Microsoft-Windows-Kernel-Process

27 events across 2 channels

Event ID	Title	Channel
1	Process %1 started at time %2 by parent %3 running in session %4 with name %5.	Analytic
2	Process %1 (which started at time %3) stopped at time %4 with exit code %5.	Analytic
3	Thread %2 (in Process %1) started.	Analytic
4	Thread %2 (in Process %1) stopped.	Analytic
5	Process %3 had an image loaded with name %7.	Analytic
6	Process %3 had an image unloaded with name %7.	Analytic
7	Base CPU priority of thread %2 in process %1 was changed from %3 to %4.	Analytic
8	CPU priority of thread %2 in process %1 was changed from %3 to %4.	Analytic
9	Page priority of thread %2 in process %1 was changed from %3 to %4.	Analytic
10	I/O priority of thread %2 in process %1 was changed from %3 to %4.	Analytic
11	Execution of the process %1 has been suspended.	Analytic
12	Execution of the process %1 has been resumed.	Analytic
13	Job %1 started with status code %2.	Analytic
14	Job %1 terminated with status code %2.	Analytic
15	Enumerated process %1 had started at time %2 by parent %3 running in session %4 …	Analytic
16		Operational
17		Analytic
18		Analytic
19		Analytic
20		Analytic
21		Analytic
22		Analytic
23		Analytic
24		Analytic
25		Analytic
26		Analytic
27		Analytic

Event ID 1 — Process %1 started at time %2 by parent %3 running in session %4 with name %5.

Provider: Microsoft-Windows-Kernel-Process
Channel: Analytic

Message

Process %1 started at time %2 by parent %3 running in session %4 with name %5.

Fields

Name	Description
`ProcessID`	—
`ProcessSequenceNumber`	—
`CreateTime`	—
`ParentProcessID`	—
`ParentProcessSequenceNumber`	—
`SessionID`	—
`Flags`	—
`ProcessTokenElevationType`	—
`ProcessTokenIsElevated`	—
`MandatoryLabel`	—
`ImageName`	—
`ImageChecksum`	—
`TimeDateStamp`	—
`PackageFullName`	—
`PackageRelativeAppId`	—
`SecurityMitigations`	—

Event ID 2 — Process %1 (which started at time %3) stopped at time %4 with exit code %5.

Provider: Microsoft-Windows-Kernel-Process
Channel: Analytic

Message

Process %1 (which started at time %3) stopped at time %4 with exit code %5.

Fields

Name	Description
`ProcessID`	—
`ProcessSequenceNumber`	—
`CreateTime`	—
`ExitTime`	—
`ExitCode`	—
`TokenElevationType`	—
`HandleCount`	—
`CommitCharge`	—
`CommitPeak`	—
`CPUCycleCount`	—
`ReadOperationCount`	—
`WriteOperationCount`	—
`ReadTransferKiloBytes`	—
`WriteTransferKiloBytes`	—
`HardFaultCount`	—
`ImageName`	—

Event ID 3 — Thread %2 (in Process %1) started.

Provider: Microsoft-Windows-Kernel-Process
Channel: Analytic

Message

Thread %2 (in Process %1) started.

Fields

Name	Description
`ProcessID`	—
`ThreadID`	—
`StackBase`	—
`StackLimit`	—
`UserStackBase`	—
`UserStackLimit`	—
`StartAddr`	—
`Win32StartAddr`	—
`TebBase`	—
`SubProcessTag`	—

Event ID 4 — Thread %2 (in Process %1) stopped.

Provider: Microsoft-Windows-Kernel-Process
Channel: Analytic

Message

Thread %2 (in Process %1) stopped.

Fields

Name	Description
`ProcessID`	—
`ThreadID`	—
`StackBase`	—
`StackLimit`	—
`UserStackBase`	—
`UserStackLimit`	—
`StartAddr`	—
`Win32StartAddr`	—
`TebBase`	—
`SubProcessTag`	—
`CycleTime`	—

Event ID 5 — Process %3 had an image loaded with name %7.

Provider: Microsoft-Windows-Kernel-Process
Channel: Analytic

Message

Process %3 had an image loaded with name %7.

Fields

Name	Description
`ImageBase`	—
`ImageSize`	—
`ProcessID`	—
`ImageCheckSum`	—
`TimeDateStamp`	—
`DefaultBase`	—
`ImageName`	—

Event ID 6 — Process %3 had an image unloaded with name %7.

Provider: Microsoft-Windows-Kernel-Process
Channel: Analytic

Message

Process %3 had an image unloaded with name %7.

Fields

Name	Description
`ImageBase`	—
`ImageSize`	—
`ProcessID`	—
`ImageCheckSum`	—
`TimeDateStamp`	—
`DefaultBase`	—
`ImageName`	—

Event ID 7 — Base CPU priority of thread %2 in process %1 was changed from %3 to %4.

Provider: Microsoft-Windows-Kernel-Process
Channel: Analytic

Message

Base CPU priority of thread %2 in process %1 was changed from %3 to %4.

Fields

Name	Description
`ProcessID`	—
`ThreadID`	—
`OldPriority`	—
`NewPriority`	—

Event ID 8 — CPU priority of thread %2 in process %1 was changed from %3 to %4.

Provider: Microsoft-Windows-Kernel-Process
Channel: Analytic

Message

CPU priority of thread %2 in process %1 was changed from %3 to %4.

Fields

Name	Description
`ProcessID`	—
`ThreadID`	—
`OldPriority`	—
`NewPriority`	—

Event ID 9 — Page priority of thread %2 in process %1 was changed from %3 to %4.

Provider: Microsoft-Windows-Kernel-Process
Channel: Analytic

Message

Page priority of thread %2 in process %1 was changed from %3 to %4.

Fields

Name	Description
`ProcessID`	—
`ThreadID`	—
`OldPriority`	—
`NewPriority`	—

Event ID 10 — I/O priority of thread %2 in process %1 was changed from %3 to %4.

Provider: Microsoft-Windows-Kernel-Process
Channel: Analytic

Message

I/O priority of thread %2 in process %1 was changed from %3 to %4.

Fields

Name	Description
`ProcessID`	—
`ThreadID`	—
`OldPriority`	—
`NewPriority`	—

Event ID 11 — Execution of the process %1 has been suspended.

Provider: Microsoft-Windows-Kernel-Process
Channel: Analytic

Message

Execution of the process %1 has been suspended.

Fields

Name	Description
`FrozenProcessID`	—
`CreateTime`	—

Event ID 12 — Execution of the process %1 has been resumed.

Provider: Microsoft-Windows-Kernel-Process
Channel: Analytic

Message

Execution of the process %1 has been resumed.

Fields

Name	Description
`FrozenProcessID`	—
`CreateTime`	—

Event ID 13 — Job %1 started with status code %2.

Provider: Microsoft-Windows-Kernel-Process
Channel: Analytic

Message

Job %1 started with status code %2.

Fields

Name	Description
`Container ID`	—
`Job ID`	—
`StatusCode`	—
`ContainerID`	—
`JobID`	—

Event ID 14 — Job %1 terminated with status code %2.

Provider: Microsoft-Windows-Kernel-Process
Channel: Analytic

Message

Job %1 terminated with status code %2.

Fields

Name	Description
`Container ID`	—
`Job ID`	—
`StatusCode`	—
`ContainerID`	—
`JobID`	—

Event ID 15 — Enumerated process %1 had started at time %2 by parent %3 running in session %4 with name %6.

Provider: Microsoft-Windows-Kernel-Process
Channel: Analytic

Message

Enumerated process %1 had started at time %2 by parent %3 running in session %4 with name %6.

Fields

Name	Description
`ProcessID`	—
`ProcessSequenceNumber`	—
`CreateTime`	—
`ParentProcessID`	—
`ParentProcessSequenceNumber`	—
`SessionID`	—
`Flags`	—
`ProcessTokenElevationType`	—
`ProcessTokenIsElevated`	—
`MandatoryLabel`	—
`ImageName`	—
`ImageChecksum`	—
`TimeDateStamp`	—
`PackageFullName`	—
`PackageRelativeAppId`	—
`SecurityMitigations`	—

Event ID 16 —

Provider: Microsoft-Windows-Kernel-Process
Channel: Operational

Event ID 17 —

Provider: Microsoft-Windows-Kernel-Process
Channel: Analytic

Fields

Name	Description
`Job ID`	—
`DiskIoAttribution`	—
`StatusCode`	—
`JobID`	—

Event ID 18 —

Provider: Microsoft-Windows-Kernel-Process
Channel: Analytic

Fields

Name	Description
`Job ID`	—
`DiskIoAttribution`	—
`StatusCode`	—
`JobID`	—

Event ID 19 —

Provider: Microsoft-Windows-Kernel-Process
Channel: Analytic

Fields

Name	Description
`Job ID`	—
`IoRateControl`	—
`MaxIops`	—
`MaxBandwidth`	—
`MaxTimePercent`	—
`ReservationIops`	—
`ReservationBandwidth`	—
`ReservationTimePercent`	—
`CriticalReservationIops`	—
`CriticalReservationBandwidth`	—
`CriticalReservationTimePercent`	—
`SoftMaxIops`	—
`SoftMaxBandwidth`	—
`SoftMaxTimePercent`	—
`ControlFlags`	—
`VolumeName`	—
`StatusCode`	—
`JobID`	—

Event ID 20 —

Provider: Microsoft-Windows-Kernel-Process
Channel: Analytic

Fields

Name	Description
`Job ID`	—
`IoRateControl`	—
`MaxIops`	—
`MaxBandwidth`	—
`MaxTimePercent`	—
`ReservationIops`	—
`ReservationBandwidth`	—
`ReservationTimePercent`	—
`CriticalReservationIops`	—
`CriticalReservationBandwidth`	—
`CriticalReservationTimePercent`	—
`SoftMaxIops`	—
`SoftMaxBandwidth`	—
`SoftMaxTimePercent`	—
`ControlFlags`	—
`VolumeName`	—
`StatusCode`	—
`JobID`	—

Event ID 21 —

Provider: Microsoft-Windows-Kernel-Process
Channel: Analytic

Fields

Name	Description
`OldWorkOnBehalfThreadID`	—
`NewWorkOnBehalfThreadID`	—

Event ID 22 —

Provider: Microsoft-Windows-Kernel-Process
Channel: Analytic

Fields

Name	Description
`Container ID`	—
`Job ID`	—
`State`	—
`ContainerID`	—
`JobID`	—

Event ID 23 —

Provider: Microsoft-Windows-Kernel-Process
Channel: Analytic

Fields

Name	Description
`Container ID`	—
`Job ID`	—
`MonitorName`	—
`ContainerID`	—
`JobID`	—

Event ID 24 —

Provider: Microsoft-Windows-Kernel-Process
Channel: Analytic

Fields

Name	Description
`Container ID`	—
`Job ID`	—
`Status`	—
`MonitorName`	—
`ContainerID`	—
`JobID`	—

Event ID 25 —

Provider: Microsoft-Windows-Kernel-Process
Channel: Analytic

Fields

Name	Description
`Container ID`	—
`Job ID`	—
`MonitorName`	—
`ContainerID`	—
`JobID`	—

Event ID 26 —

Provider: Microsoft-Windows-Kernel-Process
Channel: Analytic

Fields

Name	Description
`Container ID`	—
`Job ID`	—
`MonitorName`	—
`ContainerID`	—
`JobID`	—

Event ID 27 —

Provider: Microsoft-Windows-Kernel-Process
Channel: Analytic

Fields

Name	Description
`ProcessName`	—
`ProcessID`	—