Microsoft-Windows-Kernel-PnP

196 events across 9 channels

Event ID	Title	Channel
200	Begin boot start drivers phase	Boot Diagnostic
201	End boot start drivers phase	Boot Diagnostic
202	Begin system start drivers phase	Boot Diagnostic
203	End system start drivers phase	Boot Diagnostic
204	OS Loader Start: %1 OS Loader End: %2.	Boot Diagnostic
205		Operational
206		Operational
207		Operational
208		Operational
209		Operational
210	Begin initializing boot start driver %2.	Driver Diagnostic
211	End initializing boot start driver %2.	Driver Diagnostic
212	Begin loading driver %2.	Driver Diagnostic
213	End loading driver %5.	Driver Diagnostic
214	Begin unloading driver %2.	Driver Diagnostic
215	End unloading driver %5.	Driver Diagnostic
216	Begin starting device %2.	Device Enumeration Diagnostic
217	Pending start of device %2.	Device Enumeration Diagnostic
218	End starting device %2 using driver %5.	Device Enumeration Diagnostic
219	The driver %5 failed to load.	System
220	Begin querying bus relations for device %2.	Device Enumeration Diagnostic
221	Pending querying bus relations for device %2.	Device Enumeration Diagnostic
222	End querying bus relations for device %2.	Device Enumeration Diagnostic
223	Begin attempting to eject device %2.	Device Enumeration Diagnostic
224	End attempting to eject device %2.	Device Enumeration Diagnostic
225	The application %3 with process id %1 stopped the removal or ejection for the …	System
226	Begin calling driver initialization routine for driver %2.	Driver Diagnostic
227	End calling driver initialization routine for driver %2.	Driver Diagnostic
228		Operational
229		Operational
230		Operational
231		Operational
232		Operational
233		Operational
234		Operational
235		Operational
236		Operational
240	A partition unit replace operation has been initiated.	System
241	A partition unit replace operation has failed.	System
242	A partition unit has been successfully replaced.	System
250	Begin configuration of device %2.	Configuration Diagnostic
251	Pending configuration of device %2.	Configuration Diagnostic
252	End configuration of device %2.	Configuration Diagnostic
260	Begin starting system start drivers part 1	Boot Diagnostic
261	End starting system start drivers part 1	Boot Diagnostic
262	Begin starting system start drivers part 2	Boot Diagnostic
263	End starting system start drivers part 2	Boot Diagnostic
264	Begin processing reinitialization requests for boot start drivers	Driver Diagnostic
265	End processing reinitialization requests for boot start drivers	Driver Diagnostic
266	Begin processing reinitialization requests for system start drivers	Driver Diagnostic
267	End processing reinitialization requests for system start drivers	Driver Diagnostic
270	Begin loading driver database %2.	Configuration Diagnostic
271	Pending loading driver database %2.	Configuration Diagnostic
272	End loading driver database %2.	Configuration Diagnostic
273	Begin unloading driver database %2.	Configuration Diagnostic
274	Pending unloading driver database %2.	Configuration Diagnostic
275	End unloading driver database %2.	Configuration Diagnostic
276		Operational
277		Operational
278		Operational
300	Begin starting initialization of drivers	Boot Diagnostic
301	End starting initialization of drivers	Boot Diagnostic
400	Device %1 was configured.	Configuration
401	Device %1 failed configuration.	Configuration
402	Device %1 had its configuration blocked by policy.	Configuration
403	Device %1 requires a system reboot to complete configuration.	Configuration
410	Device %1 was started.	Configuration
411	Device %1 had a problem starting.	Configuration
412	Device %1 requires a system reboot before it can be started.	Configuration
420	Device %1 was deleted.	Configuration
421	Device %1 could not be deleted.	Configuration
430	Device %1 requires further installation.	Configuration
440	Device settings for %1 were migrated from previous OS installation.	Configuration
441	Device settings for %1 could not be migrated from previous OS installation.	Configuration
442	Device settings for %1 were not migrated from previous OS installation due to …	Configuration
500		Operational
501		Operational
502		Operational
503		Operational
600	A start type override of %3 was set for driver %2 in hardware configuration %1.	Driver Diagnostic
700		Operational
701		Operational
702		Operational
703		Operational
704		Operational
705		Operational
800	Begin processing new device	Device Enumeration Diagnostic
801	Processing device %2 (%1).	Device Enumeration Diagnostic
802	End processing new device	Device Enumeration Diagnostic
803	Begin processing phase %1 of starting device %2.	Operational
804	End processing phase %1 of starting device %2.	Operational
805	Begin processing phase %1 of restarting device %2.	Operational
806	End processing phase %1 of restarting device %2.	Operational
807	Begin device add operation for driver %3, device %4.	Device Enumeration Diagnostic
808	End device add, status	Device Enumeration Diagnostic
809	Duplicate device instance reported by %4 and %5.	Device Management
810	Reenumeration of device tree below %1 has been queued.	Device Enumeration Diagnostic
811	Begin reenumeration of device tree below %1.	Device Enumeration Diagnostic
812	End reenumeration of device tree below %1.	Device Enumeration Diagnostic
813	Reenumeration of %1 has been queued.	Device Enumeration Diagnostic
814	Begin reenumeration of %1.	Device Enumeration Diagnostic
815	End reenumeration of %1.	Device Enumeration Diagnostic
816	Configuration of device %1 for configuration type %2 has been queued.	Configuration Diagnostic
817	Begin configuration of device %1 for configuration type %2.	Configuration Diagnostic
818	End configuration of device %1 for configuration type %2.	Configuration Diagnostic
819		Operational
820		Operational
821		Operational
830	Removal of %1 has been queued.	Device Enumeration Diagnostic
831	Begin removal of %1.	Device Enumeration Diagnostic
832	End removal of %1.	Device Enumeration Diagnostic
840	Begin resetting device %2.	Device Enumeration Diagnostic
841	End resetting device %2 with status %3, veto type %4, veto name %6.	Device Enumeration Diagnostic
850	Begin assigning resources to device tree below %1.	Device Enumeration Diagnostic
851	End assigning resources to device tree below %1.	Device Enumeration Diagnostic
852	Begin rebalancing resources for device %2.	Device Enumeration Diagnostic
853	End rebalancing resources for device %2.	Device Enumeration Diagnostic
860	Updated problem code on device %2.	Operational
900	A long running thread for the device event queue was detected.	Driver Watchdog
901	A long running thread for the device event queue has been completed.	Driver Watchdog
902	A long running thread for device start processing was detected.	Driver Watchdog
903	A long running thread for device start processing has been completed.	Driver Watchdog
904	A long running thread for device removal was detected.	Driver Watchdog
905	A long running thread for device removal has been completed.	Driver Watchdog
906	A long running thread for device add routine was detected.	Driver Watchdog
907	A long running thread for device add routine has been completed.	Driver Watchdog
908	A long running thread for driver entry was detected.	Driver Watchdog
909	A long running thread for driver entry routine has been completed.	Driver Watchdog
930	Timed out waiting for response from user mode clients to synchronous …	Driver Watchdog
931	Responses from user mode clients to synchronous notification %1 took %6 …	Driver Watchdog
932	Synchronous notification %7 to process %2 (%3) was removed after %14 …	Driver Watchdog
933	Notification %4 to driver %3 took %5 milliseconds Event Category: %1 …	Driver Watchdog
1000	Device %1 could not be query removed as the removal was vetoed.	Device Management
1010	Device %1 has been surprise removed as it is reported as missing on the bus.	Device Management
1011	Device %1 has been surprise removed as it was reported to be failing.	Device Management
1020	A resource rebalance operation has succeeded.	Device Management
1021	A resource rebalance operation has failed.	Device Management
1030	Device %1 has been assigned to a guest partition.	Device Management
1031	Device %1 is no longer assigned to a guest partition.	Device Management
1040	Device %1 has requested a platform-level device reset.	Device Management
1041	Device %2 has completed a platform-level device reset.	Device Management
1050	Failed to create driver package defined child device of %1.	Device Management
1060	Failed to create computer device derived from firmware information.	Device Management
1065	Device %1 with problem code %2 and problem status %3 requires the system to be …	Device Management
1070	Failed to open %3 driver service %2 for device %1.	Device Management
1080	The driver %5 failed to unload.	Device Management
1100		Operational
1101		Operational
1102		Operational
1103		Operational
1104		Operational
1105		Operational
1106		Operational
1107		Operational
1108		Operational
1109		Operational
1110		Operational
1111		Operational
1120		Operational
1121		Operational
1122		Operational
1130		Operational
1131		Operational
1132		Operational
1140		Operational
1141		Operational
1142		Operational
1143		Operational
1144		Operational
1145		Operational
1150		Operational
1151		Operational
1160		Operational
1161		Operational
1170		Operational
1171		Operational
1172		Operational
1173		Operational
1174		Operational
1175		Operational
1176		Operational
1177		Operational
1178		Operational
1190		Operational
1191		Operational
1192		Operational
1200		Operational
1201		Operational
1202		Operational
1300		Operational
1301		Operational
1302		Operational
1303		Operational
1304		Operational
1400	Begin serializing boot with PnP device enumeration	Boot Diagnostic
1401	End serializing boot with PnP device enumeration	Boot Diagnostic

Event ID 200 — Begin boot start drivers phase

Provider: Microsoft-Windows-Kernel-PnP
Channel: Boot Diagnostic

Message

Begin boot start drivers phase

Event ID 201 — End boot start drivers phase

Provider: Microsoft-Windows-Kernel-PnP
Channel: Boot Diagnostic

Message

End boot start drivers phase

Event ID 202 — Begin system start drivers phase

Provider: Microsoft-Windows-Kernel-PnP
Channel: Boot Diagnostic

Message

Begin system start drivers phase

Event ID 203 — End system start drivers phase

Provider: Microsoft-Windows-Kernel-PnP
Channel: Boot Diagnostic

Message

End system start drivers phase

Event ID 204 — OS Loader Start: %1 OS Loader End: %2.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Boot Diagnostic

Message

OS Loader Start: %1
OS Loader End: %2

Fields

Name	Description
`OS_Loader_Start`	—
`OS_Loader_End`	—
`OSLoaderStart`	—
`OSLoaderEnd`	—
`PreloadEndTime`	—
`TcbLoaderStartTime`	—
`LoadHypervisorTime`	—
`LaunchHypervisorTime`	—
`LoadVsmTime`	—
`LaunchVsmTime`	—
`ExecuteTransitionStartTime`	—
`ExecuteTransitionEndTime`	—
`PerformanceDataFrequency`	—

Event ID 205 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`ElamDriverNameLength`	—
`ElamDriverName`	—

Event ID 206 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`ElamDriverNameLength`	—
`ElamDriverName`	—

Event ID 207 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`ElamStatus`	—

Event ID 208 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`ElamStatus`	—

Event ID 209 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`Classification`	—
`Policy`	—
`Result`	—

Event ID 210 — Begin initializing boot start driver %2.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Driver Diagnostic

Message

Begin initializing boot start driver %2

Fields

Name	Description
`DriverNameLength`	—
`DriverName`	—

Event ID 211 — End initializing boot start driver %2.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Driver Diagnostic

Message

End initializing boot start driver %2.  Status: %3

Fields

Name	Description
`DriverNameLength`	—
`DriverName`	—
`Status`	—

Event ID 212 — Begin loading driver %2.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Driver Diagnostic

Message

Begin loading driver %2

Fields

Name	Description
`DriverNameLength`	—
`DriverName`	—

Event ID 213 — End loading driver %5.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Driver Diagnostic

Message

End loading driver %5.  Status: %3

Fields

Name	Description
`ServiceNameLength`	—
`ServiceName`	—
`Status`	—
`DriverNameLength`	—
`DriverName`	—
`Version`	—

Event ID 214 — Begin unloading driver %2.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Driver Diagnostic

Message

Begin unloading driver %2

Fields

Name	Description
`DriverNameLength`	—
`DriverName`	—

Event ID 215 — End unloading driver %5.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Driver Diagnostic

Message

End unloading driver %5.  Status: %3

Fields

Name	Description
`ServiceNameLength`	—
`ServiceName`	—
`Status`	—
`DriverNameLength`	—
`DriverName`	—
`Version`	—

Event ID 216 — Begin starting device %2.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Enumeration Diagnostic

Message

Begin starting device %2

Fields

Name	Description
`DriverNameLength`	—
`DriverName`	—

Event ID 217 — Pending start of device %2.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Enumeration Diagnostic

Message

Pending start of device %2

Fields

Name	Description
`DriverNameLength`	—
`DriverName`	—

Event ID 218 — End starting device %2 using driver %5.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Enumeration Diagnostic

Message

End starting device %2 using driver %5.  Status: %3

Fields

Name	Description
`DriverNameLength`	—
`DriverName`	—
`Status`	—
`FailureNameLength`	—
`FailureName`	—
`Version`	—

Event ID 219 — The driver %5 failed to load.

Provider: Microsoft-Windows-Kernel-PnP
Channel: System
Level: 3
Samples: 1

Message

The driver %5 failed to load.
Device: %2
Status: %3

Fields

Name	Description
`DriverNameLength`	—
`DriverName`	—
`Status`	—
`FailureNameLength`	—
`FailureName`	—
`Version`	—

Example Event

system:
  provider: Microsoft-Windows-Kernel-PnP
  guid: 9C205A39-1250-487D-ABD7-E831C6290539
  event_source_name: ''
  event_id: 219
  version: 0
  level: 3
  task: 212
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-06T06:25:19.591886+00:00'
  event_record_id: 1645
  correlation: {}
  execution:
    process_id: 4
    thread_id: 224
  channel: System
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  DriverNameLength: 15
  DriverName: ROOT\VMBus\0000
  Status: 3221226341
  FailureNameLength: 14
  FailureName: \Driver\vmbusr
  Version: 0
message: ''

References

Microsoft Learn https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/event-id-219-when-device-plugged-in-windows-system
Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 220 — Begin querying bus relations for device %2.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Enumeration Diagnostic

Message

Begin querying bus relations for device %2

Fields

Name	Description
`DriverNameLength`	—
`DriverName`	—

Event ID 221 — Pending querying bus relations for device %2.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Enumeration Diagnostic

Message

Pending querying bus relations for device %2

Fields

Name	Description
`DriverNameLength`	—
`DriverName`	—

Event ID 222 — End querying bus relations for device %2.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Enumeration Diagnostic

Message

End querying bus relations for device %2

Fields

Name	Description
`DriverNameLength`	—
`DriverName`	—

Event ID 223 — Begin attempting to eject device %2.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Enumeration Diagnostic

Message

Begin attempting to eject device %2

Fields

Name	Description
`DriverNameLength`	—
`DriverName`	—

Event ID 224 — End attempting to eject device %2.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Enumeration Diagnostic

Message

End attempting to eject device %2. Status: %3

Fields

Name	Description
`DriverNameLength`	—
`DriverName`	—
`Status`	—
`FailureNameLength`	—
`FailureName`	—
`Version`	—

Event ID 225 — The application %3 with process id %1 stopped the removal or ejection for the device %5.

Provider: Microsoft-Windows-Kernel-PnP
Channel: System

Message

The application %3 with process id %1 stopped the removal or ejection for the device %5.

Fields

Name	Description
`ProcessId`	—
`ProcessNameLength`	—
`ProcessName`	—
`DeviceInstanceLength`	—
`DeviceInstance`	—
`CommandLineLength`	—
`CommandLine`	—
`VetoingDevicesLength`	—
`VetoingDevices`	—

Event ID 226 — Begin calling driver initialization routine for driver %2.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Driver Diagnostic

Message

Begin calling driver initialization routine for driver %2

Fields

Name	Description
`DriverNameLength`	—
`DriverName`	—

Event ID 227 — End calling driver initialization routine for driver %2.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Driver Diagnostic

Message

End calling driver initialization routine for driver %2. Status: %3

Fields

Name	Description
`DriverNameLength`	—
`DriverName`	—
`Status`	—

Event ID 228 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`SqmType`	—
`SqmSessionGuid`	—
`SqmSid`	—
`SqmWindowsSessionId`	—
`SqmSessionFlags`	—

Event ID 229 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`SqmType`	—
`SqmSessionGuid`	—

Event ID 230 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`SqmType`	—
`SqmSessionGuid`	—
`SqmID`	—
`SqmDWORDDatapointValue`	—

Event ID 231 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`SqmType`	—
`SqmSessionGuid`	—
`SqmID`	—
`SqmDWORDDatapointValue`	—

Event ID 232 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`SqmType`	—
`SqmSessionGuid`	—
`SqmID`	—
`SqmDWORDDatapointValue`	—

Event ID 233 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`SqmType`	—
`SqmSessionGuid`	—
`SqmID`	—
`SqmDWORDDatapointValue`	—

Event ID 234 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`SqmType`	—
`SqmSessionGuid`	—
`SqmID`	—
`SqmDWORDDatapointValue`	—

Event ID 235 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`SqmType`	—
`SqmSessionGuid`	—
`SqmID`	—
`SqmStringDatapointValue`	—

Event ID 236 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`SqmType`	—
`SqmSessionGuid`	—
`SqmID`	—
`SqmStreamRowLength`	—
`SqmStreamRow`	—

Event ID 240 — A partition unit replace operation has been initiated.

Provider: Microsoft-Windows-Kernel-PnP
Channel: System

Message

A partition unit replace operation has been initiated.

Fields

Name	Description
`TargetPath`	—
`SparePath`	—

Event ID 241 — A partition unit replace operation has failed.

Provider: Microsoft-Windows-Kernel-PnP
Channel: System

Message

A partition unit replace operation has failed.

Fields

Name	Description
`TargetPath`	—
`SparePath`	—
`Status`	—
`Location`	—
`ExtendedStatus`	—

Event ID 242 — A partition unit has been successfully replaced.

Provider: Microsoft-Windows-Kernel-PnP
Channel: System

Message

A partition unit has been successfully replaced.

Fields

Name	Description
`TargetPath`	—
`TargetAffinity`	—
`TargetProcessorCount`	—
`TargetMemoryCount`	—
`TargetMemorySize`	—
`SparePath`	—
`SpareProcessorCount`	—
`SpareMemoryCount`	—
`SpareMemorySize`	—
`TimeTotal`	—
`TimeToQuiesce`	—
`TimeQuiesced`	—
`TimeToWake`	—
`TargetProcessors`	—
`TargetMemoryRanges`	—
`SpareProcessors`	—
`SpareMemoryRanges`	—

Event ID 250 — Begin configuration of device %2.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Configuration Diagnostic

Message

Begin configuration of device %2

Fields

Name	Description
`DeviceInstanceLength`	—
`DeviceInstance`	—

Event ID 251 — Pending configuration of device %2.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Configuration Diagnostic

Message

Pending configuration of device %2

Fields

Name	Description
`DeviceInstanceLength`	—
`DeviceInstance`	—

Event ID 252 — End configuration of device %2.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Configuration Diagnostic

Message

End configuration of device %2. Status: %3

Fields

Name	Description
`DeviceInstanceLength`	—
`DeviceInstance`	—
`Status`	—

Event ID 260 — Begin starting system start drivers part 1

Provider: Microsoft-Windows-Kernel-PnP
Channel: Boot Diagnostic

Message

Begin starting system start drivers part 1

Event ID 261 — End starting system start drivers part 1

Provider: Microsoft-Windows-Kernel-PnP
Channel: Boot Diagnostic

Message

End starting system start drivers part 1

Event ID 262 — Begin starting system start drivers part 2

Provider: Microsoft-Windows-Kernel-PnP
Channel: Boot Diagnostic

Message

Begin starting system start drivers part 2

Event ID 263 — End starting system start drivers part 2

Provider: Microsoft-Windows-Kernel-PnP
Channel: Boot Diagnostic

Message

End starting system start drivers part 2

Event ID 264 — Begin processing reinitialization requests for boot start drivers

Provider: Microsoft-Windows-Kernel-PnP
Channel: Driver Diagnostic

Message

Begin processing reinitialization requests for boot start drivers

Event ID 265 — End processing reinitialization requests for boot start drivers

Provider: Microsoft-Windows-Kernel-PnP
Channel: Driver Diagnostic

Message

End processing reinitialization requests for boot start drivers

Event ID 266 — Begin processing reinitialization requests for system start drivers

Provider: Microsoft-Windows-Kernel-PnP
Channel: Driver Diagnostic

Message

Begin processing reinitialization requests for system start drivers

Event ID 267 — End processing reinitialization requests for system start drivers

Provider: Microsoft-Windows-Kernel-PnP
Channel: Driver Diagnostic

Message

End processing reinitialization requests for system start drivers

Event ID 270 — Begin loading driver database %2.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Configuration Diagnostic

Message

Begin loading driver database %2

Fields

Name	Description
`DriverNameLength`	—
`DriverName`	—

Event ID 271 — Pending loading driver database %2.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Configuration Diagnostic

Message

Pending loading driver database %2

Fields

Name	Description
`DriverNameLength`	—
`DriverName`	—

Event ID 272 — End loading driver database %2.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Configuration Diagnostic

Message

End loading driver database %2

Fields

Name	Description
`DriverNameLength`	—
`DriverName`	—
`Status`	—

Event ID 273 — Begin unloading driver database %2.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Configuration Diagnostic

Message

Begin unloading driver database %2

Fields

Name	Description
`DriverNameLength`	—
`DriverName`	—

Event ID 274 — Pending unloading driver database %2.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Configuration Diagnostic

Message

Pending unloading driver database %2

Fields

Name	Description
`DriverNameLength`	—
`DriverName`	—

Event ID 275 — End unloading driver database %2.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Configuration Diagnostic

Message

End unloading driver database %2

Fields

Name	Description
`DriverNameLength`	—
`DriverName`	—
`Status`	—

Event ID 276 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`DriverNameLength`	—
`DriverName`	—

Event ID 277 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`DriverNameLength`	—
`DriverName`	—
`Status`	—

Event ID 278 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`BlockedDriverEntry`	—

Event ID 300 — Begin starting initialization of drivers

Provider: Microsoft-Windows-Kernel-PnP
Channel: Boot Diagnostic

Message

Begin starting initialization of drivers

Event ID 301 — End starting initialization of drivers

Provider: Microsoft-Windows-Kernel-PnP
Channel: Boot Diagnostic

Message

End starting initialization of drivers

Event ID 400 — Device %1 was configured.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Configuration
Level: 4
Samples: 1

Message

Device %1 was configured.

Driver Name: %2
Class GUID: %3
Driver Date: %4
Driver Version: %5
Driver Provider: %6
Driver Section: %8
Driver Rank: %9
Matching Device ID: %10
Outranked Drivers: %11
Device Updated: %12
Parent Device: %14

Fields

Name	Description
`DeviceInstanceId`	—
`DriverName`	—
`ClassGuid`	—
`DriverDate`	—
`DriverVersion`	—
`DriverProvider`	—
`DriverInbox`	—
`DriverSection`	—
`DriverRank`	—
`MatchingDeviceId`	—
`OutrankedDrivers`	—
`DeviceUpdated`	—
`Status`	—
`ParentDeviceInstanceId`	Parent Device.

Example Event

system:
  provider: Microsoft-Windows-Kernel-PnP
  guid: 9C205A39-1250-487D-ABD7-E831C6290539
  event_source_name: ''
  event_id: 400
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 4611686018427387904
  time_created: '2023-11-06T06:20:50.122130+00:00'
  event_record_id: 211
  correlation: {}
  execution:
    process_id: 4
    thread_id: 8
  channel: Microsoft-Windows-Kernel-PnP/Configuration
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  DeviceInstanceId: ACPI\GenuineIntel_-_Intel64_Family_6_Model_183_-_13th_Gen_Intel(R)_Core(TM)_i9-13980HX\_3
  DriverName: cpu.inf
  ClassGuid: 50127DC3-0F36-415E-A6CC-4CB3BE910B65
  DriverDate: 04/21/2009
  DriverVersion: 10.0.22621.2215
  DriverProvider: Microsoft
  DriverInbox: true
  DriverSection: IntelPPM_Inst.NT
  DriverRank: '0xff0004'
  MatchingDeviceId: ACPI\GenuineIntel_-_Intel64
  OutrankedDrivers: cpu.inf:ACPI\Processor:00FF2000
  DeviceUpdated: false
  Status: '0x0'
  ParentDeviceInstanceId: ACPI_HAL\PNP0C08\0
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 401 — Device %1 failed configuration.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Configuration

Message

Device %1 failed configuration.

Driver Name: %2
Class GUID: %3
Driver Date: %4
Driver Version: %5
Driver Provider: %6
Driver Section: %8
Driver Rank: %9
Matching Device ID: %10
Outranked Drivers: %11
Device Updated: %12
Status: %13
Parent Device: %14

Fields

Name	Description
`Driver_Name`	—
`Class_Guid`	—
`Driver_Date`	—
`Driver_Version`	—
`Driver_Provider`	—
`Driver_Section`	—
`Driver_Rank`	—
`Matching_Device_Id`	Driver Section.
`Outranked_Drivers`	Driver Rank.
`Device_Updated`	Matching Device Id.
`Status`	Outranked Drivers.
`Parent_Device`	Device Updated.
`DeviceInstanceId`	—
`DriverName`	—
`ClassGuid`	—
`DriverDate`	—
`DriverVersion`	—
`DriverProvider`	—
`DriverInbox`	—
`DriverSection`	—
`DriverRank`	—
`MatchingDeviceId`	—
`OutrankedDrivers`	—
`DeviceUpdated`	—
`ParentDeviceInstanceId`	—
`DriverPackageId`	—

Event ID 402 — Device %1 had its configuration blocked by policy.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Configuration

Message

Device %1 had its configuration blocked by policy.

Driver Name: %2
Class GUID: %3
Driver Date: %4
Driver Version: %5
Driver Provider: %6
Driver Section: %8
Driver Rank: %9
Matching Device ID: %10
Outranked Drivers: %11
Device Updated: %12
Status: %13
Parent Device: %14

Fields

Name	Description
`Driver_Name`	—
`Class_Guid`	—
`Driver_Date`	—
`Driver_Version`	—
`Driver_Provider`	—
`Driver_Section`	—
`Driver_Rank`	—
`Matching_Device_Id`	Driver Section.
`Outranked_Drivers`	Driver Rank.
`Device_Updated`	Matching Device Id.
`Status`	Outranked Drivers.
`Parent_Device`	Device Updated.
`DeviceInstanceId`	—
`DriverName`	—
`ClassGuid`	—
`DriverDate`	—
`DriverVersion`	—
`DriverProvider`	—
`DriverInbox`	—
`DriverSection`	—
`DriverRank`	—
`MatchingDeviceId`	—
`OutrankedDrivers`	—
`DeviceUpdated`	—
`ParentDeviceInstanceId`	—
`DriverPackageId`	—

Event ID 403 — Device %1 requires a system reboot to complete configuration.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Configuration
Level: 3
Samples: 1

Message

Device %1 requires a system reboot to complete configuration.

Driver Name: %2
Class GUID: %3
Driver Date: %4
Driver Version: %5
Driver Provider: %6
Driver Section: %8
Driver Rank: %9
Matching Device ID: %10
Outranked Drivers: %11
Device Updated: %12
Status: %13
Parent Device: %14

Fields

Name	Description
`DeviceInstanceId`	—
`DriverName`	—
`ClassGuid`	—
`DriverDate`	—
`DriverVersion`	—
`DriverProvider`	—
`DriverInbox`	—
`DriverSection`	—
`DriverRank`	—
`MatchingDeviceId`	—
`OutrankedDrivers`	—
`DeviceUpdated`	—
`Status`	—
`ParentDeviceInstanceId`	Parent Device.

Example Event

system:
  provider: Microsoft-Windows-Kernel-PnP
  guid: 9C205A39-1250-487D-ABD7-E831C6290539
  event_source_name: ''
  event_id: 403
  version: 0
  level: 3
  task: 0
  opcode: 0
  keywords: 4611686018427387904
  time_created: '2023-10-26T04:16:19.107877+00:00'
  event_record_id: 112
  correlation: {}
  execution:
    process_id: 4
    thread_id: 248
  channel: Microsoft-Windows-Kernel-PnP/Configuration
  computer: WIN-OQ6R0RVA4NF
  security:
    user_id: S-1-5-18
event_data:
  DeviceInstanceId: ROOT\VOLMGR\0000
  DriverName: volmgr.inf
  ClassGuid: 4D36E97D-E325-11CE-BFC1-08002BE10318
  DriverDate: 06/21/2006
  DriverVersion: 10.0.22621.608
  DriverProvider: Microsoft
  DriverInbox: true
  DriverSection: Volmgr
  DriverRank: '0xff0000'
  MatchingDeviceId: ROOT\VOLMGR
  OutrankedDrivers: ''
  DeviceUpdated: false
  Status: '0x0'
  ParentDeviceInstanceId: HTREE\ROOT\0
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 410 — Device %1 was started.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Configuration
Level: 4
Samples: 1

Message

Device %1 was started.

Driver Name: %2
Class GUID: %3
Service: %4
Lower Filters: %5
Upper Filters: %6

Fields

Name	Description
`DeviceInstanceId`	—
`DriverName`	—
`ClassGuid`	—
`ServiceName`	Service.
`LowerFilters`	—
`UpperFilters`	—
`Problem`	—
`Status`	—

Example Event

system:
  provider: Microsoft-Windows-Kernel-PnP
  guid: 9C205A39-1250-487D-ABD7-E831C6290539
  event_source_name: ''
  event_id: 410
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 4611686018427387904
  time_created: '2023-11-06T06:20:59.295648+00:00'
  event_record_id: 215
  correlation: {}
  execution:
    process_id: 4
    thread_id: 52
  channel: Microsoft-Windows-Kernel-PnP/Configuration
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  DeviceInstanceId: ACPI\GenuineIntel_-_Intel64_Family_6_Model_183_-_13th_Gen_Intel(R)_Core(TM)_i9-13980HX\_3
  DriverName: cpu.inf
  ClassGuid: 50127DC3-0F36-415E-A6CC-4CB3BE910B65
  ServiceName: intelppm
  LowerFilters: ''
  UpperFilters: ''
  Problem: '0x0'
  Status: '0x0'
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 411 — Device %1 had a problem starting.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Configuration
Level: 2
Samples: 1

Message

Device %1 had a problem starting.

Driver Name: %2
Class GUID: %3
Service: %4
Lower Filters: %5
Upper Filters: %6
Problem: %7
Problem Status: %8

Fields

Name	Description
`DeviceInstanceId`	—
`DriverName`	—
`ClassGuid`	—
`ServiceName`	Service.
`LowerFilters`	—
`UpperFilters`	—
`Problem`	—
`Status`	Problem Status.

Example Event

system:
  provider: Microsoft-Windows-Kernel-PnP
  guid: 9C205A39-1250-487D-ABD7-E831C6290539
  event_source_name: ''
  event_id: 411
  version: 0
  level: 2
  task: 0
  opcode: 0
  keywords: 4611686018427387904
  time_created: '2023-10-26T04:17:42.366175+00:00'
  event_record_id: 168
  correlation: {}
  execution:
    process_id: 4
    thread_id: 52
  channel: Microsoft-Windows-Kernel-PnP/Configuration
  computer: WIN-OQ6R0RVA4NF
  security:
    user_id: S-1-5-18
event_data:
  DeviceInstanceId: PCI\VEN_8086&DEV_100F&SUBSYS_075015AD&REV_01\4&bbf9765&0&0088
  DriverName: nete1g3e.inf
  ClassGuid: 4D36E972-E325-11CE-BFC1-08002BE10318
  ServiceName: E1G60
  LowerFilters: ''
  UpperFilters: ''
  Problem: '0x0'
  Status: '0xc00000e5'
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 412 — Device %1 requires a system reboot before it can be started.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Configuration

Message

Device %1 requires a system reboot before it can be started.

Driver Name: %2
Class GUID: %3
Service: %4
Lower Filters: %5
Upper Filters: %6
Problem: %7
Problem Status: %8

Fields

Name	Description
`Driver_Name`	—
`Class_Guid`	—
`Service`	—
`Lower_Filters`	—
`Upper_Filters`	—
`Problem`	—
`Problem_Status`	—
`DeviceInstanceId`	—
`DriverName`	—
`ClassGuid`	—
`ServiceName`	—
`LowerFilters`	—
`UpperFilters`	—
`Status`	—

Event ID 420 — Device %1 was deleted.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Configuration

Message

Device %1 was deleted.

Class GUID: %2

Fields

Name	Description
`Class_Guid`	—
`DeviceInstanceId`	—
`ClassGuid`	—
`Problem`	—
`Status`	—

Event ID 421 — Device %1 could not be deleted.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Configuration

Message

Device %1 could not be deleted.

Class GUID: %2
Problem: %3
Status: %4

Fields

Name	Description
`Class_Guid`	—
`Problem`	—
`Status`	—
`DeviceInstanceId`	—
`ClassGuid`	—

Event ID 430 — Device %1 requires further installation.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Configuration
Level: 4
Samples: 1

Message

Device %1 requires further installation.

Fields

Name	Description
`DeviceInstanceId`	—

Example Event

system:
  provider: Microsoft-Windows-Kernel-PnP
  guid: 9C205A39-1250-487D-ABD7-E831C6290539
  event_source_name: ''
  event_id: 430
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 4611686018427387904
  time_created: '2023-10-26T04:16:49.350000+00:00'
  event_record_id: 160
  correlation: {}
  execution:
    process_id: 4
    thread_id: 248
  channel: Microsoft-Windows-Kernel-PnP/Configuration
  computer: WIN-OQ6R0RVA4NF
  security:
    user_id: S-1-5-18
event_data:
  DeviceInstanceId: PCI\VEN_8086&DEV_100F&SUBSYS_075015AD&REV_01\4&bbf9765&0&0888
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 440 — Device settings for %1 were migrated from previous OS installation.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Configuration

Message

Device settings for %1 were migrated from previous OS installation.

Last Device Instance ID: %2
Class GUID: %3
Location Path: %4
Migration Rank: %5
Present: %6

Fields

Name	Description
`Last_Device_Instance_Id`	—
`Class_Guid`	—
`Location_Path`	—
`Migration_Rank`	—
`Present`	—
`DeviceInstanceId`	—
`LastDeviceInstanceId`	—
`ClassGuid`	—
`LocationPath`	—
`MigrationRank`	—
`Status`	—

Event ID 441 — Device settings for %1 could not be migrated from previous OS installation.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Configuration

Message

Device settings for %1 could not be migrated from previous OS installation.

Last Device Instance ID: %2
Class GUID: %3
Location Path: %4
Migration Rank: %5
Present: %6
Status: %7

Fields

Name	Description
`Last_Device_Instance_Id`	—
`Class_Guid`	—
`Location_Path`	—
`Migration_Rank`	—
`Present`	—
`Status`	—
`DeviceInstanceId`	—
`LastDeviceInstanceId`	—
`ClassGuid`	—
`LocationPath`	—
`MigrationRank`	—

Event ID 442 — Device settings for %1 were not migrated from previous OS installation due to partial or ambiguous device match.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Configuration

Message

Device settings for %1 were not migrated from previous OS installation due to partial or ambiguous device match.

Last Device Instance ID: %2
Class GUID: %3
Location Path: %4
Migration Rank: %5
Present: %6
Status: %7

Fields

Name	Description
`Last_Device_Instance_Id`	—
`Class_Guid`	—
`Location_Path`	—
`Migration_Rank`	—
`Present`	—
`Status`	—
`DeviceInstanceId`	—
`LastDeviceInstanceId`	—
`ClassGuid`	—
`LocationPath`	—
`MigrationRank`	—

Event ID 500 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`QueryAddress`	—
`ProcessId`	—
`ObjectType`	—
`QueryType`	—
`ObjectId`	—
`QueryFlags`	—
`PreferredLanguages`	—
`RequestedProperties`	—
`FilterExpression`	—

Event ID 501 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`QueryAddress`	—

Event ID 502 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`QueryAddress`	—

Event ID 503 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`QueryAddress`	—

Event ID 600 — A start type override of %3 was set for driver %2 in hardware configuration %1.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Driver Diagnostic

Message

A start type override of %3 was set for driver %2 in hardware configuration %1

Fields

Name	Description
`HardwareConfigurationId`	—
`Driver`	—
`StartType`	—

Event ID 700 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`Filter`	—
`FilterBy`	—
`OnlyPresent`	—

Event ID 701 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`Result`	—

Event ID 702 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`Class`	—
`Device`	—
`OnlyPresent`	—

Event ID 703 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`Result`	—

Event ID 704 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`QueryRemoveType`	—
`Device`	—

Event ID 705 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`Device`	—

Event ID 800 — Begin processing new device

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Enumeration Diagnostic

Message

Begin processing new device (%1)

Fields

Name	Description
`DeviceNode`	—

Event ID 801 — Processing device %2 (%1).

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Enumeration Diagnostic

Message

Processing device %2 (%1)

Fields

Name	Description
`DeviceNode`	—
`DeviceInstancePath`	—
`ParentDeviceInstancePath`	—

Event ID 802 — End processing new device

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Enumeration Diagnostic

Message

End processing new device (%1)

Fields

Name	Description
`DeviceNode`	—

Event ID 803 — Begin processing phase %1 of starting device %2.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Message

Begin processing phase %1 of starting device %2

Fields

Name	Description
`Phase`	—
`Device`	—

Event ID 804 — End processing phase %1 of starting device %2.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Message

End processing phase %1 of starting device %2

Fields

Name	Description
`Phase`	—
`Device`	—

Event ID 805 — Begin processing phase %1 of restarting device %2.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Message

Begin processing phase %1 of restarting device %2

Fields

Name	Description
`Phase`	—
`Device`	—

Event ID 806 — End processing phase %1 of restarting device %2.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Message

End processing phase %1 of restarting device %2

Fields

Name	Description
`Phase`	—
`Device`	—

Event ID 807 — Begin device add operation for driver %3, device %4.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Enumeration Diagnostic

Message

Begin device add operation for driver %3, device %4

Fields

Name	Description
`ServiceType`	—
`DriverNameLength`	—
`DriverName`	—
`DeviceInstancePath`	—

Event ID 808 — End device add, status

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Enumeration Diagnostic

Message

End device add, status (%1)

Fields

Name	Description
`Status`	—

Event ID 809 — Duplicate device instance reported by %4 and %5.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Management

Message

Duplicate device instance reported by %4 and %5.
Bus ID: %1
Device ID: %2
Instance ID: %3

Fields

Name	Description
`Bus_ID`	—
`Device_ID`	—
`Instance_ID`	—
`BusId`	—
`DeviceId`	—
`InstanceId`	—
`PreviousParent`	—
`CurrentParent`	—

Event ID 810 — Reenumeration of device tree below %1 has been queued.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Enumeration Diagnostic

Message

Reenumeration of device tree below %1 has been queued.

Fields

Name	Description
`Device`	—
`ReenumerateType`	—

Event ID 811 — Begin reenumeration of device tree below %1.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Enumeration Diagnostic

Message

Begin reenumeration of device tree below %1.

Fields

Name	Description
`Device`	—
`ReenumerateType`	—

Event ID 812 — End reenumeration of device tree below %1.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Enumeration Diagnostic

Message

End reenumeration of device tree below %1.

Fields

Name	Description
`Device`	—
`ReenumerateType`	—

Event ID 813 — Reenumeration of %1 has been queued.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Enumeration Diagnostic

Message

Reenumeration of %1 has been queued.

Fields

Name	Description
`Device`	—

Event ID 814 — Begin reenumeration of %1.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Enumeration Diagnostic

Message

Begin reenumeration of %1.

Fields

Name	Description
`Device`	—

Event ID 815 — End reenumeration of %1.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Enumeration Diagnostic

Message

End reenumeration of %1.

Fields

Name	Description
`Device`	—

Event ID 816 — Configuration of device %1 for configuration type %2 has been queued.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Configuration Diagnostic

Message

Configuration of device %1 for configuration type %2 has been queued.

Fields

Name	Description
`Device`	—
`RequestType`	—

Event ID 817 — Begin configuration of device %1 for configuration type %2.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Configuration Diagnostic

Message

Begin configuration of device %1 for configuration type %2.

Fields

Name	Description
`Device`	—
`RequestType`	—

Event ID 818 — End configuration of device %1 for configuration type %2.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Configuration Diagnostic

Message

End configuration of device %1 for configuration type %2. Result is %3

Fields

Name	Description
`Device`	—
`RequestType`	—
`Status`	—

Event ID 819 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`Device`	—
`RequestType`	—

Event ID 820 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`Device`	—
`RequestType`	—

Event ID 821 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`Device`	—
`RequestType`	—
`Status`	—

Event ID 830 — Removal of %1 has been queued.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Enumeration Diagnostic

Message

Removal of %1 has been queued.

Fields

Name	Description
`Device`	—
`EventGuid`	—
`ProblemCode`	—
`ProblemStatus`	—
`Synchronous`	—
`Flags`	—

Event ID 831 — Begin removal of %1.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Enumeration Diagnostic

Message

Begin removal of %1.

Fields

Name	Description
`Device`	—

Event ID 832 — End removal of %1.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Enumeration Diagnostic

Message

End removal of %1.

Fields

Name	Description
`Device`	—

Event ID 840 — Begin resetting device %2.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Enumeration Diagnostic

Message

Begin resetting device %2.

Fields

Name	Description
`DeviceInstanceLength`	—
`DeviceInstance`	—

Event ID 841 — End resetting device %2 with status %3, veto type %4, veto name %6.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Enumeration Diagnostic

Message

End resetting device %2 with status %3, veto type %4, veto name %6.

Fields

Name	Description
`DeviceInstanceLength`	—
`DeviceInstance`	—
`Status`	—
`VetoType`	—
`VetoNameLength`	—
`VetoName`	—

Event ID 850 — Begin assigning resources to device tree below %1.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Enumeration Diagnostic

Message

Begin assigning resources to device tree below %1.

Fields

Name	Description
`Device`	—

Event ID 851 — End assigning resources to device tree below %1.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Enumeration Diagnostic

Message

End assigning resources to device tree below %1.

Fields

Name	Description
`Device`	—

Event ID 852 — Begin rebalancing resources for device %2.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Enumeration Diagnostic

Message

Begin rebalancing resources for device %2.

Fields

Name	Description
`DeviceInstanceLength`	—
`DeviceInstance`	—

Event ID 853 — End rebalancing resources for device %2.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Enumeration Diagnostic

Message

End rebalancing resources for device %2.

Fields

Name	Description
`DeviceInstanceLength`	—
`DeviceInstance`	—
`Status`	—

Event ID 860 — Updated problem code on device %2.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Message

Updated problem code on device %2.
Service name: %3
New problem code: %4
New problem status: %5
Old problem code: %6
Old problem status: %7

Fields

Name	Description
`DeviceNode`	—
`DeviceInstanceId`	—
`ServiceName`	—
`NewProblemCode`	—
`NewProblemStatus`	—
`OldProblemCode`	—
`OldProblemStatus`	—

Event ID 900 — A long running thread for the device event queue was detected.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Driver Watchdog

Message

A long running thread for the device event queue was detected. The thread has been running for %4 milliseconds.
Thread ID: %1
Device: %2
Service: %3

Fields

Name	Description
`Thread_ID`	—
`Device`	—
`Service`	—
`ThreadId`	—
`DeviceInstanceId`	—
`ServiceName`	—
`ElapsedTimeMs`	—
`EventCategory`	—
`EventGuid`	—
`EventArgument`	—
`EventArgumentStatus`	—
`CategorySpecificData_Guid`	—
`CategorySpecificData_String`	—

Event ID 901 — A long running thread for the device event queue has been completed.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Driver Watchdog

Message

A long running thread for the device event queue has been completed.
Thread ID: %1
Device: %2
Service: %3
Total run time in milliseconds: %4

Fields

Name	Description
`ThreadId`	—
`DeviceInstanceId`	—
`ServiceName`	—
`ElapsedTimeMs`	—
`EventCategory`	—
`EventGuid`	—
`EventArgument`	—
`EventArgumentStatus`	—
`CategorySpecificData_Guid`	—
`CategorySpecificData_String`	—

Event ID 902 — A long running thread for device start processing was detected.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Driver Watchdog

Message

A long running thread for device start processing was detected. The thread has been running for %4 milliseconds.
Thread ID: %1
Device: %2
Service: %3

Fields

Name	Description
`Thread_ID`	—
`Device`	—
`Service`	—
`ThreadId`	—
`DeviceInstanceId`	—
`ServiceName`	—
`ElapsedTimeMs`	—

Event ID 903 — A long running thread for device start processing has been completed.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Driver Watchdog

Message

A long running thread for device start processing has been completed.
Thread ID: %1
Device: %2
Service: %3
Total run time in milliseconds: %4

Fields

Name	Description
`ThreadId`	—
`DeviceInstanceId`	—
`ServiceName`	—
`ElapsedTimeMs`	—

Event ID 904 — A long running thread for device removal was detected.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Driver Watchdog

Message

A long running thread for device removal was detected. The thread has been running for %4 milliseconds.
Thread ID: %1
Device: %2
Service: %3

Fields

Name	Description
`Thread_ID`	—
`Device`	—
`Service`	—
`ThreadId`	—
`DeviceInstanceId`	—
`ServiceName`	—
`ElapsedTimeMs`	—

Event ID 905 — A long running thread for device removal has been completed.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Driver Watchdog

Message

A long running thread for device removal has been completed.
Thread ID: %1
Device: %2
Service: %3
Total run time in milliseconds: %4

Fields

Name	Description
`ThreadId`	—
`DeviceInstanceId`	—
`ServiceName`	—
`ElapsedTimeMs`	—

Event ID 906 — A long running thread for device add routine was detected.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Driver Watchdog

Message

A long running thread for device add routine was detected. The thread has been running for %4 milliseconds.
Thread ID: %1
Device: %2
Driver: %3

Fields

Name	Description
`Thread_ID`	—
`Device`	—
`Driver`	—
`ThreadId`	—
`DeviceInstanceId`	—
`DriverName`	—
`ElapsedTimeMs`	—

Event ID 907 — A long running thread for device add routine has been completed.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Driver Watchdog

Message

A long running thread for device add routine has been completed.
Thread ID: %1
Device: %2
Driver: %3
Total run time in milliseconds: %4

Fields

Name	Description
`ThreadId`	—
`DeviceInstanceId`	—
`DriverName`	—
`ElapsedTimeMs`	—

Event ID 908 — A long running thread for driver entry was detected.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Driver Watchdog
Level: 3
Samples: 1

Message

A long running thread for driver entry was detected. The thread has been running for %4 milliseconds.
Thread ID: %1
Driver: %3

Fields

Name	Description
`ThreadId`	—
`DeviceInstanceId`	—
`DriverName`	Driver.
`ElapsedTimeMs`	—

Example Event

system:
  provider: Microsoft-Windows-Kernel-PnP
  guid: 9C205A39-1250-487D-ABD7-E831C6290539
  event_source_name: ''
  event_id: 908
  version: 0
  level: 3
  task: 900
  opcode: 1
  keywords: 144115188075855872
  time_created: '2023-11-06T00:25:57.930157+00:00'
  event_record_id: 1
  correlation: {}
  execution:
    process_id: 4
    thread_id: 2352
  channel: Microsoft-Windows-Kernel-PnP/Driver Watchdog
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  ThreadId: '0x2ba4'
  DeviceInstanceId: ''
  DriverName: avgSP
  ElapsedTimeMs: 10005
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 909 — A long running thread for driver entry routine has been completed.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Driver Watchdog
Level: 4
Samples: 1

Message

A long running thread for driver entry routine has been completed.
Thread ID: %1
Driver: %3
Total run time in milliseconds: %4

Fields

Name	Description
`ThreadId`	—
`DeviceInstanceId`	—
`DriverName`	Driver.
`ElapsedTimeMs`	Total run time in milliseconds.

Example Event

system:
  provider: Microsoft-Windows-Kernel-PnP
  guid: 9C205A39-1250-487D-ABD7-E831C6290539
  event_source_name: ''
  event_id: 909
  version: 0
  level: 4
  task: 900
  opcode: 2
  keywords: 144115188075855872
  time_created: '2023-11-06T00:26:29.468233+00:00'
  event_record_id: 2
  correlation: {}
  execution:
    process_id: 4
    thread_id: 11172
  channel: Microsoft-Windows-Kernel-PnP/Driver Watchdog
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  ThreadId: '0x2ba4'
  DeviceInstanceId: ''
  DriverName: avgSP
  ElapsedTimeMs: 41546
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 930 — Timed out waiting for response from user mode clients to synchronous notification %1 Event Category: %2 Device Instance ID: %3 Category Specific Da...

Provider: Microsoft-Windows-Kernel-PnP
Channel: Driver Watchdog

Message

Timed out waiting for response from user mode clients to synchronous notification %1
Event Category: %2
Device Instance ID: %3
Category Specific Data:
%4
%5

Fields

Name	Description
`EventGuid`	—
`EventCategory`	—
`DeviceInstanceId`	—
`CategorySpecificData_Guid`	—
`CategorySpecificData_String`	—
`TimeMs`	—

Event ID 931 — Responses from user mode clients to synchronous notification %1 took %6 milliseconds Event Category: %2 Device Instance ID: %3 Category Specific Da...

Provider: Microsoft-Windows-Kernel-PnP
Channel: Driver Watchdog

Message

Responses from user mode clients to synchronous notification %1 took %6 milliseconds
Event Category: %2
Device Instance ID: %3
Category Specific Data:
%4
%5

Fields

Name	Description
`EventGuid`	—
`EventCategory`	—
`DeviceInstanceId`	—
`CategorySpecificData_Guid`	—
`CategorySpecificData_String`	—
`TimeMs`	—

Event ID 932 — Synchronous notification %7 to process %2 (%3) was removed after %14 milliseconds Event Category: %8 Device Instance ID: %9 Category Specific Data:...

Provider: Microsoft-Windows-Kernel-PnP
Channel: Driver Watchdog

Message

Synchronous notification %7 to process %2 (%3) was removed after %14 milliseconds
Event Category: %8
Device Instance ID: %9
Category Specific Data:
%10
%11

Fields

Name	Description
`FilterType`	—
`ProcessId`	—
`ProcessImageName`	—
`QueueDepth`	—
`DropCount`	—
`RegistrationTeardown`	—
`EventGuid`	—
`EventCategory`	—
`DeviceInstanceId`	—
`CategorySpecificData_Guid`	—
`CategorySpecificData_String`	—
`Synchronous`	—
`NotificationReceivedByClient`	—
`ElapsedTimeMs`	—

Event ID 933 — Notification %4 to driver %3 took %5 milliseconds Event Category: %1 Notification Specific Data: %6 %8.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Driver Watchdog

Message

Notification %4 to driver %3 took %5 milliseconds
Event Category: %1
Notification Specific Data:
%6
%8

Fields

Name	Description
`EventCategory`	—
`DriverNameLength`	—
`DriverName`	—
`EventGuid`	—
`ElapsedTimeMs`	—
`NotificationSpecific_Guid`	—
`UnicodeStringLength`	—
`NotificationSpecific_UnicodeString`	—

Event ID 1000 — Device %1 could not be query removed as the removal was vetoed.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Management
Level: 3
Samples: 1

Message

Device %1 could not be query removed as the removal was vetoed.

Veto Type: %2
Vetoed By: %3

Fields

Name	Description
`DeviceInstanceId`	—
`VetoType`	—
`VetoName`	Vetoed By.

Example Event

system:
  provider: Microsoft-Windows-Kernel-PnP
  guid: 9C205A39-1250-487D-ABD7-E831C6290539
  event_source_name: ''
  event_id: 1000
  version: 0
  level: 3
  task: 0
  opcode: 0
  keywords: 72057594037927936
  time_created: '2023-10-25T22:50:39.854895+00:00'
  event_record_id: 10
  correlation: {}
  execution:
    process_id: 4
    thread_id: 384
  channel: Microsoft-Windows-Kernel-PnP/Device Management
  computer: WinDevEval
  security:
    user_id: S-1-5-18
event_data:
  DeviceInstanceId: ACPI\PNP0303\4&1bd7f811&0
  VetoType: 6
  VetoName: ACPI\PNP0303\4&1bd7f811&0\Driver\i8042prt
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 1010 — Device %1 has been surprise removed as it is reported as missing on the bus.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Management
Level: 4
Samples: 1

Message

Device %1 has been surprise removed as it is reported as missing on the bus.
Count of devices removed: %2

Fields

Name	Description
`DeviceInstanceId`	—
`DeviceCount`	Count of devices removed.

Example Event

system:
  provider: Microsoft-Windows-Kernel-PnP
  guid: 9C205A39-1250-487D-ABD7-E831C6290539
  event_source_name: ''
  event_id: 1010
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 72057594037927936
  time_created: '2023-11-06T01:46:52.163431+00:00'
  event_record_id: 23
  correlation: {}
  execution:
    process_id: 4
    thread_id: 17804
  channel: Microsoft-Windows-Kernel-PnP/Device Management
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  DeviceInstanceId: SWD\MSDAS\{ce958e9a-424f-4c88-86f4-11314821e75a}
  DeviceCount: 1
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 1011 — Device %1 has been surprise removed as it was reported to be failing.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Management

Message

Device %1 has been surprise removed as it was reported to be failing.
Count of devices removed: %2

Fields

Name	Description
`DeviceInstanceId`	—
`DeviceCount`	—

Event ID 1020 — A resource rebalance operation has succeeded.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Management

Message

A resource rebalance operation has succeeded.

Device Instance ID: %1
Service Name: %2
Device Count: %3
Rebalance Phase: %4
Subtree Root Instance ID: %5
Subtree Includes Root: %6
Rebalance Due to Dynamic Partitioning: %7
Rebalance Reason: %8
Conflicting Resource Type: %9
Duration in Milliseconds: %10
Device Reset: %11

Fields

Name	Description
`DeviceInstanceId`	—
`ServiceName`	—
`DeviceCount`	—
`Phase`	—
`SubtreeRootInstanceId`	—
`SubtreeIncludesRoot`	—
`RebalanceDueToDynamicPartitioning`	—
`RebalanceReason`	—
`ConflictResourceType`	—
`DurationInMs`	—
`ResetDeviceWhileStopped`	—

Event ID 1021 — A resource rebalance operation has failed.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Management

Message

A resource rebalance operation has failed.

Device Instance ID: %1
Service Name: %2
Device Count: %3
Rebalance Phase: %4
Subtree Root Instance ID: %5
Subtree Includes Root: %6
Rebalance Due to Dynamic Partitioning: %7
Rebalance Reason: %8
Conflicting Resource Type: %9
Rebalance Failure: %10
Veto Reason: %11
Vetoing Device Node Instance ID: %12
Duration in Milliseconds: %13
Device Reset: %14

Fields

Name	Description
`DeviceInstanceId`	—
`ServiceName`	—
`DeviceCount`	—
`Phase`	—
`SubtreeRootInstanceId`	—
`SubtreeIncludesRoot`	—
`RebalanceDueToDynamicPartitioning`	—
`RebalanceReason`	—
`ConflictResourceType`	—
`RebalanceFailure`	—
`VetoReason`	—
`VetoNodeInstanceId`	—
`DurationInMs`	—
`ResetDeviceWhileStopped`	—

Event ID 1030 — Device %1 has been assigned to a guest partition.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Management

Message

Device %1 has been assigned to a guest partition.

Fields

Name	Description
`Device`	—

Event ID 1031 — Device %1 is no longer assigned to a guest partition.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Management

Message

Device %1 is no longer assigned to a guest partition.

Fields

Name	Description
`Device`	—

Event ID 1040 — Device %1 has requested a platform-level device reset.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Management

Message

Device %1 has requested a platform-level device reset.

Flags: %2

Fields

Name	Description
`Flags`	—
`DeviceInstanceId`	—

Event ID 1041 — Device %2 has completed a platform-level device reset.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Management

Message

Device %2 has completed a platform-level device reset.

Status: %3
Veto type: %4
Vetoed By: %6

Fields

Name	Description
`Status`	—
`Veto_type`	—
`Vetoed_By`	Status.
`DeviceInstanceLength`	—
`DeviceInstance`	—
`VetoType`	—
`VetoNameLength`	—
`VetoName`	—

Event ID 1050 — Failed to create driver package defined child device of %1.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Management

Message

Failed to create driver package defined child device of %1.

Child Instance ID: %2
Status: %3

Fields

Name	Description
`Child_Instance_ID`	—
`Status`	—
`ParentDeviceInstancePath`	—
`InstanceId`	—

Event ID 1060 — Failed to create computer device derived from firmware information.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Management

Message

Failed to create computer device derived from firmware information. Status: %1

Fields

Name	Description
`Status`	—

Event ID 1065 — Device %1 with problem code %2 and problem status %3 requires the system to be rebooted.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Management

Message

Device %1 with problem code %2 and problem status %3 requires the system to be rebooted.
Additional information:
%4

Fields

Name	Description
`DeviceInstanceId`	—
`ProblemCode`	—
`ProblemStatus`	—
`AdditionalInfo`	—

Event ID 1070 — Failed to open %3 driver service %2 for device %1.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Management

Message

Failed to open %3 driver service %2 for device %1. Status: %4

Fields

Name	Description
`DeviceInstance`	—
`ServiceName`	—
`DeviceStackLocation`	—
`Status`	—

Event ID 1080 — The driver %5 failed to unload.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Management

Message

The driver %5 failed to unload.
Driver Version: %6
Status: %3

Fields

Name	Description
`DriverNameLength`	—
`DriverName`	—
`Status`	—
`FailureNameLength`	—
`FailureName`	—
`Version`	—

Event ID 1100 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

References

Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=1100

Event ID 1101 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`Status`	—

References

Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=1101

Event ID 1102 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`EnumeratorName`	—
`InstanceId`	—
`ParentDeviceInstanceId`	—

References

Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=1102

Event ID 1103 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`EnumeratorName`	—
`InstanceId`	—
`ParentDeviceInstanceId`	—
`Status`	—

Event ID 1104 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`EnumeratorName`	—
`InstanceId`	—
`ParentDeviceInstanceId`	—
`CapabilityFlags`	—
`DeviceDescription`	—
`DeviceLocation`	—
`NumProperties`	—

References

Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=1104

Event ID 1105 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`DeviceId`	—
`InstanceId`	—

References

Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=1105

Event ID 1106 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`DeviceId`	—
`InstanceId`	—

Event ID 1107 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`DeviceId`	—
`InstanceId`	—
`RemovedFromBus`	—
`HasPrimaryDeviceObject`	—

Event ID 1108 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`DeviceId`	—
`InstanceId`	—
`AlreadyExists`	—

References

Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=1108

Event ID 1109 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`DeviceId`	—
`InstanceId`	—

Event ID 1110 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`DeviceId`	—
`InstanceId`	—
`DeviceInstancePath`	—

Event ID 1111 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`DeviceId`	—
`InstanceId`	—
`Status`	—

Event ID 1120 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`DeviceId`	—
`InstanceId`	—
`ParentDeviceInstanceId`	—

References

Microsoft Learn https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus

Event ID 1121 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`DeviceId`	—
`InstanceId`	—
`ParentDeviceInstanceId`	—
`Status`	—

References

Microsoft Learn https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus

Event ID 1122 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`DeviceId`	—
`InstanceId`	—
`ParentDeviceInstanceId`	—

Event ID 1130 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`DeviceId`	—
`InstanceId`	—

Event ID 1131 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`DeviceId`	—
`InstanceId`	—
`Status`	—

Event ID 1132 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`DeviceId`	—
`InstanceId`	—
`OldLifetime`	—
`NewLifetime`	—

Event ID 1140 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`DeviceId`	—
`InstanceId`	—

Event ID 1141 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`DeviceId`	—
`InstanceId`	—
`Status`	—

Event ID 1142 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`DeviceId`	—
`InstanceId`	—
`SymbolicLink`	—

Event ID 1143 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`DeviceId`	—
`InstanceId`	—
`SymbolicLink`	—
`Enable`	—

Event ID 1144 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`DeviceId`	—
`InstanceId`	—

Event ID 1145 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`DeviceId`	—
`InstanceId`	—
`Status`	—

Event ID 1150 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`DeviceId`	—
`InstanceId`	—

Event ID 1151 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`DeviceId`	—
`InstanceId`	—
`Status`	—

Event ID 1160 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`DeviceId`	—
`InstanceId`	—

Event ID 1161 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`DeviceId`	—
`InstanceId`	—
`Status`	—

Event ID 1170 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`DeviceId`	—
`InstanceId`	—

Event ID 1171 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`DeviceId`	—
`InstanceId`	—
`DeviceClosed`	—

Event ID 1172 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`ParentDeviceInstanceId`	—
`EnumeratorName`	—
`InstanceId`	—

Event ID 1173 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`ParentDeviceInstanceId`	—
`EnumeratorName`	—
`InstanceId`	—
`Status`	—

Event ID 1174 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`ParentDeviceInstanceId`	—

Event ID 1175 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`DeviceId`	—
`InstanceId`	—

Event ID 1176 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`DeviceId`	—
`InstanceId`	—
`DeviceInstanceId`	—
`KeepActive`	—
`SwDeviceFlags`	—
`DeviceExtensionFlags`	—

Event ID 1177 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`DeviceId`	—
`InstanceId`	—
`DeviceInstanceId`	—
`ParentDeviceInstanceId`	—
`SwDeviceFlags`	—
`DeviceExtensionFlags`	—

Event ID 1178 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`DeviceId`	—
`InstanceId`	—
`DeviceInstanceId`	—
`Status`	—

Event ID 1190 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`DeviceId`	—
`InstanceId`	—
`ParentDeviceInstanceId`	—
`SwDeviceFlags`	—

Event ID 1191 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`DeviceId`	—
`InstanceId`	—
`PdoReported`	—
`NewPdo`	—

Event ID 1192 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`DeviceId`	—
`InstanceId`	—
`SkipCount`	—

Event ID 1200 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`DeviceId`	—
`InstanceId`	—

Event ID 1201 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`DeviceId`	—
`InstanceId`	—
`Status`	—

Event ID 1202 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`DeviceId`	—
`InstanceId`	—
`OldAttributes`	—
`NewAttributes`	—

Event ID 1300 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`FilterType`	—
`ProcessId`	—
`ProcessImageName`	—
`QueueDepth`	—
`DropCount`	—
`EventGuid`	—
`EventCategory`	—
`DeviceInstanceId`	—
`CategorySpecificData_Guid`	—
`CategorySpecificData_String`	—
`Synchronous`	—
`ElapsedTimeMs`	—

Event ID 1301 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`FilterType`	—
`ProcessId`	—
`ProcessImageName`	—
`QueueDepth`	—
`DropCount`	—
`EventGuid`	—
`EventCategory`	—
`DeviceInstanceId`	—
`CategorySpecificData_Guid`	—
`CategorySpecificData_String`	—
`Synchronous`	—
`ElapsedTimeMs`	—

Event ID 1302 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`FilterType`	—
`ProcessId`	—
`ProcessImageName`	—
`QueueDepth`	—
`DropCount`	—
`EventGuid`	—
`EventCategory`	—
`DeviceInstanceId`	—
`CategorySpecificData_Guid`	—
`CategorySpecificData_String`	—
`Synchronous`	—
`Status`	—

Event ID 1303 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`FilterType`	—
`ProcessId`	—
`ProcessImageName`	—
`QueueDepth`	—
`DropCount`	—
`EventGuid`	—
`EventCategory`	—
`DeviceInstanceId`	—
`CategorySpecificData_Guid`	—
`CategorySpecificData_String`	—
`Synchronous`	—
`Status`	—

Event ID 1304 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields

Name	Description
`FilterType`	—
`ProcessId`	—
`ProcessImageName`	—
`QueueDepth`	—
`DropCount`	—
`RegistrationTeardown`	—
`EventGuid`	—
`EventCategory`	—
`DeviceInstanceId`	—
`CategorySpecificData_Guid`	—
`CategorySpecificData_String`	—
`Synchronous`	—
`NotificationReceivedByClient`	—
`ElapsedTimeMs`	—

Event ID 1400 — Begin serializing boot with PnP device enumeration

Provider: Microsoft-Windows-Kernel-PnP
Channel: Boot Diagnostic

Message

Begin serializing boot with PnP device enumeration

Event ID 1401 — End serializing boot with PnP device enumeration

Provider: Microsoft-Windows-Kernel-PnP
Channel: Boot Diagnostic

Message

End serializing boot with PnP device enumeration