Microsoft-Windows-Diagnosis-PCW

20 events across 3 channels

Event ID	Title	Channel
1	Provider %2 failed to register.	Operational
2	Provider %2 failed to register counter set %3.	Operational
3	Instance (%2, %3, %4) could not be created.	Operational
4	About to call provider %1 callback with arguments (%2, %3, %4).	Analytic
5	Callback returned.	Analytic
6	Provider %1 received an invalid notification with size %2.	Debug
7	Provider %1 received notification: %2.	Debug
8	Provider %1 notification handler has replied with size %3 and error code "%2".	Debug
9	Notification returning with status: ".	Debug
13	Query of provider %1 with id %2 had data collected.	Analytic
16	Counter %5 of instance (%2, %3, %4) could not be modified.	Operational
17	Provider %2 failed to unregister.	Operational
18	Instance (%2, %3, %4) could not be closed.	Operational
19	Instance (%2, %3, %4) could not be queried.	Operational
20	Unable to load pcw.	Operational
21	Kernel-mode provider failed to register counter set %3.	Operational
22	Kernel-mode provider failed to create instance %5 of counter set %3.	Operational
23	Kernel-mode provider failed to add instance %5 of counter set %3.	Operational
24	PCW driver failed when executing ioctl function %2.	Analytic
25	PCW device missing during registration of counter set %2 of provider %1.	Debug

Event ID 1 — Provider %2 failed to register.

Provider: Microsoft-Windows-Diagnosis-PCW
Channel: Operational

Message

Provider %2 failed to register. Error: "%1"

Fields

Name	Description
`Error`	—
`ProviderGuid`	—

Event ID 2 — Provider %2 failed to register counter set %3.

Provider: Microsoft-Windows-Diagnosis-PCW
Channel: Operational

Message

Provider %2 failed to register counter set %3. Error: "%1"

Fields

Name	Description
`Error`	—
`ProviderGuid`	—
`CounterSetGuid`	—

Event ID 3 — Instance (%2, %3, %4) could not be created.

Provider: Microsoft-Windows-Diagnosis-PCW
Channel: Operational

Message

Instance (%2, %3, %4) could not be created. Error: "%1"

Fields

Name	Description
`Error`	—
`CounterSetGuid`	—
`InstanceName`	—
`InstanceId`	—

Event ID 4 — About to call provider %1 callback with arguments (%2, %3, %4).

Provider: Microsoft-Windows-Diagnosis-PCW
Channel: Analytic

Message

About to call provider %1 callback with arguments (%2, %3, %4).

Fields

Name	Description
`ProviderGuid`	—
`CallbackReason`	—
`MachineName`	—
`MachineNameSize`	—

Event ID 5 — Callback returned.

Provider: Microsoft-Windows-Diagnosis-PCW
Channel: Analytic

Message

Callback returned. Return value: "%1"

Fields

Name	Description
`Status`	—

Event ID 6 — Provider %1 received an invalid notification with size %2.

Provider: Microsoft-Windows-Diagnosis-PCW
Channel: Debug

Message

Provider %1 received an invalid notification with size %2.

Fields

Name	Description
`ProviderGuid`	—
`Size`	—

Event ID 7 — Provider %1 received notification: %2.

Provider: Microsoft-Windows-Diagnosis-PCW
Channel: Debug

Message

Provider %1 received notification: %2.

Fields

Name	Description
`ProviderGuid`	—
`RequestCode`	—

Event ID 8 — Provider %1 notification handler has replied with size %3 and error code "%2".

Provider: Microsoft-Windows-Diagnosis-PCW
Channel: Debug

Message

Provider %1 notification handler has replied with size %3 and error code "%2".

Fields

Name	Description
`ProviderGuid`	—
`Status`	—
`Size`	—

Event ID 9 — Notification returning with status: ".

Provider: Microsoft-Windows-Diagnosis-PCW
Channel: Debug

Message

Notification returning with status: "%1"

Fields

Name	Description
`Status`	—

Event ID 13 — Query of provider %1 with id %2 had data collected.

Provider: Microsoft-Windows-Diagnosis-PCW
Channel: Analytic

Message

Query of provider %1 with id %2 had data collected.

Fields

Name	Description
`ProviderGuid`	—
`Id`	—

Event ID 16 — Counter %5 of instance (%2, %3, %4) could not be modified.

Provider: Microsoft-Windows-Diagnosis-PCW
Channel: Operational
Samples: 1

Message

Counter %5 of instance (%2, %3, %4) could not be modified. Error: "%1"

Fields

Name	Description
`Error`	—
`CounterSetGuid`	—
`InstanceName`	—
`InstanceId`	—
`CounterId`	—

Example Event

system:
  provider: Microsoft-Windows-Diagnosis-PCW
  guid: AABF8B86-7936-4FA2-ACB0-63127F879DBF
  event_source_name: ''
  event_id: 16
  version: 0
  level: 0
  task: 0
  opcode: 0
  keywords: 9223372036854777856
  time_created: '2022-04-07T08:15:12.584665+00:00'
  event_record_id: 352
  correlation: {}
  execution:
    process_id: 1300
    thread_id: 1856
  channel: Microsoft-Windows-Diagnosis-PCW/Operational
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-19
event_data:
  Error: 1168
  CounterSetGuid: 40E6824E-1B9B-4329-9A6E-E94C8FB03A3F
  InstanceName: _Default
  InstanceId: 0
  CounterId: 84
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 17 — Provider %2 failed to unregister.

Provider: Microsoft-Windows-Diagnosis-PCW
Channel: Operational

Message

Provider %2 failed to unregister. Error: "%1"

Fields

Name	Description
`Error`	—
`ProviderGuid`	—

Event ID 18 — Instance (%2, %3, %4) could not be closed.

Provider: Microsoft-Windows-Diagnosis-PCW
Channel: Operational

Message

Instance (%2, %3, %4) could not be closed. Error: "%1"

Fields

Name	Description
`Error`	—
`CounterSetGuid`	—
`InstanceName`	—
`InstanceId`	—

Event ID 19 — Instance (%2, %3, %4) could not be queried.

Provider: Microsoft-Windows-Diagnosis-PCW
Channel: Operational

Message

Instance (%2, %3, %4) could not be queried. Error: "%1"

Fields

Name	Description
`Error`	—
`CounterSetGuid`	—
`InstanceName`	—
`InstanceId`	—

Event ID 20 — Unable to load pcw.

Provider: Microsoft-Windows-Diagnosis-PCW
Channel: Operational

Message

Unable to load pcw.sys, phase %2 failed. Error: "%1"

Fields

Name	Description
`ErrorCode`	—
`Phase`	—

Event ID 21 — Kernel-mode provider failed to register counter set %3.

Provider: Microsoft-Windows-Diagnosis-PCW
Channel: Operational

Message

Kernel-mode provider failed to register counter set %3. Error: "%1"

Fields

Name	Description
`ErrorCode`	—
`CounterSetNameLength`	—
`CounterSetName`	—

Event ID 22 — Kernel-mode provider failed to create instance %5 of counter set %3.

Provider: Microsoft-Windows-Diagnosis-PCW
Channel: Operational

Message

Kernel-mode provider failed to create instance %5 of counter set %3. Error: "%1"

Fields

Name	Description
`ErrorCode`	—
`CounterSetNameLength`	—
`CounterSetName`	—
`InstanceNameLength`	—
`InstanceName`	—

Event ID 23 — Kernel-mode provider failed to add instance %5 of counter set %3.

Provider: Microsoft-Windows-Diagnosis-PCW
Channel: Operational

Message

Kernel-mode provider failed to add instance %5 of counter set %3. Error: "%1"

Fields

Name	Description
`ErrorCode`	—
`CounterSetNameLength`	—
`CounterSetName`	—
`InstanceNameLength`	—
`InstanceName`	—

Event ID 24 — PCW driver failed when executing ioctl function %2.

Provider: Microsoft-Windows-Diagnosis-PCW
Channel: Analytic

Message

PCW driver failed when executing ioctl function %2. Error: "%1"

Fields

Name	Description
`ErrorCode`	—
`FunctionIndex`	—

Event ID 25 — PCW device missing during registration of counter set %2 of provider %1.

Provider: Microsoft-Windows-Diagnosis-PCW
Channel: Debug

Message

PCW device missing during registration of counter set %2 of provider %1.

Fields

Name	Description
`ProviderGuid`	—
`CounterSetGuid`	—