Microsoft-Windows-Kernel-PnP

196 events across 9 channels

Event ID	Title	Channel
200	Begin boot start drivers phase	Boot Diagnostic
201	End boot start drivers phase	Boot Diagnostic
202	Begin system start drivers phase	Boot Diagnostic
203	End system start drivers phase	Boot Diagnostic
204	OS Loader Start: OS_Loader_Start.	Boot Diagnostic
205		Operational
206		Operational
207		Operational
208		Operational
209		Operational
210	Begin initializing boot start driver DriverName.	Driver Diagnostic
211	End initializing boot start driver DriverName.	Driver Diagnostic
212	Begin loading driver DriverName.	Driver Diagnostic
213	End loading driver DriverName.	Driver Diagnostic
214	Begin unloading driver DriverName.	Driver Diagnostic
215	End unloading driver DriverName.	Driver Diagnostic
216	Begin starting device DriverName.	Device Enumeration Diagnostic
217	Pending start of device DriverName.	Device Enumeration Diagnostic
218	End starting device DriverName using driver FailureName.	Device Enumeration Diagnostic
219	The driver FailureName failed to load.	System
220	Begin querying bus relations for device DriverName.	Device Enumeration Diagnostic
221	Pending querying bus relations for device DriverName.	Device Enumeration Diagnostic
222	End querying bus relations for device DriverName.	Device Enumeration Diagnostic
223	Begin attempting to eject device DriverName.	Device Enumeration Diagnostic
224	End attempting to eject device DriverName.	Device Enumeration Diagnostic
225	The application ProcessName with process id ProcessId stopped the removal or …	System
226	Begin calling driver initialization routine for driver DriverName.	Driver Diagnostic
227	End calling driver initialization routine for driver DriverName.	Driver Diagnostic
228		Operational
229		Operational
230		Operational
231		Operational
232		Operational
233		Operational
234		Operational
235		Operational
236		Operational
240	A partition unit replace operation has been initiated.	System
241	A partition unit replace operation has failed.	System
242	A partition unit has been successfully replaced.	System
250	Begin configuration of device DeviceInstance.	Configuration Diagnostic
251	Pending configuration of device DeviceInstance.	Configuration Diagnostic
252	End configuration of device DeviceInstance.	Configuration Diagnostic
260	Begin starting system start drivers part 1	Boot Diagnostic
261	End starting system start drivers part 1	Boot Diagnostic
262	Begin starting system start drivers part 2	Boot Diagnostic
263	End starting system start drivers part 2	Boot Diagnostic
264	Begin processing reinitialization requests for boot start drivers	Driver Diagnostic
265	End processing reinitialization requests for boot start drivers	Driver Diagnostic
266	Begin processing reinitialization requests for system start drivers	Driver Diagnostic
267	End processing reinitialization requests for system start drivers	Driver Diagnostic
270	Begin loading driver database DriverName.	Configuration Diagnostic
271	Pending loading driver database DriverName.	Configuration Diagnostic
272	End loading driver database DriverName.	Configuration Diagnostic
273	Begin unloading driver database DriverName.	Configuration Diagnostic
274	Pending unloading driver database DriverName.	Configuration Diagnostic
275	End unloading driver database DriverName.	Configuration Diagnostic
276		Operational
277		Operational
278		Operational
300	Begin starting initialization of drivers	Boot Diagnostic
301	End starting initialization of drivers	Boot Diagnostic
400	Device DeviceInstanceId was configured.	Configuration
401	Device Driver_Name failed configuration.	Configuration
402	Device Driver_Name had its configuration blocked by policy.	Configuration
403	Device DeviceInstanceId requires a system reboot to complete configuration.	Configuration
410	Device DeviceInstanceId was started.	Configuration
411	Device DeviceInstanceId had a problem starting.	Configuration
412	Device Driver_Name requires a system reboot before it can be started.	Configuration
420	Device DeviceInstanceId was deleted.	Configuration
421	Device Class_Guid could not be deleted.	Configuration
430	Device DeviceInstanceId requires further installation.	Configuration
440	Device settings for Last_Device_Instance_Id were migrated from previous OS …	Configuration
441	Device settings for Last_Device_Instance_Id could not be migrated from previous …	Configuration
442	Device settings for Last_Device_Instance_Id were not migrated from previous OS …	Configuration
500		Operational
501		Operational
502		Operational
503		Operational
600	A start type override of StartType was set for driver Driver in hardware …	Driver Diagnostic
700		Operational
701		Operational
702		Operational
703		Operational
704		Operational
705		Operational
800	Begin processing new device (DeviceNode).	Device Enumeration Diagnostic
801	Processing device DeviceInstancePath (DeviceNode).	Device Enumeration Diagnostic
802	End processing new device (DeviceNode).	Device Enumeration Diagnostic
803	Begin processing phase Phase of starting device Device.	Operational
804	End processing phase Phase of starting device Device.	Operational
805	Begin processing phase Phase of restarting device Device.	Operational
806	End processing phase Phase of restarting device Device.	Operational
807	Begin device add operation for driver DriverName, device DeviceInstancePath.	Device Enumeration Diagnostic
808	End device add, status (Status).	Device Enumeration Diagnostic
809	Duplicate device instance reported by BusId and DeviceId.	Device Management
810	Reenumeration of device tree below Device has been queued.	Device Enumeration Diagnostic
811	Begin reenumeration of device tree below Device.	Device Enumeration Diagnostic
812	End reenumeration of device tree below Device.	Device Enumeration Diagnostic
813	Reenumeration of Device has been queued.	Device Enumeration Diagnostic
814	Begin reenumeration of Device.	Device Enumeration Diagnostic
815	End reenumeration of Device.	Device Enumeration Diagnostic
816	Configuration of device Device for configuration type RequestType has been …	Configuration Diagnostic
817	Begin configuration of device Device for configuration type RequestType.	Configuration Diagnostic
818	End configuration of device Device for configuration type RequestType.	Configuration Diagnostic
819		Operational
820		Operational
821		Operational
830	Removal of Device has been queued.	Device Enumeration Diagnostic
831	Begin removal of Device.	Device Enumeration Diagnostic
832	End removal of Device.	Device Enumeration Diagnostic
840	Begin resetting device DeviceInstance.	Device Enumeration Diagnostic
841	End resetting device DeviceInstance with status Status, veto type VetoType, veto …	Device Enumeration Diagnostic
850	Begin assigning resources to device tree below Device.	Device Enumeration Diagnostic
851	End assigning resources to device tree below Device.	Device Enumeration Diagnostic
852	Begin rebalancing resources for device DeviceInstance.	Device Enumeration Diagnostic
853	End rebalancing resources for device DeviceInstance.	Device Enumeration Diagnostic
860	Updated problem code on device DeviceInstanceId.	Operational
900	A long running thread for the device event queue was detected.	Driver Watchdog
901	A long running thread for the device event queue has been completed.	Driver Watchdog
902	A long running thread for device start processing was detected.	Driver Watchdog
903	A long running thread for device start processing has been completed.	Driver Watchdog
904	A long running thread for device removal was detected.	Driver Watchdog
905	A long running thread for device removal has been completed.	Driver Watchdog
906	A long running thread for device add routine was detected.	Driver Watchdog
907	A long running thread for device add routine has been completed.	Driver Watchdog
908	A long running thread for driver entry was detected.	Driver Watchdog
909	A long running thread for driver entry routine has been completed.	Driver Watchdog
930	Timed out waiting for response from user mode clients to synchronous …	Driver Watchdog
931	Responses from user mode clients to synchronous notification EventGuid took …	Driver Watchdog
932	Synchronous notification EventGuid to process ProcessId (ProcessImageName) was …	Driver Watchdog
933	Notification EventGuid to driver DriverName took ElapsedTimeMs milliseconds.	Driver Watchdog
1000	Device DeviceInstanceId could not be query removed as the removal was vetoed.	Device Management
1010	Device DeviceInstanceId has been surprise removed as it is reported as missing …	Device Management
1011	Device DeviceInstanceId has been surprise removed as it was reported to be …	Device Management
1020	A resource rebalance operation has succeeded.	Device Management
1021	A resource rebalance operation has failed.	Device Management
1030	Device Device has been assigned to a guest partition.	Device Management
1031	Device Device is no longer assigned to a guest partition.	Device Management
1040	Device Flags has requested a platform-level device reset.	Device Management
1041	Device Veto_type has completed a platform-level device reset.	Device Management
1050	Failed to create driver package defined child device of Child_Instance_ID.	Device Management
1060	Failed to create computer device derived from firmware information.	Device Management
1065	Device DeviceInstanceId with problem code ProblemCode and problem status …	Device Management
1070	Failed to open DeviceStackLocation driver service ServiceName for device …	Device Management
1080	The driver FailureName failed to unload.	Device Management
1100		Operational
1101		Operational
1102		Operational
1103		Operational
1104		Operational
1105		Operational
1106		Operational
1107		Operational
1108		Operational
1109		Operational
1110		Operational
1111		Operational
1120		Operational
1121		Operational
1122		Operational
1130		Operational
1131		Operational
1132		Operational
1140		Operational
1141		Operational
1142		Operational
1143		Operational
1144		Operational
1145		Operational
1150		Operational
1151		Operational
1160		Operational
1161		Operational
1170		Operational
1171		Operational
1172		Operational
1173		Operational
1174		Operational
1175		Operational
1176		Operational
1177		Operational
1178		Operational
1190		Operational
1191		Operational
1192		Operational
1200		Operational
1201		Operational
1202		Operational
1300		Operational
1301		Operational
1302		Operational
1303		Operational
1304		Operational
1400	Begin serializing boot with PnP device enumeration	Boot Diagnostic
1401	End serializing boot with PnP device enumeration	Boot Diagnostic

Event ID 200 — Begin boot start drivers phase

Provider: Microsoft-Windows-Kernel-PnP
Channel: Boot Diagnostic
Task: BootStart
Opcode: Start

Description

Begin boot start drivers phase.

Message #

Begin boot start drivers phase

Event ID 201 — End boot start drivers phase

Provider: Microsoft-Windows-Kernel-PnP
Channel: Boot Diagnostic
Task: BootStart
Opcode: Stop

Description

End boot start drivers phase.

Message #

End boot start drivers phase

Event ID 202 — Begin system start drivers phase

Provider: Microsoft-Windows-Kernel-PnP
Channel: Boot Diagnostic
Task: SystemStart
Opcode: Start

Description

Begin system start drivers phase.

Message #

Begin system start drivers phase

Event ID 203 — End system start drivers phase

Provider: Microsoft-Windows-Kernel-PnP
Channel: Boot Diagnostic
Task: SystemStart
Opcode: Stop

Description

End system start drivers phase.

Message #

End system start drivers phase

Event ID 204 — OS Loader Start: OS_Loader_Start.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Boot Diagnostic
Task: OsLoader

Description

OS Loader Start: OS_Loader_Start.

Message #

OS Loader Start: %1
OS Loader End: %2

Fields #

Name	Description
`OS_Loader_Start`	—
`OS_Loader_End`	—
`OSLoaderStart` UInt64	—
`OSLoaderEnd` UInt64	—
`PreloadEndTime` UInt64	—
`TcbLoaderStartTime` UInt64	—
`LoadHypervisorTime` UInt64	—
`LaunchHypervisorTime` UInt64	—
`LoadVsmTime` UInt64	—
`LaunchVsmTime` UInt64	—
`ExecuteTransitionStartTime` UInt64	—
`ExecuteTransitionEndTime` UInt64	—
`PerformanceDataFrequency` UInt64	—

Event ID 205 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Task: EarlyLaunchAntiMalware
Opcode: Start

Fields #

Name	Description
`ElamDriverNameLength` UInt16	—
`ElamDriverName` UnicodeString	—

Event ID 206 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Task: EarlyLaunchAntiMalware
Opcode: Stop

Fields #

Name	Description
`ElamDriverNameLength` UInt16	—
`ElamDriverName` UnicodeString	—

Event ID 207 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Task: EarlyLaunchAntiMalware
Opcode: Start

Fields #

Name	Description
`ElamStatus` UInt32	—

Event ID 208 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Task: EarlyLaunchAntiMalware
Opcode: Stop

Fields #

Name	Description
`ElamStatus` UInt32	—

Event ID 209 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Task: EarlyLaunchAntiMalware

Fields #

Name	Description
`Classification` UInt32	—
`Policy` UInt32	—
`Result` UInt32	—

Event ID 210 — Begin initializing boot start driver DriverName.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Driver Diagnostic
Task: BootInit
Opcode: Start

Description

Begin initializing boot start driver DriverName.

Message #

Begin initializing boot start driver %2

Fields #

Name	Description
`DriverNameLength` UInt16	—
`DriverName` UnicodeString	—

Event ID 211 — End initializing boot start driver DriverName.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Driver Diagnostic
Task: BootInit
Opcode: Stop

Description

End initializing boot start driver DriverName. Status: Status.

Message #

End initializing boot start driver %2.  Status: %3

Fields #

Name	Description
`DriverNameLength` UInt16	—
`DriverName` UnicodeString	—
`Status` UInt32	— NTSTATUS reference

Event ID 212 — Begin loading driver DriverName.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Driver Diagnostic
Task: DriverLoad
Opcode: Start

Description

Begin loading driver DriverName.

Message #

Begin loading driver %2

Fields #

Name	Description
`DriverNameLength` UInt16	—
`DriverName` UnicodeString	—

Event ID 213 — End loading driver DriverName.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Driver Diagnostic
Task: DriverLoad
Opcode: Stop

Description

End loading driver DriverName. Status: Status.

Message #

End loading driver %5.  Status: %3

Fields #

Name	Description
`ServiceNameLength` UInt16	—
`ServiceName` UnicodeString	—
`Status` UInt32	— NTSTATUS reference
`DriverNameLength` UInt16	—
`DriverName` UnicodeString	—
`Version` UInt32	—

Event ID 214 — Begin unloading driver DriverName.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Driver Diagnostic
Task: DriverUnload
Opcode: Start

Description

Begin unloading driver DriverName.

Message #

Begin unloading driver %2

Fields #

Name	Description
`DriverNameLength` UInt16	—
`DriverName` UnicodeString	—

Event ID 215 — End unloading driver DriverName.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Driver Diagnostic
Task: DriverUnload
Opcode: Stop

Description

End unloading driver DriverName. Status: Status.

Message #

End unloading driver %5.  Status: %3

Fields #

Name	Description
`ServiceNameLength` UInt16	—
`ServiceName` UnicodeString	—
`Status` UInt32	— NTSTATUS reference
`DriverNameLength` UInt16	—
`DriverName` UnicodeString	—
`Version` UInt32	—

Event ID 216 — Begin starting device DriverName.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Enumeration Diagnostic
Task: DeviceStart
Opcode: Start

Description

Begin starting device DriverName.

Message #

Begin starting device %2

Fields #

Name	Description
`DriverNameLength` UInt16	—
`DriverName` UnicodeString	—

Event ID 217 — Pending start of device DriverName.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Enumeration Diagnostic
Task: DeviceStart
Opcode: Suspend

Description

Pending start of device DriverName.

Message #

Pending start of device %2

Fields #

Name	Description
`DriverNameLength` UInt16	—
`DriverName` UnicodeString	—

Event ID 218 — End starting device DriverName using driver FailureName.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Enumeration Diagnostic
Task: DeviceStart
Opcode: Stop

Description

End starting device DriverName using driver FailureName. Status: Status.

Message #

End starting device %2 using driver %5.  Status: %3

Fields #

Name	Description
`DriverNameLength` UInt16	—
`DriverName` UnicodeString	—
`Status` UInt32	— NTSTATUS reference
`FailureNameLength` UInt16	—
`FailureName` UnicodeString	—
`Version` UInt32	—

Event ID 219 — The driver FailureName failed to load.

Provider: Microsoft-Windows-Kernel-PnP
Channel: System
Level: Warning
Collection Priority: Recommended (NSA)
Task: DriverLoad

Description

The driver FailureName failed to load.

Message #

The driver %5 failed to load.
Device: %2
Status: %3

Fields #

Name	Description
`DriverNameLength` UInt16	—
`DriverName` UnicodeString	—
`Status` UInt32	— NTSTATUS reference
`FailureNameLength` UInt16	—
`FailureName` UnicodeString	—
`Version` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-PnP",
    "guid": "9C205A39-1250-487D-ABD7-E831C6290539",
    "event_source_name": "",
    "event_id": 219,
    "version": 0,
    "level": 3,
    "task": 212,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T06:25:19.591886+00:00",
    "event_record_id": 1645,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 224
    },
    "channel": "System",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "DriverNameLength": 15,
    "DriverName": "ROOT\\VMBus\\0000",
    "Status": 3221226341,
    "FailureNameLength": 14,
    "FailureName": "\\Driver\\vmbusr",
    "Version": 0
  },
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/event-id-219-when-device-plugged-in-windows-system
Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 220 — Begin querying bus relations for device DriverName.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Enumeration Diagnostic
Task: DeviceEnum
Opcode: Start

Description

Begin querying bus relations for device DriverName.

Message #

Begin querying bus relations for device %2

Fields #

Name	Description
`DriverNameLength` UInt16	—
`DriverName` UnicodeString	—

Event ID 221 — Pending querying bus relations for device DriverName.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Enumeration Diagnostic
Task: DeviceEnum
Opcode: Suspend

Description

Pending querying bus relations for device DriverName.

Message #

Pending querying bus relations for device %2

Fields #

Name	Description
`DriverNameLength` UInt16	—
`DriverName` UnicodeString	—

Event ID 222 — End querying bus relations for device DriverName.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Enumeration Diagnostic
Task: DeviceEnum
Opcode: Stop

Description

End querying bus relations for device DriverName.

Message #

End querying bus relations for device %2

Fields #

Name	Description
`DriverNameLength` UInt16	—
`DriverName` UnicodeString	—

Event ID 223 — Begin attempting to eject device DriverName.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Enumeration Diagnostic
Task: DeviceEject
Opcode: Start

Description

Begin attempting to eject device DriverName.

Message #

Begin attempting to eject device %2

Fields #

Name	Description
`DriverNameLength` UInt16	—
`DriverName` UnicodeString	—

Event ID 224 — End attempting to eject device DriverName.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Enumeration Diagnostic
Task: DeviceEject
Opcode: Stop

Description

End attempting to eject device DriverName. Status: Status.

Message #

End attempting to eject device %2. Status: %3

Fields #

Name	Description
`DriverNameLength` UInt16	—
`DriverName` UnicodeString	—
`Status` UInt32	— NTSTATUS reference
`FailureNameLength` UInt16	—
`FailureName` UnicodeString	—
`Version` UInt32	—

Event ID 225 — The application ProcessName with process id ProcessId stopped the removal or ejection for the device DeviceInstance.

Provider: Microsoft-Windows-Kernel-PnP
Channel: System
Task: DeviceEject

Description

The application ProcessName with process id ProcessId stopped the removal or ejection for the device DeviceInstance.

Message #

The application %3 with process id %1 stopped the removal or ejection for the device %5.

Fields #

Name	Description
`ProcessId` UInt32	—
`ProcessNameLength` UInt16	—
`ProcessName` UnicodeString	—
`DeviceInstanceLength` UInt16	—
`DeviceInstance` UnicodeString	—
`CommandLineLength` UInt16	—
`CommandLine` UnicodeString	—
`VetoingDevicesLength` UInt16	—
`VetoingDevices` UnicodeString	—

Event ID 226 — Begin calling driver initialization routine for driver DriverName.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Driver Diagnostic
Task: DriverInit
Opcode: Start

Description

Begin calling driver initialization routine for driver DriverName.

Message #

Begin calling driver initialization routine for driver %2

Fields #

Name	Description
`DriverNameLength` UInt16	—
`DriverName` UnicodeString	—

Event ID 227 — End calling driver initialization routine for driver DriverName.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Driver Diagnostic
Task: DriverInit
Opcode: Stop

Description

End calling driver initialization routine for driver DriverName. Status: Status.

Message #

End calling driver initialization routine for driver %2. Status: %3

Fields #

Name	Description
`DriverNameLength` UInt16	—
`DriverName` UnicodeString	—
`Status` UInt32	— NTSTATUS reference

Event ID 228 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SqmType` UInt32	—
`SqmSessionGuid` GUID	—
`SqmSid` SID	—
`SqmWindowsSessionId` UInt32	—
`SqmSessionFlags` UInt32	—

Event ID 229 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SqmType` UInt32	—
`SqmSessionGuid` GUID	—

Event ID 230 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SqmType` UInt32	—
`SqmSessionGuid` GUID	—
`SqmID` UInt32	—
`SqmDWORDDatapointValue` UInt32	—

Event ID 231 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Opcode: Stop

Fields #

Name	Description
`SqmType` UInt32	—
`SqmSessionGuid` GUID	—
`SqmID` UInt32	—
`SqmDWORDDatapointValue` UInt32	—

Event ID 232 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SqmType` UInt32	—
`SqmSessionGuid` GUID	—
`SqmID` UInt32	—
`SqmDWORDDatapointValue` UInt32	—

Event ID 233 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SqmType` UInt32	—
`SqmSessionGuid` GUID	—
`SqmID` UInt32	—
`SqmDWORDDatapointValue` UInt32	—

Event ID 234 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SqmType` UInt32	—
`SqmSessionGuid` GUID	—
`SqmID` UInt32	—
`SqmDWORDDatapointValue` UInt32	—

Event ID 235 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SqmType` UInt32	—
`SqmSessionGuid` GUID	—
`SqmID` UInt32	—
`SqmStringDatapointValue` UnicodeString	—

Event ID 236 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SqmType` UInt32	—
`SqmSessionGuid` GUID	—
`SqmID` UInt32	—
`SqmStreamRowLength` UInt32	—
`SqmStreamRow` Int16	—

Event ID 240 — A partition unit replace operation has been initiated.

Provider: Microsoft-Windows-Kernel-PnP
Channel: System
Opcode: Info

Description

A partition unit replace operation has been initiated.

Message #

A partition unit replace operation has been initiated.

Fields #

Name	Description
`TargetPath` UnicodeString	—
`SparePath` UnicodeString	—

Event ID 241 — A partition unit replace operation has failed.

Provider: Microsoft-Windows-Kernel-PnP
Channel: System
Opcode: Info

Description

A partition unit replace operation has failed.

Message #

A partition unit replace operation has failed.

Fields #

Name	Description
`TargetPath` UnicodeString	—
`SparePath` UnicodeString	—
`Status` HexInt32	— NTSTATUS reference
`Location` UInt32	—
`ExtendedStatus` UInt32	—

Event ID 242 — A partition unit has been successfully replaced.

Provider: Microsoft-Windows-Kernel-PnP
Channel: System
Opcode: Info

Description

A partition unit has been successfully replaced.

Message #

A partition unit has been successfully replaced.

Fields #

Name	Description
`TargetPath` UnicodeString	—
`TargetAffinity` HexInt64	—
`TargetProcessorCount` UInt32	—
`TargetMemoryCount` UInt32	—
`TargetMemorySize` HexInt64	—
`SparePath` UnicodeString	—
`SpareProcessorCount` UInt32	—
`SpareMemoryCount` UInt32	—
`SpareMemorySize` HexInt64	—
`TimeTotal` UInt32	—
`TimeToQuiesce` UInt32	—
`TimeQuiesced` UInt32	—
`TimeToWake` UInt32	—
`TargetProcessors` FILETIME	—
`TargetMemoryRanges` SYSTEMTIME	—
`SpareProcessors` HexInt32	—
`SpareMemoryRanges` HexInt64	—

Event ID 250 — Begin configuration of device DeviceInstance.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Configuration Diagnostic
Task: DeviceConfig
Opcode: Start

Description

Begin configuration of device DeviceInstance.

Message #

Begin configuration of device %2

Fields #

Name	Description
`DeviceInstanceLength` UInt16	—
`DeviceInstance` UnicodeString	—

Event ID 251 — Pending configuration of device DeviceInstance.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Configuration Diagnostic
Task: DeviceConfig
Opcode: Suspend

Description

Pending configuration of device DeviceInstance.

Message #

Pending configuration of device %2

Fields #

Name	Description
`DeviceInstanceLength` UInt16	—
`DeviceInstance` UnicodeString	—

Event ID 252 — End configuration of device DeviceInstance.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Configuration Diagnostic
Task: DeviceConfig
Opcode: Stop

Description

End configuration of device DeviceInstance. Status: Status.

Message #

End configuration of device %2. Status: %3

Fields #

Name	Description
`DeviceInstanceLength` UInt16	—
`DeviceInstance` UnicodeString	—
`Status` UInt32	— NTSTATUS reference

Event ID 260 — Begin starting system start drivers part 1

Provider: Microsoft-Windows-Kernel-PnP
Channel: Boot Diagnostic
Task: SystemStartPnPEnum
Opcode: Start

Description

Begin starting system start drivers part 1.

Message #

Begin starting system start drivers part 1

Event ID 261 — End starting system start drivers part 1

Provider: Microsoft-Windows-Kernel-PnP
Channel: Boot Diagnostic
Task: SystemStartPnPEnum
Opcode: Stop

Description

End starting system start drivers part 1.

Message #

End starting system start drivers part 1

Event ID 262 — Begin starting system start drivers part 2

Provider: Microsoft-Windows-Kernel-PnP
Channel: Boot Diagnostic
Task: SystemStartLegacyEnum
Opcode: Start

Description

Begin starting system start drivers part 2.

Message #

Begin starting system start drivers part 2

Event ID 263 — End starting system start drivers part 2

Provider: Microsoft-Windows-Kernel-PnP
Channel: Boot Diagnostic
Task: SystemStartLegacyEnum
Opcode: Stop

Description

End starting system start drivers part 2.

Message #

End starting system start drivers part 2

Event ID 264 — Begin processing reinitialization requests for boot start drivers

Provider: Microsoft-Windows-Kernel-PnP
Channel: Driver Diagnostic
Task: BootDriverReinit
Opcode: Start

Description

Begin processing reinitialization requests for boot start drivers.

Message #

Begin processing reinitialization requests for boot start drivers

Event ID 265 — End processing reinitialization requests for boot start drivers

Provider: Microsoft-Windows-Kernel-PnP
Channel: Driver Diagnostic
Task: BootDriverReinit
Opcode: Stop

Description

End processing reinitialization requests for boot start drivers.

Message #

End processing reinitialization requests for boot start drivers

Event ID 266 — Begin processing reinitialization requests for system start drivers

Provider: Microsoft-Windows-Kernel-PnP
Channel: Driver Diagnostic
Task: SystemStartDriverReinit
Opcode: Start

Description

Begin processing reinitialization requests for system start drivers.

Message #

Begin processing reinitialization requests for system start drivers

Event ID 267 — End processing reinitialization requests for system start drivers

Provider: Microsoft-Windows-Kernel-PnP
Channel: Driver Diagnostic
Task: SystemStartDriverReinit
Opcode: Stop

Description

End processing reinitialization requests for system start drivers.

Message #

End processing reinitialization requests for system start drivers

Event ID 270 — Begin loading driver database DriverName.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Configuration Diagnostic
Task: DriverDatabaseLoad
Opcode: Start

Description

Begin loading driver database DriverName.

Message #

Begin loading driver database %2

Fields #

Name	Description
`DriverNameLength` UInt16	—
`DriverName` UnicodeString	—

Event ID 271 — Pending loading driver database DriverName.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Configuration Diagnostic
Task: DriverDatabaseLoad
Opcode: Suspend

Description

Pending loading driver database DriverName.

Message #

Pending loading driver database %2

Fields #

Name	Description
`DriverNameLength` UInt16	—
`DriverName` UnicodeString	—

Event ID 272 — End loading driver database DriverName.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Configuration Diagnostic
Task: DriverDatabaseLoad
Opcode: Stop

Description

End loading driver database DriverName.

Message #

End loading driver database %2

Fields #

Name	Description
`DriverNameLength` UInt16	—
`DriverName` UnicodeString	—
`Status` UInt32	— NTSTATUS reference

Event ID 273 — Begin unloading driver database DriverName.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Configuration Diagnostic
Task: DriverDatabaseUnload
Opcode: Start

Description

Begin unloading driver database DriverName.

Message #

Begin unloading driver database %2

Fields #

Name	Description
`DriverNameLength` UInt16	—
`DriverName` UnicodeString	—

Event ID 274 — Pending unloading driver database DriverName.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Configuration Diagnostic
Task: DriverDatabaseUnload
Opcode: Suspend

Description

Pending unloading driver database DriverName.

Message #

Pending unloading driver database %2

Fields #

Name	Description
`DriverNameLength` UInt16	—
`DriverName` UnicodeString	—

Event ID 275 — End unloading driver database DriverName.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Configuration Diagnostic
Task: DriverDatabaseUnload
Opcode: Stop

Description

End unloading driver database DriverName.

Message #

End unloading driver database %2

Fields #

Name	Description
`DriverNameLength` UInt16	—
`DriverName` UnicodeString	—
`Status` UInt32	— NTSTATUS reference

Event ID 276 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Task: DriverDatabaseLoaded
Opcode: Start

Fields #

Name	Description
`DriverNameLength` UInt16	—
`DriverName` UnicodeString	—

Event ID 277 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Task: DriverDatabaseLoaded
Opcode: Stop

Fields #

Name	Description
`DriverNameLength` UInt16	—
`DriverName` UnicodeString	—
`Status` UInt32	— NTSTATUS reference

Event ID 278 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Opcode: Info

Fields #

Name	Description
`BlockedDriverEntry` GUID	—

Event ID 300 — Begin starting initialization of drivers

Provider: Microsoft-Windows-Kernel-PnP
Channel: Boot Diagnostic
Opcode: Info

Description

Begin starting initialization of drivers.

Message #

Begin starting initialization of drivers

Event ID 301 — End starting initialization of drivers

Provider: Microsoft-Windows-Kernel-PnP
Channel: Boot Diagnostic
Opcode: Info

Description

End starting initialization of drivers.

Message #

End starting initialization of drivers

Event ID 400 — Device DeviceInstanceId was configured.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Configuration
Level: Informational
Collection Priority: Recommended (NSA)
Opcode: Info

Description

Device DeviceInstanceId was configured.

Message #

Device %1 was configured.

Driver Name: %2
Class GUID: %3
Driver Date: %4
Driver Version: %5
Driver Provider: %6
Driver Section: %8
Driver Rank: %9
Matching Device ID: %10
Outranked Drivers: %11
Device Updated: %12
Parent Device: %14

Fields #

Name	Description
`DeviceInstanceId` UnicodeString	—
`DriverName` UnicodeString	—
`ClassGuid` GUID	—
`DriverDate` UnicodeString	—
`DriverVersion` UnicodeString	—
`DriverProvider` UnicodeString	—
`DriverInbox` Boolean	—
`DriverSection` UnicodeString	—
`DriverRank` HexInt32	—
`MatchingDeviceId` UnicodeString	—
`OutrankedDrivers` UnicodeString	—
`DeviceUpdated` Boolean	—
`Status` HexInt32	— NTSTATUS reference
`ParentDeviceInstanceId` UnicodeString	Parent Device.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-PnP",
    "guid": "9C205A39-1250-487D-ABD7-E831C6290539",
    "event_source_name": "",
    "event_id": 400,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018427387904,
    "time_created": "2023-11-06T06:20:50.122130+00:00",
    "event_record_id": 211,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 8
    },
    "channel": "Microsoft-Windows-Kernel-PnP/Configuration",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "DeviceInstanceId": "ACPI\\GenuineIntel_-_Intel64_Family_6_Model_183_-_13th_Gen_Intel(R)_Core(TM)_i9-13980HX\\_3",
    "DriverName": "cpu.inf",
    "ClassGuid": "50127DC3-0F36-415E-A6CC-4CB3BE910B65",
    "DriverDate": "04/21/2009",
    "DriverVersion": "10.0.22621.2215",
    "DriverProvider": "Microsoft",
    "DriverInbox": true,
    "DriverSection": "IntelPPM_Inst.NT",
    "DriverRank": "0xff0004",
    "MatchingDeviceId": "ACPI\\GenuineIntel_-_Intel64",
    "OutrankedDrivers": "cpu.inf:ACPI\\Processor:00FF2000",
    "DeviceUpdated": false,
    "Status": "0x0",
    "ParentDeviceInstanceId": "ACPI_HAL\\PNP0C08\\0"
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 401 — Device Driver_Name failed configuration.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Configuration
Opcode: Info

Description

Device Driver_Name failed configuration.

Message #

Device %1 failed configuration.

Driver Name: %2
Class GUID: %3
Driver Date: %4
Driver Version: %5
Driver Provider: %6
Driver Section: %8
Driver Rank: %9
Matching Device ID: %10
Outranked Drivers: %11
Device Updated: %12
Status: %13
Parent Device: %14

Fields #

Name	Description
`Driver_Name`	—
`Class_Guid`	—
`Driver_Date`	—
`Driver_Version`	—
`Driver_Provider`	—
`Driver_Section`	—
`Driver_Rank`	—
`Matching_Device_Id`	Driver Section.
`Outranked_Drivers`	Driver Rank.
`Device_Updated`	Matching Device Id.
`Status` HexInt32	Outranked Drivers. NTSTATUS reference
`Parent_Device`	Device Updated.
`DeviceInstanceId` UnicodeString	—
`DriverName` UnicodeString	—
`ClassGuid` GUID	—
`DriverDate` UnicodeString	—
`DriverVersion` UnicodeString	—
`DriverProvider` UnicodeString	—
`DriverInbox` Boolean	—
`DriverSection` UnicodeString	—
`DriverRank` HexInt32	—
`MatchingDeviceId` UnicodeString	—
`OutrankedDrivers` UnicodeString	—
`DeviceUpdated` Boolean	—
`ParentDeviceInstanceId` UnicodeString	—
`DriverPackageId` UnicodeString	—

Event ID 402 — Device Driver_Name had its configuration blocked by policy.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Configuration
Opcode: Info

Description

Device Driver_Name had its configuration blocked by policy.

Message #

Device %1 had its configuration blocked by policy.

Driver Name: %2
Class GUID: %3
Driver Date: %4
Driver Version: %5
Driver Provider: %6
Driver Section: %8
Driver Rank: %9
Matching Device ID: %10
Outranked Drivers: %11
Device Updated: %12
Status: %13
Parent Device: %14

Fields #

Name	Description
`Driver_Name`	—
`Class_Guid`	—
`Driver_Date`	—
`Driver_Version`	—
`Driver_Provider`	—
`Driver_Section`	—
`Driver_Rank`	—
`Matching_Device_Id`	Driver Section.
`Outranked_Drivers`	Driver Rank.
`Device_Updated`	Matching Device Id.
`Status` HexInt32	Outranked Drivers. NTSTATUS reference
`Parent_Device`	Device Updated.
`DeviceInstanceId` UnicodeString	—
`DriverName` UnicodeString	—
`ClassGuid` GUID	—
`DriverDate` UnicodeString	—
`DriverVersion` UnicodeString	—
`DriverProvider` UnicodeString	—
`DriverInbox` Boolean	—
`DriverSection` UnicodeString	—
`DriverRank` HexInt32	—
`MatchingDeviceId` UnicodeString	—
`OutrankedDrivers` UnicodeString	—
`DeviceUpdated` Boolean	—
`ParentDeviceInstanceId` UnicodeString	—
`DriverPackageId` UnicodeString	—

Event ID 403 — Device DeviceInstanceId requires a system reboot to complete configuration.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Configuration
Level: Warning
Opcode: Info

Description

Device DeviceInstanceId requires a system reboot to complete configuration.

Message #

Device %1 requires a system reboot to complete configuration.

Driver Name: %2
Class GUID: %3
Driver Date: %4
Driver Version: %5
Driver Provider: %6
Driver Section: %8
Driver Rank: %9
Matching Device ID: %10
Outranked Drivers: %11
Device Updated: %12
Status: %13
Parent Device: %14

Fields #

Name	Description
`DeviceInstanceId` UnicodeString	—
`DriverName` UnicodeString	—
`ClassGuid` GUID	—
`DriverDate` UnicodeString	—
`DriverVersion` UnicodeString	—
`DriverProvider` UnicodeString	—
`DriverInbox` Boolean	—
`DriverSection` UnicodeString	—
`DriverRank` HexInt32	—
`MatchingDeviceId` UnicodeString	—
`OutrankedDrivers` UnicodeString	—
`DeviceUpdated` Boolean	—
`Status` HexInt32	— NTSTATUS reference
`ParentDeviceInstanceId` UnicodeString	Parent Device.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-PnP",
    "guid": "9C205A39-1250-487D-ABD7-E831C6290539",
    "event_source_name": "",
    "event_id": 403,
    "version": 0,
    "level": 3,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018427387904,
    "time_created": "2023-10-26T04:16:19.107877+00:00",
    "event_record_id": 112,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 248
    },
    "channel": "Microsoft-Windows-Kernel-PnP/Configuration",
    "computer": "WIN-OQ6R0RVA4NF",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "DeviceInstanceId": "ROOT\\VOLMGR\\0000",
    "DriverName": "volmgr.inf",
    "ClassGuid": "4D36E97D-E325-11CE-BFC1-08002BE10318",
    "DriverDate": "06/21/2006",
    "DriverVersion": "10.0.22621.608",
    "DriverProvider": "Microsoft",
    "DriverInbox": true,
    "DriverSection": "Volmgr",
    "DriverRank": "0xff0000",
    "MatchingDeviceId": "ROOT\\VOLMGR",
    "OutrankedDrivers": "",
    "DeviceUpdated": false,
    "Status": "0x0",
    "ParentDeviceInstanceId": "HTREE\\ROOT\\0"
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 410 — Device DeviceInstanceId was started.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Configuration
Level: Informational
Collection Priority: Recommended (NSA)
Opcode: Info

Description

Device DeviceInstanceId was started.

Message #

Device %1 was started.

Driver Name: %2
Class GUID: %3
Service: %4
Lower Filters: %5
Upper Filters: %6

Fields #

Name	Description
`DeviceInstanceId` UnicodeString	—
`DriverName` UnicodeString	—
`ClassGuid` GUID	—
`ServiceName` UnicodeString	Service.
`LowerFilters` UnicodeString	—
`UpperFilters` UnicodeString	—
`Problem` HexInt32	—
`Status` HexInt32	— NTSTATUS reference

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-PnP",
    "guid": "9C205A39-1250-487D-ABD7-E831C6290539",
    "event_source_name": "",
    "event_id": 410,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018427387904,
    "time_created": "2023-11-06T06:20:59.295648+00:00",
    "event_record_id": 215,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 52
    },
    "channel": "Microsoft-Windows-Kernel-PnP/Configuration",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "DeviceInstanceId": "ACPI\\GenuineIntel_-_Intel64_Family_6_Model_183_-_13th_Gen_Intel(R)_Core(TM)_i9-13980HX\\_3",
    "DriverName": "cpu.inf",
    "ClassGuid": "50127DC3-0F36-415E-A6CC-4CB3BE910B65",
    "ServiceName": "intelppm",
    "LowerFilters": "",
    "UpperFilters": "",
    "Problem": "0x0",
    "Status": "0x0"
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 411 — Device DeviceInstanceId had a problem starting.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Configuration
Level: Error
Opcode: Info

Description

Device DeviceInstanceId had a problem starting.

Message #

Device %1 had a problem starting.

Driver Name: %2
Class GUID: %3
Service: %4
Lower Filters: %5
Upper Filters: %6
Problem: %7
Problem Status: %8

Fields #

Name	Description
`DeviceInstanceId` UnicodeString	—
`DriverName` UnicodeString	—
`ClassGuid` GUID	—
`ServiceName` UnicodeString	Service.
`LowerFilters` UnicodeString	—
`UpperFilters` UnicodeString	—
`Problem` HexInt32	—
`Status` HexInt32	Problem Status. NTSTATUS reference

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-PnP",
    "guid": "9C205A39-1250-487D-ABD7-E831C6290539",
    "event_source_name": "",
    "event_id": 411,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018427387904,
    "time_created": "2023-10-26T04:17:42.366175+00:00",
    "event_record_id": 168,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 52
    },
    "channel": "Microsoft-Windows-Kernel-PnP/Configuration",
    "computer": "WIN-OQ6R0RVA4NF",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "DeviceInstanceId": "PCI\\VEN_8086&DEV_100F&SUBSYS_075015AD&REV_01\\4&bbf9765&0&0088",
    "DriverName": "nete1g3e.inf",
    "ClassGuid": "4D36E972-E325-11CE-BFC1-08002BE10318",
    "ServiceName": "E1G60",
    "LowerFilters": "",
    "UpperFilters": "",
    "Problem": "0x0",
    "Status": "0xc00000e5"
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 412 — Device Driver_Name requires a system reboot before it can be started.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Configuration
Opcode: Info

Description

Device Driver_Name requires a system reboot before it can be started.

Message #

Device %1 requires a system reboot before it can be started.

Driver Name: %2
Class GUID: %3
Service: %4
Lower Filters: %5
Upper Filters: %6
Problem: %7
Problem Status: %8

Fields #

Name	Description
`Driver_Name`	—
`Class_Guid`	—
`Service`	—
`Lower_Filters`	—
`Upper_Filters`	—
`Problem` HexInt32	—
`Problem_Status`	—
`DeviceInstanceId` UnicodeString	—
`DriverName` UnicodeString	—
`ClassGuid` GUID	—
`ServiceName` UnicodeString	—
`LowerFilters` UnicodeString	—
`UpperFilters` UnicodeString	—
`Status` HexInt32	— NTSTATUS reference

Event ID 420 — Device DeviceInstanceId was deleted.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Configuration
Level: Informational
Opcode: Info

Description

Device DeviceInstanceId was deleted.

Message #

Device %1 was deleted.

Class GUID: %2

Fields #

Name	Description
`DeviceInstanceId` UnicodeString	—
`ClassGuid` GUID	—
`Problem` HexInt32	—
`Status` HexInt32	— NTSTATUS reference
`Class_Guid`	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-PnP",
    "guid": "9C205A39-1250-487D-ABD7-E831C6290539",
    "event_source_name": "",
    "event_id": 420,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018427387904,
    "time_created": "2026-03-13T17:24:14.944455+00:00",
    "event_record_id": 226,
    "correlation": {},
    "execution": {
      "process_id": 3668,
      "thread_id": 7476
    },
    "channel": "Microsoft-Windows-Kernel-PnP/Configuration",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "DeviceInstanceId": "SWD\\PRINTENUM\\{01F312F1-DACA-4AA7-96B1-5CE1A11685FD}",
    "ClassGuid": "1ED2BBF9-11F0-4084-B21F-AD83A8E6DCDC",
    "Problem": "0x2d",
    "Status": "0x0"
  },
  "message": ""
}

Event ID 421 — Device Class_Guid could not be deleted.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Configuration
Opcode: Info

Description

Device Class_Guid could not be deleted.

Message #

Device %1 could not be deleted.

Class GUID: %2
Problem: %3
Status: %4

Fields #

Name	Description
`Class_Guid`	—
`Problem` HexInt32	—
`Status` HexInt32	— NTSTATUS reference
`DeviceInstanceId` UnicodeString	—
`ClassGuid` GUID	—

Event ID 430 — Device DeviceInstanceId requires further installation.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Configuration
Level: Informational
Opcode: Info

Description

Device DeviceInstanceId requires further installation.

Message #

Device %1 requires further installation.

Fields #

Name	Description
`DeviceInstanceId` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-PnP",
    "guid": "9C205A39-1250-487D-ABD7-E831C6290539",
    "event_source_name": "",
    "event_id": 430,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018427387904,
    "time_created": "2023-10-26T04:16:49.350000+00:00",
    "event_record_id": 160,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 248
    },
    "channel": "Microsoft-Windows-Kernel-PnP/Configuration",
    "computer": "WIN-OQ6R0RVA4NF",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "DeviceInstanceId": "PCI\\VEN_8086&DEV_100F&SUBSYS_075015AD&REV_01\\4&bbf9765&0&0888"
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 440 — Device settings for Last_Device_Instance_Id were migrated from previous OS installation.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Configuration
Opcode: Info

Description

Device settings for Last_Device_Instance_Id were migrated from previous OS installation.

Message #

Device settings for %1 were migrated from previous OS installation.

Last Device Instance ID: %2
Class GUID: %3
Location Path: %4
Migration Rank: %5
Present: %6

Fields #

Name	Description
`Last_Device_Instance_Id`	—
`Class_Guid`	—
`Location_Path`	—
`Migration_Rank`	—
`Present` Boolean	—
`DeviceInstanceId` UnicodeString	—
`LastDeviceInstanceId` UnicodeString	—
`ClassGuid` GUID	—
`LocationPath` UnicodeString	—
`MigrationRank` HexInt64	—
`Status` HexInt32	— NTSTATUS reference

Event ID 441 — Device settings for Last_Device_Instance_Id could not be migrated from previous OS installation.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Configuration
Opcode: Info

Description

Device settings for Last_Device_Instance_Id could not be migrated from previous OS installation.

Message #

Device settings for %1 could not be migrated from previous OS installation.

Last Device Instance ID: %2
Class GUID: %3
Location Path: %4
Migration Rank: %5
Present: %6
Status: %7

Fields #

Name	Description
`Last_Device_Instance_Id`	—
`Class_Guid`	—
`Location_Path`	—
`Migration_Rank`	—
`Present` Boolean	—
`Status` HexInt32	— NTSTATUS reference
`DeviceInstanceId` UnicodeString	—
`LastDeviceInstanceId` UnicodeString	—
`ClassGuid` GUID	—
`LocationPath` UnicodeString	—
`MigrationRank` HexInt64	—

Event ID 442 — Device settings for Last_Device_Instance_Id were not migrated from previous OS installation due to partial or ambiguous device match.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Configuration
Opcode: Info

Description

Device settings for Last_Device_Instance_Id were not migrated from previous OS installation due to partial or ambiguous device match.

Message #

Device settings for %1 were not migrated from previous OS installation due to partial or ambiguous device match.

Last Device Instance ID: %2
Class GUID: %3
Location Path: %4
Migration Rank: %5
Present: %6
Status: %7

Fields #

Name	Description
`Last_Device_Instance_Id`	—
`Class_Guid`	—
`Location_Path`	—
`Migration_Rank`	—
`Present` Boolean	—
`Status` HexInt32	— NTSTATUS reference
`DeviceInstanceId` UnicodeString	—
`LastDeviceInstanceId` UnicodeString	—
`ClassGuid` GUID	—
`LocationPath` UnicodeString	—
`MigrationRank` HexInt64	—

Event ID 500 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Task: DevQuery_QueryProcessing
Opcode: QueryStart

Fields #

Name	Description
`QueryAddress` Pointer	—
`ProcessId` UInt32	—
`ObjectType` UnicodeString	—
`QueryType` UnicodeString	—
`ObjectId` UnicodeString	—
`QueryFlags` UnicodeString	—
`PreferredLanguages` UnicodeString	—
`RequestedProperties` UnicodeString	—
`FilterExpression` UnicodeString	—

Event ID 501 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Task: DevQuery_QueryProcessing
Opcode: ProcessingStart

Fields #

Name	Description
`QueryAddress` Pointer	—

Event ID 502 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Task: DevQuery_QueryProcessing
Opcode: ProcessingStop

Fields #

Name	Description
`QueryAddress` Pointer	—

Event ID 503 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Task: DevQuery_QueryProcessing
Opcode: QueryStop

Fields #

Name	Description
`QueryAddress` Pointer	—

Event ID 600 — A start type override of StartType was set for driver Driver in hardware configuration HardwareConfigurationId.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Driver Diagnostic
Task: DriverOverride

Description

A start type override of StartType was set for driver Driver in hardware configuration HardwareConfigurationId.

Message #

A start type override of %3 was set for driver %2 in hardware configuration %1

Fields #

Name	Description
`HardwareConfigurationId` HexInt32	—
`Driver` UnicodeString	—
`StartType` HexInt32	— Known values `0` Boot `1` System `2` Automatic `3` Manual `4` Disabled

Event ID 700 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Task: CfgMgr_DeviceList
Opcode: Start

Fields #

Name	Description
`Filter` UnicodeString	—
`FilterBy` UnicodeString	—
`OnlyPresent` Boolean	—

Event ID 701 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Task: CfgMgr_DeviceList
Opcode: Stop

Fields #

Name	Description
`Result` HexInt32	—

Event ID 702 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Task: CfgMgr_DeviceInterfaceList
Opcode: Start

Fields #

Name	Description
`Class` GUID	—
`Device` UnicodeString	—
`OnlyPresent` Boolean	—

Event ID 703 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Task: CfgMgr_DeviceInterfaceList
Opcode: Stop

Fields #

Name	Description
`Result` HexInt32	—

Event ID 704 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Task: CfgMgr_QueryRemove
Opcode: Start

Fields #

Name	Description
`QueryRemoveType` HexInt32	—
`Device` UnicodeString	—

Event ID 705 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Task: CfgMgr_QueryRemove
Opcode: Stop

Fields #

Name	Description
`Device` UnicodeString	—

Event ID 800 — Begin processing new device (DeviceNode).

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Enumeration Diagnostic
Task: ProcessNewDevice
Opcode: Start

Description

Begin processing new device (DeviceNode).

Message #

Begin processing new device (%1)

Fields #

Name	Description
`DeviceNode` Pointer	—

Event ID 801 — Processing device DeviceInstancePath (DeviceNode).

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Enumeration Diagnostic
Task: ProcessNewDevice

Description

Processing device DeviceInstancePath (DeviceNode).

Message #

Processing device %2 (%1)

Fields #

Name	Description
`DeviceNode` Pointer	—
`DeviceInstancePath` UnicodeString	—
`ParentDeviceInstancePath` UnicodeString	—

Event ID 802 — End processing new device (DeviceNode).

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Enumeration Diagnostic
Task: ProcessNewDevice
Opcode: Stop

Description

End processing new device (DeviceNode).

Message #

End processing new device (%1)

Fields #

Name	Description
`DeviceNode` Pointer	—

Event ID 803 — Begin processing phase Phase of starting device Device.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Task: ProcessDeviceStart
Opcode: Start

Description

Begin processing phase Phase of starting device Device.

Message #

Begin processing phase %1 of starting device %2

Fields #

Name	Description
`Phase` HexInt32	—
`Device` UnicodeString	—

Event ID 804 — End processing phase Phase of starting device Device.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Task: ProcessDeviceStart
Opcode: Stop

Description

End processing phase Phase of starting device Device.

Message #

End processing phase %1 of starting device %2

Fields #

Name	Description
`Phase` HexInt32	—
`Device` UnicodeString	—

Event ID 805 — Begin processing phase Phase of restarting device Device.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Task: ProcessDeviceRestart
Opcode: Start

Description

Begin processing phase Phase of restarting device Device.

Message #

Begin processing phase %1 of restarting device %2

Fields #

Name	Description
`Phase` HexInt32	—
`Device` UnicodeString	—

Event ID 806 — End processing phase Phase of restarting device Device.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Task: ProcessDeviceRestart
Opcode: Stop

Description

End processing phase Phase of restarting device Device.

Message #

End processing phase %1 of restarting device %2

Fields #

Name	Description
`Phase` HexInt32	—
`Device` UnicodeString	—

Event ID 807 — Begin device add operation for driver DriverName, device DeviceInstancePath.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Enumeration Diagnostic
Task: DeviceAdd
Opcode: Start

Description

Begin device add operation for driver DriverName, device DeviceInstancePath.

Message #

Begin device add operation for driver %3, device %4

Fields #

Name	Description
`ServiceType` UInt32	— Known values `1` Kernel Driver `2` File System Driver `4` Adapter `8` Recognizer Driver `16` Own Process `32` Share Process `256` Interactive
`DriverNameLength` UInt16	—
`DriverName` UnicodeString	—
`DeviceInstancePath` UnicodeString	—

Event ID 808 — End device add, status (Status).

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Enumeration Diagnostic
Task: DeviceAdd
Opcode: Stop

Description

End device add, status (Status).

Message #

End device add, status (%1)

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference

Event ID 809 — Duplicate device instance reported by BusId and DeviceId.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Management
Opcode: Info

Description

Duplicate device instance reported by BusId and DeviceId.

Message #

Duplicate device instance reported by %4 and %5.
Bus ID: %1
Device ID: %2
Instance ID: %3

Fields #

Name	Description
`Bus_ID`	—
`Device_ID`	—
`Instance_ID`	—
`BusId` UnicodeString	—
`DeviceId` UnicodeString	—
`InstanceId` UnicodeString	—
`PreviousParent` UnicodeString	—
`CurrentParent` UnicodeString	—

Event ID 810 — Reenumeration of device tree below Device has been queued.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Enumeration Diagnostic
Task: ReenumerateDeviceTree

Description

Reenumeration of device tree below Device has been queued.

Message #

Reenumeration of device tree below %1 has been queued.

Fields #

Name	Description
`Device` UnicodeString	—
`ReenumerateType` HexInt32	—

Event ID 811 — Begin reenumeration of device tree below Device.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Enumeration Diagnostic
Task: ReenumerateDeviceTree
Opcode: Start

Description

Begin reenumeration of device tree below Device.

Message #

Begin reenumeration of device tree below %1.

Fields #

Name	Description
`Device` UnicodeString	—
`ReenumerateType` HexInt32	—

Event ID 812 — End reenumeration of device tree below Device.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Enumeration Diagnostic
Task: ReenumerateDeviceTree
Opcode: Stop

Description

End reenumeration of device tree below Device.

Message #

End reenumeration of device tree below %1.

Fields #

Name	Description
`Device` UnicodeString	—
`ReenumerateType` HexInt32	—

Event ID 813 — Reenumeration of Device has been queued.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Enumeration Diagnostic
Task: ReenumerateDeviceOnly

Description

Reenumeration of Device has been queued.

Message #

Reenumeration of %1 has been queued.

Fields #

Name	Description
`Device` UnicodeString	—

Event ID 814 — Begin reenumeration of Device.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Enumeration Diagnostic
Task: ReenumerateDeviceOnly
Opcode: Start

Description

Begin reenumeration of Device.

Message #

Begin reenumeration of %1.

Fields #

Name	Description
`Device` UnicodeString	—

Event ID 815 — End reenumeration of Device.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Enumeration Diagnostic
Task: ReenumerateDeviceOnly
Opcode: Stop

Description

End reenumeration of Device.

Message #

End reenumeration of %1.

Fields #

Name	Description
`Device` UnicodeString	—

Event ID 816 — Configuration of device Device for configuration type RequestType has been queued.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Configuration Diagnostic
Task: ConfigureDevice

Description

Configuration of device Device for configuration type RequestType has been queued.

Message #

Configuration of device %1 for configuration type %2 has been queued.

Fields #

Name	Description
`Device` UnicodeString	—
`RequestType` HexInt32	—

Event ID 817 — Begin configuration of device Device for configuration type RequestType.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Configuration Diagnostic
Task: ConfigureDevice
Opcode: Start

Description

Begin configuration of device Device for configuration type RequestType.

Message #

Begin configuration of device %1 for configuration type %2.

Fields #

Name	Description
`Device` UnicodeString	—
`RequestType` HexInt32	—

Event ID 818 — End configuration of device Device for configuration type RequestType.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Configuration Diagnostic
Task: ConfigureDevice
Opcode: Stop

Description

End configuration of device Device for configuration type RequestType. Result is Status.

Message #

End configuration of device %1 for configuration type %2. Result is %3

Fields #

Name	Description
`Device` UnicodeString	—
`RequestType` HexInt32	—
`Status` UInt32	— NTSTATUS reference

Event ID 819 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Task: GenericDeviceAction

Fields #

Name	Description
`Device` UnicodeString	—
`RequestType` HexInt32	—

Event ID 820 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Task: GenericDeviceAction
Opcode: Start

Fields #

Name	Description
`Device` UnicodeString	—
`RequestType` HexInt32	—

Event ID 821 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Task: GenericDeviceAction
Opcode: Stop

Fields #

Name	Description
`Device` UnicodeString	—
`RequestType` HexInt32	—
`Status` UInt32	— NTSTATUS reference

Event ID 830 — Removal of Device has been queued.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Enumeration Diagnostic
Task: DeviceRemoval

Description

Removal of Device has been queued.

Message #

Removal of %1 has been queued.

Fields #

Name	Description
`Device` UnicodeString	—
`EventGuid` GUID	—
`ProblemCode` UInt32	—
`ProblemStatus` HexInt32	—
`Synchronous` Boolean	—
`Flags` HexInt32	—

Event ID 831 — Begin removal of Device.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Enumeration Diagnostic
Task: DeviceRemoval
Opcode: Start

Description

Begin removal of Device.

Message #

Begin removal of %1.

Fields #

Name	Description
`Device` UnicodeString	—

Event ID 832 — End removal of Device.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Enumeration Diagnostic
Task: DeviceRemoval
Opcode: Stop

Description

End removal of Device.

Message #

End removal of %1.

Fields #

Name	Description
`Device` UnicodeString	—

Event ID 840 — Begin resetting device DeviceInstance.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Enumeration Diagnostic
Opcode: Start

Description

Begin resetting device DeviceInstance.

Message #

Begin resetting device %2.

Fields #

Name	Description
`DeviceInstanceLength` UInt16	—
`DeviceInstance` UnicodeString	—

Event ID 841 — End resetting device DeviceInstance with status Status, veto type VetoType, veto name VetoName.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Enumeration Diagnostic
Opcode: Stop

Description

End resetting device DeviceInstance with status Status, veto type VetoType, veto name VetoName.

Message #

End resetting device %2 with status %3, veto type %4, veto name %6.

Fields #

Name	Description
`DeviceInstanceLength` UInt16	—
`DeviceInstance` UnicodeString	—
`Status` UInt32	— NTSTATUS reference
`VetoType` UInt32	—
`VetoNameLength` UInt16	—
`VetoName` UnicodeString	—

Event ID 850 — Begin assigning resources to device tree below Device.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Enumeration Diagnostic
Task: AssignResources
Opcode: Start

Description

Begin assigning resources to device tree below Device.

Message #

Begin assigning resources to device tree below %1.

Fields #

Name	Description
`Device` UnicodeString	—

Event ID 851 — End assigning resources to device tree below Device.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Enumeration Diagnostic
Task: AssignResources
Opcode: Stop

Description

End assigning resources to device tree below Device.

Message #

End assigning resources to device tree below %1.

Fields #

Name	Description
`Device` UnicodeString	—

Event ID 852 — Begin rebalancing resources for device DeviceInstance.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Enumeration Diagnostic
Task: Rebalance
Opcode: Start

Description

Begin rebalancing resources for device DeviceInstance.

Message #

Begin rebalancing resources for device %2.

Fields #

Name	Description
`DeviceInstanceLength` UInt16	—
`DeviceInstance` UnicodeString	—

Event ID 853 — End rebalancing resources for device DeviceInstance.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Enumeration Diagnostic
Task: Rebalance
Opcode: Stop

Description

End rebalancing resources for device DeviceInstance.

Message #

End rebalancing resources for device %2.

Fields #

Name	Description
`DeviceInstanceLength` UInt16	—
`DeviceInstance` UnicodeString	—
`Status` UInt32	— NTSTATUS reference

Event ID 860 — Updated problem code on device DeviceInstanceId.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Task: ProblemCode

Description

Updated problem code on device DeviceInstanceId.

Message #

Updated problem code on device %2.
Service name: %3
New problem code: %4
New problem status: %5
Old problem code: %6
Old problem status: %7

Fields #

Name	Description
`DeviceNode` Pointer	—
`DeviceInstanceId` UnicodeString	—
`ServiceName` UnicodeString	—
`NewProblemCode` UInt32	—
`NewProblemStatus` HexInt32	—
`OldProblemCode` UInt32	—
`OldProblemStatus` HexInt32	—

Event ID 900 — A long running thread for the device event queue was detected.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Driver Watchdog
Task: WatchdogTriggered
Opcode: Start

Description

A long running thread for the device event queue was detected. The thread has been running for ThreadId milliseconds.

Message #

A long running thread for the device event queue was detected. The thread has been running for %4 milliseconds.
Thread ID: %1
Device: %2
Service: %3

Fields #

Name	Description
`Thread_ID`	—
`Device`	—
`Service`	—
`ThreadId` HexInt64	—
`DeviceInstanceId` UnicodeString	—
`ServiceName` UnicodeString	—
`ElapsedTimeMs` UInt64	—
`EventCategory` UInt32	—
`EventGuid` GUID	—
`EventArgument` HexInt32	—
`EventArgumentStatus` HexInt32	—
`CategorySpecificData_Guid` GUID	—
`CategorySpecificData_String` UnicodeString	—

Event ID 901 — A long running thread for the device event queue has been completed.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Driver Watchdog
Task: WatchdogTriggered
Opcode: Stop

Description

A long running thread for the device event queue has been completed.

Message #

A long running thread for the device event queue has been completed.
Thread ID: %1
Device: %2
Service: %3
Total run time in milliseconds: %4

Fields #

Name	Description
`ThreadId` HexInt64	—
`DeviceInstanceId` UnicodeString	—
`ServiceName` UnicodeString	—
`ElapsedTimeMs` UInt64	—
`EventCategory` UInt32	—
`EventGuid` GUID	—
`EventArgument` HexInt32	—
`EventArgumentStatus` HexInt32	—
`CategorySpecificData_Guid` GUID	—
`CategorySpecificData_String` UnicodeString	—

Event ID 902 — A long running thread for device start processing was detected.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Driver Watchdog
Task: WatchdogTriggered
Opcode: Start

Description

A long running thread for device start processing was detected. The thread has been running for ThreadId milliseconds.

Message #

A long running thread for device start processing was detected. The thread has been running for %4 milliseconds.
Thread ID: %1
Device: %2
Service: %3

Fields #

Name	Description
`Thread_ID`	—
`Device`	—
`Service`	—
`ThreadId` HexInt64	—
`DeviceInstanceId` UnicodeString	—
`ServiceName` UnicodeString	—
`ElapsedTimeMs` UInt64	—

Event ID 903 — A long running thread for device start processing has been completed.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Driver Watchdog
Task: WatchdogTriggered
Opcode: Stop

Description

A long running thread for device start processing has been completed.

Message #

A long running thread for device start processing has been completed.
Thread ID: %1
Device: %2
Service: %3
Total run time in milliseconds: %4

Fields #

Name	Description
`ThreadId` HexInt64	—
`DeviceInstanceId` UnicodeString	—
`ServiceName` UnicodeString	—
`ElapsedTimeMs` UInt64	—

Event ID 904 — A long running thread for device removal was detected.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Driver Watchdog
Task: WatchdogTriggered
Opcode: Start

Description

A long running thread for device removal was detected. The thread has been running for ThreadId milliseconds.

Message #

A long running thread for device removal was detected. The thread has been running for %4 milliseconds.
Thread ID: %1
Device: %2
Service: %3

Fields #

Name	Description
`Thread_ID`	—
`Device`	—
`Service`	—
`ThreadId` HexInt64	—
`DeviceInstanceId` UnicodeString	—
`ServiceName` UnicodeString	—
`ElapsedTimeMs` UInt64	—

Event ID 905 — A long running thread for device removal has been completed.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Driver Watchdog
Task: WatchdogTriggered
Opcode: Stop

Description

A long running thread for device removal has been completed.

Message #

A long running thread for device removal has been completed.
Thread ID: %1
Device: %2
Service: %3
Total run time in milliseconds: %4

Fields #

Name	Description
`ThreadId` HexInt64	—
`DeviceInstanceId` UnicodeString	—
`ServiceName` UnicodeString	—
`ElapsedTimeMs` UInt64	—

Event ID 906 — A long running thread for device add routine was detected.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Driver Watchdog
Task: WatchdogTriggered
Opcode: Start

Description

A long running thread for device add routine was detected. The thread has been running for ThreadId milliseconds.

Message #

A long running thread for device add routine was detected. The thread has been running for %4 milliseconds.
Thread ID: %1
Device: %2
Driver: %3

Fields #

Name	Description
`Thread_ID`	—
`Device`	—
`Driver`	—
`ThreadId` HexInt64	—
`DeviceInstanceId` UnicodeString	—
`DriverName` UnicodeString	—
`ElapsedTimeMs` UInt64	—

Event ID 907 — A long running thread for device add routine has been completed.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Driver Watchdog
Task: WatchdogTriggered
Opcode: Stop

Description

A long running thread for device add routine has been completed.

Message #

A long running thread for device add routine has been completed.
Thread ID: %1
Device: %2
Driver: %3
Total run time in milliseconds: %4

Fields #

Name	Description
`ThreadId` HexInt64	—
`DeviceInstanceId` UnicodeString	—
`DriverName` UnicodeString	—
`ElapsedTimeMs` UInt64	—

Event ID 908 — A long running thread for driver entry was detected.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Driver Watchdog
Level: Warning
Task: WatchdogTriggered
Opcode: Start

Description

A long running thread for driver entry was detected. The thread has been running for ElapsedTimeMs milliseconds.

Message #

A long running thread for driver entry was detected. The thread has been running for %4 milliseconds.
Thread ID: %1
Driver: %3

Fields #

Name	Description
`ThreadId` HexInt64	—
`DeviceInstanceId` UnicodeString	—
`DriverName` UnicodeString	Driver.
`ElapsedTimeMs` UInt64	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-PnP",
    "guid": "9C205A39-1250-487D-ABD7-E831C6290539",
    "event_source_name": "",
    "event_id": 908,
    "version": 0,
    "level": 3,
    "task": 900,
    "opcode": 1,
    "keywords": 144115188075855872,
    "time_created": "2023-11-06T00:25:57.930157+00:00",
    "event_record_id": 1,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 2352
    },
    "channel": "Microsoft-Windows-Kernel-PnP/Driver Watchdog",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "ThreadId": "0x2ba4",
    "DeviceInstanceId": "",
    "DriverName": "avgSP",
    "ElapsedTimeMs": 10005
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 909 — A long running thread for driver entry routine has been completed.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Driver Watchdog
Level: Informational
Task: WatchdogTriggered
Opcode: Stop

Description

A long running thread for driver entry routine has been completed.

Message #

A long running thread for driver entry routine has been completed.
Thread ID: %1
Driver: %3
Total run time in milliseconds: %4

Fields #

Name	Description
`ThreadId` HexInt64	—
`DeviceInstanceId` UnicodeString	—
`DriverName` UnicodeString	Driver.
`ElapsedTimeMs` UInt64	Total run time in milliseconds.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-PnP",
    "guid": "9C205A39-1250-487D-ABD7-E831C6290539",
    "event_source_name": "",
    "event_id": 909,
    "version": 0,
    "level": 4,
    "task": 900,
    "opcode": 2,
    "keywords": 144115188075855872,
    "time_created": "2023-11-06T00:26:29.468233+00:00",
    "event_record_id": 2,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 11172
    },
    "channel": "Microsoft-Windows-Kernel-PnP/Driver Watchdog",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "ThreadId": "0x2ba4",
    "DeviceInstanceId": "",
    "DriverName": "avgSP",
    "ElapsedTimeMs": 41546
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 930 — Timed out waiting for response from user mode clients to synchronous notification EventGuid.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Driver Watchdog

Description

Timed out waiting for response from user mode clients to synchronous notification EventGuid.

Message #

Timed out waiting for response from user mode clients to synchronous notification %1
Event Category: %2
Device Instance ID: %3
Category Specific Data:
%4
%5

Fields #

Name	Description
`EventGuid` GUID	—
`EventCategory` UInt32	—
`DeviceInstanceId` UnicodeString	—
`CategorySpecificData_Guid` GUID	—
`CategorySpecificData_String` UnicodeString	—
`TimeMs` UInt64	—

Event ID 931 — Responses from user mode clients to synchronous notification EventGuid took TimeMs milliseconds.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Driver Watchdog

Description

Responses from user mode clients to synchronous notification EventGuid took TimeMs milliseconds.

Message #

Responses from user mode clients to synchronous notification %1 took %6 milliseconds
Event Category: %2
Device Instance ID: %3
Category Specific Data:
%4
%5

Fields #

Name	Description
`EventGuid` GUID	—
`EventCategory` UInt32	—
`DeviceInstanceId` UnicodeString	—
`CategorySpecificData_Guid` GUID	—
`CategorySpecificData_String` UnicodeString	—
`TimeMs` UInt64	—

Event ID 932 — Synchronous notification EventGuid to process ProcessId (ProcessImageName) was removed after ElapsedTimeMs milliseconds.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Driver Watchdog

Description

Synchronous notification EventGuid to process ProcessId (ProcessImageName) was removed after ElapsedTimeMs milliseconds.

Message #

Synchronous notification %7 to process %2 (%3) was removed after %14 milliseconds
Event Category: %8
Device Instance ID: %9
Category Specific Data:
%10
%11

Fields #

Name	Description
`FilterType` UInt32	—
`ProcessId` UInt32	—
`ProcessImageName` UnicodeString	—
`QueueDepth` UInt32	—
`DropCount` UInt32	—
`RegistrationTeardown` Boolean	—
`EventGuid` GUID	—
`EventCategory` UInt32	—
`DeviceInstanceId` UnicodeString	—
`CategorySpecificData_Guid` GUID	—
`CategorySpecificData_String` UnicodeString	—
`Synchronous` Boolean	—
`NotificationReceivedByClient` Boolean	—
`ElapsedTimeMs` UInt64	—

Event ID 933 — Notification EventGuid to driver DriverName took ElapsedTimeMs milliseconds.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Driver Watchdog

Description

Notification EventGuid to driver DriverName took ElapsedTimeMs milliseconds.

Message #

Notification %4 to driver %3 took %5 milliseconds
Event Category: %1
Notification Specific Data:
%6
%8

Fields #

Name	Description
`EventCategory` UInt32	—
`DriverNameLength` UInt16	—
`DriverName` UnicodeString	—
`EventGuid` GUID	—
`ElapsedTimeMs` UInt64	—
`NotificationSpecific_Guid` GUID	—
`UnicodeStringLength` UInt16	—
`NotificationSpecific_UnicodeString` UnicodeString	—

Event ID 1000 — Device DeviceInstanceId could not be query removed as the removal was vetoed.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Management
Level: Warning
Opcode: Info

Description

Device DeviceInstanceId could not be query removed as the removal was vetoed.

Message #

Device %1 could not be query removed as the removal was vetoed.

Veto Type: %2
Vetoed By: %3

Fields #

Name	Description
`DeviceInstanceId` UnicodeString	—
`VetoType` UInt32	—
`VetoName` UnicodeString	Vetoed By.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-PnP",
    "guid": "9C205A39-1250-487D-ABD7-E831C6290539",
    "event_source_name": "",
    "event_id": 1000,
    "version": 0,
    "level": 3,
    "task": 0,
    "opcode": 0,
    "keywords": 72057594037927936,
    "time_created": "2023-10-25T22:50:39.854895+00:00",
    "event_record_id": 10,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 384
    },
    "channel": "Microsoft-Windows-Kernel-PnP/Device Management",
    "computer": "WinDevEval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "DeviceInstanceId": "ACPI\\PNP0303\\4&1bd7f811&0",
    "VetoType": 6,
    "VetoName": "ACPI\\PNP0303\\4&1bd7f811&0\\Driver\\i8042prt"
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 1010 — Device DeviceInstanceId has been surprise removed as it is reported as missing on the bus.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Management
Level: Informational
Opcode: Info

Description

Device DeviceInstanceId has been surprise removed as it is reported as missing on the bus.

Message #

Device %1 has been surprise removed as it is reported as missing on the bus.
Count of devices removed: %2

Fields #

Name	Description
`DeviceInstanceId` UnicodeString	—
`DeviceCount` UInt32	Count of devices removed.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-PnP",
    "guid": "9C205A39-1250-487D-ABD7-E831C6290539",
    "event_source_name": "",
    "event_id": 1010,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 72057594037927936,
    "time_created": "2023-11-06T01:46:52.163431+00:00",
    "event_record_id": 23,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 17804
    },
    "channel": "Microsoft-Windows-Kernel-PnP/Device Management",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "DeviceInstanceId": "SWD\\MSDAS\\{ce958e9a-424f-4c88-86f4-11314821e75a}",
    "DeviceCount": 1
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 1011 — Device DeviceInstanceId has been surprise removed as it was reported to be failing.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Management
Opcode: Info

Description

Device DeviceInstanceId has been surprise removed as it was reported to be failing.

Message #

Device %1 has been surprise removed as it was reported to be failing.
Count of devices removed: %2

Fields #

Name	Description
`DeviceInstanceId` UnicodeString	—
`DeviceCount` UInt32	—

Event ID 1020 — A resource rebalance operation has succeeded.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Management
Opcode: Info

Description

A resource rebalance operation has succeeded.

Message #

A resource rebalance operation has succeeded.

Device Instance ID: %1
Service Name: %2
Device Count: %3
Rebalance Phase: %4
Subtree Root Instance ID: %5
Subtree Includes Root: %6
Rebalance Due to Dynamic Partitioning: %7
Rebalance Reason: %8
Conflicting Resource Type: %9
Duration in Milliseconds: %10
Device Reset: %11

Fields #

Name	Description
`DeviceInstanceId` UnicodeString	—
`ServiceName` UnicodeString	—
`DeviceCount` UInt32	—
`Phase` UInt32	—
`SubtreeRootInstanceId` UnicodeString	—
`SubtreeIncludesRoot` Boolean	—
`RebalanceDueToDynamicPartitioning` Boolean	—
`RebalanceReason` UInt32	—
`ConflictResourceType` UInt8	—
`DurationInMs` UInt64	—
`ResetDeviceWhileStopped` Boolean	—

Event ID 1021 — A resource rebalance operation has failed.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Management
Opcode: Info

Description

A resource rebalance operation has failed.

Message #

A resource rebalance operation has failed.

Device Instance ID: %1
Service Name: %2
Device Count: %3
Rebalance Phase: %4
Subtree Root Instance ID: %5
Subtree Includes Root: %6
Rebalance Due to Dynamic Partitioning: %7
Rebalance Reason: %8
Conflicting Resource Type: %9
Rebalance Failure: %10
Veto Reason: %11
Vetoing Device Node Instance ID: %12
Duration in Milliseconds: %13
Device Reset: %14

Fields #

Name	Description
`DeviceInstanceId` UnicodeString	—
`ServiceName` UnicodeString	—
`DeviceCount` UInt32	—
`Phase` UInt32	—
`SubtreeRootInstanceId` UnicodeString	—
`SubtreeIncludesRoot` Boolean	—
`RebalanceDueToDynamicPartitioning` Boolean	—
`RebalanceReason` UInt32	—
`ConflictResourceType` UInt8	—
`RebalanceFailure` UInt32	—
`VetoReason` UInt32	—
`VetoNodeInstanceId` UnicodeString	—
`DurationInMs` UInt64	—
`ResetDeviceWhileStopped` Boolean	—

Event ID 1030 — Device Device has been assigned to a guest partition.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Management
Opcode: Info

Description

Device Device has been assigned to a guest partition.

Message #

Device %1 has been assigned to a guest partition.

Fields #

Name	Description
`Device` UnicodeString	—

Event ID 1031 — Device Device is no longer assigned to a guest partition.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Management
Opcode: Info

Description

Device Device is no longer assigned to a guest partition.

Message #

Device %1 is no longer assigned to a guest partition.

Fields #

Name	Description
`Device` UnicodeString	—

Event ID 1040 — Device Flags has requested a platform-level device reset.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Management
Opcode: Start

Description

Device Flags has requested a platform-level device reset.

Message #

Device %1 has requested a platform-level device reset.

Flags: %2

Fields #

Name	Description
`Flags` UInt32	—
`DeviceInstanceId` UnicodeString	—

Event ID 1041 — Device Veto_type has completed a platform-level device reset.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Management
Opcode: Stop

Description

Device Veto_type has completed a platform-level device reset.

Message #

Device %2 has completed a platform-level device reset.

Status: %3
Veto type: %4
Vetoed By: %6

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference
`Veto_type`	—
`Vetoed_By`	Status.
`DeviceInstanceLength` UInt16	—
`DeviceInstance` UnicodeString	—
`VetoType` UInt32	—
`VetoNameLength` UInt16	—
`VetoName` UnicodeString	—

Event ID 1050 — Failed to create driver package defined child device of Child_Instance_ID.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Management
Opcode: Info

Description

Failed to create driver package defined child device of Child_Instance_ID.

Message #

Failed to create driver package defined child device of %1.

Child Instance ID: %2
Status: %3

Fields #

Name	Description
`Child_Instance_ID`	—
`Status` HexInt32	— NTSTATUS reference
`ParentDeviceInstancePath` UnicodeString	—
`InstanceId` UnicodeString	—

Event ID 1060 — Failed to create computer device derived from firmware information.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Management
Opcode: Info

Description

Failed to create computer device derived from firmware information. Status: Status.

Message #

Failed to create computer device derived from firmware information. Status: %1

Fields #

Name	Description
`Status` HexInt32	— NTSTATUS reference

Event ID 1065 — Device DeviceInstanceId with problem code ProblemCode and problem status ProblemStatus requires the system to be rebooted.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Management

Description

Device DeviceInstanceId with problem code ProblemCode and problem status ProblemStatus requires the system to be rebooted.

Message #

Device %1 with problem code %2 and problem status %3 requires the system to be rebooted.
Additional information:
%4

Fields #

Name	Description
`DeviceInstanceId` UnicodeString	—
`ProblemCode` UInt32	—
`ProblemStatus` HexInt32	—
`AdditionalInfo` HexInt64	—

Event ID 1070 — Failed to open DeviceStackLocation driver service ServiceName for device DeviceInstance.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Management
Opcode: Info

Description

Failed to open DeviceStackLocation driver service ServiceName for device DeviceInstance. Status: Status.

Message #

Failed to open %3 driver service %2 for device %1. Status: %4

Fields #

Name	Description
`DeviceInstance` UnicodeString	—
`ServiceName` UnicodeString	—
`DeviceStackLocation` UnicodeString	—
`Status` HexInt32	— NTSTATUS reference

Event ID 1080 — The driver FailureName failed to unload.

Provider: Microsoft-Windows-Kernel-PnP
Channel: Device Management
Task: DriverUnload

Description

The driver FailureName failed to unload.

Message #

The driver %5 failed to unload.
Driver Version: %6
Status: %3

Fields #

Name	Description
`DriverNameLength` UInt16	—
`DriverName` UnicodeString	—
`Status` UInt32	— NTSTATUS reference
`FailureNameLength` UInt16	—
`FailureName` UnicodeString	—
`Version` UInt32	—

Event ID 1100 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Task: SwDevice_IrpCreate
Opcode: Start

References #

Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=1100

Event ID 1101 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Task: SwDevice_IrpCreate
Opcode: Stop

Fields #

Name	Description
`Status` HexInt32	— NTSTATUS reference

References #

Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=1101

Event ID 1102 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Task: SwDevice_KernelCreate
Opcode: Start

Fields #

Name	Description
`EnumeratorName` UnicodeString	—
`InstanceId` UnicodeString	—
`ParentDeviceInstanceId` UnicodeString	—

References #

Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=1102

Event ID 1103 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Task: SwDevice_KernelCreate
Opcode: Stop

Fields #

Name	Description
`EnumeratorName` UnicodeString	—
`InstanceId` UnicodeString	—
`ParentDeviceInstanceId` UnicodeString	—
`Status` HexInt32	— NTSTATUS reference

Event ID 1104 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Opcode: Info

Fields #

Name	Description
`EnumeratorName` UnicodeString	—
`InstanceId` UnicodeString	—
`ParentDeviceInstanceId` UnicodeString	—
`CapabilityFlags` HexInt32	—
`DeviceDescription` UnicodeString	—
`DeviceLocation` UnicodeString	—
`NumProperties` UInt32	—

References #

Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=1104

Event ID 1105 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Opcode: Info

Fields #

Name	Description
`DeviceId` UnicodeString	—
`InstanceId` UnicodeString	—

References #

Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=1105

Event ID 1106 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Opcode: Info

Fields #

Name	Description
`DeviceId` UnicodeString	—
`InstanceId` UnicodeString	—

Event ID 1107 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Opcode: Info

Fields #

Name	Description
`DeviceId` UnicodeString	—
`InstanceId` UnicodeString	—
`RemovedFromBus` Boolean	—
`HasPrimaryDeviceObject` Boolean	—

Event ID 1108 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Task: SwDevice_InstanceTable_Add

Fields #

Name	Description
`DeviceId` UnicodeString	—
`InstanceId` UnicodeString	—
`AlreadyExists` Boolean	—

References #

Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=1108

Event ID 1109 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Task: SwDevice_InstanceTable_Remove

Fields #

Name	Description
`DeviceId` UnicodeString	—
`InstanceId` UnicodeString	—

Event ID 1110 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Task: SwDevice_DeviceEnumerated
Opcode: Start

Fields #

Name	Description
`DeviceId` UnicodeString	—
`InstanceId` UnicodeString	—
`DeviceInstancePath` UnicodeString	—

Event ID 1111 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Task: SwDevice_DeviceEnumerated
Opcode: Stop

Fields #

Name	Description
`DeviceId` UnicodeString	—
`InstanceId` UnicodeString	—
`Status` HexInt32	— NTSTATUS reference

Event ID 1120 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Task: SwDevice_RelationAdd
Opcode: Start

Fields #

Name	Description
`DeviceId` UnicodeString	—
`InstanceId` UnicodeString	—
`ParentDeviceInstanceId` UnicodeString	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus

Event ID 1121 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Task: SwDevice_RelationAdd
Opcode: Stop

Fields #

Name	Description
`DeviceId` UnicodeString	—
`InstanceId` UnicodeString	—
`ParentDeviceInstanceId` UnicodeString	—
`Status` HexInt32	— NTSTATUS reference

References #

Microsoft Learn https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus

Event ID 1122 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Task: SwDevice_RelationRemove

Fields #

Name	Description
`DeviceId` UnicodeString	—
`InstanceId` UnicodeString	—
`ParentDeviceInstanceId` UnicodeString	—

Event ID 1130 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Task: SwDevice_LifetimeChange
Opcode: Start

Fields #

Name	Description
`DeviceId` UnicodeString	—
`InstanceId` UnicodeString	—

Event ID 1131 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Task: SwDevice_LifetimeChange
Opcode: Stop

Fields #

Name	Description
`DeviceId` UnicodeString	—
`InstanceId` UnicodeString	—
`Status` HexInt32	— NTSTATUS reference

Event ID 1132 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Task: SwDevice_LifetimeChange

Fields #

Name	Description
`DeviceId` UnicodeString	—
`InstanceId` UnicodeString	—
`OldLifetime` UInt32	—
`NewLifetime` UInt32	—

Event ID 1140 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Task: SwDevice_RegisterInterface
Opcode: Start

Fields #

Name	Description
`DeviceId` UnicodeString	—
`InstanceId` UnicodeString	—

Event ID 1141 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Task: SwDevice_RegisterInterface
Opcode: Stop

Fields #

Name	Description
`DeviceId` UnicodeString	—
`InstanceId` UnicodeString	—
`Status` HexInt32	— NTSTATUS reference

Event ID 1142 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Task: SwDevice_RegisterInterface

Fields #

Name	Description
`DeviceId` UnicodeString	—
`InstanceId` UnicodeString	—
`SymbolicLink` UnicodeString	—

Event ID 1143 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Task: SwDevice_SetInterfaceState

Fields #

Name	Description
`DeviceId` UnicodeString	—
`InstanceId` UnicodeString	—
`SymbolicLink` UnicodeString	—
`Enable` Boolean	—

Event ID 1144 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Task: SwDevice_SetInterfaceState
Opcode: Start

Fields #

Name	Description
`DeviceId` UnicodeString	—
`InstanceId` UnicodeString	—

Event ID 1145 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Task: SwDevice_SetInterfaceState
Opcode: Stop

Fields #

Name	Description
`DeviceId` UnicodeString	—
`InstanceId` UnicodeString	—
`Status` HexInt32	— NTSTATUS reference

Event ID 1150 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Task: SwDevice_SetDeviceProperty
Opcode: Start

Fields #

Name	Description
`DeviceId` UnicodeString	—
`InstanceId` UnicodeString	—

Event ID 1151 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Task: SwDevice_SetDeviceProperty
Opcode: Stop

Fields #

Name	Description
`DeviceId` UnicodeString	—
`InstanceId` UnicodeString	—
`Status` HexInt32	— NTSTATUS reference

Event ID 1160 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Task: SwDevice_SetInterfaceProperty
Opcode: Start

Fields #

Name	Description
`DeviceId` UnicodeString	—
`InstanceId` UnicodeString	—

Event ID 1161 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Task: SwDevice_SetInterfaceProperty
Opcode: Stop

Fields #

Name	Description
`DeviceId` UnicodeString	—
`InstanceId` UnicodeString	—
`Status` HexInt32	— NTSTATUS reference

Event ID 1170 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Task: SwDevice_IrpClose
Opcode: Start

Fields #

Name	Description
`DeviceId` UnicodeString	—
`InstanceId` UnicodeString	—

Event ID 1171 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Task: SwDevice_IrpClose
Opcode: Stop

Fields #

Name	Description
`DeviceId` UnicodeString	—
`InstanceId` UnicodeString	—
`DeviceClosed` Boolean	—

Event ID 1172 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Task: SwDevice_KernelClose
Opcode: Start

Fields #

Name	Description
`ParentDeviceInstanceId` UnicodeString	—
`EnumeratorName` UnicodeString	—
`InstanceId` UnicodeString	—

Event ID 1173 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Task: SwDevice_KernelClose
Opcode: Stop

Fields #

Name	Description
`ParentDeviceInstanceId` UnicodeString	—
`EnumeratorName` UnicodeString	—
`InstanceId` UnicodeString	—
`Status` HexInt32	— NTSTATUS reference

Event ID 1174 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Task: SwDevice_CloseDescendants

Fields #

Name	Description
`ParentDeviceInstanceId` UnicodeString	—

Event ID 1175 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Task: SwDevice_CloseDevice

Fields #

Name	Description
`DeviceId` UnicodeString	—
`InstanceId` UnicodeString	—

Event ID 1176 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Task: SwDevice_ProcessRemove

Fields #

Name	Description
`DeviceId` UnicodeString	—
`InstanceId` UnicodeString	—
`DeviceInstanceId` UnicodeString	—
`KeepActive` Boolean	—
`SwDeviceFlags` HexInt32	—
`DeviceExtensionFlags` HexInt32	—

Event ID 1177 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Task: SwDevice_ProcessParentRemove

Fields #

Name	Description
`DeviceId` UnicodeString	—
`InstanceId` UnicodeString	—
`DeviceInstanceId` UnicodeString	—
`ParentDeviceInstanceId` UnicodeString	—
`SwDeviceFlags` HexInt32	—
`DeviceExtensionFlags` HexInt32	—

Event ID 1178 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Task: SwDevice_UninstallDevice

Fields #

Name	Description
`DeviceId` UnicodeString	—
`InstanceId` UnicodeString	—
`DeviceInstanceId` UnicodeString	—
`Status` HexInt32	— NTSTATUS reference

Event ID 1190 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Task: SwDevice_GetChildPdo
Opcode: Start

Fields #

Name	Description
`DeviceId` UnicodeString	—
`InstanceId` UnicodeString	—
`ParentDeviceInstanceId` UnicodeString	—
`SwDeviceFlags` HexInt32	—

Event ID 1191 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Task: SwDevice_GetChildPdo
Opcode: Stop

Fields #

Name	Description
`DeviceId` UnicodeString	—
`InstanceId` UnicodeString	—
`PdoReported` Boolean	—
`NewPdo` Boolean	—

Event ID 1192 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Task: SwDevice_GetChildPdo

Fields #

Name	Description
`DeviceId` UnicodeString	—
`InstanceId` UnicodeString	—
`SkipCount` UInt32	—

Event ID 1200 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Task: SwDevice_AttributesChange
Opcode: Start

Fields #

Name	Description
`DeviceId` UnicodeString	—
`InstanceId` UnicodeString	—

Event ID 1201 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Task: SwDevice_AttributesChange
Opcode: Stop

Fields #

Name	Description
`DeviceId` UnicodeString	—
`InstanceId` UnicodeString	—
`Status` HexInt32	— NTSTATUS reference

Event ID 1202 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational
Task: SwDevice_AttributesChange

Fields #

Name	Description
`DeviceId` UnicodeString	—
`InstanceId` UnicodeString	—
`OldAttributes` UInt32	—
`NewAttributes` UInt32	—

Event ID 1300 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields #

Name	Description
`FilterType` UInt32	—
`ProcessId` UInt32	—
`ProcessImageName` UnicodeString	—
`QueueDepth` UInt32	—
`DropCount` UInt32	—
`EventGuid` GUID	—
`EventCategory` UInt32	—
`DeviceInstanceId` UnicodeString	—
`CategorySpecificData_Guid` GUID	—
`CategorySpecificData_String` UnicodeString	—
`Synchronous` Boolean	—
`ElapsedTimeMs` UInt64	—

Event ID 1301 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields #

Name	Description
`FilterType` UInt32	—
`ProcessId` UInt32	—
`ProcessImageName` UnicodeString	—
`QueueDepth` UInt32	—
`DropCount` UInt32	—
`EventGuid` GUID	—
`EventCategory` UInt32	—
`DeviceInstanceId` UnicodeString	—
`CategorySpecificData_Guid` GUID	—
`CategorySpecificData_String` UnicodeString	—
`Synchronous` Boolean	—
`ElapsedTimeMs` UInt64	—

Event ID 1302 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields #

Name	Description
`FilterType` UInt32	—
`ProcessId` UInt32	—
`ProcessImageName` UnicodeString	—
`QueueDepth` UInt32	—
`DropCount` UInt32	—
`EventGuid` GUID	—
`EventCategory` UInt32	—
`DeviceInstanceId` UnicodeString	—
`CategorySpecificData_Guid` GUID	—
`CategorySpecificData_String` UnicodeString	—
`Synchronous` Boolean	—
`Status` HexInt32	— NTSTATUS reference

Event ID 1303 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields #

Name	Description
`FilterType` UInt32	—
`ProcessId` UInt32	—
`ProcessImageName` UnicodeString	—
`QueueDepth` UInt32	—
`DropCount` UInt32	—
`EventGuid` GUID	—
`EventCategory` UInt32	—
`DeviceInstanceId` UnicodeString	—
`CategorySpecificData_Guid` GUID	—
`CategorySpecificData_String` UnicodeString	—
`Synchronous` Boolean	—
`Status` HexInt32	— NTSTATUS reference

Event ID 1304 —

Provider: Microsoft-Windows-Kernel-PnP
Channel: Operational

Fields #

Name	Description
`FilterType` UInt32	—
`ProcessId` UInt32	—
`ProcessImageName` UnicodeString	—
`QueueDepth` UInt32	—
`DropCount` UInt32	—
`RegistrationTeardown` Boolean	—
`EventGuid` GUID	—
`EventCategory` UInt32	—
`DeviceInstanceId` UnicodeString	—
`CategorySpecificData_Guid` GUID	—
`CategorySpecificData_String` UnicodeString	—
`Synchronous` Boolean	—
`NotificationReceivedByClient` Boolean	—
`ElapsedTimeMs` UInt64	—

Event ID 1400 — Begin serializing boot with PnP device enumeration

Provider: Microsoft-Windows-Kernel-PnP
Channel: Boot Diagnostic
Task: SerializeBoot
Opcode: Start

Description

Begin serializing boot with PnP device enumeration.

Message #

Begin serializing boot with PnP device enumeration

Event ID 1401 — End serializing boot with PnP device enumeration

Provider: Microsoft-Windows-Kernel-PnP
Channel: Boot Diagnostic
Task: SerializeBoot
Opcode: Stop

Description

End serializing boot with PnP device enumeration.

Message #

End serializing boot with PnP device enumeration