detection.wiki

Microsoft-Windows-Diagnostics-Performance › Event 100

Event ID 100 — Windows has started up.

Provider
Microsoft-Windows-Diagnostics-Performance
Channel
Operational
Level
Critical
Task
BootPerformanceMonitoring
Opcode
BootInformation

Description

Windows has started up.

Message #

Windows has started up: 

     Boot Duration		: %6ms

     IsDegradation		: %26

     Incident Time (UTC)	: %2

Fields #

NameDescription
BootTsVersion UInt32
BootStartTime FILETIME
BootEndTime FILETIME
SystemBootInstance UInt32
UserBootInstance UInt32
BootTime UInt32
MainPathBootTime UInt32
BootKernelInitTime UInt32
BootDriverInitTime UInt32
BootDevicesInitTime UInt32
BootPrefetchInitTime UInt32
BootPrefetchBytes UInt32
BootAutoChkTime UInt32
BootSmssInitTime UInt32
BootCriticalServicesInitTime UInt32
BootUserProfileProcessingTime UInt32
BootMachineProfileProcessingTime UInt32
BootExplorerInitTime UInt32
BootNumStartupApps UInt32
BootPostBootTime UInt32
BootIsRebootAfterInstall Boolean
BootRootCauseStepImprovementBits UInt32
BootRootCauseGradualImprovementBits UInt32
BootRootCauseStepDegradationBits UInt32
BootRootCauseGradualDegradationBits UInt32
BootIsDegradation Boolean
BootIsStepDegradation Boolean
BootIsGradualDegradation Boolean
BootImprovementDelta UInt32
BootDegradationDelta UInt32
BootIsRootCauseIdentified Boolean
OSLoaderDuration UInt32
BootPNPInitStartTimeMS UInt32
BootPNPInitDuration UInt32
OtherKernelInitDuration UInt32
SystemPNPInitStartTimeMS UInt32
SystemPNPInitDuration UInt32
SessionInitStartTimeMS UInt32
Session0InitDuration UInt32
Session1InitDuration UInt32
SessionInitOtherDuration UInt32
WinLogonStartTimeMS UInt32
OtherLogonInitActivityDuration UInt32
UserLogonWaitDuration UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Diagnostics-Performance",
    "guid": "CFC18EC0-96B1-4EBA-961B-622CAEE05B0A",
    "event_source_name": "",
    "event_id": 100,
    "version": 2,
    "level": 1,
    "task": 4002,
    "opcode": 34,
    "keywords": 9223372036854841344,
    "time_created": "2023-11-05T22:33:58.036254+00:00",
    "event_record_id": 38,
    "correlation": {
      "ActivityID": "E4DB489E-1037-0003-0982-DBE43710DA01"
    },
    "execution": {
      "process_id": 3160,
      "thread_id": 3556
    },
    "channel": "Microsoft-Windows-Diagnostics-Performance/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "BootTsVersion": 2,
    "BootStartTime": "2023-11-05T22:32:00.970725Z",
    "BootEndTime": "2023-11-05T22:33:56.389945Z",
    "SystemBootInstance": 8,
    "UserBootInstance": 2,
    "BootTime": 110680,
    "MainPathBootTime": 34629,
    "BootKernelInitTime": 164,
    "BootDriverInitTime": 1567,
    "BootDevicesInitTime": 2810,
    "BootPrefetchInitTime": 0,
    "BootPrefetchBytes": 0,
    "BootAutoChkTime": 0,
    "BootSmssInitTime": 6391,
    "BootCriticalServicesInitTime": 1441,
    "BootUserProfileProcessingTime": 1084,
    "BootMachineProfileProcessingTime": 456,
    "BootExplorerInitTime": 18858,
    "BootNumStartupApps": 3,
    "BootPostBootTime": 76051,
    "BootIsRebootAfterInstall": false,
    "BootRootCauseStepImprovementBits": 0,
    "BootRootCauseGradualImprovementBits": 0,
    "BootRootCauseStepDegradationBits": 13631488,
    "BootRootCauseGradualDegradationBits": 13631488,
    "BootIsDegradation": true,
    "BootIsStepDegradation": true,
    "BootIsGradualDegradation": true,
    "BootImprovementDelta": 0,
    "BootDegradationDelta": 68995,
    "BootIsRootCauseIdentified": true,
    "OSLoaderDuration": 3107,
    "BootPNPInitStartTimeMS": 164,
    "BootPNPInitDuration": 4163,
    "OtherKernelInitDuration": 445,
    "SystemPNPInitStartTimeMS": 4495,
    "SystemPNPInitDuration": 1301,
    "SessionInitStartTimeMS": 5910,
    "Session0InitDuration": 1013,
    "Session1InitDuration": 219,
    "SessionInitOtherDuration": 5158,
    "WinLogonStartTimeMS": 12302,
    "OtherLogonInitActivityDuration": 1926,
    "UserLogonWaitDuration": 4739
  },
  "message": ""
}

References #