Message

Windows has started up: 

     Boot Duration		:	%6ms

     IsDegradation		:	%26

     Incident Time (UTC)	:	%2

Fields

Example Event

system:
  provider: Microsoft-Windows-Diagnostics-Performance
  guid: CFC18EC0-96B1-4EBA-961B-622CAEE05B0A
  event_source_name: ''
  event_id: 100
  version: 2
  level: 1
  task: 4002
  opcode: 34
  keywords: 9223372036854841344
  time_created: '2023-11-05T22:33:58.036254+00:00'
  event_record_id: 38
  correlation:
    ActivityID: E4DB489E-1037-0003-0982-DBE43710DA01
  execution:
    process_id: 3160
    thread_id: 3556
  channel: Microsoft-Windows-Diagnostics-Performance/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-19
event_data:
  BootTsVersion: 2
  BootStartTime: '2023-11-05T22:32:00.970725Z'
  BootEndTime: '2023-11-05T22:33:56.389945Z'
  SystemBootInstance: 8
  UserBootInstance: 2
  BootTime: 110680
  MainPathBootTime: 34629
  BootKernelInitTime: 164
  BootDriverInitTime: 1567
  BootDevicesInitTime: 2810
  BootPrefetchInitTime: 0
  BootPrefetchBytes: 0
  BootAutoChkTime: 0
  BootSmssInitTime: 6391
  BootCriticalServicesInitTime: 1441
  BootUserProfileProcessingTime: 1084
  BootMachineProfileProcessingTime: 456
  BootExplorerInitTime: 18858
  BootNumStartupApps: 3
  BootPostBootTime: 76051
  BootIsRebootAfterInstall: false
  BootRootCauseStepImprovementBits: 0
  BootRootCauseGradualImprovementBits: 0
  BootRootCauseStepDegradationBits: 13631488
  BootRootCauseGradualDegradationBits: 13631488
  BootIsDegradation: true
  BootIsStepDegradation: true
  BootIsGradualDegradation: true
  BootImprovementDelta: 0
  BootDegradationDelta: 68995
  BootIsRootCauseIdentified: true
  OSLoaderDuration: 3107
  BootPNPInitStartTimeMS: 164
  BootPNPInitDuration: 4163
  OtherKernelInitDuration: 445
  SystemPNPInitStartTimeMS: 4495
  SystemPNPInitDuration: 1301
  SessionInitStartTimeMS: 5910
  Session0InitDuration: 1013
  Session1InitDuration: 219
  SessionInitOtherDuration: 5158
  WinLogonStartTimeMS: 12302
  OtherLogonInitActivityDuration: 1926
  UserLogonWaitDuration: 4739
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

This application took longer than usual to start up, resulting in a performance degradation in the system startup process: 

     File Name		:	%3

     Friendly Name		:	%5

     Version		:	%7

     Total Time		:	%8ms

     Degradation Time	:	%9ms

     Incident Time (UTC)	:	%1

Fields

Example Event

system:
  provider: Microsoft-Windows-Diagnostics-Performance
  guid: CFC18EC0-96B1-4EBA-961B-622CAEE05B0A
  event_source_name: ''
  event_id: 101
  version: 1
  level: 3
  task: 4002
  opcode: 33
  keywords: 9223372036854841344
  time_created: '2023-11-05T22:33:58.036338+00:00'
  event_record_id: 44
  correlation:
    ActivityID: E4DB489E-1037-0003-0982-DBE43710DA01
  execution:
    process_id: 3160
    thread_id: 3556
  channel: Microsoft-Windows-Diagnostics-Performance/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-19
event_data:
  StartTime: '2023-11-05T22:32:00.970725Z'
  NameLength: 28
  Name: StartMenuExperienceHost.exe
  FriendlyNameLength: 30
  FriendlyName: Windows Start Experience Host
  VersionLength: 39
  Version: 10.0.22621.2361 (WinBuild.160101.0800)
  TotalTime: 6125
  DegradationTime: 3625
  PathLength: 106
  Path: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  ProductNameLength: 37
  ProductName: Microsoft® Windows® Operating System
  CompanyNameLength: 22
  CompanyName: Microsoft Corporation
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

This driver took longer to initialize, resulting in a performance degradation in the system start up process: 

     File Name		:	%3

     Friendly Name		:	%5

     Version		:	%7

     Total Time		:	%8ms

     Degradation Time	:	%9ms

     Incident Time (UTC)	:	%1

Fields

Example Event

system:
  provider: Microsoft-Windows-Diagnostics-Performance
  guid: CFC18EC0-96B1-4EBA-961B-622CAEE05B0A
  event_source_name: ''
  event_id: 102
  version: 1
  level: 3
  task: 4002
  opcode: 33
  keywords: 9223372036854841344
  time_created: '2023-10-25T22:05:44.601509+00:00'
  event_record_id: 25
  correlation:
    ActivityID: 028F2288-078F-0001-413E-8F028F07DA01
  execution:
    process_id: 2484
    thread_id: 3796
  channel: Microsoft-Windows-Diagnostics-Performance/Operational
  computer: WinDevEval
  security:
    user_id: S-1-5-19
event_data:
  StartTime: '2023-10-25T22:02:56.552302Z'
  NameLength: 7
  Name: VfpExt
  FriendlyNameLength: 30
  FriendlyName: Microsoft Azure VFP Extension
  VersionLength: 36
  Version: 10.0.22621.1 (WinBuild.160101.0800)
  TotalTime: 8403
  DegradationTime: 6903
  PathLength: 39
  Path: C:\Windows\system32\drivers\vfpext.sys
  ProductNameLength: 37
  ProductName: Microsoft® Windows® Operating System
  CompanyNameLength: 22
  CompanyName: Microsoft Corporation
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

This startup service took longer than expected to startup, resulting in a performance degradation in the system start up process: 

     File Name		:	%3

     Friendly Name		:	%5

     Version		:	%7

     Total Time		:	%8ms

     Degradation Time	:	%9ms

     Incident Time (UTC)	:	%1

Fields

Message

Core system took longer to initialize, resulting in a performance degradation in the system start up process: 

     Name		:	%3

     Total Time		:	%4ms

     Degradation Time	:	%5ms

     Incident Time (UTC)	:	%1

Fields

Message

Foreground optimizations (prefetching) took longer to complete, resulting in a performance degradation in the system start up process: 

     Name		:	%3

     Total Time		:	%4ms

     Degradation Time	:	%5ms

     Incident Time (UTC)	:	%1

Fields

Message

Background optimizations (prefetching) took longer to complete, resulting in a performance degradation in the system start up process: 

     Name		:	%3

     Total Time		:	%4ms

     Degradation Time	:	%5ms

     Incident Time (UTC)	:	%1

Fields

Message

Application of machine policy caused a slow down in the system start up process: 

     Name		:	%3

     Total Time		:	%4ms

     Degradation Time	:	%5ms

     Incident Time (UTC)	:	%1

Fields

Message

Application of user policy caused a slow down in the system start up process: 

     Name		:	%3

     Total Time		:	%4ms

     Degradation Time	:	%5ms

     Incident Time (UTC)	:	%1

Fields

Message

This device took longer to initialize, resulting in a performance degradation in the system start up process: 

     File Name		:	%3

     Friendly Name		:	%5

     Version		:	%7

     Total Time		:	%8ms

     Degradation Time	:	%9ms

     Incident Time (UTC)	:	%1

Fields

Message

Session manager initialization caused a slow down in the startup process: 

     Name		:	%3

     Total Time		:	%4ms

     Degradation Time	:	%5ms

     Incident Time (UTC)	:	%1

Fields

Example Event

system:
  provider: Microsoft-Windows-Diagnostics-Performance
  guid: CFC18EC0-96B1-4EBA-961B-622CAEE05B0A
  event_source_name: ''
  event_id: 110
  version: 1
  level: 3
  task: 4002
  opcode: 33
  keywords: 9223372036854841344
  time_created: '2023-10-25T22:05:44.601513+00:00'
  event_record_id: 26
  correlation:
    ActivityID: 028F2288-078F-0001-413E-8F028F07DA01
  execution:
    process_id: 2484
    thread_id: 3796
  channel: Microsoft-Windows-Diagnostics-Performance/Operational
  computer: WinDevEval
  security:
    user_id: S-1-5-19
event_data:
  StartTime: '2023-10-25T22:02:56.552302Z'
  NameLength: 9
  Name: SMSSInit
  TotalTime: 17567
  DegradationTime: 7567
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

Windows has shutdown: 

     Shutdown Duration	:	%4ms

     IsDegradation		:	%16

     Incident Time (UTC)	:	%2

Fields

Example Event

system:
  provider: Microsoft-Windows-Diagnostics-Performance
  guid: CFC18EC0-96B1-4EBA-961B-622CAEE05B0A
  event_source_name: ''
  event_id: 200
  version: 1
  level: 3
  task: 4007
  opcode: 40
  keywords: 9223372036854841344
  time_created: '2023-11-05T22:33:56.991516+00:00'
  event_record_id: 36
  correlation:
    ActivityID: E4DB489E-1037-0001-FD89-DBE43710DA01
  execution:
    process_id: 3160
    thread_id: 3468
  channel: Microsoft-Windows-Diagnostics-Performance/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-19
event_data:
  ShutdownTsVersion: 1
  ShutdownStartTime: '2023-11-05T22:31:30.287074Z'
  ShutdownEndTime: '2023-11-05T22:31:43.106260Z'
  ShutdownTime: 12819
  ShutdownUserSessionTime: 3778
  ShutdownUserPolicyTime: 17
  ShutdownUserProfilesTime: 236
  ShutdownSystemSessionsTime: 6148
  ShutdownPreShutdownNotificationsTime: 1596
  ShutdownServicesTime: 4185
  ShutdownKernelTime: 2892
  ShutdownRootCauseStepImprovementBits: 0
  ShutdownRootCauseGradualImprovementBits: 0
  ShutdownRootCauseStepDegradationBits: 72
  ShutdownRootCauseGradualDegradationBits: 0
  ShutdownIsDegradation: true
  ShutdownTimeChange: 0
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

This application caused a delay in the system shutdown process: 

     File Name		:	%3

     Friendly Name		:	%5

     Version		:	%7

     Total Time		:	%8ms

     Degradation Time	:	%9ms

     Incident Time (UTC)	:	%1

Fields

Message

This device caused a delay in the system shutdown process: 

     File Name		:	%3

     Friendly Name		:	%5

     Version		:	%7

     Total Time		:	%8ms

     Degradation Time	:	%9ms

     Incident Time (UTC)	:	%1

Fields

Message

This service caused a delay in the system shutdown process: 

     File Name		:	%3

     Friendly Name		:	%5

     Version		:	%7

     Total Time		:	%8ms

     Degradation Time	:	%9ms

     Incident Time (UTC)	:	%1

Fields

Example Event

system:
  provider: Microsoft-Windows-Diagnostics-Performance
  guid: CFC18EC0-96B1-4EBA-961B-622CAEE05B0A
  event_source_name: ''
  event_id: 203
  version: 1
  level: 3
  task: 4007
  opcode: 41
  keywords: 9223372036854841344
  time_created: '2023-11-05T22:33:56.991549+00:00'
  event_record_id: 37
  correlation:
    ActivityID: E4DB489E-1037-0001-FD89-DBE43710DA01
  execution:
    process_id: 3160
    thread_id: 3468
  channel: Microsoft-Windows-Diagnostics-Performance/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-19
event_data:
  StartTime: '2023-11-05T22:31:30.287074Z'
  NameLength: 10
  Name: WinDefend
  FriendlyNameLength: 0
  FriendlyName: ''
  VersionLength: 0
  Version: ''
  TotalTime: 4054
  DegradationTime: 54
  PathLength: 83
  Path: '"c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe"'
  ProductNameLength: 0
  ProductName: ''
  CompanyNameLength: 0
  CompanyName: ''
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

Windows has resumed from standby: 

     Standby Duration		:	%7ms

     Standby Incident Time (UTC)	:	%5

     Resume  Duration		:	%39ms

     Resume  Incident Time (UTC)	:	%37

     IsDegradation			:	%51

Fields

Message

This application caused a delay during standby: 

     File Name		:	%3

     Friendly Name		:	%5

     Version		:	%7

     Total Time		:	%8ms

     Degradation Time	:	%9ms

     Incident Time (UTC)	:	%1

Fields

Message

This driver caused a delay during standby while servicing a device:

     Driver File Name		:	%3

     Driver Friendly Name		:	%5

     Driver Version			:	%7

     Driver Total Time		:	%8ms

     Driver Degradation Time	:	%9ms

     Incident Time (UTC)		:	%1

     Device Name			:	%17

     Device Friendly Name		:	%19

     Device Total Time		:	%20ms

     Device Degradation Time	:	%21ms

Fields

Message

This service caused a delay during hybrid-sleep: 

     File Name		:	%3

     Friendly Name		:	%5

     Version		:	%7

     Total Time		:	%8ms

     Degradation Time	:	%9ms

     Incident Time (UTC)	:	%1

Fields

Message

Creation of the hiber-file was slower than expected: 

     Name		:	%3

     Total Time		:	%4ms

     Degradation Time	:	%5ms

     Incident Time (UTC)	:	%1

Fields

Message

Persisting disk caches was slower than expected: 

     Name		:	%3

     Total Time		:	%4ms

     Degradation Time	:	%5ms

     Incident Time (UTC)	:	%1

Fields

Message

Preparing the video subsystem for sleep was slower than expected: 

     Name		:	%3

     Total Time		:	%4ms

     Degradation Time	:	%5ms

     Incident Time (UTC)	:	%1

Fields

Message

Preparing Winlogon for sleep was slower than expected: 

     Name		:	%3

     Total Time		:	%4ms

     Degradation Time	:	%5ms

     Incident Time (UTC)	:	%1

Fields

Message

Preparing system memory for sleep was slower than expected: 

     Name		:	%3

     Total Time		:	%4ms

     Degradation Time	:	%5ms

     Incident Time (UTC)	:	%1

Fields

Message

Preparing core system for sleep was slower than expected: 

     Name		:	%3

     Total Time		:	%4ms

     Degradation Time	:	%5ms

     Incident Time (UTC)	:	%1

Fields

Message

Preparing system worker threads for sleep was slower than expected: 

     Name		:	%3

     Total Time		:	%4ms

     Degradation Time	:	%5ms

     Incident Time (UTC)	:	%1

Fields

Message

Bios initialization time was greater than 250ms (logo requirement) during system resume: 

     Name		:	%3

     Total Time		:	%4ms

     Degradation Time	:	%5ms

     Incident Time (UTC)	:	%1

Fields

Message

This driver responded slower than expected to the resume request while servicing this device: 

     Driver File Name		:	%3

     Driver Friendly Name		:	%5

     Driver Version			:	%7

     Driver Total Time		:	%8ms

     Driver Degradation Time	:	%9ms

     Incident Time (UTC)		:	%1

     Device Name			:	%17

     Device Friendly Name		:	%19

     Device Total Time		:	%20ms

     Device Degradation Time	:	%21ms

Fields

Message

Reading the hiber-file was slower than expected: 

     Name		:	%3

     Total Time		:	%4ms

     Degradation Time	:	%5ms

     Incident Time (UTC)	:	%1

Fields

Message

Information about the system performance monitoring event: 

     Scenario		:	%3

     Analysis result		:	%6

     Incident Time (UTC)	:	%1

Fields

Message

This process is using up processor time and is impacting the performance of Windows: 

     File Name		:	%3

     Friendly Name		:	%5

     Version		:	%7

     Thread time		:	%8ms

     Blocked Time		:	%9ms

     Incident Time (UTC)	:	%1

Fields

Message

This process is doing excessive disk activities and is impacting the performance of Windows: 

     File Name		:	%3

     Friendly Name		:	%5

     Version		:	%7

     Thread time		:	%8ms

     Blocked Time		:	%9ms

     Incident Time (UTC)	:	%1

Fields

Message

This driver is using up too many resources and is impacting the performance of Windows: 

     File Name		:	%3

     Friendly Name		:	%5

     Version		:	%7

     Thread time		:	%8ms

     Blocked Time		:	%9ms

     Incident Time (UTC)	:	%1

Fields

Message

This driver is waiting longer than expected on a device: 

     File Name		:	%3

     Friendly Name		:	%5

     Version		:	%7

     Thread time		:	%8ms

     Blocked Time		:	%9ms

     Incident Time (UTC)	:	%1

Fields

Message

This file is fragmented and is impacting the performance of Windows: 

     File Name		:	%3

     Friendly Name		:	%5

     Version		:	%7

     Thread time		:	%8ms

     Blocked Time		:	%9ms

     Incident Time (UTC)	:	%1

Fields

Message

Disk IO to this file is taking longer than expected: 

     File Name		:	%3

     Friendly Name		:	%5

     Version		:	%7

     Thread time		:	%8ms

     Blocked Time		:	%9ms

     Incident Time (UTC)	:	%1

Fields

Message

This process is using up too much system memory: 

     File Name		:	%3

     Friendly Name		:	%5

     Version		:	%7

     Workingset size	:	%8Kb

     Percent memory	:	%11

     Incident Time (UTC)	:	%1

Fields

Message

Many processes are using too much system memory: 

     Workingset size	:	%2Kb

     Percent memory	:	%3

     Incident Time (UTC)	:	%1

Fields

Message

The Desktop Window Manager is experiencing heavy resource contention. 

     Scenario	:	%5

Fields

Message

The Desktop Window Manager is experiencing heavy resource contention.

     Reason	:	%1

     Diagnosis	:	%2

Fields

Message

Status

Fields

Message

Status

Fields

Message

Status

Fields

Message

Status

Fields

Message

Status

Message

Status

Fields

Message

Status

Message

Status

Fields

Message

Status

Message

Status

Fields

Message

Status

Message

Status

Fields

Message

Status

Fields

Message

Status

Message

Status

Message

Status

Fields

Message

Status

Message

Status

Message

Status

Message

Status

Fields

Message

Status

Message

Status

Fields

Message

Status

Message

Status

Message

Status

Message

Status

Message

Status

Fields

Message

Status

Fields

Message

Status

Fields

Message

Status

Fields

Message

Status

Fields

Message

Status

Fields

Message

Status

Fields

Message

Status

Fields

Message

Status

Fields

Message

Status

Fields

Message

Status

Fields

Message

Status

Fields

Message

Status

Message

Status

Message

Status

Message

Status

Message

Status

Message

Status

Message

Status

Message

Status

Fields

Message

Status

Fields

Message

Status

Message

Status

Fields

Message

Status

Message

Status

Fields

Message

Status

Fields

Message

Status

Message

Status

Fields

Message

Status

Message

Status

Message

Status

Fields

Message

Status

Message

Status

Fields

Message

Status

Fields

Message

Status

Fields

Message

Status

Message

Status

Fields

Message

Status

Message

Status

Fields

Message

Status

Message

Status

Fields

Message

Status

Fields

Fields

Fields