Microsoft-Antimalware-RTP

29 events across 1 channel

Event  Title                      Channel
1      RTPPassthroughStart        Application
2      RTPPassthroughStop         Application
3      RTPPluginStart             Application
4      RTPPluginStop              Application
5      RTPFilterLoad              Application
6      RTPFilterUnload            Application
7      RTPSetEngine               Application
8      RTPFlushCache              Application
9      RTPScanTimeout             Application
10     RTPEnabled                 Application
11     RTPDisabled                Application
12     RTPConfigUpdate            Application
13     RTPSetRegistryMonitoring   Application
14     RTPThreatDetection         Application
15     RTPSampleDetection         Application
16     RTPLofiDetection           Application
17     RTPExpensiveDetection      Application
18     RTPBMDetection             Application
19     RTPSeqRead                 Application
20     RTPSuspend                 Application
21     RTPResume                  Application
22     RTPPriority                Application
23     DlpPerfOperationStart      Application
24     DlpPerfOperationStop       Application
25     DCEvent                    Application
26     DCEvent26                  Application
27     RTPFileScanResult          Application
28     DCEvent28                  Application
29     DCEvent29                  Application

Event ID 1: RTPPassthroughStart

Provider:  Microsoft-Antimalware-RTP
Channel:   Application
Task:      RTPPassthrough
Opcode:    Start

Event ID 2: RTPPassthroughStop

Provider:  Microsoft-Antimalware-RTP
Channel:   Application
Task:      RTPPassthrough
Opcode:    Stop

Event ID 3: RTPPluginStart

Provider:  Microsoft-Antimalware-RTP
Channel:   Application
Task:      RTPPlugin
Opcode:    Start

Event ID 4: RTPPluginStop

Provider:  Microsoft-Antimalware-RTP
Channel:   Application
Task:      RTPPlugin
Opcode:    Stop

Event ID 5: RTPFilterLoad

Provider:  Microsoft-Antimalware-RTP
Channel:   Application
Task:      RTPFilterLoad

Event ID 6: RTPFilterUnload

Provider:  Microsoft-Antimalware-RTP
Channel:   Application
Task:      RTPFilterUnload

Event ID 7: RTPSetEngine

Provider:  Microsoft-Antimalware-RTP
Channel:   Application
Task:      RTPSetEngine

Event ID 8: RTPFlushCache

Provider:  Microsoft-Antimalware-RTP
Channel:   Application
Task:      RTPFlushCache

Event ID 9: RTPScanTimeout

Provider:  Microsoft-Antimalware-RTP
Channel:   Application
Task:      RTPScanTimeout

Event ID 10: RTPEnabled

Provider:  Microsoft-Antimalware-RTP
Channel:   Application
Task:      RTPEnabled

Event ID 11: RTPDisabled

Provider:  Microsoft-Antimalware-RTP
Channel:   Application
Task:      RTPDisabled

Event ID 12: RTPConfigUpdate

Provider:  Microsoft-Antimalware-RTP
Channel:   Application
Task:      RTPConfigUpdate

Event ID 13: RTPSetRegistryMonitoring

Provider:  Microsoft-Antimalware-RTP
Channel:   Application
Task:      RTPSetRegistryMonitoring

Event ID 14: RTPThreatDetection

Provider:  Microsoft-Antimalware-RTP
Channel:   Application
Task:      RTPThreatDetection

Fields

Name  Type
File  UnicodeString

Event ID 15: RTPSampleDetection

Provider:  Microsoft-Antimalware-RTP
Channel:   Application
Task:      RTPSampleDetection

Fields

Name  Type
File  UnicodeString

Event ID 16: RTPLofiDetection

Provider:  Microsoft-Antimalware-RTP
Channel:   Application
Task:      RTPLofiDetection

Fields

Name  Type
File  UnicodeString

Event ID 17: RTPExpensiveDetection

Provider:  Microsoft-Antimalware-RTP
Channel:   Application
Task:      RTPExpensiveDetection

Fields

Name  Type
File  UnicodeString

Event ID 18: RTPBMDetection

Provider:  Microsoft-Antimalware-RTP
Channel:   Application
Task:      RTPBMDetection

Event ID 19: RTPSeqRead

Provider:  Microsoft-Antimalware-RTP
Channel:   Application
Task:      RTPSeqRead

Event ID 20: RTPSuspend

Provider:  Microsoft-Antimalware-RTP
Channel:   Application
Task:      RTPSuspend

Event ID 21: RTPResume

Provider:  Microsoft-Antimalware-RTP
Channel:   Application
Task:      RTPResume

Event ID 22: RTPPriority

Provider:  Microsoft-Antimalware-RTP
Channel:   Application
Also via:  realtime ETW trace
Level:     Informational
Task:      RTPPriority
Opcode:    win:Info

Fields

Name                    Type
Description             UnicodeString
PreviousValue           UInt32
IntendedValueOrHResult  UInt32
LatestValue             UInt32

Example Event

{
  "system": {
    "provider": "Microsoft-Antimalware-RTP",
    "guid": "{8E92DEEF-5E17-413B-B927-59B2F06A3CFC}",
    "event_source_name": "",
    "event_id": 22,
    "version": 0,
    "level": 4,
    "task": 20,
    "opcode": 0,
    "keywords": "0x0000000000000000",
    "time_created": "2026-06-02T05:18:28.997+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 4712,
      "thread_id": 10308
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Description": "AsyncWorkerUpdate",
    "IntendedValueOrHResult": 0,
    "LatestValue": 8,
    "PreviousValue": 8
  },
  "message": "RTPPriority"
}

Event ID 23: DlpPerfOperationStart

Provider:  Microsoft-Antimalware-RTP
Channel:   Application
Task:      DlpPerfOperation
Opcode:    Start

Fields

Name          Type
Operation     UInt32
  Known values:
  %%2456  Open key file.
  %%2457  Delete key file.
  %%2458  Read persisted key from file.
  %%2459  Write persisted key to file.
  %%2464  Export of persistent cryptographic key.
  %%2465  Import of persistent cryptographic key.
  %%2480  Open Key.
  %%2481  Create Key.
  %%2482  Delete Key.
  %%2483  Encrypt.
  %%2484  Decrypt.
  %%2485  Sign hash.
  %%2486  Secret agreement.
  %%2487  Domain settings.
  %%2488  Local settings.
  %%2489  Add provider.
  %%2490  Remove provider.
  %%2491  Add context.
  %%2492  Remove context.
  %%2493  Add function.
  %%2494  Remove function.
  %%2495  Add function provider.
  %%2496  Remove function provider.
  %%2497  Add function property.
  %%2498  Remove function property.
  %%2499  Machine key.
  %%2500  User key.
  %%2501  Key Derivation.
  %%2502  Claim Creation.
  %%2503  Claim Verification.
SubOperation  UInt32
AccessCheck   UInt32

Event ID 24: DlpPerfOperationStop

Provider:  Microsoft-Antimalware-RTP
Channel:   Application
Task:      DlpPerfOperation
Opcode:    Stop

Fields

Name          Type
Operation     UInt32
  Known values:
  %%2456  Open key file.
  %%2457  Delete key file.
  %%2458  Read persisted key from file.
  %%2459  Write persisted key to file.
  %%2464  Export of persistent cryptographic key.
  %%2465  Import of persistent cryptographic key.
  %%2480  Open Key.
  %%2481  Create Key.
  %%2482  Delete Key.
  %%2483  Encrypt.
  %%2484  Decrypt.
  %%2485  Sign hash.
  %%2486  Secret agreement.
  %%2487  Domain settings.
  %%2488  Local settings.
  %%2489  Add provider.
  %%2490  Remove provider.
  %%2491  Add context.
  %%2492  Remove context.
  %%2493  Add function.
  %%2494  Remove function.
  %%2495  Add function provider.
  %%2496  Remove function provider.
  %%2497  Add function property.
  %%2498  Remove function property.
  %%2499  Machine key.
  %%2500  User key.
  %%2501  Key Derivation.
  %%2502  Claim Creation.
  %%2503  Claim Verification.
SubOperation  UInt32
AccessCheck   UInt32

Event ID 25: DCEvent

Provider:  Microsoft-Antimalware-RTP
Channel:   Application
Task:      DCEvent

Fields

Name                               Type
Timestamp                          UInt64
ActionType                         UnicodeString
Access                             UnicodeString
Policy                             UnicodeString
MachineName                        UnicodeString
MediaName                          UnicodeString
ClassName                          UnicodeString
ClassGuid                          UnicodeString
UserName                           UnicodeString
VendorId                           UnicodeString
ProductId                          UnicodeString
DeviceId                           UnicodeString
InstanceId                         UnicodeString
SerialNumber                       UnicodeString
BusType                            UnicodeString
FilePath                           UnicodeString
FileSize                           UInt64
Tag                                UInt64
DomainAuthenticatedNetworkPresent  UnicodeString
ActiveVPNConnections               UnicodeString
ProcessImageName                   UnicodeString
PolicyId                           UnicodeString
AccessChainRuleIds                 UnicodeString
AccessChainRuleEntryIds            UnicodeString
PrinterPortName                    UnicodeString

Event ID 26: DCEvent26

Provider:  Microsoft-Antimalware-RTP
Channel:   Application
Task:      DCEvent

Fields

Name                  Type
Timestamp             UInt64
Policy                UnicodeString
PolicyRuleId          UnicodeString
DuplicatedOperation   UnicodeString
MachineName           UnicodeString
UserName              UnicodeString
ClassName             UnicodeString
MediaName             UnicodeString
InstanceId            UnicodeString
SerialNumber          UnicodeString
VendorId              UnicodeString
ProductId             UnicodeString
DeviceFilePath        UnicodeString
EvidenceFileSize      UInt64
EvidenceFileLocation  UnicodeString
Tag                   UInt64

Event ID 27: RTPFileScanResult

Provider:  Microsoft-Antimalware-RTP
Channel:   Application
Also via:  realtime ETW trace
Level:     Informational
Task:      RTPFileScanResult
Opcode:    win:Info

Fields

Name           Type
FileName       UnicodeString
ScanReason     UInt32
FileId         UInt64
USN            UInt64
RtpScanResult  UInt32
RtpScanAction  UInt32
DoNotCache     UInt32
Flags          UInt32
ScanResult     UInt32
hr             UInt32

Example Event

{
  "system": {
    "provider": "Microsoft-Antimalware-RTP",
    "guid": "{8E92DEEF-5E17-413B-B927-59B2F06A3CFC}",
    "event_source_name": "",
    "event_id": 27,
    "version": 0,
    "level": 4,
    "task": 23,
    "opcode": 0,
    "keywords": "0x0000000000000000",
    "time_created": "2026-06-02T04:10:16.802+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{E9BB1A5E-6969-4F68-BB28-D76285FBCF17}"
    },
    "execution": {
      "process_id": 3756,
      "thread_id": 3984
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "DoNotCache": 0,
    "FileId": 281474976775421,
    "FileName": "\\Device\\HarddiskVolume4\\Windows\\System32\\drivers\\msquic.sys",
    "Flags": 0,
    "RtpScanAction": 0,
    "RtpScanResult": 0,
    "ScanReason": 3,
    "ScanResult": 3,
    "USN": 0,
    "hr": 0
  },
  "message": "RTPFileScanResult"
}

Event ID 28: DCEvent28

Provider:  Microsoft-Antimalware-RTP
Channel:   Application
Task:      DCEvent

Fields

Name                               Type
Timestamp                          UInt64
CurrentGrantedAccess               UnicodeString
MaximumPossibleGrantedAccess       UnicodeString
CurrentDeniedAccess                UnicodeString
MinimumGuaranteedDeniedAccess      UnicodeString
MachineName                        UnicodeString
UserName                           UnicodeString
ClassName                          UnicodeString
MediaName                          UnicodeString
BusType                            UnicodeString
DeviceId                           UnicodeString
InstanceId                         UnicodeString
SerialNumber                       UnicodeString
VendorId                           UnicodeString
ProductId                          UnicodeString
DomainAuthenticatedNetworkPresent  UnicodeString
ActiveVPNConnections               UnicodeString
ActiveNetworks                     UnicodeString
DevicePolicyGroupMembership        UnicodeString

Event ID 29: DCEvent29

Provider:  Microsoft-Antimalware-RTP
Channel:   Application
Task:      DCEvent

Fields

Name       Type
Timestamp  UInt64
State      UnicodeString

Provenance

This section records where this provider's schema came from and which Windows builds it was observed on. Windows can change a provider's event schema between builds, so use it to judge whether the schema above matches the build you collect from.

ETW provider GUID {8E92DEEF-5E17-413B-B927-59B2F06A3CFC}

Defined in MpRtp.dll, which carries the event manifest.

Observed on:

  • WS2022-20348.4893 · sample captured from a live trace · binary version 4.18.26040.7 · captured 2026-06-02
  • Win11-26200.6584 · sample captured from a live trace · binary version 4.18.26040.7 · captured 2026-06-02
  • WS2022-20348.4893 · schema read from the registered manifest · binary version 4.18.26040.7 · captured 2026-06-02
  • Win11-26200.6584 · schema read from the registered manifest · binary version 4.18.26040.7 · captured 2026-06-02

Credits

  • Microsoft - authored the ETW manifests and PDBs the schema comes from
  • jdu2600 - the event-schema TSV format this catalog adopted
  • nasbench - the tool that dumps registered providers and manifests