Microsoft-Windows-Kernel-LiveDump

60 events across 2 channels

Event ID | Title | Channel
1 | Live Dump Capture Dump Data API started. | Analytic
2 | Live Dump Capture Dump Data API ended. | Operational
3 | Writing dump file started. | Operational
4 | Writing dump file ended. | Operational
5 | Live Dump request aborted due to memory pressure on system | Analytic
6 | LiveDump Event Generic | Operational
101 | Sizing Workflow: Mirroring started. | Operational
102 | Sizing Workflow: Mirroring Phase 0 ended. | Analytic
103 | Sizing Workflow: Mirroring Phase 1 ended. | Analytic
104 | Sizing Workflow: System Quiesce started. | Operational
105 | Sizing Workflow: System Quiesce ended. | Operational
106 | Sizing Workflow: Estimation. | Operational
107 | Sizing Workflow: Allocation. | Operational
108 | Sizing Workflow: RemovePages Callbacks started. | Analytic
109 | Sizing Workflow: RemovePages Callbacks ended. | Analytic
110 | Sizing Workflow: RemovePages Callback CallbackIdentifier started. | Analytic
111 | Sizing Workflow: RemovePages Callback CallbackIdentifier ended. | Analytic
112 | Sizing Workflow: RemovePages Callback CallbackIdentifier failed. | Analytic
113 | Sizing workflow: EstimatedPageCount pages estimated to be allocated and … | Operational
114 | Sizing Workflow: Query Hvl for dump size failed. | Operational
115 | Sizing Workflow: Open VM memory partition failed. | Operational
116 | Sizing Workflow: Buffer allocation from the VM memory partition failed. | Operational
117 | Sizing Workflow: Capture processor context when the system is quiesced. | Analytic
118 | Sizing Workflow: Mark required dump data when system is quiesced. | Analytic
119 | Sizing Workflow: Mark important dump data when system is quiesced. | Analytic
120 | Sizing Workflow: Populate bitmap for dump when system is quiesced. | Analytic
121 | Sizing Workflow: Corral processors to quiesce the system. | Analytic
122 | Sizing Workflow: Uncorral processors to quiesce the system. | Analytic
123 | Sizing Workflow: MmDuplicateMemory failed. | Operational
124 | IO space utilization disabled when HV/SK pages requested, NoSecrets mode … | Operational
125 | Callout for Callout (included Included). | Operational
126 | Sizing Workflow: Call to Hvl for preparing livedump descriptor failed. | Operational
151 | Capture Pages Workflow: Mirroring started. | Analytic
152 | Capture Pages Workflow: Mirroring Phase 0 ended. | Analytic
153 | Capture Pages Workflow: Mirroring Phase 1 ended. | Analytic
154 | Capture Pages Workflow: System Quiesce started. | Operational
155 | Capture Pages Workflow: System Quiesce ended. | Operational
156 | Capture Pages Workflow: Copy memory pages started. | Operational
157 | Capture Pages Workflow: Copy memory pages ended. | Operational
158 | Capture Pages Workflow: Capture processor context when the system is quiesced. | Analytic
159 | Capture Pages Workflow: Mark required dump data when system is quiesced. | Analytic
160 | Capture Pages Workflow: Mark important dump data when system is quiesced. | Analytic
161 | Capture Pages Workflow: Populate bitmap for dump when system is quiesced. | Analytic
162 | Capture Pages Workflow: Collect Hvl dump when system is quiesced. | Analytic
163 | Capture Pages Workflow: Generate Ipt secondary data when system is quiesced. | Analytic
164 | Capture Pages Workflow: Initiate state change to copy contents of marked pages … | Analytic
165 | Capture Pages Workflow: Corral processors to quiesce the system. | Analytic
166 | Capture Pages Workflow: Uncorral processors to quiesce the system. | Analytic
167 | Capture Pages Workflow: Capture memory pages. | Operational
168 | Capture Pages Workflow: MmDuplicateMemory failed. | Operational
169 | Callout for Callout (included Included). | Operational
201 | Live Dump Write Deferred Dump Data API started. | Analytic
202 | Live Dump Write Deferred Dump Data API ended. | Operational
203 | Write deferred dump data to file started. | Operational
204 | Write deferred dump data to file ended. | Operational
251 | Live Dump Discard Deferred Dump Data API started. | Analytic
252 | Live Dump Discard Deferred Dump Data API ended. | Operational
271 | AllowLiveDump policy: AllowLiveDump_policy. | Operational
272 | AllowLiveDump policy value changed (AllowLiveDump = PolicyValue). | Operational
273 | LiveDump disabled on boot by policy (AllowLiveDump = PolicyValue). | Operational

Event ID 1 — Live Dump Capture Dump Data API started.

Provider
Microsoft-Windows-Kernel-LiveDump
Channel
Analytic
Task
LiveDumpCaptureDumpDataAPI
Opcode
APIStart

Description

Live Dump Capture Dump Data API started. Flags: ControlFlags. AddPagesControl: AddPagesControl.

Message

Live Dump Capture Dump Data API started.  Flags: %1.  AddPagesControl: %2

Fields

Name | Description
ControlFlags UInt64
AddPagesControl UInt64

Event ID 2 — Live Dump Capture Dump Data API ended.

Provider
Microsoft-Windows-Kernel-LiveDump
Channel
Operational
Task
Live Dump Capture Dump Data API
Opcode
API End

Message

Live Dump Capture Dump Data API ended. NT Status: %1.  BugcheckCode: %2. BugcheckParameter1: %3. BugcheckParameter2: %4. BugcheckParameter3: %5. BugcheckParameter4: %6. AbortIfMemoryPressure: %7. DumpCaptureDuration: %8ms. SelectiveDump: %9. DynamicLowMemoryThreshold: %10 bytes.  AvailablePhysicalMemory: %11 bytes.  TotalPhysicalMemory: %12 bytes.  IOSpaceEnabled: %13.

Fields

Name | Description
NTStatus UInt32
BugcheckCode UInt32
BugCheckParameter1 Pointer
BugCheckParameter2 Pointer
BugCheckParameter3 Pointer
BugCheckParameter4 Pointer
AbortIfMemoryPressure UInt32
DumpCaptureDuration_ms UInt64
SelectiveDump UInt32
DynamicLowMemoryThresholdBytes UInt64
AvailablePhysicalMemoryInBytes UInt64
TotalPhysicalMemoryInBytes UInt64
IOSpaceEnabled Boolean

Event ID 3 — Writing dump file started.

Provider
Microsoft-Windows-Kernel-LiveDump
Channel
Operational
Task
LiveDumpCaptureDumpDataAPI
Opcode
DumpFileWriteStart

Description

Writing dump file started.

Message

Writing dump file started.

Event ID 4 — Writing dump file ended.

Provider
Microsoft-Windows-Kernel-LiveDump
Channel
Operational
Task
LiveDumpCaptureDumpDataAPI
Opcode
DumpFileWriteEnd

Description

Writing dump file ended. NT Status: NTStatus. Total TotalBytes bytes (Header|Primary|Secondary: HeaderBytes|PrimaryDataBytes|SecondaryDataBytes bytes). DumpWriteDuration: DumpWriteDuration_msms.

Message

Writing dump file ended. NT Status: %1. Total %2 bytes (Header|Primary|Secondary: %3|%4|%5 bytes). DumpWriteDuration: %6ms.

Fields

Name | Description
Writing_dump_file_ended_NT_Status | Writing dump file ended. NT Status.
NTStatus UInt32
TotalBytes UInt64
HeaderBytes UInt64
PrimaryDataBytes UInt64
SecondaryDataBytes UInt64
DumpWriteDuration_ms UInt64

Event ID 5 — Live Dump request aborted due to memory pressure on system

Provider
Microsoft-Windows-Kernel-LiveDump
Channel
Analytic
Task
LiveDumpCaptureDumpDataAPI
Opcode
BufferAllocationData

Description

Live Dump request aborted due to memory pressure on system.

Message

Live Dump request aborted due to memory pressure on system

Event ID 6 — LiveDump Event Generic

Provider
Microsoft-Windows-Kernel-LiveDump
Channel
Operational
Task
SizingWorkflow

Description

LiveDump Event Generic.

Message

LiveDump Event Generic

Fields

Name | Description
LiveDumpEventDescription UnicodeString
Parameter1Name UnicodeString
Parameter1Value UInt64
Parameter2Name UnicodeString
Parameter2Value UInt64
Parameter3Name UnicodeString
Parameter3Value UInt64
Parameter4Name UnicodeString
Parameter4Value UInt64
Parameter5Name UnicodeString
Parameter5Value UInt64
Parameter6Name UnicodeString
Parameter6Value UInt64
Parameter7Name UnicodeString
Parameter7Value UInt64
Parameter8Name UnicodeString
Parameter8Value UInt64

Event ID 101 — Sizing Workflow: Mirroring started.

Provider
Microsoft-Windows-Kernel-LiveDump
Channel
Operational
Task
SizingWorkflow
Opcode
MirroringStart

Description

Sizing Workflow: Mirroring started.

Message

Sizing Workflow: Mirroring started.

Event ID 102 — Sizing Workflow: Mirroring Phase 0 ended.

Provider
Microsoft-Windows-Kernel-LiveDump
Channel
Analytic
Task
SizingWorkflow
Opcode
MirroringPhase0End

Description

Sizing Workflow: Mirroring Phase 0 ended.

Message

Sizing Workflow: Mirroring Phase 0 ended.

Event ID 103 — Sizing Workflow: Mirroring Phase 1 ended.

Provider
Microsoft-Windows-Kernel-LiveDump
Channel
Analytic
Task
SizingWorkflow
Opcode
MirroringPhase1End

Description

Sizing Workflow: Mirroring Phase 1 ended.

Message

Sizing Workflow: Mirroring Phase 1 ended.

Event ID 104 — Sizing Workflow: System Quiesce started.

Provider
Microsoft-Windows-Kernel-LiveDump
Channel
Operational
Task
SizingWorkflow
Opcode
SystemQuiesceStart

Description

Sizing Workflow: System Quiesce started.

Message

Sizing Workflow: System Quiesce started.

Event ID 105 — Sizing Workflow: System Quiesce ended.

Provider
Microsoft-Windows-Kernel-LiveDump
Channel
Operational
Task
SizingWorkflow
Opcode
SystemQuiesceEnd

Description

Sizing Workflow: System Quiesce ended.

Message

Sizing Workflow: System Quiesce ended.

Event ID 106 — Sizing Workflow: Estimation.

Provider
Microsoft-Windows-Kernel-LiveDump
Channel
Operational
Task
SizingWorkflow
Opcode
BufferEstimationData

Description

Sizing Workflow: Estimation. NT: NtEstimatedPrimaryDataBytes bytes (Minimum NtEstimatedRequiredPrimaryDataBytes bytes). Hypervisor: Primary HvEstimatedPrimaryDataBytes bytes. Secondary HvEstimatedSecondaryDataBytes bytes.

Message

Sizing Workflow: Estimation. NT: %2 bytes (Minimum %1 bytes). Hypervisor: Primary %3 bytes. Secondary %4 bytes.

Fields

Name | Description
Sizing_Workflow_Estimation_NT
NtEstimatedRequiredPrimaryDataBytes UInt64
NtEstimatedPrimaryDataBytes UInt64
HvEstimatedPrimaryDataBytes UInt64
HvEstimatedSecondaryDataBytes UInt64
SkEstimatedPrimaryDataBytes UInt64
MemoryEstimationDuration_ms UInt64
SystemQuiescedDuration_ms UInt64
EndMirroringPhasesDuration_ms UInt64
MirrorPhysicalMemoryDuration_ms UInt64
MirrorPhysicalMemorySizeInBytes UInt64
HvlCalculateLiveDumpSizeDuration_ms UInt64

Event ID 107 — Sizing Workflow: Allocation.

Provider
Microsoft-Windows-Kernel-LiveDump
Channel
Operational
Task
SizingWorkflow
Opcode
BufferAllocationData

Description

Sizing Workflow: Allocation. NT: NtPrimaryDataBytes bytes. Hypervisor: Primary HvPrimaryDataBytes bytes. Secondary HvSecondaryDataBytes bytes.

Message

Sizing Workflow: Allocation. NT: %1 bytes. Hypervisor: Primary %2 bytes. Secondary %3 bytes.

Fields

Name | Description
Sizing_Workflow_Allocation_NT | Sizing Workflow: Allocation. NT.
NtPrimaryDataBytes UInt64
HvPrimaryDataBytes UInt64
HvSecondaryDataBytes UInt64
SkPrimaryDataBytes UInt64
AllocateDumpBuffersDuration_ms UInt64
AllocateExtraBuffersDuration_ms UInt64
HvlPrepareLivedumpDescriptorDuration_ms UInt64

Event ID 108 — Sizing Workflow: RemovePages Callbacks started.

Provider
Microsoft-Windows-Kernel-LiveDump
Channel
Analytic
Task
SizingWorkflow
Opcode
RemovePagesCallbacks

Description

Sizing Workflow: RemovePages Callbacks started.

Message

Sizing Workflow: RemovePages Callbacks started.

Event ID 109 — Sizing Workflow: RemovePages Callbacks ended.

Provider
Microsoft-Windows-Kernel-LiveDump
Channel
Analytic
Task
SizingWorkflow
Opcode
RemovePagesCallbacks

Description

Sizing Workflow: RemovePages Callbacks ended.

Message

Sizing Workflow: RemovePages Callbacks ended.

Event ID 110 — Sizing Workflow: RemovePages Callback CallbackIdentifier started.

Provider
Microsoft-Windows-Kernel-LiveDump
Channel
Analytic
Task
SizingWorkflow
Opcode
RemovePagesCallbacks

Description

Sizing Workflow: RemovePages Callback CallbackIdentifier started.

Message

Sizing Workflow: RemovePages Callback %1 started.

Fields

Name | Description
CallbackIdentifier AnsiString

Event ID 111 — Sizing Workflow: RemovePages Callback CallbackIdentifier ended.

Provider
Microsoft-Windows-Kernel-LiveDump
Channel
Analytic
Task
SizingWorkflow
Opcode
RemovePagesCallbacks

Description

Sizing Workflow: RemovePages Callback CallbackIdentifier ended.

Message

Sizing Workflow: RemovePages Callback %1 ended.

Fields

Name | Description
CallbackIdentifier AnsiString

Event ID 112 — Sizing Workflow: RemovePages Callback CallbackIdentifier failed.

Provider
Microsoft-Windows-Kernel-LiveDump
Channel
Analytic
Task
SizingWorkflow
Opcode
RemovePagesCallbacks

Description

Sizing Workflow: RemovePages Callback CallbackIdentifier failed. NT Status: NTStatus.

Message

Sizing Workflow: RemovePages Callback %1 failed. NT Status: %2.

Fields

Name | Description
CallbackIdentifier AnsiString
NTStatus UInt32

Event ID 113 — Sizing workflow: EstimatedPageCount pages estimated to be allocated and AllocatedPageCount pages allocated.

Provider
Microsoft-Windows-Kernel-LiveDump
Channel
Operational
Task
SizingWorkflow
Opcode
BufferEstimationData

Message

Sizing workflow: %1 pages estimated to be allocated and %2 pages allocated (VM memory partition's IOSpace|VM memory partition|System partition's IOSpace|System partition: %3|%4|%5|%6 pages). Limit dump file size: %7. Dump file size limit: %8 bytes. Dump file size limit reached: %9. Aborted while buffer allocation: %10.

Fields

Name | Description
Sizing_workflow
Dump_file_size_limit
bytes_Dump_file_size_limit_reached
Aborted_while_buffer_allocation
EstimatedPageCount UInt64
AllocatedPageCount UInt64
VMMemoryPartitionIOSpaceAllocatedPages UInt64
VMMemoryPartitionAllocatedPages UInt64
SystemPartitionIOSpaceAllocatedPages UInt64
SystemPartitionAllocatedPages UInt64
LimitDumpFileSize UInt32
DumpFileSizeLimitInBytes UInt64
DumpFileSizeLimitReached UInt32
AbortWhileBufferAllocation UInt32

Event ID 114 — Sizing Workflow: Query Hvl for dump size failed.

Provider
Microsoft-Windows-Kernel-LiveDump
Channel
Operational
Task
SizingWorkflow
Opcode
BufferEstimationData

Description

Sizing Workflow: Query Hvl for dump size failed. NT Status: NTStatus.

Message

Sizing Workflow: Query Hvl for dump size failed. NT Status: %1.

Fields

Name | Description
NTStatus UInt32

Event ID 115 — Sizing Workflow: Open VM memory partition failed.

Provider
Microsoft-Windows-Kernel-LiveDump
Channel
Operational
Task
SizingWorkflow
Opcode
BufferAllocationData

Description

Sizing Workflow: Open VM memory partition failed. NT Status: NTStatus.

Message

Sizing Workflow: Open VM memory partition failed. NT Status: %1

Fields

Name | Description
NTStatus UInt32

Event ID 116 — Sizing Workflow: Buffer allocation from the VM memory partition failed.

Provider
Microsoft-Windows-Kernel-LiveDump
Channel
Operational
Task
SizingWorkflow
Opcode
BufferAllocationData

Description

Sizing Workflow: Buffer allocation from the VM memory partition failed. NT Status: NTStatus.

Message

Sizing Workflow: Buffer allocation from the VM memory partition failed. NT Status: %1

Fields

Name | Description
NTStatus UInt32

Event ID 117 — Sizing Workflow: Capture processor context when the system is quiesced.

Provider
Microsoft-Windows-Kernel-LiveDump
Channel
Analytic
Task
SizingWorkflow
Opcode
CaptureProcessorContext

Description

Sizing Workflow: Capture processor context when the system is quiesced. Duration: Duration_msms.

Message

Sizing Workflow: Capture processor context when the system is quiesced. Duration: %1ms.

Fields

Name | Description
Duration_ms UInt64

Event ID 118 — Sizing Workflow: Mark required dump data when system is quiesced.

Provider
Microsoft-Windows-Kernel-LiveDump
Channel
Analytic
Task
SizingWorkflow
Opcode
MarkRequiredDumpData

Description

Sizing Workflow: Mark required dump data when system is quiesced. Duration: MarkRequiredDumpDataDuration_msms.

Message

Sizing Workflow: Mark required dump data when system is quiesced. Duration: %1ms.

Fields

Name | Description
MarkRequiredDumpDataDuration_ms UInt64

Event ID 119 — Sizing Workflow: Mark important dump data when system is quiesced.

Provider
Microsoft-Windows-Kernel-LiveDump
Channel
Analytic
Task
SizingWorkflow
Opcode
MarkImportantDumpData

Description

Sizing Workflow: Mark important dump data when system is quiesced. Duration: MarkImportantDumpDataDuration_msms.

Message

Sizing Workflow: Mark important dump data when system is quiesced. Duration: %1ms.

Fields

Name | Description
MarkImportantDumpDataDuration_ms UInt64

Event ID 120 — Sizing Workflow: Populate bitmap for dump when system is quiesced.

Provider
Microsoft-Windows-Kernel-LiveDump
Channel
Analytic
Task
SizingWorkflow
Opcode
PopulateBitmapForDump

Description

Sizing Workflow: Populate bitmap for dump when system is quiesced. PopulateBitmapForDumpDuration: PopulateBitmapForDumpDuration_msms. RemoveSystemCacheFromDumpDuration RemoveSystemCacheFromDumpDuration_msms.

Message

Sizing Workflow: Populate bitmap for dump when system is quiesced. PopulateBitmapForDumpDuration: %1ms. RemoveSystemCacheFromDumpDuration %2ms.

Fields

Name | Description
PopulateBitmapForDumpDuration_ms UInt64
RemoveSystemCacheFromDumpDuration_ms UInt64

Event ID 121 — Sizing Workflow: Corral processors to quiesce the system.

Provider
Microsoft-Windows-Kernel-LiveDump
Channel
Analytic
Task
SizingWorkflow
Opcode
CorralProcessors

Description

Sizing Workflow: Corral processors to quiesce the system. CorralDuration: CorralDuration_msms. DisableInterruptsDuration: DisableInterruptsDuration_msms. SaveSupervisorStateDuration: SaveSupervisorStateDuration_msms. SuspendClockTimerDuration: SuspendClockTimerDuration_msms.

Message

Sizing Workflow: Corral processors to quiesce the system. CorralDuration: %1ms. DisableInterruptsDuration: %2ms. SaveSupervisorStateDuration: %3ms. SuspendClockTimerDuration: %4ms.

Fields

Name | Description
CorralDuration_ms UInt64
DisableInterruptsDuration_ms UInt64
SaveSupervisorStateDuration_ms UInt64
SuspendClockTimerDuration_ms UInt64

Event ID 122 — Sizing Workflow: Uncorral processors to quiesce the system.

Provider
Microsoft-Windows-Kernel-LiveDump
Channel
Analytic
Task
SizingWorkflow
Opcode
UncorralProcessors

Description

Sizing Workflow: Uncorral processors to quiesce the system. UncorralDuration: UncorralDuration_msms. EnableInterruptsDuration: EnableInterruptsDuration_msms. RestoreSupervisorStateDuration: RestoreSupervisorStateDuration_msms. ResumeClockTimerDuration: ResumeClockTimerDuration_msms.

Message

Sizing Workflow: Uncorral processors to quiesce the system. UncorralDuration: %1ms. EnableInterruptsDuration: %2ms. RestoreSupervisorStateDuration: %3ms. ResumeClockTimerDuration: %4ms.

Fields

Name | Description
UncorralDuration_ms UInt64
EnableInterruptsDuration_ms UInt64
RestoreSupervisorStateDuration_ms UInt64
ResumeClockTimerDuration_ms UInt64

Event ID 123 — Sizing Workflow: MmDuplicateMemory failed.

Provider
Microsoft-Windows-Kernel-LiveDump
Channel
Operational
Task
SizingWorkflow
Opcode
MmDuplicateMemoryFailure

Description

Sizing Workflow: MmDuplicateMemory failed. NT Status: NTStatus. MirrorInProgress: MirrorInProgress.

Message

Sizing Workflow: MmDuplicateMemory failed. NT Status: %1. MirrorInProgress: %2.

Fields

Name | Description
NTStatus UInt32
MirrorInProgress UInt64

Event ID 124 — IO space utilization disabled when HV/SK pages requested, NoSecrets mode disabled, and SK running.

Provider
Microsoft-Windows-Kernel-LiveDump
Channel
Operational
Task
SizingWorkflow
Opcode
LiveDumpDisableIOSpaceUtilization

Description

IO space utilization disabled when HV/SK pages requested, NoSecrets mode disabled, and SK running.

Message

IO space utilization disabled when HV/SK pages requested, NoSecrets mode disabled, and SK running.

Event ID 125 — Callout for Callout (included Included).

Provider
Microsoft-Windows-Kernel-LiveDump
Channel
Operational
Task
SizingWorkflow
Opcode
LiveDumpFeatureCallout

Description

Callout for Callout (included Included).

Message

Callout for %1 (included %2).

Fields

Name | Description
Callout UInt32
Included Boolean

Event ID 126 — Sizing Workflow: Call to Hvl for preparing livedump descriptor failed.

Provider
Microsoft-Windows-Kernel-LiveDump
Channel
Operational
Task
SizingWorkflow
Opcode
HvlPrepareLiveDumpDescriptorFailure

Description

Sizing Workflow: Call to Hvl for preparing livedump descriptor failed. NT Status: NTStatus.

Message

Sizing Workflow: Call to Hvl for preparing livedump descriptor failed. NT Status: %1

Fields

Name | Description
NTStatus UInt32

Event ID 151 — Capture Pages Workflow: Mirroring started.

Provider
Microsoft-Windows-Kernel-LiveDump
Channel
Analytic
Task
CapturePagesWorkflow
Opcode
MirroringStart

Description

Capture Pages Workflow: Mirroring started.

Message

Capture Pages Workflow: Mirroring started.

Event ID 152 — Capture Pages Workflow: Mirroring Phase 0 ended.

Provider
Microsoft-Windows-Kernel-LiveDump
Channel
Analytic
Task
CapturePagesWorkflow
Opcode
MirroringPhase0End

Description

Capture Pages Workflow: Mirroring Phase 0 ended.

Message

Capture Pages Workflow: Mirroring Phase 0 ended.

Event ID 153 — Capture Pages Workflow: Mirroring Phase 1 ended.

Provider
Microsoft-Windows-Kernel-LiveDump
Channel
Analytic
Task
CapturePagesWorkflow
Opcode
MirroringPhase1End

Description

Capture Pages Workflow: Mirroring Phase 1 ended.

Message

Capture Pages Workflow: Mirroring Phase 1 ended.

Event ID 154 — Capture Pages Workflow: System Quiesce started.

Provider
Microsoft-Windows-Kernel-LiveDump
Channel
Operational
Task
CapturePagesWorkflow
Opcode
SystemQuiesceStart

Description

Capture Pages Workflow: System Quiesce started.

Message

Capture Pages Workflow: System Quiesce started.

Event ID 155 — Capture Pages Workflow: System Quiesce ended.

Provider
Microsoft-Windows-Kernel-LiveDump
Channel
Operational
Task
CapturePagesWorkflow
Opcode
SystemQuiesceEnd

Description

Capture Pages Workflow: System Quiesce ended.

Message

Capture Pages Workflow: System Quiesce ended.

Event ID 156 — Capture Pages Workflow: Copy memory pages started.

Provider
Microsoft-Windows-Kernel-LiveDump
Channel
Operational
Task
CapturePagesWorkflow
Opcode
CopyingMemoryPagesStart

Description

Capture Pages Workflow: Copy memory pages started.

Message

Capture Pages Workflow: Copy memory pages started.

Event ID 157 — Capture Pages Workflow: Copy memory pages ended.

Provider
Microsoft-Windows-Kernel-LiveDump
Channel
Operational
Task
CapturePagesWorkflow
Opcode
CopyingMemoryPagesEnd

Description

Capture Pages Workflow: Copy memory pages ended.

Message

Capture Pages Workflow: Copy memory pages ended.

Event ID 158 — Capture Pages Workflow: Capture processor context when the system is quiesced.

Provider
Microsoft-Windows-Kernel-LiveDump
Channel
Analytic
Task
CapturePagesWorkflow
Opcode
CaptureProcessorContext

Description

Capture Pages Workflow: Capture processor context when the system is quiesced. Duration: Duration_msms.

Message

Capture Pages Workflow: Capture processor context when the system is quiesced. Duration: %1ms.

Fields

Name | Description
Duration_ms UInt64

Event ID 159 — Capture Pages Workflow: Mark required dump data when system is quiesced.

Provider
Microsoft-Windows-Kernel-LiveDump
Channel
Analytic
Task
CapturePagesWorkflow
Opcode
MarkRequiredDumpData

Description

Capture Pages Workflow: Mark required dump data when system is quiesced. Duration: MarkRequiredDumpDataDuration_msms.

Message

Capture Pages Workflow: Mark required dump data when system is quiesced. Duration: %1ms.

Fields

Name | Description
MarkRequiredDumpDataDuration_ms UInt64

Event ID 160 — Capture Pages Workflow: Mark important dump data when system is quiesced.

Provider
Microsoft-Windows-Kernel-LiveDump
Channel
Analytic
Task
CapturePagesWorkflow
Opcode
MarkImportantDumpData

Description

Capture Pages Workflow: Mark important dump data when system is quiesced. Duration: MarkImportantDumpDataDuration_msms.

Message

Capture Pages Workflow: Mark important dump data when system is quiesced. Duration: %1ms.

Fields

Name | Description
MarkImportantDumpDataDuration_ms UInt64

Event ID 161 — Capture Pages Workflow: Populate bitmap for dump when system is quiesced.

Provider
Microsoft-Windows-Kernel-LiveDump
Channel
Analytic
Task
CapturePagesWorkflow
Opcode
PopulateBitmapForDump

Description

Capture Pages Workflow: Populate bitmap for dump when system is quiesced. PopulateBitmapForDumpDuration: PopulateBitmapForDumpDuration_msms. RemoveSystemCacheFromDumpDuration RemoveSystemCacheFromDumpDuration_msms.

Message

Capture Pages Workflow: Populate bitmap for dump when system is quiesced. PopulateBitmapForDumpDuration: %1ms. RemoveSystemCacheFromDumpDuration %2ms.

Fields

Name | Description
PopulateBitmapForDumpDuration_ms UInt64
RemoveSystemCacheFromDumpDuration_ms UInt64

Event ID 162 — Capture Pages Workflow: Collect Hvl dump when system is quiesced.

Provider
Microsoft-Windows-Kernel-LiveDump
Channel
Analytic

Description

Capture Pages Workflow: Collect Hvl dump when system is quiesced. Duration: Duration_msms.

Message

Capture Pages Workflow: Collect Hvl dump when system is quiesced. Duration: %1ms.

Fields

Name | Description
Duration_ms UInt64

Event ID 163 — Capture Pages Workflow: Generate Ipt secondary data when system is quiesced.

Provider
Microsoft-Windows-Kernel-LiveDump
Channel
Analytic
Task
CapturePagesWorkflow
Opcode
GenerateIptSecondaryData

Description

Capture Pages Workflow: Generate Ipt secondary data when system is quiesced. Duration: Duration_msms.

Message

Capture Pages Workflow: Generate Ipt secondary data when system is quiesced. Duration: %1ms.

Fields

Name | Description
Duration_ms UInt64

Event ID 164 — Capture Pages Workflow: Initiate state change to copy contents of marked pages when system is quiesced.

Provider
Microsoft-Windows-Kernel-LiveDump
Channel
Analytic

Description

Capture Pages Workflow: Initiate state change to copy contents of marked pages when system is quiesced. Duration: Duration_msms.

Message

Capture Pages Workflow: Initiate state change to copy contents of marked pages when system is quiesced. Duration: %1ms.

Fields

Name | Description
Duration_ms UInt64

Event ID 165 — Capture Pages Workflow: Corral processors to quiesce the system.

Provider
Microsoft-Windows-Kernel-LiveDump
Channel
Analytic
Task
CapturePagesWorkflow
Opcode
CorralProcessors

Description

Capture Pages Workflow: Corral processors to quiesce the system. CorralDuration: CorralDuration_msms. DisableInterruptsDuration: DisableInterruptsDuration_msms. SaveSupervisorStateDuration: SaveSupervisorStateDuration_msms. SuspendClockTimerDuration: SuspendClockTimerDuration_msms.

Message

Capture Pages Workflow: Corral processors to quiesce the system. CorralDuration: %1ms. DisableInterruptsDuration: %2ms. SaveSupervisorStateDuration: %3ms. SuspendClockTimerDuration: %4ms.

Fields

Name | Description
CorralDuration_ms UInt64
DisableInterruptsDuration_ms UInt64
SaveSupervisorStateDuration_ms UInt64
SuspendClockTimerDuration_ms UInt64

Event ID 166 — Capture Pages Workflow: Uncorral processors to quiesce the system.

Provider
Microsoft-Windows-Kernel-LiveDump
Channel
Analytic
Task
CapturePagesWorkflow
Opcode
UncorralProcessors

Description

Capture Pages Workflow: Uncorral processors to quiesce the system. UncorralDuration: UncorralDuration_msms. EnableInterruptsDuration: EnableInterruptsDuration_msms. RestoreSupervisorStateDuration: RestoreSupervisorStateDuration_msms. ResumeClockTimerDuration: ResumeClockTimerDuration_msms.

Message

Capture Pages Workflow: Uncorral processors to quiesce the system. UncorralDuration: %1ms. EnableInterruptsDuration: %2ms. RestoreSupervisorStateDuration: %3ms. ResumeClockTimerDuration: %4ms.

Fields

Name | Description
UncorralDuration_ms UInt64
EnableInterruptsDuration_ms UInt64
RestoreSupervisorStateDuration_ms UInt64
ResumeClockTimerDuration_ms UInt64

Event ID 167 — Capture Pages Workflow: Capture memory pages.

Provider
Microsoft-Windows-Kernel-LiveDump
Channel
Operational
Task
CapturePagesWorkflow
Opcode
CaptureMemoryPages

Message

Capture Pages Workflow: Capture memory pages. MemoryCaptureDuration: %1ms. SystemQuiescedDuration: %2ms. EndMirroringPhasesDuration: %3ms. MirrorPhysicalMemoryDuration: %4ms. MirrorPhysicalMemorySizeInBytes: %5 bytes. HvlCollectLivedumpDuration: %6ms. DumpDataBufferingDuration: %7ms.

Fields

Name | Description
MemoryCaptureDuration_ms UInt64
SystemQuiescedDuration_ms UInt64
EndMirroringPhasesDuration_ms UInt64
MirrorPhysicalMemoryDuration_ms UInt64
MirrorPhysicalMemorySizeInBytes UInt64
HvlCollectLivedumpDuration_ms UInt64
DumpDataBufferingDuration_ms UInt64

Event ID 168 — Capture Pages Workflow: MmDuplicateMemory failed.

Provider
Microsoft-Windows-Kernel-LiveDump
Channel
Operational
Task
CapturePagesWorkflow
Opcode
MmDuplicateMemoryFailure

Description

Capture Pages Workflow: MmDuplicateMemory failed. NT Status: NTStatus. MirrorInProgress: MirrorInProgress.

Message

Capture Pages Workflow: MmDuplicateMemory failed. NT Status: %1. MirrorInProgress: %2.

Fields

Name | Description
NTStatus UInt32
MirrorInProgress UInt64

Event ID 169 — Callout for Callout (included Included).

Provider
Microsoft-Windows-Kernel-LiveDump
Channel
Operational
Task
CapturePagesWorkflow
Opcode
LiveDumpFeatureCallout

Description

Callout for Callout (included Included).

Message

Callout for %1 (included %2).

Fields

Name | Description
Callout UInt32
Included Boolean

Event ID 201 — Live Dump Write Deferred Dump Data API started.

Provider
Microsoft-Windows-Kernel-LiveDump
Channel
Analytic
Task
LiveDumpWriteDeferredDumpDataAPI
Opcode
APIStart

Description

Live Dump Write Deferred Dump Data API started.

Message

Live Dump Write Deferred Dump Data API started.

Event ID 202 — Live Dump Write Deferred Dump Data API ended.

Provider
Microsoft-Windows-Kernel-LiveDump
Channel
Operational
Task
Live Dump Write Deferred Dump Data API
Opcode
API End

Message

Live Dump Write Deferred Dump Data API ended. NT Status: %1. BugcheckCode: %2. BugcheckParameter1: %3. BugcheckParameter2: %4. BugcheckParameter3: %5. BugcheckParameter4: %6. DumpWriteDuration: %8ms.  SelectiveDump: %9. DynamicLowMemoryThreshold: %10 bytes.  AvailablePhysicalMemory: %11 bytes.  TotalPhysicalMemory: %12 bytes.  IOSpaceEnabled: %13.

Fields

Name | Description
NTStatus UInt32
BugcheckCode UInt32
BugCheckParameter1 Pointer
BugCheckParameter2 Pointer
BugCheckParameter3 Pointer
BugCheckParameter4 Pointer
AbortIfMemoryPressure UInt32
DumpCaptureDuration_ms UInt64
SelectiveDump UInt32
DynamicLowMemoryThresholdBytes UInt64
AvailablePhysicalMemoryInBytes UInt64
TotalPhysicalMemoryInBytes UInt64
IOSpaceEnabled Boolean

Event ID 203 — Write deferred dump data to file started.

Provider
Microsoft-Windows-Kernel-LiveDump
Channel
Operational
Task
LiveDumpWriteDeferredDumpDataAPI
Opcode
DumpFileWriteStart

Description

Write deferred dump data to file started.

Message

Write deferred dump data to file started.

Event ID 204 — Write deferred dump data to file ended.

Provider
Microsoft-Windows-Kernel-LiveDump
Channel
Operational
Task
LiveDumpWriteDeferredDumpDataAPI
Opcode
DumpFileWriteEnd

Description

Write deferred dump data to file ended. NT Status: NTStatus. Total TotalBytes bytes (Header|Primary|Secondary: HeaderBytes|PrimaryDataBytes|SecondaryDataBytes bytes). DumpWriteDuration: DumpWriteDuration_msms.

Message

Write deferred dump data to file ended. NT Status: %1. Total %2 bytes (Header|Primary|Secondary: %3|%4|%5 bytes). DumpWriteDuration: %6ms.

Fields

Name | Description
NTStatus UInt32
TotalBytes UInt64
HeaderBytes UInt64
PrimaryDataBytes UInt64
SecondaryDataBytes UInt64
DumpWriteDuration_ms UInt64

Event ID 251 — Live Dump Discard Deferred Dump Data API started.

Provider
Microsoft-Windows-Kernel-LiveDump
Channel
Analytic
Task
LiveDumpDiscardDeferredDumpDataAPI
Opcode
APIStart

Description

Live Dump Discard Deferred Dump Data API started.

Message

Live Dump Discard Deferred Dump Data API started.

Event ID 252 — Live Dump Discard Deferred Dump Data API ended.

Provider
Microsoft-Windows-Kernel-LiveDump
Channel
Operational
Task
Live Dump Discard Deferred Dump Data API
Opcode
API End

Description

Live Dump Discard Deferred Dump Data API ended. NT Status: NTStatus. BugcheckCode: BugcheckCode. BugcheckParameter1: BugCheckParameter1. BugcheckParameter2: BugCheckParameter2. BugcheckParameter3: BugCheckParameter3. BugcheckParameter4: BugCheckParameter4.

Message

Live Dump Discard Deferred Dump Data API ended. NT Status: %1. BugcheckCode: %2. BugcheckParameter1: %3. BugcheckParameter2: %4. BugcheckParameter3: %5. BugcheckParameter4: %6.

Fields

Name | Description
NTStatus UInt32
BugcheckCode UInt32
BugCheckParameter1 Pointer
BugCheckParameter2 Pointer
BugCheckParameter3 Pointer
BugCheckParameter4 Pointer
AbortIfMemoryPressure UInt32
DumpCaptureDuration_ms UInt64
SelectiveDump UInt32
DynamicLowMemoryThresholdBytes UInt64
AvailablePhysicalMemoryInBytes UInt64
TotalPhysicalMemoryInBytes UInt64
IOSpaceEnabled Boolean

Event ID 271 — AllowLiveDump policy: AllowLiveDump_policy.

Provider
Microsoft-Windows-Kernel-LiveDump
Channel
Operational
Task
LiveDumpPolicy
Opcode
PolicyOperationFailed

Description

AllowLiveDump policy: AllowLiveDump_policy.

Message

AllowLiveDump policy: %1.

Fields

Name | Description
AllowLiveDump_policy AnsiString
OperationType AnsiString
Known values
%%1904 | New registry value created
%%1905 | Existing registry value modified
%%1906 | Registry value deleted
%%14674 | Value Added
%%14675 | Value Deleted
%%14680 | Value Added With Expiration Time
%%14681 | Value Deleted With Expiration Time
%%14688 | Value Auto Deleted With Expiration Time

Event ID 272 — AllowLiveDump policy value changed (AllowLiveDump = PolicyValue).

Provider
Microsoft-Windows-Kernel-LiveDump
Channel
Operational
Task
LiveDumpPolicy
Opcode
PolicyValueChanged

Description

AllowLiveDump policy value changed (AllowLiveDump = PolicyValue). Configure live dump. NT status: NTStatus.

Message

AllowLiveDump policy value changed (AllowLiveDump = %1). Configure live dump. NT status: %2

Fields

Name | Description
PolicyValue UInt32
NTStatus UInt32

Event ID 273 — LiveDump disabled on boot by policy (AllowLiveDump = PolicyValue).

Provider
Microsoft-Windows-Kernel-LiveDump
Channel
Operational
Task
LiveDumpPolicy
Opcode
LiveDumpDisabledOnBoot

Description

LiveDump disabled on boot by policy (AllowLiveDump = PolicyValue).

Message

LiveDump disabled on boot by policy (AllowLiveDump = %1).

Fields

Name | Description
PolicyValue UInt32