Microsoft-Windows-DriverFrameworks-UserMode

77 events across 4 channels

Event ID	Title	Channel
1000	The Driver Manager service started successfully	Operational
1001	The Driver Manager service failed to start.	Operational
1002	The Driver Manager service was stopped	Operational
1003	The Driver Manager service is starting a host process for device …	Operational
1004	The host process (UMDFDriverManagerHostCreateEnd.LifetimeId) started …	Operational
1005	The host process (LifetimeId) failed to start successfully.	Operational
1006	The host process (UMDFDriverManagerHostShutdown.LifetimeId) is being asked to …	Operational
1007	The host process (LifetimeId) has a problem (Problem) and is being terminated.	Operational
1008	The host process (UMDFDriverManagerHostShutdown.LifetimeId) has been shutdown.	Operational
1009	The host process (LifetimeId) has a problem (Problem) and is being terminated.	Operational
2000	The UMDF Host Process (UMDFHostStartupBegin.LifetimeId) is starting up.	Operational
2001	The UMDF Host Process (UMDFHostStartupEnd.LifetimeId) started successfully.	Operational
2002	The UMDF Host Process (LifetimeId) failed to start successfully.	Operational
2003	The UMDF Host Process (UMDFHostDeviceArrivalBegin.LifetimeId) has been asked to …	Operational
2004	The UMDF Host is loading driver UMDFHostAddDeviceBegin.Service at level …	Operational
2005	The UMDF Host Process (UMDFHostModuleLoad.LifetimeId) has loaded module …	Operational
2006	The UMDF Host successfully loaded the driver at level …	Operational
2007	The UMDF Host failed to load the driver at level Level.	Operational
2010	The UMDF Host Process (UMDFHostDeviceArrivalEnd.LifetimeId) has successfully …	Operational
2011	The UMDF Host Process (LifetimeId) has failed to load drivers for device …	Operational
2100	Received a Pnp or Power operation (UMDFHostDeviceRequest.RequestMajorCode, …	Operational
2101	Completed a Pnp or Power operation (UMDFHostDeviceRequest.RequestMajorCode, …	Operational
2102	Forwarded a finished Pnp or Power operation …	Operational
2103	Completed a Pnp or Power operation (MajorCode, MinorCode) for device InstanceId …	Operational
2105	Forwarded a Pnp or Power operation (UMDFHostDeviceRequest.RequestMajorCode, …	Operational
2106	Received a Pnp or Power operation (UMDFHostDeviceRequest.RequestMajorCode, …	Operational
2107	Received a Pnp or Power operation (MajorCode, MinorCode) for device InstanceId …	Operational
2900	The UMDF Host (UMDFHostShutdown.LifetimeId) has been asked to shutdown.	Operational
2901	The UMDF Host (UMDFHostShutdown.LifetimeId) has shutdown.	Operational
3000	UMDF State Machine StateMachine start processing event Event (Queueing …	Operational
3001	UMDF State Machine StateMachine dropped event Event.	Operational
3010	UMDF State Machine StateMachine state change from CurrentState to NewState on …	Operational
3011	UMDF State Machine StateMachine event processing finished in state CurrentState.	Operational
3020	UMDF State Machine StateMachine event processing stopped in state Event.	Operational
4000	A runtime failure has occurred in user-mode driver Driver and the hosting …	Operational
10000	A driver package which uses user-mode driver framework version …	System
10001	The UMDF service UMDFServiceInstall.ServiceName (CLSID UMDFServiceInstall.CLSID) …	System
10002	The UMDF service ServiceName (CLSID CLSID) was upgraded.	System
10100	The driver package installation has succeeded.	System
10101	The driver package installation has failed.	System
10110	A problem has occurred with one or more user-mode drivers and the hosting …	System
10111	The device FriendlyName (location Location) is offline due to a user-mode driver …	System
10112	The device FriendlyName (location Location) is offline due to a user-mode device …	System
10113	The device InstanceId was unable to start due to conflict between the settings …	System
10114	{UnstartedService} (part of UMDF) did not load yet.	System
10115	The device FriendlyName (location Location) is offline due to a user-mode driver …	System
10116	The device FriendlyName (location Location) is offline due to a user-mode driver …	System
10117	UMDF driver service ServiceName failed to load because it was compiled using a …	System
10118	UMDF reflector is unable to connect to service control manager (SCM).	System
10120	A problem has occurred with one or more user-mode drivers and the hosting …	System
10121	A runtime failure has occurred in user-mode driver Driver and the hosting …	System
19999	UMDF Test Event (String).	System
20030	Power IRP related event in the User-mode Driver Frameworks Host Process	Diagnostic
20031	Power IRP related event in the User-mode Driver Frameworks Host Process	Diagnostic
20032	Power IRP related event in the User-mode Driver Frameworks Host Process	Diagnostic
20033	Power IRP related event in the User-mode Driver Frameworks Host Process	Diagnostic
30000	A driver package which uses user-mode driver framework version …	Operational
30001	The driver package installation has finished.	Operational
30002	PreDevice installation (UMDF version {FrameworkVersion}) is starting for device …	Operational
30003	PreDevice installation has finished.	Operational
30004	PostDevice installation (UMDF version {FrameworkVersion}) is starting for device …	Operational
30005	PostDevice installation has finished.	Operational
30007	UMDF has been updated.	Operational
30008	DDI to read from hardware begins (TargetType: HwAccessTargetType, TargetSize: …	Operational
30009	DDI to read from hardware ends (TargetType: HwAccessTargetType, TargetSize: …	Operational
30010	Read from hardware begins (TargetType: HwAccessTargetType, TargetSize: …	Operational
30011	Read from hardware ends (TargetType: HwAccessTargetType, TargetSize: …	Operational
30012	DDI to write to hardware begins (TargetType: HwAccessTargetType, TargetSize: …	Operational
30013	DDI to write to hardware ends (TargetType: HwAccessTargetType, TargetSize: …	Operational
30014	Write to hardware begins (TargetType: HwAccessTargetType, TargetSize: …	Operational
30015	Write to hardware ends (TargetType: HwAccessTargetType, TargetSize: …	Operational
30016	Read from hardware begins (TargetType: HwAccessTargetType, TargetSize: …	Operational
30017	Read from hardware ends (TargetType: HwAccessTargetType, TargetSize: …	Operational
30018	Write to hardware begins (TargetType: HwAccessTargetType, TargetSize: …	Operational
30019	Write to hardware ends (TargetType: HwAccessTargetType, TargetSize: …	Operational
30020	UMDF Reflector sent notification for hardware interrupt (Message ID …	Operational
30021	UMDF framework received notification for hardware interrupt (Message ID …	Operational

Event ID 1000 — The Driver Manager service started successfully

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: Operational
Level: Informational
Task: Startupofthedrivermanagerservice.
Opcode: Start

Description

The Driver Manager service started successfully.

Message #

The Driver Manager service started successfully

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-DriverFrameworks-UserMode",
    "guid": "2E35AAEB-857F-4BEB-A418-2E6C0E54D988",
    "event_source_name": "",
    "event_id": 1000,
    "version": 2,
    "level": 4,
    "task": 16,
    "opcode": 1,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T20:05:02.700509+00:00",
    "event_record_id": 1,
    "correlation": {},
    "execution": {
      "process_id": 656,
      "thread_id": 692
    },
    "channel": "Microsoft-Windows-DriverFrameworks-UserMode/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {},
  "message": ""
}

Event ID 1001 — The Driver Manager service failed to start.

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: Operational
Task: Startupofthedrivermanagerservice.
Opcode: Stop

Description

The Driver Manager service failed to start. The error reported was %2.

Message #

The Driver Manager service failed to start.  The error reported was %2.

Fields #

Name	Description
`Error` UInt32	—

Event ID 1002 — The Driver Manager service was stopped

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: Operational
Task: Startupofthedrivermanagerservice.
Opcode: Stop

Description

The Driver Manager service was stopped.

Message #

The Driver Manager service was stopped

Event ID 1003 — The Driver Manager service is starting a host process for device UMDFDriverManagerHostCreateStart.DeviceInstanceId.

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: Operational
Level: Informational
Task: Creationofanewdriverhostprocess.
Opcode: Start

Description

The Driver Manager service is starting a host process for device UMDFDriverManagerHostCreateStart.DeviceInstanceId.

Message #

The Driver Manager service is starting a host process for device %3.

Fields #

Name	Description
`UMDFDriverManagerHostCreateStart.LifetimeId` GUID	—
`UMDFDriverManagerHostCreateStart.HostGuid` UnicodeString	—
`UMDFDriverManagerHostCreateStart.DeviceInstanceId`	—
`LifetimeId` GUID	—
`HostGuid` UnicodeString	—
`InstanceId` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-DriverFrameworks-UserMode",
    "guid": "2E35AAEB-857F-4BEB-A418-2E6C0E54D988",
    "event_source_name": "",
    "event_id": 1003,
    "version": 1,
    "level": 4,
    "task": 17,
    "opcode": 1,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T22:00:23.938852+00:00",
    "event_record_id": 2,
    "correlation": {},
    "execution": {
      "process_id": 928,
      "thread_id": 608
    },
    "channel": "Microsoft-Windows-DriverFrameworks-UserMode/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "user_data": {
    "UMDFDriverManagerHostCreateStart": {
      "LifetimeId": "3D69498E-0D29-42F1-905E-33C3A505E322",
      "HostGuid": "{193a1820-d9ac-4997-8c55-be817523f6aa}",
      "DeviceInstanceId": "SWD.REMOTEDISPLAYENUM.RDPIDD_INDIRECTDISPLAY&SESSIONID_0001"
    }
  },
  "message": ""
}

Event ID 1004 — The host process (UMDFDriverManagerHostCreateEnd.LifetimeId) started successfully.

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: Operational
Level: Informational
Task: Creationofanewdriverhostprocess.
Opcode: Stop

Description

The host process (UMDFDriverManagerHostCreateEnd.LifetimeId) started successfully.

Message #

The host process (%1) started successfully.

Fields #

Name	Description
`UMDFDriverManagerHostCreateEnd.LifetimeId` GUID	—
`UMDFDriverManagerHostCreateEnd.FinalStatus` UInt32	—
`LifetimeId` GUID	—
`FinalStatus` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-DriverFrameworks-UserMode",
    "guid": "2E35AAEB-857F-4BEB-A418-2E6C0E54D988",
    "event_source_name": "",
    "event_id": 1004,
    "version": 1,
    "level": 4,
    "task": 17,
    "opcode": 2,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T22:00:23.989889+00:00",
    "event_record_id": 5,
    "correlation": {},
    "execution": {
      "process_id": 928,
      "thread_id": 608
    },
    "channel": "Microsoft-Windows-DriverFrameworks-UserMode/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "user_data": {
    "UMDFDriverManagerHostCreateEnd": {
      "LifetimeId": "3D69498E-0D29-42F1-905E-33C3A505E322",
      "FinalStatus": 0
    }
  },
  "message": ""
}

Event ID 1005 — The host process (LifetimeId) failed to start successfully.

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: Operational
Task: Creationofanewdriverhostprocess.
Opcode: Stop

Description

The host process (LifetimeId) failed to start successfully. The error reported was FinalStatus.

Message #

The host process (%1) failed to start successfully.  The error reported was %2.

Fields #

Name	Description
`LifetimeId` GUID	—
`FinalStatus` UInt32	—

Event ID 1006 — The host process (UMDFDriverManagerHostShutdown.LifetimeId) is being asked to shutdown.

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: Operational
Level: Informational
Task: Shutdownofadriverhostprocess.
Opcode: Start

Description

The host process (UMDFDriverManagerHostShutdown.LifetimeId) is being asked to shutdown.

Message #

The host process (%1) is being asked to shutdown.

Fields #

Name	Description
`UMDFDriverManagerHostShutdown.LifetimeId` GUID	—
`LifetimeId` GUID	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-DriverFrameworks-UserMode",
    "guid": "2E35AAEB-857F-4BEB-A418-2E6C0E54D988",
    "event_source_name": "",
    "event_id": 1006,
    "version": 1,
    "level": 4,
    "task": 18,
    "opcode": 1,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T22:03:23.476353+00:00",
    "event_record_id": 56,
    "correlation": {},
    "execution": {
      "process_id": 656,
      "thread_id": 1112
    },
    "channel": "Microsoft-Windows-DriverFrameworks-UserMode/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "user_data": {
    "UMDFDriverManagerHostShutdown": {
      "LifetimeId": "2E824AC4-1BF6-49DF-A55C-C63302D85A3E"
    }
  },
  "message": ""
}

Event ID 1007 — The host process (LifetimeId) has a problem (Problem) and is being terminated.

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: Operational
Task: Shutdownofadriverhostprocess.

Description

The host process (LifetimeId) has a problem (Problem) and is being terminated.

Message #

The host process (%1) has a problem (%2) and is being terminated.

Fields #

Name	Description
`LifetimeId` GUID	—
`Problem` UInt8	—
`DetectedBy` UInt8	—
`ActiveOperation` UInt8	—
`ExitCode` UInt32	—
`Message` UInt32	—
`Status` UInt32	— NTSTATUS reference

Event ID 1008 — The host process (UMDFDriverManagerHostShutdown.LifetimeId) has been shutdown.

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: Operational
Level: Informational
Task: Shutdownofadriverhostprocess.
Opcode: Stop

Description

The host process (UMDFDriverManagerHostShutdown.LifetimeId) has been shutdown.

Message #

The host process (%1) has been shutdown.

Fields #

Name	Description
`UMDFDriverManagerHostShutdown.LifetimeId` GUID	—
`UMDFDriverManagerHostShutdown.TerminateStatus`	—
`UMDFDriverManagerHostShutdown.ExitCode` UInt32	—
`LifetimeId` GUID	—
`TerminationStatus` UInt32	—
`ExitCode` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-DriverFrameworks-UserMode",
    "guid": "2E35AAEB-857F-4BEB-A418-2E6C0E54D988",
    "event_source_name": "",
    "event_id": 1008,
    "version": 1,
    "level": 4,
    "task": 18,
    "opcode": 2,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T22:03:23.482031+00:00",
    "event_record_id": 59,
    "correlation": {},
    "execution": {
      "process_id": 656,
      "thread_id": 1112
    },
    "channel": "Microsoft-Windows-DriverFrameworks-UserMode/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "user_data": {
    "UMDFDriverManagerHostShutdown": {
      "LifetimeId": "2E824AC4-1BF6-49DF-A55C-C63302D85A3E",
      "TerminateStatus": 0,
      "ExitCode": 0
    }
  },
  "message": ""
}

Event ID 1009 — The host process (LifetimeId) has a problem (Problem) and is being terminated.

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: Operational
Task: Shutdownofadriverhostprocess.

Description

The host process (LifetimeId) has a problem (Problem) and is being terminated.

Message #

The host process (%1) has a problem (%2) and is being terminated.

Fields #

Name	Description
`LifetimeId` GUID	—
`Problem` UInt8	—
`DetectedBy` UInt8	—
`ActiveOperation` UInt8	—
`ExitCode` UInt32	—
`Message` UInt32	—
`Status` UInt32	— NTSTATUS reference
`InstanceId` UnicodeString	—
`HardwareId` UnicodeString	—
`ServiceName` UnicodeString	—

Event ID 2000 — The UMDF Host Process (UMDFHostStartupBegin.LifetimeId) is starting up.

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: Operational
Level: Informational
Task: Startupofanewdriverhostprocess.
Opcode: Start

Description

The UMDF Host Process (UMDFHostStartupBegin.LifetimeId) is starting up.

Message #

The UMDF Host Process (%1) is starting up.

Fields #

Name	Description
`UMDFHostStartupBegin.LifetimeId` GUID	—
`LifetimeId` GUID	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-DriverFrameworks-UserMode",
    "guid": "2E35AAEB-857F-4BEB-A418-2E6C0E54D988",
    "event_source_name": "",
    "event_id": 2000,
    "version": 1,
    "level": 4,
    "task": 32,
    "opcode": 1,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T22:00:23.973052+00:00",
    "event_record_id": 3,
    "correlation": {},
    "execution": {
      "process_id": 8116,
      "thread_id": 3552
    },
    "channel": "Microsoft-Windows-DriverFrameworks-UserMode/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "user_data": {
    "UMDFHostStartupBegin": {
      "LifetimeId": "3D69498E-0D29-42F1-905E-33C3A505E322"
    }
  },
  "message": ""
}

Event ID 2001 — The UMDF Host Process (UMDFHostStartupEnd.LifetimeId) started successfully.

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: Operational
Level: Informational
Task: Startupofanewdriverhostprocess.
Opcode: Stop

Description

The UMDF Host Process (UMDFHostStartupEnd.LifetimeId) started successfully.

Message #

The UMDF Host Process (%1) started successfully.

Fields #

Name	Description
`UMDFHostStartupEnd.LifetimeId` GUID	—
`UMDFHostStartupEnd.FinalStatus`	—
`LifetimeId` GUID	—
`ExitCode` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-DriverFrameworks-UserMode",
    "guid": "2E35AAEB-857F-4BEB-A418-2E6C0E54D988",
    "event_source_name": "",
    "event_id": 2001,
    "version": 1,
    "level": 4,
    "task": 32,
    "opcode": 2,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T22:00:23.978254+00:00",
    "event_record_id": 4,
    "correlation": {},
    "execution": {
      "process_id": 8116,
      "thread_id": 3552
    },
    "channel": "Microsoft-Windows-DriverFrameworks-UserMode/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "user_data": {
    "UMDFHostStartupEnd": {
      "LifetimeId": "3D69498E-0D29-42F1-905E-33C3A505E322",
      "FinalStatus": 0
    }
  },
  "message": ""
}

Event ID 2002 — The UMDF Host Process (LifetimeId) failed to start successfully.

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: Operational
Task: Startupofanewdriverhostprocess.
Opcode: Stop

Description

The UMDF Host Process (LifetimeId) failed to start successfully. The error reported was ExitCode.

Message #

The UMDF Host Process (%1) failed to start successfully.  The error reported was %2.

Fields #

Name	Description
`LifetimeId` GUID	—
`ExitCode` UInt32	—

Event ID 2003 — The UMDF Host Process (UMDFHostDeviceArrivalBegin.LifetimeId) has been asked to load drivers for device UMDFHostDeviceArrivalBegin.InstanceId.

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: Operational
Level: Informational
Collection Priority: Recommended (ANSSI)
Task: Loadingdriverstocontrolanewlydiscovereddevice.
Opcode: Start

Description

The UMDF Host Process (UMDFHostDeviceArrivalBegin.LifetimeId) has been asked to load drivers for device UMDFHostDeviceArrivalBegin.InstanceId.

Message #

The UMDF Host Process (%1) has been asked to load drivers for device %2.

Fields #

Name	Description
`UMDFHostDeviceArrivalBegin.LifetimeId` GUID	—
`UMDFHostDeviceArrivalBegin.InstanceId` UnicodeString	—
`LifetimeId` GUID	—
`InstanceId` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-DriverFrameworks-UserMode",
    "guid": "2E35AAEB-857F-4BEB-A418-2E6C0E54D988",
    "event_source_name": "",
    "event_id": 2003,
    "version": 1,
    "level": 4,
    "task": 33,
    "opcode": 1,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T22:00:23.998527+00:00",
    "event_record_id": 6,
    "correlation": {},
    "execution": {
      "process_id": 8116,
      "thread_id": 7760
    },
    "channel": "Microsoft-Windows-DriverFrameworks-UserMode/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "user_data": {
    "UMDFHostDeviceArrivalBegin": {
      "LifetimeId": "3D69498E-0D29-42F1-905E-33C3A505E322",
      "InstanceId": "SWD\\REMOTEDISPLAYENUM\\RDPIDD_INDIRECTDISPLAY&SESSIONID_0001"
    }
  },
  "message": ""
}

Detection Patterns #

Initial Access: Hardware Additions

DriverFrameworks-UserMode Event ID 2003: The UMDF Host Process (UMDFHostDeviceArrivalBegin.LifetimeId) has been asked to load drivers for device UMDFHostDeviceArrivalBegin.InstanceId.OREvent ID 2100: Received a Pnp or Power operation (UMDFHostDeviceRequest.RequestMajorCode, UMDFHostDeviceRequest.RequestMinorCode) for device UMDFHostDeviceRequest.InstanceId.OREvent ID 2102: Forwarded a finished Pnp or Power operation (UMDFHostDeviceRequest.RequestMajorCode, UMDFHostDeviceRequest.RequestMinorCode) to the lower driver for device UMDFHostDeviceRequest.InstanceId with status UMDFHostDeviceRequest.Status.

1 rule

Sigma

USB Device Plugged (source)

Florian Roth (Nextron Systems)

Event ID 2004 — The UMDF Host is loading driver UMDFHostAddDeviceBegin.Service at level UMDFHostAddDeviceBegin.Level for device UMDFHostAddDeviceBegin.InstanceId.

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: Operational
Level: Verbose
Collection Priority: Recommended (Microsoft-WEF, others)
Task: Loadingdriverstocontrolanewlydiscovereddevice.
Opcode: Start

Description

The UMDF Host is loading driver UMDFHostAddDeviceBegin.Service at level UMDFHostAddDeviceBegin.Level for device UMDFHostAddDeviceBegin.InstanceId.

Message #

The UMDF Host is loading driver %4 at level %3 for device %2.

Fields #

Name	Description
`UMDFHostAddDeviceBegin.LifetimeId` GUID	—
`UMDFHostAddDeviceBegin.InstanceId` UnicodeString	—
`UMDFHostAddDeviceBegin.Level` UInt32	—
`UMDFHostAddDeviceBegin.Service` UnicodeString	—
`UMDFHostAddDeviceBegin.DriverClsid`	—
`LifetimeId` GUID	—
`InstanceId` UnicodeString	—
`Level` UInt32	—
`Service` UnicodeString	—
`ClsId` GUID	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-DriverFrameworks-UserMode",
    "guid": "2E35AAEB-857F-4BEB-A418-2E6C0E54D988",
    "event_source_name": "",
    "event_id": 2004,
    "version": 1,
    "level": 5,
    "task": 33,
    "opcode": 1,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T22:00:23.998872+00:00",
    "event_record_id": 8,
    "correlation": {},
    "execution": {
      "process_id": 8116,
      "thread_id": 7760
    },
    "channel": "Microsoft-Windows-DriverFrameworks-UserMode/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "user_data": {
    "UMDFHostAddDeviceBegin": {
      "LifetimeId": "3D69498E-0D29-42F1-905E-33C3A505E322",
      "InstanceId": "SWD\\REMOTEDISPLAYENUM\\RDPIDD_INDIRECTDISPLAY&SESSIONID_0001",
      "Level": 0,
      "Service": "RdpIdd",
      "DriverClsid": "00000000-0000-0000-0000-000000000000"
    }
  },
  "message": ""
}

Event ID 2005 — The UMDF Host Process (UMDFHostModuleLoad.LifetimeId) has loaded module UMDFHostModuleLoad.ModulePath while loading drivers for device UMDFHostModuleLoad.InstanceId.

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: Operational
Level: Verbose
Task: Loadingdriverstocontrolanewlydiscovereddevice.

Description

The UMDF Host Process (UMDFHostModuleLoad.LifetimeId) has loaded module UMDFHostModuleLoad.ModulePath while loading drivers for device UMDFHostModuleLoad.InstanceId.

Message #

The UMDF Host Process (%1) has loaded module %3 while loading drivers for device %2.

Fields #

Name	Description
`UMDFHostModuleLoad.LifetimeId` GUID	—
`UMDFHostModuleLoad.InstanceId` UnicodeString	—
`UMDFHostModuleLoad.ModulePath` UnicodeString	—
`UMDFHostModuleLoad.CompanyName` UnicodeString	—
`UMDFHostModuleLoad.FileDescription` UnicodeString	—
`UMDFHostModuleLoad.FileVersion` UnicodeString	—
`LifetimeId` GUID	—
`InstanceId` UnicodeString	—
`ModulePath` UnicodeString	—
`CompanyName` UnicodeString	—
`FileDescription` UnicodeString	—
`FileVersion` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-DriverFrameworks-UserMode",
    "guid": "2E35AAEB-857F-4BEB-A418-2E6C0E54D988",
    "event_source_name": "",
    "event_id": 2005,
    "version": 1,
    "level": 5,
    "task": 33,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T22:00:24.104813+00:00",
    "event_record_id": 9,
    "correlation": {},
    "execution": {
      "process_id": 8116,
      "thread_id": 7760
    },
    "channel": "Microsoft-Windows-DriverFrameworks-UserMode/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "user_data": {
    "UMDFHostModuleLoad": {
      "LifetimeId": "3D69498E-0D29-42F1-905E-33C3A505E322",
      "InstanceId": "NULL",
      "ModulePath": "C:\\Windows\\System32\\WUDFx02000.dll",
      "CompanyName": "Microsoft Corporation",
      "FileDescription": "WDF:UMDF Framework Library",
      "FileVersion": "10.0.20348.1 (WinBuild.160101.0800)"
    }
  },
  "message": ""
}

Event ID 2006 — The UMDF Host successfully loaded the driver at level UMDFHostAddDeviceEnd.Level.

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: Operational
Level: Verbose
Collection Priority: Recommended (ANSSI)
Task: Loadingdriverstocontrolanewlydiscovereddevice.
Opcode: Stop

Description

The UMDF Host successfully loaded the driver at level UMDFHostAddDeviceEnd.Level.

Message #

The UMDF Host successfully loaded the driver at level %3.

Fields #

Name	Description
`UMDFHostAddDeviceEnd.LifetimeId` GUID	—
`UMDFHostAddDeviceEnd.InstanceId` UnicodeString	—
`UMDFHostAddDeviceEnd.Level` UInt32	—
`UMDFHostAddDeviceEnd.FinalStatus` UInt32	—
`LifetimeId` GUID	—
`InstanceId` UnicodeString	—
`Level` UInt32	—
`FinalStatus` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-DriverFrameworks-UserMode",
    "guid": "2E35AAEB-857F-4BEB-A418-2E6C0E54D988",
    "event_source_name": "",
    "event_id": 2006,
    "version": 1,
    "level": 5,
    "task": 33,
    "opcode": 2,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T22:00:24.154881+00:00",
    "event_record_id": 27,
    "correlation": {},
    "execution": {
      "process_id": 8116,
      "thread_id": 7760
    },
    "channel": "Microsoft-Windows-DriverFrameworks-UserMode/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "user_data": {
    "UMDFHostAddDeviceEnd": {
      "LifetimeId": "3D69498E-0D29-42F1-905E-33C3A505E322",
      "InstanceId": "SWD\\REMOTEDISPLAYENUM\\RDPIDD_INDIRECTDISPLAY&SESSIONID_0001",
      "Level": 0,
      "FinalStatus": 0
    }
  },
  "message": ""
}

Event ID 2007 — The UMDF Host failed to load the driver at level Level.

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: Operational
Task: Loadingdriverstocontrolanewlydiscovereddevice.
Opcode: Stop

Description

The UMDF Host failed to load the driver at level Level. The error reported was FinalStatus.

Message #

The UMDF Host failed to load the driver at level %3.  The error reported was %4.

Fields #

Name	Description
`LifetimeId` GUID	—
`InstanceId` UnicodeString	—
`Level` UInt32	—
`FinalStatus` UInt32	—

Event ID 2010 — The UMDF Host Process (UMDFHostDeviceArrivalEnd.LifetimeId) has successfully loaded drivers for device UMDFHostDeviceArrivalEnd.InstanceId.

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: Operational
Level: Informational
Collection Priority: Recommended (ANSSI)
Task: Loadingdriverstocontrolanewlydiscovereddevice.
Opcode: Stop

Description

The UMDF Host Process (UMDFHostDeviceArrivalEnd.LifetimeId) has successfully loaded drivers for device UMDFHostDeviceArrivalEnd.InstanceId.

Message #

The UMDF Host Process (%1) has successfully loaded drivers for device %2.

Fields #

Name	Description
`UMDFHostDeviceArrivalEnd.LifetimeId` GUID	—
`UMDFHostDeviceArrivalEnd.InstanceId` UnicodeString	—
`UMDFHostDeviceArrivalEnd.FinalStatus` UInt32	—
`LifetimeId` GUID	—
`InstanceId` UnicodeString	—
`FinalStatus` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-DriverFrameworks-UserMode",
    "guid": "2E35AAEB-857F-4BEB-A418-2E6C0E54D988",
    "event_source_name": "",
    "event_id": 2010,
    "version": 1,
    "level": 4,
    "task": 33,
    "opcode": 2,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T22:00:23.998782+00:00",
    "event_record_id": 7,
    "correlation": {},
    "execution": {
      "process_id": 8116,
      "thread_id": 7760
    },
    "channel": "Microsoft-Windows-DriverFrameworks-UserMode/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "user_data": {
    "UMDFHostDeviceArrivalEnd": {
      "LifetimeId": "3D69498E-0D29-42F1-905E-33C3A505E322",
      "InstanceId": "SWD\\REMOTEDISPLAYENUM\\RDPIDD_INDIRECTDISPLAY&SESSIONID_0001",
      "FinalStatus": 0
    }
  },
  "message": ""
}

Event ID 2011 — The UMDF Host Process (LifetimeId) has failed to load drivers for device InstanceId.

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: Operational
Task: Loadingdriverstocontrolanewlydiscovereddevice.
Opcode: Stop

Description

The UMDF Host Process (LifetimeId) has failed to load drivers for device InstanceId. The error reported was FinalStatus.

Message #

The UMDF Host Process (%1) has failed to load drivers for device %2.  The error reported was %3

Fields #

Name	Description
`LifetimeId` GUID	—
`InstanceId` UnicodeString	—
`FinalStatus` UInt32	—

Event ID 2100 — Received a Pnp or Power operation (UMDFHostDeviceRequest.RequestMajorCode, UMDFHostDeviceRequest.RequestMinorCode) for device UMDFHostDeviceRequest.InstanceId.

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: Operational
Level: Informational
Collection Priority: Recommended (ANSSI)
Task: PnporPowerManagementoperationtoaparticulardevice.
Opcode: Start

Description

Received a Pnp or Power operation (UMDFHostDeviceRequest.RequestMajorCode, UMDFHostDeviceRequest.RequestMinorCode) for device UMDFHostDeviceRequest.InstanceId.

Message #

Received a Pnp or Power operation (%3, %4) for device %2.

Fields #

Name	Description
`UMDFHostDeviceRequest.LifetimeId` GUID	—
`UMDFHostDeviceRequest.InstanceId` UnicodeString	—
`UMDFHostDeviceRequest.RequestMajorCode`	—
`UMDFHostDeviceRequest.RequestMinorCode`	—
`UMDFHostDeviceRequest.Argument1` Pointer	—
`UMDFHostDeviceRequest.Argument2` Pointer	—
`UMDFHostDeviceRequest.Argument3` Pointer	—
`UMDFHostDeviceRequest.Argument4` Pointer	—
`UMDFHostDeviceRequest.Status` UInt32	— NTSTATUS reference
`LifetimeId` GUID	—
`InstanceId` UnicodeString	—
`MajorCode` UInt8	—
`MinorCode` UInt8	—
`Argument1` Pointer	—
`Argument2` Pointer	—
`Argument3` Pointer	—
`Argument4` Pointer	—
`Status` UInt32	— NTSTATUS reference

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-DriverFrameworks-UserMode",
    "guid": "2E35AAEB-857F-4BEB-A418-2E6C0E54D988",
    "event_source_name": "",
    "event_id": 2100,
    "version": 1,
    "level": 4,
    "task": 37,
    "opcode": 1,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T22:00:24.156732+00:00",
    "event_record_id": 28,
    "correlation": {},
    "execution": {
      "process_id": 8116,
      "thread_id": 7940
    },
    "channel": "Microsoft-Windows-DriverFrameworks-UserMode/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "user_data": {
    "UMDFHostDeviceRequest": {
      "LifetimeId": "3D69498E-0D29-42F1-905E-33C3A505E322",
      "InstanceId": "SWD\\REMOTEDISPLAYENUM\\RDPIDD_INDIRECTDISPLAY&SESSIONID_0001",
      "RequestMajorCode": 27,
      "RequestMinorCode": 9,
      "Argument1": "0x10040",
      "Argument2": "0xffffffffffffffff",
      "Argument3": "0x0",
      "Argument4": "0x0",
      "Status": 3221225659
    }
  },
  "message": ""
}

Detection Patterns #

Initial Access: Hardware Additions

1 rule

Sigma

USB Device Plugged (source)

Florian Roth (Nextron Systems)

Event ID 2101 — Completed a Pnp or Power operation (UMDFHostDeviceRequest.RequestMajorCode, UMDFHostDeviceRequest.RequestMinorCode) for device UMDFHostDeviceRequest.InstanceId with status UMDFHostDeviceRequest.Sta...

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: Operational
Level: Informational
Collection Priority: Recommended (ANSSI)
Task: PnporPowerManagementoperationtoaparticulardevice.
Opcode: Stop

Description

Completed a Pnp or Power operation (UMDFHostDeviceRequest.RequestMajorCode, UMDFHostDeviceRequest.RequestMinorCode) for device UMDFHostDeviceRequest.InstanceId with status UMDFHostDeviceRequest.Status.

Message #

Completed a Pnp or Power operation (%3, %4) for device %2 with status %9.

Fields #

Name	Description
`UMDFHostDeviceRequest.LifetimeId` GUID	—
`UMDFHostDeviceRequest.InstanceId` UnicodeString	—
`UMDFHostDeviceRequest.RequestMajorCode`	—
`UMDFHostDeviceRequest.RequestMinorCode`	—
`UMDFHostDeviceRequest.Argument1` Pointer	—
`UMDFHostDeviceRequest.Argument2` Pointer	—
`UMDFHostDeviceRequest.Argument3` Pointer	—
`UMDFHostDeviceRequest.Argument4` Pointer	—
`UMDFHostDeviceRequest.Status` UInt32	— NTSTATUS reference
`LifetimeId` GUID	—
`InstanceId` UnicodeString	—
`MajorCode` UInt8	—
`MinorCode` UInt8	—
`Argument1` Pointer	—
`Argument2` Pointer	—
`Argument3` Pointer	—
`Argument4` Pointer	—
`Status` UInt32	— NTSTATUS reference

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-DriverFrameworks-UserMode",
    "guid": "2E35AAEB-857F-4BEB-A418-2E6C0E54D988",
    "event_source_name": "",
    "event_id": 2101,
    "version": 1,
    "level": 4,
    "task": 37,
    "opcode": 2,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T22:00:24.156878+00:00",
    "event_record_id": 31,
    "correlation": {},
    "execution": {
      "process_id": 8116,
      "thread_id": 7940
    },
    "channel": "Microsoft-Windows-DriverFrameworks-UserMode/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "user_data": {
    "UMDFHostDeviceRequest": {
      "LifetimeId": "3D69498E-0D29-42F1-905E-33C3A505E322",
      "InstanceId": "SWD\\REMOTEDISPLAYENUM\\RDPIDD_INDIRECTDISPLAY&SESSIONID_0001",
      "RequestMajorCode": 27,
      "RequestMinorCode": 9,
      "Argument1": "0x2d000010040",
      "Argument2": "0xffffffffffffffff",
      "Argument3": "0x100000000",
      "Argument4": "0x400000004",
      "Status": 0
    }
  },
  "message": ""
}

Event ID 2102 — Forwarded a finished Pnp or Power operation (UMDFHostDeviceRequest.RequestMajorCode, UMDFHostDeviceRequest.RequestMinorCode) to the lower driver for device UMDFHostDeviceRequest.InstanceId with sta...

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: Operational
Level: Informational
Task: PnporPowerManagementoperationtoaparticulardevice.
Opcode: Stop

Description

Forwarded a finished Pnp or Power operation (UMDFHostDeviceRequest.RequestMajorCode, UMDFHostDeviceRequest.RequestMinorCode) to the lower driver for device UMDFHostDeviceRequest.InstanceId with status UMDFHostDeviceRequest.Status.

Message #

Forwarded a finished Pnp or Power operation (%3, %4) to the lower driver for device %2 with status %9.

Fields #

Name	Description
`UMDFHostDeviceRequest.LifetimeId` GUID	—
`UMDFHostDeviceRequest.InstanceId` UnicodeString	—
`UMDFHostDeviceRequest.RequestMajorCode`	—
`UMDFHostDeviceRequest.RequestMinorCode`	—
`UMDFHostDeviceRequest.Argument1` Pointer	—
`UMDFHostDeviceRequest.Argument2` Pointer	—
`UMDFHostDeviceRequest.Argument3` Pointer	—
`UMDFHostDeviceRequest.Argument4` Pointer	—
`UMDFHostDeviceRequest.Status` UInt32	— NTSTATUS reference
`LifetimeId` GUID	—
`InstanceId` UnicodeString	—
`MajorCode` UInt8	—
`MinorCode` UInt8	—
`Argument1` Pointer	—
`Argument2` Pointer	—
`Argument3` Pointer	—
`Argument4` Pointer	—
`Status` UInt32	— NTSTATUS reference

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-DriverFrameworks-UserMode",
    "guid": "2E35AAEB-857F-4BEB-A418-2E6C0E54D988",
    "event_source_name": "",
    "event_id": 2102,
    "version": 1,
    "level": 4,
    "task": 37,
    "opcode": 2,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T22:03:23.459717+00:00",
    "event_record_id": 53,
    "correlation": {},
    "execution": {
      "process_id": 6928,
      "thread_id": 6020
    },
    "channel": "Microsoft-Windows-DriverFrameworks-UserMode/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "user_data": {
    "UMDFHostDeviceRequest": {
      "LifetimeId": "2E824AC4-1BF6-49DF-A55C-C63302D85A3E",
      "InstanceId": "SWD\\REMOTEDISPLAYENUM\\RDPIDD_INDIRECTDISPLAY&SESSIONID_0001",
      "RequestMajorCode": 27,
      "RequestMinorCode": 23,
      "Argument1": "0x0",
      "Argument2": "0x0",
      "Argument3": "0x0",
      "Argument4": "0x0",
      "Status": 0
    }
  },
  "message": ""
}

Detection Patterns #

Initial Access: Hardware Additions

1 rule

Sigma

USB Device Plugged (source)

Florian Roth (Nextron Systems)

Event ID 2103 — Completed a Pnp or Power operation (MajorCode, MinorCode) for device InstanceId with status Status.

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: Operational
Task: PnporPowerManagementoperationtoaparticulardevice.
Opcode: Stop

Description

Completed a Pnp or Power operation (MajorCode, MinorCode) for device InstanceId with status Status.

Message #

Completed a Pnp or Power operation (%3, %4) for device %2 with status %9.

Fields #

Name	Description
`LifetimeId` GUID	—
`InstanceId` UnicodeString	—
`MajorCode` UInt8	—
`MinorCode` UInt8	—
`Argument1` Pointer	—
`Argument2` Pointer	—
`Argument3` Pointer	—
`Argument4` Pointer	—
`Status` UInt32	— NTSTATUS reference

Event ID 2105 — Forwarded a Pnp or Power operation (UMDFHostDeviceRequest.RequestMajorCode, UMDFHostDeviceRequest.RequestMinorCode) for device UMDFHostDeviceRequest.InstanceId to the lower driver with status UMDFH...

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: Operational
Level: Informational
Collection Priority: Recommended (ANSSI)
Task: PnporPowerManagementoperationtoaparticulardevice.
Opcode: Start

Description

Forwarded a Pnp or Power operation (UMDFHostDeviceRequest.RequestMajorCode, UMDFHostDeviceRequest.RequestMinorCode) for device UMDFHostDeviceRequest.InstanceId to the lower driver with status UMDFHostDeviceRequest.Status.

Message #

Forwarded a Pnp or Power operation (%3, %4) for device %2 to the lower driver with status %9

Fields #

Name	Description
`UMDFHostDeviceRequest.LifetimeId` GUID	—
`UMDFHostDeviceRequest.InstanceId` UnicodeString	—
`UMDFHostDeviceRequest.RequestMajorCode`	—
`UMDFHostDeviceRequest.RequestMinorCode`	—
`UMDFHostDeviceRequest.Argument1` Pointer	—
`UMDFHostDeviceRequest.Argument2` Pointer	—
`UMDFHostDeviceRequest.Argument3` Pointer	—
`UMDFHostDeviceRequest.Argument4` Pointer	—
`UMDFHostDeviceRequest.Status` UInt32	— NTSTATUS reference
`LifetimeId` GUID	—
`InstanceId` UnicodeString	—
`MajorCode` UInt8	—
`MinorCode` UInt8	—
`Argument1` Pointer	—
`Argument2` Pointer	—
`Argument3` Pointer	—
`Argument4` Pointer	—
`Status` UInt32	— NTSTATUS reference

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-DriverFrameworks-UserMode",
    "guid": "2E35AAEB-857F-4BEB-A418-2E6C0E54D988",
    "event_source_name": "",
    "event_id": 2105,
    "version": 1,
    "level": 4,
    "task": 37,
    "opcode": 1,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T22:00:24.156800+00:00",
    "event_record_id": 29,
    "correlation": {},
    "execution": {
      "process_id": 8116,
      "thread_id": 7940
    },
    "channel": "Microsoft-Windows-DriverFrameworks-UserMode/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "user_data": {
    "UMDFHostDeviceRequest": {
      "LifetimeId": "3D69498E-0D29-42F1-905E-33C3A505E322",
      "InstanceId": "SWD\\REMOTEDISPLAYENUM\\RDPIDD_INDIRECTDISPLAY&SESSIONID_0001",
      "RequestMajorCode": 27,
      "RequestMinorCode": 9,
      "Argument1": "0x10040",
      "Argument2": "0xffffffffffffffff",
      "Argument3": "0x0",
      "Argument4": "0x0",
      "Status": 3221225659
    }
  },
  "message": ""
}

Event ID 2106 — Received a Pnp or Power operation (UMDFHostDeviceRequest.RequestMajorCode, UMDFHostDeviceRequest.RequestMinorCode) for device UMDFHostDeviceRequest.InstanceId which was completed by the lower drive...

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: Operational
Level: Informational
Collection Priority: Recommended (ANSSI)
Task: PnporPowerManagementoperationtoaparticulardevice.
Opcode: Start

Description

Received a Pnp or Power operation (UMDFHostDeviceRequest.RequestMajorCode, UMDFHostDeviceRequest.RequestMinorCode) for device UMDFHostDeviceRequest.InstanceId which was completed by the lower drivers with status UMDFHostDeviceRequest.Status.

Message #

Received a Pnp or Power operation (%3, %4) for device %2 which was completed by the lower drivers with status %9

Fields #

Name	Description
`UMDFHostDeviceRequest.LifetimeId` GUID	—
`UMDFHostDeviceRequest.InstanceId` UnicodeString	—
`UMDFHostDeviceRequest.RequestMajorCode`	—
`UMDFHostDeviceRequest.RequestMinorCode`	—
`UMDFHostDeviceRequest.Argument1` Pointer	—
`UMDFHostDeviceRequest.Argument2` Pointer	—
`UMDFHostDeviceRequest.Argument3` Pointer	—
`UMDFHostDeviceRequest.Argument4` Pointer	—
`UMDFHostDeviceRequest.Status` UInt32	— NTSTATUS reference
`LifetimeId` GUID	—
`InstanceId` UnicodeString	—
`MajorCode` UInt8	—
`MinorCode` UInt8	—
`Argument1` Pointer	—
`Argument2` Pointer	—
`Argument3` Pointer	—
`Argument4` Pointer	—
`Status` UInt32	— NTSTATUS reference

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-DriverFrameworks-UserMode",
    "guid": "2E35AAEB-857F-4BEB-A418-2E6C0E54D988",
    "event_source_name": "",
    "event_id": 2106,
    "version": 1,
    "level": 4,
    "task": 37,
    "opcode": 1,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T22:00:24.156869+00:00",
    "event_record_id": 30,
    "correlation": {},
    "execution": {
      "process_id": 8116,
      "thread_id": 7940
    },
    "channel": "Microsoft-Windows-DriverFrameworks-UserMode/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "user_data": {
    "UMDFHostDeviceRequest": {
      "LifetimeId": "3D69498E-0D29-42F1-905E-33C3A505E322",
      "InstanceId": "SWD\\REMOTEDISPLAYENUM\\RDPIDD_INDIRECTDISPLAY&SESSIONID_0001",
      "RequestMajorCode": 27,
      "RequestMinorCode": 9,
      "Argument1": "0x10040",
      "Argument2": "0xffffffffffffffff",
      "Argument3": "0x0",
      "Argument4": "0x0",
      "Status": 0
    }
  },
  "message": ""
}

Event ID 2107 — Received a Pnp or Power operation (MajorCode, MinorCode) for device InstanceId which was completed by the lower drivers with status Status.

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: Operational
Task: PnporPowerManagementoperationtoaparticulardevice.
Opcode: Start

Description

Received a Pnp or Power operation (MajorCode, MinorCode) for device InstanceId which was completed by the lower drivers with status Status.

Message #

Received a Pnp or Power operation (%3, %4) for device %2 which was completed by the lower drivers with status %9

Fields #

Name	Description
`LifetimeId` GUID	—
`InstanceId` UnicodeString	—
`MajorCode` UInt8	—
`MinorCode` UInt8	—
`Argument1` Pointer	—
`Argument2` Pointer	—
`Argument3` Pointer	—
`Argument4` Pointer	—
`Status` UInt32	— NTSTATUS reference

Event ID 2900 — The UMDF Host (UMDFHostShutdown.LifetimeId) has been asked to shutdown.

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: Operational
Level: Informational
Task: Shutdownofadriverhostprocess._41
Opcode: Start

Description

The UMDF Host (UMDFHostShutdown.LifetimeId) has been asked to shutdown.

Message #

The UMDF Host (%1) has been asked to shutdown.

Fields #

Name	Description
`UMDFHostShutdown.LifetimeId` GUID	—
`LifetimeId` GUID	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-DriverFrameworks-UserMode",
    "guid": "2E35AAEB-857F-4BEB-A418-2E6C0E54D988",
    "event_source_name": "",
    "event_id": 2900,
    "version": 1,
    "level": 4,
    "task": 41,
    "opcode": 1,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T22:03:23.476446+00:00",
    "event_record_id": 57,
    "correlation": {},
    "execution": {
      "process_id": 6928,
      "thread_id": 6020
    },
    "channel": "Microsoft-Windows-DriverFrameworks-UserMode/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "user_data": {
    "UMDFHostShutdown": {
      "LifetimeId": "2E824AC4-1BF6-49DF-A55C-C63302D85A3E"
    }
  },
  "message": ""
}

Event ID 2901 — The UMDF Host (UMDFHostShutdown.LifetimeId) has shutdown.

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: Operational
Level: Informational
Task: Shutdownofadriverhostprocess._41
Opcode: Stop

Description

The UMDF Host (UMDFHostShutdown.LifetimeId) has shutdown.

Message #

The UMDF Host (%1) has shutdown.

Fields #

Name	Description
`UMDFHostShutdown.LifetimeId` GUID	—
`LifetimeId` GUID	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-DriverFrameworks-UserMode",
    "guid": "2E35AAEB-857F-4BEB-A418-2E6C0E54D988",
    "event_source_name": "",
    "event_id": 2901,
    "version": 1,
    "level": 4,
    "task": 41,
    "opcode": 2,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T22:03:23.477062+00:00",
    "event_record_id": 58,
    "correlation": {},
    "execution": {
      "process_id": 6928,
      "thread_id": 8256
    },
    "channel": "Microsoft-Windows-DriverFrameworks-UserMode/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "user_data": {
    "UMDFHostShutdown": {
      "LifetimeId": "2E824AC4-1BF6-49DF-A55C-C63302D85A3E"
    }
  },
  "message": ""
}

Event ID 3000 — UMDF State Machine StateMachine start processing event Event (Queueing Queueing).

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: Operational
Task: PnporPowerManagementoperationtoaparticulardriverinadevicestack.
Opcode: Start

Description

UMDF State Machine StateMachine start processing event Event (Queueing Queueing).

Message #

UMDF State Machine %4 start processing event %5 (Queueing %6)

Fields #

Name	Description
`LifetimeId` GUID	—
`InstanceId` UnicodeString	—
`Level` UInt32	—
`StateMachine` UInt8	—
`Event` UInt32	—
`Queueing` UInt32	—

Event ID 3001 — UMDF State Machine StateMachine dropped event Event.

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: Operational
Task: PnporPowerManagementoperationtoaparticulardriverinadevicestack.

Description

UMDF State Machine StateMachine dropped event Event.

Message #

UMDF State Machine %4 dropped event %5

Fields #

Name	Description
`LifetimeId` GUID	—
`InstanceId` UnicodeString	—
`Level` UInt32	—
`StateMachine` UInt8	—
`Event` UInt32	—

Event ID 3010 — UMDF State Machine StateMachine state change from CurrentState to NewState on event Event.

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: Operational
Task: PnporPowerManagementoperationtoaparticulardriverinadevicestack.
Opcode: Start

Description

UMDF State Machine StateMachine state change from CurrentState to NewState on event Event.

Message #

UMDF State Machine %4 state change from %5 to %7 on event %6

Fields #

Name	Description
`LifetimeId` GUID	—
`InstanceId` UnicodeString	—
`Level` UInt32	—
`StateMachine` UInt32	—
`CurrentState` UInt32	—
`Event` UInt32	—
`NewState` UInt32	—

Event ID 3011 — UMDF State Machine StateMachine event processing finished in state CurrentState.

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: Operational
Task: PnporPowerManagementoperationtoaparticulardriverinadevicestack.
Opcode: Stop

Description

UMDF State Machine StateMachine event processing finished in state CurrentState.

Message #

UMDF State Machine %4 event processing finished in state %5

Fields #

Name	Description
`LifetimeId` GUID	—
`InstanceId` UnicodeString	—
`Level` UInt32	—
`StateMachine` UInt8	—
`CurrentState` UInt32	—

Event ID 3020 — UMDF State Machine StateMachine event processing stopped in state Event.

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: Operational
Task: PnporPowerManagementoperationtoaparticulardriverinadevicestack.
Opcode: Stop

Description

UMDF State Machine StateMachine event processing stopped in state Event.

Message #

UMDF State Machine %4 event processing stopped in state %5

Fields #

Name	Description
`LifetimeId` GUID	—
`InstanceId` UnicodeString	—
`Level` UInt32	—
`StateMachine` UInt8	—
`Event` UInt32	—

Event ID 4000 — A runtime failure has occurred in user-mode driver Driver and the hosting process has been terminated.

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: Operational
Task: UMDFVerifierFailure.

Message #

A runtime failure has occurred in user-mode driver %5 and the hosting process has been terminated. This may temporarily interrupt your ability to access the devices. Please contact the device manufacturer or driver vendor for more information about this problem.

Fields #

Name	Description
`LifetimeId` GUID	—
`Category` UnicodeString	—
`ErrorNumber` HexInt64	—
`Location` UnicodeString	—
`Driver` UnicodeString	—
`ImageVersion` UnicodeString	—
`UMDFVersion` UnicodeString	—

Event ID 10000 — A driver package which uses user-mode driver framework version UMDFDeviceInstallBegin.FrameworkVersion is being installed on device UMDFDeviceInstallBegin.DeviceId.

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: System
Level: Informational
Task: Installationorupdateofdevicedrivers.
Opcode: Start

Description

A driver package which uses user-mode driver framework version UMDFDeviceInstallBegin.FrameworkVersion is being installed on device UMDFDeviceInstallBegin.DeviceId.

Message #

A driver package which uses user-mode driver framework version %2 is being installed on device %1.

Fields #

Name	Description
`UMDFDeviceInstallBegin.DeviceId`	—
`UMDFDeviceInstallBegin.FrameworkVersion`	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-DriverFrameworks-UserMode",
    "guid": "2E35AAEB-857F-4BEB-A418-2E6C0E54D988",
    "event_source_name": "",
    "event_id": 10000,
    "version": 1,
    "level": 4,
    "task": 48,
    "opcode": 1,
    "keywords": 2305843009213693952,
    "time_created": "2022-04-07T16:53:01.068372+00:00",
    "event_record_id": 375,
    "correlation": {},
    "execution": {
      "process_id": 2204,
      "thread_id": 4904
    },
    "channel": "System",
    "computer": "WIN-FPV0DSIC9O6",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "user_data": {
    "UMDFDeviceInstallBegin": {
      "DeviceId": "SWD\\WPDBUSENUM\\_??_USBSTOR#DISK&VEN_VENDORCO&PROD_PRODUCTCODE&REV_2.00#9207032533193411390&0#{53F56307-B6BF-11D0-94F2-00A0C91EFB8B}",
      "FrameworkVersion": "2.33.0"
    }
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 10001 — The UMDF service UMDFServiceInstall.ServiceName (CLSID UMDFServiceInstall.CLSID) was installed.

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: System
Level: Informational
Task: Installationorupdateofdevicedrivers.

Description

The UMDF service UMDFServiceInstall.ServiceName (CLSID UMDFServiceInstall.CLSID) was installed. It requires framework version UMDFServiceInstall.MinimumFxVersion or higher.

Message #

The UMDF service %1 (CLSID %2) was installed.  It requires framework version %3 or higher.

Fields #

Name	Description
`UMDFServiceInstall.ServiceName`	—
`UMDFServiceInstall.CLSID`	—
`UMDFServiceInstall.MinimumFxVersion`	—
`UMDFServiceInstall.Upgrade`	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-DriverFrameworks-UserMode",
    "guid": "2E35AAEB-857F-4BEB-A418-2E6C0E54D988",
    "event_source_name": "",
    "event_id": 10001,
    "version": 1,
    "level": 4,
    "task": 48,
    "opcode": 0,
    "keywords": 2305843009213693952,
    "time_created": "2022-04-07T16:53:01.087249+00:00",
    "event_record_id": 376,
    "correlation": {},
    "execution": {
      "process_id": 2204,
      "thread_id": 4904
    },
    "channel": "System",
    "computer": "WIN-FPV0DSIC9O6",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "user_data": {
    "UMDFServiceInstall": {
      "ServiceName": "WpdFs",
      "CLSID": "112DE495-AC4C-46F8-B663-6A4266C53313",
      "MinimumFxVersion": "2.33.0",
      "Upgrade": false
    }
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 10002 — The UMDF service ServiceName (CLSID CLSID) was upgraded.

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: System
Task: Installationorupdateofdevicedrivers.

Description

The UMDF service ServiceName (CLSID CLSID) was upgraded. It requires framework version FxVersion or higher.

Message #

The UMDF service %1 (CLSID %2) was upgraded.  It requires framework version %3 or higher.

Fields #

Name	Description
`ServiceName` UnicodeString	—
`CLSID` GUID	—
`FxVersion` UnicodeString	—
`Upgrade` Boolean	—

Event ID 10100 — The driver package installation has succeeded.

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: System
Level: Informational
Task: Installationorupdateofdevicedrivers.
Opcode: Stop

Description

The driver package installation has succeeded.

Message #

The driver package installation has succeeded.

Fields #

Name	Description
`UMDFDeviceInstallEnd.FinalStatus`	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-DriverFrameworks-UserMode",
    "guid": "2E35AAEB-857F-4BEB-A418-2E6C0E54D988",
    "event_source_name": "",
    "event_id": 10100,
    "version": 1,
    "level": 4,
    "task": 48,
    "opcode": 2,
    "keywords": 2305843009213693952,
    "time_created": "2022-04-07T16:53:01.102346+00:00",
    "event_record_id": 377,
    "correlation": {},
    "execution": {
      "process_id": 2204,
      "thread_id": 4904
    },
    "channel": "System",
    "computer": "WIN-FPV0DSIC9O6",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "user_data": {
    "UMDFDeviceInstallEnd": {
      "FinalStatus": 0
    }
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 10101 — The driver package installation has failed.

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: System
Task: Installationorupdateofdevicedrivers.
Opcode: Stop

Description

The driver package installation has failed. The final status was FinalStatus.

Message #

The driver package installation has failed.  The final status was %1.

Fields #

Name	Description
`FinalStatus` UInt32	—

Event ID 10110 — A problem has occurred with one or more user-mode drivers and the hosting process has been terminated.

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: System
Task: User_modeDriverproblems.

Description

A problem has occurred with one or more user-mode drivers and the hosting process has been terminated. This may temporarily interrupt your ability to access the devices.

Message #

A problem has occurred with one or more user-mode drivers and the hosting process has been terminated.  This may temporarily interrupt your ability to access the devices.

Fields #

Name	Description
`LifetimeId` GUID	—
`Problem` UInt8	—
`DetectedBy` UInt8	—
`ActiveOperation` UInt8	—
`ExitCode` UInt32	—
`Message` UInt32	—
`Status` UInt32	— NTSTATUS reference

Event ID 10111 — The device FriendlyName (location Location) is offline due to a user-mode driver crash.

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: System
Task: User_modeDriverproblems.

Message #

The device %2 (location %3) is offline due to a user-mode driver crash.  Windows will attempt to restart the device %5 more times.  Please contact the device manufacturer for more information about this problem.

Fields #

Name	Description
`LifetimeId` GUID	—
`FriendlyName` UnicodeString	—
`Location` UnicodeString	—
`InstanceId` UnicodeString	—
`RestartCount` UInt32	—

Event ID 10112 — The device FriendlyName (location Location) is offline due to a user-mode device crash.

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: System
Task: User_modeDriverproblems.

Message #

The device %2 (location %3) is offline due to a user-mode device crash.  Windows will no longer attempt to restart this device because the maximum restart limit has been reached.  Disconnecting the device and reconnecting it, or disabling it and re-enabling it from the device manager, will reset this limit and allow the device to be accessed again.  Please contact the device manufacturer for more information about this problem.

Fields #

Name	Description
`LifetimeId` GUID	—
`FriendlyName` UnicodeString	—
`Location` UnicodeString	—
`InstanceId` UnicodeString	—
`RestartCount` UInt32	—

Event ID 10113 — The device InstanceId was unable to start due to conflict between the settings for driver DriverName (ConflictingParameter - Value) and the other drivers.

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: System
Task: Startupofanewdriverhostprocess.

Message #

The device %2 was unable to start due to conflict between the settings for driver %5 (%3 - %4) and the other drivers.  Windows will not be able to start this device.  Please contact the device manufacturer for assistance.

Fields #

Name	Description
`LifetimeId` GUID	—
`InstanceId` UnicodeString	—
`ConflictingParameter` UnicodeString	—
`Value` UInt64	—
`DriverName` UnicodeString	—

Event ID 10114 — {UnstartedService} (part of UMDF) did not load yet.

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: System

Description

{UnstartedService} (part of UMDF) did not load yet. After it does; Windows will start the device again.

Message #

{UnstartedService} (part of UMDF) did not load yet. After it does; Windows will start the device again.

Fields #

Name	Description
`UnstartedService`	—

Event ID 10115 — The device FriendlyName (location Location) is offline due to a user-mode driver crash.

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: System
Task: User_modeDriverproblems.

Message #

The device %2 (location %3) is offline due to a user-mode driver crash.  Windows will attempt to restart the device %5 more times in its own process.  Please contact the device manufacturer for more information about this problem.

Fields #

Name	Description
`LifetimeId` GUID	—
`FriendlyName` UnicodeString	—
`Location` UnicodeString	—
`InstanceId` UnicodeString	—
`RestartCount` UInt32	—

Event ID 10116 — The device FriendlyName (location Location) is offline due to a user-mode driver crash.

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: System
Task: User_modeDriverproblems.

Message #

The device %2 (location %3) is offline due to a user-mode driver crash.  Windows will attempt to restart the device in the shared process %5 more times before moving the device in its own process.  Please contact the device manufacturer for more information about this problem.

Fields #

Name	Description
`LifetimeId` GUID	—
`FriendlyName` UnicodeString	—
`Location` UnicodeString	—
`InstanceId` UnicodeString	—
`RestartCount` UInt32	—

Event ID 10117 — UMDF driver service ServiceName failed to load because it was compiled using a pre-release version of the Windows Driver Kit(WDK).

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: System
Task: Installationorupdateofdevicedrivers.

Message #

UMDF driver service %1 failed to load because it was compiled using a pre-release version of the Windows Driver Kit(WDK). The driver should be recompiled using a release version of the WDK. Driver's function table count is %2 and the expected count is %3.

Fields #

Name	Description
`ServiceName` UnicodeString	—
`ActualFuntionTableCount` UInt32	—
`ExpectedFuntionTableCount` UInt32	—

Event ID 10118 — UMDF reflector is unable to connect to service control manager (SCM).

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: System
Task: StartupoftheUMDFreflector

Description

UMDF reflector is unable to connect to service control manager (SCM). This is expected during boot, when SCM has not started yet. Will retry when it starts.

Message #

UMDF reflector is unable to connect to service control manager (SCM). This is expected during boot, when SCM has not started yet. Will retry when it starts.

Event ID 10120 — A problem has occurred with one or more user-mode drivers and the hosting process has been terminated.

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: System
Task: User_modeDriverproblems.

Description

A problem has occurred with one or more user-mode drivers and the hosting process has been terminated. This may temporarily interrupt your ability to access the devices.

Message #

A problem has occurred with one or more user-mode drivers and the hosting process has been terminated.  This may temporarily interrupt your ability to access the devices.

Fields #

Name	Description
`LifetimeId` GUID	—
`Problem` UInt8	—
`DetectedBy` UInt8	—
`ActiveOperation` UInt8	—
`ExitCode` UInt32	—
`Message` UInt32	—
`Status` UInt32	— NTSTATUS reference
`InstanceId` UnicodeString	—
`HardwareId` UnicodeString	—
`ServiceName` UnicodeString	—

Event ID 10121 — A runtime failure has occurred in user-mode driver Driver and the hosting process has been terminated.

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: System
Task: User_modeDriverproblems.

Message #

A runtime failure has occurred in user-mode driver %5 and the hosting process has been terminated. This may temporarily interrupt your ability to access the devices. Please contact the device manufacturer or driver vendor for more information about this problem.

Fields #

Name	Description
`LifetimeId` GUID	—
`Category` UnicodeString	—
`ErrorNumber` HexInt64	—
`Location` UnicodeString	—
`Driver` UnicodeString	—
`ImageVersion` UnicodeString	—
`UMDFVersion` UnicodeString	—

Event ID 19999 — UMDF Test Event (String).

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: System
Task: TestingUMDF

Description

UMDF Test Event (String).

Message #

UMDF Test Event (%1)

Fields #

Name	Description
`String` UnicodeString	—

Event ID 20030 — Power IRP related event in the User-mode Driver Frameworks Host Process

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: Diagnostic
Task: PowerTransition_Driver
Opcode: Start

Description

Power IRP related event in the User-mode Driver Frameworks Host Process.

Message #

Power IRP related event in the User-mode Driver Frameworks Host Process

Fields #

Name	Description
`Irp` Pointer	—
`Device` Pointer	—
`DriverName` UnicodeString	—

Event ID 20031 — Power IRP related event in the User-mode Driver Frameworks Host Process

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: Diagnostic
Task: PowerTransition_Driver
Opcode: Stop

Description

Power IRP related event in the User-mode Driver Frameworks Host Process.

Message #

Power IRP related event in the User-mode Driver Frameworks Host Process

Fields #

Name	Description
`Irp` Pointer	—
`Device` Pointer	—

Event ID 20032 — Power IRP related event in the User-mode Driver Frameworks Host Process

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: Diagnostic
Task: PowerTransition_Driver
Opcode: NestingStart

Description

Power IRP related event in the User-mode Driver Frameworks Host Process.

Message #

Power IRP related event in the User-mode Driver Frameworks Host Process

Fields #

Name	Description
`Irp` Pointer	—
`Device` Pointer	—

Event ID 20033 — Power IRP related event in the User-mode Driver Frameworks Host Process

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: Diagnostic
Task: PowerTransition_Driver
Opcode: NestingStop

Description

Power IRP related event in the User-mode Driver Frameworks Host Process.

Message #

Power IRP related event in the User-mode Driver Frameworks Host Process

Fields #

Name	Description
`Irp` Pointer	—
`Device` Pointer	—

Event ID 30000 — A driver package which uses user-mode driver framework version {FrameworkVersion} is being installed on device {DeviceId}.

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: Operational

Description

A driver package which uses user-mode driver framework version {FrameworkVersion} is being installed on device {DeviceId}.

Message #

A driver package which uses user-mode driver framework version {FrameworkVersion} is being installed on device {DeviceId}.

Fields #

Name	Description
`FrameworkVersion`	—
`DeviceId`	—

Event ID 30001 — The driver package installation has finished.

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: Operational

Description

The driver package installation has finished. The final status was {FinalStatus}.

Message #

The driver package installation has finished. The final status was {FinalStatus}.

Fields #

Name	Description
`FinalStatus`	—

Event ID 30002 — PreDevice installation (UMDF version {FrameworkVersion}) is starting for device {DeviceId}.

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: Operational

Description

PreDevice installation (UMDF version {FrameworkVersion}) is starting for device {DeviceId}.

Message #

PreDevice installation (UMDF version {FrameworkVersion}) is starting for device {DeviceId}.

Fields #

Name	Description
`FrameworkVersion`	—
`DeviceId`	—

Event ID 30003 — PreDevice installation has finished.

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: Operational

Description

PreDevice installation has finished. The final status was {FinalStatus}.

Message #

PreDevice installation has finished. The final status was {FinalStatus}.

Fields #

Name	Description
`FinalStatus`	—

Event ID 30004 — PostDevice installation (UMDF version {FrameworkVersion}) is starting for device {DeviceId}.

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: Operational

Description

PostDevice installation (UMDF version {FrameworkVersion}) is starting for device {DeviceId}.

Message #

PostDevice installation (UMDF version {FrameworkVersion}) is starting for device {DeviceId}.

Fields #

Name	Description
`FrameworkVersion`	—
`DeviceId`	—

Event ID 30005 — PostDevice installation has finished.

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: Operational

Description

PostDevice installation has finished. The final status was {FinalStatus}.

Message #

PostDevice installation has finished. The final status was {FinalStatus}.

Fields #

Name	Description
`FinalStatus`	—

Event ID 30007 — UMDF has been updated.

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: Operational

Description

UMDF has been updated. The final status was {FinalStatus}.

Message #

UMDF has been updated. The final status was {FinalStatus}.

Fields #

Name	Description
`FinalStatus`	—

Event ID 30008 — DDI to read from hardware begins (TargetType: HwAccessTargetType, TargetSize: HwAccessTargetSize, BufferCount: HwAccessBufferCount).

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: Operational
Task: DDIcalltoreadfromHardware.
Opcode: Start

Description

DDI to read from hardware begins (TargetType: HwAccessTargetType, TargetSize: HwAccessTargetSize, BufferCount: HwAccessBufferCount).

Message #

DDI to read from hardware begins (TargetType: %1, TargetSize: %2, BufferCount: %3).

Fields #

Name	Description
`HwAccessTargetType` UInt32	—
`HwAccessTargetSize` UInt32	—
`HwAccessBufferCount` UInt32	—

Event ID 30009 — DDI to read from hardware ends (TargetType: HwAccessTargetType, TargetSize: HwAccessTargetSize, BufferCount: HwAccessBufferCount).

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: Operational
Task: DDIcalltoreadfromHardware.
Opcode: Stop

Description

DDI to read from hardware ends (TargetType: HwAccessTargetType, TargetSize: HwAccessTargetSize, BufferCount: HwAccessBufferCount).

Message #

DDI to read from hardware ends (TargetType: %1, TargetSize: %2, BufferCount: %3).

Fields #

Name	Description
`HwAccessTargetType` UInt32	—
`HwAccessTargetSize` UInt32	—
`HwAccessBufferCount` UInt32	—

Event ID 30010 — Read from hardware begins (TargetType: HwAccessTargetType, TargetSize: HwAccessTargetSize, BufferCount: HwAccessBufferCount).

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: Operational
Task: ReadfromHardware.
Opcode: Start

Description

Read from hardware begins (TargetType: HwAccessTargetType, TargetSize: HwAccessTargetSize, BufferCount: HwAccessBufferCount).

Message #

Read from hardware begins (TargetType: %1, TargetSize: %2, BufferCount: %3).

Fields #

Name	Description
`HwAccessTargetType` UInt32	—
`HwAccessTargetSize` UInt32	—
`HwAccessBufferCount` UInt32	—

Event ID 30011 — Read from hardware ends (TargetType: HwAccessTargetType, TargetSize: HwAccessTargetSize, BufferCount: HwAccessBufferCount).

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: Operational
Task: ReadfromHardware.
Opcode: Stop

Description

Read from hardware ends (TargetType: HwAccessTargetType, TargetSize: HwAccessTargetSize, BufferCount: HwAccessBufferCount).

Message #

Read from hardware ends (TargetType: %1, TargetSize: %2, BufferCount: %3).

Fields #

Name	Description
`HwAccessTargetType` UInt32	—
`HwAccessTargetSize` UInt32	—
`HwAccessBufferCount` UInt32	—

Event ID 30012 — DDI to write to hardware begins (TargetType: HwAccessTargetType, TargetSize: HwAccessTargetSize, BufferCount: HwAccessBufferCount).

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: Operational
Task: DDIcalltoWritetohardware.
Opcode: Start

Description

DDI to write to hardware begins (TargetType: HwAccessTargetType, TargetSize: HwAccessTargetSize, BufferCount: HwAccessBufferCount).

Message #

DDI to write to hardware begins (TargetType: %1, TargetSize: %2, BufferCount: %3).

Fields #

Name	Description
`HwAccessTargetType` UInt32	—
`HwAccessTargetSize` UInt32	—
`HwAccessBufferCount` UInt32	—

Event ID 30013 — DDI to write to hardware ends (TargetType: HwAccessTargetType, TargetSize: HwAccessTargetSize, BufferCount: HwAccessBufferCount).

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: Operational
Task: DDIcalltoWritetohardware.
Opcode: Stop

Description

DDI to write to hardware ends (TargetType: HwAccessTargetType, TargetSize: HwAccessTargetSize, BufferCount: HwAccessBufferCount).

Message #

DDI to write to hardware ends (TargetType: %1, TargetSize: %2, BufferCount: %3).

Fields #

Name	Description
`HwAccessTargetType` UInt32	—
`HwAccessTargetSize` UInt32	—
`HwAccessBufferCount` UInt32	—

Event ID 30014 — Write to hardware begins (TargetType: HwAccessTargetType, TargetSize: HwAccessTargetSize, BufferCount: HwAccessBufferCount).

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: Operational
Task: Writetohardware.
Opcode: Start

Description

Write to hardware begins (TargetType: HwAccessTargetType, TargetSize: HwAccessTargetSize, BufferCount: HwAccessBufferCount).

Message #

Write to hardware begins (TargetType: %1, TargetSize: %2, BufferCount: %3).

Fields #

Name	Description
`HwAccessTargetType` UInt32	—
`HwAccessTargetSize` UInt32	—
`HwAccessBufferCount` UInt32	—

Event ID 30015 — Write to hardware ends (TargetType: HwAccessTargetType, TargetSize: HwAccessTargetSize, BufferCount: HwAccessBufferCount).

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: Operational
Task: Writetohardware.
Opcode: Stop

Description

Write to hardware ends (TargetType: HwAccessTargetType, TargetSize: HwAccessTargetSize, BufferCount: HwAccessBufferCount).

Message #

Write to hardware ends (TargetType: %1, TargetSize: %2, BufferCount: %3).

Fields #

Name	Description
`HwAccessTargetType` UInt32	—
`HwAccessTargetSize` UInt32	—
`HwAccessBufferCount` UInt32	—

Event ID 30016 — Read from hardware begins (TargetType: HwAccessTargetType, TargetSize: HwAccessTargetSize, BufferCount: HwAccessBufferCount).

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: Operational
Task: ReadfromHardware.
Opcode: Start

Description

Read from hardware begins (TargetType: HwAccessTargetType, TargetSize: HwAccessTargetSize, BufferCount: HwAccessBufferCount).

Message #

Read from hardware begins (TargetType: %1, TargetSize: %2, BufferCount: %3).

Fields #

Name	Description
`HwAccessTargetType` UInt32	—
`HwAccessTargetSize` UInt32	—
`HwAccessBufferCount` UInt32	—

Event ID 30017 — Read from hardware ends (TargetType: HwAccessTargetType, TargetSize: HwAccessTargetSize, BufferCount: HwAccessBufferCount).

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: Operational
Task: ReadfromHardware.
Opcode: Stop

Description

Read from hardware ends (TargetType: HwAccessTargetType, TargetSize: HwAccessTargetSize, BufferCount: HwAccessBufferCount).

Message #

Read from hardware ends (TargetType: %1, TargetSize: %2, BufferCount: %3).

Fields #

Name	Description
`HwAccessTargetType` UInt32	—
`HwAccessTargetSize` UInt32	—
`HwAccessBufferCount` UInt32	—

Event ID 30018 — Write to hardware begins (TargetType: HwAccessTargetType, TargetSize: HwAccessTargetSize, BufferCount: HwAccessBufferCount).

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: Operational
Task: Writetohardware.
Opcode: Start

Description

Write to hardware begins (TargetType: HwAccessTargetType, TargetSize: HwAccessTargetSize, BufferCount: HwAccessBufferCount).

Message #

Write to hardware begins (TargetType: %1, TargetSize: %2, BufferCount: %3).

Fields #

Name	Description
`HwAccessTargetType` UInt32	—
`HwAccessTargetSize` UInt32	—
`HwAccessBufferCount` UInt32	—

Event ID 30019 — Write to hardware ends (TargetType: HwAccessTargetType, TargetSize: HwAccessTargetSize, BufferCount: HwAccessBufferCount).

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: Operational
Task: Writetohardware.
Opcode: Stop

Description

Write to hardware ends (TargetType: HwAccessTargetType, TargetSize: HwAccessTargetSize, BufferCount: HwAccessBufferCount).

Message #

Write to hardware ends (TargetType: %1, TargetSize: %2, BufferCount: %3).

Fields #

Name	Description
`HwAccessTargetType` UInt32	—
`HwAccessTargetSize` UInt32	—
`HwAccessBufferCount` UInt32	—

Event ID 30020 — UMDF Reflector sent notification for hardware interrupt (Message ID InterruptMessageNumber).

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: Operational
Task: UMDFhardwareinterruptnotification.

Description

UMDF Reflector sent notification for hardware interrupt (Message ID InterruptMessageNumber).

Message #

UMDF Reflector sent notification for hardware interrupt (Message ID %1).

Fields #

Name	Description
`InterruptMessageNumber` UInt32	—

Event ID 30021 — UMDF framework received notification for hardware interrupt (Message ID InterruptMessageNumber).

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: Operational
Task: UMDFhardwareinterruptnotification.

Description

UMDF framework received notification for hardware interrupt (Message ID InterruptMessageNumber).

Message #

UMDF framework received notification for hardware interrupt (Message ID %1).

Fields #

Name	Description
`InterruptMessageNumber` UInt32	—