Microsoft-Windows-Diagnosis-DPS
24 events across 3 channels
Event ID 1 — The Diagnostic Policy Service started.
Description
The Diagnostic Policy Service started. This event signals diagnostic modules for delayed processing after the service is initialized.
Event ID 2 — The Diagnostic Policy Service started.
Description
The Diagnostic Policy Service started. This event signals diagnostic modules for immediate processing after the service is initialized.
Event ID 5 — The scenario ScenarioId has a configuration error or has been explicitly disabled in the WDI registry namespace.
Event ID 100 — Diagnostic module DiagnosticModuleId (DiagnosticModuleImageName) detected a problem for scenario ScenarioId, instance InstanceId, original activity ID OriginalActivityId.
Description
Diagnostic module DiagnosticModuleId (DiagnosticModuleImageName) detected a problem for scenario ScenarioId, instance InstanceId, original activity ID OriginalActivityId.
Fields
| Name | Type | Description |
|---|---|---|
| ScenarioId | GUID | — |
| InstanceId | GUID | — |
| OriginalActivityId | GUID | — |
| DiagnosticModuleImageName | UnicodeString | — |
| DiagnosticModuleId | GUID | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Diagnosis-DPS",
"guid": "6BBA3851-2C7E-4DEA-8F54-31E5AFD029E3",
"event_source_name": "",
"event_id": 100,
"version": 0,
"level": 4,
"task": 1,
"opcode": 12,
"keywords": 4611686052787126272,
"time_created": "2023-11-06T06:25:44.322448+00:00",
"event_record_id": 41,
"correlation": {
"ActivityID": "208FDFDB-A4DB-420F-A514-9C4315A6B7D9"
},
"execution": {
"process_id": 3724,
"thread_id": 4228
},
"channel": "Microsoft-Windows-Diagnosis-DPS/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-19"
}
},
"event_data": {
"ScenarioId": "2698178D-FDAD-40AE-9D3C-1371703ADC5B",
"InstanceId": "208FDFDB-A4DB-420F-A514-9C4315A6B7D9",
"OriginalActivityId": "2698178D-FDAD-40AE-9D3C-1371703ADC5B",
"DiagnosticModuleImageName": "%SystemRoot%\\system32\\diagperf.dll",
"DiagnosticModuleId": "15FBA3B8-A37A-4F91-BDBA-FBB98FE804BF"
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 105 — Diagnostic module DiagnosticModuleId (DiagnosticModuleImageName) started troubleshooting scenario ScenarioId, instance InstanceId, original activity ID OriginalActivityId.
Description
Diagnostic module DiagnosticModuleId (DiagnosticModuleImageName) started troubleshooting scenario ScenarioId, instance InstanceId, original activity ID OriginalActivityId.
Fields
| Name | Type | Description |
|---|---|---|
| ScenarioId | GUID | — |
| InstanceId | GUID | — |
| OriginalActivityId | GUID | — |
| DiagnosticModuleImageName | UnicodeString | — |
| DiagnosticModuleId | GUID | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Diagnosis-DPS",
"guid": "6BBA3851-2C7E-4DEA-8F54-31E5AFD029E3",
"event_source_name": "",
"event_id": 105,
"version": 0,
"level": 4,
"task": 1,
"opcode": 13,
"keywords": 4611686052787126272,
"time_created": "2023-11-06T06:25:44.322453+00:00",
"event_record_id": 42,
"correlation": {
"ActivityID": "208FDFDB-A4DB-420F-A514-9C4315A6B7D9"
},
"execution": {
"process_id": 3724,
"thread_id": 4228
},
"channel": "Microsoft-Windows-Diagnosis-DPS/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-19"
}
},
"event_data": {
"ScenarioId": "2698178D-FDAD-40AE-9D3C-1371703ADC5B",
"InstanceId": "208FDFDB-A4DB-420F-A514-9C4315A6B7D9",
"OriginalActivityId": "2698178D-FDAD-40AE-9D3C-1371703ADC5B",
"DiagnosticModuleImageName": "%SystemRoot%\\system32\\diagperf.dll",
"DiagnosticModuleId": "15FBA3B8-A37A-4F91-BDBA-FBB98FE804BF"
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 110 — Diagnostic module DiagnosticModuleId (DiagnosticModuleImageName) finished troubleshooting scenario ScenarioId, instance InstanceId, original activity ID OriginalActivityId.
Description
Diagnostic module DiagnosticModuleId (DiagnosticModuleImageName) finished troubleshooting scenario ScenarioId, instance InstanceId, original activity ID OriginalActivityId. No resolution was set by the diagnostic module.
Fields
| Name | Type | Description |
|---|---|---|
| ScenarioId | GUID | — |
| InstanceId | GUID | — |
| OriginalActivityId | GUID | — |
| DiagnosticModuleImageName | UnicodeString | — |
| DiagnosticModuleId | GUID | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Diagnosis-DPS",
"guid": "6BBA3851-2C7E-4DEA-8F54-31E5AFD029E3",
"event_source_name": "",
"event_id": 110,
"version": 0,
"level": 4,
"task": 1,
"opcode": 14,
"keywords": 4611686052787126272,
"time_created": "2023-11-05T22:33:58.076518+00:00",
"event_record_id": 55,
"correlation": {
"ActivityID": "51DC3142-BD1D-4BBF-9040-E1AF3322EAF0"
},
"execution": {
"process_id": 3160,
"thread_id": 3436
},
"channel": "Microsoft-Windows-Diagnosis-DPS/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-19"
}
},
"event_data": {
"ScenarioId": "86432A0B-3C7D-4DDF-A89C-172FAA90485D",
"InstanceId": "51DC3142-BD1D-4BBF-9040-E1AF3322EAF0",
"OriginalActivityId": "86432A0B-3C7D-4DDF-A89C-172FAA90485D",
"DiagnosticModuleImageName": "%SystemRoot%\\system32\\diagperf.dll",
"DiagnosticModuleId": "C8544339-5BE9-4F25-862E-485F1B1A6935"
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 115 — Diagnostic module DiagnosticModuleId (DiagnosticModuleImageName) finished troubleshooting scenario ScenarioId, instance InstanceId, original activity ID OriginalActivityId.
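Description
Diagnostic module DiagnosticModuleId (DiagnosticModuleImageName) finished troubleshooting scenario ScenarioId, instance InstanceId, original activity ID OriginalActivityId. It set resolution ResolutionId for user ResolutionSID in session ResolutionSessionId with expiration date ResolutionExpirationDate. The resolution will be started immediately.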
Fields
| Name | Type | Description |
|---|---|---|
| ScenarioId | GUID | — |
| InstanceId | GUID | — |
| OriginalActivityId | GUID | — |
| DiagnosticModuleImageName | UnicodeString | — |
| ResolutionId | GUID | — |
| ResolutionSID | SID | — |
| ResolutionSessionId | UInt32 | — |
| ResolutionExpirationDate | FILETIME | — |
| DiagnosticModuleId | GUID | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Diagnosis-DPS",
"guid": "6BBA3851-2C7E-4DEA-8F54-31E5AFD029E3",
"event_source_name": "",
"event_id": 115,
"version": 0,
"level": 4,
"task": 1,
"opcode": 15,
"keywords": 4611686052787126272,
"time_created": "2023-11-06T01:57:37.135043+00:00",
"event_record_id": 72,
"correlation": {
"ActivityID": "44552D3D-0E8F-4E4A-B552-A11F4B96A461"
},
"execution": {
"process_id": 3160,
"thread_id": 20000
},
"channel": "Microsoft-Windows-Diagnosis-DPS/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-19"
}
},
"event_data": {
"ScenarioId": "180B3A99-8C39-4F12-B631-2031998EFE45",
"InstanceId": "44552D3D-0E8F-4E4A-B552-A11F4B96A461",
"OriginalActivityId": "00000000-0000-0000-0000-000000000000",
"DiagnosticModuleImageName": "%windir%\\system32\\radardt.dll",
"ResolutionId": "5EE64AFB-398D-4EDB-AF71-3B830219ABF7",
"ResolutionSID": "S-1-5-21-1992711665-1655669231-58201500-1000",
"ResolutionSessionId": 1,
"ResolutionExpirationDate": "1601-01-01T00:00:00.000000Z",
"DiagnosticModuleId": "45DE1EA9-10BC-4F96-9B21-4B6B83DBF476"
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 120 — Diagnostic module DiagnosticModuleId (DiagnosticModuleImageName) finished troubleshooting scenario ScenarioId, instance InstanceId, original activity ID OriginalActivityId.
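Description
Diagnostic module DiagnosticModuleId (DiagnosticModuleImageName) finished troubleshooting scenario ScenarioId, instance InstanceId, original activity ID OriginalActivityId. It set resolution ResolutionId for user ResolutionSID in session ResolutionSessionId with expiration date ResolutionExpirationDate. The resolution was queued to start later.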
Fields
| Name | Type | Description |
|---|---|---|
| ScenarioId | GUID | — |
| InstanceId | GUID | — |
| OriginalActivityId | GUID | — |
| DiagnosticModuleImageName | UnicodeString | — |
| ResolutionId | GUID | — |
| ResolutionSID | SID | — |
| ResolutionSessionId | UInt32 | — |
| ResolutionExpirationDate | FILETIME | — |
| DiagnosticModuleId | GUID | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Diagnosis-DPS",
"guid": "6BBA3851-2C7E-4DEA-8F54-31E5AFD029E3",
"event_source_name": "",
"event_id": 120,
"version": 0,
"level": 4,
"task": 1,
"opcode": 16,
"keywords": 4611686052787126272,
"time_created": "2023-10-25T22:50:15.569431+00:00",
"event_record_id": 34,
"correlation": {
"ActivityID": "13443185-CF4B-4989-8B2A-A73BBD6A6B1A"
},
"execution": {
"process_id": 2912,
"thread_id": 3572
},
"channel": "Microsoft-Windows-Diagnosis-DPS/Operational",
"computer": "WinDevEval",
"security": {
"user_id": "S-1-5-19"
}
},
"event_data": {
"ScenarioId": "3A5D4378-9D2F-4393-B1E5-34F5FA9A1140",
"InstanceId": "13443185-CF4B-4989-8B2A-A73BBD6A6B1A",
"OriginalActivityId": "8E76E1FB-2E89-4557-8E7A-927267F0975C",
"DiagnosticModuleImageName": "%SystemRoot%\\system32\\diagperf.dll",
"ResolutionId": "B171AB1C-60E9-4301-A338-BEAB1C70B3E9",
"ResolutionSID": "S-1-1-0",
"ResolutionSessionId": 0,
"ResolutionExpirationDate": "2024-01-23T22:50:15.559312Z",
"DiagnosticModuleId": "B171AB1C-60E9-4301-A338-BEAB1C70B3E9"
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 125 — Diagnostic module DiagnosticModuleId (DiagnosticModuleImageName) started resolving scenario ScenarioId, instance InstanceId, original activity ID OriginalActivityId.
Description
Diagnostic module DiagnosticModuleId (DiagnosticModuleImageName) started resolving scenario ScenarioId, instance InstanceId, original activity ID OriginalActivityId.
Fields
| Name | Type | Description |
|---|---|---|
| ScenarioId | GUID | — |
| InstanceId | GUID | — |
| OriginalActivityId | GUID | — |
| DiagnosticModuleImageName | UnicodeString | — |
| DiagnosticModuleId | GUID | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Diagnosis-DPS",
"guid": "6BBA3851-2C7E-4DEA-8F54-31E5AFD029E3",
"event_source_name": "",
"event_id": 125,
"version": 0,
"level": 4,
"task": 1,
"opcode": 17,
"keywords": 4611686052787126272,
"time_created": "2023-11-06T01:57:37.136481+00:00",
"event_record_id": 73,
"correlation": {
"ActivityID": "44552D3D-0E8F-4E4A-B552-A11F4B96A461"
},
"execution": {
"process_id": 3160,
"thread_id": 20000
},
"channel": "Microsoft-Windows-Diagnosis-DPS/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-19"
}
},
"event_data": {
"ScenarioId": "180B3A99-8C39-4F12-B631-2031998EFE45",
"InstanceId": "44552D3D-0E8F-4E4A-B552-A11F4B96A461",
"OriginalActivityId": "00000000-0000-0000-0000-000000000000",
"DiagnosticModuleImageName": "%windir%\\system32\\radarrs.dll",
"DiagnosticModuleId": "5EE64AFB-398D-4EDB-AF71-3B830219ABF7"
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 126 — Diagnostic module DiagnosticModuleId (DiagnosticModuleImageName) was queued to start later for scenario ScenarioId, instance InstanceId, original activity ID OriginalActivityId.
Description
Diagnostic module DiagnosticModuleId (DiagnosticModuleImageName) was queued to start later for scenario ScenarioId, instance InstanceId, original activity ID OriginalActivityId.
Fields
| Name | Type | Description |
|---|---|---|
| ScenarioId | GUID | — |
| InstanceId | GUID | — |
| OriginalActivityId | GUID | — |
| DiagnosticModuleImageName | UnicodeString | — |
| DiagnosticModuleId | GUID | — |
Event ID 130 — Diagnostic module DiagnosticModuleId (DiagnosticModuleImageName) finished resolving scenario ScenarioId, instance InstanceId, original activity ID OriginalActivityId.
Description
Diagnostic module DiagnosticModuleId (DiagnosticModuleImageName) finished resolving scenario ScenarioId, instance InstanceId, original activity ID OriginalActivityId.
Fields
| Name | Type | Description |
|---|---|---|
| ScenarioId | GUID | — |
| InstanceId | GUID | — |
| OriginalActivityId | GUID | — |
| DiagnosticModuleImageName | UnicodeString | — |
| DiagnosticModuleId | GUID | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Diagnosis-DPS",
"guid": "6BBA3851-2C7E-4DEA-8F54-31E5AFD029E3",
"event_source_name": "",
"event_id": 130,
"version": 0,
"level": 4,
"task": 1,
"opcode": 19,
"keywords": 4611686052787126272,
"time_created": "2023-11-06T01:57:53.183025+00:00",
"event_record_id": 74,
"correlation": {
"ActivityID": "44552D3D-0E8F-4E4A-B552-A11F4B96A461"
},
"execution": {
"process_id": 3160,
"thread_id": 20000
},
"channel": "Microsoft-Windows-Diagnosis-DPS/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-19"
}
},
"event_data": {
"ScenarioId": "180B3A99-8C39-4F12-B631-2031998EFE45",
"InstanceId": "44552D3D-0E8F-4E4A-B552-A11F4B96A461",
"OriginalActivityId": "00000000-0000-0000-0000-000000000000",
"DiagnosticModuleImageName": "%windir%\\system32\\radarrs.dll",
"DiagnosticModuleId": "5EE64AFB-398D-4EDB-AF71-3B830219ABF7"
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 135 — The Diagnostic Policy Service could not create a diagnostic module host instance for diagnostic module DiagnosticModuleId (DiagnosticModuleImageName).
Description
The Diagnostic Policy Service could not create a diagnostic module host instance for diagnostic module DiagnosticModuleId (DiagnosticModuleImageName). The error code was StatusCode. The scenario ScenarioId, instance InstanceId, original activity ID OriginalActivityId will be discarded.
Fields
| Name | Type | Description |
|---|---|---|
| ScenarioId | GUID | — |
| InstanceId | GUID | — |
| OriginalActivityId | GUID | — |
| StatusCode | UInt32 | — |
| DiagnosticModuleImageName | UnicodeString | — |
| DiagnosticModuleId | GUID | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Diagnosis-DPS",
"guid": "6BBA3851-2C7E-4DEA-8F54-31E5AFD029E3",
"event_source_name": "",
"event_id": 135,
"version": 0,
"level": 2,
"task": 1,
"opcode": 20,
"keywords": 4611686052787126272,
"time_created": "2026-03-13T19:07:40.320523+00:00",
"event_record_id": 31,
"correlation": {
"ActivityID": "9E133514-C13B-49E9-AADB-614204EBAB23"
},
"execution": {
"process_id": 8540,
"thread_id": 8560
},
"channel": "Microsoft-Windows-Diagnosis-DPS/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-19"
}
},
"event_data": {
"ScenarioId": "DC42FF48-E40D-4A60-8675-E71F7E64AA9A",
"InstanceId": "9E133514-C13B-49E9-AADB-614204EBAB23",
"OriginalActivityId": "00000000-0000-0000-0000-000000000000",
"StatusCode": 2147943469,
"DiagnosticModuleImageName": "%windir%\\system32\\fthsvc.dll",
"DiagnosticModuleId": "8D39BD5B-81F8-4B94-A608-6A50BBFF5D15"
},
"message": ""
}
Event ID 140 — The Diagnostic Policy Service encountered an error in file FileName, function FunctionName, line LineNumber: ErrorMessage.
Event ID 145 — This event is raised when the SCM loads the service DLL
Description
This event is raised when the SCM loads the service DLL.
Event ID 150 — This event is raised when the service enters a SERVICE_RUNNING state
Description
This event is raised when the service enters a SERVICE_RUNNING state.
Event ID 155 — This event is raised when the SCM signals the service to shut down.
Description
This event is raised when the SCM signals the service to shut down.
Event ID 160 — This event is raised when the service is successfully stopped
Description
This event is raised when the service is successfully stopped.
Event ID 165 — The Diagnostic Policy Service encountered an error while handling scenario ScenarioId with diagnostic module DiagnosticModuleId (DiagnosticModuleImageName), instance InstanceId, original activity I...
Description
The Diagnostic Policy Service encountered an error while handling scenario ScenarioId with diagnostic module DiagnosticModuleId (DiagnosticModuleImageName), instance InstanceId, original activity ID OriginalActivityId. The error code was StatusCode.
Fields
| Name | Type | Description |
|---|---|---|
| ScenarioId | GUID | — |
| InstanceId | GUID | — |
| OriginalActivityId | GUID | — |
| StatusCode | UInt32 | — |
| DiagnosticModuleImageName | UnicodeString | — |
| DiagnosticModuleId | GUID | — |
Event ID 170 — Diagnostic module DiagnosticModuleId (DiagnosticModuleImageName) encountered an error while handling scenario ScenarioId, instance InstanceId, original activity ID OriginalActivityId.
Description
Diagnostic module DiagnosticModuleId (DiagnosticModuleImageName) encountered an error while handling scenario ScenarioId, instance InstanceId, original activity ID OriginalActivityId. The error code was StatusCode.
Fields
| Name | Type | Description |
|---|---|---|
| ScenarioId | GUID | — |
| InstanceId | GUID | — |
| OriginalActivityId | GUID | — |
| DiagnosticModuleImageName | UnicodeString | — |
| StatusCode | Int32 | — |
| DiagnosticModuleId | GUID | — |
Event ID 175 — Scenario ScenarioId, instance InstanceId, original activity ID OriginalActivityId was dropped by diagnostic module DiagnosticModuleId (DiagnosticModuleImageName).
Description
Scenario ScenarioId, instance InstanceId, original activity ID OriginalActivityId was dropped by diagnostic module DiagnosticModuleId (DiagnosticModuleImageName). The error code was StatusCode.
Fields
| Name | Type | Description |
|---|---|---|
| ScenarioId | GUID | — |
| InstanceId | GUID | — |
| OriginalActivityId | GUID | — |
| DiagnosticModuleImageName | UnicodeString | — |
| StatusCode | Int32 | — |
| DiagnosticModuleId | GUID | — |
Event ID 180 — The Diagnostic Policy Service just refreshed the Group Policy.
Description
The Diagnostic Policy Service just refreshed the Group Policy. This event notifies the diagnostic modules about the Group Policy changes.