Microsoft-Windows-Kernel-Boot

261 events across 3 channels

Event ID	Title	Channel
1	System was booted in %1x%2@%3bpp.	Analytic
2	BootUX screen was displayed in %1x%2@%3bpp.	Analytic
3	Video bit transfer rate is %1 bytes per ms.	Analytic
4	Boot library accessed file %2 on Device %1.	Analytic
5	File IO for boot application %1: Total Bytes Read = %2, Total Bytes Written = …	Analytic
6	Image %1 failed IntegrityCheck reason is %3.	Analytic
7	Bootmgr duration is %1 milliseconds.	Analytic
8	Image %1 is not self-signed.	Analytic
9	A device that was enumerated by the BIOS was inaccessible to the boot …	Analytic
10	The system firmware has allocated a memory region previously determined to be …	System
11	The time elapsed before Bootmgr, based on the TSC, is %1 ms.	Analytic
12	Variable %1 requires %2 bytes and was set with status %3.	Analytic
13	Element %2 of application %1 was not in policy.	Analytic
14	A Secure Boot Policy update resulted in status %1.	Analytic
15	A Secure Boot Revocation List update resulted in status %1.	Analytic
16	Windows failed to resume from hibernate with error status %1.	System
17	The boot manager multi OS selection screen was displayed.	System
18	There are %1 boot options on this system.	System
19	There are %1 boot tool options on this system.	System
20	The last shutdown's success status was %1.	System
21	The OS loader advanced options menu was displayed and the user selected option …	System
22	The OS loader edit options menu was displayed.	System
23	The Windows key was pressed during boot.	System
24	The F8 key was pressed during boot.	System
25	The boot menu policy was %1.	System
26	A one-time boot sequence was used during this boot.	System
27	The boot type was %1.	System
28		Operational
29	Windows failed fast startup with error status %1.	System
30	The firmware reported boot metrics.	System
31	Initialization of the firmware crypto hash provider resulted in status %1.	Analytic
32	The bootmgr spent %1 ms waiting for user input.	System
33	The firmware update capsule (%1) failed to load with status %2.	Analytic
34	The PE/COFF image firmware update capsule (%1) failed to load with status %2.	Analytic
35	The Efi UpdateCapsule failed to apply updates with status %1.	Operational
36	Firmware update supported status is %3.	Analytic
37	The firmware update capsule (%1) code integrity check failed with status %2.	Analytic
38	Windows failed to load the required system file %1 with error status %2.	Operational
39	Windows failed to load the system registry file %1 with error status %2.	Operational
40	Windows failed to initialize the ACPI with error status %1.	Operational
41	Windows failed to load with error status %1.	Operational
42	Windows failed to load image %2 imported from %1 with error status %3.	Operational
43	Windows failed to import %2 from image %1 with error status %3.	Operational
44	Windows failed to provision VSM Identity Key.	Operational
45	VSM Identity Key Provisioning.	Operational
46	Retrieving the driver list took %1 milliseconds.	Analytic
47	Loading the drivers took %1 milliseconds.	Analytic
48	Loading hive %1 took %2 milliseconds.	Analytic
49	Windows system integrity policy does not allow to load the required system file …	Operational
50	Windows failed to provision VSM Master Encryption Key.	Operational
51	VSM Master Encryption Key Provisioning.	Operational
52	The time elapsed loading %1 was %2 ms.	Analytic
53	The time elapsed executing %1 was %2 ms.	Analytic
54	Building chunk table for WIM compressed file %2 failed with status: %1.	Analytic
55	Soft Restart failed to prepare target Operating System.	Analytic
56	Boot application failed to process persistent data with status.	Analytic
57	Windows failed to provision the TPM Storage Root Key with error status.	Operational
58	Windows successfully provisioned the TPM Storage Root Key.	Operational
59	Windows failed to provision TPM binding information with error status.	Operational
60	NFIT ACPI table is not properly formed, and could not be parsed.	Operational
61		Analytic
62	Previous error detected while attempting to execute Measured Launch Environment.	Operational
63		Analytic
64		Analytic
65		Analytic
66		Analytic
67		Analytic
68		Analytic
69		Analytic
70		Analytic
71		Operational
72		Analytic
73	Firmware provided SINIT ACM not used.	Operational
74	Windows failed to provision DRTM-bound VSM Master Encryption Key.	Operational
75	Windows successfully provisioned DRTM-bound VSM Master Encryption Key.	Operational
76		Operational
77		Operational
78		Operational
79		Operational
80	FASR Platform Verification.	Operational
81	Windows skipped provisioning the TPM Storage Root Key because the …	Operational
82	Trace point: Function:%1 Point:%2 Status:%3.	Operational
83	VSM Master Key Array Package Read and Unseal From Disk Status: %1 OsDeviceId: %2 …	Operational
84	Seal and Store on Disk Status Status: %1 OsDeviceId: %2 SystemRoot: %3 …	Operational
85	Read and Unseal Master Key Array Package Status Status: %1 …	Operational
86	Get Plaintext Master Key Array Status Status: %1 SecondaryProtectorVariableName: …	Operational
87	Read and Unseal Master Key Array Package error LegacyMainBlobVariableName: %1 …	Operational
88	Read and Unseal Master Key Array Package Status Status: %1 OsDeviceId: %2 …	Operational
89	Create Sealed Encrypt Key Status Status: %1 PcrMask: %2 UnsealPolicyPdGuid: %3 …	Operational
90	Get Sealed Protector Status Status: %1 ProtectorName: %2 …	Operational
91	SRTM PCR Values algId: %1 digestLength:%2 PcrIndex: %3 PcrValue: %4.	Operational
92		Operational
100		Operational
101		Operational
102		Operational
103		Operational
104		Operational
105		Operational
106		Operational
107		Operational
108		Operational
109		Operational
110		Operational
111		Operational
112		Operational
113		Operational
114		Operational
115	Soft reboot cancellation started.	System
116	Soft reboot cancellation finished.	System
117		Operational
118		Operational
119		Operational
120		Operational
121		Operational
122		Operational
123		Operational
124	The virtualization-based security enablement policy check at phase %1 failed …	System
126		Operational
127		Operational
128		Operational
129		Operational
130		Operational
131		Operational
132		Operational
133		Operational
134		Operational
135		Operational
136	Soft Restart failed to complete with status: %1 due to %2 outstanding unclaimed …	Operational
137		Operational
138		Operational
139	Soft Restart failed to restore memory partition %1 with status: %2.	Operational
140		Operational
141		Operational
142	Soft Restart failed to register with Soft Restart extension.	Operational
143		Operational
144		Operational
145		Operational
146	Soft Restart failed to establish connection with secure load with status.	Operational
147		Operational
148		Operational
149		Operational
150		Operational
151		Operational
152		Operational
153	Virtualization-based security (policies: %3) is %2.	System
154	Boot Policy Migration used an authenticated variable.	Operational
155	Boot Policy Migration used an unauthenticated variable.	Operational
156	Virtualization-based security (policies: %3) is %2 with status: %1.	System
157	Info: %1 Status: %2.	Operational
158	Error: %1 Status: %2.	Operational
159		Operational
160		Operational
161		Operational
162		Operational
163		Operational
164		Operational
165		Operational
166		Operational
167		Operational
168		Operational
169		Operational
170	Measured Boot Measurement Failure.	Operational
171	TPM Measurement Failure.	Operational
172	Failure to close TCG log.	Operational
173		Operational
174		Operational
175		Operational
176		Operational
177		Operational
178		Operational
179		Operational
180		Operational
181	Soft Restart driver failed to register itself as a filter with status.	Operational
182		Operational
183		Operational
184		Operational
185	Soft Restart driver failed to store BCD store when BCDCache is enabled with …	Operational
186	Soft Restart driver failed to query MEMDISK configuration from the current OS …	Operational
200	A command was submitted to the TPM.	Analytic
201	A command was submitted to the TPM.	Analytic
202	A command could not be submitted to the TPM.	Operational
203	A command could not be submitted to the TPM.	Operational
204	The TPM was found not to be useable for BitLocker.	Analytic
205		Operational
206		Operational
207	Measured Boot library was initialized.	Analytic
208	Measured Boot library encountered a failure and entered insecure state.	Operational
209	DRTM Security Version Number check failed.	Operational
210	Intel TXT SENTER time: %1 ms.	Operational
211		Operational
212	File modification detected after load.	Analytic
213	Registry modification detected after load.	Analytic
214	Soft reboot prepare started (complete requested: %1).	System
215	Soft reboot prepare finished.	System
216	Soft reboot complete prepare started.	System
217	Soft reboot complete prepare finished.	System
218	Soft reboot call to %1 failed: %2 (checkpoint: %3).	System
219	Intel TXT prepared.	Operational
220	System Guard enabled but not supported.	Operational
221	System drivers need update to support VBS launch.	System
222	SMM configuration failed validation.	System
223		Operational
224		Operational
225	VBS is configured to disallow trustlets.	Operational
226		Operational
227		Operational
228		Operational
229		Operational
230		Operational
231	Boot menu timer canceled due to key press.	Operational
232		Operational
233		Operational
234		Operational
235	Windows boot environment failed to initialize TPM device.	Operational
236	SMM isolation level decreased.	Operational
237	Hardware memory mirroring is not supported.	Operational
238	EFI time zone bias.	System
239		Analytic
240		Operational
241		Operational
242	SMM isolation detected.	System
243	Hardware memory mirroring support is enabled.	Operational
244		Analytic
245		Operational
246		Operational
247	Windows boot environment failed load the HSP firmware.	System
248	Previous error detected while attempting to execute Measured Launch Environment.	Operational
249		Operational
250		Operational
251		Operational
252	This system has not supplied a valid framebuffer and the graphical boot menu is …	Operational
253		Analytic
253	HotPatch %4 failed to apply with Status: %2 at failure point: %1.	Operational
254		Operational
255		Operational
256	AMD DRTM Firmware Anti-Rollback Disabled.	System
257	Failed to build image path for dump stack module %1.	Operational
258	Failed to load dump stack module %1.	Operational
259	Early dump stack succesfully loaded by OS loader.	Operational
260	Early boot crash dump generation is not supported.	Operational
261	Soft restart prepare was vetoed by component %2 with status %1.	Operational
262	Soft restart finalize was vetoed by component %2 with status %1.	Operational
263	Early crash dump support is disabled by registry configuration.	Operational
264	Failed to query early dump enablement information from the registry with status …	Operational
265	Failed to query dedicated dump file name for the target OS with status %1.	Operational
266	Dedicated dump file names do not match (%1, %2).	Operational
267	Failed to query dump module list.	Operational
268	Boot Application %1 dropped %2 events during logging.	Operational
269	Trace point: Function:%1 Point:%2 Status:%3.	Operational
270	Cached boot BCD store was loaded by the boot environment.	Operational
271	TPRs are supported, TPR setup will be requested while attempting to execute …	Operational
272	PPAM Manifest Info.	System
273	BCD Option '.	Operational
274	Bootmgr Security Version Number check failed.	System
275	ACM InfoTable version used.	Operational
276	Windows boot manager revocation policy version %1 is applied.	Operational
277	Windows boot manager revocation policy version %1 was not found.	Operational
291	Succeeded in updating the SBAT value in FW.	Operational
292	Failed to update the SBAT value in FW.	Operational
295	Secure Boot revoked boot app %4 with SVN %1.	Operational
312	Failed to compose API Set schema extension with status.	Operational

Event ID 1 — System was booted in %1x%2@%3bpp.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic

Message

System was booted in %1x%2@%3bpp.

Fields

Name	Description
`Width`	—
`Height`	—
`BitsPerPixel`	—

Event ID 2 — BootUX screen was displayed in %1x%2@%3bpp.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic

Message

BootUX screen was displayed in %1x%2@%3bpp.

Fields

Name	Description
`Width`	—
`Height`	—
`BitsPerPixel`	—

Event ID 3 — Video bit transfer rate is %1 bytes per ms.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic

Message

Video bit transfer rate is %1 bytes per ms.

Fields

Name	Description
`BytesPerMs`	—

Event ID 4 — Boot library accessed file %2 on Device %1.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic

Message

Boot library accessed file %2 on Device %1. Read %3 bytes and wrote %4 bytes.

Fields

Name	Description
`DeviceID`	—
`FileName`	—
`BytesRead`	—
`BytesWritten`	—

Event ID 5 — File IO for boot application %1: Total Bytes Read = %2, Total Bytes Written = %3.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic

Message

File IO for boot application %1: Total Bytes Read = %2, Total Bytes Written = %3.

Fields

Name	Description
`ApplicationGuid`	—
`BytesRead`	—
`BytesWritten`	—

Event ID 6 — Image %1 failed IntegrityCheck reason is %3.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic

Message

Image %1 failed IntegrityCheck reason is %3. Image flags are %2. Error ignored due to debugger %4.

Fields

Name	Description
`ImageName`	—
`ImageFlags`	—
`Reason`	—
`ErrorIgnored`	—

Event ID 7 — Bootmgr duration is %1 milliseconds.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic

Message

Bootmgr duration is %1 milliseconds.

Fields

Name	Description
`BootmgrTime`	—

Event ID 8 — Image %1 is not self-signed.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic

Message

Image %1 is not self-signed.

Fields

Name	Description
`ImageName`	—

Event ID 9 — A device that was enumerated by the BIOS was inaccessible to the boot environment.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic

Message

A device (%1) that was enumerated by the BIOS was inaccessible to the boot environment.

Fields

Name	Description
`DriveNumber`	—

Event ID 10 — The system firmware has allocated a memory region previously determined to be unreliable.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System

Message

The system firmware has allocated a memory region previously determined to be unreliable. This has the potential to cause system instability and/or data corruption.

Fields

Name	Description
`FwStartPage`	—
`FwPageCount`	—
`FwMemoryType`	—
`FwMemoryAttributes`	—
`BlStartPage`	—
`BlPageCount`	—
`BlMemoryType`	—
`BlMemoryAttributes`	—

Event ID 11 — The time elapsed before Bootmgr, based on the TSC, is %1 ms.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic

Message

The time elapsed before Bootmgr, based on the TSC, is %1 ms.

Fields

Name	Description
`PreBootMgrTime`	—

Event ID 12 — Variable %1 requires %2 bytes and was set with status %3.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic

Message

Variable %1 requires %2 bytes and was set with status %3.

Fields

Name	Description
`UefiVariableName`	—
`Size`	—
`Status`	—

Event ID 13 — Element %2 of application %1 was not in policy.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic

Message

Element %2 of application %1 was not in policy.

Fields

Name	Description
`ApplicationGuid`	—
`Element`	—

Event ID 14 — A Secure Boot Policy update resulted in status %1.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic

Message

A Secure Boot Policy update resulted in status %1.

Fields

Name	Description
`Status`	—

Event ID 15 — A Secure Boot Revocation List update resulted in status %1.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic

Message

A Secure Boot Revocation List update resulted in status %1.

Fields

Name	Description
`Status`	—

Event ID 16 — Windows failed to resume from hibernate with error status %1.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System

Message

Windows failed to resume from hibernate with error status %1.

Fields

Name	Description
`FailureStatus`	—
`FailureMsg`	—

Event ID 17 — The boot manager multi OS selection screen was displayed.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System

Message

The boot manager multi OS selection screen was displayed.

Event ID 18 — There are %1 boot options on this system.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Level: 4
Samples: 1

Message

There are %1 boot options on this system.

Fields

Name	Description
`EntryCount`	—

Example Event

system:
  provider: Microsoft-Windows-Kernel-Boot
  guid: 15CA44FF-4D7A-4BAA-BBA5-0998955E531E
  event_source_name: ''
  event_id: 18
  version: 0
  level: 4
  task: 57
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-06T06:24:56.268682+00:00'
  event_record_id: 1632
  correlation: {}
  execution:
    process_id: 4
    thread_id: 8
  channel: System
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  EntryCount: 1
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 19 — There are %1 boot tool options on this system.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System

Message

There are %1 boot tool options on this system.

Fields

Name	Description
`ToolsCount`	—

Event ID 20 — The last shutdown's success status was %1.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Level: 4
Samples: 1

Message

The last shutdown's success status was %1. The last boot's success status was %2.

Fields

Name	Description
`LastShutdownGood`	—
`LastBootGood`	—
`LastBootId`	—
`BootStatusPolicy`	—

Example Event

system:
  provider: Microsoft-Windows-Kernel-Boot
  guid: 15CA44FF-4D7A-4BAA-BBA5-0998955E531E
  event_source_name: ''
  event_id: 20
  version: 1
  level: 4
  task: 31
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-06T06:24:56.253255+00:00'
  event_record_id: 1626
  correlation: {}
  execution:
    process_id: 4
    thread_id: 8
  channel: System
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  LastShutdownGood: true
  LastBootGood: true
  LastBootId: 10
  BootStatusPolicy: 2
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 21 — The OS loader advanced options menu was displayed and the user selected option %1.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System

Message

The OS loader advanced options menu was displayed and the user selected option %1.

Fields

Name	Description
`OptionSelected`	—

Event ID 22 — The OS loader edit options menu was displayed.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System

Message

The OS loader edit options menu was displayed.

Event ID 23 — The Windows key was pressed during boot.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System

Message

The Windows key was pressed during boot.

Event ID 24 — The F8 key was pressed during boot.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System

Message

The F8 key was pressed during boot.

Event ID 25 — The boot menu policy was %1.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Level: 4
Samples: 1

Message

The boot menu policy was %1.

Fields

Name	Description
`BootMenuPolicy`	—

Example Event

system:
  provider: Microsoft-Windows-Kernel-Boot
  guid: 15CA44FF-4D7A-4BAA-BBA5-0998955E531E
  event_source_name: ''
  event_id: 25
  version: 0
  level: 4
  task: 32
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-06T06:24:56.254354+00:00'
  event_record_id: 1630
  correlation: {}
  execution:
    process_id: 4
    thread_id: 8
  channel: System
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  BootMenuPolicy: 1
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 26 — A one-time boot sequence was used during this boot.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System

Message

A one-time boot sequence was used during this boot.

Event ID 27 — The boot type was %1.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Level: 4
Samples: 1

Message

The boot type was %1.

Fields

Name	Description
`BootType`	—
`LoadOptions`	—

Example Event

system:
  provider: Microsoft-Windows-Kernel-Boot
  guid: 15CA44FF-4D7A-4BAA-BBA5-0998955E531E
  event_source_name: ''
  event_id: 27
  version: 1
  level: 4
  task: 33
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-06T06:24:56.254562+00:00'
  event_record_id: 1631
  correlation: {}
  execution:
    process_id: 4
    thread_id: 8
  channel: System
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  BootType: 0
  LoadOptions: ' NOEXECUTE=OPTIN  HYPERVISORLAUNCHTYPE=AUTO  FVEBOOT=2670592'
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 28 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`SqmType`	—
`SqmSessionGuid`	—
`SqmID`	—
`SqmStreamRowLength`	—
`SqmStreamRow`	—

Event ID 29 — Windows failed fast startup with error status %1.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System

Message

Windows failed fast startup with error status %1.

Fields

Name	Description
`FailureStatus`	—
`FailureMsg`	—

Event ID 30 — The firmware reported boot metrics.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System

Message

The firmware reported boot metrics.

Fields

Name	Description
`ResetEndStart`	—
`LoadOSImageStart`	—
`StartOSImageStart`	—
`ExitBootServicesEntry`	—
`ExitBootServicesExit`	—

Event ID 31 — Initialization of the firmware crypto hash provider resulted in status %1.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic

Message

Initialization of the firmware crypto hash provider resulted in status %1.

Fields

Name	Description
`Status`	—

Event ID 32 — The bootmgr spent %1 ms waiting for user input.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Level: 4
Samples: 1

Message

The bootmgr spent %1 ms waiting for user input.

Fields

Name	Description
`BitlockerUserInputTime`	—

Example Event

system:
  provider: Microsoft-Windows-Kernel-Boot
  guid: 15CA44FF-4D7A-4BAA-BBA5-0998955E531E
  event_source_name: ''
  event_id: 32
  version: 0
  level: 4
  task: 58
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-06T06:24:56.273719+00:00'
  event_record_id: 1633
  correlation: {}
  execution:
    process_id: 4
    thread_id: 8
  channel: System
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  BitlockerUserInputTime: 0
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 33 — The firmware update capsule (%1) failed to load with status %2.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic

Message

The firmware update capsule (%1) failed to load with status %2.

Fields

Name	Description
`ImageName`	—
`ImageLoadStatus`	—

Event ID 34 — The PE/COFF image firmware update capsule (%1) failed to load with status %2.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic

Message

The PE/COFF image firmware update capsule (%1) failed to load with status %2.

Fields

Name	Description
`PeImageName`	—
`PeImageLoadStatus`	—

Event ID 35 — The Efi UpdateCapsule failed to apply updates with status %1.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

The Efi UpdateCapsule failed to apply updates with status %1.

Fields

Name	Description
`UpdateCapsuleStatus`	—

Event ID 36 — Firmware update supported status is %3.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic

Message

Firmware update supported status is %3. The BitLocker device flags are %1 and the PCR bitmap is %2.

Fields

Name	Description
`DeviceFlags`	—
`PcrBitmap`	—
`UpdateSupportedStatus`	—

Event ID 37 — The firmware update capsule (%1) code integrity check failed with status %2.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic

Message

The firmware update capsule (%1) code integrity check failed with status %2.

Fields

Name	Description
`ImageName`	—
`ImageLoadStatus`	—

Event ID 38 — Windows failed to load the required system file %1 with error status %2.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

Windows failed to load the required system file %1 with error status %2.

Fields

Name	Description
`ImageName`	—
`ImageLoadStatus`	—

Event ID 39 — Windows failed to load the system registry file %1 with error status %2.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

Windows failed to load the system registry file %1 with error status %2.

Fields

Name	Description
`HiveName`	—
`HiveLoadStatus`	—

Event ID 40 — Windows failed to initialize the ACPI with error status %1.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

Windows failed to initialize the ACPI with error status %1.

Fields

Name	Description
`Status`	—

Event ID 41 — Windows failed to load with error status %1.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

Windows failed to load with error status %1.

Fields

Name	Description
`Status`	—

Event ID 42 — Windows failed to load image %2 imported from %1 with error status %3.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

Windows failed to load image %2 imported from %1 with error status %3.

Fields

Name	Description
`Path`	—
`FailedPath`	—
`Status`	—

Event ID 43 — Windows failed to import %2 from image %1 with error status %3.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

Windows failed to import %2 from image %1 with error status %3.

Fields

Name	Description
`Path`	—
`Import`	—
`Status`	—

Event ID 44 — Windows failed to provision VSM Identity Key.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

Windows failed to provision VSM Identity Key. Unsealing cached copy status: %1. New key generation status: %2. Measuring to PCR status: %3. Sealing and caching status: %4.

Fields

Name	Description
`CachedCopyStatus`	—
`IdkGenerationStatus`	—
`MeasuringStatus`	—
`SealingAndCachingStatus`	—

Event ID 45 — VSM Identity Key Provisioning.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

VSM Identity Key Provisioning. Unsealing cached copy status: %1. New key generation status: %2. Measuring to PCR status: %3. Sealing and caching status: %4.

Fields

Name	Description
`CachedCopyStatus`	—
`IdkGenerationStatus`	—
`MeasuringStatus`	—
`SealingAndCachingStatus`	—

Event ID 46 — Retrieving the driver list took %1 milliseconds.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic

Message

Retrieving the driver list took %1 milliseconds.

Fields

Name	Description
`RetrieveDriverListTime`	—

Event ID 47 — Loading the drivers took %1 milliseconds.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic

Message

Loading the drivers took %1 milliseconds.

Fields

Name	Description
`LoadDriversTime`	—

Event ID 48 — Loading hive %1 took %2 milliseconds.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic

Message

Loading hive %1 took %2 milliseconds.

Fields

Name	Description
`Path`	—
`LoadHiveTime`	—

Event ID 49 — Windows system integrity policy does not allow to load the required system file %1 with error status %2.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

Windows system integrity policy does not allow to load the required system file %1 with error status %2.

Fields

Name	Description
`ImageName`	—
`SiPolicyStatus`	—

Event ID 50 — Windows failed to provision VSM Master Encryption Key.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

Windows failed to provision VSM Master Encryption Key. Using cached copy status: %1. Unsealing cached copy status: %2. New key generation status: %3. Sealing status: %4. TPM PCR mask: %5. Protector-assisted unseal status: %6. Protector-assisted re-seal status: %7. Protector update status: %8. Tpm Counter validation status: %9. Tpm Counter creation status: %10. Backup sealed blob used: %11.

Fields

Name	Description
`CachedCopyStatus`	—
`PrimaryBlobUnsealStatus`	—
`BackupBlobUnsealStatus`	—
`Pca2023ProtectorUnsealStatus`	—
`BackupBlobValidityCheckStatus`	—
`BackupBlobStillValid`	—
`Pca2023ProtectorValidityCheckStatus`	—
`Pca2023ProtectorStillValid`	—
`PrimaryBlobResealStatus`	—
`BackupBlobResealStatus`	—
`Pca2023ProtectorResealStatus`	—
`KeyGenerationAndSaveStatus`	—
`SealingStatus`	—
`TpmPcrMask`	—
`TpmCounterOpStatus`	—
`TpmCounterCreateStatus`	—
`BackupSealedBlobUsed`	—
`Pca2023ProtectorCleanupPostUpgradeStatus`	—
`NeedToRollLkey`	—
`CreationStateVerified`	—
`V2ProtectorsUsed`	—
`LegacyUefiVarQueryStatus`	—
`LegacyUefiVarCleanupStatus`	—
`VbsRollbackDataProtectionEnabled`	—
`VbsRollbackDataProtectionOptedIn`	—
`VbsRollbackDataProtectionTpmCounterStatus`	—
`FirstWriteToDisk`	—
`WritePkgToUefi`	—
`LatchedProtectorUsed`	—
`LatchTheUnlatched`	—
`UnsupportedRollback`	—
`UpgradedVbsPolicyExists`	—
`TpmCounterIncrementStatus`	—
`ActivePolicyVersion`	—
`LatchedPolicyVersion`	—
`UnlatchedPolicyVersion`	—
`LatchedPrimaryBlobResealStatusV2`	—
`LatchedBackupBlobResealStatusV2`	—
`LatchedPca2023ProtectorResealStatusV2`	—
`LatchedPca2023ProtectorCleanupPostUpgradeStatusV2`	—
`UnlatchedPrimaryBlobResealStatusV2`	—
`UnlatchedBackupBlobResealStatusV2`	—
`UnlatchedPca2023ProtectorResealStatusV2`	—
`UnlatchedPca2023ProtectorCleanupPostUpgradeStatusV2`	—

Event ID 51 — VSM Master Encryption Key Provisioning.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

VSM Master Encryption Key Provisioning. Using cached copy status: %1. Unsealing cached copy status: %2. New key generation status: %3. Sealing status: %4. TPM PCR mask: %5. Protector-assisted unseal status: %6. Protector-assisted re-seal status: %7. Protector update status: %8. Tpm Counter validation status: %9. Tpm Counter creation status: %10. Backup sealed blob used: %11.

Fields

Name	Description
`CachedCopyStatus`	—
`PrimaryBlobUnsealStatus`	—
`BackupBlobUnsealStatus`	—
`Pca2023ProtectorUnsealStatus`	—
`BackupBlobValidityCheckStatus`	—
`BackupBlobStillValid`	—
`Pca2023ProtectorValidityCheckStatus`	—
`Pca2023ProtectorStillValid`	—
`PrimaryBlobResealStatus`	—
`BackupBlobResealStatus`	—
`Pca2023ProtectorResealStatus`	—
`KeyGenerationAndSaveStatus`	—
`SealingStatus`	—
`TpmPcrMask`	—
`TpmCounterOpStatus`	—
`TpmCounterCreateStatus`	—
`BackupSealedBlobUsed`	—
`Pca2023ProtectorCleanupPostUpgradeStatus`	—
`NeedToRollLkey`	—
`CreationStateVerified`	—
`V2ProtectorsUsed`	—
`LegacyUefiVarQueryStatus`	—
`LegacyUefiVarCleanupStatus`	—
`VbsRollbackDataProtectionEnabled`	—
`VbsRollbackDataProtectionOptedIn`	—
`VbsRollbackDataProtectionTpmCounterStatus`	—
`FirstWriteToDisk`	—
`WritePkgToUefi`	—
`LatchedProtectorUsed`	—
`LatchTheUnlatched`	—
`UnsupportedRollback`	—
`UpgradedVbsPolicyExists`	—
`TpmCounterIncrementStatus`	—
`ActivePolicyVersion`	—
`LatchedPolicyVersion`	—
`UnlatchedPolicyVersion`	—
`LatchedPrimaryBlobResealStatusV2`	—
`LatchedBackupBlobResealStatusV2`	—
`LatchedPca2023ProtectorResealStatusV2`	—
`LatchedPca2023ProtectorCleanupPostUpgradeStatusV2`	—
`UnlatchedPrimaryBlobResealStatusV2`	—
`UnlatchedBackupBlobResealStatusV2`	—
`UnlatchedPca2023ProtectorResealStatusV2`	—
`UnlatchedPca2023ProtectorCleanupPostUpgradeStatusV2`	—

Event ID 52 — The time elapsed loading %1 was %2 ms.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic

Message

The time elapsed loading %1 was %2 ms.

Fields

Name	Description
`ApplicationIdentifier`	—
`ApplicationLoadTime`	—

Event ID 53 — The time elapsed executing %1 was %2 ms.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic

Message

The time elapsed executing %1 was %2 ms.

Fields

Name	Description
`ApplicationIdentifier`	—
`ApplicationExecutionTime`	—

Event ID 54 — Building chunk table for WIM compressed file %2 failed with status: %1.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic

Message

Building chunk table for WIM compressed file %2 failed with status: %1

Fields

Name	Description
`Status`	—
`FileName`	—

Event ID 55 — Soft Restart failed to prepare target Operating System.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic

Message

Soft Restart failed to prepare target Operating System. Operation status: %1 failure point: %2

Fields

Name	Description
`Status`	—
`FailurePoint`	—

Event ID 56 — Boot application failed to process persistent data with status.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic

Message

Boot application failed to process persistent data with status: %1

Fields

Name	Description
`Status`	—

Event ID 57 — Windows failed to provision the TPM Storage Root Key with error status.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

Windows failed to provision the TPM Storage Root Key with error status:%1. Reading SrkPolicy status: %2. SrkSymKeyPolicy value: %3. TPM symmetric key capability: %4. AES bits used: %5. SrkAsymKeyPolicy value: %6. TPM asymmetric key capability: %7. Rsa bits used: %8.

Fields

Name	Description
`TpmSrkProvisioningStatus`	—
`TpmSrkPolicyReadStatus`	—
`TpmSrkSymKeyPolicyValue`	—
`TpmSrkSymKeyCapability`	—
`TpmSrkAesBitsUsed`	—
`TpmSrkAsymKeyPolicyValue`	—
`TpmSrkAsymKeyCapability`	—
`TpmSrkRsaBitsUsed`	—

Event ID 58 — Windows successfully provisioned the TPM Storage Root Key.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

Windows successfully provisioned the TPM Storage Root Key. This operation took %1 milliseconds. Reading SrkPolicy status: %2. SrkSymKeyPolicy value: %3. TPM symmetric key capability: %4. AES bits used: %5. SrkAsymKeyPolicy value: %6. TPM asymmetric key capability: %7. Rsa bits used: %8.

Fields

Name	Description
`SrkSymKeyPolicy_value`	1 milliseconds. Reading SrkPolicy status.
`TPM_symmetric_key_capability`	—
`AES_bits_used`	—
`SrkAsymKeyPolicy_value`	—
`TPM_asymmetric_key_capability`	—
`Rsa_bits_used`	—
`TpmSrkProvisioningTime`	—
`TpmSrkPolicyReadStatus`	—
`TpmSrkSymKeyPolicyValue`	—
`TpmSrkSymKeyCapability`	—
`TpmSrkAesBitsUsed`	—
`TpmSrkAsymKeyPolicyValue`	—
`TpmSrkAsymKeyCapability`	—
`TpmSrkRsaBitsUsed`	—

Event ID 59 — Windows failed to provision TPM binding information with error status.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

Windows failed to provision TPM binding information with error status:%1.

Fields

Name	Description
`TpmBindingProvisioningStatus`	—

Event ID 60 — NFIT ACPI table is not properly formed, and could not be parsed.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

NFIT ACPI table is not properly formed, and could not be parsed.

Event ID 61 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic

Fields

Name	Description
`PmrLowBase`	—
`PmrLowSize`	—
`PmrHighBase`	—
`PmrHighSize`	—
`FirmwareProvidedAcm`	—

Event ID 62 — Previous error detected while attempting to execute Measured Launch Environment.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

Previous error detected while attempting to execute Measured Launch Environment. TXT error code: %1.

Fields

Name	Description
`TxtErrorCode`	—

Event ID 63 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic

Fields

Name	Description
`Base`	—
`Size`	—

Event ID 64 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic

Fields

Name	Description
`Base`	—
`Size`	—

Event ID 65 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic

Fields

Name	Description
`Status`	—

Event ID 66 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic

Fields

Name	Description
`Status`	—

Event ID 67 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic

Fields

Name	Description
`Status`	—

Event ID 68 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic

Fields

Name	Description
`BiosDataSize`	—

Event ID 69 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic

Fields

Name	Description
`AcmMinMleHeaderVer`	—
`MleHeaderVersion`	—

Event ID 70 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic

Fields

Name	Description
`Status`	—

Event ID 71 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`DeviceID`	—
`FileName`	—
`Status`	—

Event ID 72 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic

Fields

Name	Description
`Status`	—

Event ID 73 — Firmware provided SINIT ACM not used.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

Firmware provided SINIT ACM not used. %1

Fields

Name	Description
`TxtStatus`	—

Event ID 74 — Windows failed to provision DRTM-bound VSM Master Encryption Key.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

Windows failed to provision DRTM-bound VSM Master Encryption Key . Using cached copy status: %1. New key generation status: %2. Sealing status: %3. UEFI keys provided to Secure Kernel status: %4.

Fields

Name	Description
`CachedCopyStatus`	—
`KeyGenerationStatus`	—
`SealAndSaveStatus`	—
`UEFIKeysStatus`	—
`UnLatchedCiPolicyVersion`	—
`LatchedCiPolicyVersion`	—
`LatchedAntiRollbackCounterValue`	—
`CurrentCiPolicyVersion`	—
`CurrentAntiRollbackCounterValue`	—
`MinimumUnsealCiPolicyVersion`	—
`AuthorizationIsDelegated`	—

Event ID 75 — Windows successfully provisioned DRTM-bound VSM Master Encryption Key.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

Windows successfully provisioned DRTM-bound VSM Master Encryption Key. Using cached copy status: %1. New key generation status: %2. Sealing status: %3. UEFI keys provided to Secure Kernel status: %4.

Fields

Name	Description
`CachedCopyStatus`	—
`KeyGenerationStatus`	—
`SealAndSaveStatus`	—
`UEFIKeysStatus`	—
`UnLatchedCiPolicyVersion`	—
`LatchedCiPolicyVersion`	—
`LatchedAntiRollbackCounterValue`	—
`CurrentCiPolicyVersion`	—
`CurrentAntiRollbackCounterValue`	—
`MinimumUnsealCiPolicyVersion`	—
`AuthorizationIsDelegated`	—

Event ID 76 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Event ID 77 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`DebuggerStatus`	—
`Status`	—

Event ID 78 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`DebuggerStatus`	—
`Status`	—

Event ID 79 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Event ID 80 — FASR Platform Verification.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

FASR Platform Verification. FASR cert present: %1. FASR cert signature validation status: %2. BootmgrAuthorityEventCount: %3. VerifiedMicrosoftAuthority: %4. FASR PCR values validation status: %5. PCR mismatch index: %6. FASR cert size: %7. FASR cert: %8. FASR signature size: %9. FASR signature: %10.

Fields

Name	Description
`IsFasrCertPresent`	—
`ValidateFasrCertSignatureStatus`	—
`BootmgrAuthorityEventCount`	—
`VerifiedMicrosoftAuthority`	—
`ValidateFasrPcrValuesStatus`	—
`PcrMismatchIndex`	—
`FasrCertSize`	—
`FasrCertWithoutSignature`	—
`FasrSignatureSize`	—
`FasrSignature`	—

Event ID 81 — Windows skipped provisioning the TPM Storage Root Key because the NoAutoProvision registry value was set.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

Windows skipped provisioning the TPM Storage Root Key because the NoAutoProvision registry value was set.

Event ID 82 — Trace point: Function:%1 Point:%2 Status:%3.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

Trace point: Function:%1 Point:%2 Status:%3

Fields

Name	Description
`Function`	—
`Point`	—
`NTStatus`	—

Event ID 83 — VSM Master Key Array Package Read and Unseal From Disk Status: %1 OsDeviceId: %2 SystemRoot: %3 VsmLKeyRelPath: %4 LatchedUnsealPolicyRelPath: %5 U...

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

VSM Master Key Array Package Read and Unseal From Disk

Status: %1
OsDeviceId: %2
SystemRoot: %3
VsmLKeyRelPath: %4
LatchedUnsealPolicyRelPath: %5
UnlatchedUnsealPolicyRelPath: %6
LatchedPrimaryProtectorVariableName: %7
LatchedSecondaryProtectorVariableName: %8
UnlatchedPrimaryProtectorVariableName: %9
UnlatchedSecondaryProtectorVariableName: %10
LatchedProtectorUsedLocal: %11
LatchTheUnlatchedLocal: %12
UnsupportedRollbackLocal: %13
UpgradedAntirollbackPolicyExistsLocal: %14
PkgWasCorruptOrUnavailableLocal: %15
CreationStateVerifiedLocal: %16
PrimaryProtectorTargetPcrSealMaskLocal: %17
LatchedProtectorExists: %18
UnlatchedProtectorExists: %19
KeyPkgIdTpmCounterValue: %20
ActivePolicyVersion: %21
UseUnlatchedProtector: %22
NeedToResealPrimaryProtector: %23
NeedToResealSecondaryProtector: %24
NeedToResealPca2023Protector: %25

Substatus

PrimaryBlobUnsealStatus: %26
BackupBlobUnsealStatus: %27
Pca2023ProtectorUnsealStatus: %28
BackupBlobValidityCheckStatus: %29
BackupBlobStillValid: %30
Pca2023ProtectorValidityCheckStatus: %31
Pca2023ProtectorStillValid: %32
PrimaryBlobResealStatus: %33
BackupBlobResealStatus: %34
Pca2023ProtectorResealStatus: %35
V2ProtectorsUsed: %36
LegacyUefiVarQueryStatus: %37
LegacyUefiVarCleanupStatus: %38
ActivePolicyVersion: %39
LatchedPolicyVersion: %40
UnlatchedPolicyVersion: %41
LatchedUnsealPolicyValid: %42

Latched unseal policy

Version: %43
VarDataOffset: %44
StructureSize: %45
PolicyVersion: %46
PolicyHashLength: %47
WinloadSVN: %48
WinresumeSVN: %49
BootmgrSVN: %50
LKeyPkgId: %51
UnlatchedUnsealPolicyValid: %52

Unlatched unseal policy

Version: %53
VarDataOffset: %54
StructureSize: %55
PolicyVersion: %56
PolicyHashLength: %57
WinloadSVN: %58
WinresumeSVN: %59
BootmgrSVN: %60
LKeyPkgId: %61

Fields

Name	Description
`Status`	—
`OsDeviceId`	—
`SystemRoot`	—
`VsmLKeyRelPath`	—
`LatchedUnsealPolicyRelPath`	—
`UnlatchedUnsealPolicyRelPath`	—
`LatchedPrimaryProtectorVariableName`	—
`LatchedSecondaryProtectorVariableName`	—
`UnlatchedPrimaryProtectorVariableName`	—
`UnlatchedSecondaryProtectorVariableName`	—
`LatchedProtectorUsedLocal`	—
`LatchTheUnlatchedLocal`	—
`UnsupportedRollbackLocal`	—
`UpgradedAntirollbackPolicyExistsLocal`	—
`PkgWasCorruptOrUnavailableLocal`	—
`CreationStateVerifiedLocal`	—
`PrimaryProtectorTargetPcrSealMaskLocal`	—
`LatchedProtectorExists`	—
`UnlatchedProtectorExists`	—
`KeyPkgIdTpmCounterValue`	—
`ActivePolicyVersion`	—
`UseUnlatchedProtector`	—
`NeedToResealPrimaryProtector`	—
`NeedToResealSecondaryProtector`	—
`NeedToResealPca2023Protector`	—
`pSubStatusPrimaryBlobUnsealStatus`	—
`pSubStatusBackupBlobUnsealStatus`	—
`pSubStatusPca2023ProtectorUnsealStatus`	—
`pSubStatusBackupBlobValidityCheckStatus`	—
`pSubStatusBackupBlobStillValid`	—
`pSubStatusPca2023ProtectorValidityCheckStatus`	—
`pSubStatusPca2023ProtectorStillValid`	—
`pSubStatusPrimaryBlobResealStatus`	—
`pSubStatusBackupBlobResealStatus`	—
`pSubStatusPca2023ProtectorResealStatus`	—
`pSubStatusV2ProtectorsUsed`	—
`pSubStatusLegacyUefiVarQueryStatus`	—
`pSubStatusLegacyUefiVarCleanupStatus`	—
`pSubStatusActivePolicyVersion`	—
`pSubStatusLatchedPolicyVersion`	—
`pSubStatusUnlatchedPolicyVersion`	—
`LatchedUnsealPolicyValid`	—
`LatchedUnsealPolicyVersion`	—
`LatchedUnsealPolicyVarDataOffset`	—
`LatchedUnsealPolicyStructureSize`	—
`LatchedUnsealPolicyPolicyVersion`	—
`LatchedUnsealPolicyPolicyHashLength`	—
`LatchedUnsealPolicyWinloadSVN`	—
`LatchedUnsealPolicyWinresumeSVN`	—
`LatchedUnsealPolicyBootmgrSVN`	—
`LatchedUnsealPolicyLKeyPkgId`	—
`UnlatchedUnsealPolicyValid`	—
`UnlatchedUnsealPolicyVersion`	—
`UnlatchedUnsealPolicyVarDataOffset`	—
`UnlatchedUnsealPolicyStructureSize`	—
`UnlatchedUnsealPolicyPolicyVersion`	—
`UnlatchedUnsealPolicyPolicyHashLength`	—
`UnlatchedUnsealPolicyWinloadSVN`	—
`UnlatchedUnsealPolicyWinresumeSVN`	—
`UnlatchedUnsealPolicyBootmgrSVN`	—
`UnlatchedUnsealPolicyLKeyPkgId`	—

Event ID 84 — Seal and Store on Disk Status Status: %1 OsDeviceId: %2 SystemRoot: %3 PcrSealMask: %4 LatchTheUnlatched: %5 UpgradedAntirollbackPolicyExists: %6 E...

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

Seal and Store on Disk Status

Status: %1
OsDeviceId: %2
SystemRoot: %3
PcrSealMask: %4
LatchTheUnlatched: %5
UpgradedAntirollbackPolicyExists: %6
EncryptionStatus: %7
KeyPkgIdTpmCounterValue: %8
EncryptedLKeyArrayPkgSize: %9
EncryptedLKeyPkgPdGuid: %10
UnlatchedUnsealPolicySize: %11
UnlatchedProtectorExists: %12
LatchedUnsealPolicySize: %13
LatchedProtectorExists: %14

Latched unseal policy

Version: %15
VarDataOffset: %16
StructureSize: %17
PolicyVersion: %18
PolicyHashLength: %19
WinloadSVN: %20
WinresumeSVN: %21
BootmgrSVN: %22
LKeyPkgId: %23

Unlatched unseal policy

Version: %24
VarDataOffset: %25
StructureSize: %26
PolicyVersion: %27
PolicyHashLength: %28
WinloadSVN: %29
WinresumeSVN: %30
BootmgrSVN: %31
LKeyPkgId: %32

Fields

Name	Description
`Status`	—
`OsDeviceId`	—
`SystemRoot`	—
`PcrSealMask`	—
`LatchTheUnlatched`	—
`UpgradedAntirollbackPolicyExists`	—
`EncryptionStatus`	—
`KeyPkgIdTpmCounterValue`	—
`EncryptedLKeyArrayPkgSize`	—
`EncryptedLKeyPkgPdGuid`	—
`UnlatchedUnsealPolicySize`	—
`UnlatchedProtectorExists`	—
`LatchedUnsealPolicySize`	—
`LatchedProtectorExists`	—
`LatchedUnsealPolicyVersion`	—
`LatchedUnsealPolicyVarDataOffset`	—
`LatchedUnsealPolicyStructureSize`	—
`LatchedUnsealPolicyPolicyVersion`	—
`LatchedUnsealPolicyPolicyHashLength`	—
`LatchedUnsealPolicyWinloadSVN`	—
`LatchedUnsealPolicyWinresumeSVN`	—
`LatchedUnsealPolicyBootmgrSVN`	—
`LatchedUnsealPolicyLKeyPkgId`	—
`UnlatchedUnsealPolicyVersion`	—
`UnlatchedUnsealPolicyVarDataOffset`	—
`UnlatchedUnsealPolicyStructureSize`	—
`UnlatchedUnsealPolicyPolicyVersion`	—
`UnlatchedUnsealPolicyPolicyHashLength`	—
`UnlatchedUnsealPolicyWinloadSVN`	—
`UnlatchedUnsealPolicyWinresumeSVN`	—
`UnlatchedUnsealPolicyBootmgrSVN`	—
`UnlatchedUnsealPolicyLKeyPkgId`	—

Event ID 85 — Read and Unseal Master Key Array Package Status Status: %1 PrimarySealedBlobName: %2 SecondaryProtectorVariableName: %3 BlobFromUefiVariableSize: %...

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

Read and Unseal Master Key Array Package Status

Status: %1
PrimarySealedBlobName: %2
SecondaryProtectorVariableName: %3
BlobFromUefiVariableSize: %4
UefiContentIsSealed: %5
UnsealedBlobSize: %6
Pcr7SealingUsed: %7
PkgTpmSealMaskLocal: %8
PkgTpmCreationMaskLocal: %9
NeedToResealKeyPkg: %10
NeedToResealBackup: %11
NeedToResealPca2023Backup: %12
PlaintextBlobSize: %13
PlaintextIsLegacyFormat: %14
UefiBlobIsCorrupt: %15
NewKeyID: %16
VerifiedMicrosoftAuthority: %17
ContainsAuthorityData: %18
BootmgrAuthorityEventCount: %19
Authority: %20

Substatus

PrimaryBlobUnsealStatus: %21
BackupBlobUnsealStatus: %22
Pca2023ProtectorUnsealStatus: %23
BackupBlobValidityCheckStatus: %24
BackupBlobStillValid: %25
Pca2023ProtectorValidityCheckStatus: %26
Pca2023ProtectorStillValid: %27
PrimaryBlobResealStatus: %28
BackupBlobResealStatus: %29
Pca2023ProtectorResealStatus: %30
V2ProtectorsUsed: %31
LegacyUefiVarQueryStatus: %32
LegacyUefiVarCleanupStatus: %33
ActivePolicyVersion: %34
LatchedPolicyVersion: %35
UnlatchedPolicyVersion: %36

Fields

Name	Description
`Status`	—
`PrimarySealedBlobName`	—
`SecondaryProtectorVariableName`	—
`BlobFromUefiVariableSize`	—
`UefiContentIsSealed`	—
`UnsealedBlobSize`	—
`Pcr7SealingUsed`	—
`PkgTpmSealMaskLocal`	—
`PkgTpmCreationMaskLocal`	—
`NeedToResealKeyPkg`	—
`NeedToResealBackup`	—
`NeedToResealPca2023Protector`	—
`PlaintextBlobSize`	—
`PlaintextIsLegacyFormat`	—
`UefiBlobIsCorrupt`	—
`NewKeyID`	—
`VerifiedMicrosoftAuthority`	—
`ContainsAuthorityData`	—
`BootmgrAuthorityEventCount`	—
`Authority`	—
`pSubStatusPrimaryBlobUnsealStatus`	—
`pSubStatusBackupBlobUnsealStatus`	—
`pSubStatusPca2023ProtectorUnsealStatus`	—
`pSubStatusBackupBlobValidityCheckStatus`	—
`pSubStatusBackupBlobStillValid`	—
`pSubStatusPca2023ProtectorValidityCheckStatus`	—
`pSubStatusPca2023ProtectorStillValid`	—
`pSubStatusPrimaryBlobResealStatus`	—
`pSubStatusBackupBlobResealStatus`	—
`pSubStatusPca2023ProtectorResealStatus`	—
`pSubStatusV2ProtectorsUsed`	—
`pSubStatusLegacyUefiVarQueryStatus`	—
`pSubStatusLegacyUefiVarCleanupStatus`	—
`pSubStatusActivePolicyVersion`	—
`pSubStatusLatchedPolicyVersion`	—
`pSubStatusUnlatchedPolicyVersion`	—

Event ID 86 — Get Plaintext Master Key Array Status Status: %1 SecondaryProtectorVariableName: %2 NeedToResealPrimaryProtector: %3 NeedToResealSecondaryProtector...

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

Get Plaintext Master Key Array Status

Status: %1
SecondaryProtectorVariableName: %2
NeedToResealPrimaryProtector: %3
NeedToResealSecondaryProtector: %4
NeedToResealPca2023Protector: %5
SealedBackupEncryptionKeySize: %6
SealedPca2023EncryptionKeySize: %7
UefiBlobIsCorrupt: %8
Pcr7SealingUsed: %9
CreationStateVerifiedLocal: %10
VerifiedMicrosoftAuthority: %11
ContainsAuthorityData: %12
BootmgrAuthorityEventCount: %13
PrimaryProtectorTargetPcrSealMaskLocal: %14
Authority: %15

Substatus

PrimaryBlobUnsealStatus: %16
BackupBlobUnsealStatus: %17
Pca2023ProtectorUnsealStatus: %18
BackupBlobValidityCheckStatus: %19
BackupBlobStillValid: %20
Pca2023ProtectorValidityCheckStatus: %21
Pca2023ProtectorStillValid: %22
PrimaryBlobResealStatus: %23
BackupBlobResealStatus: %24
Pca2023ProtectorResealStatus: %25
V2ProtectorsUsed: %26
LegacyUefiVarQueryStatus: %27
LegacyUefiVarCleanupStatus: %28
ActivePolicyVersion: %29
LatchedPolicyVersion: %30
UnlatchedPolicyVersion: %31

Validated Unseal Policy

Version: %32
VarDataOffset: %33
StructureSize: %34
PolicyVersion: %35
PolicyHashLength: %36
WinloadSVN: %37
WinresumeSVN: %38
BootmgrSVN: %39
LKeyPkgId: %40

Fields

Name	Description
`Status`	—
`SecondaryProtectorVariableName`	—
`NeedToResealPrimaryProtector`	—
`NeedToResealSecondaryProtector`	—
`NeedToResealPca2023Protector`	—
`SealedBackupEncryptionKeySize`	—
`SealedPca2023EncryptionKeySize`	—
`UefiBlobIsCorrupt`	—
`Pcr7SealingUsed`	—
`CreationStateVerifiedLocal`	—
`VerifiedMicrosoftAuthority`	—
`ContainsAuthorityData`	—
`BootmgrAuthorityEventCount`	—
`PrimaryProtectorTargetPcrSealMaskLocal`	—
`Authority`	—
`pSubStatusPrimaryBlobUnsealStatus`	—
`pSubStatusBackupBlobUnsealStatus`	—
`pSubStatusPca2023ProtectorUnsealStatus`	—
`pSubStatusBackupBlobValidityCheckStatus`	—
`pSubStatusBackupBlobStillValid`	—
`pSubStatusPca2023ProtectorValidityCheckStatus`	—
`pSubStatusPca2023ProtectorStillValid`	—
`pSubStatusPrimaryBlobResealStatus`	—
`pSubStatusBackupBlobResealStatus`	—
`pSubStatusPca2023ProtectorResealStatus`	—
`pSubStatusV2ProtectorsUsed`	—
`pSubStatusLegacyUefiVarQueryStatus`	—
`pSubStatusLegacyUefiVarCleanupStatus`	—
`pSubStatusActivePolicyVersion`	—
`pSubStatusLatchedPolicyVersion`	—
`pSubStatusUnlatchedPolicyVersion`	—
`ValidatedUnsealPolicyVersion`	—
`ValidatedUnsealPolicyVarDataOffset`	—
`ValidatedUnsealPolicyStructureSize`	—
`ValidatedUnsealPolicyPolicyVersion`	—
`ValidatedUnsealPolicyPolicyHashLength`	—
`ValidatedUnsealPolicyWinloadSVN`	—
`ValidatedUnsealPolicyWinresumeSVN`	—
`ValidatedUnsealPolicyBootmgrSVN`	—
`ValidatedUnsealPolicyLKeyPkgId`	—

Event ID 87 — Read and Unseal Master Key Array Package error LegacyMainBlobVariableName: %1 LegacySecondaryProtectorVariableName: %2 PkgWasCorruptOrUnavailableLo...

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

Read and Unseal Master Key Array Package error

LegacyMainBlobVariableName: %1
LegacySecondaryProtectorVariableName: %2
PkgWasCorruptOrUnavailableLocal: %3
KeysAreLegacyLocal: %4
CreationStateVerifiedLocal: %5
PrimaryProtectorTargetPcrSealMaskLocal: %6

Substatus

PrimaryBlobUnsealStatus: %7
BackupBlobUnsealStatus: %8
Pca2023ProtectorUnsealStatus: %9
BackupBlobValidityCheckStatus: %10
BackupBlobStillValid: %11
Pca2023ProtectorValidityCheckStatus: %12
Pca2023ProtectorStillValid: %13
PrimaryBlobResealStatus: %14
BackupBlobResealStatus: %15
Pca2023ProtectorResealStatus: %16
V2ProtectorsUsed: %17
LegacyUefiVarQueryStatus: %18
LegacyUefiVarCleanupStatus: %19
ActivePolicyVersion: %20
LatchedPolicyVersion: %21
UnlatchedPolicyVersion: %22

Fields

Name	Description
`LegacyMainBlobVariableName`	—
`LegacySecondaryProtectorVariableName`	—
`PkgWasCorruptOrUnavailableLocal`	—
`KeysAreLegacyLocal`	—
`CreationStateVerifiedLocal`	—
`PrimaryProtectorTargetPcrSealMaskLocal`	—
`pSubStatusPrimaryBlobUnsealStatus`	—
`pSubStatusBackupBlobUnsealStatus`	—
`pSubStatusPca2023ProtectorUnsealStatus`	—
`pSubStatusBackupBlobValidityCheckStatus`	—
`pSubStatusBackupBlobStillValid`	—
`pSubStatusPca2023ProtectorValidityCheckStatus`	—
`pSubStatusPca2023ProtectorStillValid`	—
`pSubStatusPrimaryBlobResealStatus`	—
`pSubStatusBackupBlobResealStatus`	—
`pSubStatusPca2023ProtectorResealStatus`	—
`pSubStatusV2ProtectorsUsed`	—
`pSubStatusLegacyUefiVarQueryStatus`	—
`pSubStatusLegacyUefiVarCleanupStatus`	—
`pSubStatusActivePolicyVersion`	—
`pSubStatusLatchedPolicyVersion`	—
`pSubStatusUnlatchedPolicyVersion`	—

Event ID 88 — Read and Unseal Master Key Array Package Status Status: %1 OsDeviceId: %2 OsDataDeviceId: %3 SystemRoot: %4 VsmLKeyRelPath: %5 LatchedUnsealPolicyR...

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

Read and Unseal Master Key Array Package Status

Status: %1
OsDeviceId: %2
OsDataDeviceId: %3
SystemRoot: %4
VsmLKeyRelPath: %5
LatchedUnsealPolicyRelPath: %6
UnlatchedUnsealPolicyRelPath: %7
LatchedPrimaryProtectorVariableName: %8
LatchedSecondaryProtectorVariableName: %9
UnlatchedPrimaryProtectorVariableName: %10
UnlatchedSecondaryProtectorVariableName: %11
LegacyMainBlobVariableName: %12
LegacySecondaryProtectorVariableName: %13
LatchedProtectorUsedLocal: %14
LatchTheUnlatchedLocal: %15
UnsupportedRollbackLocal: %16
UpgradedAntirollbackPolicyExistsLocal: %17
FirstWriteToDiskLocal: %18
WritePkgToUefiLocal: %19
PkgWasCorruptOrUnavailableLocal: %20
KeysAreLegacyLocal: %21
CreationStateVerifiedLocal: %22
PrimaryProtectorTargetPcrSealMaskLocal: %23

Substatus

PrimaryBlobUnsealStatus: %24
BackupBlobUnsealStatus: %25
Pca2023ProtectorUnsealStatus: %26
BackupBlobValidityCheckStatus: %27
BackupBlobStillValid: %28
Pca2023ProtectorValidityCheckStatus: %29
Pca2023ProtectorStillValid: %30
PrimaryBlobResealStatus: %31
BackupBlobResealStatus: %32
Pca2023ProtectorResealStatus: %33
V2ProtectorsUsed: %34
LegacyUefiVarQueryStatus: %35
LegacyUefiVarCleanupStatus: %36
ActivePolicyVersion: %37
LatchedPolicyVersion: %38
UnlatchedPolicyVersion: %39

Fields

Name	Description
`Status`	—
`OsDeviceId`	—
`OsDataDeviceId`	—
`SystemRoot`	—
`VsmLKeyRelPath`	—
`LatchedUnsealPolicyRelPath`	—
`UnlatchedUnsealPolicyRelPath`	—
`LatchedPrimaryProtectorVariableName`	—
`LatchedSecondaryProtectorVariableName`	—
`UnlatchedPrimaryProtectorVariableName`	—
`UnlatchedSecondaryProtectorVariableName`	—
`LegacyMainBlobVariableName`	—
`LegacySecondaryProtectorVariableName`	—
`LatchedProtectorUsedLocal`	—
`LatchTheUnlatchedLocal`	—
`UnsupportedRollbackLocal`	—
`UpgradedAntirollbackPolicyExistsLocal`	—
`FirstWriteToDiskLocal`	—
`WritePkgToUefiLocal`	—
`PkgWasCorruptOrUnavailableLocal`	—
`KeysAreLegacyLocal`	—
`CreationStateVerifiedLocal`	—
`PrimaryProtectorTargetPcrSealMaskLocal`	—
`pSubStatusPrimaryBlobUnsealStatus`	—
`pSubStatusBackupBlobUnsealStatus`	—
`pSubStatusPca2023ProtectorUnsealStatus`	—
`pSubStatusBackupBlobValidityCheckStatus`	—
`pSubStatusBackupBlobStillValid`	—
`pSubStatusPca2023ProtectorValidityCheckStatus`	—
`pSubStatusPca2023ProtectorStillValid`	—
`pSubStatusPrimaryBlobResealStatus`	—
`pSubStatusBackupBlobResealStatus`	—
`pSubStatusPca2023ProtectorResealStatus`	—
`pSubStatusV2ProtectorsUsed`	—
`pSubStatusLegacyUefiVarQueryStatus`	—
`pSubStatusLegacyUefiVarCleanupStatus`	—
`pSubStatusActivePolicyVersion`	—
`pSubStatusLatchedPolicyVersion`	—
`pSubStatusUnlatchedPolicyVersion`	—

Event ID 89 — Create Sealed Encrypt Key Status Status: %1 PcrMask: %2 UnsealPolicyPdGuid: %3 SealingProtectorFixedBufferSize: %4 SealingProtectorUsedBufferSize: ...

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

Create Sealed Encrypt Key Status

Status: %1
PcrMask: %2
UnsealPolicyPdGuid: %3
SealingProtectorFixedBufferSize: %4
SealingProtectorUsedBufferSize: %5
SealedSecretBufferSize: %6
PcrInfoArrayElCount: %7

Unseal policy

Version: %8
VarDataOffset: %9
StructureSize: %10
PolicyVersion: %11
PolicyHashLength: %12
WinloadSVN: %13
WinresumeSVN: %14
BootmgrSVN: %15
LKeyPkgId: %16

Fields

Name	Description
`Status`	—
`PcrMask`	—
`UnsealPolicyPdGuid`	—
`SealingProtectorFixedBufferSize`	—
`SealingProtectorUsedBufferSize`	—
`SealedSecretBufferSize`	—
`PcrInfoArrayElCount`	—
`UnsealPolicyVersion`	—
`UnsealPolicyVarDataOffset`	—
`UnsealPolicyStructureSize`	—
`UnsealPolicyPolicyVersion`	—
`UnsealPolicyPolicyHashLength`	—
`UnsealPolicyWinloadSVN`	—
`UnsealPolicyWinresumeSVN`	—
`UnsealPolicyBootmgrSVN`	—
`UnsealPolicyLKeyPkgId`	—

Event ID 90 — Get Sealed Protector Status Status: %1 ProtectorName: %2 SealedEncryptionKeySize: %3 ProtectorBlobFromUefiVariableSize: %4.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

Get Sealed Protector Status

Status: %1
ProtectorName: %2
SealedEncryptionKeySize: %3
ProtectorBlobFromUefiVariableSize: %4

Fields

Name	Description
`Status`	—
`ProtectorName`	—
`SealedEncryptionKeySize`	—
`ProtectorBlobFromUefiVariableSize`	—

Event ID 91 — SRTM PCR Values algId: %1 digestLength:%2 PcrIndex: %3 PcrValue: %4.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

SRTM PCR Values

algId: %1
digestLength:%2
PcrIndex: %3
PcrValue: %4

Fields

Name	Description
`algID`	—
`digestLength`	—
`PcrIndex`	—
`PcrValue`	—

Event ID 92 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`RangeAltitude`	—
`RangeEndpoint`	—
`Address`	—
`AlignedAddress`	—
`OverlappedMemoryType`	—

Event ID 100 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`Secure`	—

Event ID 101 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`Status`	—

Event ID 102 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`SoftRestartCount`	—
`Secure`	—

Event ID 103 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`Status`	—

Event ID 104 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`ReserveDescriptors`	—

Event ID 105 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`Status`	—

Event ID 106 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`ApplicationId`	—
`RunCount`	—
`PageCount`	—

Event ID 107 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`Status`	—
`BlockId`	—

Event ID 108 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`Status`	—

Event ID 109 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`FreePersistentPages`	—

Event ID 110 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`Status`	—

Event ID 111 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`ApplicationId`	—
`FreePersistentPages`	—

Event ID 112 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`Status`	—

Event ID 113 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`ApplicationId`	—
`BlockId`	—
`Flags`	—

Event ID 114 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`Status`	—
`RunsClaimed`	—
`PageCount`	—

Event ID 115 — Soft reboot cancellation started.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System

Message

Soft reboot cancellation started: %1

Fields

Name	Description
`Soft_reboot_cancellation_started`	—
`FreePersistentPages`	—

Event ID 116 — Soft reboot cancellation finished.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System

Message

Soft reboot cancellation finished: %1.

Fields

Name	Description
`Soft_reboot_cancellation_finished`	—
`Status`	—

Event ID 117 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Event ID 118 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`Status`	—

Event ID 119 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`ApplicationId`	—
`BlockId`	—

Event ID 120 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Event ID 121 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`Status`	—

Event ID 122 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`Type`	—
`Flags`	—
`BufferSize`	—

Event ID 123 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`Status`	—
`DataSize`	—
`BufferSize`	—

Event ID 124 — The virtualization-based security enablement policy check at phase %1 failed with status: %2.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Level: 2
Samples: 1

Message

The virtualization-based security enablement policy check at phase %1 failed with status: %2

Fields

Name	Description
`Phase`	—
`Status`	1 failed with status.

Example Event

system:
  provider: Microsoft-Windows-Kernel-Boot
  guid: 15CA44FF-4D7A-4BAA-BBA5-0998955E531E
  event_source_name: ''
  event_id: 124
  version: 0
  level: 2
  task: 80
  opcode: 0
  keywords: 9223451201691975680
  time_created: '2023-11-06T06:24:56.254312+00:00'
  event_record_id: 1629
  correlation: {}
  execution:
    process_id: 4
    thread_id: 8
  channel: System
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  Phase: 0
  Status: 3221225659
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 126 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`LowAddress`	—
`HighAddress`	—
`SkipBytes`	—
`TotalBytes`	—
`CacheType`	—
`Flags`	—

Event ID 127 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`Mdl`	—

Event ID 128 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`StartTime`	—

Event ID 129 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Event ID 130 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`SequenceNumber`	—
`DescriptorCount`	—
`MemoryDescriptor`	—

Event ID 131 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Event ID 132 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`DescriptorCount`	—

Event ID 133 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`Status`	—
`PageCount`	—
`MemoryType`	—
`Attributes`	—
`LowAddress`	—
`HighAddress`	—
`Alignment`	—
`ProximityId`	—

Event ID 134 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Event ID 135 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Event ID 136 — Soft Restart failed to complete with status: %1 due to %2 outstanding unclaimed allocations.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

Soft Restart failed to complete with status: %1 due to %2 outstanding unclaimed allocations

Fields

Name	Description
`Status`	—
`OutstandingCount`	—
`ApplicationsCount`	—
`AppId`	—

Event ID 137 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`Identifier`	—
`PartitionId`	—

Event ID 138 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`Identifier`	—
`Status`	—
`NameLength`	—
`PartitoinName`	—
`MemoryRangeCount`	—
`MemorPageCount`	—
`IoSpaceRangeCount`	—
`IoSpacePageCount`	—
`AllocatedMemoryBlockCount`	—
`AllocatedMemoryRunCount`	—
`AllocatedMemoryPageCount`	—
`AllocatedIoSpaceBlockCount`	—
`AllocatedIoSpaceRunCount`	—
`AllocatedIoSpacePageCount`	—

Event ID 139 — Soft Restart failed to restore memory partition %1 with status: %2.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

Soft Restart failed to restore memory partition %1 with status: %2

Fields

Name	Description
`Identifier`	—
`Status`	—

Event ID 140 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`Identifier`	—

Event ID 141 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`Identifier`	—
`RunCount`	—
`PageCount`	—
`IoSpaceRunCount`	—
`IoSpacePageCount`	—
`Status`	—
`PartitionNameLength`	—
`PartitionName`	—

Event ID 142 — Soft Restart failed to register with Soft Restart extension.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

Soft Restart failed to register with Soft Restart extension. The versions are not compatible.

Fields

Name	Description
`Status`	—
`ActualSize`	—
`ExpectedSize`	—
`Vtl`	—

Event ID 143 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`Status`	—

Event ID 144 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Event ID 145 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`Status`	—

Event ID 146 — Soft Restart failed to establish connection with secure load with status.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

Soft Restart failed to establish connection with secure load with status: %1

Fields

Name	Description
`Status`	—

Event ID 147 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`ApplicationId`	—
`BlockId`	—
`FreePersistentPages`	—

Event ID 148 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`Status`	—

Event ID 149 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Event ID 150 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`Status`	—
`Tag`	—

Event ID 151 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`PartitionId`	—
`RunCount`	—
`PageCount`	—
`IoSpaceMemory`	—
`Allocated`	—

Event ID 152 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`Status`	—

Event ID 153 — Virtualization-based security (policies: %3) is %2.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Level: 4
Samples: 1

Message

Virtualization-based security (policies: %3) is %2.

Fields

Name	Description
`Status`	—
`EnableDisableReason`	—
`VsmPolicy`	Virtualization-based security (policies.

Example Event

system:
  provider: Microsoft-Windows-Kernel-Boot
  guid: 15CA44FF-4D7A-4BAA-BBA5-0998955E531E
  event_source_name: ''
  event_id: 153
  version: 0
  level: 4
  task: 62
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2022-04-07T16:52:33.732630+00:00'
  event_record_id: 1132
  correlation: {}
  execution:
    process_id: 4
    thread_id: 8
  channel: System
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-18
event_data:
  Status: 0
  EnableDisableReason: 0
  VsmPolicy: 0
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 154 — Boot Policy Migration used an authenticated variable.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Level: 4
Samples: 1

Message

Boot Policy Migration used an authenticated variable.  Status: %1

Fields

Name	Description
`Status`	Boot Policy Migration used an authenticated variable. Status.

Example Event

system:
  provider: Microsoft-Windows-Kernel-Boot
  guid: 15CA44FF-4D7A-4BAA-BBA5-0998955E531E
  event_source_name: ''
  event_id: 154
  version: 0
  level: 4
  task: 44
  opcode: 0
  keywords: 2305843009213693952
  time_created: '2023-11-06T06:20:49.064672+00:00'
  event_record_id: 46
  correlation: {}
  execution:
    process_id: 4
    thread_id: 8
  channel: Microsoft-Windows-Kernel-Boot/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  Status: 0
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 155 — Boot Policy Migration used an unauthenticated variable.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

Boot Policy Migration used an unauthenticated variable.  Status: %1

Fields

Name	Description
`Status`	—

Event ID 156 — Virtualization-based security (policies: %3) is %2 with status: %1.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Level: 3
Samples: 1

Message

Virtualization-based security (policies: %3) is %2 with status: %1

Fields

Name	Description
`Status`	2 with status.
`EnableDisableReason`	—
`VsmPolicy`	Virtualization-based security (policies.

Example Event

system:
  provider: Microsoft-Windows-Kernel-Boot
  guid: 15CA44FF-4D7A-4BAA-BBA5-0998955E531E
  event_source_name: ''
  event_id: 156
  version: 0
  level: 3
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-06T06:24:56.249721+00:00'
  event_record_id: 1625
  correlation: {}
  execution:
    process_id: 4
    thread_id: 8
  channel: System
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  Status: 3221225659
  EnableDisableReason: 6
  VsmPolicy: 515
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 157 — Info: %1 Status: %2.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

Info: %1 Status: %2

Fields

Name	Description
`Info`	—
`Status`	—
`DiagCode`	—

Event ID 158 — Error: %1 Status: %2.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Level: 2
Samples: 1

Message

Error: %1 Status: %2

Fields

Name	Description
`DiagCode`	Error.
`Status`	—

Example Event

system:
  provider: Microsoft-Windows-Kernel-Boot
  guid: 15CA44FF-4D7A-4BAA-BBA5-0998955E531E
  event_source_name: ''
  event_id: 158
  version: 0
  level: 2
  task: 53
  opcode: 0
  keywords: 2305851805306716160
  time_created: '2023-11-06T06:24:56.254284+00:00'
  event_record_id: 49
  correlation: {}
  execution:
    process_id: 4
    thread_id: 8
  channel: Microsoft-Windows-Kernel-Boot/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  DiagCode: 1076887595
  Status: 3221225659
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 159 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`BasePage`	—
`PageCount`	—

Event ID 160 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`Status`	—

Event ID 161 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`Status`	—

Event ID 162 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`Status`	—

Event ID 163 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`Status`	—

Event ID 164 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`Status`	—

Event ID 165 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`Status`	—

Event ID 166 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`Status`	—

Event ID 167 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`Status`	—

Event ID 168 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`Status`	—

Event ID 169 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`Status`	—
`FailurePoint`	—

Event ID 170 — Measured Boot Measurement Failure.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

Measured Boot Measurement Failure. Status: %1

Fields

Name	Description
`Measured_Boot_Measurement_Failure_Status`	Measured Boot Measurement Failure. Status.
`Status`	—

Event ID 171 — TPM Measurement Failure.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

TPM Measurement Failure. Status: %1

Fields

Name	Description
`TPM_Measurement_Failure_Status`	TPM Measurement Failure. Status.
`Status`	—

Event ID 172 — Failure to close TCG log.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

Failure to close TCG log. Status: %1

Fields

Name	Description
`Status`	—

Event ID 173 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`Status`	—

Event ID 174 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`Status`	—

Event ID 175 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`Status`	—

Event ID 176 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`Status`	—

Event ID 177 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`VendorGuid`	—
`VariableName`	—
`Attributes`	—
`Status`	—

Event ID 178 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`VendorGuid`	—
`VariableName`	—
`Attributes`	—
`Status`	—

Event ID 179 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`Status`	—

Event ID 180 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`Status`	—

Event ID 181 — Soft Restart driver failed to register itself as a filter with status.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

Soft Restart driver failed to register itself as a filter with status: %1

Fields

Name	Description
`Status`	—

Event ID 182 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`Status`	—

Event ID 183 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`Status`	—

Event ID 184 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`DisableReason`	—
`TcgLogStatus`	—

Event ID 185 — Soft Restart driver failed to store BCD store when BCDCache is enabled with status.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

Soft Restart driver failed to store BCD store when BCDCache is enabled with status: %1

Fields

Name	Description
`Status`	—

Event ID 186 — Soft Restart driver failed to query MEMDISK configuration from the current OS with status.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

Soft Restart driver failed to query MEMDISK configuration from the current OS with status: %1

Fields

Name	Description
`Status`	—

Event ID 200 — A command was submitted to the TPM.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic

Message

A command was submitted to the TPM.
Command code: %1.
Response code: %2.
Elapsed time: %3ms.

Fields

Name	Description
`Command_code`	—
`Response_code`	—
`Elapsed_time`	—
`CommandCode`	—
`ResponseCode`	—
`ResponseMilliseconds`	—

Event ID 201 — A command was submitted to the TPM.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic

Message

A command was submitted to the TPM.
Command code: %1.
Response code: %2.
Elapsed time: %3ms.

Fields

Name	Description
`Command_code`	—
`Response_code`	—
`Elapsed_time`	—
`CommandCode`	—
`ResponseCode`	—
`ResponseMilliseconds`	—
`CommandSize`	—
`CommandData`	—
`ResponseSize`	—
`ResponseData`	—

Event ID 202 — A command could not be submitted to the TPM.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

A command could not be submitted to the TPM.
Command code: %1.
Error code: %2.
Elapsed time: %3ms.

Fields

Name	Description
`Command_code`	—
`Error_code`	—
`Elapsed_time`	—
`CommandCode`	—
`ErrorCode`	—
`ResponseMilliseconds`	—

Event ID 203 — A command could not be submitted to the TPM.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

A command could not be submitted to the TPM.
Command code: %1.
Error code: %2.
Elapsed time: %3ms.

Fields

Name	Description
`Command_code`	—
`Error_code`	—
`Elapsed_time`	—
`CommandCode`	—
`ErrorCode`	—
`ResponseMilliseconds`	—
`CommandSize`	—
`CommandData`	—

Event ID 204 — The TPM was found not to be useable for BitLocker.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic

Message

The TPM was found not to be useable for BitLocker. Flags: %1.

Fields

Name	Description
`FveGlobalDataFlags`	—

Event ID 205 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Event ID 206 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`Status`	—

Event ID 207 — Measured Boot library was initialized.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic

Message

Measured Boot library was initialized. Phase: %1, StatusCode: %2.

Fields

Name	Description
`Phase`	—
`StatusCode`	—
`EnvironmentState`	—

Event ID 208 — Measured Boot library encountered a failure and entered insecure state.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Level: 2
Samples: 1

Message

Measured Boot library encountered a failure and entered insecure state. InitState: %1, StatusCode: %2, Failure Address: %3, Reference Address: %4, Reason: %5.

Fields

Name	Description
`InitState`	Measured Boot library encountered a failure and entered insecure state. InitState.
`StatusCode`	—
`FailureAddress`	—
`ReferenceAddress`	—
`ReasonCode`	—

Example Event

system:
  provider: Microsoft-Windows-Kernel-Boot
  guid: 15CA44FF-4D7A-4BAA-BBA5-0998955E531E
  event_source_name: ''
  event_id: 208
  version: 0
  level: 2
  task: 78
  opcode: 12
  keywords: 2305851805306716160
  time_created: '2023-11-06T06:24:56.268671+00:00'
  event_record_id: 51
  correlation: {}
  execution:
    process_id: 4
    thread_id: 8
  channel: Microsoft-Windows-Kernel-Boot/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  InitState: 1
  StatusCode: 3221225473
  FailureAddress: 269088818
  ReferenceAddress: 270250432
  ReasonCode: 1
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 209 — DRTM Security Version Number check failed.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

DRTM Security Version Number check failed. SvnCounterId: %1, StatusCode: %2, Svn Value: %3, Previous SVN Value: %4.

Fields

Name	Description
`SvnCounterId`	—
`StatusCode`	—
`SvnValue`	—
`PrevSvnValue`	—

Event ID 210 — Intel TXT SENTER time: %1 ms.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

Intel TXT SENTER time: %1 ms.

Fields

Name	Description
`Intel_TXT_SENTER_time`	—
`SinitTimeMs`	—

Event ID 211 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`Status`	—

Event ID 212 — File modification detected after load.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic

Message

File modification detected after load: %1.

Fields

Name	Description
`File_modification_detected_after_load`	—
`PathLength`	—
`Path`	—

Event ID 213 — Registry modification detected after load.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic

Message

Registry modification detected after load: %1.

Fields

Name	Description
`PathLength`	—
`Path`	—

Event ID 214 — Soft reboot prepare started (complete requested: %1).

Provider: Microsoft-Windows-Kernel-Boot
Channel: System

Message

Soft reboot prepare started (complete requested: %1).

Fields

Name	Description
`TryComplete`	—

Event ID 215 — Soft reboot prepare finished.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System

Message

Soft reboot prepare finished: %1.

Fields

Name	Description
`Soft_reboot_prepare_finished`	—
`Status`	—

Event ID 216 — Soft reboot complete prepare started.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System

Message

Soft reboot complete prepare started.

Event ID 217 — Soft reboot complete prepare finished.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System

Message

Soft reboot complete prepare finished: %1.

Fields

Name	Description
`Soft_reboot_complete_prepare_finished`	—
`Status`	—

Event ID 218 — Soft reboot call to %1 failed: %2 (checkpoint: %3).

Provider: Microsoft-Windows-Kernel-Boot
Channel: System

Message

Soft reboot call to %1 failed: %2 (checkpoint: %3).

Fields

Name	Description
`checkpoint`	1 failed.
`Function`	—
`Status`	—
`Checkpoint`	—

Event ID 219 — Intel TXT prepared.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

Intel TXT prepared. ACM date: %2/%1/%3.

Fields

Name	Description
`Intel_TXT_prepared_ACM_date`	—
`AcmDateDay`	—
`AcmDateMonth`	—
`AcmDateYear`	—

Event ID 220 — System Guard enabled but not supported.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

System Guard enabled but not supported. Reason: %1

Fields

Name	Description
`TxtStatus`	—

Event ID 221 — System drivers need update to support VBS launch.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System

Message

System drivers need update to support VBS launch.

Event ID 222 — SMM configuration failed validation.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System

Message

SMM configuration failed validation. Reason: %1

Fields

Name	Description
`TxtStatus`	—
`Instance`	—
`Status`	—

Event ID 223 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`Phase`	—
`Status`	—
`Tries`	—
`RemainingNodesCount`	—
`RemainingNodes`	—

Event ID 224 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`AllocatedRegions`	—
`Tries`	—

Event ID 225 — VBS is configured to disallow trustlets.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

VBS is configured to disallow trustlets.

Event ID 226 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Event ID 227 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Event ID 228 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`Status`	—

Event ID 229 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`Status`	—

Event ID 230 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`Status`	—

Event ID 231 — Boot menu timer canceled due to key press.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

Boot menu timer canceled due to key press.

Fields

Name	Description
`KeyType`	—
`Code`	—

Event ID 232 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Event ID 233 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`RangeCount`	—
`PageCount`	—
`MarkedAsBadRegularPages`	—
`MarkedAsBadIoSpacePages`	—
`MarkErrorsCount`	—

Event ID 234 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`Identifier`	—
`PartitionId`	—
`AllocatedBlockCount`	—
`AllocatedRunCount`	—
`AllocatedPageCount`	—
`Status`	—

Event ID 235 — Windows boot environment failed to initialize TPM device.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Level: 2
Samples: 1

Message

Windows boot environment failed to initialize TPM device. StatusCode: %1, Position: %2.

Fields

Name	Description
`StatusCode`	Windows boot environment failed to initialize TPM device. StatusCode.
`Position`	—

Example Event

system:
  provider: Microsoft-Windows-Kernel-Boot
  guid: 15CA44FF-4D7A-4BAA-BBA5-0998955E531E
  event_source_name: ''
  event_id: 235
  version: 0
  level: 2
  task: 99
  opcode: 11
  keywords: 2305851805306716160
  time_created: '2023-11-06T06:24:56.268658+00:00'
  event_record_id: 50
  correlation: {}
  execution:
    process_id: 4
    thread_id: 8
  channel: Microsoft-Windows-Kernel-Boot/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  StatusCode: 3221225474
  Position: 1
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 236 — SMM isolation level decreased.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

SMM isolation level decreased. Reason: %1

Fields

Name	Description
`SMM_isolation_level_decreased_Reason`	SMM isolation level decreased. Reason.
`TxtStatus`	—
`PolicyLevel`	—
`Argument1`	—
`Argument2`	—

Event ID 237 — Hardware memory mirroring is not supported.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

Hardware memory mirroring is not supported. MirrorStatus: %1

Fields

Name	Description
`MirrorStatus`	—

Event ID 238 — EFI time zone bias.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Level: 4
Samples: 1

Message

EFI time zone bias: %1. Daylight flags: %2.

Fields

Name	Description
`EfiTimeZoneBias`	—
`EfiDaylightFlags`	—
`EfiTime`	—

Example Event

system:
  provider: Microsoft-Windows-Kernel-Boot
  guid: 15CA44FF-4D7A-4BAA-BBA5-0998955E531E
  event_source_name: ''
  event_id: 238
  version: 1
  level: 4
  task: 101
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-06T06:24:56.254256+00:00'
  event_record_id: 1628
  correlation: {}
  execution:
    process_id: 4
    thread_id: 8
  channel: System
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  EfiTimeZoneBias: 2047
  EfiDaylightFlags: 0
  EfiTime: '2023-11-05T22:24:37.000000Z'
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 239 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic

Fields

Name	Description
`Pages`	—
`MemoryType`	—
`Attributes`	—
`Alignment`	—
`Status`	—
`RangeMinimum`	—
`RangeMaximum`	—
`RangeFlags`	—

Event ID 240 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Event ID 241 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`Status`	—
`Tag`	—

Event ID 242 — SMM isolation detected.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System

Message

SMM isolation detected. Level: %1

Fields

Name	Description
`SMM_isolation_detected_Level`	SMM isolation detected. Level.
`IsolationLevel`	—

Event ID 243 — Hardware memory mirroring support is enabled.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

Hardware memory mirroring support is enabled.

Fields

Name	Description
`MirrorPercentage`	—

Event ID 244 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic

Fields

Name	Description
`GetCapabilityTime`	—
`GetResourcesTime`	—
`ResourcesValidationTime`	—

Event ID 245 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`Identifier`	—

Event ID 246 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`Identifier`	—
`Status`	—

Event ID 247 — Windows boot environment failed load the HSP firmware.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System

Message

Unable to load Pluton-Windows firmware. StatusCode: %1, Reason: %2

Fields

Name	Description
`Status`	—
`FailureReason`	—

Event ID 248 — Previous error detected while attempting to execute Measured Launch Environment.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

Previous error detected while attempting to execute Measured Launch Environment. Source: %1 Error code: %2.

Fields

Name	Description
`AmdSlErrorCode`	—

Event ID 249 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`Module`	—
`Function`	—
`Status`	—

Event ID 250 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`PageCount`	—
`Status`	—
`MemoryType`	—
`Attributes`	—

Event ID 251 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`InformationClass`	—
`Status`	—

Event ID 252 — This system has not supplied a valid framebuffer and the graphical boot menu is not used.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

This system has not supplied a valid framebuffer and the graphical boot menu is not used.

Event ID 253 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic

Event ID 253 — HotPatch %4 failed to apply with Status: %2 at failure point: %1.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

HotPatch %4 failed to apply with Status: %2 at failure point: %1.

Fields

Name	Description
`FailurePoint`	—
`Status`	—
`HotPatchPathLength`	—
`HotPatchPath`	—

Event ID 254 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`Status`	—

Event ID 255 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Fields

Name	Description
`Status`	—

Event ID 256 — AMD DRTM Firmware Anti-Rollback Disabled.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System

Message

AMD DRTM Firmware Anti-Rollback Disabled.

Event ID 257 — Failed to build image path for dump stack module %1.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

Failed to build image path for dump stack module %1. Status: %2.

Fields

Name	Description
`ModulePath`	—
`Status`	—

Event ID 258 — Failed to load dump stack module %1.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

Failed to load dump stack module %1. Status: %2.

Fields

Name	Description
`ModulePath`	—
`Status`	—

Event ID 259 — Early dump stack succesfully loaded by OS loader.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

Early dump stack succesfully loaded by OS loader.

Event ID 260 — Early boot crash dump generation is not supported.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

Early boot crash dump generation is not supported.

Event ID 261 — Soft restart prepare was vetoed by component %2 with status %1.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

Soft restart prepare was vetoed by component %2 with status %1.

Fields

Name	Description
`Status`	—
`Tag`	—

Event ID 262 — Soft restart finalize was vetoed by component %2 with status %1.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

Soft restart finalize was vetoed by component %2 with status %1.

Fields

Name	Description
`Status`	—
`Tag`	—

Event ID 263 — Early crash dump support is disabled by registry configuration.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

Early crash dump support is disabled by registry configuration.

Event ID 264 — Failed to query early dump enablement information from the registry with status %1.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

Failed to query early dump enablement information from the registry with status %1.

Fields

Name	Description
`Status`	—

Event ID 265 — Failed to query dedicated dump file name for the target OS with status %1.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

Failed to query dedicated dump file name for the target OS with status %1. Early crash dump functinality will not be loaded.

Fields

Name	Description
`Status`	—

Event ID 266 — Dedicated dump file names do not match (%1, %2).

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

Dedicated dump file names do not match (%1, %2). Early crash dump functinality will not be loaded.

Fields

Name	Description
`HostDumpFileName`	—
`TargetDumpFileName`	—

Event ID 267 — Failed to query dump module list.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

Failed to query dump module list. Status: %1.

Fields

Name	Description
`Status`	—

Event ID 268 — Boot Application %1 dropped %2 events during logging.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

Boot Application %1 dropped %2 events during logging.

Fields

Name	Description
`ApplicationIdentifier`	—
`EventsLostCount`	—

Event ID 269 — Trace point: Function:%1 Point:%2 Status:%3.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

Trace point: Function:%1 Point:%2 Status:%3

Fields

Name	Description
`Function`	—
`Point`	—
`NTStatus`	—

Event ID 270 — Cached boot BCD store was loaded by the boot environment.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

Cached boot BCD store was loaded by the boot environment.

Event ID 271 — TPRs are supported, TPR setup will be requested while attempting to execute Measured Launch Environment.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

TPRs are supported, TPR setup will be requested while attempting to execute Measured Launch Environment.

Event ID 272 — PPAM Manifest Info.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System

Message

PPAM Manifest Info: %1

Fields

Name	Description
`PpamStatus`	—

Event ID 273 — BCD Option '.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

BCD Option '%1' was not applied due to Secure Boot being enabled. Option: %2

Fields

Name	Description
`BcdOption`	—
`BcdElement`	—

Event ID 274 — Bootmgr Security Version Number check failed.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System

Message

Bootmgr Security Version Number check failed. Svn Value: %1, Previous SVN Value: %2.

Fields

Name	Description
`SvnValue`	—
`PrevSvnValue`	—

Event ID 275 — ACM InfoTable version used.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

ACM InfoTable version used: %1.

Fields

Name	Description
`AcmInfoTableVersion`	—

Event ID 276 — Windows boot manager revocation policy version %1 is applied.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

Windows boot manager revocation policy version %1 is applied.

Fields

Name	Description
`Version`	—

Event ID 277 — Windows boot manager revocation policy version %1 was not found.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

Windows boot manager revocation policy version %1 was not found. It is recommended that it be redeployed.

Fields

Name	Description
`Version`	—

Event ID 291 — Succeeded in updating the SBAT value in FW.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

Succeeded in updating the SBAT value in FW.

Fields

Name	Description
`Status`	—
`FailurePoint`	—
`UpdateStatusEnum`	—
`FwLevel`	—

Event ID 292 — Failed to update the SBAT value in FW.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

Failed to update the SBAT value in FW.

Fields

Name	Description
`Status`	—
`FailurePoint`	—
`UpdateStatusEnum`	—
`FwLevel`	—

Event ID 295 — Secure Boot revoked boot app %4 with SVN %1.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

Secure Boot revoked boot app %4 with SVN %1. Min SVN required: %2. Status: %3.

Fields

Name	Description
`LoadedBootAppSvn`	—
`EnforcedBootAppSvn`	—
`Status`	—
`FileName`	—

Event ID 312 — Failed to compose API Set schema extension with status.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational

Message

Failed to compose API Set schema extension with status: %1

Fields

Name	Description
`NTStatus`	—