Event ID 115 — Diagnostic module DiagnosticModuleId (DiagnosticModuleImageName) finished troubleshooting scenario ScenarioId, instance InstanceId, original activity ID OriginalActivityId.
Description
Diagnostic module () finished troubleshooting scenario , instance , original activity ID . It set resolution for user in session with expiration date . The resolution will be started immediately.
Message
Fields
| Name | Type | Description |
|---|---|---|
| ScenarioId | GUID | — |
| InstanceId | GUID | — |
| OriginalActivityId | GUID | — |
| DiagnosticModuleImageName | UnicodeString | — |
| ResolutionId | GUID | — |
| ResolutionSID | SID | — |
| ResolutionSessionId | UInt32 | — |
| ResolutionExpirationDate | FILETIME | — |
| DiagnosticModuleId | GUID | — |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Diagnosis-DPS",
    "guid": "6BBA3851-2C7E-4DEA-8F54-31E5AFD029E3",
    "event_source_name": "",
    "event_id": 115,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 15,
    "keywords": 4611686052787126272,
    "time_created": "2023-11-06T01:57:37.135043+00:00",
    "event_record_id": 72,
    "correlation": {
      "ActivityID": "44552D3D-0E8F-4E4A-B552-A11F4B96A461"
    },
    "execution": {
      "process_id": 3160,
      "thread_id": 20000
    },
    "channel": "Microsoft-Windows-Diagnosis-DPS/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "ScenarioId": "180B3A99-8C39-4F12-B631-2031998EFE45",
    "InstanceId": "44552D3D-0E8F-4E4A-B552-A11F4B96A461",
    "OriginalActivityId": "00000000-0000-0000-0000-000000000000",
    "DiagnosticModuleImageName": "%windir%\\system32\\radardt.dll",
    "ResolutionId": "5EE64AFB-398D-4EDB-AF71-3B830219ABF7",
    "ResolutionSID": "S-1-5-21-1992711665-1655669231-58201500-1000",
    "ResolutionSessionId": 1,
    "ResolutionExpirationDate": "1601-01-01T00:00:00.000000Z",
    "DiagnosticModuleId": "45DE1EA9-10BC-4F96-9B21-4B6B83DBF476"
  },
  "message": ""
}
```
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline