Microsoft-Antimalware-Protection

7 events across 1 channel

Event  Title                          Channel
1      FastMemScanStart               Application
2      FastMemScanStop                Application
3      AllowedUrlExclusionCheckStart  Application
4      AllowedUrlExclusionCheckStop   Application
5      FastMemScanCacheStart          Application
6      FastMemScanCacheStop           Application
7      MpData                         Application

Event ID 1: FastMemScanStart

Provider  Microsoft-Antimalware-Protection
Channel   Application
Task      FastMemScan
Opcode    Start

Fields

Name       Description
DwordData  UInt32

Event ID 2: FastMemScanStop

Provider  Microsoft-Antimalware-Protection
Channel   Application
Task      FastMemScan
Opcode    Stop

Fields

Name       Description
DwordData  UInt32

Event ID 3: AllowedUrlExclusionCheckStart

Provider  Microsoft-Antimalware-Protection
Channel   Application
Task      AllowedUrlExclusionCheck
Opcode    Start

Fields

Name         Description
Description  UnicodeString

Event ID 4: AllowedUrlExclusionCheckStop

Provider  Microsoft-Antimalware-Protection
Channel   Application
Task      AllowedUrlExclusionCheck
Opcode    Stop

Fields

Name       Description
DwordData  UInt32

Event ID 5: FastMemScanCacheStart

Provider  Microsoft-Antimalware-Protection
Channel   Application
Task      FastMemScanCache
Opcode    Start

Event ID 6: FastMemScanCacheStop

Provider  Microsoft-Antimalware-Protection
Channel   Application
Task      FastMemScanCache
Opcode    Stop

Fields

Name       Description
DwordData  UInt32

Event ID 7: MpData

Provider  Microsoft-Antimalware-Protection
Channel   Application
Task      MpData

Fields

Name         Description
Description  UnicodeString

Provenance

Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.

ETW provider GUID e4b70372-261f-4c54-8fa6-a5a7914d73da

Defined in Windows, which carries the event manifest.

Observed on:

  • WS2022-20348.4893 · schema read from the registered manifest · binary version 4.18.26040.7 · captured 2026-06-02
  • Win11-26200.6584 · schema read from the registered manifest · binary version 4.18.26040.7 · captured 2026-06-02

Credits

  • Microsoft - authored the ETW manifests and PDBs the schema comes from
  • jdu2600 - the event-schema TSV format this catalog adopted
  • nasbench - the tool that dumps registered providers and manifests