Microsoft-Windows-Kernel-Boot

261 events across 3 channels

Event ID	Title	Channel
1	System was booted in WidthxHeight@BitsPerPixelbpp.	Analytic
2	BootUX screen was displayed in WidthxHeight@BitsPerPixelbpp.	Analytic
3	Video bit transfer rate is BytesPerMs bytes per ms.	Analytic
4	Boot library accessed file FileName on Device DeviceID.	Analytic
5	File IO for boot application ApplicationGuid: Total Bytes Read = BytesRead, …	Analytic
6	Image ImageName failed IntegrityCheck reason is Reason.	Analytic
7	Bootmgr duration is BootmgrTime milliseconds.	Analytic
8	Image ImageName is not self-signed.	Analytic
9	A device (DriveNumber) that was enumerated by the BIOS was inaccessible to the …	Analytic
10	The system firmware has allocated a memory region previously determined to be …	System
11	The time elapsed before Bootmgr, based on the TSC, is PreBootMgrTime ms.	Analytic
12	Variable UefiVariableName requires Size bytes and was set with status Status.	Analytic
13	Element Element of application ApplicationGuid was not in policy.	Analytic
14	A Secure Boot Policy update resulted in status Status.	Analytic
15	A Secure Boot Revocation List update resulted in status Status.	Analytic
16	Windows failed to resume from hibernate with error status FailureStatus.	System
17	The boot manager multi OS selection screen was displayed.	System
18	There are EntryCount boot options on this system.	System
19	There are ToolsCount boot tool options on this system.	System
20	The last shutdown's success status was LastShutdownGood.	System
21	The OS loader advanced options menu was displayed and the user selected option …	System
22	The OS loader edit options menu was displayed.	System
23	The Windows key was pressed during boot.	System
24	The F8 key was pressed during boot.	System
25	The boot menu policy was BootMenuPolicy.	System
26	A one-time boot sequence was used during this boot.	System
27	The boot type was BootType.	System
28		Operational
29	Windows failed fast startup with error status FailureStatus.	System
30	The firmware reported boot metrics.	System
31	Initialization of the firmware crypto hash provider resulted in status Status.	Analytic
32	The bootmgr spent BitlockerUserInputTime ms waiting for user input.	System
33	The firmware update capsule (ImageName) failed to load with status …	Analytic
34	The PE/COFF image firmware update capsule (PeImageName) failed to load with …	Analytic
35	The Efi UpdateCapsule failed to apply updates with status UpdateCapsuleStatus.	Operational
36	Firmware update supported status is UpdateSupportedStatus.	Analytic
37	The firmware update capsule (ImageName) code integrity check failed with status …	Analytic
38	Windows failed to load the required system file ImageName with error status …	Operational
39	Windows failed to load the system registry file HiveName with error status …	Operational
40	Windows failed to initialize the ACPI with error status Status.	Operational
41	Windows failed to load with error status Status.	Operational
42	Windows failed to load image FailedPath imported from Path with error status …	Operational
43	Windows failed to import Import from image Path with error status Status.	Operational
44	Windows failed to provision VSM Identity Key.	Operational
45	VSM Identity Key Provisioning.	Operational
46	Retrieving the driver list took RetrieveDriverListTime milliseconds.	Analytic
47	Loading the drivers took LoadDriversTime milliseconds.	Analytic
48	Loading hive Path took LoadHiveTime milliseconds.	Analytic
49	Windows system integrity policy does not allow to load the required system file …	Operational
50	Windows failed to provision VSM Master Encryption Key.	Operational
51	VSM Master Encryption Key Provisioning.	Operational
52	The time elapsed loading ApplicationIdentifier was ApplicationLoadTime ms.	Analytic
53	The time elapsed executing ApplicationIdentifier was ApplicationExecutionTime …	Analytic
54	Building chunk table for WIM compressed file FileName failed with status: …	Analytic
55	Soft Restart failed to prepare target Operating System.	Analytic
56	Boot application failed to process persistent data with status: Status.	Analytic
57	Windows failed to provision the TPM Storage Root Key with error status.	Operational
58	Windows successfully provisioned the TPM Storage Root Key.	Operational
59	Windows failed to provision TPM binding information with error …	Operational
60	NFIT ACPI table is not properly formed, and could not be parsed.	Operational
61		Analytic
62	Previous error detected while attempting to execute Measured Launch Environment.	Operational
63		Analytic
64		Analytic
65		Analytic
66		Analytic
67		Analytic
68		Analytic
69		Analytic
70		Analytic
71		Operational
72		Analytic
73	Firmware provided SINIT ACM not used.	Operational
74	Windows failed to provision DRTM-bound VSM Master Encryption Key .	Operational
75	Windows successfully provisioned DRTM-bound VSM Master Encryption Key.	Operational
76		Operational
77		Operational
78		Operational
79		Operational
80	FASR Platform Verification.	Operational
81	Windows skipped provisioning the TPM Storage Root Key because the …	Operational
82	Trace point: Function:Function Point:Point Status:NTStatus.	Operational
83	VSM Master Key Array Package Read and Unseal From Disk.	Operational
84	Seal and Store on Disk Status.	Operational
85	Read and Unseal Master Key Array Package Status.	Operational
86	Get Plaintext Master Key Array Status.	Operational
87	Read and Unseal Master Key Array Package error.	Operational
88	Read and Unseal Master Key Array Package Status.	Operational
89	Create Sealed Encrypt Key Status.	Operational
90	Get Sealed Protector Status.	Operational
91	SRTM PCR Values.	Operational
92		Operational
100		Operational
101		Operational
102		Operational
103		Operational
104		Operational
105		Operational
106		Operational
107		Operational
108		Operational
109		Operational
110		Operational
111		Operational
112		Operational
113		Operational
114		Operational
115	Soft reboot cancellation started: Soft_reboot_cancellation_started.	System
116	Soft reboot cancellation finished: Soft_reboot_cancellation_finished.	System
117		Operational
118		Operational
119		Operational
120		Operational
121		Operational
122		Operational
123		Operational
124	The virtualization-based security enablement policy check at phase Phase failed …	System
126		Operational
127		Operational
128		Operational
129		Operational
130		Operational
131		Operational
132		Operational
133		Operational
134		Operational
135		Operational
136	Soft Restart failed to complete with status: Status due to OutstandingCount …	Operational
137		Operational
138		Operational
139	Soft Restart failed to restore memory partition Identifier with status: Status.	Operational
140		Operational
141		Operational
142	Soft Restart failed to register with Soft Restart extension.	Operational
143		Operational
144		Operational
145		Operational
146	Soft Restart failed to establish connection with secure load with status: …	Operational
147		Operational
148		Operational
149		Operational
150		Operational
151		Operational
152		Operational
153	Virtualization-based security (policies: VsmPolicy) is EnableDisableReason.	System
154	Boot Policy Migration used an authenticated variable.	Operational
155	Boot Policy Migration used an unauthenticated variable.	Operational
156	Virtualization-based security (policies: VsmPolicy) is EnableDisableReason with …	System
157	Info: Info Status: Status.	Operational
158	Error: DiagCode Status: Status.	Operational
159		Operational
160		Operational
161		Operational
162		Operational
163		Operational
164		Operational
165		Operational
166		Operational
167		Operational
168		Operational
169		Operational
170	Measured Boot Measurement Failure.	Operational
171	TPM Measurement Failure.	Operational
172	Failure to close TCG log.	Operational
173		Operational
174		Operational
175		Operational
176		Operational
177		Operational
178		Operational
179		Operational
180		Operational
181	Soft Restart driver failed to register itself as a filter with status: Status.	Operational
182		Operational
183		Operational
184		Operational
185	Soft Restart driver failed to store BCD store when BCDCache is enabled with …	Operational
186	Soft Restart driver failed to query MEMDISK configuration from the current OS …	Operational
200	A command was submitted to the TPM.	Analytic
201	A command was submitted to the TPM.	Analytic
202	A command could not be submitted to the TPM.	Operational
203	A command could not be submitted to the TPM.	Operational
204	The TPM was found not to be useable for BitLocker.	Analytic
205		Operational
206		Operational
207	Measured Boot library was initialized.	Analytic
208	Measured Boot library encountered a failure and entered insecure state.	Operational
209	DRTM Security Version Number check failed.	Operational
210	Intel TXT SENTER time: Intel_TXT_SENTER_time ms.	Operational
211		Operational
212	File modification detected after load: File_modification_detected_after_load.	Analytic
213	Registry modification detected after load: PathLength.	Analytic
214	Soft reboot prepare started (complete requested: TryComplete).	System
215	Soft reboot prepare finished: Soft_reboot_prepare_finished.	System
216	Soft reboot complete prepare started.	System
217	Soft reboot complete prepare finished: Soft_reboot_complete_prepare_finished.	System
218	Soft reboot call to checkpoint failed: Function (checkpoint: Status).	System
219	Intel TXT prepared.	Operational
220	System Guard enabled but not supported.	Operational
221	System drivers need update to support VBS launch.	System
222	SMM configuration failed validation.	System
223		Operational
224		Operational
225	VBS is configured to disallow trustlets.	Operational
226		Operational
227		Operational
228		Operational
229		Operational
230		Operational
231	Boot menu timer canceled due to key press.	Operational
232		Operational
233		Operational
234		Operational
235	Windows boot environment failed to initialize TPM device.	Operational
236	SMM isolation level decreased.	Operational
237	Hardware memory mirroring is not supported.	Operational
238	EFI time zone bias: EfiTimeZoneBias.	System
239		Analytic
240		Operational
241		Operational
242	SMM isolation detected.	System
243	Hardware memory mirroring support is enabled.	Operational
244		Analytic
245		Operational
246		Operational
247	Unable to load Pluton-Windows firmware.	System
248	Previous error detected while attempting to execute Measured Launch Environment.	Operational
249		Operational
250		Operational
251		Operational
252	This system has not supplied a valid framebuffer and the graphical boot menu is …	Operational
253		Analytic
253	HotPatch HotPatchPath failed to apply with Status: Status at failure point: …	Operational
254		Operational
255		Operational
256	AMD DRTM Firmware Anti-Rollback Disabled.	System
257	Failed to build image path for dump stack module ModulePath.	Operational
258	Failed to load dump stack module ModulePath.	Operational
259	Early dump stack succesfully loaded by OS loader.	Operational
260	Early boot crash dump generation is not supported.	Operational
261	Soft restart prepare was vetoed by component Tag with status Status.	Operational
262	Soft restart finalize was vetoed by component Tag with status Status.	Operational
263	Early crash dump support is disabled by registry configuration.	Operational
264	Failed to query early dump enablement information from the registry with status …	Operational
265	Failed to query dedicated dump file name for the target OS with status Status.	Operational
266	Dedicated dump file names do not match (HostDumpFileName, TargetDumpFileName).	Operational
267	Failed to query dump module list.	Operational
268	Boot Application ApplicationIdentifier dropped EventsLostCount events during …	Operational
269	Trace point: Function:Function Point:Point Status:NTStatus.	Operational
270	Cached boot BCD store was loaded by the boot environment.	Operational
271	TPRs are supported, TPR setup will be requested while attempting to execute …	Operational
272	PPAM Manifest Info: PpamStatus.	System
273	BCD Option 'BcdOption' was not applied due to Secure Boot being enabled.	Operational
274	Bootmgr Security Version Number check failed.	System
275	ACM InfoTable version used: AcmInfoTableVersion.	Operational
276	Windows boot manager revocation policy version Version is applied.	Operational
277	Windows boot manager revocation policy version Version was not found.	Operational
291	Succeeded in updating the SBAT value in FW.	Operational
292	Failed to update the SBAT value in FW.	Operational
295	Secure Boot revoked boot app FileName with SVN LoadedBootAppSvn.	Operational
312	Failed to compose API Set schema extension with status: NTStatus.	Operational

Event ID 1 — System was booted in WidthxHeight@BitsPerPixelbpp.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Task: FirmwareResolution

Description

System was booted in WidthxHeight@BitsPerPixelbpp.

Message #

System was booted in %1x%2@%3bpp.

Fields #

Name	Description
`Width` UInt32	—
`Height` UInt32	—
`BitsPerPixel` UInt32	—

Event ID 2 — BootUX screen was displayed in WidthxHeight@BitsPerPixelbpp.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Task: BootEnvResolution

Description

BootUX screen was displayed in WidthxHeight@BitsPerPixelbpp.

Message #

BootUX screen was displayed in %1x%2@%3bpp.

Fields #

Name	Description
`Width` UInt32	—
`Height` UInt32	—
`BitsPerPixel` UInt32	—

Event ID 3 — Video bit transfer rate is BytesPerMs bytes per ms.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Opcode: Info

Description

Video bit transfer rate is BytesPerMs bytes per ms.

Message #

Video bit transfer rate is %1 bytes per ms.

Fields #

Name	Description
`BytesPerMs` UInt32	—

Event ID 4 — Boot library accessed file FileName on Device DeviceID.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Task: BootFileAccess

Description

Boot library accessed file FileName on Device DeviceID. Read BytesRead bytes and wrote BytesWritten bytes.

Message #

Boot library accessed file %2 on Device %1. Read %3 bytes and wrote %4 bytes.

Fields #

Name	Description
`DeviceID` UInt32	—
`FileName` UnicodeString	—
`BytesRead` UInt64	—
`BytesWritten` UInt64	—

Event ID 5 — File IO for boot application ApplicationGuid: Total Bytes Read = BytesRead, Total Bytes Written = BytesWritten.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Task: BootTotalIo

Description

File IO for boot application ApplicationGuid: Total Bytes Read = BytesRead, Total Bytes Written = BytesWritten.

Message #

File IO for boot application %1: Total Bytes Read = %2, Total Bytes Written = %3.

Fields #

Name	Description
`ApplicationGuid` GUID	—
`BytesRead` UInt64	—
`BytesWritten` UInt64	—

Event ID 6 — Image ImageName failed IntegrityCheck reason is Reason.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Task: ImageIntegrityCheck

Description

Image ImageName failed IntegrityCheck reason is Reason. Image flags are ImageFlags. Error ignored due to debugger ErrorIgnored.

Message #

Image %1 failed IntegrityCheck reason is %3. Image flags are %2. Error ignored due to debugger %4.

Fields #

Name	Description
`ImageName` UnicodeString	—
`ImageFlags` UInt32	—
`Reason` UInt32	—
`ErrorIgnored` UInt32	—

Event ID 7 — Bootmgr duration is BootmgrTime milliseconds.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Task: BootManager

Description

Bootmgr duration is BootmgrTime milliseconds.

Message #

Bootmgr duration is %1 milliseconds.

Fields #

Name	Description
`BootmgrTime` UInt64	—

Event ID 8 — Image ImageName is not self-signed.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Task: ImageHashCheck

Description

Image ImageName is not self-signed.

Message #

Image %1 is not self-signed.

Fields #

Name	Description
`ImageName` UnicodeString	—

Event ID 9 — A device (DriveNumber) that was enumerated by the BIOS was inaccessible to the boot environment.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Opcode: Info

Description

A device (DriveNumber) that was enumerated by the BIOS was inaccessible to the boot environment.

Message #

A device (%1) that was enumerated by the BIOS was inaccessible to the boot environment.

Fields #

Name	Description
`DriveNumber` UInt32	—

Event ID 10 — The system firmware has allocated a memory region previously determined to be unreliable.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Opcode: Info

Description

The system firmware has allocated a memory region previously determined to be unreliable. This has the potential to cause system instability and/or data corruption.

Message #

The system firmware has allocated a memory region previously determined to be unreliable. This has the potential to cause system instability and/or data corruption.

Fields #

Name	Description
`FwStartPage` UInt64	—
`FwPageCount` UInt64	—
`FwMemoryType` UInt32	—
`FwMemoryAttributes` UInt32	—
`BlStartPage` UInt64	—
`BlPageCount` UInt64	—
`BlMemoryType` UInt32	—
`BlMemoryAttributes` UInt32	—

Event ID 11 — The time elapsed before Bootmgr, based on the TSC, is PreBootMgrTime ms.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Task: PreBoot

Description

The time elapsed before Bootmgr, based on the TSC, is PreBootMgrTime ms.

Message #

The time elapsed before Bootmgr, based on the TSC, is %1 ms.

Fields #

Name	Description
`PreBootMgrTime` UInt64	—

Event ID 12 — Variable UefiVariableName requires Size bytes and was set with status Status.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Task: SecureBootVariableUsage

Description

Variable UefiVariableName requires Size bytes and was set with status Status.

Message #

Variable %1 requires %2 bytes and was set with status %3.

Fields #

Name	Description
`UefiVariableName` UnicodeString	—
`Size` UInt32	—
`Status` UInt32	— NTSTATUS reference

Event ID 13 — Element Element of application ApplicationGuid was not in policy.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Opcode: Info

Description

Element Element of application ApplicationGuid was not in policy.

Message #

Element %2 of application %1 was not in policy.

Fields #

Name	Description
`ApplicationGuid` GUID	—
`Element` UInt32	—

Event ID 14 — A Secure Boot Policy update resulted in status Status.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Opcode: Info

Description

A Secure Boot Policy update resulted in status Status.

Message #

A Secure Boot Policy update resulted in status %1.

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference

Event ID 15 — A Secure Boot Revocation List update resulted in status Status.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Opcode: Info

Description

A Secure Boot Revocation List update resulted in status Status.

Message #

A Secure Boot Revocation List update resulted in status %1.

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference

Event ID 16 — Windows failed to resume from hibernate with error status FailureStatus.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Opcode: Info

Description

Windows failed to resume from hibernate with error status FailureStatus.

Message #

Windows failed to resume from hibernate with error status %1.

Fields #

Name	Description
`FailureStatus` UInt32	—
`FailureMsg` UnicodeString	—

Event ID 17 — The boot manager multi OS selection screen was displayed.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Opcode: Info

Description

The boot manager multi OS selection screen was displayed.

Message #

The boot manager multi OS selection screen was displayed.

Event ID 18 — There are EntryCount boot options on this system.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Level: Informational
Task: BootmgrEntryCount

Description

There are EntryCount boot options on this system.

Message #

There are %1 boot options on this system.

Fields #

Name	Description
`EntryCount` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Boot",
    "guid": "15CA44FF-4D7A-4BAA-BBA5-0998955E531E",
    "event_source_name": "",
    "event_id": 18,
    "version": 0,
    "level": 4,
    "task": 57,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T06:24:56.268682+00:00",
    "event_record_id": 1632,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 8
    },
    "channel": "System",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "EntryCount": 1
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 19 — There are ToolsCount boot tool options on this system.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Opcode: Info

Description

There are ToolsCount boot tool options on this system.

Message #

There are %1 boot tool options on this system.

Fields #

Name	Description
`ToolsCount` UInt32	—

Event ID 20 — The last shutdown's success status was LastShutdownGood.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Level: Informational
Task: DirtyBootShutdown

Description

The last shutdown's success status was LastShutdownGood. The last boot's success status was LastBootGood.

Message #

The last shutdown's success status was %1. The last boot's success status was %2.

Fields #

Name	Description
`LastShutdownGood` Boolean	—
`LastBootGood` Boolean	—
`LastBootId` UInt32	—
`BootStatusPolicy` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Boot",
    "guid": "15CA44FF-4D7A-4BAA-BBA5-0998955E531E",
    "event_source_name": "",
    "event_id": 20,
    "version": 1,
    "level": 4,
    "task": 31,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T06:24:56.253255+00:00",
    "event_record_id": 1626,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 8
    },
    "channel": "System",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "LastShutdownGood": true,
    "LastBootGood": true,
    "LastBootId": 10,
    "BootStatusPolicy": 2
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 21 — The OS loader advanced options menu was displayed and the user selected option OptionSelected.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Opcode: Info

Description

The OS loader advanced options menu was displayed and the user selected option OptionSelected.

Message #

The OS loader advanced options menu was displayed and the user selected option %1.

Fields #

Name	Description
`OptionSelected` UInt32	—

Event ID 22 — The OS loader edit options menu was displayed.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Opcode: Info

Description

The OS loader edit options menu was displayed.

Message #

The OS loader edit options menu was displayed.

Event ID 23 — The Windows key was pressed during boot.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Opcode: Info

Description

The Windows key was pressed during boot.

Message #

The Windows key was pressed during boot.

Event ID 24 — The F8 key was pressed during boot.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Opcode: Info

Description

The F8 key was pressed during boot.

Message #

The F8 key was pressed during boot.

Event ID 25 — The boot menu policy was BootMenuPolicy.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Level: Informational
Task: BootMenuPolicy

Description

The boot menu policy was BootMenuPolicy.

Message #

The boot menu policy was %1.

Fields #

Name	Description
`BootMenuPolicy` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Boot",
    "guid": "15CA44FF-4D7A-4BAA-BBA5-0998955E531E",
    "event_source_name": "",
    "event_id": 25,
    "version": 0,
    "level": 4,
    "task": 32,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T06:24:56.254354+00:00",
    "event_record_id": 1630,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 8
    },
    "channel": "System",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "BootMenuPolicy": 1
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 26 — A one-time boot sequence was used during this boot.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Opcode: Info

Description

A one-time boot sequence was used during this boot.

Message #

A one-time boot sequence was used during this boot.

Event ID 27 — The boot type was BootType.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Level: Informational
Task: BootType

Description

The boot type was BootType.

Message #

The boot type was %1.

Fields #

Name	Description
`BootType` UInt32	—
`LoadOptions` AnsiString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Boot",
    "guid": "15CA44FF-4D7A-4BAA-BBA5-0998955E531E",
    "event_source_name": "",
    "event_id": 27,
    "version": 1,
    "level": 4,
    "task": 33,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T06:24:56.254562+00:00",
    "event_record_id": 1631,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 8
    },
    "channel": "System",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "BootType": 0,
    "LoadOptions": " NOEXECUTE=OPTIN  HYPERVISORLAUNCHTYPE=AUTO  FVEBOOT=2670592"
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 28 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SqmType` UInt32	—
`SqmSessionGuid` GUID	—
`SqmID` UInt32	—
`SqmStreamRowLength` UInt32	—
`SqmStreamRow` Int16	—

Event ID 29 — Windows failed fast startup with error status FailureStatus.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Opcode: Info

Description

Windows failed fast startup with error status FailureStatus.

Message #

Windows failed fast startup with error status %1.

Fields #

Name	Description
`FailureStatus` UInt32	—
`FailureMsg` UnicodeString	—

Event ID 30 — The firmware reported boot metrics.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Task: FirmwareBootData

Description

The firmware reported boot metrics.

Message #

The firmware reported boot metrics.

Fields #

Name	Description
`ResetEndStart` UInt64	—
`LoadOSImageStart` UInt64	—
`StartOSImageStart` UInt64	—
`ExitBootServicesEntry` UInt64	—
`ExitBootServicesExit` UInt64	—

Event ID 31 — Initialization of the firmware crypto hash provider resulted in status Status.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Opcode: Info

Description

Initialization of the firmware crypto hash provider resulted in status Status.

Message #

Initialization of the firmware crypto hash provider resulted in status %1.

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference

Event ID 32 — The bootmgr spent BitlockerUserInputTime ms waiting for user input.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Level: Informational
Task: UserInputTime

Description

The bootmgr spent BitlockerUserInputTime ms waiting for user input.

Message #

The bootmgr spent %1 ms waiting for user input.

Fields #

Name	Description
`BitlockerUserInputTime` UInt64	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Boot",
    "guid": "15CA44FF-4D7A-4BAA-BBA5-0998955E531E",
    "event_source_name": "",
    "event_id": 32,
    "version": 0,
    "level": 4,
    "task": 58,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T06:24:56.273719+00:00",
    "event_record_id": 1633,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 8
    },
    "channel": "System",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "BitlockerUserInputTime": 0
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 33 — The firmware update capsule (ImageName) failed to load with status ImageLoadStatus.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Opcode: Info

Description

The firmware update capsule (ImageName) failed to load with status ImageLoadStatus.

Message #

The firmware update capsule (%1) failed to load with status %2.

Fields #

Name	Description
`ImageName` UnicodeString	—
`ImageLoadStatus` UInt32	—

Event ID 34 — The PE/COFF image firmware update capsule (PeImageName) failed to load with status PeImageLoadStatus.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Opcode: Info

Description

The PE/COFF image firmware update capsule (PeImageName) failed to load with status PeImageLoadStatus.

Message #

The PE/COFF image firmware update capsule (%1) failed to load with status %2.

Fields #

Name	Description
`PeImageName` UnicodeString	—
`PeImageLoadStatus` UInt32	—

Event ID 35 — The Efi UpdateCapsule failed to apply updates with status UpdateCapsuleStatus.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Opcode: Info

Description

The Efi UpdateCapsule failed to apply updates with status UpdateCapsuleStatus.

Message #

The Efi UpdateCapsule failed to apply updates with status %1.

Fields #

Name	Description
`UpdateCapsuleStatus` UInt32	—

Event ID 36 — Firmware update supported status is UpdateSupportedStatus.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Opcode: Info

Description

Firmware update supported status is UpdateSupportedStatus. The BitLocker device flags are DeviceFlags and the PCR bitmap is PcrBitmap.

Message #

Firmware update supported status is %3. The BitLocker device flags are %1 and the PCR bitmap is %2.

Fields #

Name	Description
`DeviceFlags` UInt32	—
`PcrBitmap` UInt32	—
`UpdateSupportedStatus` UInt32	—

Event ID 37 — The firmware update capsule (ImageName) code integrity check failed with status ImageLoadStatus.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Opcode: Info

Description

The firmware update capsule (ImageName) code integrity check failed with status ImageLoadStatus.

Message #

The firmware update capsule (%1) code integrity check failed with status %2.

Fields #

Name	Description
`ImageName` UnicodeString	—
`ImageLoadStatus` UInt32	—

Event ID 38 — Windows failed to load the required system file ImageName with error status ImageLoadStatus.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: ImageLoadFailure

Description

Windows failed to load the required system file ImageName with error status ImageLoadStatus.

Message #

Windows failed to load the required system file %1 with error status %2.

Fields #

Name	Description
`ImageName` UnicodeString	—
`ImageLoadStatus` UInt32	—

Event ID 39 — Windows failed to load the system registry file HiveName with error status HiveLoadStatus.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Opcode: Info

Description

Windows failed to load the system registry file HiveName with error status HiveLoadStatus.

Message #

Windows failed to load the system registry file %1 with error status %2.

Fields #

Name	Description
`HiveName` UnicodeString	—
`HiveLoadStatus` UInt32	—

Event ID 40 — Windows failed to initialize the ACPI with error status Status.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Opcode: Info

Description

Windows failed to initialize the ACPI with error status Status.

Message #

Windows failed to initialize the ACPI with error status %1.

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference

Event ID 41 — Windows failed to load with error status Status.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Opcode: Info

Description

Windows failed to load with error status Status.

Message #

Windows failed to load with error status %1.

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference

Event ID 42 — Windows failed to load image FailedPath imported from Path with error status Status.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Opcode: Info

Description

Windows failed to load image FailedPath imported from Path with error status Status.

Message #

Windows failed to load image %2 imported from %1 with error status %3.

Fields #

Name	Description
`Path` UnicodeString	—
`FailedPath` UnicodeString	—
`Status` UInt32	— NTSTATUS reference

Event ID 43 — Windows failed to import Import from image Path with error status Status.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Opcode: Info

Description

Windows failed to import Import from image Path with error status Status.

Message #

Windows failed to import %2 from image %1 with error status %3.

Fields #

Name	Description
`Path` UnicodeString	—
`Import` AnsiString	—
`Status` UInt32	— NTSTATUS reference

Event ID 44 — Windows failed to provision VSM Identity Key.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Opcode: Info

Description

Windows failed to provision VSM Identity Key. Unsealing cached copy status: CachedCopyStatus. New key generation status: IdkGenerationStatus. Measuring to PCR status: MeasuringStatus. Sealing and caching status: SealingAndCachingStatus.

Message #

Windows failed to provision VSM Identity Key. Unsealing cached copy status: %1. New key generation status: %2. Measuring to PCR status: %3. Sealing and caching status: %4.

Fields #

Name	Description
`CachedCopyStatus` UInt32	—
`IdkGenerationStatus` UInt32	—
`MeasuringStatus` UInt32	—
`SealingAndCachingStatus` UInt32	—

Event ID 45 — VSM Identity Key Provisioning.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Level: Informational
Task: VsmIdkProvisioningStatus

Description

VSM Identity Key Provisioning. Unsealing cached copy status: CachedCopyStatus. New key generation status: IdkGenerationStatus. Measuring to PCR status: MeasuringStatus. Sealing and caching status: SealingAndCachingStatus.

Message #

VSM Identity Key Provisioning. Unsealing cached copy status: %1. New key generation status: %2. Measuring to PCR status: %3. Sealing and caching status: %4.

Fields #

Name	Description
`CachedCopyStatus` UInt32	—
`IdkGenerationStatus` UInt32	—
`MeasuringStatus` UInt32	—
`SealingAndCachingStatus` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Boot",
    "guid": "15CA44FF-4D7A-4BAA-BBA5-0998955E531E",
    "event_source_name": "",
    "event_id": 45,
    "version": 0,
    "level": 4,
    "task": 59,
    "opcode": 0,
    "keywords": 2305843009213693952,
    "time_created": "2026-03-11T06:27:08.605376+00:00",
    "event_record_id": 61,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 8
    },
    "channel": "Microsoft-Windows-Kernel-Boot/Operational",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "CachedCopyStatus": 3221225487,
    "IdkGenerationStatus": 0,
    "MeasuringStatus": 1,
    "SealingAndCachingStatus": 0
  },
  "message": ""
}

Event ID 46 — Retrieving the driver list took RetrieveDriverListTime milliseconds.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Task: RetrieveDriverListTime

Description

Retrieving the driver list took RetrieveDriverListTime milliseconds.

Message #

Retrieving the driver list took %1 milliseconds.

Fields #

Name	Description
`RetrieveDriverListTime` UInt64	—

Event ID 47 — Loading the drivers took LoadDriversTime milliseconds.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Task: LoadDrivers

Description

Loading the drivers took LoadDriversTime milliseconds.

Message #

Loading the drivers took %1 milliseconds.

Fields #

Name	Description
`LoadDriversTime` UInt64	—

Event ID 48 — Loading hive Path took LoadHiveTime milliseconds.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Task: LoadHive

Description

Loading hive Path took LoadHiveTime milliseconds.

Message #

Loading hive %1 took %2 milliseconds.

Fields #

Name	Description
`Path` UnicodeString	—
`LoadHiveTime` UInt64	—

Event ID 49 — Windows system integrity policy does not allow to load the required system file ImageName with error status SiPolicyStatus.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: SiPolicyFailure

Description

Windows system integrity policy does not allow to load the required system file ImageName with error status SiPolicyStatus.

Message #

Windows system integrity policy does not allow to load the required system file %1 with error status %2.

Fields #

Name	Description
`ImageName` UnicodeString	—
`SiPolicyStatus` UInt32	—

Event ID 50 — Windows failed to provision VSM Master Encryption Key.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: VsmLKeyProvisioningStatus

Message #

Windows failed to provision VSM Master Encryption Key. Using cached copy status: %1. Unsealing cached copy status: %2. New key generation status: %3. Sealing status: %4. TPM PCR mask: %5. Protector-assisted unseal status: %6. Protector-assisted re-seal status: %7. Protector update status: %8. Tpm Counter validation status: %9. Tpm Counter creation status: %10. Backup sealed blob used: %11.

Fields #

Name	Description
`CachedCopyStatus` UInt32	—
`PrimaryBlobUnsealStatus` UInt32	—
`BackupBlobUnsealStatus` UInt32	—
`Pca2023ProtectorUnsealStatus` UInt32	—
`BackupBlobValidityCheckStatus` UInt32	—
`BackupBlobStillValid` Boolean	—
`Pca2023ProtectorValidityCheckStatus` UInt32	—
`Pca2023ProtectorStillValid` Boolean	—
`PrimaryBlobResealStatus` UInt32	—
`BackupBlobResealStatus` UInt32	—
`Pca2023ProtectorResealStatus` UInt32	—
`KeyGenerationAndSaveStatus` UInt32	—
`SealingStatus` UInt32	—
`TpmPcrMask` UInt32	—
`TpmCounterOpStatus` UInt32	—
`TpmCounterCreateStatus` UInt32	—
`BackupSealedBlobUsed` Boolean	—
`Pca2023ProtectorCleanupPostUpgradeStatus` UInt32	—
`NeedToRollLkey` UInt8	—
`CreationStateVerified` UInt8	—
`V2ProtectorsUsed` UInt8	—
`LegacyUefiVarQueryStatus` UInt32	—
`LegacyUefiVarCleanupStatus` UInt32	—
`VbsRollbackDataProtectionEnabled` UInt8	—
`VbsRollbackDataProtectionOptedIn` UInt8	—
`VbsRollbackDataProtectionTpmCounterStatus` UInt32	—
`FirstWriteToDisk` UInt8	—
`WritePkgToUefi` UInt8	—
`LatchedProtectorUsed` UInt8	—
`LatchTheUnlatched` UInt8	—
`UnsupportedRollback` UInt8	—
`UpgradedVbsPolicyExists` UInt8	—
`TpmCounterIncrementStatus` UInt32	—
`ActivePolicyVersion` UInt64	—
`LatchedPolicyVersion` UInt64	—
`UnlatchedPolicyVersion` UInt64	—
`LatchedPrimaryBlobResealStatusV2` UInt32	—
`LatchedBackupBlobResealStatusV2` UInt32	—
`LatchedPca2023ProtectorResealStatusV2` UInt32	—
`LatchedPca2023ProtectorCleanupPostUpgradeStatusV2` UInt32	—
`UnlatchedPrimaryBlobResealStatusV2` UInt32	—
`UnlatchedBackupBlobResealStatusV2` UInt32	—
`UnlatchedPca2023ProtectorResealStatusV2` UInt32	—
`UnlatchedPca2023ProtectorCleanupPostUpgradeStatusV2` UInt32	—

Event ID 51 — VSM Master Encryption Key Provisioning.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Level: Informational
Task: VsmLKeyProvisioningStatus

Message #

VSM Master Encryption Key Provisioning. Using cached copy status: %1. Unsealing cached copy status: %2. New key generation status: %3. Sealing status: %4. TPM PCR mask: %5. Protector-assisted unseal status: %6. Protector-assisted re-seal status: %7. Protector update status: %8. Tpm Counter validation status: %9. Tpm Counter creation status: %10. Backup sealed blob used: %11.

Fields #

Name	Description
`CachedCopyStatus` UInt32	—
`UnsealingCachedCopyStatus`	—
`KeyGenerationAndSaveStatus` UInt32	—
`SealingStatus` UInt32	—
`TpmPcrMask` UInt32	—
`ProtectorAssistedUnsealStatus`	—
`ProtectorAssistedResealStatus`	—
`ProtectorSealUpdateStatus`	—
`TpmCounterOpStatus` UInt32	—
`TpmCounterCreateStatus` UInt32	—
`BackupSealedBlobUsed` Boolean	—
`PrimaryBlobUnsealStatus` UInt32	—
`BackupBlobUnsealStatus` UInt32	—
`Pca2023ProtectorUnsealStatus` UInt32	—
`BackupBlobValidityCheckStatus` UInt32	—
`BackupBlobStillValid` Boolean	—
`Pca2023ProtectorValidityCheckStatus` UInt32	—
`Pca2023ProtectorStillValid` Boolean	—
`PrimaryBlobResealStatus` UInt32	—
`BackupBlobResealStatus` UInt32	—
`Pca2023ProtectorResealStatus` UInt32	—
`Pca2023ProtectorCleanupPostUpgradeStatus` UInt32	—
`NeedToRollLkey` UInt8	—
`CreationStateVerified` UInt8	—
`V2ProtectorsUsed` UInt8	—
`LegacyUefiVarQueryStatus` UInt32	—
`LegacyUefiVarCleanupStatus` UInt32	—
`VbsRollbackDataProtectionEnabled` UInt8	—
`VbsRollbackDataProtectionOptedIn` UInt8	—
`VbsRollbackDataProtectionTpmCounterStatus` UInt32	—
`FirstWriteToDisk` UInt8	—
`WritePkgToUefi` UInt8	—
`LatchedProtectorUsed` UInt8	—
`LatchTheUnlatched` UInt8	—
`UnsupportedRollback` UInt8	—
`UpgradedVbsPolicyExists` UInt8	—
`TpmCounterIncrementStatus` UInt32	—
`ActivePolicyVersion` UInt64	—
`LatchedPolicyVersion` UInt64	—
`UnlatchedPolicyVersion` UInt64	—
`LatchedPrimaryBlobResealStatusV2` UInt32	—
`LatchedBackupBlobResealStatusV2` UInt32	—
`LatchedPca2023ProtectorResealStatusV2` UInt32	—
`LatchedPca2023ProtectorCleanupPostUpgradeStatusV2` UInt32	—
`UnlatchedPrimaryBlobResealStatusV2` UInt32	—
`UnlatchedBackupBlobResealStatusV2` UInt32	—
`UnlatchedPca2023ProtectorResealStatusV2` UInt32	—
`UnlatchedPca2023ProtectorCleanupPostUpgradeStatusV2` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Boot",
    "guid": "15CA44FF-4D7A-4BAA-BBA5-0998955E531E",
    "event_source_name": "",
    "event_id": 51,
    "version": 0,
    "level": 4,
    "task": 81,
    "opcode": 0,
    "keywords": 2305843009213693952,
    "time_created": "2026-03-11T06:27:08.605364+00:00",
    "event_record_id": 60,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 8
    },
    "channel": "Microsoft-Windows-Kernel-Boot/Operational",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "CachedCopyStatus": 3221226021,
    "UnsealingCachedCopyStatus": 1,
    "KeyGenerationAndSaveStatus": 0,
    "SealingStatus": 1,
    "TpmPcrMask": 0,
    "ProtectorAssistedUnsealStatus": 1,
    "ProtectorAssistedResealStatus": 1,
    "ProtectorSealUpdateStatus": 1,
    "TpmCounterOpStatus": 1,
    "TpmCounterCreateStatus": 1,
    "BackupSealedBlobUsed": 0
  },
  "message": ""
}

Event ID 52 — The time elapsed loading ApplicationIdentifier was ApplicationLoadTime ms.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Task: BootAppLoadTime

Description

The time elapsed loading ApplicationIdentifier was ApplicationLoadTime ms.

Message #

The time elapsed loading %1 was %2 ms.

Fields #

Name	Description
`ApplicationIdentifier` GUID	—
`ApplicationLoadTime` UInt64	—

Event ID 53 — The time elapsed executing ApplicationIdentifier was ApplicationExecutionTime ms.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Task: BootApplicationExecution

Description

The time elapsed executing ApplicationIdentifier was ApplicationExecutionTime ms.

Message #

The time elapsed executing %1 was %2 ms.

Fields #

Name	Description
`ApplicationIdentifier` GUID	—
`ApplicationExecutionTime` UInt64	—

Event ID 54 — Building chunk table for WIM compressed file FileName failed with status: Status.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Opcode: Info

Description

Building chunk table for WIM compressed file FileName failed with status: Status.

Message #

Building chunk table for WIM compressed file %2 failed with status: %1

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference
`FileName` UnicodeString	—

Event ID 55 — Soft Restart failed to prepare target Operating System.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Task: PrepareTargetFailure

Description

Soft Restart failed to prepare target Operating System. Operation status: Status failure point: FailurePoint.

Message #

Soft Restart failed to prepare target Operating System. Operation status: %1 failure point: %2

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference
`FailurePoint` UInt32	—

Event ID 56 — Boot application failed to process persistent data with status: Status.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Opcode: Info

Description

Boot application failed to process persistent data with status: Status.

Message #

Boot application failed to process persistent data with status: %1

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference

Event ID 57 — Windows failed to provision the TPM Storage Root Key with error status.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Opcode: Info

Message #

Windows failed to provision the TPM Storage Root Key with error status:%1. Reading SrkPolicy status: %2. SrkSymKeyPolicy value: %3. TPM symmetric key capability: %4. AES bits used: %5. SrkAsymKeyPolicy value: %6. TPM asymmetric key capability: %7. Rsa bits used: %8.

Fields #

Name	Description
`TpmSrkProvisioningStatus` UInt32	—
`TpmSrkPolicyReadStatus` UInt32	—
`TpmSrkSymKeyPolicyValue` UInt32	—
`TpmSrkSymKeyCapability` UInt32	—
`TpmSrkAesBitsUsed` UInt32	—
`TpmSrkAsymKeyPolicyValue` UInt32	—
`TpmSrkAsymKeyCapability` UInt32	—
`TpmSrkRsaBitsUsed` UInt32	—

Event ID 58 — Windows successfully provisioned the TPM Storage Root Key.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Opcode: Info

Message #

Windows successfully provisioned the TPM Storage Root Key. This operation took %1 milliseconds. Reading SrkPolicy status: %2. SrkSymKeyPolicy value: %3. TPM symmetric key capability: %4. AES bits used: %5. SrkAsymKeyPolicy value: %6. TPM asymmetric key capability: %7. Rsa bits used: %8.

Fields #

Name	Description
`SrkSymKeyPolicy_value`	1 milliseconds. Reading SrkPolicy status.
`TPM_symmetric_key_capability`	—
`AES_bits_used`	—
`SrkAsymKeyPolicy_value`	—
`TPM_asymmetric_key_capability`	—
`Rsa_bits_used`	—
`TpmSrkProvisioningTime` UInt64	—
`TpmSrkPolicyReadStatus` UInt32	—
`TpmSrkSymKeyPolicyValue` UInt32	—
`TpmSrkSymKeyCapability` UInt32	—
`TpmSrkAesBitsUsed` UInt32	—
`TpmSrkAsymKeyPolicyValue` UInt32	—
`TpmSrkAsymKeyCapability` UInt32	—
`TpmSrkRsaBitsUsed` UInt32	—

Event ID 59 — Windows failed to provision TPM binding information with error status:TpmBindingProvisioningStatus.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Opcode: Info

Description

Windows failed to provision TPM binding information with error status:TpmBindingProvisioningStatus.

Message #

Windows failed to provision TPM binding information with error status:%1.

Fields #

Name	Description
`TpmBindingProvisioningStatus` UInt32	—

Event ID 60 — NFIT ACPI table is not properly formed, and could not be parsed.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: InvalidNfitTable

Description

NFIT ACPI table is not properly formed, and could not be parsed.

Message #

NFIT ACPI table is not properly formed, and could not be parsed.

Event ID 61 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Task: MeasuredLaunch
Opcode: TxtLaunchPrepared

Fields #

Name	Description
`PmrLowBase` UInt64	—
`PmrLowSize` UInt64	—
`PmrHighBase` UInt64	—
`PmrHighSize` UInt64	—
`FirmwareProvidedAcm` Boolean	—

Event ID 62 — Previous error detected while attempting to execute Measured Launch Environment.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: MeasuredLaunch
Opcode: PreviousTxtError

Description

Previous error detected while attempting to execute Measured Launch Environment. TXT error code: TxtErrorCode.

Message #

Previous error detected while attempting to execute Measured Launch Environment. TXT error code: %1.

Fields #

Name	Description
`TxtErrorCode` UInt32	—

Event ID 63 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Task: MeasuredLaunch
Opcode: InvalidTxtSinitRange

Fields #

Name	Description
`Base` UInt64	—
`Size` UInt64	—

Event ID 64 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Task: MeasuredLaunch
Opcode: InvalidTxtHeapRange

Fields #

Name	Description
`Base` UInt64	—
`Size` UInt64	—

Event ID 65 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Task: MeasuredLaunch
Opcode: MleLoadFailure

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference

Event ID 66 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Task: MeasuredLaunch
Opcode: MissingRsdpTable

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference

Event ID 67 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Task: MeasuredLaunch
Opcode: NoSinitAcm

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference

Event ID 68 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Task: MeasuredLaunch
Opcode: InvalidTxtHeapBiosDataSize

Fields #

Name	Description
`BiosDataSize` UInt64	—

Event ID 69 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Task: MeasuredLaunch
Opcode: MleHeaderTooOld

Fields #

Name	Description
`AcmMinMleHeaderVer` UInt32	—
`MleHeaderVersion` UInt32	—

Event ID 70 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Task: MeasuredLaunch
Opcode: ComputePmrRangesFailure

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference

Event ID 71 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: FileOpen
Opcode: OpenFailure

Fields #

Name	Description
`DeviceID` UInt32	—
`FileName` UnicodeString	—
`Status` UInt32	— NTSTATUS reference

Event ID 72 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Task: MeasuredLaunch
Opcode: PrepareLcpFailure

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference

Event ID 73 — Firmware provided SINIT ACM not used.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: MeasuredLaunch
Opcode: TxtRejectedFirmwareAcm

Description

Firmware provided SINIT ACM not used. TxtStatus.

Message #

Firmware provided SINIT ACM not used. %1

Fields #

Name	Description
`TxtStatus` UInt32	—

Event ID 74 — Windows failed to provision DRTM-bound VSM Master Encryption Key .

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: VsmLKeyProvisioningStatus

Description

Windows failed to provision DRTM-bound VSM Master Encryption Key . Using cached copy status: CachedCopyStatus. New key generation status: KeyGenerationStatus. Sealing status: SealAndSaveStatus. UEFI keys provided to Secure Kernel status: UEFIKeysStatus.

Message #

Windows failed to provision DRTM-bound VSM Master Encryption Key . Using cached copy status: %1. New key generation status: %2. Sealing status: %3. UEFI keys provided to Secure Kernel status: %4.

Fields #

Name	Description
`CachedCopyStatus` UInt32	—
`KeyGenerationStatus` UInt32	—
`SealAndSaveStatus` UInt32	—
`UEFIKeysStatus` UInt32	—
`UnLatchedCiPolicyVersion` UInt64	—
`LatchedCiPolicyVersion` UInt64	—
`LatchedAntiRollbackCounterValue` UInt64	—
`CurrentCiPolicyVersion` UInt64	—
`CurrentAntiRollbackCounterValue` UInt64	—
`MinimumUnsealCiPolicyVersion` UInt64	—
`AuthorizationIsDelegated` Boolean	—

Event ID 75 — Windows successfully provisioned DRTM-bound VSM Master Encryption Key.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: VsmLKeyProvisioningStatus

Description

Windows successfully provisioned DRTM-bound VSM Master Encryption Key. Using cached copy status: CachedCopyStatus. New key generation status: KeyGenerationStatus. Sealing status: SealAndSaveStatus. UEFI keys provided to Secure Kernel status: UEFIKeysStatus.

Message #

Windows successfully provisioned DRTM-bound VSM Master Encryption Key. Using cached copy status: %1. New key generation status: %2. Sealing status: %3. UEFI keys provided to Secure Kernel status: %4.

Fields #

Name	Description
`CachedCopyStatus` UInt32	—
`KeyGenerationStatus` UInt32	—
`SealAndSaveStatus` UInt32	—
`UEFIKeysStatus` UInt32	—
`UnLatchedCiPolicyVersion` UInt64	—
`LatchedCiPolicyVersion` UInt64	—
`LatchedAntiRollbackCounterValue` UInt64	—
`CurrentCiPolicyVersion` UInt64	—
`CurrentAntiRollbackCounterValue` UInt64	—
`MinimumUnsealCiPolicyVersion` UInt64	—
`AuthorizationIsDelegated` Boolean	—

Event ID 76 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: BootDebugger
Opcode: BdEnabled

Event ID 77 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: BootDebugger
Opcode: BdInitFailure

Fields #

Name	Description
`DebuggerStatus` UInt32	—
`Status` UInt32	— NTSTATUS reference

Event ID 78 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: KernelDebugger
Opcode: KdInitFailure

Fields #

Name	Description
`DebuggerStatus` UInt32	—
`Status` UInt32	— NTSTATUS reference

Event ID 79 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: KernelDebugger
Opcode: KdEnabled

Event ID 80 — FASR Platform Verification.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Level: Informational
Task: VsmLKeyProvisioningStatus

Message #

FASR Platform Verification. FASR cert present: %1. FASR cert signature validation status: %2. BootmgrAuthorityEventCount: %3. VerifiedMicrosoftAuthority: %4. FASR PCR values validation status: %5. PCR mismatch index: %6. FASR cert size: %7. FASR cert: %8. FASR signature size: %9. FASR signature: %10.

Fields #

Name	Description
`IsFasrCertPresent` UInt8	—
`ValidateFasrCertSignatureStatus` UInt32	—
`BootmgrAuthorityEventCount` UInt32	—
`VerifiedMicrosoftAuthority` UInt8	—
`ValidateFasrPcrValuesStatus` UInt32	—
`PcrMismatchIndex` Int32	—
`FasrCertSize` UInt32	—
`FasrCertWithoutSignature` Binary	—
`FasrSignatureSize` UInt32	—
`FasrSignature` Binary	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Boot",
    "guid": "15CA44FF-4D7A-4BAA-BBA5-0998955E531E",
    "event_source_name": "",
    "event_id": 80,
    "version": 1,
    "level": 4,
    "task": 81,
    "opcode": 0,
    "keywords": 2305843009213693952,
    "time_created": "2026-03-11T06:27:08.605349+00:00",
    "event_record_id": 59,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 8
    },
    "channel": "Microsoft-Windows-Kernel-Boot/Operational",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "IsFasrCertPresent": 0,
    "ValidateFasrCertSignatureStatus": 1,
    "BootmgrAuthorityEventCount": 0,
    "VerifiedMicrosoftAuthority": 0,
    "ValidateFasrPcrValuesStatus": 1,
    "PcrMismatchIndex": -1,
    "FasrCertSize": 0,
    "FasrCertWithoutSignature": "",
    "FasrSignatureSize": 0,
    "FasrSignature": ""
  },
  "message": ""
}

Event ID 81 — Windows skipped provisioning the TPM Storage Root Key because the NoAutoProvision registry value was set.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Opcode: Info

Description

Windows skipped provisioning the TPM Storage Root Key because the NoAutoProvision registry value was set.

Message #

Windows skipped provisioning the TPM Storage Root Key because the NoAutoProvision registry value was set.

Event ID 82 — Trace point: Function:Function Point:Point Status:NTStatus.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: BootDiag

Description

Trace point: Function:Function Point:Point Status:NTStatus.

Message #

Trace point: Function:%1 Point:%2 Status:%3

Fields #

Name	Description
`Function` AnsiString	—
`Point` UInt16	—
`NTStatus` UInt32	—

Event ID 83 — VSM Master Key Array Package Read and Unseal From Disk.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: VsmLKeyProvisioningStatus

Description

VSM Master Key Array Package Read and Unseal From Disk.

Message #

VSM Master Key Array Package Read and Unseal From Disk

Status: %1
OsDeviceId: %2
SystemRoot: %3
VsmLKeyRelPath: %4
LatchedUnsealPolicyRelPath: %5
UnlatchedUnsealPolicyRelPath: %6
LatchedPrimaryProtectorVariableName: %7
LatchedSecondaryProtectorVariableName: %8
UnlatchedPrimaryProtectorVariableName: %9
UnlatchedSecondaryProtectorVariableName: %10
LatchedProtectorUsedLocal: %11
LatchTheUnlatchedLocal: %12
UnsupportedRollbackLocal: %13
UpgradedAntirollbackPolicyExistsLocal: %14
PkgWasCorruptOrUnavailableLocal: %15
CreationStateVerifiedLocal: %16
PrimaryProtectorTargetPcrSealMaskLocal: %17
LatchedProtectorExists: %18
UnlatchedProtectorExists: %19
KeyPkgIdTpmCounterValue: %20
ActivePolicyVersion: %21
UseUnlatchedProtector: %22
NeedToResealPrimaryProtector: %23
NeedToResealSecondaryProtector: %24
NeedToResealPca2023Protector: %25

Substatus

PrimaryBlobUnsealStatus: %26
BackupBlobUnsealStatus: %27
Pca2023ProtectorUnsealStatus: %28
BackupBlobValidityCheckStatus: %29
BackupBlobStillValid: %30
Pca2023ProtectorValidityCheckStatus: %31
Pca2023ProtectorStillValid: %32
PrimaryBlobResealStatus: %33
BackupBlobResealStatus: %34
Pca2023ProtectorResealStatus: %35
V2ProtectorsUsed: %36
LegacyUefiVarQueryStatus: %37
LegacyUefiVarCleanupStatus: %38
ActivePolicyVersion: %39
LatchedPolicyVersion: %40
UnlatchedPolicyVersion: %41
LatchedUnsealPolicyValid: %42

Latched unseal policy

Version: %43
VarDataOffset: %44
StructureSize: %45
PolicyVersion: %46
PolicyHashLength: %47
WinloadSVN: %48
WinresumeSVN: %49
BootmgrSVN: %50
LKeyPkgId: %51
UnlatchedUnsealPolicyValid: %52

Unlatched unseal policy

Version: %53
VarDataOffset: %54
StructureSize: %55
PolicyVersion: %56
PolicyHashLength: %57
WinloadSVN: %58
WinresumeSVN: %59
BootmgrSVN: %60
LKeyPkgId: %61

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference
`OsDeviceId` UInt32	—
`SystemRoot` UnicodeString	—
`VsmLKeyRelPath` UnicodeString	—
`LatchedUnsealPolicyRelPath` UnicodeString	—
`UnlatchedUnsealPolicyRelPath` UnicodeString	—
`LatchedPrimaryProtectorVariableName` UnicodeString	—
`LatchedSecondaryProtectorVariableName` UnicodeString	—
`UnlatchedPrimaryProtectorVariableName` UnicodeString	—
`UnlatchedSecondaryProtectorVariableName` UnicodeString	—
`LatchedProtectorUsedLocal` UInt8	—
`LatchTheUnlatchedLocal` UInt8	—
`UnsupportedRollbackLocal` UInt8	—
`UpgradedAntirollbackPolicyExistsLocal` UInt8	—
`PkgWasCorruptOrUnavailableLocal` UInt8	—
`CreationStateVerifiedLocal` UInt8	—
`PrimaryProtectorTargetPcrSealMaskLocal` UInt32	—
`LatchedProtectorExists` UInt8	—
`UnlatchedProtectorExists` UInt8	—
`KeyPkgIdTpmCounterValue` UInt64	—
`ActivePolicyVersion` UInt64	—
`UseUnlatchedProtector` UInt8	—
`NeedToResealPrimaryProtector` UInt8	—
`NeedToResealSecondaryProtector` UInt8	—
`NeedToResealPca2023Protector` UInt8	—
`pSubStatusPrimaryBlobUnsealStatus` UInt32	—
`pSubStatusBackupBlobUnsealStatus` UInt32	—
`pSubStatusPca2023ProtectorUnsealStatus` UInt32	—
`pSubStatusBackupBlobValidityCheckStatus` UInt32	—
`pSubStatusBackupBlobStillValid` Boolean	—
`pSubStatusPca2023ProtectorValidityCheckStatus` UInt32	—
`pSubStatusPca2023ProtectorStillValid` Boolean	—
`pSubStatusPrimaryBlobResealStatus` UInt32	—
`pSubStatusBackupBlobResealStatus` UInt32	—
`pSubStatusPca2023ProtectorResealStatus` UInt32	—
`pSubStatusV2ProtectorsUsed` UInt8	—
`pSubStatusLegacyUefiVarQueryStatus` UInt32	—
`pSubStatusLegacyUefiVarCleanupStatus` UInt32	—
`pSubStatusActivePolicyVersion` UInt64	—
`pSubStatusLatchedPolicyVersion` UInt64	—
`pSubStatusUnlatchedPolicyVersion` UInt64	—
`LatchedUnsealPolicyValid` UInt8	—
`LatchedUnsealPolicyVersion` UInt16	—
`LatchedUnsealPolicyVarDataOffset` UInt16	—
`LatchedUnsealPolicyStructureSize` UInt32	—
`LatchedUnsealPolicyPolicyVersion` UInt64	—
`LatchedUnsealPolicyPolicyHashLength` UInt32	—
`LatchedUnsealPolicyWinloadSVN` UInt32	—
`LatchedUnsealPolicyWinresumeSVN` UInt32	—
`LatchedUnsealPolicyBootmgrSVN` UInt32	—
`LatchedUnsealPolicyLKeyPkgId` UInt64	—
`UnlatchedUnsealPolicyValid` UInt8	—
`UnlatchedUnsealPolicyVersion` UInt16	—
`UnlatchedUnsealPolicyVarDataOffset` UInt16	—
`UnlatchedUnsealPolicyStructureSize` UInt32	—
`UnlatchedUnsealPolicyPolicyVersion` UInt64	—
`UnlatchedUnsealPolicyPolicyHashLength` UInt32	—
`UnlatchedUnsealPolicyWinloadSVN` UInt32	—
`UnlatchedUnsealPolicyWinresumeSVN` UInt32	—
`UnlatchedUnsealPolicyBootmgrSVN` UInt32	—
`UnlatchedUnsealPolicyLKeyPkgId` UInt64	—

Event ID 84 — Seal and Store on Disk Status.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: VsmLKeyProvisioningStatus

Description

Seal and Store on Disk Status.

Message #

Seal and Store on Disk Status

Status: %1
OsDeviceId: %2
SystemRoot: %3
PcrSealMask: %4
LatchTheUnlatched: %5
UpgradedAntirollbackPolicyExists: %6
EncryptionStatus: %7
KeyPkgIdTpmCounterValue: %8
EncryptedLKeyArrayPkgSize: %9
EncryptedLKeyPkgPdGuid: %10
UnlatchedUnsealPolicySize: %11
UnlatchedProtectorExists: %12
LatchedUnsealPolicySize: %13
LatchedProtectorExists: %14

Latched unseal policy

Version: %15
VarDataOffset: %16
StructureSize: %17
PolicyVersion: %18
PolicyHashLength: %19
WinloadSVN: %20
WinresumeSVN: %21
BootmgrSVN: %22
LKeyPkgId: %23

Unlatched unseal policy

Version: %24
VarDataOffset: %25
StructureSize: %26
PolicyVersion: %27
PolicyHashLength: %28
WinloadSVN: %29
WinresumeSVN: %30
BootmgrSVN: %31
LKeyPkgId: %32

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference
`OsDeviceId` UInt32	—
`SystemRoot` UnicodeString	—
`PcrSealMask` UInt32	—
`LatchTheUnlatched` UInt8	—
`UpgradedAntirollbackPolicyExists` UInt8	—
`EncryptionStatus` UInt32	—
`KeyPkgIdTpmCounterValue` UInt64	—
`EncryptedLKeyArrayPkgSize` UInt32	—
`EncryptedLKeyPkgPdGuid` GUID	—
`UnlatchedUnsealPolicySize` UInt32	—
`UnlatchedProtectorExists` UInt8	—
`LatchedUnsealPolicySize` UInt32	—
`LatchedProtectorExists` UInt8	—
`LatchedUnsealPolicyVersion` UInt16	—
`LatchedUnsealPolicyVarDataOffset` UInt16	—
`LatchedUnsealPolicyStructureSize` UInt32	—
`LatchedUnsealPolicyPolicyVersion` UInt64	—
`LatchedUnsealPolicyPolicyHashLength` UInt32	—
`LatchedUnsealPolicyWinloadSVN` UInt32	—
`LatchedUnsealPolicyWinresumeSVN` UInt32	—
`LatchedUnsealPolicyBootmgrSVN` UInt32	—
`LatchedUnsealPolicyLKeyPkgId` UInt64	—
`UnlatchedUnsealPolicyVersion` UInt16	—
`UnlatchedUnsealPolicyVarDataOffset` UInt16	—
`UnlatchedUnsealPolicyStructureSize` UInt32	—
`UnlatchedUnsealPolicyPolicyVersion` UInt64	—
`UnlatchedUnsealPolicyPolicyHashLength` UInt32	—
`UnlatchedUnsealPolicyWinloadSVN` UInt32	—
`UnlatchedUnsealPolicyWinresumeSVN` UInt32	—
`UnlatchedUnsealPolicyBootmgrSVN` UInt32	—
`UnlatchedUnsealPolicyLKeyPkgId` UInt64	—

Event ID 85 — Read and Unseal Master Key Array Package Status.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: VsmLKeyProvisioningStatus

Description

Read and Unseal Master Key Array Package Status.

Message #

Read and Unseal Master Key Array Package Status

Status: %1
PrimarySealedBlobName: %2
SecondaryProtectorVariableName: %3
BlobFromUefiVariableSize: %4
UefiContentIsSealed: %5
UnsealedBlobSize: %6
Pcr7SealingUsed: %7
PkgTpmSealMaskLocal: %8
PkgTpmCreationMaskLocal: %9
NeedToResealKeyPkg: %10
NeedToResealBackup: %11
NeedToResealPca2023Backup: %12
PlaintextBlobSize: %13
PlaintextIsLegacyFormat: %14
UefiBlobIsCorrupt: %15
NewKeyID: %16
VerifiedMicrosoftAuthority: %17
ContainsAuthorityData: %18
BootmgrAuthorityEventCount: %19
Authority: %20

Substatus

PrimaryBlobUnsealStatus: %21
BackupBlobUnsealStatus: %22
Pca2023ProtectorUnsealStatus: %23
BackupBlobValidityCheckStatus: %24
BackupBlobStillValid: %25
Pca2023ProtectorValidityCheckStatus: %26
Pca2023ProtectorStillValid: %27
PrimaryBlobResealStatus: %28
BackupBlobResealStatus: %29
Pca2023ProtectorResealStatus: %30
V2ProtectorsUsed: %31
LegacyUefiVarQueryStatus: %32
LegacyUefiVarCleanupStatus: %33
ActivePolicyVersion: %34
LatchedPolicyVersion: %35
UnlatchedPolicyVersion: %36

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference
`PrimarySealedBlobName` UnicodeString	—
`SecondaryProtectorVariableName` UnicodeString	—
`BlobFromUefiVariableSize` UInt32	—
`UefiContentIsSealed` UInt8	—
`UnsealedBlobSize` UInt32	—
`Pcr7SealingUsed` UInt8	—
`PkgTpmSealMaskLocal` UInt32	—
`PkgTpmCreationMaskLocal` UInt32	—
`NeedToResealKeyPkg` UInt8	—
`NeedToResealBackup` UInt8	—
`NeedToResealPca2023Protector` UInt8	—
`PlaintextBlobSize` UInt32	—
`PlaintextIsLegacyFormat` UInt8	—
`UefiBlobIsCorrupt` UInt8	—
`NewKeyID` UInt32	—
`VerifiedMicrosoftAuthority` UInt8	—
`ContainsAuthorityData` UInt8	—
`BootmgrAuthorityEventCount` UInt32	—
`Authority` UInt32	—
`pSubStatusPrimaryBlobUnsealStatus` UInt32	—
`pSubStatusBackupBlobUnsealStatus` UInt32	—
`pSubStatusPca2023ProtectorUnsealStatus` UInt32	—
`pSubStatusBackupBlobValidityCheckStatus` UInt32	—
`pSubStatusBackupBlobStillValid` Boolean	—
`pSubStatusPca2023ProtectorValidityCheckStatus` UInt32	—
`pSubStatusPca2023ProtectorStillValid` Boolean	—
`pSubStatusPrimaryBlobResealStatus` UInt32	—
`pSubStatusBackupBlobResealStatus` UInt32	—
`pSubStatusPca2023ProtectorResealStatus` UInt32	—
`pSubStatusV2ProtectorsUsed` UInt8	—
`pSubStatusLegacyUefiVarQueryStatus` UInt32	—
`pSubStatusLegacyUefiVarCleanupStatus` UInt32	—
`pSubStatusActivePolicyVersion` UInt64	—
`pSubStatusLatchedPolicyVersion` UInt64	—
`pSubStatusUnlatchedPolicyVersion` UInt64	—

Event ID 86 — Get Plaintext Master Key Array Status.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: VsmLKeyProvisioningStatus

Description

Get Plaintext Master Key Array Status.

Message #

Get Plaintext Master Key Array Status

Status: %1
SecondaryProtectorVariableName: %2
NeedToResealPrimaryProtector: %3
NeedToResealSecondaryProtector: %4
NeedToResealPca2023Protector: %5
SealedBackupEncryptionKeySize: %6
SealedPca2023EncryptionKeySize: %7
UefiBlobIsCorrupt: %8
Pcr7SealingUsed: %9
CreationStateVerifiedLocal: %10
VerifiedMicrosoftAuthority: %11
ContainsAuthorityData: %12
BootmgrAuthorityEventCount: %13
PrimaryProtectorTargetPcrSealMaskLocal: %14
Authority: %15

Substatus

PrimaryBlobUnsealStatus: %16
BackupBlobUnsealStatus: %17
Pca2023ProtectorUnsealStatus: %18
BackupBlobValidityCheckStatus: %19
BackupBlobStillValid: %20
Pca2023ProtectorValidityCheckStatus: %21
Pca2023ProtectorStillValid: %22
PrimaryBlobResealStatus: %23
BackupBlobResealStatus: %24
Pca2023ProtectorResealStatus: %25
V2ProtectorsUsed: %26
LegacyUefiVarQueryStatus: %27
LegacyUefiVarCleanupStatus: %28
ActivePolicyVersion: %29
LatchedPolicyVersion: %30
UnlatchedPolicyVersion: %31

Validated Unseal Policy

Version: %32
VarDataOffset: %33
StructureSize: %34
PolicyVersion: %35
PolicyHashLength: %36
WinloadSVN: %37
WinresumeSVN: %38
BootmgrSVN: %39
LKeyPkgId: %40

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference
`SecondaryProtectorVariableName` UnicodeString	—
`NeedToResealPrimaryProtector` UInt8	—
`NeedToResealSecondaryProtector` UInt8	—
`NeedToResealPca2023Protector` UInt8	—
`SealedBackupEncryptionKeySize` UInt16	—
`SealedPca2023EncryptionKeySize` UInt16	—
`UefiBlobIsCorrupt` UInt8	—
`Pcr7SealingUsed` UInt8	—
`CreationStateVerifiedLocal` UInt8	—
`VerifiedMicrosoftAuthority` UInt8	—
`ContainsAuthorityData` UInt8	—
`BootmgrAuthorityEventCount` UInt32	—
`PrimaryProtectorTargetPcrSealMaskLocal` UInt32	—
`Authority` UInt32	—
`pSubStatusPrimaryBlobUnsealStatus` UInt32	—
`pSubStatusBackupBlobUnsealStatus` UInt32	—
`pSubStatusPca2023ProtectorUnsealStatus` UInt32	—
`pSubStatusBackupBlobValidityCheckStatus` UInt32	—
`pSubStatusBackupBlobStillValid` Boolean	—
`pSubStatusPca2023ProtectorValidityCheckStatus` UInt32	—
`pSubStatusPca2023ProtectorStillValid` Boolean	—
`pSubStatusPrimaryBlobResealStatus` UInt32	—
`pSubStatusBackupBlobResealStatus` UInt32	—
`pSubStatusPca2023ProtectorResealStatus` UInt32	—
`pSubStatusV2ProtectorsUsed` UInt8	—
`pSubStatusLegacyUefiVarQueryStatus` UInt32	—
`pSubStatusLegacyUefiVarCleanupStatus` UInt32	—
`pSubStatusActivePolicyVersion` UInt64	—
`pSubStatusLatchedPolicyVersion` UInt64	—
`pSubStatusUnlatchedPolicyVersion` UInt64	—
`ValidatedUnsealPolicyVersion` UInt16	—
`ValidatedUnsealPolicyVarDataOffset` UInt16	—
`ValidatedUnsealPolicyStructureSize` UInt32	—
`ValidatedUnsealPolicyPolicyVersion` UInt64	—
`ValidatedUnsealPolicyPolicyHashLength` UInt32	—
`ValidatedUnsealPolicyWinloadSVN` UInt32	—
`ValidatedUnsealPolicyWinresumeSVN` UInt32	—
`ValidatedUnsealPolicyBootmgrSVN` UInt32	—
`ValidatedUnsealPolicyLKeyPkgId` UInt64	—

Event ID 87 — Read and Unseal Master Key Array Package error.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: VsmLKeyProvisioningStatus

Description

Read and Unseal Master Key Array Package error.

Message #

Read and Unseal Master Key Array Package error

LegacyMainBlobVariableName: %1
LegacySecondaryProtectorVariableName: %2
PkgWasCorruptOrUnavailableLocal: %3
KeysAreLegacyLocal: %4
CreationStateVerifiedLocal: %5
PrimaryProtectorTargetPcrSealMaskLocal: %6

Substatus

PrimaryBlobUnsealStatus: %7
BackupBlobUnsealStatus: %8
Pca2023ProtectorUnsealStatus: %9
BackupBlobValidityCheckStatus: %10
BackupBlobStillValid: %11
Pca2023ProtectorValidityCheckStatus: %12
Pca2023ProtectorStillValid: %13
PrimaryBlobResealStatus: %14
BackupBlobResealStatus: %15
Pca2023ProtectorResealStatus: %16
V2ProtectorsUsed: %17
LegacyUefiVarQueryStatus: %18
LegacyUefiVarCleanupStatus: %19
ActivePolicyVersion: %20
LatchedPolicyVersion: %21
UnlatchedPolicyVersion: %22

Fields #

Name	Description
`LegacyMainBlobVariableName` UnicodeString	—
`LegacySecondaryProtectorVariableName` UnicodeString	—
`PkgWasCorruptOrUnavailableLocal` UInt8	—
`KeysAreLegacyLocal` UInt8	—
`CreationStateVerifiedLocal` UInt8	—
`PrimaryProtectorTargetPcrSealMaskLocal` UInt32	—
`pSubStatusPrimaryBlobUnsealStatus` UInt32	—
`pSubStatusBackupBlobUnsealStatus` UInt32	—
`pSubStatusPca2023ProtectorUnsealStatus` UInt32	—
`pSubStatusBackupBlobValidityCheckStatus` UInt32	—
`pSubStatusBackupBlobStillValid` Boolean	—
`pSubStatusPca2023ProtectorValidityCheckStatus` UInt32	—
`pSubStatusPca2023ProtectorStillValid` Boolean	—
`pSubStatusPrimaryBlobResealStatus` UInt32	—
`pSubStatusBackupBlobResealStatus` UInt32	—
`pSubStatusPca2023ProtectorResealStatus` UInt32	—
`pSubStatusV2ProtectorsUsed` UInt8	—
`pSubStatusLegacyUefiVarQueryStatus` UInt32	—
`pSubStatusLegacyUefiVarCleanupStatus` UInt32	—
`pSubStatusActivePolicyVersion` UInt64	—
`pSubStatusLatchedPolicyVersion` UInt64	—
`pSubStatusUnlatchedPolicyVersion` UInt64	—

Event ID 88 — Read and Unseal Master Key Array Package Status.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: VsmLKeyProvisioningStatus

Description

Read and Unseal Master Key Array Package Status.

Message #

Read and Unseal Master Key Array Package Status

Status: %1
OsDeviceId: %2
OsDataDeviceId: %3
SystemRoot: %4
VsmLKeyRelPath: %5
LatchedUnsealPolicyRelPath: %6
UnlatchedUnsealPolicyRelPath: %7
LatchedPrimaryProtectorVariableName: %8
LatchedSecondaryProtectorVariableName: %9
UnlatchedPrimaryProtectorVariableName: %10
UnlatchedSecondaryProtectorVariableName: %11
LegacyMainBlobVariableName: %12
LegacySecondaryProtectorVariableName: %13
LatchedProtectorUsedLocal: %14
LatchTheUnlatchedLocal: %15
UnsupportedRollbackLocal: %16
UpgradedAntirollbackPolicyExistsLocal: %17
FirstWriteToDiskLocal: %18
WritePkgToUefiLocal: %19
PkgWasCorruptOrUnavailableLocal: %20
KeysAreLegacyLocal: %21
CreationStateVerifiedLocal: %22
PrimaryProtectorTargetPcrSealMaskLocal: %23

Substatus

PrimaryBlobUnsealStatus: %24
BackupBlobUnsealStatus: %25
Pca2023ProtectorUnsealStatus: %26
BackupBlobValidityCheckStatus: %27
BackupBlobStillValid: %28
Pca2023ProtectorValidityCheckStatus: %29
Pca2023ProtectorStillValid: %30
PrimaryBlobResealStatus: %31
BackupBlobResealStatus: %32
Pca2023ProtectorResealStatus: %33
V2ProtectorsUsed: %34
LegacyUefiVarQueryStatus: %35
LegacyUefiVarCleanupStatus: %36
ActivePolicyVersion: %37
LatchedPolicyVersion: %38
UnlatchedPolicyVersion: %39

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference
`OsDeviceId` UInt32	—
`OsDataDeviceId` UInt32	—
`SystemRoot` UnicodeString	—
`VsmLKeyRelPath` UnicodeString	—
`LatchedUnsealPolicyRelPath` UnicodeString	—
`UnlatchedUnsealPolicyRelPath` UnicodeString	—
`LatchedPrimaryProtectorVariableName` UnicodeString	—
`LatchedSecondaryProtectorVariableName` UnicodeString	—
`UnlatchedPrimaryProtectorVariableName` UnicodeString	—
`UnlatchedSecondaryProtectorVariableName` UnicodeString	—
`LegacyMainBlobVariableName` UnicodeString	—
`LegacySecondaryProtectorVariableName` UnicodeString	—
`LatchedProtectorUsedLocal` UInt8	—
`LatchTheUnlatchedLocal` UInt8	—
`UnsupportedRollbackLocal` UInt8	—
`UpgradedAntirollbackPolicyExistsLocal` UInt8	—
`FirstWriteToDiskLocal` UInt8	—
`WritePkgToUefiLocal` UInt8	—
`PkgWasCorruptOrUnavailableLocal` UInt8	—
`KeysAreLegacyLocal` UInt8	—
`CreationStateVerifiedLocal` UInt8	—
`PrimaryProtectorTargetPcrSealMaskLocal` UInt32	—
`pSubStatusPrimaryBlobUnsealStatus` UInt32	—
`pSubStatusBackupBlobUnsealStatus` UInt32	—
`pSubStatusPca2023ProtectorUnsealStatus` UInt32	—
`pSubStatusBackupBlobValidityCheckStatus` UInt32	—
`pSubStatusBackupBlobStillValid` Boolean	—
`pSubStatusPca2023ProtectorValidityCheckStatus` UInt32	—
`pSubStatusPca2023ProtectorStillValid` Boolean	—
`pSubStatusPrimaryBlobResealStatus` UInt32	—
`pSubStatusBackupBlobResealStatus` UInt32	—
`pSubStatusPca2023ProtectorResealStatus` UInt32	—
`pSubStatusV2ProtectorsUsed` UInt8	—
`pSubStatusLegacyUefiVarQueryStatus` UInt32	—
`pSubStatusLegacyUefiVarCleanupStatus` UInt32	—
`pSubStatusActivePolicyVersion` UInt64	—
`pSubStatusLatchedPolicyVersion` UInt64	—
`pSubStatusUnlatchedPolicyVersion` UInt64	—

Event ID 89 — Create Sealed Encrypt Key Status.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: VsmLKeyProvisioningStatus

Description

Create Sealed Encrypt Key Status.

Message #

Create Sealed Encrypt Key Status

Status: %1
PcrMask: %2
UnsealPolicyPdGuid: %3
SealingProtectorFixedBufferSize: %4
SealingProtectorUsedBufferSize: %5
SealedSecretBufferSize: %6
PcrInfoArrayElCount: %7

Unseal policy

Version: %8
VarDataOffset: %9
StructureSize: %10
PolicyVersion: %11
PolicyHashLength: %12
WinloadSVN: %13
WinresumeSVN: %14
BootmgrSVN: %15
LKeyPkgId: %16

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference
`PcrMask` UInt32	—
`UnsealPolicyPdGuid` GUID	—
`SealingProtectorFixedBufferSize` UInt32	—
`SealingProtectorUsedBufferSize` UInt32	—
`SealedSecretBufferSize` UInt32	—
`PcrInfoArrayElCount` UInt32	—
`UnsealPolicyVersion` UInt16	—
`UnsealPolicyVarDataOffset` UInt16	—
`UnsealPolicyStructureSize` UInt32	—
`UnsealPolicyPolicyVersion` UInt64	—
`UnsealPolicyPolicyHashLength` UInt32	—
`UnsealPolicyWinloadSVN` UInt32	—
`UnsealPolicyWinresumeSVN` UInt32	—
`UnsealPolicyBootmgrSVN` UInt32	—
`UnsealPolicyLKeyPkgId` UInt64	—

Event ID 90 — Get Sealed Protector Status.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: VsmLKeyProvisioningStatus

Description

Get Sealed Protector Status.

Message #

Get Sealed Protector Status

Status: %1
ProtectorName: %2
SealedEncryptionKeySize: %3
ProtectorBlobFromUefiVariableSize: %4

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference
`ProtectorName` UnicodeString	—
`SealedEncryptionKeySize` UInt16	—
`ProtectorBlobFromUefiVariableSize` UInt32	—

Event ID 91 — SRTM PCR Values.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: VsmLKeyProvisioningStatus

Description

SRTM PCR Values.

Message #

SRTM PCR Values

algId: %1
digestLength:%2
PcrIndex: %3
PcrValue: %4

Fields #

Name	Description
`algID` UInt16	—
`digestLength` UInt16	—
`PcrIndex` UInt32	—
`PcrValue` UnicodeString	—

Event ID 92 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: MeasuredLaunch
Opcode: DmaProtectedRangeAdjusted

Fields #

Name	Description
`RangeAltitude` UInt32	—
`RangeEndpoint` UInt32	—
`Address` UInt64	—
`AlignedAddress` UInt64	—
`OverlappedMemoryType` UInt32	—

Event ID 100 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: InitializeLibrary
Opcode: Start

Fields #

Name	Description
`Secure` Boolean	—

Event ID 101 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: InitializeLibrary
Opcode: Stop

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference

Event ID 102 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: PrepareTarget
Opcode: Start

Fields #

Name	Description
`SoftRestartCount` UInt32	—
`Secure` Boolean	—

Event ID 103 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: PrepareTarget
Opcode: Stop

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference

Event ID 104 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: RebuildKernelMemoryMap
Opcode: Start

Fields #

Name	Description
`ReserveDescriptors` UInt32	—

Event ID 105 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: RebuildKernelMemoryMap
Opcode: Stop

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference

Event ID 106 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: PersistMemory
Opcode: Start

Fields #

Name	Description
`ApplicationId` GUID	—
`RunCount` UInt32	—
`PageCount` UInt64	—

Event ID 107 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: PersistMemory
Opcode: Stop

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference
`BlockId` UInt64	—

Event ID 108 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: FatalError

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference

Event ID 109 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: CleanupPageDatabase
Opcode: Start

Fields #

Name	Description
`FreePersistentPages` Boolean	—

Event ID 110 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: CleanupPageDatabase
Opcode: Stop

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference

Event ID 111 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: FreePersistedMemory
Opcode: Start

Fields #

Name	Description
`ApplicationId` GUID	—
`FreePersistentPages` Boolean	—

Event ID 112 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: FreePersistedMemory
Opcode: Stop

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference

Event ID 113 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: ClaimPersistedMemory
Opcode: Start

Fields #

Name	Description
`ApplicationId` GUID	—
`BlockId` UInt64	—
`Flags` UInt32	—

Event ID 114 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: ClaimPersistedMemory
Opcode: Stop

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference
`RunsClaimed` UInt32	—
`PageCount` UInt64	—

Event ID 115 — Soft reboot cancellation started: Soft_reboot_cancellation_started.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Task: CancelBoot
Opcode: Start

Description

Soft reboot cancellation started: Soft_reboot_cancellation_started.

Message #

Soft reboot cancellation started: %1

Fields #

Name	Description
`Soft_reboot_cancellation_started` Boolean	—
`FreePersistentPages` Boolean	—

Event ID 116 — Soft reboot cancellation finished: Soft_reboot_cancellation_finished.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Task: CancelBoot
Opcode: Stop

Description

Soft reboot cancellation finished: Soft_reboot_cancellation_finished.

Message #

Soft reboot cancellation finished: %1.

Fields #

Name	Description
`Soft_reboot_cancellation_finished` UInt32	—
`Status` UInt32	— NTSTATUS reference

Event ID 117 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: AttachPersistentPageDatabase
Opcode: Start

Event ID 118 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: AttachPersistentPageDatabase
Opcode: Stop

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference

Event ID 119 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: MemoryBlockRundown

Fields #

Name	Description
`ApplicationId` GUID	—
`BlockId` UInt64	—

Event ID 120 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: BuildKernelMemoryMap
Opcode: Start

Event ID 121 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: BuildKernelMemoryMap
Opcode: Stop

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference

Event ID 122 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: GetMemoryMap
Opcode: Start

Fields #

Name	Description
`Type` UInt32	—
`Flags` UInt32	—
`BufferSize` UInt32	—

Event ID 123 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: GetMemoryMap
Opcode: Stop

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference
`DataSize` UInt32	—
`BufferSize` UInt32	—

Event ID 124 — The virtualization-based security enablement policy check at phase Phase failed with status: Status.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Level: Error
Task: VsmPolicyFailure

Description

The virtualization-based security enablement policy check at phase Phase failed with status: Status.

Message #

The virtualization-based security enablement policy check at phase %1 failed with status: %2

Fields #

Name	Description
`Phase` UInt8	—
`Status` UInt32	1 failed with status. NTSTATUS reference

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Boot",
    "guid": "15CA44FF-4D7A-4BAA-BBA5-0998955E531E",
    "event_source_name": "",
    "event_id": 124,
    "version": 0,
    "level": 2,
    "task": 80,
    "opcode": 0,
    "keywords": 9223451201691975680,
    "time_created": "2023-11-06T06:24:56.254312+00:00",
    "event_record_id": 1629,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 8
    },
    "channel": "System",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Phase": 0,
    "Status": 3221225659
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 126 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: AllocatePhysicalPagesForMdl
Opcode: Start

Fields #

Name	Description
`LowAddress` UInt64	—
`HighAddress` UInt64	—
`SkipBytes` UInt64	—
`TotalBytes` UInt64	—
`CacheType` UInt32	—
`Flags` UInt32	—

Event ID 127 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: AllocatePhysicalPagesForMdl
Opcode: Stop

Fields #

Name	Description
`Mdl` Pointer	—

Event ID 128 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: ExecuteTransition
Opcode: Start

Fields #

Name	Description
`StartTime` FILETIME	—

Event ID 129 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: DisconnectHypervisor
Opcode: Start

Event ID 130 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: MemoryMapRundown

Fields #

Name	Description
`SequenceNumber` UInt32	—
`DescriptorCount` UInt32	—
`MemoryDescriptor` Int8	—

Event ID 131 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: MemoryMapRundown
Opcode: Start

Event ID 132 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: MemoryMapRundown
Opcode: Stop

Fields #

Name	Description
`DescriptorCount` UInt32	—

Event ID 133 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: PhysicalPageAllocationFailure

Fields #

Name	Description
`Status` HexInt32	— NTSTATUS reference
`PageCount` UInt64	—
`MemoryType` UInt32	—
`Attributes` UInt32	—
`LowAddress` UInt64	—
`HighAddress` UInt64	—
`Alignment` UInt32	—
`ProximityId` UInt32	—

Event ID 134 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: WaitForPartitionsRestored
Opcode: Start

Event ID 135 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: WaitForPartitionsRestored
Opcode: Stop

Event ID 136 — Soft Restart failed to complete with status: Status due to OutstandingCount outstanding unclaimed allocations.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: CleanupPageDatabase

Description

Soft Restart failed to complete with status: Status due to OutstandingCount outstanding unclaimed allocations.

Message #

Soft Restart failed to complete with status: %1 due to %2 outstanding unclaimed allocations

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference
`OutstandingCount` UInt64	—
`ApplicationsCount` UInt32	—
`AppId` GUID	—

Event ID 137 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: MemoryPartitionRestore
Opcode: Start

Fields #

Name	Description
`Identifier` GUID	—
`PartitionId` UInt32	—

Event ID 138 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: MemoryPartitionRestore
Opcode: Stop

Fields #

Name	Description
`Identifier` GUID	—
`Status` UInt32	— NTSTATUS reference
`NameLength` UInt16	—
`PartitoinName` UnicodeString	—
`MemoryRangeCount` UInt32	—
`MemorPageCount` UInt64	—
`IoSpaceRangeCount` UInt32	—
`IoSpacePageCount` UInt64	—
`AllocatedMemoryBlockCount` UInt64	—
`AllocatedMemoryRunCount` UInt64	—
`AllocatedMemoryPageCount` UInt64	—
`AllocatedIoSpaceBlockCount` UInt64	—
`AllocatedIoSpaceRunCount` UInt64	—
`AllocatedIoSpacePageCount` UInt64	—

Event ID 139 — Soft Restart failed to restore memory partition Identifier with status: Status.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: MemoryPartitionRestore

Description

Soft Restart failed to restore memory partition Identifier with status: Status.

Message #

Soft Restart failed to restore memory partition %1 with status: %2

Fields #

Name	Description
`Identifier` GUID	—
`Status` UInt32	— NTSTATUS reference

Event ID 140 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: PersistMemoryPartition
Opcode: Start

Fields #

Name	Description
`Identifier` GUID	—

Event ID 141 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: PersistMemoryPartition
Opcode: Stop

Fields #

Name	Description
`Identifier` GUID	—
`RunCount` UInt32	—
`PageCount` UInt64	—
`IoSpaceRunCount` UInt32	—
`IoSpacePageCount` UInt64	—
`Status` UInt32	— NTSTATUS reference
`PartitionNameLength` UInt16	—
`PartitionName` UnicodeString	—

Event ID 142 — Soft Restart failed to register with Soft Restart extension.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: RegisterLoader

Description

Soft Restart failed to register with Soft Restart extension. The versions are not compatible.

Message #

Soft Restart failed to register with Soft Restart extension. The versions are not compatible.

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference
`ActualSize` UInt32	—
`ExpectedSize` UInt32	—
`Vtl` UInt8	—

Event ID 143 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: MemoryPartitionsRestored

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference

Event ID 144 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: QueryStatistics
Opcode: Start

Event ID 145 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: QueryStatistics
Opcode: Stop

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference

Event ID 146 — Soft Restart failed to establish connection with secure load with status: Status.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: ConnectSecureLoader

Description

Soft Restart failed to establish connection with secure load with status: Status.

Message #

Soft Restart failed to establish connection with secure load with status: %1

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference

Event ID 147 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: FreePersistedMemoryBlock
Opcode: Start

Fields #

Name	Description
`ApplicationId` GUID	—
`BlockId` UInt64	—
`FreePersistentPages` Boolean	—

Event ID 148 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: FreePersistedMemoryBlock
Opcode: Stop

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference

Event ID 149 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: PrepareNotification
Opcode: Start

Event ID 150 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: PrepareNotification
Opcode: Stop

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference
`Tag` AnsiString	—

Event ID 151 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: PartitionInitialAddMemory
Opcode: Start

Fields #

Name	Description
`PartitionId` UInt32	—
`RunCount` UInt64	—
`PageCount` UInt64	—
`IoSpaceMemory` Boolean	—
`Allocated` Boolean	—

Event ID 152 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: PartitionInitialAddMemory
Opcode: Stop

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference

Event ID 153 — Virtualization-based security (policies: VsmPolicy) is EnableDisableReason.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Level: Informational
Task: VsmPolicyEnablement

Description

Virtualization-based security (policies: VsmPolicy) is EnableDisableReason.

Message #

Virtualization-based security (policies: %3) is %2.

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference
`EnableDisableReason` UInt32	—
`VsmPolicy` UInt32	Virtualization-based security (policies.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Boot",
    "guid": "15CA44FF-4D7A-4BAA-BBA5-0998955E531E",
    "event_source_name": "",
    "event_id": 153,
    "version": 0,
    "level": 4,
    "task": 62,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2022-04-07T16:52:33.732630+00:00",
    "event_record_id": 1132,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 8
    },
    "channel": "System",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Status": 0,
    "EnableDisableReason": 0,
    "VsmPolicy": 0
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 154 — Boot Policy Migration used an authenticated variable.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Level: Informational
Task: BootPolicyMigration

Description

Boot Policy Migration used an authenticated variable. Status: Status.

Message #

Boot Policy Migration used an authenticated variable.  Status: %1

Fields #

Name	Description
`Status` UInt32	Boot Policy Migration used an authenticated variable. Status. NTSTATUS reference

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Boot",
    "guid": "15CA44FF-4D7A-4BAA-BBA5-0998955E531E",
    "event_source_name": "",
    "event_id": 154,
    "version": 0,
    "level": 4,
    "task": 44,
    "opcode": 0,
    "keywords": 2305843009213693952,
    "time_created": "2023-11-06T06:20:49.064672+00:00",
    "event_record_id": 46,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 8
    },
    "channel": "Microsoft-Windows-Kernel-Boot/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Status": 0
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 155 — Boot Policy Migration used an unauthenticated variable.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: BootPolicyMigration

Description

Boot Policy Migration used an unauthenticated variable. Status: Status.

Message #

Boot Policy Migration used an unauthenticated variable.  Status: %1

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference

Event ID 156 — Virtualization-based security (policies: VsmPolicy) is EnableDisableReason with status: Status.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Level: Warning
Opcode: Info

Description

Virtualization-based security (policies: VsmPolicy) is EnableDisableReason with status: Status.

Message #

Virtualization-based security (policies: %3) is %2 with status: %1

Fields #

Name	Description
`Status` UInt32	2 with status. NTSTATUS reference
`EnableDisableReason` UInt32	—
`VsmPolicy` UInt32	Virtualization-based security (policies.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Boot",
    "guid": "15CA44FF-4D7A-4BAA-BBA5-0998955E531E",
    "event_source_name": "",
    "event_id": 156,
    "version": 0,
    "level": 3,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T06:24:56.249721+00:00",
    "event_record_id": 1625,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 8
    },
    "channel": "System",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Status": 3221225659,
    "EnableDisableReason": 6,
    "VsmPolicy": 515
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 157 — Info: Info Status: Status.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: BootDiag

Description

Info: Info Status: Status.

Message #

Info: %1 Status: %2

Fields #

Name	Description
`Info`	—
`Status` UInt32	— NTSTATUS reference
`DiagCode` UInt32	—

Event ID 158 — Error: DiagCode Status: Status.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Level: Error
Task: BootDiag

Description

Error: DiagCode Status: Status.

Message #

Error: %1 Status: %2

Fields #

Name	Description
`DiagCode` UInt32	Error.
`Status` UInt32	— NTSTATUS reference

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Boot",
    "guid": "15CA44FF-4D7A-4BAA-BBA5-0998955E531E",
    "event_source_name": "",
    "event_id": 158,
    "version": 0,
    "level": 2,
    "task": 53,
    "opcode": 0,
    "keywords": 2305851805306716160,
    "time_created": "2023-11-06T06:24:56.254284+00:00",
    "event_record_id": 49,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 8
    },
    "channel": "Microsoft-Windows-Kernel-Boot/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "DiagCode": 1076887595,
    "Status": 3221225659
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 159 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: RemoveEnclavePages
Opcode: Start

Fields #

Name	Description
`BasePage` UInt64	—
`PageCount` UInt64	—

Event ID 160 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: CancelNotification
Opcode: Start

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference

Event ID 161 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: CancelNotification
Opcode: Stop

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference

Event ID 162 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: GetFirmwareBootDevice

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference

Event ID 163 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: NormalizeBootOptionList

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference

Event ID 164 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: CreateLibraryParameters

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference

Event ID 165 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: InitializeLibrary

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference

Event ID 166 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: CreateDevices

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference

Event ID 167 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: SoftRestartHostCapability

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference

Event ID 168 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: EnumerateEnclavePages

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference

Event ID 169 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: InitializeMeasurementContext
Opcode: InitializationFailure

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference
`FailurePoint` UInt32	—

Event ID 170 — Measured Boot Measurement Failure.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: KsrMeasurement

Description

Measured Boot Measurement Failure. Status: Measured_Boot_Measurement_Failure_Status.

Message #

Measured Boot Measurement Failure. Status: %1

Fields #

Name	Description
`Measured_Boot_Measurement_Failure_Status` UInt32	Measured Boot Measurement Failure. Status.
`Status` UInt32	— NTSTATUS reference

Event ID 171 — TPM Measurement Failure.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: TpmMeasurement

Description

TPM Measurement Failure. Status: TPM_Measurement_Failure_Status.

Message #

TPM Measurement Failure. Status: %1

Fields #

Name	Description
`TPM_Measurement_Failure_Status` UInt32	TPM Measurement Failure. Status.
`Status` UInt32	— NTSTATUS reference

Event ID 172 — Failure to close TCG log.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: CloseMeasurementLog

Description

Failure to close TCG log. Status: Status.

Message #

Failure to close TCG log. Status: %1

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference

Event ID 173 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: CommitPendingEvents

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference

Event ID 174 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: CapTpmPcr

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference

Event ID 175 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: CapTpmPcr

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference

Event ID 176 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: InitializeLibrary

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference

Event ID 177 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: EfiVariableAccess
Opcode: GetEfiVariable

Fields #

Name	Description
`VendorGuid` GUID	—
`VariableName` UnicodeString	—
`Attributes` UInt32	—
`Status` UInt32	— NTSTATUS reference

Event ID 178 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: EfiVariableAccess
Opcode: SetEfiVariable

Fields #

Name	Description
`VendorGuid` GUID	—
`VariableName` UnicodeString	—
`Attributes` UInt32	—
`Status` UInt32	— NTSTATUS reference

Event ID 179 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: GetFirmwareInformation

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference

Event ID 180 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: VerifyBootEntry

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference

Event ID 181 — Soft Restart driver failed to register itself as a filter with status: Status.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: RegisterFilter

Description

Soft Restart driver failed to register itself as a filter with status: Status.

Message #

Soft Restart driver failed to register itself as a filter with status: %1

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference

Event ID 182 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: IoSpaceMemory
Opcode: EnumerateFailure

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference

Event ID 183 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: BadMemoryPages
Opcode: ListInitializationFailure

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference

Event ID 184 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: InitializeMeasurementContext
Opcode: MeasurementsDisabled

Fields #

Name	Description
`DisableReason` UInt32	—
`TcgLogStatus` UInt32	—

Event ID 185 — Soft Restart driver failed to store BCD store when BCDCache is enabled with status: Status.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: PersistBcdFailure

Description

Soft Restart driver failed to store BCD store when BCDCache is enabled with status: Status.

Message #

Soft Restart driver failed to store BCD store when BCDCache is enabled with status: %1

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference

Event ID 186 — Soft Restart driver failed to query MEMDISK configuration from the current OS with status: Status.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: QueryMemdiskInformation

Description

Soft Restart driver failed to query MEMDISK configuration from the current OS with status: Status.

Message #

Soft Restart driver failed to query MEMDISK configuration from the current OS with status: %1

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference

Event ID 200 — A command was submitted to the TPM.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Task: TpmCommandResponse

Description

A command was submitted to the TPM.

Message #

A command was submitted to the TPM.
Command code: %1.
Response code: %2.
Elapsed time: %3ms.

Fields #

Name	Description
`Command_code` UInt32	—
`Response_code` UInt32	—
`Elapsed_time` UInt64	—
`CommandCode` UInt32	—
`ResponseCode` UInt32	—
`ResponseMilliseconds` UInt64	—

Event ID 201 — A command was submitted to the TPM.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Task: TpmCommandResponse

Description

A command was submitted to the TPM.

Message #

A command was submitted to the TPM.
Command code: %1.
Response code: %2.
Elapsed time: %3ms.

Fields #

Name	Description
`Command_code`	—
`Response_code`	—
`Elapsed_time`	—
`CommandCode` UInt32	—
`ResponseCode` UInt32	—
`ResponseMilliseconds` UInt64	—
`CommandSize` UInt32	—
`CommandData` Binary	—
`ResponseSize` UInt32	—
`ResponseData` Binary	—

Event ID 202 — A command could not be submitted to the TPM.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: TpmSubmitError

Description

A command could not be submitted to the TPM.

Message #

A command could not be submitted to the TPM.
Command code: %1.
Error code: %2.
Elapsed time: %3ms.

Fields #

Name	Description
`Command_code` UInt32	—
`Error_code` UInt32	—
`Elapsed_time` UInt64	—
`CommandCode` UInt32	—
`ErrorCode` UInt32	—
`ResponseMilliseconds` UInt64	—

Event ID 203 — A command could not be submitted to the TPM.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: TpmSubmitError

Description

A command could not be submitted to the TPM.

Message #

A command could not be submitted to the TPM.
Command code: %1.
Error code: %2.
Elapsed time: %3ms.

Fields #

Name	Description
`Command_code`	—
`Error_code`	—
`Elapsed_time`	—
`CommandCode` UInt32	—
`ErrorCode` UInt32	—
`ResponseMilliseconds` UInt64	—
`CommandSize` UInt32	—
`CommandData` Binary	—

Event ID 204 — The TPM was found not to be useable for BitLocker.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Task: TpmBitLockerUsage

Description

The TPM was found not to be useable for BitLocker. Flags: FveGlobalDataFlags.

Message #

The TPM was found not to be useable for BitLocker. Flags: %1.

Fields #

Name	Description
`FveGlobalDataFlags` UInt32	—

Event ID 205 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: EFICapsuleCreation
Opcode: Start

Event ID 206 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: EFICapsuleCreation
Opcode: Stop

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference

Event ID 207 — Measured Boot library was initialized.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Task: BootSI
Opcode: InitStatus

Description

Measured Boot library was initialized. Phase: Phase, StatusCode: StatusCode.

Message #

Measured Boot library was initialized. Phase: %1, StatusCode: %2.

Fields #

Name	Description
`Phase` UInt32	—
`StatusCode` UInt32	—
`EnvironmentState` UInt32	—

Event ID 208 — Measured Boot library encountered a failure and entered insecure state.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Level: Error
Task: BootSI
Opcode: EnterInsecureState

Description

Measured Boot library encountered a failure and entered insecure state. InitState: InitState, StatusCode: StatusCode, Failure Address: FailureAddress, Reference Address: ReferenceAddress, Reason: ReasonCode.

Message #

Measured Boot library encountered a failure and entered insecure state. InitState: %1, StatusCode: %2, Failure Address: %3, Reference Address: %4, Reason: %5.

Fields #

Name	Description
`InitState` UInt32	Measured Boot library encountered a failure and entered insecure state. InitState.
`StatusCode` UInt32	—
`FailureAddress` UInt64	—
`ReferenceAddress` UInt64	—
`ReasonCode` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Boot",
    "guid": "15CA44FF-4D7A-4BAA-BBA5-0998955E531E",
    "event_source_name": "",
    "event_id": 208,
    "version": 0,
    "level": 2,
    "task": 78,
    "opcode": 12,
    "keywords": 2305851805306716160,
    "time_created": "2023-11-06T06:24:56.268671+00:00",
    "event_record_id": 51,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 8
    },
    "channel": "Microsoft-Windows-Kernel-Boot/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "InitState": 1,
    "StatusCode": 3221225473,
    "FailureAddress": 269088818,
    "ReferenceAddress": 270250432,
    "ReasonCode": 1
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 209 — DRTM Security Version Number check failed.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: BootSI
Opcode: DrtmSvnCheck

Description

DRTM Security Version Number check failed. SvnCounterId: SvnCounterId, StatusCode: StatusCode, Svn Value: SvnValue, Previous SVN Value: PrevSvnValue.

Message #

DRTM Security Version Number check failed. SvnCounterId: %1, StatusCode: %2, Svn Value: %3, Previous SVN Value: %4.

Fields #

Name	Description
`SvnCounterId` UInt32	—
`StatusCode` UInt32	—
`SvnValue` UInt32	—
`PrevSvnValue` UInt32	—

Event ID 210 — Intel TXT SENTER time: Intel_TXT_SENTER_time ms.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: MeasuredLaunch
Opcode: SinitPerformance

Description

Intel TXT SENTER time: Intel_TXT_SENTER_time ms.

Message #

Intel TXT SENTER time: %1 ms.

Fields #

Name	Description
`Intel_TXT_SENTER_time` UInt64	—
`SinitTimeMs` UInt64	—

Event ID 211 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: MiniFilterStartFailure

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference

Event ID 212 — File modification detected after load: File_modification_detected_after_load.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Task: FileModification

Description

File modification detected after load: File_modification_detected_after_load.

Message #

File modification detected after load: %1.

Fields #

Name	Description
`File_modification_detected_after_load`	—
`PathLength` UInt16	—
`Path` UnicodeString	—

Event ID 213 — Registry modification detected after load: PathLength.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Task: RegistryModification

Description

Registry modification detected after load: PathLength.

Message #

Registry modification detected after load: %1.

Fields #

Name	Description
`PathLength` UInt16	—
`Path` UnicodeString	—

Event ID 214 — Soft reboot prepare started (complete requested: TryComplete).

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Task: SoftReboot
Opcode: Start

Description

Soft reboot prepare started (complete requested: TryComplete).

Message #

Soft reboot prepare started (complete requested: %1).

Fields #

Name	Description
`TryComplete` Boolean	—

Event ID 215 — Soft reboot prepare finished: Soft_reboot_prepare_finished.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Task: SoftReboot
Opcode: Stop

Description

Soft reboot prepare finished: Soft_reboot_prepare_finished.

Message #

Soft reboot prepare finished: %1.

Fields #

Name	Description
`Soft_reboot_prepare_finished` UInt32	—
`Status` UInt32	— NTSTATUS reference

Event ID 216 — Soft reboot complete prepare started.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Task: SoftReboot
Opcode: Start

Description

Soft reboot complete prepare started.

Message #

Soft reboot complete prepare started.

Event ID 217 — Soft reboot complete prepare finished: Soft_reboot_complete_prepare_finished.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Task: SoftReboot
Opcode: Stop

Description

Soft reboot complete prepare finished: Soft_reboot_complete_prepare_finished.

Message #

Soft reboot complete prepare finished: %1.

Fields #

Name	Description
`Soft_reboot_complete_prepare_finished` UInt32	—
`Status` UInt32	— NTSTATUS reference

Event ID 218 — Soft reboot call to checkpoint failed: Function (checkpoint: Status).

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Task: SoftReboot

Description

Soft reboot call to checkpoint failed: Function (checkpoint: Status).

Message #

Soft reboot call to %1 failed: %2 (checkpoint: %3).

Fields #

Name	Description
`checkpoint`	1 failed.
`Function` UnicodeString	—
`Status` UInt32	— NTSTATUS reference
`Checkpoint` UInt32	—

Event ID 219 — Intel TXT prepared.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: MeasuredLaunch
Opcode: TxtInformation

Description

Intel TXT prepared. ACM date: AcmDateDay/Intel_TXT_prepared_ACM_date/AcmDateMonth.

Message #

Intel TXT prepared. ACM date: %2/%1/%3.

Fields #

Name	Description
`Intel_TXT_prepared_ACM_date`	—
`AcmDateDay` UInt8	—
`AcmDateMonth` UInt8	—
`AcmDateYear` UInt16	—

Event ID 220 — System Guard enabled but not supported.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: MeasuredLaunch
Opcode: DrtmNotSupported

Description

System Guard enabled but not supported. Reason: TxtStatus.

Message #

System Guard enabled but not supported. Reason: %1

Fields #

Name	Description
`TxtStatus` UInt32	—

Event ID 221 — System drivers need update to support VBS launch.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Task: MeasuredLaunch
Opcode: DrtmDriversNotSupportVbs

Description

System drivers need update to support VBS launch.

Message #

System drivers need update to support VBS launch.

Event ID 222 — SMM configuration failed validation.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Task: MeasuredLaunch
Opcode: PpamFailure

Description

SMM configuration failed validation. Reason: TxtStatus.

Message #

SMM configuration failed validation. Reason: %1

Fields #

Name	Description
`TxtStatus` UInt32	—
`Instance` UInt64	—
`Status` UInt64	— NTSTATUS reference

Event ID 223 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: IoSpaceMemory
Opcode: AllocationFailure

Fields #

Name	Description
`Phase` UInt32	—
`Status` UInt32	— NTSTATUS reference
`Tries` UInt32	—
`RemainingNodesCount` UInt32	—
`RemainingNodes` Int16	—

Event ID 224 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: IoSpaceMemory
Opcode: Allocation

Fields #

Name	Description
`AllocatedRegions` UInt32	—
`Tries` UInt32	—

Event ID 225 — VBS is configured to disallow trustlets.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: VsmBootNoSecretsMode

Description

VBS is configured to disallow trustlets.

Message #

VBS is configured to disallow trustlets.

Event ID 226 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: FinalizeMemoryMap
Opcode: Start

Event ID 227 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: FinalizeMemoryMap
Opcode: Stop

Event ID 228 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: FinalizeMemoryMap
Opcode: Stop

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference

Event ID 229 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: RegisterHvloaderPersistenceInterface

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference

Event ID 230 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: LoadHvloaderForPersistence

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference

Event ID 231 — Boot menu timer canceled due to key press.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: BootMenuTimerCanceled

Description

Boot menu timer canceled due to key press.

Message #

Boot menu timer canceled due to key press.

Fields #

Name	Description
`KeyType` UInt32	— Known values `%%2499` Machine key `%%2500` User key
`Code` UInt32	—

Event ID 232 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: MemoryPartitionFreeUnusedMemory
Opcode: Start

Event ID 233 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: MemoryPartitionFreeUnusedMemory
Opcode: Stop

Fields #

Name	Description
`RangeCount` UInt64	—
`PageCount` UInt64	—
`MarkedAsBadRegularPages` UInt64	—
`MarkedAsBadIoSpacePages` UInt64	—
`MarkErrorsCount` UInt64	—

Event ID 234 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: MemoryPartitionRestoreStats

Fields #

Name	Description
`Identifier` GUID	—
`PartitionId` UInt32	—
`AllocatedBlockCount` UInt64	—
`AllocatedRunCount` UInt64	—
`AllocatedPageCount` UInt64	—
`Status` UInt32	— NTSTATUS reference

Event ID 235 — Windows boot environment failed to initialize TPM device.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Level: Error
Task: BootTpm
Opcode: TpmInit

Description

Windows boot environment failed to initialize TPM device. StatusCode: StatusCode, Position: Position.

Message #

Windows boot environment failed to initialize TPM device. StatusCode: %1, Position: %2.

Fields #

Name	Description
`StatusCode` UInt32	Windows boot environment failed to initialize TPM device. StatusCode.
`Position` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Boot",
    "guid": "15CA44FF-4D7A-4BAA-BBA5-0998955E531E",
    "event_source_name": "",
    "event_id": 235,
    "version": 0,
    "level": 2,
    "task": 99,
    "opcode": 11,
    "keywords": 2305851805306716160,
    "time_created": "2023-11-06T06:24:56.268658+00:00",
    "event_record_id": 50,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 8
    },
    "channel": "Microsoft-Windows-Kernel-Boot/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "StatusCode": 3221225474,
    "Position": 1
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 236 — SMM isolation level decreased.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: MeasuredLaunch
Opcode: SmmLevelCheck

Description

SMM isolation level decreased. Reason: SMM_isolation_level_decreased_Reason.

Message #

SMM isolation level decreased. Reason: %1

Fields #

Name	Description
`SMM_isolation_level_decreased_Reason`	SMM isolation level decreased. Reason.
`TxtStatus` UInt32	—
`PolicyLevel` UInt32	—
`Argument1` UInt64	—
`Argument2` UInt64	—

Event ID 237 — Hardware memory mirroring is not supported.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: MemoryMirroring
Opcode: NotSupported

Description

Hardware memory mirroring is not supported. MirrorStatus: MirrorStatus.

Message #

Hardware memory mirroring is not supported. MirrorStatus: %1

Fields #

Name	Description
`MirrorStatus` UInt32	—

Event ID 238 — EFI time zone bias: EfiTimeZoneBias.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Level: Informational
Task: EfiTimeZoneInformation

Description

EFI time zone bias: EfiTimeZoneBias. Daylight flags: EfiDaylightFlags.

Message #

EFI time zone bias: %1. Daylight flags: %2.

Fields #

Name	Description
`EfiTimeZoneBias` Int16	—
`EfiDaylightFlags` UInt8	—
`EfiTime` FILETIME	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Boot",
    "guid": "15CA44FF-4D7A-4BAA-BBA5-0998955E531E",
    "event_source_name": "",
    "event_id": 238,
    "version": 1,
    "level": 4,
    "task": 101,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T06:24:56.254256+00:00",
    "event_record_id": 1628,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 8
    },
    "channel": "System",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "EfiTimeZoneBias": 2047,
    "EfiDaylightFlags": 0,
    "EfiTime": "2023-11-05T22:24:37.000000Z"
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 239 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Task: MemoryAllocation
Opcode: BlMmAllocationFailure

Fields #

Name	Description
`Pages` UInt64	—
`MemoryType` UInt32	—
`Attributes` UInt32	—
`Alignment` UInt32	—
`Status` UInt32	— NTSTATUS reference
`RangeMinimum` UInt64	—
`RangeMaximum` UInt64	—
`RangeFlags` UInt32	—

Event ID 240 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: FinalizeNotification
Opcode: Start

Event ID 241 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: FinalizeNotification
Opcode: Stop

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference
`Tag` AnsiString	—

Event ID 242 — SMM isolation detected.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Task: MeasuredLaunch
Opcode: SmmIsolation

Description

SMM isolation detected. Level: SMM_isolation_detected_Level.

Message #

SMM isolation detected. Level: %1

Fields #

Name	Description
`SMM_isolation_detected_Level` UInt32	SMM isolation detected. Level.
`IsolationLevel` UInt32	—

Event ID 243 — Hardware memory mirroring support is enabled.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: MemoryMirroring
Opcode: Enabled

Description

Hardware memory mirroring support is enabled.

Message #

Hardware memory mirroring support is enabled.

Fields #

Name	Description
`MirrorPercentage` UInt32	—

Event ID 244 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Task: MeasuredLaunch
Opcode: TxtSmmIsolationPerf

Fields #

Name	Description
`GetCapabilityTime` UInt64	—
`GetResourcesTime` UInt64	—
`ResourcesValidationTime` UInt64	—

Event ID 245 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: UnpersistMemoryPartition
Opcode: Start

Fields #

Name	Description
`Identifier` GUID	—

Event ID 246 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: UnpersistMemoryPartition
Opcode: Stop

Fields #

Name	Description
`Identifier` GUID	—
`Status` UInt32	— NTSTATUS reference

Event ID 247 — Unable to load Pluton-Windows firmware.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Task: BootTpm
Opcode: PlutonLoadFailure

Description

Unable to load Pluton-Windows firmware. StatusCode: Status, Reason: FailureReason.

Message #

Unable to load Pluton-Windows firmware. StatusCode: %1, Reason: %2

Fields #

Name Description

Status UInt32 — NTSTATUS reference

FailureReason UInt32

—

Known values

%%2304: An Error occured during Logon.
%%2305: The specified user account has expired.
%%2306: The NetLogon component is not active.
%%2307: Account locked out.
%%2308: The user has not been granted the requested logon type at this machine.
%%2309: The specified account's password has expired.
%%2310: Account currently disabled.
%%2311: Account logon time restriction violation.
%%2312: User not allowed to logon at this computer.
%%2313: Unknown user name or bad password.
%%2314: Domain sid inconsistent.
%%2315: Smartcard logon is required and was not used.

Event ID 248 — Previous error detected while attempting to execute Measured Launch Environment.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: MeasuredLaunch
Opcode: PreviousAmdSlError

Description

Previous error detected while attempting to execute Measured Launch Environment. Source: AmdSlErrorCode Error code: %2.

Message #

Previous error detected while attempting to execute Measured Launch Environment. Source: %1 Error code: %2.

Fields #

Name	Description
`AmdSlErrorCode` UInt32	—

Event ID 249 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: BindImportsFailure

Fields #

Name	Description
`Module` AnsiString	—
`Function` AnsiString	—
`Status` UInt32	— NTSTATUS reference

Event ID 250 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: SlabAllocationFailure

Fields #

Name	Description
`PageCount` UInt64	—
`Status` UInt32	— NTSTATUS reference
`MemoryType` UInt32	—
`Attributes` UInt32	—

Event ID 251 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: QuerySystemInformationFailure

Fields #

Name	Description
`InformationClass` UInt32	—
`Status` UInt32	— NTSTATUS reference

Event ID 252 — This system has not supplied a valid framebuffer and the graphical boot menu is not used.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: BootmgrBltDisplayMenu

Description

This system has not supplied a valid framebuffer and the graphical boot menu is not used.

Message #

This system has not supplied a valid framebuffer and the graphical boot menu is not used.

Event ID 253 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Analytic
Task: HotPatch
Opcode: HotPatchApplyFailure

Description

HotPatch failed to apply with Status: at failure point: .

Event ID 253 — HotPatch HotPatchPath failed to apply with Status: Status at failure point: FailurePoint.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: HotPatch
Opcode: HotPatchApplyFailure

Description

HotPatch HotPatchPath failed to apply with Status: Status at failure point: FailurePoint.

Message #

HotPatch %4 failed to apply with Status: %2 at failure point: %1.

Fields #

Name	Description
`FailurePoint` UInt32	—
`Status` UInt32	— NTSTATUS reference
`HotPatchPathLength` UInt16	—
`HotPatchPath` UnicodeString	—

Event ID 254 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: GetPerformanceOptions

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference

Event ID 255 —

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: SnapshotPolicy

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference

Event ID 256 — AMD DRTM Firmware Anti-Rollback Disabled.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Opcode: Info

Description

AMD DRTM Firmware Anti-Rollback Disabled.

Message #

AMD DRTM Firmware Anti-Rollback Disabled.

Event ID 257 — Failed to build image path for dump stack module ModulePath.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: LoadEarlyDumpSupport
Opcode: BuildImagePathFailure

Description

Failed to build image path for dump stack module ModulePath. Status: Status.

Message #

Failed to build image path for dump stack module %1. Status: %2.

Fields #

Name	Description
`ModulePath` UnicodeString	—
`Status` UInt32	— NTSTATUS reference

Event ID 258 — Failed to load dump stack module ModulePath.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: LoadEarlyDumpSupport
Opcode: LoadModuleFailure

Description

Failed to load dump stack module ModulePath. Status: Status.

Message #

Failed to load dump stack module %1. Status: %2.

Fields #

Name	Description
`ModulePath` UnicodeString	—
`Status` UInt32	— NTSTATUS reference

Event ID 259 — Early dump stack succesfully loaded by OS loader.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: LoadEarlyDumpSupport

Description

Early dump stack succesfully loaded by OS loader.

Message #

Early dump stack succesfully loaded by OS loader.

Event ID 260 — Early boot crash dump generation is not supported.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: LoadEarlyDumpSupport
Opcode: EarlyDumpNotSupported

Description

Early boot crash dump generation is not supported.

Message #

Early boot crash dump generation is not supported.

Event ID 261 — Soft restart prepare was vetoed by component Tag with status Status.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: PrepareNotification
Opcode: Veto

Description

Soft restart prepare was vetoed by component Tag with status Status.

Message #

Soft restart prepare was vetoed by component %2 with status %1.

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference
`Tag` AnsiString	—

Event ID 262 — Soft restart finalize was vetoed by component Tag with status Status.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: FinalizeNotification
Opcode: Veto

Description

Soft restart finalize was vetoed by component Tag with status Status.

Message #

Soft restart finalize was vetoed by component %2 with status %1.

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference
`Tag` AnsiString	—

Event ID 263 — Early crash dump support is disabled by registry configuration.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: LoadEarlyDumpSupport
Opcode: EarlyDumpDisabled

Description

Early crash dump support is disabled by registry configuration.

Message #

Early crash dump support is disabled by registry configuration.

Event ID 264 — Failed to query early dump enablement information from the registry with status Status.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: LoadEarlyDumpSupport
Opcode: QueryEarlyDumpInitFailure

Description

Failed to query early dump enablement information from the registry with status Status.

Message #

Failed to query early dump enablement information from the registry with status %1.

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference

Event ID 265 — Failed to query dedicated dump file name for the target OS with status Status.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: LoadEarlyDumpSupport
Opcode: QueryDumpFileNameFailure

Description

Failed to query dedicated dump file name for the target OS with status Status. Early crash dump functinality will not be loaded.

Message #

Failed to query dedicated dump file name for the target OS with status %1. Early crash dump functinality will not be loaded.

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference

Event ID 266 — Dedicated dump file names do not match (HostDumpFileName, TargetDumpFileName).

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: LoadEarlyDumpSupport
Opcode: DumpFileNameMismatch

Description

Dedicated dump file names do not match (HostDumpFileName, TargetDumpFileName). Early crash dump functinality will not be loaded.

Message #

Dedicated dump file names do not match (%1, %2). Early crash dump functinality will not be loaded.

Fields #

Name	Description
`HostDumpFileName` UnicodeString	—
`TargetDumpFileName` UnicodeString	—

Event ID 267 — Failed to query dump module list.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: LoadEarlyDumpSupport
Opcode: GetDriverListFailure

Description

Failed to query dump module list. Status: Status.

Message #

Failed to query dump module list. Status: %1.

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference

Event ID 268 — Boot Application ApplicationIdentifier dropped EventsLostCount events during logging.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: BootEventsLost

Description

Boot Application ApplicationIdentifier dropped EventsLostCount events during logging.

Message #

Boot Application %1 dropped %2 events during logging.

Fields #

Name	Description
`ApplicationIdentifier` GUID	—
`EventsLostCount` UInt32	—

Event ID 269 — Trace point: Function:Function Point:Point Status:NTStatus.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: BootDiag

Description

Trace point: Function:Function Point:Point Status:NTStatus.

Message #

Trace point: Function:%1 Point:%2 Status:%3

Fields #

Name	Description
`Function` AnsiString	—
`Point` UInt16	—
`NTStatus` UInt32	—

Event ID 270 — Cached boot BCD store was loaded by the boot environment.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: BootBcdLoaded

Description

Cached boot BCD store was loaded by the boot environment.

Message #

Cached boot BCD store was loaded by the boot environment.

Event ID 271 — TPRs are supported, TPR setup will be requested while attempting to execute Measured Launch Environment.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: MeasuredLaunch
Opcode: TprSetupRequested

Description

TPRs are supported, TPR setup will be requested while attempting to execute Measured Launch Environment.

Message #

TPRs are supported, TPR setup will be requested while attempting to execute Measured Launch Environment.

Event ID 272 — PPAM Manifest Info: PpamStatus.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Task: MeasuredLaunch
Opcode: PpamManifestInfo

Description

PPAM Manifest Info: PpamStatus.

Message #

PPAM Manifest Info: %1

Fields #

Name	Description
`PpamStatus` UInt32	—

Event ID 273 — BCD Option 'BcdOption' was not applied due to Secure Boot being enabled.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: SecureBootMitigations

Description

BCD Option 'BcdOption' was not applied due to Secure Boot being enabled. Option: BcdElement.

Message #

BCD Option '%1' was not applied due to Secure Boot being enabled. Option: %2

Fields #

Name	Description
`BcdOption` UInt32	—
`BcdElement` HexInt64	—

Event ID 274 — Bootmgr Security Version Number check failed.

Provider: Microsoft-Windows-Kernel-Boot
Channel: System
Task: BootSI
Opcode: BootmgrSvnCheck

Description

Bootmgr Security Version Number check failed. Svn Value: SvnValue, Previous SVN Value: PrevSvnValue.

Message #

Bootmgr Security Version Number check failed. Svn Value: %1, Previous SVN Value: %2.

Fields #

Name	Description
`SvnValue` UInt32	—
`PrevSvnValue` UInt32	—

Event ID 275 — ACM InfoTable version used: AcmInfoTableVersion.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: MeasuredLaunch
Opcode: AcmInfoTableInfo

Description

ACM InfoTable version used: AcmInfoTableVersion.

Message #

ACM InfoTable version used: %1.

Fields #

Name	Description
`AcmInfoTableVersion` UInt32	—

Event ID 276 — Windows boot manager revocation policy version Version is applied.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: SecureBootMitigations

Description

Windows boot manager revocation policy version Version is applied.

Message #

Windows boot manager revocation policy version %1 is applied.

Fields #

Name	Description
`Version` HexInt64	—

Event ID 277 — Windows boot manager revocation policy version Version was not found.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: SecureBootMitigations

Description

Windows boot manager revocation policy version Version was not found. It is recommended that it be redeployed.

Message #

Windows boot manager revocation policy version %1 was not found. It is recommended that it be redeployed.

Fields #

Name	Description
`Version` HexInt64	—

Event ID 291 — Succeeded in updating the SBAT value in FW.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: SbatUpdate
Opcode: SbatUpdateSuccess

Description

Succeeded in updating the SBAT value in FW.

Message #

Succeeded in updating the SBAT value in FW.

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference
`FailurePoint` UInt32	—
`UpdateStatusEnum` UInt32	—
`FwLevel` AnsiString	—

Event ID 292 — Failed to update the SBAT value in FW.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: SbatUpdate
Opcode: SbatUpdateFailure

Description

Failed to update the SBAT value in FW.

Message #

Failed to update the SBAT value in FW.

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference
`FailurePoint` UInt32	—
`UpdateStatusEnum` UInt32	—
`FwLevel` AnsiString	—

Event ID 295 — Secure Boot revoked boot app FileName with SVN LoadedBootAppSvn.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: BootAppRevocation
Opcode: BootAppRevoked

Description

Secure Boot revoked boot app FileName with SVN LoadedBootAppSvn. Min SVN required: EnforcedBootAppSvn. Status: Status.

Message #

Secure Boot revoked boot app %4 with SVN %1. Min SVN required: %2. Status: %3.

Fields #

Name	Description
`LoadedBootAppSvn` UInt32	—
`EnforcedBootAppSvn` UInt32	—
`Status` HexInt32	— NTSTATUS reference
`FileName` UnicodeString	—

Event ID 312 — Failed to compose API Set schema extension with status: NTStatus.

Provider: Microsoft-Windows-Kernel-Boot
Channel: Operational
Task: ApiSetSchemaComposition

Description

Failed to compose API Set schema extension with status: NTStatus.

Message #

Failed to compose API Set schema extension with status: %1

Fields #

Name	Description
`NTStatus` UInt32	—