Microsoft-Antimalware-Engine

109 events across 1 channel

Event ID  Title                           Channel
1         Start of engine scan request    Application
2         End of engine scan request      Application
3                                         Application
4                                         Application
5         Start of stream scan request    Application
6         End of stream scan request      Application
7         Skipped file                    Application
8                                         Application
9                                         Application
10                                        Application
11                                        Application
12                                        Application
13                                        Application
14                                        Application
15                                        Application
16                                        Application
17                                        Application
18                                        Application
19                                        Application
20                                        Application
21                                        Application
22                                        Application
23                                        Application
24                                        Application
25                                        Application
26                                        Application
27                                        Application
28                                        Application
29                                        Application
30                                        Application
31                                        Application
32                                        Application
33                                        Application
35                                        Application
36                                        Application
37                                        Application
38                                        Application
39                                        Application
40                                        Application
41                                        Application
42                                        Application
43                                        Application
44                                        Application
45                                        Application
46                                        Application
47                                        Application
48                                        Application
49                                        Application
50                                        Application
51                                        Application
52                                        Application
53                                        Application
58                                        Application
59                                        Application
60                                        Application
61                                        Application
62                                        Application
63                                        Application
64                                        Application
65                                        Application
66                                        Application
67                                        Application
68                                        Application
69                                        Application
70                                        Application
71                                        Application
72                                        Application
73                                        Application
74                                        Application
75                                        Application
76                                        Application
77                                        Application
78                                        Application
79                                        Application
80                                        Application
81                                        Application
82                                        Application
83                                        Application
84                                        Application
85                                        Application
86                                        Application
87                                        Application
88                                        Application
89                                        Application
90                                        Application
91                                        Application
92                                        Application
93                                        Application
94                                        Application
95                                        Application
96                                        Application
97                                        Application
98                                        Application
99                                        Application
100                                       Application
101                                       Application
102                                       Application
103                                       Application
104                                       Application
105                                       Application
106                                       Application
107                                       Application
108                                       Application
109                                       Application
110                                       Application
111                                       Application
112                                       Application
113                                       Application
114                                       Application

Event ID 1 — Start of engine scan request

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: Scanrequest
Opcode: Start
Description: Start of engine scan request.
Message: Start of engine scan request

Fields

Name  Type  Description
EngineId Pointer
Id UInt8
Type AnsiString
Flags HexInt32
ScanSource UInt32
ResourceCount UInt32
FirstResourceType UnicodeString
FirstResourcePath UnicodeString
ThreadTime FILETIME

Event ID 2 — End of engine scan request

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: Scanrequest
Opcode: Stop
Description: End of engine scan request.
Message: End of engine scan request

Fields

Name  Type  Description
EngineId Pointer
Id UInt8
Type AnsiString
Flags HexInt32
ScanSource UInt32
ResourceCount UInt32
FirstResourceType UnicodeString
FirstResourcePath UnicodeString
ThreadTime FILETIME
StartQPC UInt64

Event ID 3

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: Message

Fields

Name  Type  Description
Message UnicodeString

Event ID 4

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: Versions

Fields

Name  Type  Description
EngineVersion UnicodeString
AVVersion UnicodeString
ASVersion UnicodeString

Event ID 5 — Start of stream scan request

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: Streamscanrequest
Opcode: Start
Description: Start of stream scan request.
Message: Start of stream scan request

Fields

Name  Type  Description
Id UInt32
Path UnicodeString
Process UnicodeString
Reason UInt32
ThreadTime FILETIME
PID UInt32

Event ID 6 — End of stream scan request

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: Streamscanrequest
Opcode: Stop
Description: End of stream scan request.
Message: End of stream scan request

Fields

Name  Type  Description
Id UInt32
Path UnicodeString
Process UnicodeString
Reason UInt32
ThreadTime FILETIME
PID UInt32

Event ID 7 — Skipped file

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: Skippedfile
Description: Skipped file.
Message: Skipped file

Fields

Name  Type  Description
Path UnicodeString
Reason AnsiString

Event ID 8

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmDetection

Fields

Name  Type  Description
PID UInt32
GUID GUID
Type UInt32
Name UnicodeString
SignatureId HexInt64
ImagePath UnicodeString

Event ID 9

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmProcessStart

Fields

Name  Type  Description
PID UInt32
PPID UInt32
ImagePath UnicodeString
Flags HexInt32

Event ID 10

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmDriverLoad

Fields

Name  Type  Description
PID UInt32
ImagePath UnicodeString

Event ID 11

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmModuleLoad

Fields

Name  Type  Description
PID UInt32
ImagePath UnicodeString

Event ID 12

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmDocumentOpen

Fields

Name  Type  Description
PID UInt32
ImageName UnicodeString
FileName UnicodeString

Event ID 13

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmFileCreate

Fields

Name  Type  Description
PID UInt32
FileName UnicodeString

Event ID 14

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmFileChange

Fields

Name  Type  Description
PID UInt32
FileName UnicodeString

Event ID 15

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmFileDelete

Fields

Name  Type  Description
PID UInt32
FileName UnicodeString

Event ID 16

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmFileRename

Fields

Name  Type  Description
PID UInt32
FileName UnicodeString
OldFileName UnicodeString

Event ID 17

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmRegistryKeyCreate

Fields

Name  Type  Description
PID UInt32
KeyPath UnicodeString

Event ID 18

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmRegistryKeyRename

Fields

Name  Type  Description
PID UInt32
KeyPath UnicodeString

Event ID 19

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmRegistryKeyDelete

Fields

Name  Type  Description
PID UInt32
KeyPath UnicodeString

Event ID 20

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmRegistryValueSet

Fields

Name  Type  Description
PID UInt32
KeyPath UnicodeString
ValueName UnicodeString

Event ID 21

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmRegistryValueDelete

Fields

Name  Type  Description
PID UInt32
KeyPath UnicodeString
ValueName UnicodeString

Event ID 22

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmNetworkConnect

Fields

Name  Type  Description
PID UInt32

Event ID 23

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmNetworkData

Fields

Name  Type  Description
PID UInt32

Event ID 24

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmNetworkListen

Fields

Name  Type  Description
PID UInt32

Event ID 25

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmNetworkAccept

Fields

Name  Type  Description
PID UInt32

Event ID 26

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmProcessTerminate

Fields

Name  Type  Description
PID UInt32

Event ID 27

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmNetworkDetection

Fields

Name  Type  Description
PID UInt32
DetectionId HexInt64

Event ID 28

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmBootRecordChange

Fields

Name  Type  Description
PID UInt32
RecordType UInt32
ImagePath UnicodeString
Path UnicodeString

Event ID 29

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmRemoteThreadCreate

Fields

Name  Type  Description
PID UInt32
TPID UInt32
TTID UInt32
ImageName UnicodeString

Event ID 30

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: UfsScanFileTask
Opcode: Start

Fields

Name  Type  Description
EngineId Pointer
FilePath UnicodeString
ThreadTime FILETIME

Event ID 31

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: UfsScanFileTask
Opcode: Stop

Fields

Name  Type  Description
EngineId Pointer
FilePath UnicodeString
ThreadTime FILETIME
StartQPC UInt64

Event ID 32

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: UfsScanProcTask
Opcode: Start

Fields

Name  Type  Description
EngineId Pointer
FilePath UnicodeString
PID UInt32
ThreadTime FILETIME

Event ID 33

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: UfsScanProcTask
Opcode: Stop

Fields

Name  Type  Description
EngineId Pointer
FilePath UnicodeString
PID UInt32
ThreadTime FILETIME
StartQPC UInt64

Event ID 35

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: Cache
Opcode: MOACAdd

Fields

Name  Type  Description
ScanSource UInt32
EventType UInt32
Classification UInt32
Info UnicodeString
FileName UnicodeString
FileID UInt32
FileUSN UInt32
Result HexInt32

Event ID 36

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: Cache
Opcode: MOACLookup

Fields

Name  Type  Description
ScanSource UInt32
EventType UInt32
Classification UInt32
Info UnicodeString
FileName UnicodeString
FileID UInt32
FileUSN UInt32
Result HexInt32

Event ID 37

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: Cache
Opcode: MOACRevoke

Fields

Name  Type  Description
ScanSource UInt32
EventType UInt32
Classification UInt32
Info UnicodeString
FileName UnicodeString
FileID UInt32
FileUSN UInt32
Result HexInt32

Event ID 38

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: Cache
Opcode: CacheLookup

Fields

Name  Type  Description
FileName UnicodeString
CacheName UnicodeString
Result UnicodeString

Event ID 39

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: Cache
Opcode: CacheAdd

Fields

Name  Type  Description
FileName UnicodeString
CacheName UnicodeString
Result UnicodeString

Event ID 40

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: PersistedStoreTask
Opcode: PersistedStoreAction

Fields

Name  Type  Description
action UnicodeString
key UInt64
filename UnicodeString
result UInt32

Event ID 41

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: PersistedStoreTask
Opcode: PersistedStoreMaintenance

Fields

Name  Type  Description
utilization UInt32
result UInt32

Event ID 42

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: PersistedStoreTask
Opcode: PersistedStoreAnalyzeFile

Fields

Name  Type  Description
key UInt64
filename UnicodeString
parentKey UInt64
result UInt32

Event ID 43

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: ExpensiveOperationTask
Opcode: ExpensiveOperationBegin

Fields

Name  Type  Description
Message UnicodeString
Name UnicodeString
Data UInt64
StartStop Boolean
ThreadTime FILETIME

Event ID 44

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: MetaStoreTask
Opcode: MetaStoreAction

Fields

Name  Type  Description
action UnicodeString
vault UInt32
key UInt64
result UInt32

Event ID 45

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: MetaStoreTask
Opcode: MetaStoreMaintenance

Fields

Name  Type  Description
vault UInt32
records UInt64
result UInt32

Event ID 46

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmRegistryBlockSet

Fields

Name  Type  Description
PID UInt32
KeyPath UnicodeString

Event ID 47

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmRegistryBlockDelete

Fields

Name  Type  Description
PID UInt32
KeyPath UnicodeString

Event ID 48

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmRegistryBlockRename

Fields

Name  Type  Description
PID UInt32
KeyPath UnicodeString

Event ID 49

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmRegistryReplace

Fields

Name  Type  Description
PID UInt32
KeyPath UnicodeString

Event ID 50

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmRegistryRestore

Fields

Name  Type  Description
PID UInt32
KeyPath UnicodeString

Event ID 51

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmRegistryBlockReplace

Fields

Name  Type  Description
PID UInt32
KeyPath UnicodeString

Event ID 52

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmRegistryBlockRestore

Fields

Name  Type  Description
PID UInt32
KeyPath UnicodeString

Event ID 53

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmOpenProcess

Fields

Name  Type  Description
PID UInt32
TargetPID UInt32
AccessMask  UInt32  Access mask reference
WasHardened Boolean

Event ID 58

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmRegistryBlockCreate

Fields

Name  Type  Description
PID UInt32
KeyPath UnicodeString

Event ID 59

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: Message

Fields

Name  Type  Description
VName AnsiString
SigSeq HexInt64
SigSha AnsiString
Result Int8

Event ID 60

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmEtw

Fields

Name  Type  Description
PID UInt32
Channel UnicodeString
EventId UInt32

Event ID 61

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmFolderCreate

Fields

Name  Type  Description
PID UInt32
FolderName UnicodeString

Event ID 62

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmScavengerTask

Fields

Name  Type  Description
Count UInt32

Event ID 63

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmProcessTainting

Fields

Name  Type  Description
TaintReason UInt64
ReasonImagePath UnicodeString
ProcessImagePath UnicodeString

Event ID 64

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmFolderRename

Fields

Name  Type  Description
PID UInt32
FileName UnicodeString
OldFileName UnicodeString

Event ID 65

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmFolderEnum

Fields

Name  Type  Description
PID UInt32
FolderName UnicodeString

Event ID 66

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmFileHardLink

Fields

Name  Type  Description
PID UInt32
FileName UnicodeString
FileHardLinkName UnicodeString

Event ID 67

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: ExpensiveOperationTask
Opcode: ExpensiveOperationEnd

Fields

Name  Type  Description
Message UnicodeString
Name UnicodeString
Data UInt64
StartStop Boolean
ThreadTime FILETIME
DeltaCPU UInt64
DeltaWall UInt64

Event ID 68

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: Message

Fields

Name  Type  Description
SigName AnsiString
SigSeq HexInt64
SigSha AnsiString
SigTypeName AnsiString
Dimension AnsiString
Value UInt64
Limit UInt64
FileName UnicodeString
VPath UnicodeString
FileSha1 AnsiString
PartialCRC1 HexInt32
PartialCRC2 HexInt32
PartialCRC3 HexInt32
FileSize UInt64

Event ID 69

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: Message

Fields

Name  Type  Description
Guid AnsiString
VolumeSize UInt64
Attributes HexInt32
FilesCount HexInt32
FileGuidsArray AnsiString
FileSizeArray AnsiString
CompressedFileSizeArray AnsiString
FileNameArray UnicodeString
FileAttributesArray AnsiString
EfiFileTypeArray AnsiString
FileSha1Array AnsiString
SmbiosAttributes AnsiString
FileCRCsArray AnsiString

Event ID 70

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmProcessCreate

Fields

Name  Type  Description
BasePath UnicodeString
CommandLine UnicodeString
PID UInt32
ParentPID UInt32
Flags UInt32
IntegrityLevel UInt32

Event ID 71

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmFileCreateEx

Fields

Name  Type  Description
PID UInt32
FileName UnicodeString

Event ID 72

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmFileChangeEx

Fields

Name  Type  Description
PID UInt32
FileName UnicodeString

Event ID 73

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: ProcessMonitorFlags

Fields

Name  Type  Description
EngineId Pointer
CreationTime FILETIME
PID UInt32
filepath UnicodeString
flags HexInt32
flags2low HexInt64
flags2high HexInt64
oldFlags HexInt32
oldFlags2low HexInt64
oldFlags2high HexInt64
Source UnicodeString

Event ID 74

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: SenseRemediationTask

Fields

Name  Type  Description
Sha1 UnicodeString
Sha256 UnicodeString
SigSeq HexInt64
SigSha UnicodeString
AllSigSeqs UnicodeString
AllSigShas UnicodeString
RealPath UnicodeString
VPath UnicodeString
EtwDataReportType UInt32
ReportType UInt32
EngineReportGuid UnicodeString
ResourceData UnicodeString
ResourceSchema UnicodeString
Determination Int32
ActionStatus HexInt32
ProcessID UInt32
ProcessCreationTime UInt64
ProcessPath UnicodeString
ThreatName UnicodeString
Classification HexInt32
IsLatent Boolean
IsPassiveMode Boolean
ScanSource UInt32
ScanType UInt32
RtpProcessID UInt32
RtpProcessCreationTime UInt64
ProcessCommandLine UnicodeString
ExtraDataJson UnicodeString

Event ID 75

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: Message

Fields

Name  Type  Description
DeviceInfo AnsiString
TCGEventsArray AnsiString
PCRsArray AnsiString

Event ID 76

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: SenseHeartbeatTask

Fields

Name  Type  Description
JsonData UnicodeString

Event ID 77

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: SmsScanTask
Opcode: SmsRequestMonitorProcessId

Fields

Name  Type  Description
ProcessId UInt32
CreationTime FILETIME
Level UInt8
EffectiveLevel UInt8
TriggerSigSeq UInt64
Origin UInt8

Event ID 78

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: SmsScanTask
Opcode: SmsRequestMonitorFilePath

Fields

Name  Type  Description
ImageFilePath UnicodeString
Level UInt8
EffectiveLevel UInt8
TriggerSigSeq UInt64
Origin UInt8

Event ID 79

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: SmsScanTask
Opcode: SmsMonitoringStart

Fields

Name  Type  Description
ProcessId UInt32
CreationTime FILETIME
Level UInt8
TriggerSigSeq UInt64

Event ID 80

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: SmsScanTask
Opcode: SmsMonitoringStop

Fields

Name  Type  Description
ProcessId UInt32
CreationTime FILETIME
Level UInt8
TriggerSigSeq UInt64
StopReason UInt8

Event ID 81

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: SmsScanTask
Opcode: SmsScanStart

Fields

Name  Type  Description
ProcessId UInt32
CreationTime FILETIME
ScanReason UInt8

Event ID 82

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: SmsScanTask
Opcode: SmsScanStop

Fields

Name  Type  Description
ProcessId UInt32
CreationTime FILETIME
ScanReason UInt8
ScanResult UInt8

Event ID 83

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: StartRundownTask
Opcode: Start

Fields

Name  Type  Description
EngineId Pointer

Event ID 84

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: StartRundownTask
Opcode: Stop

Fields

Name  Type  Description
EngineId Pointer

Event ID 85

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: EndRundownTask
Opcode: Start

Fields

Name  Type  Description
EngineId Pointer

Event ID 86

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: EndRundownTask
Opcode: Stop

Fields

Name  Type  Description
EngineId Pointer

Event ID 87

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: EngineTask
Opcode: Start

Fields

Name  Type  Description
EngineId Pointer
EngineVersion UnicodeString
AVVersion UnicodeString
ASVersion UnicodeString

Event ID 88

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: EngineTask
Opcode: Stop

Fields

Name  Type  Description
EngineId Pointer
EngineVersion UnicodeString
AVVersion UnicodeString
ASVersion UnicodeString

Event ID 89

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: EngineTask
Opcode: DC_Start

Fields

Name  Type  Description
EngineId Pointer
EngineVersion UnicodeString
AVVersion UnicodeString
ASVersion UnicodeString

Event ID 90

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: EngineTask
Opcode: DC_Stop

Fields

Name  Type  Description
EngineId Pointer
EngineVersion UnicodeString
AVVersion UnicodeString
ASVersion UnicodeString

Event ID 91

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: UfsScanFileTask
Opcode: DC_Start

Fields

Name  Type  Description
EngineId Pointer
FilePath UnicodeString
ThreadId UInt32
StartQPC UInt64

Event ID 92

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: UfsScanFileTask
Opcode: DC_Stop

Fields

Name  Type  Description
EngineId Pointer
FilePath UnicodeString
ThreadId UInt32
StartQPC UInt64

Event ID 93

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: UfsScanProcTask
Opcode: DC_Start

Fields

Name  Type  Description
EngineId Pointer
FilePath UnicodeString
PID UInt32
ThreadId UInt32
StartQPC UInt64

Event ID 94

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: UfsScanProcTask
Opcode: DC_Stop

Fields

Name  Type  Description
EngineId Pointer
FilePath UnicodeString
PID UInt32
ThreadId UInt32
StartQPC UInt64

Event ID 95

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmFileOverwrite

Fields

Name  Type  Description
ProcessId UInt32
CreationTime FILETIME
FileName UnicodeString
FirstOffsetWritten UInt64
LastOffsetWritten UInt64
SmallestOffsetWritten UInt64
BiggestOffsetWritten UInt64
TotalSizeOfWrites UInt64
TotalSizeOfAppends UInt64
NumberOfWrites UInt32

Event ID 96

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: SenseOnboardingInfoTask

Fields

Name  Type  Description
OnboardedInfo UnicodeString

Event ID 97

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: Scanrequest
Opcode: DC_Start

Fields

Name  Type  Description
EngineId Pointer
Id UInt8
Type AnsiString
Flags HexInt32
ScanSource UInt32
ResourceCount UInt32
FirstResourceType UnicodeString
FirstResourcePath UnicodeString
ThreadId UInt32
StartQPC UInt64

Event ID 98

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: Scanrequest
Opcode: DC_Stop

Fields

Name  Type  Description
EngineId Pointer
Id UInt8
Type AnsiString
Flags HexInt32
ScanSource UInt32
ResourceCount UInt32
FirstResourceType UnicodeString
FirstResourcePath UnicodeString
ThreadId UInt32
StartQPC UInt64

Event ID 99

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: ProcessMonitorFlagsDCStart

Fields

Name  Type  Description
EngineId Pointer
CreationTime FILETIME
PID UInt32
flags HexInt32
flags2low HexInt64
flags2high HexInt64

Event ID 100

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: ProcessMonitorFlagsDCStop

Fields

Name  Type  Description
EngineId Pointer
CreationTime FILETIME
PID UInt32
flags HexInt32
flags2low HexInt64
flags2high HexInt64

Event ID 101

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: EngineLoadTask
Opcode: Start

Fields

Name  Type  Description
EngineId Pointer
EngineVersion UnicodeString
AVVersion UnicodeString
ASVersion UnicodeString

Event ID 102

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: EngineLoadTask
Opcode: Stop

Fields

Name  Type  Description
EngineId Pointer
EngineVersion UnicodeString
AVVersion UnicodeString
ASVersion UnicodeString

Event ID 103

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmFileSequentialRead

Fields

Name  Type  Description
PID UInt32
FileName UnicodeString

Event ID 104

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmInternal

Fields

Name  Type  Description
PID UInt32
FeatureId UInt32
FirstParam UnicodeString
SecondParam UnicodeString

Event ID 105

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmRegistry

Fields

Name  Type  Description
PID UInt32
EventId UnicodeString
KeyPath UnicodeString
ValueName UnicodeString
OldValue UnicodeString
NewValue UnicodeString
UserMode UnicodeString
FeatureType UInt32

Event ID 106

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmInternalStateDCStart

Fields

Name  Type  Description
EngineId Pointer
LiveContextCount UInt32
TotalContextCount UInt32

Event ID 107

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmInternalStateDCStop

Fields

Name  Type  Description
EngineId Pointer
LiveContextCount UInt32
TotalContextCount UInt32

Event ID 108

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: SenseExclusionTask

Fields

Name  Type  Description
Type AnsiString
Scope AnsiString
ResourceType AnsiString
TargetResource UnicodeString
ParentResource UnicodeString
DetectionName AnsiString
UserName UnicodeString

Event ID 109

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmProcessContextStart

Fields

Name  Type  Description
PID UInt32
ProcessContextId Pointer
ImagePath UnicodeString

Event ID 110

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmProcessContextStop

Fields

Name  Type  Description
PID UInt32
ProcessContextId Pointer
TerminationTime UInt64

Event ID 111

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmNotificationHandleStart

Fields

Name  Type  Description
PID UInt32
AttrId UInt32
AttrSeq UInt32
AttrSubset UInt32

Event ID 112

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmNotificationHandleStop

Fields

Name  Type  Description
PID UInt32
AttrId UInt32
AttrSeq UInt32
AttrSubset UInt32
MatchedThreatsNumber UInt32
IsMultiProcMatch Boolean
IsMultiProcDetection Boolean

Event ID 113

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmCloudCallStart

Fields

Name  Type  Description
PID UInt32
DetectionName UnicodeString
SigSeq UInt64

Event ID 114

Provider: Microsoft-Antimalware-Engine
Channel: Application
Task: BehaviorMonitoring
Opcode: BmCloudCallStop

Fields

Name  Type  Description
PID UInt32
DetectionName UnicodeString
SigSeq UInt64
CloudResponse UnicodeString