Message

The Driver Manager service started successfully

Message

The Driver Manager service failed to start.  The error reported was %2.

Fields

Message

The Driver Manager service was stopped

Message

The Driver Manager service is starting a host process for device %3.

Fields

Message

The host process (%1) started successfully.

Fields

Message

The host process (%1) failed to start successfully.  The error reported was %2.

Fields

Message

The host process (%1) is being asked to shutdown.

Fields

Message

The host process (%1) has a problem (%2) and is being terminated.

Fields

Message

The host process (%1) has been shutdown.

Fields

Message

The host process (%1) has a problem (%2) and is being terminated.

Fields

Message

The UMDF Host Process (%1) is starting up.

Fields

Message

The UMDF Host Process (%1) started successfully.

Fields

Message

The UMDF Host Process (%1) failed to start successfully.  The error reported was %2.

Fields

Message

The UMDF Host Process (%1) has been asked to load drivers for device %2.

Fields

Sigma Rules

• USB Device Plugged
  Detects plugged/unplugged USB devices

Message

The UMDF Host is loading driver %4 at level %3 for device %2.

Fields

Message

The UMDF Host Process (%1) has loaded module %3 while loading drivers for device %2.

Fields

Message

The UMDF Host successfully loaded the driver at level %3.

Fields

Message

The UMDF Host failed to load the driver at level %3.  The error reported was %4.

Fields

Message

The UMDF Host Process (%1) has successfully loaded drivers for device %2.

Fields

Message

The UMDF Host Process (%1) has failed to load drivers for device %2.  The error reported was %3

Fields

Message

Received a Pnp or Power operation (%3, %4) for device %2.

Fields

Sigma Rules

• USB Device Plugged
  Detects plugged/unplugged USB devices

Message

Completed a Pnp or Power operation (%3, %4) for device %2 with status %9.

Fields

Message

Forwarded a finished Pnp or Power operation (%3, %4) to the lower driver for device %2 with status %9.

Fields

Sigma Rules

• USB Device Plugged
  Detects plugged/unplugged USB devices

Message

Completed a Pnp or Power operation (%3, %4) for device %2 with status %9.

Fields

Message

Forwarded a Pnp or Power operation (%3, %4) for device %2 to the lower driver with status %9

Fields

Message

Received a Pnp or Power operation (%3, %4) for device %2 which was completed by the lower drivers with status %9

Fields

Message

Received a Pnp or Power operation (%3, %4) for device %2 which was completed by the lower drivers with status %9

Fields

Message

The UMDF Host (%1) has been asked to shutdown.

Fields

Message

The UMDF Host (%1) has shutdown.

Fields

Message

UMDF State Machine %4 start processing event %5 (Queueing %6)

Fields

Message

UMDF State Machine %4 dropped event %5

Fields

Message

UMDF State Machine %4 state change from %5 to %7 on event %6

Fields

Message

UMDF State Machine %4 event processing finished in state %5

Fields

Message

UMDF State Machine %4 event processing stopped in state %5

Fields

Message

A runtime failure has occurred in user-mode driver %5 and the hosting process has been terminated. This may temporarily interrupt your ability to access the devices. Please contact the device manufacturer or driver vendor for more information about this problem.

Fields

Message

A driver package which uses user-mode driver framework version %2 is being installed on device %1.

Fields

Example Event

system:
  provider: Microsoft-Windows-DriverFrameworks-UserMode
  guid: 2E35AAEB-857F-4BEB-A418-2E6C0E54D988
  event_source_name: ''
  event_id: 10000
  version: 1
  level: 4
  task: 48
  opcode: 1
  keywords: 2305843009213693952
  time_created: '2022-04-07T16:53:01.068372+00:00'
  event_record_id: 375
  correlation: {}
  execution:
    process_id: 2204
    thread_id: 4904
  channel: System
  computer: WIN-FPV0DSIC9O6
  security:
    user_id: S-1-5-18
user_data:
  UMDFDeviceInstallBegin:
    DeviceId: SWD\WPDBUSENUM\_??_USBSTOR#DISK&VEN_VENDORCO&PROD_PRODUCTCODE&REV_2.00#9207032533193411390&0#{53F56307-B6BF-11D0-94F2-00A0C91EFB8B}
    FrameworkVersion: 2.33.0
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

The UMDF service %1 (CLSID %2) was installed.  It requires framework version %3 or higher.

Fields

Example Event

system:
  provider: Microsoft-Windows-DriverFrameworks-UserMode
  guid: 2E35AAEB-857F-4BEB-A418-2E6C0E54D988
  event_source_name: ''
  event_id: 10001
  version: 1
  level: 4
  task: 48
  opcode: 0
  keywords: 2305843009213693952
  time_created: '2022-04-07T16:53:01.087249+00:00'
  event_record_id: 376
  correlation: {}
  execution:
    process_id: 2204
    thread_id: 4904
  channel: System
  computer: WIN-FPV0DSIC9O6
  security:
    user_id: S-1-5-18
user_data:
  UMDFServiceInstall:
    ServiceName: WpdFs
    CLSID: 112DE495-AC4C-46F8-B663-6A4266C53313
    MinimumFxVersion: 2.33.0
    Upgrade: false
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

The UMDF service %1 (CLSID %2) was upgraded.  It requires framework version %3 or higher.

Fields

Message

The driver package installation has succeeded.

Fields

Example Event

system:
  provider: Microsoft-Windows-DriverFrameworks-UserMode
  guid: 2E35AAEB-857F-4BEB-A418-2E6C0E54D988
  event_source_name: ''
  event_id: 10100
  version: 1
  level: 4
  task: 48
  opcode: 2
  keywords: 2305843009213693952
  time_created: '2022-04-07T16:53:01.102346+00:00'
  event_record_id: 377
  correlation: {}
  execution:
    process_id: 2204
    thread_id: 4904
  channel: System
  computer: WIN-FPV0DSIC9O6
  security:
    user_id: S-1-5-18
user_data:
  UMDFDeviceInstallEnd:
    FinalStatus: 0
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

The driver package installation has failed.  The final status was %1.

Fields

Message

A problem has occurred with one or more user-mode drivers and the hosting process has been terminated.  This may temporarily interrupt your ability to access the devices.

Fields

Message

The device %2 (location %3) is offline due to a user-mode driver crash.  Windows will attempt to restart the device %5 more times.  Please contact the device manufacturer for more information about this problem.

Fields

Message

The device %2 (location %3) is offline due to a user-mode device crash.  Windows will no longer attempt to restart this device because the maximum restart limit has been reached.  Disconnecting the device and reconnecting it, or disabling it and re-enabling it from the device manager, will reset this limit and allow the device to be accessed again.  Please contact the device manufacturer for more information about this problem.

Fields

Message

The device %2 was unable to start due to conflict between the settings for driver %5 (%3 - %4) and the other drivers.  Windows will not be able to start this device.  Please contact the device manufacturer for assistance.

Fields

Message

{UnstartedService} (part of UMDF) did not load yet. After it does; Windows will start the device again.

Fields

Message

The device %2 (location %3) is offline due to a user-mode driver crash.  Windows will attempt to restart the device %5 more times in its own process.  Please contact the device manufacturer for more information about this problem.

Fields

Message

The device %2 (location %3) is offline due to a user-mode driver crash.  Windows will attempt to restart the device in the shared process %5 more times before moving the device in its own process.  Please contact the device manufacturer for more information about this problem.

Fields

Message

UMDF driver service %1 failed to load because it was compiled using a pre-release version of the Windows Driver Kit(WDK). The driver should be recompiled using a release version of the WDK. Driver's function table count is %2 and the expected count is %3.

Fields

Message

UMDF reflector is unable to connect to service control manager (SCM). This is expected during boot, when SCM has not started yet. Will retry when it starts.

Message

A problem has occurred with one or more user-mode drivers and the hosting process has been terminated.  This may temporarily interrupt your ability to access the devices.

Fields

Message

A runtime failure has occurred in user-mode driver %5 and the hosting process has been terminated. This may temporarily interrupt your ability to access the devices. Please contact the device manufacturer or driver vendor for more information about this problem.

Fields

Message

UMDF Test Event (%1)

Fields

Message

Power IRP related event in the User-mode Driver Frameworks Host Process

Fields

Message

Power IRP related event in the User-mode Driver Frameworks Host Process

Fields

Message

Power IRP related event in the User-mode Driver Frameworks Host Process

Fields

Message

Power IRP related event in the User-mode Driver Frameworks Host Process

Fields

Message

A driver package which uses user-mode driver framework version {FrameworkVersion} is being installed on device {DeviceId}.

Fields

Message

The driver package installation has finished. The final status was {FinalStatus}.

Fields

Message

PreDevice installation (UMDF version {FrameworkVersion}) is starting for device {DeviceId}.

Fields

Message

PreDevice installation has finished. The final status was {FinalStatus}.

Fields

Message

PostDevice installation (UMDF version {FrameworkVersion}) is starting for device {DeviceId}.

Fields

Message

PostDevice installation has finished. The final status was {FinalStatus}.

Fields

Message

UMDF has been updated. The final status was {FinalStatus}.

Fields

Message

DDI to read from hardware begins (TargetType: %1, TargetSize: %2, BufferCount: %3).

Fields

Message

DDI to read from hardware ends (TargetType: %1, TargetSize: %2, BufferCount: %3).

Fields

Message

Read from hardware begins (TargetType: %1, TargetSize: %2, BufferCount: %3).

Fields

Message

Read from hardware ends (TargetType: %1, TargetSize: %2, BufferCount: %3).

Fields

Message

DDI to write to hardware begins (TargetType: %1, TargetSize: %2, BufferCount: %3).

Fields

Message

DDI to write to hardware ends (TargetType: %1, TargetSize: %2, BufferCount: %3).

Fields

Message

Write to hardware begins (TargetType: %1, TargetSize: %2, BufferCount: %3).

Fields

Message

Write to hardware ends (TargetType: %1, TargetSize: %2, BufferCount: %3).

Fields

Message

Read from hardware begins (TargetType: %1, TargetSize: %2, BufferCount: %3).

Fields

Message

Read from hardware ends (TargetType: %1, TargetSize: %2, BufferCount: %3).

Fields

Message

Write to hardware begins (TargetType: %1, TargetSize: %2, BufferCount: %3).

Fields

Message

Write to hardware ends (TargetType: %1, TargetSize: %2, BufferCount: %3).

Fields

Message

UMDF Reflector sent notification for hardware interrupt (Message ID %1).

Fields

Message

UMDF framework received notification for hardware interrupt (Message ID %1).

Fields