Microsoft-Windows-Kernel-Power
353 events across 5 channels
| Event ID | Title | Channel |
|---|---|---|
| 1 | | Diagnostic |
| 2 | | Diagnostic |
| 3 | | Diagnostic |
| 4 | | Diagnostic |
| 5 | | Diagnostic |
| 6 | | Diagnostic |
| 7 | | Diagnostic |
| 8 | | Diagnostic |
| 9 | The application AppName stopped the power transition. | System |
| 10 | The service ServiceName stopped the power transition. | System |
| 11 | | Diagnostic |
| 12 | | Diagnostic |
| 13 | | Diagnostic |
| 14 | | Diagnostic |
| 15 | | Diagnostic |
| 16 | | Diagnostic |
| 17 | | Diagnostic |
| 18 | | Diagnostic |
| 19 | | Diagnostic |
| 20 | | Diagnostic |
| 21 | | Diagnostic |
| 22 | | Diagnostic |
| 23 | | Diagnostic |
| 24 | | Diagnostic |
| 25 | | Diagnostic |
| 26 | | Diagnostic |
| 27 | | Diagnostic |
| 28 | | Diagnostic |
| 29 | | Diagnostic |
| 30 | | Diagnostic |
| 31 | | Diagnostic |
| 32 | | Diagnostic |
| 33 | | Diagnostic |
| 34 | | Diagnostic |
| 35 | | Diagnostic |
| 36 | | Diagnostic |
| 37 | | Diagnostic |
| 38 | | Diagnostic |
| 39 | | Diagnostic |
| 40 | The driver DriverName for device InstanceName stopped the power transition. | System |
| 41 | The last sleep transition was unsuccessful. | System |
| 42 | The system is entering sleep. | System |
| 43 | | Diagnostic |
| 44 | | Diagnostic |
| 45 | | Diagnostic |
| 46 | | Diagnostic |
| 47 | | Diagnostic |
| 48 | | Diagnostic |
| 49 | | Diagnostic |
| 50 | | Diagnostic |
| 51 | | Diagnostic |
| 52 | | Diagnostic |
| 53 | | Diagnostic |
| 54 | | Diagnostic |
| 55 | | Diagnostic |
| 56 | | Diagnostic |
| 57 | | Diagnostic |
| 58 | | Diagnostic |
| 59 | The system is entering Away Mode. | System |
| 60 | | Diagnostic |
| 61 | | Diagnostic |
| 62 | The application or service AppName has overridden user power management settings … | Diagnostic |
| 63 | The application or service AppNameLength is attempting to update the system … | Diagnostic |
| 64 | | Diagnostic |
| 65 | | Diagnostic |
| 66 | | Diagnostic |
| 67 | | Diagnostic |
| 68 | | Diagnostic |
| 69 | | Diagnostic |
| 70 | | Diagnostic |
| 71 | | Diagnostic |
| 72 | | Diagnostic |
| 73 | | Diagnostic |
| 74 | | Diagnostic |
| 75 | | Diagnostic |
| 76 | | Diagnostic |
| 77 | | Diagnostic |
| 78 | | Diagnostic |
| 79 | Timer tick distribution policy. | Diagnostic |
| 80 | ACPI thermal zone ThermalZoneDeviceInstance has changed to CoolingMode cooling. | Thermal-Diagnostic |
| 81 | ACPI thermal zone ThermalZoneDeviceInstance has PassiveCoolingState passive … | Thermal-Diagnostic |
| 82 | ACPI thermal zone ThermalZoneDeviceInstance has PassiveCoolingState passive … | Thermal-Operational |
| 83 | ACPI thermal zone ThermalZoneDeviceInstance has ActiveCoolingState active … | Thermal-Diagnostic |
| 84 | ACPI thermal zone ThermalZoneDeviceInstance has ActiveCoolingState active … | Thermal-Operational |
| 85 | The system was shut down due to a critical thermal event. | Thermal-Diagnostic |
| 86 | The system was shut down due to a critical thermal event. | System |
| 87 | The system was hibernated due to a critical thermal event. | Thermal-Diagnostic |
| 88 | The system was hibernated due to a critical thermal event. | System |
| 89 | ACPI thermal zone ThermalZoneDeviceInstance has been enumerated. | System |
| 90 | Processor ProcessorId was throttled by an entity other than the kernel power … | Thermal-Diagnostic |
| 91 | Processor ProcessorId was throttled by an entity other than the kernel power … | Thermal-Operational |
| 92 | | Diagnostic |
| 93 | | Diagnostic |
| 94 | | Diagnostic |
| 95 | The system timer resolution has changed to a value of NewResolution. | Diagnostic |
| 96 | The system timer resolution currently has a value of CurrentPeriod. | Diagnostic |
| 97 | The system timer resolution currently has a value of RequestedPeriod. | Diagnostic |
| 98 | A driver is attempting to update the system timer resolution to a value of … | Diagnostic |
| 99 | | Diagnostic |
| 100 | | Diagnostic |
| 101 | | Diagnostic |
| 102 | | Diagnostic |
| 103 | | Diagnostic |
| 104 | | Diagnostic |
| 105 | Power source change. | System |
| 106 | | Diagnostic |
| 107 | | Diagnostic |
| 107 | The system has resumed from sleep. | System |
| 108 | | Diagnostic |
| 109 | The kernel power manager has initiated a shutdown transition. | System |
| 110 | | Diagnostic |
| 111 | | Diagnostic |
| 112 | | Diagnostic |
| 113 | ACPI thermal zone ThermalZoneDeviceInstance has PassiveCoolingState passive … | Thermal-Diagnostic |
| 114 | ACPI thermal zone ThermalZoneDeviceInstance has PassiveCoolingState passive … | Thermal-Operational |
| 115 | ACPI thermal zone ThermalZoneDeviceInstance has ActiveCoolingState active … | Thermal-Diagnostic |
| 116 | ACPI thermal zone ThermalZoneDeviceInstance has ActiveCoolingState active … | Thermal-Operational |
| 117 | | Diagnostic |
| 118 | Idle resiliency activated with requested clock period: … | Diagnostic |
| 119 | Idle resiliency deactivated (Internal flags:Flags). | Diagnostic |
| 120 | | Diagnostic |
| 121 | | Diagnostic |
| 122 | | Diagnostic |
| 123 | | Diagnostic |
| 124 | | Diagnostic |
| 125 | ACPI thermal zone ThermalZoneDeviceInstance has been enumerated. | System |
| 126 | | Diagnostic |
| 127 | | Diagnostic |
| 128 | | Diagnostic |
| 129 | | Diagnostic |
| 130 | Firmware S3 times. | System |
| 131 | Firmware S3 times. | System |
| 132 | | Diagnostic |
| 133 | | Diagnostic |
| 134 | | Diagnostic |
| 135 | | Diagnostic |
| 136 | | Diagnostic |
| 137 | The system firmware has changed the processor's memory type range registers … | System |
| 138 | | Diagnostic |
| 139 | | Diagnostic |
| 140 | | Diagnostic |
| 141 | | Diagnostic |
| 142 | The system has rebooted without cleanly shutting down first. | System |
| 143 | | Diagnostic |
| 144 | | Thermal-Diagnostic |
| 145 | | Thermal-Diagnostic |
| 146 | | Diagnostic |
| 147 | | Diagnostic |
| 148 | | Diagnostic |
| 149 | | Diagnostic |
| 150 | | Diagnostic |
| 151 | | Thermal-Diagnostic |
| 152 | | Thermal-Diagnostic |
| 153 | | Thermal-Diagnostic |
| 154 | | Thermal-Diagnostic |
| 155 | | Thermal-Diagnostic |
| 156 | | Thermal-Diagnostic |
| 157 | | Thermal-Diagnostic |
| 158 | | Thermal-Diagnostic |
| 159 | | Thermal-Diagnostic |
| 160 | | Thermal-Diagnostic |
| 161 | | Diagnostic |
| 162 | | Thermal-Diagnostic |
| 163 | | Thermal-Diagnostic |
| 164 | | Thermal-Diagnostic |
| 165 | | Diagnostic |
| 166 | | Diagnostic |
| 167 | | Diagnostic |
| 168 | | Diagnostic |
| 169 | | Diagnostic |
| 170 | | Diagnostic |
| 171 | | Diagnostic |
| 172 | Connectivity state in standby: State, Reason: Reason. | System |
| 173 | | Diagnostic |
| 174 | | Diagnostic |
| 175 | | Diagnostic |
| 176 | | Diagnostic |
| 177 | | Diagnostic |
| 178 | Background Activity Policy updated from PreviousPolicy to NewPolicy. | Diagnostic |
| 179 | | Diagnostic |
| 180 | | Diagnostic |
| 181 | | Diagnostic |
| 182 | | Diagnostic |
| 183 | | Diagnostic |
| 184 | | Diagnostic |
| 185 | | Diagnostic |
| 186 | | Diagnostic |
| 187 | User-mode process attempted to change the system state by calling … | System |
| 188 | | Diagnostic |
| 189 | | Diagnostic |
| 190 | | Diagnostic |
| 191 | | Diagnostic |
| 200 | | Operational |
| 201 | | Operational |
| 202 | | Operational |
| 203 | | Operational |
| 204 | | Operational |
| 205 | | Operational |
| 206 | | Operational |
| 207 | | Operational |
| 208 | | Operational |
| 300 | | Operational |
| 301 | | Operational |
| 302 | | Operational |
| 303 | | Operational |
| 304 | | Operational |
| 305 | | Operational |
| 306 | | Operational |
| 307 | | Operational |
| 308 | | Operational |
| 309 | | Operational |
| 310 | | Operational |
| 311 | | Operational |
| 312 | | Operational |
| 313 | | Operational |
| 314 | | Operational |
| 315 | | Operational |
| 316 | | Operational |
| 317 | | Operational |
| 318 | | Operational |
| 319 | | Operational |
| 320 | | Operational |
| 321 | | Operational |
| 322 | | Operational |
| 323 | | Operational |
| 324 | | Operational |
| 325 | | Operational |
| 326 | | Operational |
| 327 | | Operational |
| 328 | | Operational |
| 329 | | Operational |
| 330 | | Operational |
| 331 | | Operational |
| 332 | | Operational |
| 333 | | Operational |
| 400 | SessionId: SessionId, Console:Console. | Diagnostic |
| 401 | SessionId: SessionId, Console:Console. | Diagnostic |
| 402 | SessionId: SessionId, Console:Console. | Diagnostic |
| 403 | SessionId: SessionId, Console:Console. | Diagnostic |
| 404 | SessionId: SessionId, Console:Console. | Diagnostic |
| 405 | SessionId: SessionId, Console:Console. | Diagnostic |
| 406 | SessionId: SessionId, Console:Console. | Diagnostic |
| 407 | SessionId: SessionId, Console:Console. | Diagnostic |
| 408 | User presence:User_presence. | Diagnostic |
| 409 | Reason code:Reason_code. | Diagnostic |
| 410 | Engaged. | Diagnostic |
| 411 | Engaged. | Diagnostic |
| 412 | Session Id:Session_Id, Value: Value. | Diagnostic |
| 413 | Session Id:Session_Id, Value: Value. | Diagnostic |
| 414 | Session Id:Session_Id, Value: Value. | Diagnostic |
| 415 | Old value:Old_value, New value: New_value. | Diagnostic |
| 416 | Value:Value, Zeroed: Zeroed, Computed: Computed. | Diagnostic |
| 417 | Value:Value, Zeroed: Zeroed, Computed: Computed. | Diagnostic |
| 418 | Value:Value, Zeroed: Zeroed, Computed: Computed. | Diagnostic |
| 500 | IO coalescing activated with spindown period: SpindownTimeout, … | Diagnostic |
| 501 | IO coalescing deactivated. | Diagnostic |
| 502 | IO coalescing flush command generated. | Diagnostic |
| 503 | IO coalescing disk device DiskDeviceObject is about to be spun down. | Diagnostic |
| 504 | | Diagnostic |
| 505 | | Diagnostic |
| 506 | The system is entering Modern Standby Reason. | System |
| 507 | The system is exiting Modern Standby Reason. | System |
| 508 | The system has been constrained to a periodic tick Reason. | System |
| 509 | | Diagnostic |
| 510 | Scenario Power Manager (SPM) policy framework has current status: SpmStatus. | Diagnostic |
| 511 | | Diagnostic |
| 512 | | Diagnostic |
| 513 | | Diagnostic |
| 518 | | Diagnostic |
| 519 | | Diagnostic |
| 520 | The brightness on this system is managed by high-precision brightness aware … | System |
| 521 | Active battery count change. | System |
| 522 | | Diagnostic |
| 523 | | Diagnostic |
| 524 | Index Battery Trigger Met. | System |
| 525 | | Diagnostic |
| 526 | | Diagnostic |
| 527 | | Diagnostic |
| 528 | | Diagnostic |
| 529 | | Diagnostic |
| 530 | | Diagnostic |
| 531 | | Diagnostic |
| 532 | | Diagnostic |
| 533 | | Diagnostic |
| 534 | | Diagnostic |
| 535 | | Diagnostic |
| 536 | | Diagnostic |
| 537 | | Diagnostic |
| 538 | | Diagnostic |
| 539 | | Diagnostic |
| 540 | | Diagnostic |
| 541 | | Diagnostic |
| 542 | | Diagnostic |
| 544 | | Diagnostic |
| 545 | | Diagnostic |
| 546 | | Diagnostic |
| 547 | | Diagnostic |
| 548 | | Diagnostic |
| 549 | | Diagnostic |
| 550 | | Diagnostic |
| 551 | | Diagnostic |
| 552 | | Diagnostic |
| 553 | | Diagnostic |
| 554 | | Diagnostic |
| 555 | | Diagnostic |
| 556 | | Diagnostic |
| 557 | A driver is attempting to update the system timer resolution to a value of … | Diagnostic |
| 558 | | Diagnostic |
| 559 | | Diagnostic |
| 560 | | Diagnostic |
| 561 | | Diagnostic |
| 562 | | Diagnostic |
| 563 | | Diagnostic |
| 564 | | Diagnostic |
| 565 | | Diagnostic |
| 566 | The system session has transitioned from PreviousSessionId to NextSessionId. | System |
| 567 | | Diagnostic |
| 568 | | Diagnostic |
| 569 | | Diagnostic |
| 570 | | Diagnostic |
| 571 | | Diagnostic |
| 572 | | Diagnostic |
| 573 | | Diagnostic |
| 574 | | Diagnostic |
| 575 | | Diagnostic |
| 576 | | Diagnostic |
| 577 | The system has prepared for a system initiated reboot from AdaptiveTargetState. | System |
| 578 | The system has detected a system initiated reboot from AdaptiveTargetState. | System |
| 579 | | Diagnostic |
| 580 | | Diagnostic |
| 581 | | Diagnostic |
| 582 | | Diagnostic |
| 583 | | Diagnostic |
| 584 | | Diagnostic |
| 585 | | Diagnostic |
| 586 | | Diagnostic |
| 587 | | Diagnostic |
| 588 | | Diagnostic |
| 589 | | Diagnostic |
| 590 | | Diagnostic |
| 591 | | Thermal-Diagnostic |
| 592 | | Thermal-Diagnostic |
| 593 | | Thermal-Diagnostic |
| 594 | | Thermal-Diagnostic |
| 595 | | Thermal-Diagnostic |
| 596 | | Thermal-Diagnostic |
| 597 | | Thermal-Diagnostic |
| 598 | | Thermal-Diagnostic |
| 599 | | Diagnostic |
| 600 | | Diagnostic |
| 601 | | Operational |
| 601 | Hibernate was disabled because invalid system binaries were detected. | System |
| 602 | | Operational |
Event ID 1 —
Fields
| Name | Description |
|---|---|
Reason UInt32 | — |
Flags UInt32 | — |
Time FILETIME | — |
Event ID 2 —
Fields
| Name | Description |
|---|---|
Status UInt32 | — NTSTATUS reference |
Time FILETIME | — |
WakeSourceTypeLength UInt16 | — |
WakeSourceSubTypeLength UInt16 | — |
WakeSourceLength UInt16 | — |
WakeSourceContextLength UInt16 | — |
WakeSourceType UnicodeString | — |
WakeSourceSubType UnicodeString | — |
WakeSource UnicodeString | — |
WakeSourceContext UnicodeString | — |
Event ID 3 —
Event ID 4 —
Fields
| Name | Description |
|---|---|
Status UInt32 | — NTSTATUS reference |
Event ID 5 —
Event ID 6 —
Fields
| Name | Description |
|---|---|
Status UInt32 | — NTSTATUS reference |
Event ID 7 —
Fields
| Name | Description |
|---|---|
Irp Pointer | — |
PowerStateType UInt32 | — |
MinorFunction UInt8 | — |
TargetDevice Pointer | — |
InstanceNameLength UInt16 | — |
InstanceName UnicodeString | — |
PowerState UInt8 | — |
Event ID 8 —
Fields
| Name | Description |
|---|---|
Irp Pointer | — |
Status UInt32 | — NTSTATUS reference |
FailedDriver UnicodeString | — |
Event ID 9 — The application AppName stopped the power transition.
Event ID 10 — The service ServiceName stopped the power transition.
Event ID 11 —
Fields
| Name | Description |
|---|---|
Irp Pointer | — |
Event ID 12 —
Fields
| Name | Description |
|---|---|
Pid UInt32 | — |
NameLength UInt16 | — |
Name UnicodeString | — |
Event ID 13 —
Fields
| Name | Description |
|---|---|
Pid UInt32 | — |
Event ID 14 —
Fields
| Name | Description |
|---|---|
NameLength UInt16 | — |
Name UnicodeString | — |
Event ID 15 —
Fields
| Name | Description |
|---|---|
NameLength UInt16 | — |
Name UnicodeString | — |
Event ID 16 —
Fields
| Name | Description |
|---|---|
Pid UInt32 | — |
NameLength UInt16 | — |
Name UnicodeString | — |
Event ID 17 —
Fields
| Name | Description |
|---|---|
Pid UInt32 | — |
Event ID 18 —
Fields
| Name | Description |
|---|---|
NameLength UInt16 | — |
Name UnicodeString | — |
Event ID 19 —
Fields
| Name | Description |
|---|---|
NameLength UInt16 | — |
Name UnicodeString | — |
Event ID 20 —
Fields
| Name | Description |
|---|---|
Irp Pointer | — |
Device Pointer | — |
DriverName UnicodeString | — |
Event ID 21 —
Fields
| Name | Description |
|---|---|
Irp Pointer | — |
Device Pointer | — |
Event ID 22 —
Event ID 23 —
Event ID 24 —
Event ID 25 —
Event ID 26 —
Event ID 27 —
Event ID 28 —
Fields
| Name | Description |
|---|---|
Pid UInt32 | — |
NameLength UInt16 | — |
Name UnicodeString | — |
Event ID 29 —
Fields
| Name | Description |
|---|---|
NameLength UInt16 | — |
Name UnicodeString | — |
Event ID 30 —
Event ID 31 —
Event ID 32 —
Fields
| Name | Description |
|---|---|
Pid UInt32 | — |
NameLength UInt16 | — |
Name UnicodeString | — |
Event ID 33 —
Fields
| Name | Description |
|---|---|
NameLength UInt16 | — |
Name UnicodeString | — |
Event ID 34 —
Fields
| Name | Description |
|---|---|
Status UInt32 | — NTSTATUS reference |
Event ID 35 —
Fields
| Name | Description |
|---|---|
Query Boolean | — |
TargetState UInt32 | — |
EffectiveState UInt32 | — |
Event ID 36 —
Event ID 37 —
Event ID 38 —
Event ID 39 —
Fields
| Name | Description |
|---|---|
SleepTime UInt32 | — |
ResumeTime UInt32 | — |
DriverWakeTime UInt32 | — |
HiberWriteTime UInt32 | — |
HiberReadTime UInt32 | — |
HiberPagesWritten UInt32 | — |
BiosInitTime UInt32 | — |
CheckpointTime UInt32 | — |
Event ID 40 — The driver DriverName for device InstanceName stopped the power transition.
Event ID 41 — The last sleep transition was unsuccessful.
Description
The last sleep transition was unsuccessful. This error could be caused if the system stopped responding, failed, or lost power during the sleep transition.
Message
Fields
| Name | Description |
|---|---|
BugcheckCode UInt32 | — |
BugcheckParameter1 Pointer | — |
BugcheckParameter2 Pointer | — |
BugcheckParameter3 Pointer | — |
BugcheckParameter4 Pointer | — |
SleepInProgress UInt32 | — |
PowerButtonTimestamp UInt64 | — |
BootAppStatus UInt32 | — |
Checkpoint UInt8 | — |
ConnectedStandbyInProgress Boolean | — |
SystemSleepTransitionsToOn UInt32 | — |
CsEntryScenarioInstanceId UInt8 | — |
BugcheckInfoFromEFI Boolean | — |
CheckpointStatus UInt8 | — |
CsEntryScenarioInstanceIdV2 UInt64 | — |
LongPowerButtonPressDetected Boolean | — |
LidReliability Boolean | — |
InputSuppressionState UInt8 | — |
PowerButtonSuppressionState UInt8 | — |
LidState UInt8 | — |
WHEABootErrorCount UInt32 | — |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Power",
    "guid": "331C3B3A-2005-44C2-AC5E-77220C37D6B4",
    "event_source_name": "",
    "event_id": 41,
    "version": 2,
    "level": 1,
    "task": 63,
    "opcode": 0,
    "keywords": 9223372036854775810,
    "time_created": "2012-04-06T19:11:29.968750Z",
    "event_record_id": 13534,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 8
    },
    "channel": "System",
    "computer": "WKS-WIN764BITB.shieldbase.local",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "BugcheckCode": 0,
    "BugcheckParameter1": "0x0",
    "BugcheckParameter2": "0x0",
    "BugcheckParameter3": "0x0",
    "BugcheckParameter4": "0x0",
    "SleepInProgress": false,
    "PowerButtonTimestamp": 0
  }
}
```
Event ID 42 — The system is entering sleep.
Description
The system is entering sleep.
Message
Fields
| Name | Description |
|---|---|
TargetState UInt32 | — |
EffectiveState UInt32 | — |
Reason UInt32 | — |
Flags UInt32 | — |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Power",
    "guid": "331C3B3A-2005-44C2-AC5E-77220C37D6B4",
    "event_source_name": "",
    "event_id": 42,
    "version": 2,
    "level": 4,
    "task": 64,
    "opcode": 0,
    "keywords": 9223372036854775812,
    "time_created": "2016-08-18T16:22:13.389648Z",
    "event_record_id": 5523,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 60
    },
    "channel": "System",
    "computer": "IE10Win7",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "TargetState": 2,
    "EffectiveState": 2,
    "Reason": 7,
    "Flags": 0
  }
}
```
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 43 —
Event ID 44 —
Event ID 45 —
Event ID 46 —
Event ID 47 —
Event ID 48 —
Event ID 49 —
Event ID 50 —
Event ID 51 —
Event ID 52 —
Event ID 53 —
Event ID 54 —
Event ID 55 —
Event ID 56 —
Event ID 57 —
Event ID 58 —
Event ID 59 — The system is entering Away Mode.
Description
The system is entering Away Mode.
Message
Event ID 60 —
Fields
| Name | Description |
|---|---|
Value Boolean | — |
Event ID 61 —
Fields
| Name | Description |
|---|---|
Value Boolean | — |
Event ID 62 — The application or service AppName has overridden user power management settings with a code of ExecutionState.
Event ID 63 — The application or service AppNameLength is attempting to update the system timer resolution to a value of RequestedResolution.
Event ID 64 —
Event ID 65 —
Event ID 66 —
Event ID 67 —
Event ID 68 —
Event ID 69 —
Event ID 70 —
Event ID 71 —
Event ID 72 —
Fields
| Name | Description |
|---|---|
Threshold UInt32 | — |
LowestIdleness UInt32 | — |
AverageIdleness UInt32 | — |
AccruedIdleTime UInt32 | — |
NonIdleIgnored Boolean | — |
IdleToSleep Boolean | — |
NonIdleReferences Boolean | — |
Event ID 73 —
Fields
| Name | Description |
|---|---|
ExecutionState UInt32 | — |
MonitorReason UInt32 | — |
Event ID 74 —
Fields
| Name | Description |
|---|---|
ExecutionState UInt32 | — |
StateHandle Pointer | — |
Event ID 75 —
Event ID 76 —
Event ID 77 —
Fields
| Name | Description |
|---|---|
Device Pointer | — |
Pdo Pointer | — |
InstancePathLength UInt16 | — |
InstancePath UnicodeString | — |
ConservativeTimeout UInt32 | — |
PerformanceTimeout UInt32 | — |
IdleTime UInt32 | — |
BusyCount UInt32 | — |
TotalBusyCount UInt32 | — |
IdlePowerState UInt8 | — |
CurrentPowerState UInt8 | — |
Event ID 78 —
Fields
| Name | Description |
|---|---|
Device Pointer | — |
Timeout UInt32 | — |
IgnoreThreshold UInt32 | — |
IdleTime UInt32 | — |
NonIdleTime UInt32 | — |
Event ID 79 — Timer tick distribution policy.
Event ID 80 — ACPI thermal zone ThermalZoneDeviceInstance has changed to CoolingMode cooling.
Event ID 81 — ACPI thermal zone ThermalZoneDeviceInstance has PassiveCoolingState passive cooling.
Description
ACPI thermal zone ThermalZoneDeviceInstance has PassiveCoolingState passive cooling.
Message
Fields
| Name | Description |
|---|---|
ThermalZoneDeviceInstanceLength UInt16 | — |
ThermalZoneDeviceInstance UnicodeString | — |
EventTime FILETIME | — |
PassiveCoolingStateLength UInt16 | — |
PassiveCoolingState UnicodeString | — |
AffinityCount UInt16 | — |
_PSV UInt32 | — |
_TMP UInt32 | — |
_TC1 UInt32 | — |
_TC2 UInt32 | — |
_TSP UInt32 | — |
DeltaP Int32 | — |
_PSL Boolean | — |
Event ID 82 — ACPI thermal zone ThermalZoneDeviceInstance has PassiveCoolingState passive cooling.
Description
ACPI thermal zone ThermalZoneDeviceInstance has PassiveCoolingState passive cooling.
Message
Fields
| Name | Description |
|---|---|
ThermalZoneDeviceInstanceLength UInt16 | — |
ThermalZoneDeviceInstance UnicodeString | — |
EventTime FILETIME | — |
PassiveCoolingStateLength UInt16 | — |
PassiveCoolingState UnicodeString | — |
AffinityCount UInt16 | — |
_PSV UInt32 | — |
_TMP UInt32 | — |
_TC1 UInt32 | — |
_TC2 UInt32 | — |
_TSP UInt32 | — |
DeltaP Int32 | — |
_PSL Boolean | — |
Event ID 83 — ACPI thermal zone ThermalZoneDeviceInstance has ActiveCoolingState active cooling.
Description
ACPI thermal zone ThermalZoneDeviceInstance has ActiveCoolingState active cooling.
Message
Fields
| Name | Description |
|---|---|
ThermalZoneDeviceInstanceLength UInt16 | — |
ThermalZoneDeviceInstance UnicodeString | — |
EventTime FILETIME | — |
ActiveCoolingStateLength UInt16 | — |
ActiveCoolingState UnicodeString | — |
_AC0 UInt32 | — |
_AC1 UInt32 | — |
_AC2 UInt32 | — |
_AC3 UInt32 | — |
_AC4 UInt32 | — |
_AC5 UInt32 | — |
_AC6 UInt32 | — |
_AC7 UInt32 | — |
_AC8 UInt32 | — |
_AC9 UInt32 | — |
_TMP UInt32 | — |
Event ID 84 — ACPI thermal zone ThermalZoneDeviceInstance has ActiveCoolingState active cooling.
Description
ACPI thermal zone ThermalZoneDeviceInstance has ActiveCoolingState active cooling.
Message
Fields
| Name | Description |
|---|---|
ThermalZoneDeviceInstanceLength UInt16 | — |
ThermalZoneDeviceInstance UnicodeString | — |
EventTime FILETIME | — |
ActiveCoolingStateLength UInt16 | — |
ActiveCoolingState UnicodeString | — |
_AC0 UInt32 | — |
_AC1 UInt32 | — |
_AC2 UInt32 | — |
_AC3 UInt32 | — |
_AC4 UInt32 | — |
_AC5 UInt32 | — |
_AC6 UInt32 | — |
_AC7 UInt32 | — |
_AC8 UInt32 | — |
_AC9 UInt32 | — |
_TMP UInt32 | — |
Event ID 85 — The system was shut down due to a critical thermal event.
Event ID 86 — The system was shut down due to a critical thermal event.
Event ID 87 — The system was hibernated due to a critical thermal event.
Event ID 88 — The system was hibernated due to a critical thermal event.
Event ID 89 — ACPI thermal zone ThermalZoneDeviceInstance has been enumerated.
Description
ACPI thermal zone ThermalZoneDeviceInstance has been enumerated.
Message
Fields
| Name | Description |
|---|---|
ThermalZoneDeviceInstanceLength UInt16 | — |
ThermalZoneDeviceInstance UnicodeString | — |
AffinityCount UInt16 | — |
_PSV UInt32 | — |
_TC1 UInt32 | — |
_TC2 UInt32 | — |
_TSP UInt32 | — |
_AC0 UInt32 | — |
_AC1 UInt32 | — |
_AC2 UInt32 | — |
_AC3 UInt32 | — |
_AC4 UInt32 | — |
_AC5 UInt32 | — |
_AC6 UInt32 | — |
_AC7 UInt32 | — |
_AC8 UInt32 | — |
_AC9 UInt32 | — |
_CRT UInt32 | — |
_HOT UInt32 | — |
_PSL HexInt32 | — |
Event ID 90 — Processor ProcessorId was throttled by an entity other than the kernel power manager.
Event ID 91 — Processor ProcessorId was throttled by an entity other than the kernel power manager.
Event ID 92 —
Fields
| Name | Description |
|---|---|
Token Pointer | — |
Type UInt32 | — |
ProcessID UInt32 | — |
SessionID UInt32 | — |
Legacy Boolean | — |
SystemAllowed Boolean | — |
DisplayAllowed Boolean | — |
AwayModeAllowed Boolean | — |
SystemCount UInt32 | — |
DisplayCount UInt32 | — |
AwayModeCount UInt32 | — |
CallerLength UInt16 | — |
ContextLength UInt16 | — |
Caller UnicodeString | — |
Context UnicodeString | — |
ExecutionRequiredAllowed Boolean | — |
PerformanceBoostAllowed Boolean | — |
FullScreenVideoAllowed Boolean | — |
ExecutionRequiredCount UInt32 | — |
PerformanceBoostCount UInt32 | — |
FullScreenVideoCount UInt32 | — |
Event ID 93 —
Fields
| Name | Description |
|---|---|
Token Pointer | — |
SystemCount UInt32 | — |
DisplayCount UInt32 | — |
AwayModeCount UInt32 | — |
ExecutionRequiredCount UInt32 | — |
PerformanceBoostCount UInt32 | — |
FullScreenVideoCount UInt32 | — |
Event ID 94 —
Fields
| Name | Description |
|---|---|
Token Pointer | — |
Event ID 95 — The system timer resolution has changed to a value of NewResolution.
Event ID 96 — The system timer resolution currently has a value of CurrentPeriod.
Event ID 97 — The system timer resolution currently has a value of RequestedPeriod.
Event ID 98 — A driver is attempting to update the system timer resolution to a value of RequestedResolution.
Event ID 99 —
Fields
| Name | Description |
|---|---|
Token Pointer | — |
Type UInt32 | — |
ProcessID UInt32 | — |
SessionID UInt32 | — |
Legacy Boolean | — |
SystemAllowed Boolean | — |
DisplayAllowed Boolean | — |
AwayModeAllowed Boolean | — |
SystemCount UInt32 | — |
DisplayCount UInt32 | — |
AwayModeCount UInt32 | — |
CallerLength UInt16 | — |
ContextLength UInt16 | — |
Caller UnicodeString | — |
Context UnicodeString | — |
ExecutionRequiredAllowed Boolean | — |
PerformanceBoostAllowed Boolean | — |
FullScreenVideoAllowed Boolean | — |
ExecutionRequiredCount UInt32 | — |
PerformanceBoostCount UInt32 | — |
FullScreenVideoCount UInt32 | — |
Event ID 100 —
Event ID 101 —
Event ID 102 —
Event ID 103 —
Event ID 104 —
Fields
| Name | Description |
|---|---|
AffectedState UInt8 | — |
PowerReasonCode UInt32 | — |
PowerReasonLength UInt32 | — |
PowerReasonInfo Binary | — |
Event ID 105 — Power source change.
Event ID 106 —
Fields
| Name | Description |
|---|---|
AcOnline Boolean | — |
Event ID 107 —
Description
The system has resumed from sleep.
Fields
| Name | Description |
|---|---|
TargetState UInt32 | — |
EffectiveState UInt32 | — |
WakeFromState UInt32 | — |
Event ID 107 — The system has resumed from sleep.
Event ID 108 —
Fields
| Name | Description |
|---|---|
CopyBytes UInt64 | — |
ElapsedTime UInt32 | — |
IoTime UInt32 | — |
InitTime UInt32 | — |
CopyTime UInt32 | — |
PagesWritten UInt32 | — |
PagesProcessed UInt32 | — |
DumpCount UInt32 | — |
FileRuns UInt32 | — |
ReadTime UInt32 | — |
ResumeAppTime UInt32 | — |
CompressTime UInt32 | — |
Event ID 109 — The kernel power manager has initiated a shutdown transition.
Description
The kernel power manager has initiated a shutdown transition.
Message
Fields
| Name | Description |
|---|---|
ShutdownActionType UInt32 | Action. |
ShutdownEventCode UInt32 | Event Code. |
ShutdownReason UInt32 | Reason. |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Power",
    "guid": "331C3B3A-2005-44C2-AC5E-77220C37D6B4",
    "event_source_name": "",
    "event_id": 109,
    "version": 0,
    "level": 4,
    "task": 103,
    "opcode": 0,
    "keywords": 9223442405598954500,
    "time_created": "2023-11-06T06:23:40.686261+00:00",
    "event_record_id": 1621,
    "correlation": {},
    "execution": {
      "process_id": 680,
      "thread_id": 684
    },
    "channel": "System",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ShutdownActionType": 5,
    "ShutdownEventCode": 0,
    "ShutdownReason": 5
  },
  "message": ""
}
```
References
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 110 —
Fields
| Name | Description |
|---|---|
RequestedPeriod UInt32 | — |
Pid UInt32 | — |
AppNameLength UInt16 | — |
AppName UnicodeString | — |
StackSize UInt32 | — |
Stack Pointer | — |
Event ID 111 —
Fields
| Name | Description |
|---|---|
SettingGuid GUID | — |
DataSize UInt32 | — |
Data Binary | — |
Override Boolean | — |
Event ID 112 —
Fields
| Name | Description |
|---|---|
SettingGuid GUID | — |
DataSize UInt32 | — |
Data Binary | — |
Override Boolean | — |
Event ID 113 — ACPI thermal zone ThermalZoneDeviceInstance has PassiveCoolingState passive cooling.
Description
ACPI thermal zone ThermalZoneDeviceInstance has PassiveCoolingState passive cooling.
Message
Fields
| Name | Description |
|---|---|
ThermalZoneDeviceInstanceLength UInt16 | — |
ThermalZoneDeviceInstance UnicodeString | — |
EventTime FILETIME | — |
PassiveCoolingState UInt16 | — |
_PSV UInt32 | — |
_TMP UInt32 | — |
_TC1 UInt32 | — |
_TC2 UInt32 | — |
_TSP UInt32 | — |
DeltaP Int32 | — |
MinimumThrottle Int32 | — |
Event ID 114 — ACPI thermal zone ThermalZoneDeviceInstance has PassiveCoolingState passive cooling.
Description
ACPI thermal zone ThermalZoneDeviceInstance has PassiveCoolingState passive cooling.
Message
Fields
| Name | Description |
|---|---|
ThermalZoneDeviceInstanceLength UInt16 | — |
ThermalZoneDeviceInstance UnicodeString | — |
EventTime FILETIME | — |
PassiveCoolingState UInt16 | — |
_PSV UInt32 | — |
_TMP UInt32 | — |
_TC1 UInt32 | — |
_TC2 UInt32 | — |
_TSP UInt32 | — |
DeltaP Int32 | — |
MinimumThrottle Int32 | — |
Event ID 115 — ACPI thermal zone ThermalZoneDeviceInstance has ActiveCoolingState active cooling.
Description
ACPI thermal zone ThermalZoneDeviceInstance has ActiveCoolingState active cooling.
Message
Fields
| Name | Description |
|---|---|
ThermalZoneDeviceInstanceLength UInt16 | — |
ThermalZoneDeviceInstance UnicodeString | — |
EventTime FILETIME | — |
ActiveCoolingState UInt16 | — |
_AC0 UInt32 | — |
_AC1 UInt32 | — |
_AC2 UInt32 | — |
_AC3 UInt32 | — |
_AC4 UInt32 | — |
_AC5 UInt32 | — |
_AC6 UInt32 | — |
_AC7 UInt32 | — |
_AC8 UInt32 | — |
_AC9 UInt32 | — |
_TMP UInt32 | — |
Event ID 116 — ACPI thermal zone ThermalZoneDeviceInstance has ActiveCoolingState active cooling.
Description
ACPI thermal zone ThermalZoneDeviceInstance has ActiveCoolingState active cooling.
Message
Fields
| Name | Description |
|---|---|
ThermalZoneDeviceInstanceLength UInt16 | — |
ThermalZoneDeviceInstance UnicodeString | — |
EventTime FILETIME | — |
ActiveCoolingState UInt16 | — |
_AC0 UInt32 | — |
_AC1 UInt32 | — |
_AC2 UInt32 | — |
_AC3 UInt32 | — |
_AC4 UInt32 | — |
_AC5 UInt32 | — |
_AC6 UInt32 | — |
_AC7 UInt32 | — |
_AC8 UInt32 | — |
_AC9 UInt32 | — |
_TMP UInt32 | — |
Event ID 117 —
Fields
| Name | Description |
|---|---|
TotalResumeTime UInt32 | — |
POSTTime UInt32 | — |
ResumeBootMgrTime UInt32 | — |
ResumeAppTime UInt32 | — |
ResumeAppStartTime UInt32 | — |
ResumeLibraryInitTime UInt32 | — |
ResumeInitTime UInt32 | — |
ResumeHiberFileTime UInt32 | — |
ResumeRestoreImageStartTimestamp UInt32 | — |
ResumeIoTime UInt32 | — |
ResumeDecompressTime UInt32 | — |
ResumeMapTime UInt32 | — |
ResumeUnmapTime UInt32 | — |
ResumeUserInOutTime UInt32 | — |
ResumeAllocateTime UInt32 | — |
ResumeKernelSwitchTimestamp UInt32 | — |
KernelReturnFromHandlerTimestamp UInt32 | — |
SleeperThreadEndTimestamp UInt32 | — |
TimeStampCounterAtSwitchTime UInt32 | — |
KernelReturnSystemPowerStateTimestamp UInt32 | — |
HiberHiberFileTime UInt32 | — |
InitTime UInt32 | — |
HiberSharedBufferTime UInt32 | — |
TotalHibernateTime UInt32 | — |
KernelResumeHiberFileTime UInt32 | — |
KernelResumeInitTime UInt32 | — |
KernelResumeSharedBufferTime UInt32 | — |
DeviceResumeTime UInt32 | — |
KernelAnimationTime UInt32 | — |
KernelPagesProcessed UInt32 | — |
KernelPagesWritten UInt64 | — |
BootPagesProcessed UInt32 | — |
BootPagesWritten UInt64 | — |
HiberWriteRate UInt32 | — |
HiberCompressRate UInt32 | — |
ResumeReadRate UInt32 | — |
ResumeDecompressRate UInt32 | — |
FileRuns UInt32 | — |
NoMultiStageResumeReason UInt32 | — |
MaxHuffRatio UInt32 | — |
SecurePagesProcessed UInt32 | — |
HiberChecksumTime UInt32 | — |
HiberChecksumIoTime UInt32 | — |
ResumeChecksumTime UInt32 | — |
ResumeChecksumIoTime UInt32 | — |
KernelChecksumTime UInt32 | — |
KernelChecksumIoTime UInt32 | — |
WinresumeExitTimestamp UInt32 | — |
TcbLoaderStartTimestamp UInt32 | — |
TcbLoaderEndTimestamp UInt32 | — |
RemappedPageLookupCycles UInt32 | — |
TcbLaunchPrepareCycles UInt32 | — |
TcbLaunchPrepareDataCycles UInt32 | — |
DecryptVsmPagesPhase0Cycles UInt32 | — |
DecryptVsmPagesPhase1Cycles UInt32 | — |
DecryptVsmPagesPhase2Cycles UInt32 | — |
TcbLoaderAuthenticateCycles UInt32 | — |
TcbLoaderDecryptCycles UInt32 | — |
TcbLoaderValidateCycles UInt32 | — |
Event ID 118 — Idle resiliency activated with requested clock period: RequestedResolution(Internal flags:Flags, Ticks:Ticks).
Event ID 119 — Idle resiliency deactivated (Internal flags:Flags).
Event ID 120 —
Fields #
| Name | Description |
|---|---|
HiberfileSizeKB UInt32 | — |
TotalHibernateTime UInt32 | — |
HiberHiberFileTime UInt32 | — |
Event ID 121 —
Fields #
| Name | Description |
|---|---|
DriverWakeTime UInt32 | — |
TotalResumeTime UInt32 | — |
BiosInitTime UInt32 | — |
ResumeAppsTime UInt32 | — |
ResumeServicesTime UInt32 | — |
Event ID 122 —
Fields #
| Name | Description |
|---|---|
TotalResumeTime UInt32 | — |
PhasePagesWrittenMB UInt32 | — |
ResumeAppAndKernelResumeHiberFileTime UInt32 | — |
POSTAndDeviceResumeTime UInt32 | — |
RatesAndResumeAppsServicesTime UInt32 | — |
PhasePagesProcessedMB UInt32 | — |
Event ID 123 —
Fields #
| Name | Description |
|---|---|
HiberfileSize UInt32 | — |
TotalHybridShutdownTime UInt32 | — |
HiberfileCreateTime UInt32 | — |
SystemShutdownTime UInt32 | — |
Event ID 124 —
Fields #
| Name | Description |
|---|---|
TotalResumeTime UInt32 | — |
PhasePagesWrittenMB UInt32 | — |
ResumeAppAndKernelResumeHiberFileTime UInt32 | — |
POSTAndDeviceResumeTime UInt32 | — |
RatesAndResumeAppsServicesTime UInt32 | — |
PhasePagesProcessedMB UInt32 | — |
Event ID 125 — ACPI thermal zone ThermalZoneDeviceInstance has been enumerated.
Description
ACPI thermal zone ThermalZoneDeviceInstance has been enumerated.
Message #
Fields #
| Name | Description |
|---|---|
ThermalZoneDeviceInstanceLength UInt16 | — |
ThermalZoneDeviceInstance UnicodeString | — |
_PSV UInt32 | — |
_TC1 UInt32 | — |
_TC2 UInt32 | — |
_TSP UInt32 | — |
_AC0 UInt32 | — |
_AC1 UInt32 | — |
_AC2 UInt32 | — |
_AC3 UInt32 | — |
_AC4 UInt32 | — |
_AC5 UInt32 | — |
_AC6 UInt32 | — |
_AC7 UInt32 | — |
_AC8 UInt32 | — |
_AC9 UInt32 | — |
_CRT UInt32 | — |
_HOT UInt32 | — |
MinimumThrottle Int32 | — |
_CR3 UInt32 | — |
OverThrottleThreshold UInt32 | — |
DescriptionLength UInt16 | — |
Description UnicodeString | — |
_TZP UInt32 | — |
Event ID 126 —
Fields #
| Name | Description |
|---|---|
Level UInt32 | — |
MinorFunction UInt8 | — |
Event ID 127 —
Fields #
| Name | Description |
|---|---|
Level UInt32 | — |
MinorFunction UInt8 | — |
Event ID 128 —
Fields #
| Name | Description |
|---|---|
Level UInt32 | — |
MinorFunction UInt8 | — |
Event ID 129 —
Fields #
| Name | Description |
|---|---|
Level UInt32 | — |
MinorFunction UInt8 | — |
Event ID 130 — Firmware S3 times.
Event ID 131 — Firmware S3 times.
Event ID 132 —
Fields #
| Name | Description |
|---|---|
PlatformRole UInt32 | — |
Event ID 133 —
Event ID 134 —
Event ID 135 —
Fields #
| Name | Description |
|---|---|
DisplayState UInt32 | — |
Event ID 136 —
Fields #
| Name | Description |
|---|---|
DeviceNode Pointer | — |
PowerState UInt8 | — |
InstancePathLength UInt16 | — |
InstancePath UnicodeString | — |
FriendlyNameLength UInt16 | — |
FriendlyName UnicodeString | — |
Event ID 137 — The system firmware has changed the processor's memory type range registers (MTRRs) across a sleep state transition (SSleepState).
Event ID 138 —
Fields #
| Name | Description |
|---|---|
Throttle UInt32 | — |
Temperature UInt32 | — |
ZoneLength UInt16 | — |
Zone UnicodeString | — |
Event ID 139 —
Fields #
| Name | Description |
|---|---|
ThrottleDuration UInt32 | — |
ZoneLength UInt16 | — |
Zone UnicodeString | — |
Event ID 140 —
Fields #
| Name | Description |
|---|---|
EnergyDrain UInt32 | — |
Duration UInt32 | — |
DripsTransitions UInt32 | — |
Flags UInt32 | — |
Event ID 141 —
Fields #
| Name | Description |
|---|---|
FanDuration UInt32 | — |
ActivationDelay UInt32 | — |
Event ID 142 — The system has rebooted without cleanly shutting down first.
Event ID 143 —
Fields #
| Name | Description |
|---|---|
ResiliencyPhaseNonActivatedNoDripsMs UInt32 | — |
NonActivatedCpuTimeMs UInt32 | — |
DurationThisPeriodMs UInt32 | — |
ActionsTakenAndOnAc UInt32 | — |
Event ID 144 —
Fields #
| Name | Description |
|---|---|
InitiatorLength UInt16 | — |
Initiator UnicodeString | — |
Type UInt32 | — |
Temperature UInt32 | — |
TripPointTemperature UInt32 | — |
Event ID 145 —
Fields #
| Name | Description |
|---|---|
ThermalZoneDeviceInstanceLength UInt16 | — |
ThermalZoneDeviceInstance UnicodeString | — |
ActiveCoolingState UInt16 | — |
ActivePoint Int32 | — |
PassiveCoolingState UInt16 | — |
ThrottleLimit Int32 | — |
ThermalStandby Boolean | — |
OverThrottled Boolean | — |
DescriptionLength UInt16 | — |
Description UnicodeString | — |
Event ID 146 —
Fields #
| Name | Description |
|---|---|
Callback Pointer | — |
SettingGuid GUID | — |
DataSize UInt32 | — |
Data Binary | — |
Event ID 147 —
Fields #
| Name | Description |
|---|---|
Callback Pointer | — |
SettingGuid GUID | — |
Event ID 148 —
Fields #
| Name | Description |
|---|---|
State Int32 | — |
Reason Int32 | — |
Event ID 149 —
Fields #
| Name | Description |
|---|---|
Session UInt32 | — |
Console Boolean | — |
Reason UInt32 | — |
Event ID 150 —
Fields #
| Name | Description |
|---|---|
Session UInt32 | — |
Console Boolean | — |
Reason UInt32 | — |
Event ID 151 —
Fields #
| Name | Description |
|---|---|
PassiveSupported Boolean | — |
ActiveSupported Boolean | — |
Throttle UInt8 | — |
ActiveEngaged Boolean | — |
Token Pointer | — |
DeviceIdLength UInt16 | — |
DeviceId UnicodeString | — |
Event ID 152 —
Fields #
| Name | Description |
|---|---|
PassiveSupported Boolean | — |
ActiveSupported Boolean | — |
Throttle UInt8 | — |
ActiveEngaged Boolean | — |
Token Pointer | — |
DeviceIdLength UInt16 | — |
DeviceId UnicodeString | — |
Event ID 153 —
Fields #
| Name | Description |
|---|---|
PassiveSupported Boolean | — |
ActiveSupported Boolean | — |
Throttle UInt8 | — |
ActiveEngaged Boolean | — |
Token Pointer | — |
DeviceIdLength UInt16 | — |
DeviceId UnicodeString | — |
Event ID 154 —
Fields #
| Name | Description |
|---|---|
Throttle UInt8 | — |
Token Pointer | — |
Event ID 155 —
Fields #
| Name | Description |
|---|---|
ActiveEngaged Boolean | — |
Token Pointer | — |
Event ID 156 —
Fields #
| Name | Description |
|---|---|
Throttle UInt8 | — |
ActiveEngaged Boolean | — |
Token Pointer | — |
DeviceIdLength UInt16 | — |
CallerLength UInt16 | — |
ContextLength UInt16 | — |
PolicyLength UInt16 | — |
DeviceId UnicodeString | — |
Caller UnicodeString | — |
Context UnicodeString | — |
Policy Binary | — |
Event ID 157 —
Fields #
| Name | Description |
|---|---|
Throttle UInt8 | — |
ActiveEngaged Boolean | — |
Token Pointer | — |
DeviceIdLength UInt16 | — |
CallerLength UInt16 | — |
ContextLength UInt16 | — |
PolicyLength UInt16 | — |
DeviceId UnicodeString | — |
Caller UnicodeString | — |
Context UnicodeString | — |
Policy Binary | — |
Event ID 158 —
Fields #
| Name | Description |
|---|---|
Throttle UInt8 | — |
ActiveEngaged Boolean | — |
Token Pointer | — |
DeviceIdLength UInt16 | — |
CallerLength UInt16 | — |
ContextLength UInt16 | — |
PolicyLength UInt16 | — |
DeviceId UnicodeString | — |
Caller UnicodeString | — |
Context UnicodeString | — |
Policy Binary | — |
Event ID 159 —
Fields #
| Name | Description |
|---|---|
Throttle UInt8 | — |
Token Pointer | — |
Event ID 160 —
Fields #
| Name | Description |
|---|---|
ActiveEngaged Boolean | — |
Token Pointer | — |
Event ID 161 —
Fields #
| Name | Description |
|---|---|
ResiliencyPhaseNonActivatedNoDripsMs UInt32 | — |
NonActivatedCpuTimeMs UInt32 | — |
DurationThisPeriodMs UInt32 | — |
OnAc Boolean | — |
EnergyDrainMw UInt32 | — |
DeviceConstraint Boolean | — |
ActionsTaken UInt32 | — |
DeviceServiceNameLength UInt16 | — |
DeviceServiceName UnicodeString | — |
ChildServiceNameLength UInt16 | — |
ChildServiceName UnicodeString | — |
PepPreVeto UInt32 | — |
InvocationCount UInt32 | — |
Event ID 162 —
Fields #
| Name | Description |
|---|---|
ThermalZoneDeviceInstanceLength UInt16 | — |
ThermalZoneDeviceInstance UnicodeString | — |
Engaged Boolean | — |
Event ID 163 —
Fields #
| Name | Description |
|---|---|
ThermalZoneDeviceInstanceLength UInt16 | — |
ThermalZoneDeviceInstance UnicodeString | — |
Engaged Boolean | — |
Event ID 164 —
Event ID 165 —
Fields #
| Name | Description |
|---|---|
IdleInformationUpdated Boolean | — |
TimeoutSource UInt32 | — |
Action UInt32 | — |
MinState UInt32 | — |
Timeout UInt32 | — |
Flags UInt32 | — |
Reason UInt32 | — |
Event ID 166 —
Fields #
| Name | Description |
|---|---|
AccumulatedIdleTime UInt32 | — |
SystemIdle Boolean | — |
Flags UInt32 | — |
Action UInt32 | — |
MinState UInt32 | — |
DozeS4Timeout UInt32 | — |
PredictedUserReturnTime FILETIME | — |
Event ID 167 —
Fields #
| Name | Description |
|---|---|
Reason UInt32 | — |
S0LowPowerDozeTimerCancelled Boolean | — |
Event ID 168 —
Fields #
| Name | Description |
|---|---|
CancelledDueToUserInput Boolean | — |
Event ID 169 —
Fields #
| Name | Description |
|---|---|
Source UInt32 | — |
Time FILETIME | — |
Event ID 170 —
Fields #
| Name | Description |
|---|---|
Reason UInt32 | — |
Event ID 171 —
Fields #
| Name | Description |
|---|---|
ResiliencyPhaseNonActivatedNoDeepSleepMs UInt32 | — |
NonActivatedCpuTimeMs UInt32 | — |
DurationThisPeriodMs UInt32 | — |
OnAc Boolean | — |
ActionsTaken UInt32 | — |
PowerSettingPending Boolean | — |
Event ID 172 — Connectivity state in standby: State, Reason: Reason.
Description
Connectivity state in standby: State, Reason: Reason.
Message #
Fields #
| Name | Description |
|---|---|
State UInt32 | Connectivity state in standby. |
Reason UInt32 | — |
Example Event #
```json
{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Power",
    "guid": "331C3B3A-2005-44C2-AC5E-77220C37D6B4",
    "event_source_name": "",
    "event_id": 172,
    "version": 0,
    "level": 4,
    "task": 203,
    "opcode": 0,
    "keywords": 9223372036854776836,
    "time_created": "2023-11-06T06:25:19.594800+00:00",
    "event_record_id": 1646,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 228
    },
    "channel": "System",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "State": 2,
    "Reason": 6
  },
  "message": ""
}
```
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 173 —
Event ID 174 —
Event ID 175 —
Fields #
| Name | Description |
|---|---|
State UInt32 | — |
Reason UInt32 | — |
Event ID 176 —
Fields #
| Name | Description |
|---|---|
Type UInt32 | — |
State UInt32 | — |
Event ID 177 —
Fields #
| Name | Description |
|---|---|
Type UInt32 | — |
State UInt32 | — |
Event ID 178 — Background Activity Policy updated from PreviousPolicy to NewPolicy.
Event ID 179 —
Fields #
| Name | Description |
|---|---|
PrevState UInt32 | — |
NewState UInt32 | — |
Event ID 180 —
Fields #
| Name | Description |
|---|---|
Reason UInt32 | — |
Event ID 181 —
Fields #
| Name | Description |
|---|---|
Constraint UInt32 | — |
Event ID 182 —
Fields #
| Name | Description |
|---|---|
Constraint UInt32 | — |
Event ID 183 —
Fields #
| Name | Description |
|---|---|
ConstraintCount UInt16 | — |
Constraints AnsiString | — |
Event ID 184 —
Fields #
| Name | Description |
|---|---|
ExpiryCount UInt32 | — |
RelativeId UInt16 | — |
ComponentName UnicodeString | — |
Event ID 185 —
Fields #
| Name | Description |
|---|---|
WokeSystem Boolean | — |
RejectReason UInt32 | — |
Uncertain Boolean | — |
Spurious Boolean | — |
FixedWakeSourceMask UInt32 | — |
AcAlarmSignaled Boolean | — |
DcAlarmSignaled Boolean | — |
RtcSignaled Boolean | — |
AcProgrammedTime FILETIME | — |
DcProgrammedTime FILETIME | — |
UsingAcTime Boolean | — |
WakeTime FILETIME | — |
AdjustedWakeTime FILETIME | — |
FullWake Boolean | — |
Event ID 186 —
Fields #
| Name | Description |
|---|---|
Irp Pointer | — |
Event ID 187 — User-mode process attempted to change the system state by calling SetSuspendState or SetSystemPowerState APIs.
Event ID 188 —
Event ID 189 —
Event ID 190 —
Fields #
| Name | Description |
|---|---|
RequestIgnored Boolean | — |
Pid UInt32 | — |
Event ID 191 —
Fields #
| Name | Description |
|---|---|
Count UInt32 | — |
Event ID 200 —
Fields #
| Name | Description |
|---|---|
SqmType UInt32 | — |
SqmSessionGuid GUID | — |
SqmSid SID | — |
SqmWindowsSessionId UInt32 | — |
SqmSessionFlags UInt32 | — |
Event ID 201 —
Fields #
| Name | Description |
|---|---|
SqmType UInt32 | — |
SqmSessionGuid GUID | — |
Event ID 202 —
Fields #
| Name | Description |
|---|---|
SqmType UInt32 | — |
SqmSessionGuid GUID | — |
SqmID UInt32 | — |
SqmDWORDDatapointValue UInt32 | — |
Event ID 203 —
Fields #
| Name | Description |
|---|---|
SqmType UInt32 | — |
SqmSessionGuid GUID | — |
SqmID UInt32 | — |
SqmDWORDDatapointValue UInt32 | — |
Event ID 204 —
Fields #
| Name | Description |
|---|---|
SqmType UInt32 | — |
SqmSessionGuid GUID | — |
SqmID UInt32 | — |
SqmDWORDDatapointValue UInt32 | — |
Event ID 205 —
Fields #
| Name | Description |
|---|---|
SqmType UInt32 | — |
SqmSessionGuid GUID | — |
SqmID UInt32 | — |
SqmDWORDDatapointValue UInt32 | — |
Event ID 206 —
Fields #
| Name | Description |
|---|---|
SqmType UInt32 | — |
SqmSessionGuid GUID | — |
SqmID UInt32 | — |
SqmDWORDDatapointValue UInt32 | — |
Event ID 207 —
Fields #
| Name | Description |
|---|---|
SqmType UInt32 | — |
SqmSessionGuid GUID | — |
SqmID UInt32 | — |
SqmStringDatapointValue UnicodeString | — |
Event ID 208 —
Fields #
| Name | Description |
|---|---|
SqmType UInt32 | — |
SqmSessionGuid GUID | — |
SqmID UInt32 | — |
SqmStreamRowLength UInt32 | — |
SqmStreamRow Int16 | — |
Event ID 300 —
Fields #
| Name | Description |
|---|---|
Plugin Pointer | — |
Attributes UInt64 | — |
Event ID 301 —
Fields #
| Name | Description |
|---|---|
Plugin Pointer | — |
Attributes UInt64 | — |
Event ID 302 —
Fields #
| Name | Description |
|---|---|
Token Pointer | — |
Plugin Pointer | — |
IdLength UInt16 | — |
Id UnicodeString | — |
Prepared Boolean | — |
Event ID 303 —
Fields #
| Name | Description |
|---|---|
Token Pointer | — |
Plugin Pointer | — |
PowerState UInt8 | — |
Status UInt32 | — NTSTATUS reference |
IdLength UInt16 | — |
Id UnicodeString | — |
ComponentCount UInt32 | — |
VetoMasks UInt32 | — |
Event ID 304 —
Fields #
| Name | Description |
|---|---|
Token Pointer | — |
Plugin Pointer | — |
PowerState UInt8 | — |
Status UInt32 | — NTSTATUS reference |
IdLength UInt16 | — |
Id UnicodeString | — |
ComponentCount UInt32 | — |
VetoMasks UInt32 | — |
Event ID 305 —
Fields #
| Name | Description |
|---|---|
Token Pointer | — |
Event ID 306 —
Fields #
| Name | Description |
|---|---|
Token Pointer | — |
Event ID 307 —
Fields #
| Name | Description |
|---|---|
Token Pointer | — |
PowerRequired Boolean | — |
Event ID 308 —
Fields #
| Name | Description |
|---|---|
Token Pointer | — |
PowerState UInt8 | — |
Event ID 309 —
Fields #
| Name | Description |
|---|---|
Token Pointer | — |
Event ID 310 —
Fields #
| Name | Description |
|---|---|
Token Pointer | — |
Component UInt32 | — |
Active Boolean | — |
IdleState UInt32 | — |
IdleStateCount UInt32 | — |
IdleStates UInt16 | — |
Event ID 311 —
Fields #
| Name | Description |
|---|---|
Token Pointer | — |
Component UInt32 | — |
Active Boolean | — |
IdleState UInt32 | — |
IdleStateCount UInt32 | — |
IdleStates UInt16 | — |
Event ID 312 —
Fields #
| Name | Description |
|---|---|
Token Pointer | — |
Component UInt32 | — |
Active Boolean | — |
Event ID 313 —
Fields #
| Name | Description |
|---|---|
Token Pointer | — |
Component UInt32 | — |
IdleState UInt32 | — |
Event ID 314 —
Fields #
| Name | Description |
|---|---|
Token Pointer | — |
Component UInt32 | — |
Latency UInt64 | — |
Event ID 315 —
Fields #
| Name | Description |
|---|---|
Token Pointer | — |
Component UInt32 | — |
Residency UInt64 | — |
Event ID 316 —
Fields #
| Name | Description |
|---|---|
Token Pointer | — |
Component UInt32 | — |
ArmedForWake Boolean | — |
Event ID 317 —
Fields #
| Name | Description |
|---|---|
Token Pointer | — |
PowerRequired Boolean | — |
Event ID 318 —
Fields #
| Name | Description |
|---|---|
Token Pointer | — |
StateCount UInt32 | — |
MinimumDStates UInt32 | — |
Event ID 319 —
Fields #
| Name | Description |
|---|---|
Token Pointer | — |
Component UInt32 | — |
StateCount UInt32 | — |
MinimumFStates UInt32 | — |
Event ID 320 —
Fields #
| Name | Description |
|---|---|
DeviceNode Pointer | — |
DeviceIdLength UInt16 | — |
DeviceId UnicodeString | — |
InstancePathLength UInt16 | — |
InstancePath UnicodeString | — |
ServiceNameLength UInt16 | — |
ServiceName UnicodeString | — |
PlatformStateDependents UInt32 | — |
Pdo Pointer | — |
ParentDeviceNode Pointer | — |
Flags UInt32 | — |
FriendlyNameLength UInt16 | — |
FriendlyName UnicodeString | — |
DripsRequiredState UInt32 | — |
Event ID 321 —
Fields #
| Name | Description |
|---|---|
Token Pointer | — |
Component UInt32 | — |
SetCount UInt32 | — |
Event ID 322 —
Fields #
| Name | Description |
|---|---|
Token Pointer | — |
Component UInt32 | — |
SetCount UInt32 | — |
Event ID 323 —
Fields #
| Name | Description |
|---|---|
Token Pointer | — |
Component UInt32 | — |
Set UInt32 | — |
NameLength UInt16 | — |
Name UnicodeString | — |
Type UInt32 | — |
Unit UInt32 | — |
Minimum UInt64 | — |
Maximum UInt64 | — |
StateCount UInt32 | — |
StateValues UInt64 | — |
CurrentState UInt64 | — |
Event ID 324 —
Fields #
| Name | Description |
|---|---|
Token Pointer | — |
Component UInt32 | — |
Set UInt32 | — |
NameLength UInt16 | — |
Name UnicodeString | — |
Type UInt32 | — |
Unit UInt32 | — |
Minimum UInt64 | — |
Maximum UInt64 | — |
StateCount UInt32 | — |
StateValues UInt64 | — |
CurrentState UInt64 | — |
Event ID 325 —
Fields #
| Name | Description |
|---|---|
Token Pointer | — |
Component UInt32 | — |
PerformanceStateSetCount UInt32 | — |
PerformanceStateSets UInt8 | — |
Event ID 326 —
Fields #
| Name | Description |
|---|---|
Token Pointer | — |
Component UInt32 | — |
Progress UInt32 | — |
Event ID 327 —
Fields #
| Name | Description |
|---|---|
Token Pointer | — |
Component UInt32 | — |
Succeeded Boolean | — |
Event ID 328 —
Fields #
| Name | Description |
|---|---|
Token Pointer | — |
Component UInt32 | — |
DeviceTransition Boolean | — |
PowerState UInt32 | — |
PerformanceStateSetCount UInt32 | — |
PerformanceStateSets UInt16 | — |
Event ID 329 —
Fields #
| Name | Description |
|---|---|
Token Pointer | — |
StateCount UInt32 | — |
TransitionRequired UInt8 | — |
Event ID 330 —
Fields #
| Name | Description |
|---|---|
StartDevice Pointer | — |
Event ID 331 —
Fields #
| Name | Description |
|---|---|
EndDevice Pointer | — |
WorkType Int8 | — |
Phase UInt8 | — |
NumberExtraDevices UInt8 | — |
Event ID 332 —
Fields #
| Name | Description |
|---|---|
EndDevice Pointer | — |
WorkType Int8 | — |
Phase UInt8 | — |
NumberExtraDevices UInt8 | — |
Event ID 333 —
Fields #
| Name | Description |
|---|---|
EndDevice Pointer | — |
WorkType Int8 | — |
Phase UInt8 | — |
NumberExtraDevices UInt8 | — |
Event ID 400 — SessionId: SessionId, Console:Console.
Event ID 401 — SessionId: SessionId, Console:Console.
Event ID 402 — SessionId: SessionId, Console:Console.
Event ID 403 — SessionId: SessionId, Console:Console.
Event ID 404 — SessionId: SessionId, Console:Console.
Event ID 405 — SessionId: SessionId, Console:Console.
Event ID 406 — SessionId: SessionId, Console:Console.
Event ID 407 — SessionId: SessionId, Console:Console.
Event ID 408 — User presence:User_presence.
Event ID 409 — Reason code:Reason_code.
Event ID 412 — Session Id:Session_Id, Value: Value.
Event ID 413 — Session Id:Session_Id, Value: Value.
Event ID 414 — Session Id:Session_Id, Value: Value.
Event ID 415 — Old value:Old_value, New value: New_value.
Event ID 416 — Value:Value, Zeroed: Zeroed, Computed: Computed.
Event ID 417 — Value:Value, Zeroed: Zeroed, Computed: Computed.
Event ID 418 — Value:Value, Zeroed: Zeroed, Computed: Computed.
Event ID 500 — IO coalescing activated with spindown period: SpindownTimeout, Timer:TimerInterval, Flush:FlushInterval, Flags:Flags.
Event ID 501 — IO coalescing deactivated.
Description
IO coalescing deactivated.
Message #
Event ID 502 — IO coalescing flush command generated.
Description
IO coalescing flush command generated.
Message #
Event ID 503 — IO coalescing disk device DiskDeviceObject is about to be spun down.
Event ID 504 —
Fields #
| Name | Description |
|---|---|
SystemLatency UInt32 | — |
Event ID 505 —
Fields #
| Name | Description |
|---|---|
SystemLatency UInt32 | — |
Event ID 506 — The system is entering Modern Standby Reason.
Description
The system is entering Modern Standby.
Message #
Fields #
| Name | Description |
|---|---|
Reason UInt32 | — |
LidOpenState Boolean | — |
ExternalMonitorConnectedState Boolean | — |
ScenarioInstanceId UInt8 | — |
BatteryRemainingCapacityOnEnter UInt32 | — |
BatteryFullChargeCapacityOnEnter UInt32 | — |
ScenarioInstanceIdV2 UInt64 | — |
BootId UInt32 | — |
Event ID 507 — The system is exiting Modern Standby Reason.
Description
The system is exiting Modern Standby.
Message #
Fields #
| Name | Description |
|---|---|
Reason UInt32 | — |
EnergyDrain UInt32 | — |
ActiveResidencyInUs UInt64 | — |
NonDripsTimeActivatedInUs UInt64 | — |
FirstDripsEntryInUs UInt64 | — |
DripsResidencyInUs UInt64 | — |
DurationInUs UInt64 | — |
DripsTransitions UInt32 | — |
FullChargeCapacityRatio UInt8 | — |
AudioPlaying Boolean | — |
AudioPlaybackInUs UInt64 | — |
NonActivatedCpuInUs UInt64 | — |
PowerStateAc Boolean | — |
HwDripsResidencyInUs UInt64 | — |
ExitLatencyInUs UInt64 | — |
DisconnectedStandby Boolean | — |
AoAcCompliantNic Boolean | — |
NonAttributedCpuInUs UInt64 | — |
ModernSleepEnabledActionsBitmask UInt32 | — |
ModernSleepAppliedActionsBitmask UInt32 | — |
LidOpenState Boolean | — |
ExternalMonitorConnectedState Boolean | — |
ScenarioInstanceId UInt8 | — |
IsCsSessionInProgressOnExit Boolean | — |
BatteryRemainingCapacityOnExit UInt32 | — |
BatteryFullChargeCapacityOnExit UInt32 | — |
ScenarioInstanceIdV2 UInt64 | — |
BootId UInt32 | — |
InputSuppressionActionCount UInt32 | — |
NonResiliencyTimeInUs UInt64 | — |
ResiliencyDripsTimeInUs UInt64 | — |
ResiliencyHwDripsTimeInUs UInt64 | — |
GdiOnTime UInt64 | — |
DwmSyncFlushTime UInt64 | — |
MonitorPowerOnTime UInt64 | — |
SleepEntered Boolean | — |
ScreenOffEnergyCapacityAtStart UInt32 | — |
ScreenOffEnergyCapacityAtEnd UInt32 | — |
ScreenOffDurationInUs UInt64 | — |
SleepEnergyCapacityAtStart UInt32 | — |
SleepEnergyCapacityAtEnd UInt32 | — |
SleepDurationInUs UInt64 | — |
ScreenOffFullEnergyCapacityAtStart UInt32 | — |
ScreenOffFullEnergyCapacityAtEnd UInt32 | — |
SleepFullEnergyCapacityAtStart UInt32 | — |
SleepFullEnergyCapacityAtEnd UInt32 | — |
PowerSchemeInfo UInt32 | — |
PowerButtonSuppressionActionCount UInt32 | — |
ScreenOffSwDripsResidencyInUs UInt64 | — |
ScreenOffHwDripsResidencyInUs UInt64 | — |
SleepSwDripsResidencyInUs UInt64 | — |
SleepHwDripsResidencyInUs UInt64 | — |
Event ID 508 — The system has been constrained to a periodic tick Reason.
Event ID 509 —
Fields #
| Name | Description |
|---|---|
Flags UInt8 | — |
Event ID 510 — Scenario Power Manager (SPM) policy framework has current status: SpmStatus.
Event ID 511 —
Fields #
| Name | Description |
|---|---|
SpmStatus UInt8 | — |
Event ID 512 —
Fields #
| Name | Description |
|---|---|
PolicyGuid GUID | — |
PolicyAliasLength UInt16 | — |
PolicyAlias UnicodeString | — |
Event ID 513 —
Fields #
| Name | Description |
|---|---|
ScenarioGuid GUID | — |
ScenarioNameLength UInt16 | — |
ScenarioName UnicodeString | — |
Flags UInt32 | — |
DefaultSettingsScenarioGuid GUID | — |
PolicyCount UInt16 | — |
PolicySettings Int32 | — |
Event ID 518 —
Event ID 519 —
Event ID 520 — The brightness on this system is managed by high-precision brightness aware service.
Description
The brightness on this system is managed by high-precision brightness aware service.
Message #
Event ID 521 — Active battery count change.
Description
Active battery count change.
Message #
Fields #
| Name | Description |
|---|---|
ValidBatteryCount UInt32 | — |
ErrorBatteryCount UInt32 | — |
AbandonedBatteryCount UInt32 | — |
Example Event #
```json
{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Power",
    "guid": "331C3B3A-2005-44C2-AC5E-77220C37D6B4",
    "event_source_name": "",
    "event_id": 521,
    "version": 0,
    "level": 4,
    "task": 220,
    "opcode": 0,
    "keywords": 9223372036854776836,
    "time_created": "2022-04-04T13:11:11.019552+00:00",
    "event_record_id": 1541,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 260
    },
    "channel": "System",
    "computer": "WIN-TKC15D7KHUR",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "ValidBatteryCount": 1,
    "ErrorBatteryCount": 0,
    "AbandonedBatteryCount": 0
  },
  "message": ""
}
```
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 522 —
Fields #
| Name | Description |
|---|---|
HwDripsTotalTimeValid Boolean | — |
DripsTotalTimeThisPeriodUs UInt64 | — |
HwDripsTotalTimeThisPeriodUs UInt64 | — |
PopDripsSwHwDivergenceThreshold UInt32 | — |
Event ID 523 —
Fields #
| Name | Description |
|---|---|
Irp Pointer | — |
Status UInt32 | — NTSTATUS reference |
FailedDriver UnicodeString | — |
ElapsedTime UInt64 | — |
Event ID 524 — Index Battery Trigger Met.
Description
Index Battery Trigger Met.
Message #
Fields #
| Name | Description |
|---|---|
Index UInt32 | — |
ActiveBatteryCount UInt32 | — |
RemainingPercentage UInt32 | — |
IsAcOnline UInt32 | — |
BatteryActionInternalFlags HexInt32 | — |
IsPowerActionCallIgnored UInt32 | — |
IsPowerPolicyEnabled UInt32 | — |
PowerPolicyAction UInt32 | — |
PowerPolicyBatteryLevel UInt32 | — |
PowerPolicyEventCode UInt32 | — |
PowerPolicyMinState UInt32 | — |
Event ID 525 —
Fields #
| Name | Description |
|---|---|
DurationInUs UInt64 | — |
Event ID 526 —
Event ID 527 —
Fields #
| Name | Description |
|---|---|
Event UInt32 | — |
Class UInt32 | — |
Count UInt64 | — |
Event ID 528 —
Fields #
| Name | Description |
|---|---|
Event UInt32 | — |
Intent UInt32 | — |
Event ID 529 —
Fields #
| Name | Description |
|---|---|
Intent UInt32 | — |
Class UInt32 | — |
PowerEvent UInt32 | — |
Event ID 530 —
Fields #
| Name | Description |
|---|---|
SessionId UInt32 | — |
RequestQueueId UInt32 | — |
Intent UInt32 | — |
Class UInt32 | — |
PowerEvent UInt32 | — |
VetoReason UInt32 | — |
Event ID 531 —
Fields #
| Name | Description |
|---|---|
SessionId UInt32 | — |
Action UInt32 | — |
Result UInt32 | — |
Event ID 532 —
Fields #
| Name | Description |
|---|---|
SessionId UInt32 | — |
Result UInt32 | — |
Event ID 533 —
Fields #
| Name | Description |
|---|---|
SessionId UInt32 | — |
PowerEvent UInt32 | — |
Action UInt32 | — |
AudioActivity Boolean | — |
DisconnectedStandbyMode UInt32 | — |
DsEnabled Boolean | — |
Event ID 534 —
Fields #
| Name | Description |
|---|---|
SessionId UInt32 | — |
Result UInt32 | — |
Event ID 535 —
Fields #
| Name | Description |
|---|---|
CsSessionId UInt8 | — |
Engaged Boolean | — |
CsSessionIdV2 UInt64 | — |
Event ID 536 —
Fields #
| Name | Description |
|---|---|
CsSessionId UInt8 | — |
WorkFlags UInt64 | — |
CsSessionIdV2 UInt64 | — |
Event ID 537 —
Fields #
| Name | Description |
|---|---|
CsSessionId UInt8 | — |
DeviceObject Pointer | — |
Event ID 538 —
Fields #
| Name | Description |
|---|---|
CsSessionId UInt8 | — |
Suspended Boolean | — |
Result UInt32 | — |
DurationMs UInt64 | — |
CsSessionIdV2 UInt64 | — |
Event ID 539 —
Fields #
| Name | Description |
|---|---|
CsSessionId UInt8 | — |
Suspended Boolean | — |
Result UInt32 | — |
DurationMs UInt64 | — |
CsSessionIdV2 UInt64 | — |
Event ID 540 —
Fields #
| Name | Description |
|---|---|
EnableResult UInt32 | — |
InitializationResult UInt32 | — |
Event ID 541 —
Fields #
| Name | Description |
|---|---|
SystemIdle Boolean | — |
Status UInt32 | — NTSTATUS reference |
TimeoutSource UInt32 | — |
Event ID 542 —
Fields #
| Name | Description |
|---|---|
RequestIndex UInt32 | — |
NumberOfRequests UInt32 | — |
QueueSize UInt32 | — |
Event ID 544 —
Fields #
| Name | Description |
|---|---|
OldMask UInt32 | — |
NewMask UInt32 | — |
SetFlags UInt32 | — |
ClearedFlags UInt32 | — |
Event ID 545 —
Fields #
| Name | Description |
|---|---|
BroadcastTreeId UInt32 | — |
IsRootDevice Boolean | — |
DeviceNode Pointer | — |
InstancePathLength UInt32 | — |
InstancePath UnicodeString | — |
VisitType UInt32 | — |
Event ID 546 —
Fields #
| Name | Description |
|---|---|
BroadcastTreeId UInt32 | — |
DeviceNode Pointer | — |
Reason UInt32 | — |
Event ID 547 —
Fields #
| Name | Description |
|---|---|
DeviceNode Pointer | — |
PowerDown Boolean | — |
Event ID 548 —
Fields #
| Name | Description |
|---|---|
DeviceNode Pointer | — |
PowerDown Boolean | — |
DevicePowerState UInt32 | — |
Event ID 549 —
Fields #
| Name | Description |
|---|---|
IdleTimeout UInt32 | — |
NotIdleEvents UInt32 | — |
IsSystemIdle Boolean | — |
Event ID 550 —
Fields #
| Name | Description |
|---|---|
EventType UInt32 | — |
TimeSinceEvent UInt32 | — |
IdleTimeout UInt32 | — |
WasIgnored Boolean | — |
BusyReason UInt32 | — |
Event ID 551 —
Fields #
| Name | Description |
|---|---|
ScanInterval UInt32 | — |
Event ID 552 —
Fields #
| Name | Description |
|---|---|
Reason UInt32 | — |
PreviousTimeoutSource UInt32 | — |
PreviousTimeout UInt32 | — |
NewTimeoutSource UInt32 | — |
NewTimeout UInt32 | — |
Event ID 553 —
Fields #
| Name | Description |
|---|---|
FxDevice Pointer | — |
DeviceNode Pointer | — |
InstancePathLength UInt32 | — |
InstancePath UnicodeString | — |
Event ID 554 —
Fields #
| Name | Description |
|---|---|
CsSessionId UInt8 | — |
DeviceNode Pointer | — |
FriendlyNameLength UInt32 | — |
FriendlyName UnicodeString | — |
HardwareIdLength UInt32 | — |
HardwareId UnicodeString | — |
DeviceClassNameLength UInt32 | — |
DeviceClassName UnicodeString | — |
DeviceClassGuidLength UInt32 | — |
DeviceClassGuid UnicodeString | — |
BroadcastTreeId UInt32 | — |
DfxTransitionCount UInt32 | — |
Ps4TransitionCount UInt32 | — |
Flags UInt32 | — |
Event ID 555 —
Fields #
| Name | Description |
|---|---|
Reason UInt32 | — |
TriggerFlags UInt32 | — |
UserNotify UInt32 | — |
PowerAction UInt32 | — |
PowerActionFlags UInt32 | — |
PowerActionEventCode UInt32 | — |
MinState UInt32 | — |
SubstitutionPolicy UInt32 | — |
LocalPowerAction UInt32 | — |
LocalPowerActionFlags UInt32 | — |
LocalPowerActionEventCode UInt32 | — |
Disabled Boolean | — |
RequesterNameLength UInt32 | — |
RequesterName AnsiString | — |
Event ID 556 —
Fields #
| Name | Description |
|---|---|
SessionId UInt64 | — |
RootDeviceNode Pointer | — |
ErrorDeviceNode Pointer | — |
ReasonCode UInt32 | — |
Count UInt32 | — |
Event ID 557 — A driver is attempting to update the system timer resolution to a value of RequestedResolution.
Event ID 558 —
Fields #
| Name | Description |
|---|---|
Intent UInt32 | — |
Class UInt32 | — |
Cause UInt32 | — |
Status UInt32 | — NTSTATUS reference |
CurrentTargetState UInt32 | — |
NextTargetState UInt32 | — |
PartA_PrivTags UInt64 | — |
TriageContextLength UInt32 | — |
TriageContext Binary | — |
Event ID 559 —
Event ID 560 —
Event ID 561 —
Fields #
| Name | Description |
|---|---|
CurrentInternalState UInt32 | — |
NextInternalState UInt32 | — |
Event ID 562 —
Fields #
| Name | Description |
|---|---|
CurrentTargetState UInt32 | — |
CurrentInternalState UInt32 | — |
Event ID 563 —
Event ID 564 —
Fields #
| Name | Description |
|---|---|
IsSleepEnter Boolean | — |
Token UInt32 | — |
CurrentTargetState UInt32 | — |
CurrentInternalState UInt32 | — |
Status UInt32 | — NTSTATUS reference |
Event ID 565 —
Fields #
| Name | Description |
|---|---|
Suspended Boolean | — |
SuspendCount Int32 | — |
Event ID 566 — The system session has transitioned from PreviousSessionId to NextSessionId.
Description
The system session has transitioned from PreviousSessionId to NextSessionId.
Fields #
| Name | Description |
|---|---|
BootId UInt32 | — |
Reason UInt32 | — |
PreviousSessionId UInt64 | — |
PreviousSessionType UInt32 | — |
PreviousSessionDurationInUs UInt64 | — |
PreviousEnergyCapacityAtStart UInt32 | — |
PreviousFullEnergyCapacityAtStart UInt32 | — |
PreviousEnergyCapacityAtEnd UInt32 | — |
PreviousFullEnergyCapacityAtEnd UInt32 | — |
NextSessionId UInt64 | — |
NextSessionType UInt32 | — |
PowerStateAc Boolean | — |
MonitorReason UInt32 | — |
Example Event #
```json
{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Power",
    "guid": "331C3B3A-2005-44C2-AC5E-77220C37D6B4",
    "event_source_name": "",
    "event_id": 566,
    "version": 0,
    "level": 4,
    "task": 268,
    "opcode": 0,
    "keywords": 9223372036854777348,
    "time_created": "2023-11-06T01:08:04.643524+00:00",
    "event_record_id": 2153,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 9012
    },
    "channel": "System",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "BootId": 13,
    "Reason": 32,
    "PreviousSessionId": 1,
    "PreviousSessionType": 1,
    "PreviousSessionDurationInUs": 324168323,
    "PreviousEnergyCapacityAtStart": 0,
    "PreviousFullEnergyCapacityAtStart": 0,
    "PreviousEnergyCapacityAtEnd": 0,
    "PreviousFullEnergyCapacityAtEnd": 0,
    "NextSessionId": 3,
    "NextSessionType": 0,
    "PowerStateAc": true,
    "MonitorReason": 32
  },
  "message": ""
}
```
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 567 —
Event ID 568 —
Event ID 569 —
Event ID 570 —
Event ID 571 —
Event ID 572 —
Event ID 573 —
Event ID 574 —
Event ID 575 —
Fields #
| Name | Description |
|---|---|
Token UInt32 | — |
ReasonDescriptionLength UInt32 | — |
ReasonDescription UnicodeString | — |
Event ID 576 —
Fields #
| Name | Description |
|---|---|
SessionId UInt32 | — |
LastInputTimestamp UInt64 | — |
LastDisplayOffTimestamp UInt64 | — |
SessionDisplayState UInt32 | — |
DisplayTimeout UInt32 | — |
InputTimeout UInt32 | — |
NotifyOnNextUserInput Boolean | — |
DisplayTimeoutSource UInt32 | — |
DimTimeout UInt32 | — |
DimTimeoutSource UInt32 | — |
Event ID 577 — The system has prepared for a system initiated reboot from AdaptiveTargetState.
Description
The system has prepared for a system initiated reboot from AdaptiveTargetState.
Fields #
| Name | Description |
|---|---|
AdaptiveTargetState UInt32 | — |
IsUnattended Boolean | — |
Status UInt32 | — NTSTATUS reference |
Example Event #
```json
{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Power",
    "guid": "331C3B3A-2005-44C2-AC5E-77220C37D6B4",
    "event_source_name": "",
    "event_id": 577,
    "version": 0,
    "level": 4,
    "task": 280,
    "opcode": 0,
    "keywords": 9223372036854775812,
    "time_created": "2023-11-06T06:23:40.830310+00:00",
    "event_record_id": 1622,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 388
    },
    "channel": "System",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "AdaptiveTargetState": 0,
    "IsUnattended": false,
    "Status": 279
  },
  "message": ""
}
```
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 578 — The system has detected a system initiated reboot from AdaptiveTargetState.
Description
The system has detected a system initiated reboot from AdaptiveTargetState.
Fields #
| Name | Description |
|---|---|
AdaptiveTargetState UInt32 | — |
IsUnattended Boolean | — |
Example Event #
```json
{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Power",
    "guid": "331C3B3A-2005-44C2-AC5E-77220C37D6B4",
    "event_source_name": "",
    "event_id": 578,
    "version": 0,
    "level": 4,
    "task": 281,
    "opcode": 0,
    "keywords": 9223372036854775812,
    "time_created": "2026-03-14T01:39:48.147324+00:00",
    "event_record_id": 2398,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 8
    },
    "channel": "System",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "AdaptiveTargetState": 6,
    "IsUnattended": false
  },
  "message": ""
}
```
Event ID 579 —
Fields #
| Name | Description |
|---|---|
ThreadToken Pointer | — |
Status UInt32 | — NTSTATUS reference |
FailurePoint UInt32 | — |
Event ID 580 —
Fields #
| Name | Description |
|---|---|
Result UInt8 | — |
VirtualConsole UInt8 | — |
SessionId UInt32 | — |
MonitorOnReason UInt32 | — |
Event ID 581 —
Fields #
| Name | Description |
|---|---|
ParamToken Pointer | — |
AttachMode UInt8 | — |
IsSingleSession UInt8 | — |
SessionId UInt32 | — |
Type UInt8 | — |
IsSync UInt8 | — |
Event ID 582 —
Fields #
| Name | Description |
|---|---|
ParamToken Pointer | — |
PsStatus UInt32 | — |
SkipReason UInt32 | — |
Event ID 583 —
Fields #
| Name | Description |
|---|---|
ParamToken Pointer | — |
AttachMode UInt8 | — |
IsSingleSession UInt8 | — |
SessionId UInt32 | — |
EventNumber UInt8 | — |
EventCode Pointer | — |
Event ID 584 —
Fields #
| Name | Description |
|---|---|
ParamToken Pointer | — |
PsStatus UInt32 | — |
SkipReason UInt32 | — |
Event ID 585 —
Fields #
| Name | Description |
|---|---|
ParameterToken Pointer | — |
AttachMode UInt8 | — |
IsSingleSession UInt8 | — |
SessionId UInt32 | — |
PowerAction UInt32 | — |
MinState UInt32 | — |
PowerActionFlags UInt32 | — |
PowerStateTask UInt32 | — |
Event ID 586 —
Fields #
| Name | Description |
|---|---|
ParamToken Pointer | — |
PsStatus UInt32 | — |
SkipReason UInt32 | — |
Event ID 587 —
Fields #
| Name | Description |
|---|---|
Irp Pointer | — |
DeviceInstancePathLength UInt32 | — |
DeviceInstancePath UnicodeString | — |
Event ID 588 —
Fields #
| Name | Description |
|---|---|
TimerType UInt32 | — |
Duration Int64 | — |
Event ID 589 —
Fields #
| Name | Description |
|---|---|
TimerType UInt32 | — |
Event ID 590 —
Fields #
| Name | Description |
|---|---|
TimerType UInt32 | — |
Event ID 591 —
Fields #
| Name | Description |
|---|---|
Token Pointer | — |
DeviceIdLength UInt32 | — |
DeviceId UnicodeString | — |
CallerLength UInt32 | — |
Caller UnicodeString | — |
ContextLength UInt32 | — |
Context UnicodeString | — |
ReasonLength UInt32 | — |
Reason Binary | — |
LimitCount UInt32 | — |
Values Float | — |
Event ID 592 —
Fields #
| Name | Description |
|---|---|
Token Pointer | — |
DeviceIdLength UInt32 | — |
DeviceId UnicodeString | — |
CallerLength UInt32 | — |
Caller UnicodeString | — |
ContextLength UInt32 | — |
Context UnicodeString | — |
ReasonLength UInt32 | — |
Reason Binary | — |
LimitCount UInt32 | — |
Values Float | — |
Event ID 593 —
Fields #
| Name | Description |
|---|---|
Token Pointer | — |
DeviceIdLength UInt32 | — |
DeviceId UnicodeString | — |
CallerLength UInt32 | — |
Caller UnicodeString | — |
ContextLength UInt32 | — |
Context UnicodeString | — |
ReasonLength UInt32 | — |
Reason Binary | — |
LimitCount UInt32 | — |
Values Float | — |
Event ID 594 —
Fields #
| Name | Description |
|---|---|
Token Pointer | — |
ReasonLength UInt32 | — |
Reason Binary | — |
LimitCount UInt32 | — |
Values Int16 | — |
Event ID 595 —
Fields #
| Name | Description |
|---|---|
Token Pointer | — |
DeviceIdLength UInt32 | — |
DeviceId UnicodeString | — |
LimitCount UInt32 | — |
Attributes Int16 | — |
Event ID 596 —
Fields #
| Name | Description |
|---|---|
Token Pointer | — |
DeviceIdLength UInt32 | — |
DeviceId UnicodeString | — |
LimitCount UInt32 | — |
Attributes Int16 | — |
Event ID 597 —
Fields #
| Name | Description |
|---|---|
Token Pointer | — |
DeviceIdLength UInt32 | — |
DeviceId UnicodeString | — |
LimitCount UInt32 | — |
Attributes Int16 | — |
Event ID 598 —
Fields #
| Name | Description |
|---|---|
Token Pointer | — |
LimitCount UInt32 | — |
Values Int8 | — |
Event ID 599 —
Fields #
| Name | Description |
|---|---|
State Int32 | — |
Reason Int32 | — |
Event ID 600 —
Fields #
| Name | Description |
|---|---|
Status UInt32 | — NTSTATUS reference |
FailurePoint UInt32 | — |
Event ID 601 —
Description
Hibernate was disabled because invalid system binaries were detected. Min SVN required was , Actual SVN is . OS version of Invalid Binary: .
Fields #
| Name | Description |
|---|---|
MinSVN UInt32 | — |
HiberrsmSVN UInt32 | — |
HiberrsmOSVersion UInt32 | — |
Event ID 601 — Hibernate was disabled because invalid system binaries were detected.
Event ID 602 —
Fields #
| Name | Description |
|---|---|
PrevState UInt32 | — |
TargetState UInt32 | — |
Promoted UInt32 | — |
Entered UInt32 | — |
SettingGuid GUID | — |
NewSettingValue UInt32 | — |