Microsoft-Windows-Diagnosis-PCW

20 events across 3 channels

Event ID	Title	Channel
1	Provider ProviderGuid failed to register.	Operational
2	Provider ProviderGuid failed to register counter set CounterSetGuid.	Operational
3	Instance (CounterSetGuid, InstanceName, InstanceId) could not be created.	Operational
4	About to call provider ProviderGuid callback with arguments (CallbackReason, …	Analytic
5	Callback returned.	Analytic
6	Provider ProviderGuid received an invalid notification with size Size.	Debug
7	Provider ProviderGuid received notification: RequestCode.	Debug
8	Provider ProviderGuid notification handler has replied with size Size and error …	Debug
9	Notification returning with status: "Status".	Debug
13	Query of provider ProviderGuid with id Id had data collected.	Analytic
16	Counter CounterId of instance (CounterSetGuid, InstanceName, InstanceId) could …	Operational
17	Provider ProviderGuid failed to unregister.	Operational
18	Instance (CounterSetGuid, InstanceName, InstanceId) could not be closed.	Operational
19	Instance (CounterSetGuid, InstanceName, InstanceId) could not be queried.	Operational
20	Unable to load pcw.	Operational
21	Kernel-mode provider failed to register counter set CounterSetName.	Operational
22	Kernel-mode provider failed to create instance InstanceName of counter set …	Operational
23	Kernel-mode provider failed to add instance InstanceName of counter set …	Operational
24	PCW driver failed when executing ioctl function FunctionIndex.	Analytic
25	PCW device missing during registration of counter set CounterSetGuid of provider …	Debug

Event ID 1 — Provider ProviderGuid failed to register.

Provider: Microsoft-Windows-Diagnosis-PCW
Channel: Operational

Description

Provider ProviderGuid failed to register. Error: "Error".

Message #

Provider %2 failed to register. Error: "%1"

Fields #

Name	Description
`Error` UInt32	—
`ProviderGuid` GUID	—

Event ID 2 — Provider ProviderGuid failed to register counter set CounterSetGuid.

Provider: Microsoft-Windows-Diagnosis-PCW
Channel: Operational

Description

Provider ProviderGuid failed to register counter set CounterSetGuid. Error: "Error".

Message #

Provider %2 failed to register counter set %3. Error: "%1"

Fields #

Name	Description
`Error` UInt32	—
`ProviderGuid` GUID	—
`CounterSetGuid` GUID	—

Event ID 3 — Instance (CounterSetGuid, InstanceName, InstanceId) could not be created.

Provider: Microsoft-Windows-Diagnosis-PCW
Channel: Operational

Description

Instance (CounterSetGuid, InstanceName, InstanceId) could not be created. Error: "Error".

Message #

Instance (%2, %3, %4) could not be created. Error: "%1"

Fields #

Name	Description
`Error` UInt32	—
`CounterSetGuid` GUID	—
`InstanceName` UnicodeString	—
`InstanceId` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Diagnosis-PCW",
    "guid": "AABF8B86-7936-4FA2-ACB0-63127F879DBF",
    "event_source_name": "",
    "event_id": 3,
    "version": 0,
    "level": 0,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854777856,
    "time_created": "2026-03-13T20:26:07.358863+00:00",
    "event_record_id": 2245,
    "correlation": {
      "ActivityID": "010930CA-58CC-4D55-AD7E-3768B763C942"
    },
    "execution": {
      "process_id": 1840,
      "thread_id": 4820
    },
    "channel": "Microsoft-Windows-Diagnosis-PCW/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Error": 183,
    "CounterSetGuid": "90C3888A-474E-4932-9925-ED1DC6731F36",
    "InstanceName": "D66F4153-89DD-4D11-8753-19E1BF9370ED configuration file",
    "InstanceId": 0
  },
  "message": ""
}

Event ID 4 — About to call provider ProviderGuid callback with arguments (CallbackReason, MachineName, MachineNameSize).

Provider: Microsoft-Windows-Diagnosis-PCW
Channel: Analytic

Description

About to call provider ProviderGuid callback with arguments (CallbackReason, MachineName, MachineNameSize).

Message #

About to call provider %1 callback with arguments (%2, %3, %4).

Fields #

Name	Description
`ProviderGuid` GUID	—
`CallbackReason` UInt32	—
`MachineName` UnicodeString	—
`MachineNameSize` UInt32	—

Event ID 5 — Callback returned.

Provider: Microsoft-Windows-Diagnosis-PCW
Channel: Analytic

Description

Callback returned. Return value: "Status".

Message #

Callback returned. Return value: "%1"

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference

Event ID 6 — Provider ProviderGuid received an invalid notification with size Size.

Provider: Microsoft-Windows-Diagnosis-PCW
Channel: Debug

Description

Provider ProviderGuid received an invalid notification with size Size.

Message #

Provider %1 received an invalid notification with size %2.

Fields #

Name	Description
`ProviderGuid` GUID	—
`Size` UInt32	—

Event ID 7 — Provider ProviderGuid received notification: RequestCode.

Provider: Microsoft-Windows-Diagnosis-PCW
Channel: Debug

Description

Provider ProviderGuid received notification: RequestCode.

Message #

Provider %1 received notification: %2.

Fields #

Name	Description
`ProviderGuid` GUID	—
`RequestCode` UInt32	—

Event ID 8 — Provider ProviderGuid notification handler has replied with size Size and error code "Status".

Provider: Microsoft-Windows-Diagnosis-PCW
Channel: Debug

Description

Provider ProviderGuid notification handler has replied with size Size and error code "Status".

Message #

Provider %1 notification handler has replied with size %3 and error code "%2".

Fields #

Name	Description
`ProviderGuid` GUID	—
`Status` UInt32	— NTSTATUS reference
`Size` UInt32	—

Event ID 9 — Notification returning with status: "Status".

Provider: Microsoft-Windows-Diagnosis-PCW
Channel: Debug

Description

Notification returning with status: "Status".

Message #

Notification returning with status: "%1"

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference

Event ID 13 — Query of provider ProviderGuid with id Id had data collected.

Provider: Microsoft-Windows-Diagnosis-PCW
Channel: Analytic

Description

Query of provider ProviderGuid with id Id had data collected.

Message #

Query of provider %1 with id %2 had data collected.

Fields #

Name	Description
`ProviderGuid` GUID	—
`Id` UInt64	—

Event ID 16 — Counter CounterId of instance (CounterSetGuid, InstanceName, InstanceId) could not be modified.

Provider: Microsoft-Windows-Diagnosis-PCW
Channel: Operational

Description

Counter CounterId of instance (CounterSetGuid, InstanceName, InstanceId) could not be modified. Error: "Error".

Message #

Counter %5 of instance (%2, %3, %4) could not be modified. Error: "%1"

Fields #

Name	Description
`Error` UInt32	—
`CounterSetGuid` GUID	—
`InstanceName` UnicodeString	—
`InstanceId` UInt32	—
`CounterId` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Diagnosis-PCW",
    "guid": "AABF8B86-7936-4FA2-ACB0-63127F879DBF",
    "event_source_name": "",
    "event_id": 16,
    "version": 0,
    "level": 0,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854777856,
    "time_created": "2022-04-07T08:15:12.584665+00:00",
    "event_record_id": 352,
    "correlation": {},
    "execution": {
      "process_id": 1300,
      "thread_id": 1856
    },
    "channel": "Microsoft-Windows-Diagnosis-PCW/Operational",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "Error": 1168,
    "CounterSetGuid": "40E6824E-1B9B-4329-9A6E-E94C8FB03A3F",
    "InstanceName": "_Default",
    "InstanceId": 0,
    "CounterId": 84
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 17 — Provider ProviderGuid failed to unregister.

Provider: Microsoft-Windows-Diagnosis-PCW
Channel: Operational

Description

Provider ProviderGuid failed to unregister. Error: "Error".

Message #

Provider %2 failed to unregister. Error: "%1"

Fields #

Name	Description
`Error` UInt32	—
`ProviderGuid` GUID	—

Event ID 18 — Instance (CounterSetGuid, InstanceName, InstanceId) could not be closed.

Provider: Microsoft-Windows-Diagnosis-PCW
Channel: Operational

Description

Instance (CounterSetGuid, InstanceName, InstanceId) could not be closed. Error: "Error".

Message #

Instance (%2, %3, %4) could not be closed. Error: "%1"

Fields #

Name	Description
`Error` UInt32	—
`CounterSetGuid` GUID	—
`InstanceName` UnicodeString	—
`InstanceId` UInt32	—

Event ID 19 — Instance (CounterSetGuid, InstanceName, InstanceId) could not be queried.

Provider: Microsoft-Windows-Diagnosis-PCW
Channel: Operational

Description

Instance (CounterSetGuid, InstanceName, InstanceId) could not be queried. Error: "Error".

Message #

Instance (%2, %3, %4) could not be queried. Error: "%1"

Fields #

Name	Description
`Error` UInt32	—
`CounterSetGuid` GUID	—
`InstanceName` UnicodeString	—
`InstanceId` UInt32	—

Event ID 20 — Unable to load pcw.

Provider: Microsoft-Windows-Diagnosis-PCW
Channel: Operational

Description

Unable to load pcw.sys, phase Phase failed. Error: "ErrorCode".

Message #

Unable to load pcw.sys, phase %2 failed. Error: "%1"

Fields #

Name	Description
`ErrorCode` UInt32	—
`Phase` UInt32	—

Event ID 21 — Kernel-mode provider failed to register counter set CounterSetName.

Provider: Microsoft-Windows-Diagnosis-PCW
Channel: Operational

Description

Kernel-mode provider failed to register counter set CounterSetName. Error: "ErrorCode".

Message #

Kernel-mode provider failed to register counter set %3. Error: "%1"

Fields #

Name	Description
`ErrorCode` UInt32	—
`CounterSetNameLength` UInt16	—
`CounterSetName` UnicodeString	—

Event ID 22 — Kernel-mode provider failed to create instance InstanceName of counter set CounterSetName.

Provider: Microsoft-Windows-Diagnosis-PCW
Channel: Operational

Description

Kernel-mode provider failed to create instance InstanceName of counter set CounterSetName. Error: "ErrorCode".

Message #

Kernel-mode provider failed to create instance %5 of counter set %3. Error: "%1"

Fields #

Name	Description
`ErrorCode` UInt32	—
`CounterSetNameLength` UInt16	—
`CounterSetName` UnicodeString	—
`InstanceNameLength` UInt16	—
`InstanceName` UnicodeString	—

Event ID 23 — Kernel-mode provider failed to add instance InstanceName of counter set CounterSetName.

Provider: Microsoft-Windows-Diagnosis-PCW
Channel: Operational

Description

Kernel-mode provider failed to add instance InstanceName of counter set CounterSetName. Error: "ErrorCode".

Message #

Kernel-mode provider failed to add instance %5 of counter set %3. Error: "%1"

Fields #

Name	Description
`ErrorCode` UInt32	—
`CounterSetNameLength` UInt16	—
`CounterSetName` UnicodeString	—
`InstanceNameLength` UInt16	—
`InstanceName` UnicodeString	—

Event ID 24 — PCW driver failed when executing ioctl function FunctionIndex.

Provider: Microsoft-Windows-Diagnosis-PCW
Channel: Analytic

Description

PCW driver failed when executing ioctl function FunctionIndex. Error: "ErrorCode".

Message #

PCW driver failed when executing ioctl function %2. Error: "%1"

Fields #

Name	Description
`ErrorCode` UInt32	—
`FunctionIndex` UInt32	—

Event ID 25 — PCW device missing during registration of counter set CounterSetGuid of provider ProviderGuid.

Provider: Microsoft-Windows-Diagnosis-PCW
Channel: Debug

Description

PCW device missing during registration of counter set CounterSetGuid of provider ProviderGuid.

Message #

PCW device missing during registration of counter set %2 of provider %1.

Fields #

Name	Description
`ProviderGuid` GUID	—
`CounterSetGuid` GUID	—