Microsoft-Windows-Diagnosis-DPS

24 events across 3 channels

Event ID	Title	Channel
1	The Diagnostic Policy Service started.	Analytic
2	The Diagnostic Policy Service started.	Analytic
5	The scenario %1 has a configuration error or has been explicitly disabled in the …	Operational
100	Diagnostic module %5 (%4) detected a problem for scenario %1, instance %2, …	Operational
105	Diagnostic module %5 (%4) started troubleshooting scenario %1, instance %2, …	Operational
110	Diagnostic module %5 (%4) finished troubleshooting scenario %1, instance %2, …	Operational
115	Diagnostic module %9 (%4) finished troubleshooting scenario %1, instance %2, …	Operational
120	Diagnostic module %9 (%4) finished troubleshooting scenario %1, instance %2, …	Operational
125	Diagnostic module %5 (%4) started resolving scenario %1, instance %2, original …	Operational
126	Diagnostic module %5 (%4) was queued to start later for scenario %1, instance …	Operational
130	Diagnostic module %5 (%4) finished resolving scenario %1, instance %2, original …	Operational
135	The Diagnostic Policy Service could not create a diagnostic module host instance …	Operational
140	The Diagnostic Policy Service encountered an error in file %1, function %2, line …	Debug
145	This event is raised when the SCM loads the service DLL	Debug
150	This event is raised when the service enters a SERVICE_RUNNING state	Debug
155	This event is raised when the SCM signals the service to shut down.	Debug
160	This event is raised when the service is successfully stopped	Debug
165	The Diagnostic Policy Service encountered an error while handling scenario %1 …	Operational
170	Diagnostic module %6 (%4) encountered an error while handling scenario %1, …	Operational
175	Scenario %1, instance %2, original activity ID %3 was dropped by diagnostic …	Operational
180	The Diagnostic Policy Service just refreshed the Group Policy.	Analytic
185	Diagnostic module %2 (%1) was moved into a broken state.	Operational
5016	The Diagnostic Policy Service just made a heap allocation	Operational
5017	The Diagnostic Policy Service just freed a previously made heap allocation	Operational

Event ID 1 — The Diagnostic Policy Service started.

Provider: Microsoft-Windows-Diagnosis-DPS
Channel: Analytic

Message

The Diagnostic Policy Service started.  This event signals diagnostic modules for delayed processing after the service is initialized.

Event ID 2 — The Diagnostic Policy Service started.

Provider: Microsoft-Windows-Diagnosis-DPS
Channel: Analytic

Message

The Diagnostic Policy Service started.  This event signals diagnostic modules for immediate processing after the service is initialized.

Event ID 5 — The scenario %1 has a configuration error or has been explicitly disabled in the WDI registry namespace.

Provider: Microsoft-Windows-Diagnosis-DPS
Channel: Operational

Message

The scenario %1 has a configuration error or has been explicitly disabled in the WDI registry namespace.  The Diagnostic Policy Service will ignore the scenario.

Fields

Name	Description
`ScenarioId`	—

Event ID 100 — Diagnostic module %5 (%4) detected a problem for scenario %1, instance %2, original activity ID %3.

Provider: Microsoft-Windows-Diagnosis-DPS
Channel: Operational
Level: 4
Samples: 1

Message

Diagnostic module %5 (%4) detected a problem for scenario %1, instance %2, original activity ID %3.

Fields

Name	Description
`ScenarioId`	—
`InstanceId`	—
`OriginalActivityId`	—
`DiagnosticModuleImageName`	—
`DiagnosticModuleId`	—

Example Event

system:
  provider: Microsoft-Windows-Diagnosis-DPS
  guid: 6BBA3851-2C7E-4DEA-8F54-31E5AFD029E3
  event_source_name: ''
  event_id: 100
  version: 0
  level: 4
  task: 1
  opcode: 12
  keywords: 4611686052787126272
  time_created: '2023-11-06T06:25:44.322448+00:00'
  event_record_id: 41
  correlation:
    ActivityID: 208FDFDB-A4DB-420F-A514-9C4315A6B7D9
  execution:
    process_id: 3724
    thread_id: 4228
  channel: Microsoft-Windows-Diagnosis-DPS/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-19
event_data:
  ScenarioId: 2698178D-FDAD-40AE-9D3C-1371703ADC5B
  InstanceId: 208FDFDB-A4DB-420F-A514-9C4315A6B7D9
  OriginalActivityId: 2698178D-FDAD-40AE-9D3C-1371703ADC5B
  DiagnosticModuleImageName: '%SystemRoot%\system32\diagperf.dll'
  DiagnosticModuleId: 15FBA3B8-A37A-4F91-BDBA-FBB98FE804BF
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 105 — Diagnostic module %5 (%4) started troubleshooting scenario %1, instance %2, original activity ID %3.

Provider: Microsoft-Windows-Diagnosis-DPS
Channel: Operational
Level: 4
Samples: 1

Message

Diagnostic module %5 (%4) started troubleshooting scenario %1, instance %2, original activity ID %3.

Fields

Name	Description
`ScenarioId`	—
`InstanceId`	—
`OriginalActivityId`	—
`DiagnosticModuleImageName`	—
`DiagnosticModuleId`	—

Example Event

system:
  provider: Microsoft-Windows-Diagnosis-DPS
  guid: 6BBA3851-2C7E-4DEA-8F54-31E5AFD029E3
  event_source_name: ''
  event_id: 105
  version: 0
  level: 4
  task: 1
  opcode: 13
  keywords: 4611686052787126272
  time_created: '2023-11-06T06:25:44.322453+00:00'
  event_record_id: 42
  correlation:
    ActivityID: 208FDFDB-A4DB-420F-A514-9C4315A6B7D9
  execution:
    process_id: 3724
    thread_id: 4228
  channel: Microsoft-Windows-Diagnosis-DPS/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-19
event_data:
  ScenarioId: 2698178D-FDAD-40AE-9D3C-1371703ADC5B
  InstanceId: 208FDFDB-A4DB-420F-A514-9C4315A6B7D9
  OriginalActivityId: 2698178D-FDAD-40AE-9D3C-1371703ADC5B
  DiagnosticModuleImageName: '%SystemRoot%\system32\diagperf.dll'
  DiagnosticModuleId: 15FBA3B8-A37A-4F91-BDBA-FBB98FE804BF
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 110 — Diagnostic module %5 (%4) finished troubleshooting scenario %1, instance %2, original activity ID %3.

Provider: Microsoft-Windows-Diagnosis-DPS
Channel: Operational
Level: 4
Samples: 1

Message

Diagnostic module %5 (%4) finished troubleshooting scenario %1, instance %2, original activity ID %3.  No resolution was set by the diagnostic module.

Fields

Name	Description
`ScenarioId`	—
`InstanceId`	—
`OriginalActivityId`	—
`DiagnosticModuleImageName`	—
`DiagnosticModuleId`	—

Example Event

system:
  provider: Microsoft-Windows-Diagnosis-DPS
  guid: 6BBA3851-2C7E-4DEA-8F54-31E5AFD029E3
  event_source_name: ''
  event_id: 110
  version: 0
  level: 4
  task: 1
  opcode: 14
  keywords: 4611686052787126272
  time_created: '2023-11-05T22:33:58.076518+00:00'
  event_record_id: 55
  correlation:
    ActivityID: 51DC3142-BD1D-4BBF-9040-E1AF3322EAF0
  execution:
    process_id: 3160
    thread_id: 3436
  channel: Microsoft-Windows-Diagnosis-DPS/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-19
event_data:
  ScenarioId: 86432A0B-3C7D-4DDF-A89C-172FAA90485D
  InstanceId: 51DC3142-BD1D-4BBF-9040-E1AF3322EAF0
  OriginalActivityId: 86432A0B-3C7D-4DDF-A89C-172FAA90485D
  DiagnosticModuleImageName: '%SystemRoot%\system32\diagperf.dll'
  DiagnosticModuleId: C8544339-5BE9-4F25-862E-485F1B1A6935
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 115 — Diagnostic module %9 (%4) finished troubleshooting scenario %1, instance %2, original activity ID %3.

Provider: Microsoft-Windows-Diagnosis-DPS
Channel: Operational
Level: 4
Samples: 1

Message

Diagnostic module %9 (%4) finished troubleshooting scenario %1, instance %2, original activity ID %3.  It set resolution %5 for user %6 in session %7 with expiration date %8.  The resolution will be started immediately.

Fields

Name	Description
`ScenarioId`	—
`InstanceId`	—
`OriginalActivityId`	—
`DiagnosticModuleImageName`	—
`ResolutionId`	—
`ResolutionSID`	—
`ResolutionSessionId`	—
`ResolutionExpirationDate`	—
`DiagnosticModuleId`	—

Example Event

system:
  provider: Microsoft-Windows-Diagnosis-DPS
  guid: 6BBA3851-2C7E-4DEA-8F54-31E5AFD029E3
  event_source_name: ''
  event_id: 115
  version: 0
  level: 4
  task: 1
  opcode: 15
  keywords: 4611686052787126272
  time_created: '2023-11-06T01:57:37.135043+00:00'
  event_record_id: 72
  correlation:
    ActivityID: 44552D3D-0E8F-4E4A-B552-A11F4B96A461
  execution:
    process_id: 3160
    thread_id: 20000
  channel: Microsoft-Windows-Diagnosis-DPS/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-19
event_data:
  ScenarioId: 180B3A99-8C39-4F12-B631-2031998EFE45
  InstanceId: 44552D3D-0E8F-4E4A-B552-A11F4B96A461
  OriginalActivityId: 00000000-0000-0000-0000-000000000000
  DiagnosticModuleImageName: '%windir%\system32\radardt.dll'
  ResolutionId: 5EE64AFB-398D-4EDB-AF71-3B830219ABF7
  ResolutionSID: S-1-5-21-1992711665-1655669231-58201500-1000
  ResolutionSessionId: 1
  ResolutionExpirationDate: '1601-01-01T00:00:00.000000Z'
  DiagnosticModuleId: 45DE1EA9-10BC-4F96-9B21-4B6B83DBF476
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 120 — Diagnostic module %9 (%4) finished troubleshooting scenario %1, instance %2, original activity ID %3.

Provider: Microsoft-Windows-Diagnosis-DPS
Channel: Operational
Level: 4
Samples: 1

Message

Diagnostic module %9 (%4) finished troubleshooting scenario %1, instance %2, original activity ID %3.  It set resolution %5 for user %6 in session %7 with expiration date %8.  The resolution was queued to start later.

Fields

Name	Description
`ScenarioId`	—
`InstanceId`	—
`OriginalActivityId`	—
`DiagnosticModuleImageName`	—
`ResolutionId`	—
`ResolutionSID`	—
`ResolutionSessionId`	—
`ResolutionExpirationDate`	—
`DiagnosticModuleId`	—

Example Event

system:
  provider: Microsoft-Windows-Diagnosis-DPS
  guid: 6BBA3851-2C7E-4DEA-8F54-31E5AFD029E3
  event_source_name: ''
  event_id: 120
  version: 0
  level: 4
  task: 1
  opcode: 16
  keywords: 4611686052787126272
  time_created: '2023-10-25T22:50:15.569431+00:00'
  event_record_id: 34
  correlation:
    ActivityID: 13443185-CF4B-4989-8B2A-A73BBD6A6B1A
  execution:
    process_id: 2912
    thread_id: 3572
  channel: Microsoft-Windows-Diagnosis-DPS/Operational
  computer: WinDevEval
  security:
    user_id: S-1-5-19
event_data:
  ScenarioId: 3A5D4378-9D2F-4393-B1E5-34F5FA9A1140
  InstanceId: 13443185-CF4B-4989-8B2A-A73BBD6A6B1A
  OriginalActivityId: 8E76E1FB-2E89-4557-8E7A-927267F0975C
  DiagnosticModuleImageName: '%SystemRoot%\system32\diagperf.dll'
  ResolutionId: B171AB1C-60E9-4301-A338-BEAB1C70B3E9
  ResolutionSID: S-1-1-0
  ResolutionSessionId: 0
  ResolutionExpirationDate: '2024-01-23T22:50:15.559312Z'
  DiagnosticModuleId: B171AB1C-60E9-4301-A338-BEAB1C70B3E9
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 125 — Diagnostic module %5 (%4) started resolving scenario %1, instance %2, original activity ID %3.

Provider: Microsoft-Windows-Diagnosis-DPS
Channel: Operational
Level: 4
Samples: 1

Message

Diagnostic module %5 (%4) started resolving scenario %1, instance %2, original activity ID %3.

Fields

Name	Description
`ScenarioId`	—
`InstanceId`	—
`OriginalActivityId`	—
`DiagnosticModuleImageName`	—
`DiagnosticModuleId`	—

Example Event

system:
  provider: Microsoft-Windows-Diagnosis-DPS
  guid: 6BBA3851-2C7E-4DEA-8F54-31E5AFD029E3
  event_source_name: ''
  event_id: 125
  version: 0
  level: 4
  task: 1
  opcode: 17
  keywords: 4611686052787126272
  time_created: '2023-11-06T01:57:37.136481+00:00'
  event_record_id: 73
  correlation:
    ActivityID: 44552D3D-0E8F-4E4A-B552-A11F4B96A461
  execution:
    process_id: 3160
    thread_id: 20000
  channel: Microsoft-Windows-Diagnosis-DPS/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-19
event_data:
  ScenarioId: 180B3A99-8C39-4F12-B631-2031998EFE45
  InstanceId: 44552D3D-0E8F-4E4A-B552-A11F4B96A461
  OriginalActivityId: 00000000-0000-0000-0000-000000000000
  DiagnosticModuleImageName: '%windir%\system32\radarrs.dll'
  DiagnosticModuleId: 5EE64AFB-398D-4EDB-AF71-3B830219ABF7
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 126 — Diagnostic module %5 (%4) was queued to start later for scenario %1, instance %2, original activity ID %3.

Provider: Microsoft-Windows-Diagnosis-DPS
Channel: Operational

Message

Diagnostic module %5 (%4) was queued to start later for scenario %1, instance %2, original activity ID %3.

Fields

Name	Description
`ScenarioId`	—
`InstanceId`	—
`OriginalActivityId`	—
`DiagnosticModuleImageName`	—
`DiagnosticModuleId`	—

Event ID 130 — Diagnostic module %5 (%4) finished resolving scenario %1, instance %2, original activity ID %3.

Provider: Microsoft-Windows-Diagnosis-DPS
Channel: Operational
Level: 4
Samples: 1

Message

Diagnostic module %5 (%4) finished resolving scenario %1, instance %2, original activity ID %3.

Fields

Name	Description
`ScenarioId`	—
`InstanceId`	—
`OriginalActivityId`	—
`DiagnosticModuleImageName`	—
`DiagnosticModuleId`	—

Example Event

system:
  provider: Microsoft-Windows-Diagnosis-DPS
  guid: 6BBA3851-2C7E-4DEA-8F54-31E5AFD029E3
  event_source_name: ''
  event_id: 130
  version: 0
  level: 4
  task: 1
  opcode: 19
  keywords: 4611686052787126272
  time_created: '2023-11-06T01:57:53.183025+00:00'
  event_record_id: 74
  correlation:
    ActivityID: 44552D3D-0E8F-4E4A-B552-A11F4B96A461
  execution:
    process_id: 3160
    thread_id: 20000
  channel: Microsoft-Windows-Diagnosis-DPS/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-19
event_data:
  ScenarioId: 180B3A99-8C39-4F12-B631-2031998EFE45
  InstanceId: 44552D3D-0E8F-4E4A-B552-A11F4B96A461
  OriginalActivityId: 00000000-0000-0000-0000-000000000000
  DiagnosticModuleImageName: '%windir%\system32\radarrs.dll'
  DiagnosticModuleId: 5EE64AFB-398D-4EDB-AF71-3B830219ABF7
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 135 — The Diagnostic Policy Service could not create a diagnostic module host instance for diagnostic module %6 (%5).

Provider: Microsoft-Windows-Diagnosis-DPS
Channel: Operational

Message

The Diagnostic Policy Service could not create a diagnostic module host instance for diagnostic module %6 (%5).  The error code was %4.  The scenario %1, instance %2, original activity ID %3 will be discarded.

Fields

Name	Description
`ScenarioId`	—
`InstanceId`	—
`OriginalActivityId`	—
`StatusCode`	—
`DiagnosticModuleImageName`	—
`DiagnosticModuleId`	—

Event ID 140 — The Diagnostic Policy Service encountered an error in file %1, function %2, line %3: %4.

Provider: Microsoft-Windows-Diagnosis-DPS
Channel: Debug

Message

The Diagnostic Policy Service encountered an error in file %1, function %2, line %3: %4.

Fields

Name	Description
`FileName`	—
`FunctionName`	—
`LineNumber`	—
`ErrorMessage`	—

Event ID 145 — This event is raised when the SCM loads the service DLL

Provider: Microsoft-Windows-Diagnosis-DPS
Channel: Debug

Message

This event is raised when the SCM loads the service DLL

Event ID 150 — This event is raised when the service enters a SERVICE_RUNNING state

Provider: Microsoft-Windows-Diagnosis-DPS
Channel: Debug

Message

This event is raised when the service enters a SERVICE_RUNNING state

Event ID 155 — This event is raised when the SCM signals the service to shut down.

Provider: Microsoft-Windows-Diagnosis-DPS
Channel: Debug

Message

This event is raised when the SCM signals the service to shut down.

Event ID 160 — This event is raised when the service is successfully stopped

Provider: Microsoft-Windows-Diagnosis-DPS
Channel: Debug

Message

This event is raised when the service is successfully stopped

Event ID 165 — The Diagnostic Policy Service encountered an error while handling scenario %1 with diagnostic module %6 (%5), instance %2, original activity ID %3.

Provider: Microsoft-Windows-Diagnosis-DPS
Channel: Operational

Message

The Diagnostic Policy Service encountered an error while handling scenario %1 with diagnostic module %6 (%5), instance %2, original activity ID %3. The error code was %4.

Fields

Name	Description
`ScenarioId`	—
`InstanceId`	—
`OriginalActivityId`	—
`StatusCode`	—
`DiagnosticModuleImageName`	—
`DiagnosticModuleId`	—

Event ID 170 — Diagnostic module %6 (%4) encountered an error while handling scenario %1, instance %2, original activity ID %3.

Provider: Microsoft-Windows-Diagnosis-DPS
Channel: Operational

Message

Diagnostic module %6 (%4) encountered an error while handling scenario %1, instance %2, original activity ID %3.  The error code was %5.

Fields

Name	Description
`ScenarioId`	—
`InstanceId`	—
`OriginalActivityId`	—
`DiagnosticModuleImageName`	—
`StatusCode`	—
`DiagnosticModuleId`	—

Event ID 175 — Scenario %1, instance %2, original activity ID %3 was dropped by diagnostic module %6 (%4).

Provider: Microsoft-Windows-Diagnosis-DPS
Channel: Operational

Message

Scenario %1, instance %2, original activity ID %3 was dropped by diagnostic module %6 (%4). The error code was %5.

Fields

Name	Description
`ScenarioId`	—
`InstanceId`	—
`OriginalActivityId`	—
`DiagnosticModuleImageName`	—
`StatusCode`	—
`DiagnosticModuleId`	—

Event ID 180 — The Diagnostic Policy Service just refreshed the Group Policy.

Provider: Microsoft-Windows-Diagnosis-DPS
Channel: Analytic

Message

The Diagnostic Policy Service just refreshed the Group Policy. This event notifies the diagnostic modules about the Group Policy changes.

Event ID 185 — Diagnostic module %2 (%1) was moved into a broken state.

Provider: Microsoft-Windows-Diagnosis-DPS
Channel: Operational

Message

Diagnostic module %2 (%1) was moved into a broken state. The error code was %3.

Fields

Name	Description
`DiagnosticModuleImageName`	—
`DiagnosticModuleId`	—
`StatusCode`	—

Event ID 5016 — The Diagnostic Policy Service just made a heap allocation

Provider: Microsoft-Windows-Diagnosis-DPS
Channel: Operational

Message

The Diagnostic Policy Service just made a heap allocation

Fields

Name	Description
`FileName`	—
`Line`	—
`Address`	—
`Size`	—

Event ID 5017 — The Diagnostic Policy Service just freed a previously made heap allocation

Provider: Microsoft-Windows-Diagnosis-DPS
Channel: Operational

Message

The Diagnostic Policy Service just freed a previously made heap allocation

Fields

Name	Description
`FileName`	—
`Line`	—
`Address`	—