Microsoft-Windows-Kernel-Power

353 events across 5 channels

Event ID	Title	Channel
1		Diagnostic
2		Diagnostic
3		Diagnostic
4		Diagnostic
5		Diagnostic
6		Diagnostic
7		Diagnostic
8		Diagnostic
9	The application %4 stopped the power transition.	System
10	The service %3 stopped the power transition.	System
11		Diagnostic
12		Diagnostic
13		Diagnostic
14		Diagnostic
15		Diagnostic
16		Diagnostic
17		Diagnostic
18		Diagnostic
19		Diagnostic
20		Diagnostic
21		Diagnostic
22		Diagnostic
23		Diagnostic
24		Diagnostic
25		Diagnostic
26		Diagnostic
27		Diagnostic
28		Diagnostic
29		Diagnostic
30		Diagnostic
31		Diagnostic
32		Diagnostic
33		Diagnostic
34		Diagnostic
35		Diagnostic
36		Diagnostic
37		Diagnostic
38		Diagnostic
39		Diagnostic
40	The driver %2 for device %4 stopped the power transition.	System
41	The last sleep transition was unsuccessful.	System
42	The system is entering sleep.	System
43		Diagnostic
44		Diagnostic
45		Diagnostic
46		Diagnostic
47		Diagnostic
48		Diagnostic
49		Diagnostic
50		Diagnostic
51		Diagnostic
52		Diagnostic
53		Diagnostic
54		Diagnostic
55		Diagnostic
56		Diagnostic
57		Diagnostic
58		Diagnostic
59	The system is entering Away Mode.	System
60		Diagnostic
61		Diagnostic
62	The application or service %3 has overridden user power management settings with …	Diagnostic
63	The application or service %3 is attempting to update the system timer …	Diagnostic
64		Diagnostic
65		Diagnostic
66		Diagnostic
67		Diagnostic
68		Diagnostic
69		Diagnostic
70		Diagnostic
71		Diagnostic
72		Diagnostic
73		Diagnostic
74		Diagnostic
75		Diagnostic
76		Diagnostic
77		Diagnostic
78		Diagnostic
79	Timer tick distribution policy: Disabled: %1 Overridden: %2.	Diagnostic
80	ACPI thermal zone %2 has changed to %4 cooling.	Thermal-Diagnostic
81	ACPI thermal zone %2 has %5 passive cooling.	Thermal-Diagnostic
82	ACPI thermal zone %2 has %5 passive cooling.	Thermal-Operational
83	ACPI thermal zone %2 has %5 active cooling.	Thermal-Diagnostic
84	ACPI thermal zone %2 has %5 active cooling.	Thermal-Operational
85	The system was shut down due to a critical thermal event.	Thermal-Diagnostic
86	The system was shut down due to a critical thermal event.	System
87	The system was hibernated due to a critical thermal event.	Thermal-Diagnostic
88	The system was hibernated due to a critical thermal event.	System
89	ACPI thermal zone %2 has been enumerated.	System
90	Processor %1 was throttled by an entity other than the kernel power manager.	Thermal-Diagnostic
91	Processor %1 was throttled by an entity other than the kernel power manager.	Thermal-Operational
92		Diagnostic
93		Diagnostic
94		Diagnostic
95	The system timer resolution has changed to a value of %1.	Diagnostic
96	The system timer resolution currently has a value of %1.	Diagnostic
97	The system timer resolution currently has a value of %1.	Diagnostic
98	A driver is attempting to update the system timer resolution to a value of %1.	Diagnostic
99		Diagnostic
100		Diagnostic
101		Diagnostic
102		Diagnostic
103		Diagnostic
104		Diagnostic
105	Power source change.	System
106		Diagnostic
107		Diagnostic
107	The system has resumed from sleep.	System
108		Diagnostic
109	The kernel power manager has initiated a shutdown transition.	System
110		Diagnostic
111		Diagnostic
112		Diagnostic
113	ACPI thermal zone %2 has %4 passive cooling.	Thermal-Diagnostic
114	ACPI thermal zone %2 has %4 passive cooling.	Thermal-Operational
115	ACPI thermal zone %2 has %4 active cooling.	Thermal-Diagnostic
116	ACPI thermal zone %2 has %4 active cooling.	Thermal-Operational
117		Diagnostic
118	Idle resiliency activated with requested clock period: %1(Internal flags:%2, …	Diagnostic
119	Idle resiliency deactivated (Internal flags:%2).	Diagnostic
120		Diagnostic
121		Diagnostic
122		Diagnostic
123		Diagnostic
124		Diagnostic
125	ACPI thermal zone %2 has been enumerated.	System
126		Diagnostic
127		Diagnostic
128		Diagnostic
129		Diagnostic
130	Firmware S3 times.	System
131	Firmware S3 times.	System
132		Diagnostic
133		Diagnostic
134		Diagnostic
135		Diagnostic
136		Diagnostic
137	The system firmware has changed the processor's memory type range registers …	System
138		Diagnostic
139		Diagnostic
140		Diagnostic
141		Diagnostic
142	The system has rebooted without cleanly shutting down first.	System
143		Diagnostic
144		Thermal-Diagnostic
145		Thermal-Diagnostic
146		Diagnostic
147		Diagnostic
148		Diagnostic
149		Diagnostic
150		Diagnostic
151		Thermal-Diagnostic
152		Thermal-Diagnostic
153		Thermal-Diagnostic
154		Thermal-Diagnostic
155		Thermal-Diagnostic
156		Thermal-Diagnostic
157		Thermal-Diagnostic
158		Thermal-Diagnostic
159		Thermal-Diagnostic
160		Thermal-Diagnostic
161		Diagnostic
162		Thermal-Diagnostic
163		Thermal-Diagnostic
164		Thermal-Diagnostic
165		Diagnostic
166		Diagnostic
167		Diagnostic
168		Diagnostic
169		Diagnostic
170		Diagnostic
171		Diagnostic
172	Connectivity state in standby: %1, Reason: %2.	System
173		Diagnostic
174		Diagnostic
175		Diagnostic
176		Diagnostic
177		Diagnostic
178	Background Activity Policy updated from %1 to %2.	Diagnostic
179		Diagnostic
180		Diagnostic
181		Diagnostic
182		Diagnostic
183		Diagnostic
184		Diagnostic
185		Diagnostic
186		Diagnostic
187	User-mode process attempted to change the system state by calling …	System
188		Diagnostic
189		Diagnostic
190		Diagnostic
191		Diagnostic
200		Operational
201		Operational
202		Operational
203		Operational
204		Operational
205		Operational
206		Operational
207		Operational
208		Operational
300		Operational
301		Operational
302		Operational
303		Operational
304		Operational
305		Operational
306		Operational
307		Operational
308		Operational
309		Operational
310		Operational
311		Operational
312		Operational
313		Operational
314		Operational
315		Operational
316		Operational
317		Operational
318		Operational
319		Operational
320		Operational
321		Operational
322		Operational
323		Operational
324		Operational
325		Operational
326		Operational
327		Operational
328		Operational
329		Operational
330		Operational
331		Operational
332		Operational
333		Operational
400	SessionId: %1, Console:%2.	Diagnostic
401	SessionId: %1, Console:%2.	Diagnostic
402	SessionId: %1, Console:%2.	Diagnostic
403	SessionId: %1, Console:%2.	Diagnostic
404	SessionId: %1, Console:%2.	Diagnostic
405	SessionId: %1, Console:%2.	Diagnostic
406	SessionId: %1, Console:%2.	Diagnostic
407	SessionId: %1, Console:%2.	Diagnostic
408	User presence.	Diagnostic
409	Reason code.	Diagnostic
410	Engaged.	Diagnostic
411	Engaged.	Diagnostic
412	Session Id:%1, Value: %2.	Diagnostic
413	Session Id:%1, Value: %2.	Diagnostic
414	Session Id:%1, Value: %2.	Diagnostic
415	Old value:%1, New value: %2.	Diagnostic
416	Value:%1, Zeroed: %2, Computed: %3.	Diagnostic
417	Value:%1, Zeroed: %2, Computed: %3.	Diagnostic
418	Value:%1, Zeroed: %2, Computed: %3.	Diagnostic
500	IO coalescing activated with spindown period: %1, Timer:%2, Flush:%3, Flags:%4.	Diagnostic
501	IO coalescing deactivated.	Diagnostic
502	IO coalescing flush command generated.	Diagnostic
503	IO coalescing disk device %1 is about to be spun down.	Diagnostic
504		Diagnostic
505		Diagnostic
506	The system is entering Modern Standby Reason.	System
507	The system is exiting Modern Standby Reason.	System
508	The system has been constrained to a periodic tick Reason.	System
509		Diagnostic
510	Scenario Power Manager (SPM) policy framework has current status.	Diagnostic
511		Diagnostic
512		Diagnostic
513		Diagnostic
518		Diagnostic
519		Diagnostic
520	The brightness on this system is managed by high-precision brightness aware …	System
521	Active battery count change.	System
522		Diagnostic
523		Diagnostic
524	%1 Battery Trigger Met.	System
525		Diagnostic
526		Diagnostic
527		Diagnostic
528		Diagnostic
529		Diagnostic
530		Diagnostic
531		Diagnostic
532		Diagnostic
533		Diagnostic
534		Diagnostic
535		Diagnostic
536		Diagnostic
537		Diagnostic
538		Diagnostic
539		Diagnostic
540		Diagnostic
541		Diagnostic
542		Diagnostic
544		Diagnostic
545		Diagnostic
546		Diagnostic
547		Diagnostic
548		Diagnostic
549		Diagnostic
550		Diagnostic
551		Diagnostic
552		Diagnostic
553		Diagnostic
554		Diagnostic
555		Diagnostic
556		Diagnostic
557	A driver is attempting to update the system timer resolution to a value of %1.	Diagnostic
558		Diagnostic
559		Diagnostic
560		Diagnostic
561		Diagnostic
562		Diagnostic
563		Diagnostic
564		Diagnostic
565		Diagnostic
566	The system session has transitioned from %3 to %10.	System
567		Diagnostic
568		Diagnostic
569		Diagnostic
570		Diagnostic
571		Diagnostic
572		Diagnostic
573		Diagnostic
574		Diagnostic
575		Diagnostic
576		Diagnostic
577	The system has prepared for a system initiated reboot from %1.	System
578	The system has detected a system initiated reboot from %1.	System
579		Diagnostic
580		Diagnostic
581		Diagnostic
582		Diagnostic
583		Diagnostic
584		Diagnostic
585		Diagnostic
586		Diagnostic
587		Diagnostic
588		Diagnostic
589		Diagnostic
590		Diagnostic
591		Thermal-Diagnostic
592		Thermal-Diagnostic
593		Thermal-Diagnostic
594		Thermal-Diagnostic
595		Thermal-Diagnostic
596		Thermal-Diagnostic
597		Thermal-Diagnostic
598		Thermal-Diagnostic
599		Diagnostic
600		Diagnostic
601		Operational
601	Hibernate was disabled because invalid system binaries were detected.	System
602		Operational

Event ID 1 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`Reason`	—
`Flags`	—
`Time`	—

Event ID 2 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`Status`	—
`Time`	—
`WakeSourceTypeLength`	—
`WakeSourceSubTypeLength`	—
`WakeSourceLength`	—
`WakeSourceContextLength`	—
`WakeSourceType`	—
`WakeSourceSubType`	—
`WakeSource`	—
`WakeSourceContext`	—

Event ID 3 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Event ID 4 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`Status`	—

Event ID 5 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Event ID 6 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`Status`	—

Event ID 7 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`Irp`	—
`PowerStateType`	—
`MinorFunction`	—
`TargetDevice`	—
`InstanceNameLength`	—
`InstanceName`	—
`PowerState`	—

Event ID 8 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`Irp`	—
`Status`	—
`FailedDriver`	—

Event ID 9 — The application %4 stopped the power transition.

Provider: Microsoft-Windows-Kernel-Power
Channel: System

Message

The application %4 stopped the power transition.

Fields

Name	Description
`Pid`	—
`Window`	—
`AppNameLength`	—
`AppName`	—

Event ID 10 — The service %3 stopped the power transition.

Provider: Microsoft-Windows-Kernel-Power
Channel: System

Message

The service %3 stopped the power transition.

Fields

Name	Description
`Pid`	—
`ServiceNameLength`	—
`ServiceName`	—

Event ID 11 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`Irp`	—

Event ID 12 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`Pid`	—
`NameLength`	—
`Name`	—

Event ID 13 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`Pid`	—

Event ID 14 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`NameLength`	—
`Name`	—

Event ID 15 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`NameLength`	—
`Name`	—

Event ID 16 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`Pid`	—
`NameLength`	—
`Name`	—

Event ID 17 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`Pid`	—

Event ID 18 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`NameLength`	—
`Name`	—

Event ID 19 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`NameLength`	—
`Name`	—

Event ID 20 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`Irp`	—
`Device`	—
`DriverName`	—

Event ID 21 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`Irp`	—
`Device`	—

Event ID 22 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Event ID 23 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Event ID 24 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Event ID 25 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Event ID 26 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Event ID 27 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Event ID 28 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`Pid`	—
`NameLength`	—
`Name`	—

Event ID 29 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`NameLength`	—
`Name`	—

Event ID 30 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Event ID 31 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Event ID 32 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`Pid`	—
`NameLength`	—
`Name`	—

Event ID 33 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`NameLength`	—
`Name`	—

Event ID 34 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`Status`	—

Event ID 35 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`Query`	—
`TargetState`	—
`EffectiveState`	—

Event ID 36 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Event ID 37 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Event ID 38 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Event ID 39 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`SleepTime`	—
`ResumeTime`	—
`DriverWakeTime`	—
`HiberWriteTime`	—
`HiberReadTime`	—
`HiberPagesWritten`	—
`BiosInitTime`	—
`CheckpointTime`	—

Event ID 40 — The driver %2 for device %4 stopped the power transition.

Provider: Microsoft-Windows-Kernel-Power
Channel: System

Message

The driver %2 for device %4 stopped the power transition.

Fields

Name	Description
`DriverNameLength`	—
`DriverName`	—
`InstanceNameLength`	—
`InstanceName`	—

Event ID 41 — The last sleep transition was unsuccessful.

Provider: Microsoft-Windows-Kernel-Power
Channel: System
Level: 1
Samples: 1

Message

The last sleep transition was unsuccessful. This error could be caused if the system stopped responding, failed, or lost power during the sleep transition.

Fields

Name	Description
`BugcheckCode`	—
`BugcheckParameter1`	—
`BugcheckParameter2`	—
`BugcheckParameter3`	—
`BugcheckParameter4`	—
`SleepInProgress`	—
`PowerButtonTimestamp`	—
`BootAppStatus`	—
`Checkpoint`	—
`ConnectedStandbyInProgress`	—
`SystemSleepTransitionsToOn`	—
`CsEntryScenarioInstanceId`	—
`BugcheckInfoFromEFI`	—
`CheckpointStatus`	—
`CsEntryScenarioInstanceIdV2`	—
`LongPowerButtonPressDetected`	—
`LidReliability`	—
`InputSuppressionState`	—
`PowerButtonSuppressionState`	—
`LidState`	—
`WHEABootErrorCount`	—

Example Event

system:
  provider: Microsoft-Windows-Kernel-Power
  guid: 331C3B3A-2005-44C2-AC5E-77220C37D6B4
  event_source_name: ''
  event_id: 41
  version: 2
  level: 1
  task: 63
  opcode: 0
  keywords: 9223372036854775810
  time_created: '2012-04-06T19:11:29.968750Z'
  event_record_id: 13534
  correlation: {}
  execution:
    process_id: 4
    thread_id: 8
  channel: System
  computer: WKS-WIN764BITB.shieldbase.local
  security:
    user_id: S-1-5-18
event_data:
  BugcheckCode: 0
  BugcheckParameter1: '0x0'
  BugcheckParameter2: '0x0'
  BugcheckParameter3: '0x0'
  BugcheckParameter4: '0x0'
  SleepInProgress: false
  PowerButtonTimestamp: 0

Event ID 42 — The system is entering sleep.

Provider: Microsoft-Windows-Kernel-Power
Channel: System
Level: 4
Samples: 1

Message

The system is entering sleep.

Fields

Name	Description
`TargetState`	—
`EffectiveState`	—
`Reason`	—
`Flags`	—

Example Event

system:
  provider: Microsoft-Windows-Kernel-Power
  guid: 331C3B3A-2005-44C2-AC5E-77220C37D6B4
  event_source_name: ''
  event_id: 42
  version: 2
  level: 4
  task: 64
  opcode: 0
  keywords: 9223372036854775812
  time_created: '2016-08-18T16:22:13.389648Z'
  event_record_id: 5523
  correlation: {}
  execution:
    process_id: 4
    thread_id: 60
  channel: System
  computer: IE10Win7
  security:
    user_id: ''
event_data:
  TargetState: 2
  EffectiveState: 2
  Reason: 7
  Flags: 0

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 43 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Event ID 44 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Event ID 45 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Event ID 46 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Event ID 47 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Event ID 48 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Event ID 49 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Event ID 50 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Event ID 51 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Event ID 52 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Event ID 53 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Event ID 54 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Event ID 55 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Event ID 56 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Event ID 57 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Event ID 58 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Event ID 59 — The system is entering Away Mode.

Provider: Microsoft-Windows-Kernel-Power
Channel: System

Message

The system is entering Away Mode.

Event ID 60 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`Value`	—

Event ID 61 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`Value`	—

Event ID 62 — The application or service %3 has overridden user power management settings with a code of %1.

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Message

The application or service %3 has overridden user power management settings with a code of %1.

Fields

Name	Description
`ExecutionState`	—
`AppNameLength`	—
`AppName`	—
`Pid`	—
`Tid`	—
`EffectiveExecutionState`	—
`IgnoreReason`	—

Event ID 63 — The application or service %3 is attempting to update the system timer resolution to a value of %1.

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Message

The application or service %3 is attempting to update the system timer resolution to a value of %1.

Fields

Name	Description
`RequestedResolution`	—
`Pid`	—
`AppNameLength`	—
`AppName`	—
`SubProcessTag`	—
`RequestIgnored`	—

Event ID 64 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Event ID 65 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Event ID 66 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Event ID 67 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Event ID 68 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Event ID 69 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Event ID 70 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Event ID 71 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Event ID 72 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`Threshold`	—
`LowestIdleness`	—
`AverageIdleness`	—
`AccruedIdleTime`	—
`NonIdleIgnored`	—
`IdleToSleep`	—
`NonIdleReferences`	—

Event ID 73 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`ExecutionState`	—
`MonitorReason`	—

Event ID 74 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`ExecutionState`	—
`StateHandle`	—

Event ID 75 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Event ID 76 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Event ID 77 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`Device`	—
`Pdo`	—
`InstancePathLength`	—
`InstancePath`	—
`ConservativeTimeout`	—
`PerformanceTimeout`	—
`IdleTime`	—
`BusyCount`	—
`TotalBusyCount`	—
`IdlePowerState`	—
`CurrentPowerState`	—

Event ID 78 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`Device`	—
`Timeout`	—
`IgnoreThreshold`	—
`IdleTime`	—
`NonIdleTime`	—

Event ID 79 — Timer tick distribution policy: Disabled: %1 Overridden: %2.

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Message

Timer tick distribution policy:             
             
Disabled: %1             
Overridden: %2

Fields

Name	Description
`Disabled`	[Timer tick distribution policy] Disabled.
`Overridden`	[Timer tick distribution policy] Overridden.

Event ID 80 — ACPI thermal zone %2 has changed to %4 cooling.

Provider: Microsoft-Windows-Kernel-Power
Channel: Thermal-Diagnostic

Message

ACPI thermal zone %2 has changed to %4 cooling.

Fields

Name	Description
`ThermalZoneDeviceInstanceLength`	—
`ThermalZoneDeviceInstance`	—
`CoolingModeLength`	—
`CoolingMode`	—

Event ID 81 — ACPI thermal zone %2 has %5 passive cooling.

Provider: Microsoft-Windows-Kernel-Power
Channel: Thermal-Diagnostic

Message

ACPI thermal zone %2 has %5 passive cooling.             
EventTime = %3             
_PSV = %7K             
_TMP = %8K             
_TC1 = %9             
_TC2 = %10             
_TSP = %11ms             
Delta P = %12             
_PSL - see event data.

Fields

Name	Description
`ThermalZoneDeviceInstanceLength`	—
`ThermalZoneDeviceInstance`	—
`EventTime`	—
`PassiveCoolingStateLength`	—
`PassiveCoolingState`	—
`AffinityCount`	—
`_PSV`	—
`_TMP`	—
`_TC1`	—
`_TC2`	—
`_TSP`	—
`DeltaP`	—
`_PSL`	—

Event ID 82 — ACPI thermal zone %2 has %5 passive cooling.

Provider: Microsoft-Windows-Kernel-Power
Channel: Thermal-Operational

Message

ACPI thermal zone %2 has %5 passive cooling.             
EventTime = %3             
_PSV = %7K             
_TMP = %8K             
_TC1 = %9             
_TC2 = %10             
_TSP = %11ms             
Delta P = %12             
_PSL - see event data.

Fields

Name	Description
`ThermalZoneDeviceInstanceLength`	—
`ThermalZoneDeviceInstance`	—
`EventTime`	—
`PassiveCoolingStateLength`	—
`PassiveCoolingState`	—
`AffinityCount`	—
`_PSV`	—
`_TMP`	—
`_TC1`	—
`_TC2`	—
`_TSP`	—
`DeltaP`	—
`_PSL`	—

Event ID 83 — ACPI thermal zone %2 has %5 active cooling.

Provider: Microsoft-Windows-Kernel-Power
Channel: Thermal-Diagnostic

Message

ACPI thermal zone %2 has %5 active cooling.             
EventTime = %3             
_AC0 = %6K             
_AC1 = %7K             
_AC2 = %8K             
_AC3 = %9K             
_AC4 = %10K             
_AC5 = %11K             
_AC6 = %12K             
_AC7 = %13K             
_AC8 = %14K             
_AC9 = %15K             
_TMP = %16K

Fields

Name	Description
`ThermalZoneDeviceInstanceLength`	—
`ThermalZoneDeviceInstance`	—
`EventTime`	—
`ActiveCoolingStateLength`	—
`ActiveCoolingState`	—
`_AC0`	—
`_AC1`	—
`_AC2`	—
`_AC3`	—
`_AC4`	—
`_AC5`	—
`_AC6`	—
`_AC7`	—
`_AC8`	—
`_AC9`	—
`_TMP`	—

Event ID 84 — ACPI thermal zone %2 has %5 active cooling.

Provider: Microsoft-Windows-Kernel-Power
Channel: Thermal-Operational

Message

ACPI thermal zone %2 has %5 active cooling.             
EventTime = %3             
_AC0 = %6K             
_AC1 = %7K             
_AC2 = %8K             
_AC3 = %9K             
_AC4 = %10K             
_AC5 = %11K             
_AC6 = %12K             
_AC7 = %13K             
_AC8 = %14K             
_AC9 = %15K             
_TMP = %16K

Fields

Name	Description
`ThermalZoneDeviceInstanceLength`	—
`ThermalZoneDeviceInstance`	—
`EventTime`	—
`ActiveCoolingStateLength`	—
`ActiveCoolingState`	—
`_AC0`	—
`_AC1`	—
`_AC2`	—
`_AC3`	—
`_AC4`	—
`_AC5`	—
`_AC6`	—
`_AC7`	—
`_AC8`	—
`_AC9`	—
`_TMP`	—

Event ID 85 — The system was shut down due to a critical thermal event.

Provider: Microsoft-Windows-Kernel-Power
Channel: Thermal-Diagnostic

Message

The system was shut down due to a critical thermal event.             
Shutdown Time = %3             
ACPI Thermal Zone = %2             
_CRT = %4K

Fields

Name	Description
`ThermalZoneDeviceInstanceLength`	—
`ThermalZoneDeviceInstance`	—
`ShutdownTime`	—
`_CRT`	—

Event ID 86 — The system was shut down due to a critical thermal event.

Provider: Microsoft-Windows-Kernel-Power
Channel: System

Message

The system was shut down due to a critical thermal event.             
Shutdown Time = %3             
ACPI Thermal Zone = %2             
_CRT = %4K

Fields

Name	Description
`ThermalZoneDeviceInstanceLength`	—
`ThermalZoneDeviceInstance`	—
`ShutdownTime`	—
`_CRT`	—

Event ID 87 — The system was hibernated due to a critical thermal event.

Provider: Microsoft-Windows-Kernel-Power
Channel: Thermal-Diagnostic

Message

The system was hibernated due to a critical thermal event.
Hibernate Time = %3             
ACPI Thermal Zone = %2             
_HOT = %4K

Fields

Name	Description
`ThermalZoneDeviceInstanceLength`	—
`ThermalZoneDeviceInstance`	—
`HibernateTime`	—
`_HOT`	—

Event ID 88 — The system was hibernated due to a critical thermal event.

Provider: Microsoft-Windows-Kernel-Power
Channel: System

Message

The system was hibernated due to a critical thermal event.
Hibernate Time = %3             
ACPI Thermal Zone = %2             
_HOT = %4K

Fields

Name	Description
`ThermalZoneDeviceInstanceLength`	—
`ThermalZoneDeviceInstance`	—
`HibernateTime`	—
`_HOT`	—

Event ID 89 — ACPI thermal zone %2 has been enumerated.

Provider: Microsoft-Windows-Kernel-Power
Channel: System

Message

ACPI thermal zone %2 has been enumerated.             
_PSV = %4K             
_TC1 = %5             
_TC2 = %6             
_TSP = %7ms             
_AC0 = %8K             
_AC1 = %9K             
_AC2 = %10K             
_AC3 = %11K             
_AC4 = %12K             
_AC5 = %13K             
_AC6 = %14K             
_AC7 = %15K             
_AC8 = %16K             
_AC9 = %17K             
_CRT = %18K             
_HOT = %19K             
_PSL - see event data.

Fields

Name	Description
`ThermalZoneDeviceInstanceLength`	—
`ThermalZoneDeviceInstance`	—
`AffinityCount`	—
`_PSV`	—
`_TC1`	—
`_TC2`	—
`_TSP`	—
`_AC0`	—
`_AC1`	—
`_AC2`	—
`_AC3`	—
`_AC4`	—
`_AC5`	—
`_AC6`	—
`_AC7`	—
`_AC8`	—
`_AC9`	—
`_CRT`	—
`_HOT`	—
`_PSL`	—

Event ID 90 — Processor %1 was throttled by an entity other than the kernel power manager.

Provider: Microsoft-Windows-Kernel-Power
Channel: Thermal-Diagnostic

Message

Processor %1 was throttled by an entity other than the kernel power manager. 
IA32_CLOCK_MODULATION MSR = %2. 
Elapsed time since last event logged = %3s. 
Log interval = %4 events.

Fields

Name	Description
`ProcessorId`	—
`ThrottleMSR`	—
`ElapsedTime`	—
`LogInterval`	—

Event ID 91 — Processor %1 was throttled by an entity other than the kernel power manager.

Provider: Microsoft-Windows-Kernel-Power
Channel: Thermal-Operational

Message

Processor %1 was throttled by an entity other than the kernel power manager. 
IA32_CLOCK_MODULATION MSR = %2. 
Elapsed time since last event logged = %3s. 
Log interval = %4 events.

Fields

Name	Description
`ProcessorId`	—
`ThrottleMSR`	—
`ElapsedTime`	—
`LogInterval`	—

Event ID 92 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`Token`	—
`Type`	—
`ProcessID`	—
`SessionID`	—
`Legacy`	—
`SystemAllowed`	—
`DisplayAllowed`	—
`AwayModeAllowed`	—
`SystemCount`	—
`DisplayCount`	—
`AwayModeCount`	—
`CallerLength`	—
`ContextLength`	—
`Caller`	—
`Context`	—
`ExecutionRequiredAllowed`	—
`PerformanceBoostAllowed`	—
`FullScreenVideoAllowed`	—
`ExecutionRequiredCount`	—
`PerformanceBoostCount`	—
`FullScreenVideoCount`	—

Event ID 93 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`Token`	—
`SystemCount`	—
`DisplayCount`	—
`AwayModeCount`	—
`ExecutionRequiredCount`	—
`PerformanceBoostCount`	—
`FullScreenVideoCount`	—

Event ID 94 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`Token`	—

Event ID 95 — The system timer resolution has changed to a value of %1.

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Message

The system timer resolution has changed to a value of %1.

Fields

Name	Description
`NewResolution`	—

Event ID 96 — The system timer resolution currently has a value of %1.

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Message

The system timer resolution currently has a value of %1.

Fields

Name	Description
`CurrentPeriod`	—
`MinimumPeriod`	—
`MaximumPeriod`	—
`KernelRequestCount`	—
`KernelRequestedPeriod`	—
`InternalSetPeriod`	—

Event ID 97 — The system timer resolution currently has a value of %1.

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Message

The system timer resolution currently has a value of %1.

Fields

Name	Description
`RequestedPeriod`	—
`Pid`	—
`AppNameLength`	—
`AppName`	—
`RequestIgnored`	—

Event ID 98 — A driver is attempting to update the system timer resolution to a value of %1.

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Message

A driver is attempting to update the system timer resolution to a value of %1.

Fields

Name	Description
`RequestedResolution`	—
`Tag`	—

Event ID 99 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`Token`	—
`Type`	—
`ProcessID`	—
`SessionID`	—
`Legacy`	—
`SystemAllowed`	—
`DisplayAllowed`	—
`AwayModeAllowed`	—
`SystemCount`	—
`DisplayCount`	—
`AwayModeCount`	—
`CallerLength`	—
`ContextLength`	—
`Caller`	—
`Context`	—
`ExecutionRequiredAllowed`	—
`PerformanceBoostAllowed`	—
`FullScreenVideoAllowed`	—
`ExecutionRequiredCount`	—
`PerformanceBoostCount`	—
`FullScreenVideoCount`	—

Event ID 100 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Event ID 101 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Event ID 102 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Event ID 103 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Event ID 104 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`AffectedState`	—
`PowerReasonCode`	—
`PowerReasonLength`	—
`PowerReasonInfo`	—

Event ID 105 — Power source change.

Provider: Microsoft-Windows-Kernel-Power
Channel: System

Message

Power source change.

Fields

Name	Description
`AcOnline`	—
`RemainingCapacity`	—
`FullChargeCapacity`	—

Event ID 106 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`AcOnline`	—

Event ID 107 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`TargetState`	—
`EffectiveState`	—
`WakeFromState`	—

Event ID 107 — The system has resumed from sleep.

Provider: Microsoft-Windows-Kernel-Power
Channel: System

Message

The system has resumed from sleep.

Fields

Name	Description
`TargetState`	—
`EffectiveState`	—
`WakeFromState`	—
`ProgrammedWakeTimeAc`	—
`ProgrammedWakeTimeDc`	—
`WakeRequesterTypeAc`	—
`WakeRequesterTypeDc`	—

Event ID 108 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`CopyBytes`	—
`ElapsedTime`	—
`IoTime`	—
`InitTime`	—
`CopyTime`	—
`PagesWritten`	—
`PagesProcessed`	—
`DumpCount`	—
`FileRuns`	—
`ReadTime`	—
`ResumeAppTime`	—
`CompressTime`	—

Event ID 109 — The kernel power manager has initiated a shutdown transition.

Provider: Microsoft-Windows-Kernel-Power
Channel: System
Level: 4
Samples: 1

Message

The kernel power manager has initiated a shutdown transition.

Action: %1 
Event Code: %2 
Reason: %3

Fields

Name	Description
`ShutdownActionType`	Action.
`ShutdownEventCode`	Event Code.
`ShutdownReason`	Reason.

Example Event

system:
  provider: Microsoft-Windows-Kernel-Power
  guid: 331C3B3A-2005-44C2-AC5E-77220C37D6B4
  event_source_name: ''
  event_id: 109
  version: 0
  level: 4
  task: 103
  opcode: 0
  keywords: 9223442405598954500
  time_created: '2023-11-06T06:23:40.686261+00:00'
  event_record_id: 1621
  correlation: {}
  execution:
    process_id: 680
    thread_id: 684
  channel: System
  computer: WinDev2310Eval
  security:
    user_id: ''
event_data:
  ShutdownActionType: 5
  ShutdownEventCode: 0
  ShutdownReason: 5
message: ''

References

Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Event ID 110 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`RequestedPeriod`	—
`Pid`	—
`AppNameLength`	—
`AppName`	—
`StackSize`	—
`Stack`	—

Event ID 111 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`SettingGuid`	—
`DataSize`	—
`Data`	—
`Override`	—

Event ID 112 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`SettingGuid`	—
`DataSize`	—
`Data`	—
`Override`	—

Event ID 113 — ACPI thermal zone %2 has %4 passive cooling.

Provider: Microsoft-Windows-Kernel-Power
Channel: Thermal-Diagnostic

Message

ACPI thermal zone %2 has %4 passive cooling.             
EventTime = %3             
_PSV = %5K             
_TMP = %6K             
_TC1 = %7             
_TC2 = %8             
_TSP = %9ms             
Delta P = %10

Fields

Name	Description
`ThermalZoneDeviceInstanceLength`	—
`ThermalZoneDeviceInstance`	—
`EventTime`	—
`PassiveCoolingState`	—
`_PSV`	—
`_TMP`	—
`_TC1`	—
`_TC2`	—
`_TSP`	—
`DeltaP`	—
`MinimumThrottle`	—

Event ID 114 — ACPI thermal zone %2 has %4 passive cooling.

Provider: Microsoft-Windows-Kernel-Power
Channel: Thermal-Operational

Message

ACPI thermal zone %2 has %4 passive cooling.             
EventTime = %3             
_PSV = %5K             
_TMP = %6K             
_TC1 = %7             
_TC2 = %8             
_TSP = %9ms             
Delta P = %10

Fields

Name	Description
`ThermalZoneDeviceInstanceLength`	—
`ThermalZoneDeviceInstance`	—
`EventTime`	—
`PassiveCoolingState`	—
`_PSV`	—
`_TMP`	—
`_TC1`	—
`_TC2`	—
`_TSP`	—
`DeltaP`	—
`MinimumThrottle`	—

Event ID 115 — ACPI thermal zone %2 has %4 active cooling.

Provider: Microsoft-Windows-Kernel-Power
Channel: Thermal-Diagnostic

Message

ACPI thermal zone %2 has %4 active cooling.             
EventTime = %3             
_AC0 = %5K             
_AC1 = %6K             
_AC2 = %7K             
_AC3 = %8K             
_AC4 = %9K             
_AC5 = %10K             
_AC6 = %11K             
_AC7 = %12K             
_AC8 = %13K             
_AC9 = %14K             
_TMP = %15K

Fields

Name	Description
`ThermalZoneDeviceInstanceLength`	—
`ThermalZoneDeviceInstance`	—
`EventTime`	—
`ActiveCoolingState`	—
`_AC0`	—
`_AC1`	—
`_AC2`	—
`_AC3`	—
`_AC4`	—
`_AC5`	—
`_AC6`	—
`_AC7`	—
`_AC8`	—
`_AC9`	—
`_TMP`	—

Event ID 116 — ACPI thermal zone %2 has %4 active cooling.

Provider: Microsoft-Windows-Kernel-Power
Channel: Thermal-Operational

Message

ACPI thermal zone %2 has %4 active cooling.             
EventTime = %3             
_AC0 = %5K             
_AC1 = %6K             
_AC2 = %7K             
_AC3 = %8K             
_AC4 = %9K             
_AC5 = %10K             
_AC6 = %11K             
_AC7 = %12K             
_AC8 = %13K             
_AC9 = %14K             
_TMP = %15K

Fields

Name	Description
`ThermalZoneDeviceInstanceLength`	—
`ThermalZoneDeviceInstance`	—
`EventTime`	—
`ActiveCoolingState`	—
`_AC0`	—
`_AC1`	—
`_AC2`	—
`_AC3`	—
`_AC4`	—
`_AC5`	—
`_AC6`	—
`_AC7`	—
`_AC8`	—
`_AC9`	—
`_TMP`	—

Event ID 117 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`TotalResumeTime`	—
`POSTTime`	—
`ResumeBootMgrTime`	—
`ResumeAppTime`	—
`ResumeAppStartTime`	—
`ResumeLibraryInitTime`	—
`ResumeInitTime`	—
`ResumeHiberFileTime`	—
`ResumeRestoreImageStartTimestamp`	—
`ResumeIoTime`	—
`ResumeDecompressTime`	—
`ResumeMapTime`	—
`ResumeUnmapTime`	—
`ResumeUserInOutTime`	—
`ResumeAllocateTime`	—
`ResumeKernelSwitchTimestamp`	—
`KernelReturnFromHandlerTimestamp`	—
`SleeperThreadEndTimestamp`	—
`TimeStampCounterAtSwitchTime`	—
`KernelReturnSystemPowerStateTimestamp`	—
`HiberHiberFileTime`	—
`InitTime`	—
`HiberSharedBufferTime`	—
`TotalHibernateTime`	—
`KernelResumeHiberFileTime`	—
`KernelResumeInitTime`	—
`KernelResumeSharedBufferTime`	—
`DeviceResumeTime`	—
`KernelAnimationTime`	—
`KernelPagesProcessed`	—
`KernelPagesWritten`	—
`BootPagesProcessed`	—
`BootPagesWritten`	—
`HiberWriteRate`	—
`HiberCompressRate`	—
`ResumeReadRate`	—
`ResumeDecompressRate`	—
`FileRuns`	—
`NoMultiStageResumeReason`	—
`MaxHuffRatio`	—
`SecurePagesProcessed`	—
`HiberChecksumTime`	—
`HiberChecksumIoTime`	—
`ResumeChecksumTime`	—
`ResumeChecksumIoTime`	—
`KernelChecksumTime`	—
`KernelChecksumIoTime`	—
`WinresumeExitTimestamp`	—
`TcbLoaderStartTimestamp`	—
`TcbLoaderEndTimestamp`	—
`RemappedPageLookupCycles`	—
`TcbLaunchPrepareCycles`	—
`TcbLaunchPrepareDataCycles`	—
`DecryptVsmPagesPhase0Cycles`	—
`DecryptVsmPagesPhase1Cycles`	—
`DecryptVsmPagesPhase2Cycles`	—
`TcbLoaderAuthenticateCycles`	—
`TcbLoaderDecryptCycles`	—
`TcbLoaderValidateCycles`	—

Event ID 118 — Idle resiliency activated with requested clock period: %1(Internal flags:%2, Ticks:%3).

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Message

Idle resiliency activated with requested clock period: %1(Internal flags:%2, Ticks:%3).

Fields

Name	Description
`RequestedResolution`	—
`Flags`	—
`Ticks`	—

Event ID 119 — Idle resiliency deactivated (Internal flags:%2).

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Message

Idle resiliency deactivated (Internal flags:%2).

Fields

Name	Description
`RequestedResolution`	—
`Flags`	—
`Ticks`	—

Event ID 120 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`HiberfileSizeKB`	—
`TotalHibernateTime`	—
`HiberHiberFileTime`	—

Event ID 121 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`DriverWakeTime`	—
`TotalResumeTime`	—
`BiosInitTime`	—
`ResumeAppsTime`	—
`ResumeServicesTime`	—

Event ID 122 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`TotalResumeTime`	—
`PhasePagesWrittenMB`	—
`ResumeAppAndKernelResumeHiberFileTime`	—
`POSTAndDeviceResumeTime`	—
`RatesAndResumeAppsServicesTime`	—
`PhasePagesProcessedMB`	—

Event ID 123 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`HiberfileSize`	—
`TotalHybridShutdownTime`	—
`HiberfileCreateTime`	—
`SystemShutdownTime`	—

Event ID 124 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`TotalResumeTime`	—
`PhasePagesWrittenMB`	—
`ResumeAppAndKernelResumeHiberFileTime`	—
`POSTAndDeviceResumeTime`	—
`RatesAndResumeAppsServicesTime`	—
`PhasePagesProcessedMB`	—

Event ID 125 — ACPI thermal zone %2 has been enumerated.

Provider: Microsoft-Windows-Kernel-Power
Channel: System

Message

ACPI thermal zone %2 has been enumerated.             
_PSV = %3K             
_TC1 = %4             
_TC2 = %5             
_TSP = %6ms             
_AC0 = %7K             
_AC1 = %8K             
_AC2 = %9K             
_AC3 = %10K             
_AC4 = %11K             
_AC5 = %12K             
_AC6 = %13K             
_AC7 = %14K             
_AC8 = %15K             
_AC9 = %16K             
_CRT = %17K             
_HOT = %18K

Fields

Name	Description
`ThermalZoneDeviceInstanceLength`	—
`ThermalZoneDeviceInstance`	—
`_PSV`	—
`_TC1`	—
`_TC2`	—
`_TSP`	—
`_AC0`	—
`_AC1`	—
`_AC2`	—
`_AC3`	—
`_AC4`	—
`_AC5`	—
`_AC6`	—
`_AC7`	—
`_AC8`	—
`_AC9`	—
`_CRT`	—
`_HOT`	—
`MinimumThrottle`	—
`_CR3`	—
`OverThrottleThreshold`	—
`DescriptionLength`	—
`Description`	—
`_TZP`	—

Event ID 126 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`Level`	—
`MinorFunction`	—

Event ID 127 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`Level`	—
`MinorFunction`	—

Event ID 128 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`Level`	—
`MinorFunction`	—

Event ID 129 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`Level`	—
`MinorFunction`	—

Event ID 130 — Firmware S3 times.

Provider: Microsoft-Windows-Kernel-Power
Channel: System

Message

Firmware S3 times. SuspendStart: %1, SuspendEnd: %2

Fields

Name	Description
`Firmware_S3_times_SuspendStart`	Firmware S3 times. SuspendStart.
`SuspendEnd`	—
`SuspendStart`	—

Event ID 131 — Firmware S3 times.

Provider: Microsoft-Windows-Kernel-Power
Channel: System

Message

Firmware S3 times. ResumeCount: %1, FullResume: %2, AverageResume: %3

Fields

Name	Description
`Firmware_S3_times_ResumeCount`	Firmware S3 times. ResumeCount.
`FullResume`	—
`AverageResume`	—
`ResumeCount`	—

Event ID 132 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`PlatformRole`	—

Event ID 133 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Event ID 134 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Event ID 135 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`DisplayState`	—

Event ID 136 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`DeviceNode`	—
`PowerState`	—
`InstancePathLength`	—
`InstancePath`	—
`FriendlyNameLength`	—
`FriendlyName`	—

Event ID 137 — The system firmware has changed the processor's memory type range registers (MTRRs) across a sleep state transition (S%1).

Provider: Microsoft-Windows-Kernel-Power
Channel: System

Message

The system firmware has changed the processor's memory type range registers (MTRRs) across a sleep state transition (S%1). This can result in reduced resume performance.

Fields

Name	Description
`SleepState`	—

Event ID 138 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`Throttle`	—
`Temperature`	—
`ZoneLength`	—
`Zone`	—

Event ID 139 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`ThrottleDuration`	—
`ZoneLength`	—
`Zone`	—

Event ID 140 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`EnergyDrain`	—
`Duration`	—
`DripsTransitions`	—
`Flags`	—

Event ID 141 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`FanDuration`	—
`ActivationDelay`	—

Event ID 142 — The system has rebooted without cleanly shutting down first.

Provider: Microsoft-Windows-Kernel-Power
Channel: System

Message

The system has rebooted without cleanly shutting down first. This error is caused because the system stopped responding and the hardware watchdog triggered a system reset.

Fields

Name	Description
`ResetReasonMask`	—

Event ID 143 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`ResiliencyPhaseNonActivatedNoDripsMs`	—
`NonActivatedCpuTimeMs`	—
`DurationThisPeriodMs`	—
`ActionsTakenAndOnAc`	—

Event ID 144 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Thermal-Diagnostic

Fields

Name	Description
`InitiatorLength`	—
`Initiator`	—
`Type`	—
`Temperature`	—
`TripPointTemperature`	—

Event ID 145 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Thermal-Diagnostic

Fields

Name	Description
`ThermalZoneDeviceInstanceLength`	—
`ThermalZoneDeviceInstance`	—
`ActiveCoolingState`	—
`ActivePoint`	—
`PassiveCoolingState`	—
`ThrottleLimit`	—
`ThermalStandby`	—
`OverThrottled`	—
`DescriptionLength`	—
`Description`	—

Event ID 146 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`Callback`	—
`SettingGuid`	—
`DataSize`	—
`Data`	—

Event ID 147 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`Callback`	—
`SettingGuid`	—

Event ID 148 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`State`	—
`Reason`	—

Event ID 149 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`Session`	—
`Console`	—
`Reason`	—

Event ID 150 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`Session`	—
`Console`	—
`Reason`	—

Event ID 151 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Thermal-Diagnostic

Fields

Name	Description
`PassiveSupported`	—
`ActiveSupported`	—
`Throttle`	—
`ActiveEngaged`	—
`Token`	—
`DeviceIdLength`	—
`DeviceId`	—

Event ID 152 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Thermal-Diagnostic

Fields

Name	Description
`PassiveSupported`	—
`ActiveSupported`	—
`Throttle`	—
`ActiveEngaged`	—
`Token`	—
`DeviceIdLength`	—
`DeviceId`	—

Event ID 153 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Thermal-Diagnostic

Fields

Name	Description
`PassiveSupported`	—
`ActiveSupported`	—
`Throttle`	—
`ActiveEngaged`	—
`Token`	—
`DeviceIdLength`	—
`DeviceId`	—

Event ID 154 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Thermal-Diagnostic

Fields

Name	Description
`Throttle`	—
`Token`	—

Event ID 155 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Thermal-Diagnostic

Fields

Name	Description
`ActiveEngaged`	—
`Token`	—

Event ID 156 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Thermal-Diagnostic

Fields

Name	Description
`Throttle`	—
`ActiveEngaged`	—
`Token`	—
`DeviceIdLength`	—
`CallerLength`	—
`ContextLength`	—
`PolicyLength`	—
`DeviceId`	—
`Caller`	—
`Context`	—
`Policy`	—

Event ID 157 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Thermal-Diagnostic

Fields

Name	Description
`Throttle`	—
`ActiveEngaged`	—
`Token`	—
`DeviceIdLength`	—
`CallerLength`	—
`ContextLength`	—
`PolicyLength`	—
`DeviceId`	—
`Caller`	—
`Context`	—
`Policy`	—

Event ID 158 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Thermal-Diagnostic

Fields

Name	Description
`Throttle`	—
`ActiveEngaged`	—
`Token`	—
`DeviceIdLength`	—
`CallerLength`	—
`ContextLength`	—
`PolicyLength`	—
`DeviceId`	—
`Caller`	—
`Context`	—
`Policy`	—

Event ID 159 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Thermal-Diagnostic

Fields

Name	Description
`Throttle`	—
`Token`	—

Event ID 160 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Thermal-Diagnostic

Fields

Name	Description
`ActiveEngaged`	—
`Token`	—

Event ID 161 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`ResiliencyPhaseNonActivatedNoDripsMs`	—
`NonActivatedCpuTimeMs`	—
`DurationThisPeriodMs`	—
`OnAc`	—
`EnergyDrainMw`	—
`DeviceConstraint`	—
`ActionsTaken`	—
`DeviceServiceNameLength`	—
`DeviceServiceName`	—
`ChildServiceNameLength`	—
`ChildServiceName`	—
`PepPreVeto`	—
`InvocationCount`	—

Event ID 162 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Thermal-Diagnostic

Fields

Name	Description
`ThermalZoneDeviceInstanceLength`	—
`ThermalZoneDeviceInstance`	—
`Engaged`	—

Event ID 163 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Thermal-Diagnostic

Fields

Name	Description
`ThermalZoneDeviceInstanceLength`	—
`ThermalZoneDeviceInstance`	—
`Engaged`	—

Event ID 164 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Thermal-Diagnostic

Event ID 165 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`IdleInformationUpdated`	—
`TimeoutSource`	—
`Action`	—
`MinState`	—
`Timeout`	—
`Flags`	—
`Reason`	—

Event ID 166 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`AccumulatedIdleTime`	—
`SystemIdle`	—
`Flags`	—
`Action`	—
`MinState`	—
`DozeS4Timeout`	—
`PredictedUserReturnTime`	—

Event ID 167 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`Reason`	—
`S0LowPowerDozeTimerCancelled`	—

Event ID 168 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`CancelledDueToUserInput`	—

Event ID 169 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`Source`	—
`Time`	—

Event ID 170 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`Reason`	—

Event ID 171 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`ResiliencyPhaseNonActivatedNoDeepSleepMs`	—
`NonActivatedCpuTimeMs`	—
`DurationThisPeriodMs`	—
`OnAc`	—
`ActionsTaken`	—
`PowerSettingPending`	—

Event ID 172 — Connectivity state in standby: %1, Reason: %2.

Provider: Microsoft-Windows-Kernel-Power
Channel: System
Level: 4
Samples: 1

Message

Connectivity state in standby: %1, Reason: %2

Fields

Name	Description
`State`	Connectivity state in standby.
`Reason`	—

Example Event

system:
  provider: Microsoft-Windows-Kernel-Power
  guid: 331C3B3A-2005-44C2-AC5E-77220C37D6B4
  event_source_name: ''
  event_id: 172
  version: 0
  level: 4
  task: 203
  opcode: 0
  keywords: 9223372036854776836
  time_created: '2023-11-06T06:25:19.594800+00:00'
  event_record_id: 1646
  correlation: {}
  execution:
    process_id: 4
    thread_id: 228
  channel: System
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  State: 2
  Reason: 6
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 173 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Event ID 174 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Event ID 175 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`State`	—
`Reason`	—

Event ID 176 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`Type`	—
`State`	—

Event ID 177 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`Type`	—
`State`	—

Event ID 178 — Background Activity Policy updated from %1 to %2.

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Message

Background Activity Policy updated from %1 to %2.

Fields

Name	Description
`PreviousPolicy`	—
`NewPolicy`	—

Event ID 179 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`PrevState`	—
`NewState`	—

Event ID 180 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`Reason`	—

Event ID 181 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`Constraint`	—

Event ID 182 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`Constraint`	—

Event ID 183 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`ConstraintCount`	—
`Constraints`	—

Event ID 184 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`ExpiryCount`	—
`RelativeId`	—
`ComponentName`	—

Event ID 185 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`WokeSystem`	—
`RejectReason`	—
`Uncertain`	—
`Spurious`	—
`FixedWakeSourceMask`	—
`AcAlarmSignaled`	—
`DcAlarmSignaled`	—
`RtcSignaled`	—
`AcProgrammedTime`	—
`DcProgrammedTime`	—
`UsingAcTime`	—
`WakeTime`	—
`AdjustedWakeTime`	—
`FullWake`	—

Event ID 186 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`Irp`	—

Event ID 187 — User-mode process attempted to change the system state by calling SetSuspendState or SetSystemPowerState APIs.

Provider: Microsoft-Windows-Kernel-Power
Channel: System

Message

User-mode process attempted to change the system state by calling SetSuspendState or SetSystemPowerState APIs.

Fields

Name	Description
`ApiCallerNameLength`	—
`ApiCallerName`	—
`SystemAction`	—
`LightestSystemState`	—

Event ID 188 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Event ID 189 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Event ID 190 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`RequestIgnored`	—
`Pid`	—

Event ID 191 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`Count`	—

Event ID 200 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Operational

Fields

Name	Description
`SqmType`	—
`SqmSessionGuid`	—
`SqmSid`	—
`SqmWindowsSessionId`	—
`SqmSessionFlags`	—

Event ID 201 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Operational

Fields

Name	Description
`SqmType`	—
`SqmSessionGuid`	—

Event ID 202 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Operational

Fields

Name	Description
`SqmType`	—
`SqmSessionGuid`	—
`SqmID`	—
`SqmDWORDDatapointValue`	—

Event ID 203 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Operational

Fields

Name	Description
`SqmType`	—
`SqmSessionGuid`	—
`SqmID`	—
`SqmDWORDDatapointValue`	—

Event ID 204 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Operational

Fields

Name	Description
`SqmType`	—
`SqmSessionGuid`	—
`SqmID`	—
`SqmDWORDDatapointValue`	—

Event ID 205 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Operational

Fields

Name	Description
`SqmType`	—
`SqmSessionGuid`	—
`SqmID`	—
`SqmDWORDDatapointValue`	—

Event ID 206 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Operational

Fields

Name	Description
`SqmType`	—
`SqmSessionGuid`	—
`SqmID`	—
`SqmDWORDDatapointValue`	—

Event ID 207 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Operational

Fields

Name	Description
`SqmType`	—
`SqmSessionGuid`	—
`SqmID`	—
`SqmStringDatapointValue`	—

Event ID 208 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Operational

Fields

Name	Description
`SqmType`	—
`SqmSessionGuid`	—
`SqmID`	—
`SqmStreamRowLength`	—
`SqmStreamRow`	—

Event ID 300 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Operational

Fields

Name	Description
`Plugin`	—
`Attributes`	—

Event ID 301 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Operational

Fields

Name	Description
`Plugin`	—
`Attributes`	—

Event ID 302 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Operational

Fields

Name	Description
`Token`	—
`Plugin`	—
`IdLength`	—
`Id`	—
`Prepared`	—

Event ID 303 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Operational

Fields

Name	Description
`Token`	—
`Plugin`	—
`PowerState`	—
`Status`	—
`IdLength`	—
`Id`	—
`ComponentCount`	—
`VetoMasks`	—

Event ID 304 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Operational

Fields

Name	Description
`Token`	—
`Plugin`	—
`PowerState`	—
`Status`	—
`IdLength`	—
`Id`	—
`ComponentCount`	—
`VetoMasks`	—

Event ID 305 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Operational

Fields

Name	Description
`Token`	—

Event ID 306 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Operational

Fields

Name	Description
`Token`	—

Event ID 307 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Operational

Fields

Name	Description
`Token`	—
`PowerRequired`	—

Event ID 308 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Operational

Fields

Name	Description
`Token`	—
`PowerState`	—

Event ID 309 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Operational

Fields

Name	Description
`Token`	—

Event ID 310 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Operational

Fields

Name	Description
`Token`	—
`Component`	—
`Active`	—
`IdleState`	—
`IdleStateCount`	—
`IdleStates`	—

Event ID 311 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Operational

Fields

Name	Description
`Token`	—
`Component`	—
`Active`	—
`IdleState`	—
`IdleStateCount`	—
`IdleStates`	—

Event ID 312 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Operational

Fields

Name	Description
`Token`	—
`Component`	—
`Active`	—

Event ID 313 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Operational

Fields

Name	Description
`Token`	—
`Component`	—
`IdleState`	—

Event ID 314 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Operational

Fields

Name	Description
`Token`	—
`Component`	—
`Latency`	—

Event ID 315 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Operational

Fields

Name	Description
`Token`	—
`Component`	—
`Residency`	—

Event ID 316 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Operational

Fields

Name	Description
`Token`	—
`Component`	—
`ArmedForWake`	—

Event ID 317 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Operational

Fields

Name	Description
`Token`	—
`PowerRequired`	—

Event ID 318 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Operational

Fields

Name	Description
`Token`	—
`StateCount`	—
`MinimumDStates`	—

Event ID 319 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Operational

Fields

Name	Description
`Token`	—
`Component`	—
`StateCount`	—
`MinimumFStates`	—

Event ID 320 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Operational

Fields

Name	Description
`DeviceNode`	—
`DeviceIdLength`	—
`DeviceId`	—
`InstancePathLength`	—
`InstancePath`	—
`ServiceNameLength`	—
`ServiceName`	—
`PlatformStateDependents`	—
`Pdo`	—
`ParentDeviceNode`	—
`Flags`	—
`FriendlyNameLength`	—
`FriendlyName`	—
`DripsRequiredState`	—

Event ID 321 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Operational

Fields

Name	Description
`Token`	—
`Component`	—
`SetCount`	—

Event ID 322 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Operational

Fields

Name	Description
`Token`	—
`Component`	—
`SetCount`	—

Event ID 323 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Operational

Fields

Name	Description
`Token`	—
`Component`	—
`Set`	—
`NameLength`	—
`Name`	—
`Type`	—
`Unit`	—
`Minimum`	—
`Maximum`	—
`StateCount`	—
`StateValues`	—
`CurrentState`	—

Event ID 324 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Operational

Fields

Name	Description
`Token`	—
`Component`	—
`Set`	—
`NameLength`	—
`Name`	—
`Type`	—
`Unit`	—
`Minimum`	—
`Maximum`	—
`StateCount`	—
`StateValues`	—
`CurrentState`	—

Event ID 325 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Operational

Fields

Name	Description
`Token`	—
`Component`	—
`PerformanceStateSetCount`	—
`PerformanceStateSets`	—

Event ID 326 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Operational

Fields

Name	Description
`Token`	—
`Component`	—
`Progress`	—

Event ID 327 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Operational

Fields

Name	Description
`Token`	—
`Component`	—
`Succeeded`	—

Event ID 328 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Operational

Fields

Name	Description
`Token`	—
`Component`	—
`DeviceTransition`	—
`PowerState`	—
`PerformanceStateSetCount`	—
`PerformanceStateSets`	—

Event ID 329 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Operational

Fields

Name	Description
`Token`	—
`StateCount`	—
`TransitionRequired`	—

Event ID 330 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Operational

Fields

Name	Description
`StartDevice`	—

Event ID 331 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Operational

Fields

Name	Description
`EndDevice`	—
`WorkType`	—
`Phase`	—
`NumberExtraDevices`	—

Event ID 332 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Operational

Fields

Name	Description
`EndDevice`	—
`WorkType`	—
`Phase`	—
`NumberExtraDevices`	—

Event ID 333 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Operational

Fields

Name	Description
`EndDevice`	—
`WorkType`	—
`Phase`	—
`NumberExtraDevices`	—

Event ID 400 — SessionId: %1, Console:%2.

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Message

SessionId: %1, Console:%2

Fields

Name	Description
`SessionId`	—
`Console`	—

Event ID 401 — SessionId: %1, Console:%2.

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Message

SessionId: %1, Console:%2

Fields

Name	Description
`SessionId`	—
`Console`	—

Event ID 402 — SessionId: %1, Console:%2.

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Message

SessionId: %1, Console:%2

Fields

Name	Description
`SessionId`	—
`Console`	—

Event ID 403 — SessionId: %1, Console:%2.

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Message

SessionId: %1, Console:%2

Fields

Name	Description
`SessionId`	—
`Console`	—

Event ID 404 — SessionId: %1, Console:%2.

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Message

SessionId: %1, Console:%2

Fields

Name	Description
`SessionId`	—
`Console`	—

Event ID 405 — SessionId: %1, Console:%2.

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Message

SessionId: %1, Console:%2

Fields

Name	Description
`SessionId`	—
`Console`	—

Event ID 406 — SessionId: %1, Console:%2.

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Message

SessionId: %1, Console:%2

Fields

Name	Description
`SessionId`	—
`Console`	—

Event ID 407 — SessionId: %1, Console:%2.

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Message

SessionId: %1, Console:%2

Fields

Name	Description
`SessionId`	—
`Console`	—

Event ID 408 — User presence.

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Message

User presence:%1

Fields

Name	Description
`User_presence`	—
`UserPresence`	—

Event ID 409 — Reason code.

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Message

Reason code:%1

Fields

Name	Description
`Reason_code`	—
`Code`	—

Event ID 410 — Engaged.

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Message

Engaged:%1

Fields

Name	Description
`Engaged`	—

Event ID 411 — Engaged.

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Message

Engaged:%1

Fields

Name	Description
`Engaged`	—

Event ID 412 — Session Id:%1, Value: %2.

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Message

Session Id:%1, Value: %2

Fields

Name	Description
`Session_Id`	—
`Value`	—
`SessionId`	—
`State`	—

Event ID 413 — Session Id:%1, Value: %2.

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Message

Session Id:%1, Value: %2

Fields

Name	Description
`Session_Id`	—
`Value`	—
`SessionId`	—
`State`	—

Event ID 414 — Session Id:%1, Value: %2.

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Message

Session Id:%1, Value: %2

Fields

Name	Description
`Session_Id`	—
`Value`	—
`SessionId`	—
`State`	—
`TransitionCount`	—

Event ID 415 — Old value:%1, New value: %2.

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Message

Old value:%1, New value: %2

Fields

Name	Description
`Old_value`	—
`New_value`	—
`Old`	—
`New`	—

Event ID 416 — Value:%1, Zeroed: %2, Computed: %3.

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Message

Value:%1, Zeroed: %2, Computed: %3

Fields

Name	Description
`Value`	—
`Zeroed`	—
`Computed`	—

Event ID 417 — Value:%1, Zeroed: %2, Computed: %3.

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Message

Value:%1, Zeroed: %2, Computed: %3

Fields

Name	Description
`Value`	—
`Zeroed`	—
`Computed`	—

Event ID 418 — Value:%1, Zeroed: %2, Computed: %3.

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Message

Value:%1, Zeroed: %2, Computed: %3

Fields

Name	Description
`Value`	—
`Zeroed`	—
`Computed`	—
`SensorDisplayTimeout`	—
`DisplayTimeout`	—
`SensorInputTimeout`	—
`InputTimeout`	—
`SessionLockedTimeout`	—
`SensorEnabled`	—

Event ID 500 — IO coalescing activated with spindown period: %1, Timer:%2, Flush:%3, Flags:%4.

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Message

IO coalescing activated with spindown period: %1, Timer:%2, Flush:%3, Flags:%4.

Fields

Name	Description
`SpindownTimeout`	—
`TimerInterval`	—
`FlushInterval`	—
`Flags`	—

Event ID 501 — IO coalescing deactivated.

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Message

IO coalescing deactivated.

Event ID 502 — IO coalescing flush command generated.

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Message

IO coalescing flush command generated.

Event ID 503 — IO coalescing disk device %1 is about to be spun down.

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Message

IO coalescing disk device %1 is about to be spun down.

Fields

Name	Description
`DiskDeviceObject`	—

Event ID 504 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`SystemLatency`	—

Event ID 505 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`SystemLatency`	—

Event ID 506 — The system is entering Modern Standby Reason.

Provider: Microsoft-Windows-Kernel-Power
Channel: System

Message

The system is entering Modern Standby 

Reason: %1.

Fields

Name	Description
`Reason`	—
`LidOpenState`	—
`ExternalMonitorConnectedState`	—
`ScenarioInstanceId`	—
`BatteryRemainingCapacityOnEnter`	—
`BatteryFullChargeCapacityOnEnter`	—
`ScenarioInstanceIdV2`	—
`BootId`	—

Event ID 507 — The system is exiting Modern Standby Reason.

Provider: Microsoft-Windows-Kernel-Power
Channel: System

Message

The system is exiting Modern Standby 

Reason: %10.

Fields

Name	Description
`Reason`	—
`EnergyDrain`	—
`ActiveResidencyInUs`	—
`NonDripsTimeActivatedInUs`	—
`FirstDripsEntryInUs`	—
`DripsResidencyInUs`	—
`DurationInUs`	—
`DripsTransitions`	—
`FullChargeCapacityRatio`	—
`AudioPlaying`	—
`AudioPlaybackInUs`	—
`NonActivatedCpuInUs`	—
`PowerStateAc`	—
`HwDripsResidencyInUs`	—
`ExitLatencyInUs`	—
`DisconnectedStandby`	—
`AoAcCompliantNic`	—
`NonAttributedCpuInUs`	—
`ModernSleepEnabledActionsBitmask`	—
`ModernSleepAppliedActionsBitmask`	—
`LidOpenState`	—
`ExternalMonitorConnectedState`	—
`ScenarioInstanceId`	—
`IsCsSessionInProgressOnExit`	—
`BatteryRemainingCapacityOnExit`	—
`BatteryFullChargeCapacityOnExit`	—
`ScenarioInstanceIdV2`	—
`BootId`	—
`InputSuppressionActionCount`	—
`NonResiliencyTimeInUs`	—
`ResiliencyDripsTimeInUs`	—
`ResiliencyHwDripsTimeInUs`	—
`GdiOnTime`	—
`DwmSyncFlushTime`	—
`MonitorPowerOnTime`	—
`SleepEntered`	—
`ScreenOffEnergyCapacityAtStart`	—
`ScreenOffEnergyCapacityAtEnd`	—
`ScreenOffDurationInUs`	—
`SleepEnergyCapacityAtStart`	—
`SleepEnergyCapacityAtEnd`	—
`SleepDurationInUs`	—
`ScreenOffFullEnergyCapacityAtStart`	—
`ScreenOffFullEnergyCapacityAtEnd`	—
`SleepFullEnergyCapacityAtStart`	—
`SleepFullEnergyCapacityAtEnd`	—
`PowerSchemeInfo`	—
`PowerButtonSuppressionActionCount`	—
`ScreenOffSwDripsResidencyInUs`	—
`ScreenOffHwDripsResidencyInUs`	—
`SleepSwDripsResidencyInUs`	—
`SleepHwDripsResidencyInUs`	—

Event ID 508 — The system has been constrained to a periodic tick Reason.

Provider: Microsoft-Windows-Kernel-Power
Channel: System

Message

The system has been constrained to a periodic tick 

Reason: %1.

Fields

Name	Description
`Reason`	—

Event ID 509 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`Flags`	—

Event ID 510 — Scenario Power Manager (SPM) policy framework has current status.

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Message

Scenario Power Manager (SPM) policy framework has current status: %1.

Fields

Name	Description
`SpmStatus`	—

Event ID 511 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`SpmStatus`	—

Event ID 512 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`PolicyGuid`	—
`PolicyAliasLength`	—
`PolicyAlias`	—

Event ID 513 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`ScenarioGuid`	—
`ScenarioNameLength`	—
`ScenarioName`	—
`Flags`	—
`DefaultSettingsScenarioGuid`	—
`PolicyCount`	—
`PolicySettings`	—

Event ID 518 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Event ID 519 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Event ID 520 — The brightness on this system is managed by high-precision brightness aware service.

Provider: Microsoft-Windows-Kernel-Power
Channel: System

Message

The brightness on this system is managed by high-precision brightness aware service.

Event ID 521 — Active battery count change.

Provider: Microsoft-Windows-Kernel-Power
Channel: System
Level: 4
Samples: 1

Message

Active battery count change.

Fields

Name	Description
`ValidBatteryCount`	—
`ErrorBatteryCount`	—
`AbandonedBatteryCount`	—

Example Event

system:
  provider: Microsoft-Windows-Kernel-Power
  guid: 331C3B3A-2005-44C2-AC5E-77220C37D6B4
  event_source_name: ''
  event_id: 521
  version: 0
  level: 4
  task: 220
  opcode: 0
  keywords: 9223372036854776836
  time_created: '2022-04-04T13:11:11.019552+00:00'
  event_record_id: 1541
  correlation: {}
  execution:
    process_id: 4
    thread_id: 260
  channel: System
  computer: WIN-TKC15D7KHUR
  security:
    user_id: S-1-5-18
event_data:
  ValidBatteryCount: 1
  ErrorBatteryCount: 0
  AbandonedBatteryCount: 0
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 522 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`HwDripsTotalTimeValid`	—
`DripsTotalTimeThisPeriodUs`	—
`HwDripsTotalTimeThisPeriodUs`	—
`PopDripsSwHwDivergenceThreshold`	—

Event ID 523 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`Irp`	—
`Status`	—
`FailedDriver`	—
`ElapsedTime`	—

Event ID 524 — %1 Battery Trigger Met.

Provider: Microsoft-Windows-Kernel-Power
Channel: System

Message

%1 Battery Trigger Met

Fields

Name	Description
`Index`	—
`ActiveBatteryCount`	—
`RemainingPercentage`	—
`IsAcOnline`	—
`BatteryActionInternalFlags`	—
`IsPowerActionCallIgnored`	—
`IsPowerPolicyEnabled`	—
`PowerPolicyAction`	—
`PowerPolicyBatteryLevel`	—
`PowerPolicyEventCode`	—
`PowerPolicyMinState`	—

Event ID 525 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`DurationInUs`	—

Event ID 526 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Event ID 527 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`Event`	—
`Class`	—
`Count`	—

Event ID 528 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`Event`	—
`Intent`	—

Event ID 529 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`Intent`	—
`Class`	—
`PowerEvent`	—

Event ID 530 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`SessionId`	—
`RequestQueueId`	—
`Intent`	—
`Class`	—
`PowerEvent`	—
`VetoReason`	—

Event ID 531 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`SessionId`	—
`Action`	—
`Result`	—

Event ID 532 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`SessionId`	—
`Result`	—

Event ID 533 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`SessionId`	—
`PowerEvent`	—
`Action`	—
`AudioActivity`	—
`DisconnectedStandbyMode`	—
`DsEnabled`	—

Event ID 534 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`SessionId`	—
`Result`	—

Event ID 535 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`CsSessionId`	—
`Engaged`	—
`CsSessionIdV2`	—

Event ID 536 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`CsSessionId`	—
`WorkFlags`	—
`CsSessionIdV2`	—

Event ID 537 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`CsSessionId`	—
`DeviceObject`	—

Event ID 538 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`CsSessionId`	—
`Suspended`	—
`Result`	—
`DurationMs`	—
`CsSessionIdV2`	—

Event ID 539 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`CsSessionId`	—
`Suspended`	—
`Result`	—
`DurationMs`	—
`CsSessionIdV2`	—

Event ID 540 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`EnableResult`	—
`InitializationResult`	—

Event ID 541 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`SystemIdle`	—
`Status`	—
`TimeoutSource`	—

Event ID 542 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`RequestIndex`	—
`NumberOfRequests`	—
`QueueSize`	—

Event ID 544 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`OldMask`	—
`NewMask`	—
`SetFlags`	—
`ClearedFlags`	—

Event ID 545 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`BroadcastTreeId`	—
`IsRootDevice`	—
`DeviceNode`	—
`InstancePathLength`	—
`InstancePath`	—
`VisitType`	—

Event ID 546 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`BroadcastTreeId`	—
`DeviceNode`	—
`Reason`	—

Event ID 547 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`DeviceNode`	—
`PowerDown`	—

Event ID 548 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`DeviceNode`	—
`PowerDown`	—
`DevicePowerState`	—

Event ID 549 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`IdleTimeout`	—
`NotIdleEvents`	—
`IsSystemIdle`	—

Event ID 550 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`EventType`	—
`TimeSinceEvent`	—
`IdleTimeout`	—
`WasIgnored`	—
`BusyReason`	—

Event ID 551 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`ScanInterval`	—

Event ID 552 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`Reason`	—
`PreviousTimeoutSource`	—
`PreviousTimeout`	—
`NewTimeoutSource`	—
`NewTimeout`	—

Event ID 553 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`FxDevice`	—
`DeviceNode`	—
`InstancePathLength`	—
`InstancePath`	—

Event ID 554 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`CsSessionId`	—
`DeviceNode`	—
`FriendlyNameLength`	—
`FriendlyName`	—
`HardwareIdLength`	—
`HardwareId`	—
`DeviceClassNameLength`	—
`DeviceClassName`	—
`DeviceClassGuidLength`	—
`DeviceClassGuid`	—
`BroadcastTreeId`	—
`DfxTransitionCount`	—
`Ps4TransitionCount`	—
`Flags`	—

Event ID 555 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`Reason`	—
`TriggerFlags`	—
`UserNotify`	—
`PowerAction`	—
`PowerActionFlags`	—
`PowerActionEventCode`	—
`MinState`	—
`SubstitutionPolicy`	—
`LocalPowerAction`	—
`LocalPowerActionFlags`	—
`LocalPowerActionEventCode`	—
`Disabled`	—
`RequesterNameLength`	—
`RequesterName`	—

Event ID 556 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`SessionId`	—
`RootDeviceNode`	—
`ErrorDeviceNode`	—
`ReasonCode`	—
`Count`	—

Event ID 557 — A driver is attempting to update the system timer resolution to a value of %1.

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Message

A driver is attempting to update the system timer resolution to a value of %1.

Fields

Name	Description
`RequestedResolution`	—
`Tag`	—

Event ID 558 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`Intent`	—
`Class`	—
`Cause`	—
`Status`	—
`CurrentTargetState`	—
`NextTargetState`	—
`PartA_PrivTags`	—
`TriageContextLength`	—
`TriageContext`	—

Event ID 559 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Event ID 560 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Event ID 561 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`CurrentInternalState`	—
`NextInternalState`	—

Event ID 562 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`CurrentTargetState`	—
`CurrentInternalState`	—

Event ID 563 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Event ID 564 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`IsSleepEnter`	—
`Token`	—
`CurrentTargetState`	—
`CurrentInternalState`	—
`Status`	—

Event ID 565 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`Suspended`	—
`SuspendCount`	—

Event ID 566 — The system session has transitioned from %3 to %10.

Provider: Microsoft-Windows-Kernel-Power
Channel: System
Level: 4
Samples: 1

Message

The system session has transitioned from %3 to %10.

Reason %2 

BootId: %1

Fields

Name	Description
`BootId`	—
`Reason`	—
`PreviousSessionId`	—
`PreviousSessionType`	—
`PreviousSessionDurationInUs`	—
`PreviousEnergyCapacityAtStart`	—
`PreviousFullEnergyCapacityAtStart`	—
`PreviousEnergyCapacityAtEnd`	—
`PreviousFullEnergyCapacityAtEnd`	—
`NextSessionId`	—
`NextSessionType`	—
`PowerStateAc`	—
`MonitorReason`	—

Example Event

system:
  provider: Microsoft-Windows-Kernel-Power
  guid: 331C3B3A-2005-44C2-AC5E-77220C37D6B4
  event_source_name: ''
  event_id: 566
  version: 0
  level: 4
  task: 268
  opcode: 0
  keywords: 9223372036854777348
  time_created: '2023-11-06T01:08:04.643524+00:00'
  event_record_id: 2153
  correlation: {}
  execution:
    process_id: 4
    thread_id: 9012
  channel: System
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  BootId: 13
  Reason: 32
  PreviousSessionId: 1
  PreviousSessionType: 1
  PreviousSessionDurationInUs: 324168323
  PreviousEnergyCapacityAtStart: 0
  PreviousFullEnergyCapacityAtStart: 0
  PreviousEnergyCapacityAtEnd: 0
  PreviousFullEnergyCapacityAtEnd: 0
  NextSessionId: 3
  NextSessionType: 0
  PowerStateAc: true
  MonitorReason: 32
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 567 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Event ID 568 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Event ID 569 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Event ID 570 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Event ID 571 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Event ID 572 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Event ID 573 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Event ID 574 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Event ID 575 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`Token`	—
`ReasonDescriptionLength`	—
`ReasonDescription`	—

Event ID 576 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`SessionId`	—
`LastInputTimestamp`	—
`LastDisplayOffTimestamp`	—
`SessionDisplayState`	—
`DisplayTimeout`	—
`InputTimeout`	—
`NotifyOnNextUserInput`	—
`DisplayTimeoutSource`	—
`DimTimeout`	—
`DimTimeoutSource`	—

Event ID 577 — The system has prepared for a system initiated reboot from %1.

Provider: Microsoft-Windows-Kernel-Power
Channel: System
Level: 4
Samples: 1

Message

The system has prepared for a system initiated reboot from %1.

Fields

Name	Description
`AdaptiveTargetState`	—
`IsUnattended`	—
`Status`	—

Example Event

system:
  provider: Microsoft-Windows-Kernel-Power
  guid: 331C3B3A-2005-44C2-AC5E-77220C37D6B4
  event_source_name: ''
  event_id: 577
  version: 0
  level: 4
  task: 280
  opcode: 0
  keywords: 9223372036854775812
  time_created: '2023-11-06T06:23:40.830310+00:00'
  event_record_id: 1622
  correlation: {}
  execution:
    process_id: 4
    thread_id: 388
  channel: System
  computer: WinDev2310Eval
  security:
    user_id: ''
event_data:
  AdaptiveTargetState: 0
  IsUnattended: false
  Status: 279
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 578 — The system has detected a system initiated reboot from %1.

Provider: Microsoft-Windows-Kernel-Power
Channel: System

Message

The system has detected a system initiated reboot from %1.

Fields

Name	Description
`AdaptiveTargetState`	—
`IsUnattended`	—

Event ID 579 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`ThreadToken`	—
`Status`	—
`FailurePoint`	—

Event ID 580 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`Result`	—
`VirtualConsole`	—
`SessionId`	—
`MonitorOnReason`	—

Event ID 581 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`ParamToken`	—
`AttachMode`	—
`IsSingleSession`	—
`SessionId`	—
`Type`	—
`IsSync`	—

Event ID 582 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`ParamToken`	—
`PsStatus`	—
`SkipReason`	—

Event ID 583 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`ParamToken`	—
`AttachMode`	—
`IsSingleSession`	—
`SessionId`	—
`EventNumber`	—
`EventCode`	—

Event ID 584 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`ParamToken`	—
`PsStatus`	—
`SkipReason`	—

Event ID 585 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`ParameterToken`	—
`AttachMode`	—
`IsSingleSession`	—
`SessionId`	—
`PowerAction`	—
`MinState`	—
`PowerActionFlags`	—
`PowerStateTask`	—

Event ID 586 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`ParamToken`	—
`PsStatus`	—
`SkipReason`	—

Event ID 587 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`Irp`	—
`DeviceInstancePathLength`	—
`DeviceInstancePath`	—

Event ID 588 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`TimerType`	—
`Duration`	—

Event ID 589 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`TimerType`	—

Event ID 590 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`TimerType`	—

Event ID 591 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Thermal-Diagnostic

Fields

Name	Description
`Token`	—
`DeviceIdLength`	—
`DeviceId`	—
`CallerLength`	—
`Caller`	—
`ContextLength`	—
`Context`	—
`ReasonLength`	—
`Reason`	—
`LimitCount`	—
`Values`	—

Event ID 592 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Thermal-Diagnostic

Fields

Name	Description
`Token`	—
`DeviceIdLength`	—
`DeviceId`	—
`CallerLength`	—
`Caller`	—
`ContextLength`	—
`Context`	—
`ReasonLength`	—
`Reason`	—
`LimitCount`	—
`Values`	—

Event ID 593 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Thermal-Diagnostic

Fields

Name	Description
`Token`	—
`DeviceIdLength`	—
`DeviceId`	—
`CallerLength`	—
`Caller`	—
`ContextLength`	—
`Context`	—
`ReasonLength`	—
`Reason`	—
`LimitCount`	—
`Values`	—

Event ID 594 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Thermal-Diagnostic

Fields

Name	Description
`Token`	—
`ReasonLength`	—
`Reason`	—
`LimitCount`	—
`Values`	—

Event ID 595 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Thermal-Diagnostic

Fields

Name	Description
`Token`	—
`DeviceIdLength`	—
`DeviceId`	—
`LimitCount`	—
`Attributes`	—

Event ID 596 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Thermal-Diagnostic

Fields

Name	Description
`Token`	—
`DeviceIdLength`	—
`DeviceId`	—
`LimitCount`	—
`Attributes`	—

Event ID 597 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Thermal-Diagnostic

Fields

Name	Description
`Token`	—
`DeviceIdLength`	—
`DeviceId`	—
`LimitCount`	—
`Attributes`	—

Event ID 598 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Thermal-Diagnostic

Fields

Name	Description
`Token`	—
`LimitCount`	—
`Values`	—

Event ID 599 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`State`	—
`Reason`	—

Event ID 600 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Diagnostic

Fields

Name	Description
`Status`	—
`FailurePoint`	—

Event ID 601 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Operational

Fields

Name	Description
`MinSVN`	—
`HiberrsmSVN`	—
`HiberrsmOSVersion`	—

Event ID 601 — Hibernate was disabled because invalid system binaries were detected.

Provider: Microsoft-Windows-Kernel-Power
Channel: System

Message

Hibernate was disabled because invalid system binaries were detected. Min SVN required was %1, Actual SVN is %2. OS version of Invalid Binary: %3.

Fields

Name	Description
`MinSVN`	—
`HiberrsmSVN`	—
`HiberrsmOSVersion`	—

Event ID 602 —

Provider: Microsoft-Windows-Kernel-Power
Channel: Operational

Fields

Name	Description
`PrevState`	—
`TargetState`	—
`Promoted`	—
`Entered`	—
`SettingGuid`	—
`NewSettingValue`	—