanTask
Opcode: SmsMonitoringStop

Fields

Name           Description
ProcessId      UInt32
CreationTime   FILETIME
Level          UInt8
TriggerSigSeq  UInt64
StopReason     UInt8

Event ID 81: SmsScanTaskSmsScanStart

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: SmsScanTask
Opcode: SmsScanStart

Fields

Name          Description
ProcessId     UInt32
CreationTime  FILETIME
ScanReason    UInt8

Event ID 82: SmsScanTaskSmsScanStop

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: SmsScanTask
Opcode: SmsScanStop

Fields

Name          Description
ProcessId     UInt32
CreationTime  FILETIME
ScanReason    UInt8
ScanResult    UInt8

Event ID 83: StartRundownTaskStart

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: StartRundownTask
Opcode: Start

Fields

Name      Description
EngineId  Pointer

Event ID 84: StartRundownTaskStop

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: StartRundownTask
Opcode: Stop

Fields

Name      Description
EngineId  Pointer

Event ID 85: EndRundownTaskStart

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: EndRundownTask
Opcode: Start

Fields

Name      Description
EngineId  Pointer

Event ID 86: EndRundownTaskStop

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: EndRundownTask
Opcode: Stop

Fields

Name      Description
EngineId  Pointer

Event ID 87: EngineTaskStart

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: EngineTask
Opcode: Start

Fields

Name           Description
EngineId       Pointer
EngineVersion  UnicodeString
AVVersion      UnicodeString
ASVersion      UnicodeString

Event ID 88: EngineTaskStop

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: EngineTask
Opcode: Stop

Fields

Name           Description
EngineId       Pointer
EngineVersion  UnicodeString
AVVersion      UnicodeString
ASVersion      UnicodeString

Event ID 89: EngineTaskDCStart

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: EngineTask
Opcode: DC_Start

Fields

Name           Description
EngineId       Pointer
EngineVersion  UnicodeString
AVVersion      UnicodeString
ASVersion      UnicodeString

Event ID 90: EngineTaskDCStop

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: EngineTask
Opcode: DC_Stop

Fields

Name           Description
EngineId       Pointer
EngineVersion  UnicodeString
AVVersion      UnicodeString
ASVersion      UnicodeString

Event ID 91: UfsScanFileTaskDCStart_V1

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: UfsScanFileTask
Opcode: DC_Start

Fields

Name      Description
EngineId  Pointer
FilePath  UnicodeString
ThreadId  UInt32
StartQPC  UInt64

Event ID 92: UfsScanFileTaskDCStop_V1

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: UfsScanFileTask
Opcode: DC_Stop

Fields

Name      Description
EngineId  Pointer
FilePath  UnicodeString
ThreadId  UInt32
StartQPC  UInt64

Event ID 93: UfsScanProcTaskDCStart_V1

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: UfsScanProcTask
Opcode: DC_Start

Fields

Name      Description
EngineId  Pointer
FilePath  UnicodeString
PID       UInt32
ThreadId  UInt32
StartQPC  UInt64

Event ID 94: UfsScanProcTaskDCStop_V1

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: UfsScanProcTask
Opcode: DC_Stop

Fields

Name      Description
EngineId  Pointer
FilePath  UnicodeString
PID       UInt32
ThreadId  UInt32
StartQPC  UInt64

Event ID 95: Behavior Monitoring

Provider: Microsoft-Antimalware-Engine
Channel: Application
Also via: realtime ETW trace
Level: Informational
Task: BehaviorMonitoring
Opcode: BmFileOverwrite

Fields

Name                   Description
ProcessId              UInt32
CreationTime           FILETIME
FileName               UnicodeString
FirstOffsetWritten     UInt64
LastOffsetWritten      UInt64
SmallestOffsetWritten  UInt64
BiggestOffsetWritten   UInt64
TotalSizeOfWrites      UInt64
TotalSizeOfAppends     UInt64
NumberOfWrites         UInt32

Example Event

{
  "system": {
    "provider": "Microsoft-Antimalware-Engine",
    "guid": "{0A002690-3839-4E3A-B3B6-96D8DF868D99}",
    "event_source_name": "",
    "event_id": 95,
    "version": 0,
    "level": 4,
    "task": 6,
    "opcode": 78,
    "keywords": "0x0000000000000010",
    "time_created": "2026-06-02T04:10:43.003+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 3756,
      "thread_id": 10144
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "BiggestOffsetWritten": 104044,
    "CreationTime": "2026-05-27 20:01:10.073Z",
    "FileName": "\\Device\\HarddiskVolume4\\Users\\localuser\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper",
    "FirstOffsetWritten": 0,
    "LastOffsetWritten": 104044,
    "NumberOfWrites": 13,
    "ProcessId": 5396,
    "SmallestOffsetWritten": 0,
    "TotalSizeOfAppends": 0,
    "TotalSizeOfWrites": 104053
  },
  "message": "BehaviorMonitorTask"
}

Event ID 96: SenseOnboardingInfoTask

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: SenseOnboardingInfoTask

Fields

Name           Description
OnboardedInfo  UnicodeString

Event ID 97: Scan request

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: Scanrequest
Opcode: DC_Start

Fields

Name               Description
EngineId           Pointer
Id                 UInt8
Type               AnsiString
Flags              HexInt32
ScanSource         UInt32
ResourceCount      UInt32
FirstResourceType  UnicodeString
FirstResourcePath  UnicodeString
ThreadId           UInt32
StartQPC           UInt64

Event ID 98: Scan request

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: Scanrequest
Opcode: DC_Stop

Fields

Name               Description
EngineId           Pointer
Id                 UInt8
Type               AnsiString
Flags              HexInt32
ScanSource         UInt32
ResourceCount      UInt32
FirstResourceType  UnicodeString
FirstResourcePath  UnicodeString
ThreadId           UInt32
StartQPC           UInt64

Event ID 99: Behavior Monitoring

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: ProcessMonitorFlagsDCStart

Fields

Name          Description
EngineId      Pointer
CreationTime  FILETIME
PID           UInt32
flags         HexInt32
flags2low     HexInt64
flags2high    HexInt64

Event ID 100: Behavior Monitoring

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: ProcessMonitorFlagsDCStop

Fields

Name          Description
EngineId      Pointer
CreationTime  FILETIME
PID           UInt32
flags         HexInt32
flags2low     HexInt64
flags2high    HexInt64

Event ID 101: EngineLoadTaskStart

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: EngineLoadTask
Opcode: Start

Fields

Name           Description
EngineId       Pointer
EngineVersion  UnicodeString
AVVersion      UnicodeString
ASVersion      UnicodeString

Event ID 102: EngineLoadTaskStop

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: EngineLoadTask
Opcode: Stop

Fields

Name           Description
EngineId       Pointer
EngineVersion  UnicodeString
AVVersion      UnicodeString
ASVersion      UnicodeString

Event ID 103: Behavior Monitoring

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmFileSequentialRead

Fields

Name      Description
PID       UInt32
FileName  UnicodeString

Event ID 104: Behavior Monitoring

Provider: Microsoft-Antimalware-Engine
Channel: Application
Also via: realtime ETW trace
Level: Informational
Task: BehaviorMonitoring
Opcode: BmInternal

Fields

Name         Description
PID          UInt32
FeatureId    UInt32
FirstParam   UnicodeString
SecondParam  UnicodeString

Example Event

{
  "system": {
    "provider": "Microsoft-Antimalware-Engine",
    "guid": "{0A002690-3839-4E3A-B3B6-96D8DF868D99}",
    "event_source_name": "",
    "event_id": 104,
    "version": 0,
    "level": 4,
    "task": 6,
    "opcode": 82,
    "keywords": "0x0000000000000000",
    "time_created": "2026-06-02T05:20:52.968+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 3756,
      "thread_id": 1744
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "FeatureId": 22,
    "FirstParam": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "PID": 13856,
    "SecondParam": "\"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\\Tools\\Sealighter\\drv\\drv15.ps1 "
  },
  "message": "BehaviorMonitorTask"
}

Event ID 105: Behavior Monitoring

Provider: Microsoft-Antimalware-Engine
Channel: Application
Also via: realtime ETW trace
Level: Informational
Task: BehaviorMonitoring
Opcode: BmRegistry

Fields

Name         Description
PID          UInt32
EventId      UnicodeString
KeyPath      UnicodeString
ValueName    UnicodeString
OldValue     UnicodeString
NewValue     UnicodeString
UserMode     UnicodeString
FeatureType  UInt32

Example Event

{
  "system": {
    "provider": "Microsoft-Antimalware-Engine",
    "guid": "{0A002690-3839-4E3A-B3B6-96D8DF868D99}",
    "event_source_name": "",
    "event_id": 105,
    "version": 0,
    "level": 4,
    "task": 6,
    "opcode": 83,
    "keywords": "0x0000000000000000",
    "time_created": "2026-06-02T05:20:52.967+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 3756,
      "thread_id": 6200
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "EventId": "RegistryValueSet",
    "FeatureType": 0,
    "KeyPath": "HKCU@S-1-5-21-3798294047-1846905762-1150995898-1000\\SOFTWARE\\ETWGEN",
    "NewValue": "2026-06-02T05:20:23.7274078+00:00",
    "OldValue": "N/A",
    "PID": 6556,
    "UserMode": "false",
    "ValueName": "ts"
  },
  "message": "BehaviorMonitorTask"
}

Event ID 106: Behavior Monitoring

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmInternalStateDCStart

Fields

Name              Description
EngineId          Pointer
LiveContextCount  UInt32
TotalContextCount UInt32

Event ID 107: Behavior Monitoring

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmInternalStateDCStop

Fields

Name              Description
EngineId          Pointer
LiveContextCount  UInt32
TotalContextCount UInt32

Event ID 108: SenseExclusionTask

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: SenseExclusionTask

Fields

Name            Description
Type            AnsiString
Scope           AnsiString
ResourceType    AnsiString
TargetResource  UnicodeString
ParentResource  UnicodeString
DetectionName   AnsiString
UserName        UnicodeString

Event ID 109: Behavior Monitoring

Provider: Microsoft-Antimalware-Engine
Channel: Application
Also via: realtime ETW trace
Level: Informational
Task: BehaviorMonitoring
Opcode: BmProcessContextStart

Fields

Name              Description
PID               UInt32
ProcessContextId  Pointer
ImagePath         UnicodeString

Example Event

{
  "system": {
    "provider": "Microsoft-Antimalware-Engine",
    "guid": "{0A002690-3839-4E3A-B3B6-96D8DF868D99}",
    "event_source_name": "",
    "event_id": 109,
    "version": 0,
    "level": 4,
    "task": 6,
    "opcode": 86,
    "keywords": "0x0000000000000000",
    "time_created": "2026-06-02T04:10:16.967+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 3756,
      "thread_id": 10388
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ImagePath": "\\Device\\HarddiskVolume4\\Windows\\System32\\logman.exe",
    "PID": 4944,
    "ProcessContextId": "0x1FF1D6EFEE0"
  },
  "message": "BehaviorMonitorTask"
}

Event ID 110: Behavior Monitoring

Provider: Microsoft-Antimalware-Engine
Channel: Application
Also via: realtime ETW trace
Level: Informational
Task: BehaviorMonitoring
Opcode: BmProcessContextStop

Fields

Name              Description
PID               UInt32
ProcessContextId  Pointer
TerminationTime   UInt64

Example Event

{
  "system": {
    "provider": "Microsoft-Antimalware-Engine",
    "guid": "{0A002690-3839-4E3A-B3B6-96D8DF868D99}",
    "event_source_name": "",
    "event_id": 110,
    "version": 0,
    "level": 4,
    "task": 6,
    "opcode": 87,
    "keywords": "0x0000000000000000",
    "time_created": "2026-06-02T04:10:40.283+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 3756,
      "thread_id": 2760
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "PID": 1220,
    "ProcessContextId": "0x1FF1FD2AEE0",
    "TerminationTime": 134248470076227719
  },
  "message": "BehaviorMonitorTask"
}

Event ID 111: Behavior Monitoring

Provider: Microsoft-Antimalware-Engine
Channel: Application
Also via: realtime ETW trace
Level: Informational
Task: BehaviorMonitoring
Opcode: BmNotificationHandleStart

Fields

Name        Description
PID         UInt32
AttrId      UInt32
AttrSeq     UInt32
AttrSubset  UInt32

Example Event

{
  "system": {
    "provider": "Microsoft-Antimalware-Engine",
    "guid": "{0A002690-3839-4E3A-B3B6-96D8DF868D99}",
    "event_source_name": "",
    "event_id": 111,
    "version": 0,
    "level": 4,
    "task": 6,
    "opcode": 88,
    "keywords": "0x0000000000000000",
    "time_created": "2026-06-02T05:20:52.921+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 3756,
      "thread_id": 1744
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "AttrId": 16404,
    "AttrSeq": 1812357,
    "AttrSubset": 0,
    "PID": 13856
  },
  "message": "BehaviorMonitorTask"
}

Event ID 112: Behavior Monitoring

Provider: Microsoft-Antimalware-Engine
Channel: Application
Also via: realtime ETW trace
Level: Informational
Task: BehaviorMonitoring
Opcode: BmNotificationHandleStop

Fields

Name                  Description
PID                   UInt32
AttrId                UInt32
AttrSeq               UInt32
AttrSubset            UInt32
MatchedThreatsNumber  UInt32
IsMultiProcMatch      Boolean
IsMultiProcDetection  Boolean

Example Event

{
  "system": {
    "provider": "Microsoft-Antimalware-Engine",
    "guid": "{0A002690-3839-4E3A-B3B6-96D8DF868D99}",
    "event_source_name": "",
    "event_id": 112,
    "version": 0,
    "level": 4,
    "task": 6,
    "opcode": 89,
    "keywords": "0x0000000000000000",
    "time_created": "2026-06-02T05:20:52.921+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 3756,
      "thread_id": 1744
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "AttrId": 16404,
    "AttrSeq": 1812357,
    "AttrSubset": 0,
    "IsMultiProcDetection": false,
    "IsMultiProcMatch": false,
    "MatchedThreatsNumber": 0,
    "PID": 13856
  },
  "message": "BehaviorMonitorTask"
}

Event ID 113: Behavior Monitoring

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmCloudCallStart

Fields

Name           Description
PID            UInt32
DetectionName  UnicodeString
SigSeq         UInt64

Event ID 114: Behavior Monitoring

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmCloudCallStop

Fields

Name           Description
PID            UInt32
DetectionName  UnicodeString
SigSeq         UInt64
CloudResponse  UnicodeString

Event ID 115: BehaviorMonitoringBmDbChanged

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitorTask
Opcode: BmDbChanged

Fields

Name      Description
PID       UInt32
FileName  UnicodeString

Provenance

Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.

ETW provider GUID {0A002690-3839-4E3A-B3B6-96D8DF868D99}

Defined in mpengine_etw.dll, which carries the event manifest.

Observed on:

  • WS2022-20348.4893 · sample captured from a live trace · binary version 1.1.26040.8 · captured 2026-06-02
  • Win11-26200.6584 · sample captured from a live trace · binary version 1.1.26040.8 · captured 2026-06-02
  • WS2022-20348.4893 · schema read from the registered manifest · binary version 1.1.26040.8 · captured 2026-06-02
  • Win11-26200.6584 · schema read from the registered manifest · binary version 1.1.26040.8 · captured 2026-06-02

Credits

  • Microsoft - authored the ETW manifests and PDBs the schema comes from
  • jdu2600 - the event-schema TSV format this catalog adopted
  • nasbench - the tool that dumps registered providers and manifests