Event ID 2100 — Received a Pnp or Power operation (UMDFHostDeviceRequest.RequestMajorCode, UMDFHostDeviceRequest.RequestMinorCode) for device UMDFHostDeviceRequest.InstanceId.

Provider: Microsoft-Windows-DriverFrameworks-UserMode
Channel: Operational
Level: Informational
Collection Priority: Recommended (ANSSI)
Task: PnporPowerManagementoperationtoaparticulardevice.
Opcode: Start

Description

Received a Pnp or Power operation (UMDFHostDeviceRequest.RequestMajorCode, UMDFHostDeviceRequest.RequestMinorCode) for device UMDFHostDeviceRequest.InstanceId.

Message #

Received a Pnp or Power operation (%3, %4) for device %2.

Fields #

Name	Description
`UMDFHostDeviceRequest.LifetimeId` GUID	—
`UMDFHostDeviceRequest.InstanceId` UnicodeString	—
`UMDFHostDeviceRequest.RequestMajorCode`	—
`UMDFHostDeviceRequest.RequestMinorCode`	—
`UMDFHostDeviceRequest.Argument1` Pointer	—
`UMDFHostDeviceRequest.Argument2` Pointer	—
`UMDFHostDeviceRequest.Argument3` Pointer	—
`UMDFHostDeviceRequest.Argument4` Pointer	—
`UMDFHostDeviceRequest.Status` UInt32	— NTSTATUS reference
`LifetimeId` GUID	—
`InstanceId` UnicodeString	—
`MajorCode` UInt8	—
`MinorCode` UInt8	—
`Argument1` Pointer	—
`Argument2` Pointer	—
`Argument3` Pointer	—
`Argument4` Pointer	—
`Status` UInt32	— NTSTATUS reference

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-DriverFrameworks-UserMode",
    "guid": "2E35AAEB-857F-4BEB-A418-2E6C0E54D988",
    "event_source_name": "",
    "event_id": 2100,
    "version": 1,
    "level": 4,
    "task": 37,
    "opcode": 1,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T22:00:24.156732+00:00",
    "event_record_id": 28,
    "correlation": {},
    "execution": {
      "process_id": 8116,
      "thread_id": 7940
    },
    "channel": "Microsoft-Windows-DriverFrameworks-UserMode/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "user_data": {
    "UMDFHostDeviceRequest": {
      "LifetimeId": "3D69498E-0D29-42F1-905E-33C3A505E322",
      "InstanceId": "SWD\\REMOTEDISPLAYENUM\\RDPIDD_INDIRECTDISPLAY&SESSIONID_0001",
      "RequestMajorCode": 27,
      "RequestMinorCode": 9,
      "Argument1": "0x10040",
      "Argument2": "0xffffffffffffffff",
      "Argument3": "0x0",
      "Argument4": "0x0",
      "Status": 3221225659
    }
  },
  "message": ""
}

Detection Patterns #

Initial Access: Hardware Additions

DriverFrameworks-UserMode Event ID 2003: The UMDF Host Process (UMDFHostDeviceArrivalBegin.LifetimeId) has been asked to load drivers for device UMDFHostDeviceArrivalBegin.InstanceId.OREvent ID 2100: Received a Pnp or Power operation (UMDFHostDeviceRequest.RequestMajorCode, UMDFHostDeviceRequest.RequestMinorCode) for device UMDFHostDeviceRequest.InstanceId.OREvent ID 2102: Forwarded a finished Pnp or Power operation (UMDFHostDeviceRequest.RequestMajorCode, UMDFHostDeviceRequest.RequestMinorCode) to the lower driver for device UMDFHostDeviceRequest.InstanceId with status UMDFHostDeviceRequest.Status.

1 rule

Sigma

USB Device Plugged (source)

Florian Roth (Nextron Systems)