Microsoft-Windows-IsolatedUserMode

5 events across 1 channel

Event ID	Title	Channel
1	Secure Trustlet ImageName Id TrustletIdentity and Pid NormalProcessId started …	System
2	Secure Trustlet Id TrustletIdentity and Pid NormalProcessId stopped with status …	System
3	Secure Kernel started with status Status and flags Flags.	System
4	Secure Trustlet Id TrustletIdentity and Pid NormalProcessId failed to start with …	System
5	Secure Trustlet ImageName Id TrustletIdentity and Pid NormalProcessId started …	System

Event ID 1 — Secure Trustlet ImageName Id TrustletIdentity and Pid NormalProcessId started with status Status.

Provider: Microsoft-Windows-IsolatedUserMode
Channel: System
Level: Informational

Description

Secure Trustlet ImageName Id TrustletIdentity and Pid NormalProcessId started with status Status.

Message #

Secure Trustlet %4 Id %1 and Pid %2 started with status %3.

Fields #

Name	Description
`TrustletIdentity` UInt64	—
`NormalProcessId` UInt32	—
`Status` UInt32	— NTSTATUS reference
`ImageName` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-IsolatedUserMode",
    "guid": "73A33AB2-1966-4999-8ADD-868C41415269",
    "event_source_name": "",
    "event_id": 1,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223442405598953472,
    "time_created": "2026-03-11T06:27:21.608775+00:00",
    "event_record_id": 2747,
    "correlation": {},
    "execution": {
      "process_id": 928,
      "thread_id": 932
    },
    "channel": "System",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "TrustletIdentity": 1,
    "NormalProcessId": 740,
    "Status": 0,
    "ImageName": "\\??\\C:\\Windows\\system32\\lsaiso.exe"
  },
  "message": ""
}

Event ID 2 — Secure Trustlet Id TrustletIdentity and Pid NormalProcessId stopped with status Status.

Provider: Microsoft-Windows-IsolatedUserMode
Channel: System
Level: Informational

Description

Secure Trustlet Id TrustletIdentity and Pid NormalProcessId stopped with status Status.

Message #

Secure Trustlet Id %1 and Pid %2 stopped with status %3.

Fields #

Name	Description
`TrustletIdentity` UInt64	—
`NormalProcessId` UInt32	—
`Status` UInt32	— NTSTATUS reference

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-IsolatedUserMode",
    "guid": "73A33AB2-1966-4999-8ADD-868C41415269",
    "event_source_name": "",
    "event_id": 2,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223442405598953472,
    "time_created": "2026-03-12T03:04:20.510853+00:00",
    "event_record_id": 2866,
    "correlation": {},
    "execution": {
      "process_id": 8132,
      "thread_id": 10968
    },
    "channel": "System",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-21-3407486967-1585450050-1838039599-1000"
    }
  },
  "event_data": {
    "TrustletIdentity": 0,
    "NormalProcessId": 0,
    "Status": 0
  },
  "message": ""
}

Event ID 3 — Secure Kernel started with status Status and flags Flags.

Provider: Microsoft-Windows-IsolatedUserMode
Channel: System
Level: Informational

Description

Secure Kernel started with status Status and flags Flags.

Message #

Secure Kernel started with status %1 and flags %2.

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference
`Flags` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-IsolatedUserMode",
    "guid": "73A33AB2-1966-4999-8ADD-868C41415269",
    "event_source_name": "",
    "event_id": 3,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223442405598953472,
    "time_created": "2026-03-11T06:27:08.620314+00:00",
    "event_record_id": 2713,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 8
    },
    "channel": "System",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Status": 0,
    "Flags": 0
  },
  "message": ""
}

Event ID 4 — Secure Trustlet Id TrustletIdentity and Pid NormalProcessId failed to start with status Status.

Provider: Microsoft-Windows-IsolatedUserMode
Channel: System

Description

Secure Trustlet Id TrustletIdentity and Pid NormalProcessId failed to start with status Status.

Message #

Secure Trustlet Id %1 and Pid %2 failed to start with status %3.

Fields #

Name	Description
`TrustletIdentity` UInt64	—
`NormalProcessId` UInt32	—
`Status` UInt32	— NTSTATUS reference

Event ID 5 — Secure Trustlet ImageName Id TrustletIdentity and Pid NormalProcessId started with status Status.

Provider: Microsoft-Windows-IsolatedUserMode
Channel: System
Level: Informational

Description

Secure Trustlet ImageName Id TrustletIdentity and Pid NormalProcessId started with status Status.

Message #

Secure Trustlet %4 Id %1 and Pid %2 started with status %3.

Fields #

Name	Description
`TrustletIdentity` UInt64	—
`NormalProcessId` UInt32	—
`Status` UInt32	— NTSTATUS reference
`ImageName` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-IsolatedUserMode",
    "guid": "73A33AB2-1966-4999-8ADD-868C41415269",
    "event_source_name": "",
    "event_id": 5,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223442405598953472,
    "time_created": "2026-03-11T06:37:46.854691+00:00",
    "event_record_id": 2819,
    "correlation": {},
    "execution": {
      "process_id": 8132,
      "thread_id": 10968
    },
    "channel": "System",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-21-3407486967-1585450050-1838039599-1000"
    }
  },
  "event_data": {
    "TrustletIdentity": 0,
    "NormalProcessId": 0,
    "Status": 0,
    "ImageName": "NULL"
  },
  "message": ""
}