Microsoft-Windows-Kernel-Memory

14 events across 1 channel

Event ID	Title	Channel
1		Analytic
2		Analytic
3		Analytic
4		Analytic
5		Analytic
6		Analytic
7		Analytic
8		Analytic
9		Analytic
10		Analytic
11		Analytic
12		Analytic
13		Analytic
14		Analytic

Event ID 1 —

Provider: Microsoft-Windows-Kernel-Memory
Channel: Analytic
Task: MemInfo

Fields #

Name	Description
`PriorityLevels` UInt8	—
`ZeroPageCount` Pointer	—
`FreePageCount` Pointer	—
`ModifiedPageCount` Pointer	—
`ModifiedNoWritePageCount` Pointer	—
`BadPageCount` Pointer	—
`StandbyPageCounts` Pointer	—
`RepurposedPageCounts` Pointer	—
`ModifiedPageCountPageFile` Pointer	—
`PagedPoolPageCount` Pointer	—
`NonPagedPoolPageCount` Pointer	—
`MdlPageCount` Pointer	—
`CommitPageCount` Pointer	—

Event ID 2 —

Provider: Microsoft-Windows-Kernel-Memory
Channel: Analytic
Task: MemInfoWS

Fields #

Name	Description
`Count` UInt32	—
`WSCommitInfo` AnsiString	—

Event ID 3 —

Provider: Microsoft-Windows-Kernel-Memory
Channel: Analytic
Task: MemInfoSessionWS

Fields #

Name	Description
`Count` UInt32	—
`SessionWSCommitInfo` AnsiString	—

Event ID 4 —

Provider: Microsoft-Windows-Kernel-Memory
Channel: Analytic
Task: WorkingSetOutSwap
Opcode: Start

Fields #

Name	Description
`ProcessId` UInt32	—
`Flags` HexInt32	—

Event ID 5 —

Provider: Microsoft-Windows-Kernel-Memory
Channel: Analytic
Task: WorkingSetOutSwap
Opcode: Stop

Fields #

Name	Description
`ProcessId` UInt32	—
`Status` HexInt32	— NTSTATUS reference
`PagesProcessed` Pointer	—
`WriteCombinePagesProcessed` Pointer	—
`UncachedPagesProcessed` Pointer	—
`CleanPagesProcessed` Pointer	—

Event ID 6 —

Provider: Microsoft-Windows-Kernel-Memory
Channel: Analytic
Task: WorkingSetInSwap
Opcode: Start

Fields #

Name	Description
`ProcessId` UInt32	—
`Flags` HexInt32	—

Event ID 7 —

Provider: Microsoft-Windows-Kernel-Memory
Channel: Analytic
Task: WorkingSetInSwap
Opcode: Stop

Fields #

Name	Description
`ProcessId` UInt32	—
`Status` HexInt32	— NTSTATUS reference

Event ID 8 —

Provider: Microsoft-Windows-Kernel-Memory
Channel: Analytic
Task: Acg

Fields #

Name	Description
`AcgFlag` UInt32	—

Event ID 9 —

Provider: Microsoft-Windows-Kernel-Memory
Channel: Analytic
Task: WorkingSetInSwap

Fields #

Name	Description
`ProcessId` UInt32	—
`Status` HexInt32	— NTSTATUS reference

Event ID 10 —

Provider: Microsoft-Windows-Kernel-Memory
Channel: Analytic
Task: MdlAllocation

Fields #

Name	Description
`DurationInMicroseconds` UInt64	—
`TotalBytes` UInt64	—
`LowAddress` UInt64	—
`HighAddress` UInt64	—
`SkipBytes` UInt64	—
`MemoryDescriptorList` Pointer	—
`IdealNode` UInt32	—
`Flags` UInt32	—

Event ID 11 —

Provider: Microsoft-Windows-Kernel-Memory
Channel: Analytic
Task: ContAllocation

Fields #

Name	Description
`DurationInMicroseconds` UInt64	—
`TotalBytes` UInt64	—
`LowAddress` UInt64	—
`HighAddress` UInt64	—
`Boundary` UInt64	—
`PhysicalAddress` UInt64	—
`MappedAddress` Pointer	—
`ProtectionMask` UInt32	—
`PreferredNode` UInt32	—
`PartitionId` UInt32	—
`Tag` UInt32	—
`Flags` UInt32	—
`AllocatedFromPool` Boolean	—
`AllocatedFromExtension` Boolean	—

Event ID 12 —

Provider: Microsoft-Windows-Kernel-Memory
Channel: Analytic
Task: MemInfoNode

Fields #

Name	Description
`PartitionId` UInt32	—
`Count` UInt32	—
`MemoryNodeInfo` Int8	—

Event ID 13 —

Provider: Microsoft-Windows-Kernel-Memory
Channel: Analytic
Task: MemInfoHugeIoSpace

Fields #

Name	Description
`PartitionId` UInt32	—
`Count` UInt32	—
`MemoryNodeInfo` Int8	—

Event ID 14 —

Provider: Microsoft-Windows-Kernel-Memory
Channel: Analytic
Task: ContFree

Fields #

Name	Description
`BaseAddress` Pointer	—
`Size` Pointer	—