Microsoft-Windows-Kernel-Process
27 events across 2 channels
Event ID 1 — Process ProcessID started at time CreateTime by parent ParentProcessID running in session SessionID with name ImageName.
Description
Process ProcessID started at time CreateTime by parent ParentProcessID running in session SessionID with name ImageName.
Message
Fields
| Name | Type | Description |
|---|---|---|
| ProcessID | UInt32 | — |
| ProcessSequenceNumber | UInt64 | — |
| CreateTime | FILETIME | — |
| ParentProcessID | UInt32 | — |
| ParentProcessSequenceNumber | UInt64 | — |
| SessionID | UInt32 | — |
| Flags | UInt32 | — |
| ProcessTokenElevationType | UInt32 | — |
| ProcessTokenIsElevated | UInt32 | — |
| MandatoryLabel | SID | — |
| ImageName | UnicodeString | — |
| ImageChecksum | UInt32 | — |
| TimeDateStamp | UInt32 | — |
| PackageFullName | UnicodeString | — |
| PackageRelativeAppId | UnicodeString | — |
| SecurityMitigations | UInt32 | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Kernel-Process",
"guid": "{22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716}",
"event_source_name": "",
"event_id": "1",
"version": "3",
"level": "4",
"task": "1",
"opcode": "1",
"keywords": 9223372036854775824,
"time_created": "2026-03-16T00:21:34.692445600+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "10736",
"thread_id": "11352"
},
"channel": "Microsoft-Windows-Kernel-Process/Analytic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"ProcessID": " 12824",
"ProcessSequenceNumber": "11445",
"CreateTime": "2026-03-16T00:21:34.692334100Z",
"ParentProcessID": " 10736",
"ParentProcessSequenceNumber": "11430",
"SessionID": " 0",
"Flags": " 0",
"ProcessTokenElevationType": " 1",
"ProcessTokenIsElevated": " 1",
"MandatoryLabel": "S-1-16-12288",
"ImageName": "\\Device\\HarddiskVolume4\\Windows\\System32\\logman.exe",
"ImageChecksum": "0x23D2D",
"TimeDateStamp": "0x4E0C0A88",
"PackageFullName": "",
"PackageRelativeAppId": ""
},
"message": ""
}
Event ID 2 — Process ProcessID (which started at time CreateTime) stopped at time ExitTime with exit code ExitCode.
Description
Process ProcessID (which started at time CreateTime) stopped at time ExitTime with exit code ExitCode.
Message
Fields
| Name | Type | Description |
|---|---|---|
| ProcessID | UInt32 | — |
| ProcessSequenceNumber | UInt64 | — |
| CreateTime | FILETIME | — |
| ExitTime | FILETIME | — |
| ExitCode | UInt32 | — |
| TokenElevationType | UInt32 | Known values (TOKEN_ELEVATION_TYPE): 1 = TokenElevationTypeDefault, 2 = TokenElevationTypeFull, 3 = TokenElevationTypeLimited |
| HandleCount | UInt32 | — |
| CommitCharge | UInt64 | — |
| CommitPeak | UInt64 | — |
| CPUCycleCount | UInt64 | — |
| ReadOperationCount | UInt32 | — |
| WriteOperationCount | UInt32 | — |
| ReadTransferKiloBytes | UInt32 | — |
| WriteTransferKiloBytes | UInt32 | — |
| HardFaultCount | UInt32 | — |
| ImageName | AnsiString | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Kernel-Process",
"guid": "{22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716}",
"event_source_name": "",
"event_id": "2",
"version": "2",
"level": "4",
"task": "2",
"opcode": "2",
"keywords": 9223372036854775824,
"time_created": "2026-03-16T00:21:34.683819100+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12260",
"thread_id": "12100"
},
"channel": "Microsoft-Windows-Kernel-Process/Analytic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"ProcessID": " 12260",
"ProcessSequenceNumber": "11443",
"CreateTime": "2026-03-16T00:21:34.308419900Z",
"ExitTime": "2026-03-16T00:21:34.682710100Z",
"ExitCode": " 0",
"TokenElevationType": " 1",
"HandleCount": " 122",
"CommitCharge": "1835008",
"CommitPeak": "2371584",
"CPUCycleCount": "365618549",
"ReadOperationCount": " 0",
"WriteOperationCount": " 1",
"ReadTransferKiloBytes": " 0",
"WriteTransferKiloBytes": " 0",
"HardFaultCount": " 0",
"ImageName": "logman.exe"
},
"message": ""
}
Event ID 3 — Thread ThreadID (in Process ProcessID) started.
Description
Thread ThreadID (in Process ProcessID) started.
Message
Fields
| Name | Type | Description |
|---|---|---|
| ProcessID | UInt32 | — |
| ThreadID | UInt32 | — |
| StackBase | Pointer | — |
| StackLimit | Pointer | — |
| UserStackBase | Pointer | — |
| UserStackLimit | Pointer | — |
| StartAddr | Pointer | — |
| Win32StartAddr | Pointer | — |
| TebBase | Pointer | — |
| SubProcessTag | UInt32 | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Kernel-Process",
"guid": "{22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716}",
"event_source_name": "",
"event_id": "3",
"version": "1",
"level": "4",
"task": "3",
"opcode": "1",
"keywords": 9223372036854775840,
"time_created": "2026-03-16T00:21:34.697172400+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "10736",
"thread_id": "11352"
},
"channel": "Microsoft-Windows-Kernel-Process/Analytic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"ProcessID": " 12824",
"ThreadID": " 8012",
"StackBase": "0xFFFF95027FC38000",
"StackLimit": "0xFFFF95027FC32000",
"UserStackBase": "0xE6783B0000",
"UserStackLimit": "0xE6783AE000",
"StartAddr": "0x7FF7CE4D1BE0",
"Win32StartAddr": "0x7FF7CE4D1BE0",
"TebBase": "0xE6784AA000",
"SubProcessTag": " 0"
},
"message": ""
}
Event ID 4 — Thread ThreadID (in Process ProcessID) stopped.
Description
Thread ThreadID (in Process ProcessID) stopped.
Message
Fields
| Name | Type | Description |
|---|---|---|
| ProcessID | UInt32 | — |
| ThreadID | UInt32 | — |
| StackBase | Pointer | — |
| StackLimit | Pointer | — |
| UserStackBase | Pointer | — |
| UserStackLimit | Pointer | — |
| StartAddr | Pointer | — |
| Win32StartAddr | Pointer | — |
| TebBase | Pointer | — |
| SubProcessTag | UInt32 | — |
| CycleTime | UInt64 | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Kernel-Process",
"guid": "{22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716}",
"event_source_name": "",
"event_id": "4",
"version": "1",
"level": "4",
"task": "4",
"opcode": "2",
"keywords": 9223372036854775840,
"time_created": "2026-03-16T00:21:34.681762900+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12260",
"thread_id": "10668"
},
"channel": "Microsoft-Windows-Kernel-Process/Analytic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"ProcessID": " 12260",
"ThreadID": " 10668",
"StackBase": "0xFFFF95027FBAB000",
"StackLimit": "0xFFFF95027FBA5000",
"UserStackBase": "0xF308500000",
"UserStackLimit": "0xF3084FE000",
"StartAddr": "0x7FFC84CA5720",
"Win32StartAddr": "0x7FFC84CA5720",
"TebBase": "0xF308318000",
"SubProcessTag": " 0",
"CycleTime": "0x7BC303"
},
"message": ""
}
Event ID 5 — Process ProcessID had an image loaded with name ImageName.
Description
Process ProcessID had an image loaded with name ImageName.
Message
Fields
| Name | Type | Description |
|---|---|---|
| ImageBase | Pointer | — |
| ImageSize | Pointer | — |
| ProcessID | UInt32 | — |
| ImageCheckSum | UInt32 | — |
| TimeDateStamp | UInt32 | — |
| DefaultBase | Pointer | — |
| ImageName | UnicodeString | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Kernel-Process",
"guid": "{22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716}",
"event_source_name": "",
"event_id": "5",
"version": "0",
"level": "4",
"task": "5",
"opcode": "0",
"keywords": 9223372036854775872,
"time_created": "2026-03-16T00:21:34.701692800+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12824",
"thread_id": "8012"
},
"channel": "Microsoft-Windows-Kernel-Process/Analytic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"ImageBase": "0x7FF7CE4C0000",
"ImageSize": "0x1E000",
"ProcessID": " 12824",
"ImageCheckSum": " 146733",
"TimeDateStamp": "1309411976",
"DefaultBase": "0x7FF7CE4C0000",
"ImageName": "\\Device\\HarddiskVolume4\\Windows\\System32\\logman.exe"
},
"message": ""
}
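The four sample records above (events 1, 2, 3 and 5) are enough to show how a practitioner consumes this provider. The script below is an added example, not code from the page or from Microsoft: it parses records in exactly the JSON shape shown here, keys the process table on ProcessSequenceNumber rather than ProcessID (a PID can be reused as soon as event 2 has fired; the sequence number cannot), decodes MandatoryLabel and ProcessTokenElevationType with the Windows SDK constants, and checks each thread start (event 3) against the image ranges loaded into that process (event 5). The keyword labels are an assumption from the bit values in the samples; confirm them with `wevtutil gp Microsoft-Windows-Kernel-Process`. The embedded records are constructed from this page's examples, trimmed to the fields used.

```python
"""Added example, not code from the original page: correlate Kernel-Process
events 1, 2, 3 and 5 using the JSON record shape shown in the examples above."""

RESERVED_BIT = 1 << 63  # Microsoft-reserved keyword bit set on every sample event

# Keyword bits exactly as they appear in this page's sample events, labelled with
# the provider's WINEVENT_KEYWORD_* names (assumed; confirm with wevtutil gp).
KEYWORDS = {0x10: "PROCESS", 0x20: "THREAD", 0x40: "IMAGE", 0x80: "CPU_PRIORITY",
            0x100: "OTHER_PRIORITY", 0x400: "JOB", 0x2000: "WORK_ON_BEHALF"}
# Windows SDK constants: SECURITY_MANDATORY_*_RID for S-1-16-<rid> labels and
# the TOKEN_ELEVATION_TYPE enumeration.
INTEGRITY = {0x0: "Untrusted", 0x1000: "Low", 0x2000: "Medium", 0x3000: "High", 0x4000: "System"}
ELEVATION = {1: "Default", 2: "Full", 3: "Limited"}


def num(value):
    """Parse event_data's string-encoded numbers: ' 12824', '11445', '0x1E000'."""
    text = str(value).strip()
    return int(text, 16) if text.lower().startswith("0x") else int(text)


def keyword_names(keywords):
    """Names of the provider keyword bits set in a record's system.keywords."""
    bits = int(keywords) & ~RESERVED_BIT
    return [name for bit, name in sorted(KEYWORDS.items()) if bits & bit]


def integrity_level(sid):
    """Map a MandatoryLabel SID (S-1-16-<rid>) to its integrity level name."""
    return INTEGRITY.get(int(sid.rsplit("-", 1)[1]), "Unknown")


def correlate(records):
    """Return (process table keyed by ProcessSequenceNumber, thread-start checks).

    Events 3 and 5 carry only a PID, so each is resolved to the sequence number
    of the process owning that PID at the time; the mapping is dropped on event 2
    because the PID may be reused right after exit.
    """
    events = sorted(records, key=lambda e: e["system"]["time_created"])
    procs, live, images, threads = {}, {}, {}, []
    for ev in events:
        eid, d = int(ev["system"]["event_id"]), ev["event_data"]
        pid = num(d["ProcessID"])
        if eid == 1:
            seq = num(d["ProcessSequenceNumber"])
            procs[seq] = {"pid": pid, "image": d["ImageName"],
                          "parent_seq": num(d["ParentProcessSequenceNumber"]),
                          "session": num(d["SessionID"]),
                          "elevation": ELEVATION.get(num(d["ProcessTokenElevationType"])),
                          "elevated": bool(num(d["ProcessTokenIsElevated"])),
                          "integrity": integrity_level(d["MandatoryLabel"])}
            live[pid] = seq
        elif eid == 2:
            seq = num(d["ProcessSequenceNumber"])
            # No event 1 if the process predates the trace: keep what event 2 tells us.
            procs.setdefault(seq, {"pid": pid, "image": d["ImageName"]})
            procs[seq]["exit_code"] = num(d["ExitCode"])
            live.pop(pid, None)
        elif eid == 5:
            base = num(d["ImageBase"])  # key is None if the owner's start was not seen
            images.setdefault(live.get(pid), []).append(
                (base, base + num(d["ImageSize"]), d["ImageName"]))
        elif eid == 3:
            threads.append((live.get(pid), num(d["ThreadID"]), num(d["StartAddr"])))
    # Second pass on purpose: in the sample the initial thread's event 3 arrives
    # before the main image's event 5, so a streaming check would flag it wrongly.
    checks = []
    for seq, tid, addr in threads:
        backing = next((n for lo, hi, n in images.get(seq, []) if lo <= addr < hi), None)
        checks.append({"seq": seq, "tid": tid, "start_addr": addr, "backing_image": backing})
    return procs, checks


# Constructed sample: this page's example events 2, 1, 3 and 5 reduced to the
# fields used above (record order deliberately matches the page, not time order).
SAMPLE_EVENTS = [
    {"system": {"event_id": "2", "keywords": 9223372036854775824,
                "time_created": "2026-03-16T00:21:34.683819100+00:00"},
     "event_data": {"ProcessID": " 12260", "ProcessSequenceNumber": "11443",
                    "ExitCode": " 0", "ImageName": "logman.exe"}},
    {"system": {"event_id": "1", "keywords": 9223372036854775824,
                "time_created": "2026-03-16T00:21:34.692445600+00:00"},
     "event_data": {"ProcessID": " 12824", "ProcessSequenceNumber": "11445",
                    "ParentProcessID": " 10736", "ParentProcessSequenceNumber": "11430",
                    "SessionID": " 0", "ProcessTokenElevationType": " 1",
                    "ProcessTokenIsElevated": " 1", "MandatoryLabel": "S-1-16-12288",
                    "ImageName": "\\Device\\HarddiskVolume4\\Windows\\System32\\logman.exe"}},
    {"system": {"event_id": "3", "keywords": 9223372036854775840,
                "time_created": "2026-03-16T00:21:34.697172400+00:00"},
     "event_data": {"ProcessID": " 12824", "ThreadID": " 8012", "StartAddr": "0x7FF7CE4D1BE0"}},
    {"system": {"event_id": "5", "keywords": 9223372036854775872,
                "time_created": "2026-03-16T00:21:34.701692800+00:00"},
     "event_data": {"ProcessID": " 12824", "ImageBase": "0x7FF7CE4C0000", "ImageSize": "0x1E000",
                    "ImageName": "\\Device\\HarddiskVolume4\\Windows\\System32\\logman.exe"}},
]

if __name__ == "__main__":
    table, thread_checks = correlate(SAMPLE_EVENTS)
    for seq, info in sorted(table.items()):
        print(seq, info)
    print(thread_checks)
    print([keyword_names(ev["system"]["keywords"]) for ev in SAMPLE_EVENTS])
```

On the page's own data this resolves thread 8012's StartAddr 0x7FF7CE4D1BE0 to logman.exe, whose event 5 places it at 0x7FF7CE4C0000 through 0x7FF7CE4DE000; a thread whose start address falls in no loaded image is the case worth alerting on. Two caveats the samples make visible: the thread start for process 12824 is recorded before the main image load, so the image table must be complete before thread starts are judged, and process 12260 has only an exit record because it started before the trace began. Note also that ProcessTokenElevationType 1 (Default) means the token has no UAC linked token, so ProcessTokenIsElevated and the S-1-16-12288 (High) label are what tell you this was an administrative process.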
Event ID 6 — Process ProcessID had an image unloaded with name ImageName.
Description
Process ProcessID had an image unloaded with name ImageName.
Message
Fields
| Name | Type | Description |
|---|---|---|
| ImageBase | Pointer | — |
| ImageSize | Pointer | — |
| ProcessID | UInt32 | — |
| ImageCheckSum | UInt32 | — |
| TimeDateStamp | UInt32 | — |
| DefaultBase | Pointer | — |
| ImageName | UnicodeString | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Kernel-Process",
"guid": "{22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716}",
"event_source_name": "",
"event_id": "6",
"version": "0",
"level": "4",
"task": "6",
"opcode": "0",
"keywords": 9223372036854775872,
"time_created": "2026-03-16T00:21:34.680221700+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12260",
"thread_id": "12100"
},
"channel": "Microsoft-Windows-Kernel-Process/Analytic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"ImageBase": "0x7FFC81110000",
"ImageSize": "0x34000",
"ProcessID": " 12260",
"ImageCheckSum": " 240996",
"TimeDateStamp": "4066697849",
"DefaultBase": "0x7FFC81110000",
"ImageName": "\\Device\\HarddiskVolume4\\Windows\\System32\\ntmarta.dll"
},
"message": ""
}
Event ID 7 — Base CPU priority of thread ThreadID in process ProcessID was changed from OldPriority to NewPriority.
Description
Base CPU priority of thread ThreadID in process ProcessID was changed from OldPriority to NewPriority.
Message
Fields
| Name | Type | Description |
|---|---|---|
| ProcessID | UInt32 | — |
| ThreadID | UInt32 | — |
| OldPriority | UInt8 | — |
| NewPriority | UInt8 | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Kernel-Process",
"guid": "{22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716}",
"event_source_name": "",
"event_id": "7",
"version": "0",
"level": "4",
"task": "7",
"opcode": "0",
"keywords": 9223372036854775936,
"time_created": "2026-03-16T00:21:34.685256600+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "3668",
"thread_id": "9620"
},
"channel": "Microsoft-Windows-Kernel-Process/Analytic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"ProcessID": " 3668",
"ThreadID": " 9620",
"OldPriority": "14",
"NewPriority": "8"
},
"message": ""
}
Event ID 8 — CPU priority of thread ThreadID in process ProcessID was changed from OldPriority to NewPriority.
Description
CPU priority of thread ThreadID in process ProcessID was changed from OldPriority to NewPriority.
Message
Fields
| Name | Type | Description |
|---|---|---|
| ProcessID | UInt32 | — |
| ThreadID | UInt32 | — |
| OldPriority | UInt8 | — |
| NewPriority | UInt8 | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Kernel-Process",
"guid": "{22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716}",
"event_source_name": "",
"event_id": "8",
"version": "0",
"level": "4",
"task": "8",
"opcode": "0",
"keywords": 9223372036854775936,
"time_created": "2026-03-16T00:21:34.751233600+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "4168",
"thread_id": "6828"
},
"channel": "Microsoft-Windows-Kernel-Process/Analytic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"ProcessID": " 4168",
"ThreadID": " 6828",
"OldPriority": "8",
"NewPriority": "16"
},
"message": ""
}
Event ID 9 — Page priority of thread ThreadID in process ProcessID was changed from OldPriority to NewPriority.
Description
Page priority of thread ThreadID in process ProcessID was changed from OldPriority to NewPriority.
Message
Fields
| Name | Type | Description |
|---|---|---|
| ProcessID | UInt32 | — |
| ThreadID | UInt32 | — |
| OldPriority | UInt8 | — |
| NewPriority | UInt8 | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Kernel-Process",
"guid": "{22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716}",
"event_source_name": "",
"event_id": "9",
"version": "0",
"level": "4",
"task": "9",
"opcode": "0",
"keywords": 9223372036854776064,
"time_created": "2026-03-16T00:21:34.685648100+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "3264",
"thread_id": "3448"
},
"channel": "Microsoft-Windows-Kernel-Process/Analytic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"ProcessID": " 3264",
"ThreadID": " 3448",
"OldPriority": "5",
"NewPriority": "1"
},
"message": ""
}
Event ID 10 — I/O priority of thread ThreadID in process ProcessID was changed from OldPriority to NewPriority.
Description
I/O priority of thread ThreadID in process ProcessID was changed from OldPriority to NewPriority.
Message
Fields
| Name | Type | Description |
|---|---|---|
| ProcessID | UInt32 | — |
| ThreadID | UInt32 | — |
| OldPriority | UInt8 | — |
| NewPriority | UInt8 | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Kernel-Process",
"guid": "{22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716}",
"event_source_name": "",
"event_id": "10",
"version": "0",
"level": "4",
"task": "10",
"opcode": "0",
"keywords": 9223372036854776064,
"time_created": "2026-03-16T00:22:35.850157400+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "3752",
"thread_id": "5952"
},
"channel": "Microsoft-Windows-Kernel-Process/Analytic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"ProcessID": " 3752",
"ThreadID": " 5952",
"OldPriority": "2",
"NewPriority": "0"
},
"message": ""
}
Event ID 11 — Execution of the process FrozenProcessID has been suspended.
Event ID 12 — Execution of the process FrozenProcessID has been resumed.
Event ID 13 — Job Job ID started with status code StatusCode.
Description
Job Job ID started with status code StatusCode.
Message
Fields
| Name | Type | Description |
|---|---|---|
| Container ID | GUID | — |
| Job ID | UInt32 | — |
| StatusCode | UInt32 | — |
| ContainerID | GUID | — |
| JobID | UInt32 | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Kernel-Process",
"guid": "{22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716}",
"event_source_name": "",
"event_id": "13",
"version": "0",
"level": "4",
"task": "13",
"opcode": "1",
"keywords": 9223372036854776832,
"time_created": "2026-03-16T00:22:30.860225400+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "7124",
"thread_id": "4244"
},
"channel": "Microsoft-Windows-Kernel-Process/Analytic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"Container ID": "{b0b7d412-20cb-11f1-9fbf-00155d284e57}",
"Job ID": " 880",
"StatusCode": " 0"
},
"message": ""
}
Event ID 14 — Job Job ID terminated with status code StatusCode.
Description
Job Job ID terminated with status code StatusCode.
Message
Fields
| Name | Type | Description |
|---|---|---|
| Container ID | GUID | — |
| Job ID | UInt32 | — |
| StatusCode | UInt32 | — |
| ContainerID | GUID | — |
| JobID | UInt32 | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Kernel-Process",
"guid": "{22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716}",
"event_source_name": "",
"event_id": "14",
"version": "0",
"level": "4",
"task": "14",
"opcode": "2",
"keywords": 9223372036854776832,
"time_created": "2026-03-16T00:21:38.751901900+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "10736",
"thread_id": "12560"
},
"channel": "Microsoft-Windows-Kernel-Process/Analytic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"Container ID": "{b0b7d3db-20cb-11f1-9fbf-00155d284e57}",
"Job ID": " 856",
"StatusCode": " 0"
},
"message": ""
}
Event ID 15 — Enumerated process ProcessID had started at time CreateTime by parent ParentProcessID running in session SessionID with name ImageName.
Description
Enumerated process ProcessID had started at time CreateTime by parent ParentProcessID running in session SessionID with name ImageName.
Message
Fields
| Name | Type | Description |
|---|---|---|
| ProcessID | UInt32 | — |
| ProcessSequenceNumber | UInt64 | — |
| CreateTime | FILETIME | — |
| ParentProcessID | UInt32 | — |
| ParentProcessSequenceNumber | UInt64 | — |
| SessionID | UInt32 | — |
| Flags | UInt32 | — |
| ProcessTokenElevationType | UInt32 | — |
| ProcessTokenIsElevated | UInt32 | — |
| MandatoryLabel | SID | — |
| ImageName | UnicodeString | — |
| ImageChecksum | UInt32 | — |
| TimeDateStamp | UInt32 | — |
| PackageFullName | UnicodeString | — |
| PackageRelativeAppId | UnicodeString | — |
| SecurityMitigations | UInt32 | — |
Event ID 16 —
Event ID 17 —
Fields
| Name | Type | Description |
|---|---|---|
| Job ID | UInt32 | — |
| DiskIoAttribution | Pointer | — |
| StatusCode | UInt32 | — |
| JobID | UInt32 | — |
Event ID 18 —
Fields
| Name | Type | Description |
|---|---|---|
| Job ID | UInt32 | — |
| DiskIoAttribution | Pointer | — |
| StatusCode | UInt32 | — |
| JobID | UInt32 | — |
Event ID 19 —
Fields
| Name | Type | Description |
|---|---|---|
| Job ID | UInt32 | — |
| IoRateControl | Pointer | — |
| MaxIops | UInt64 | — |
| MaxBandwidth | UInt64 | — |
| MaxTimePercent | UInt64 | — |
| ReservationIops | UInt64 | — |
| ReservationBandwidth | UInt64 | — |
| ReservationTimePercent | UInt64 | — |
| CriticalReservationIops | UInt64 | — |
| CriticalReservationBandwidth | UInt64 | — |
| CriticalReservationTimePercent | UInt64 | — |
| SoftMaxIops | UInt64 | — |
| SoftMaxBandwidth | UInt64 | — |
| SoftMaxTimePercent | UInt64 | — |
| ControlFlags | UInt32 | — |
| VolumeName | UnicodeString | — |
| StatusCode | UInt32 | — |
| JobID | UInt32 | — |
Event ID 20 —
Fields
| Name | Type | Description |
|---|---|---|
| Job ID | UInt32 | — |
| IoRateControl | Pointer | — |
| MaxIops | UInt64 | — |
| MaxBandwidth | UInt64 | — |
| MaxTimePercent | UInt64 | — |
| ReservationIops | UInt64 | — |
| ReservationBandwidth | UInt64 | — |
| ReservationTimePercent | UInt64 | — |
| CriticalReservationIops | UInt64 | — |
| CriticalReservationBandwidth | UInt64 | — |
| CriticalReservationTimePercent | UInt64 | — |
| SoftMaxIops | UInt64 | — |
| SoftMaxBandwidth | UInt64 | — |
| SoftMaxTimePercent | UInt64 | — |
| ControlFlags | UInt32 | — |
| VolumeName | UnicodeString | — |
| StatusCode | UInt32 | — |
| JobID | UInt32 | — |
Event ID 21 —
Fields
| Name | Type | Description |
|---|---|---|
| OldWorkOnBehalfThreadID | UInt32 | — |
| NewWorkOnBehalfThreadID | UInt32 | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Kernel-Process",
"guid": "{22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716}",
"event_source_name": "",
"event_id": "21",
"version": "0",
"level": "4",
"task": "18",
"opcode": "0",
"keywords": 9223372036854784000,
"time_created": "2026-03-16T00:21:34.678731600+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "1356",
"thread_id": "12108"
},
"channel": "Microsoft-Windows-Kernel-Process/Analytic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"OldWorkOnBehalfThreadID": " 0",
"NewWorkOnBehalfThreadID": " 12100"
},
"message": ""
}
Event ID 22 —
Fields
| Name | Type | Description |
|---|---|---|
| Container ID | GUID | — |
| Job ID | UInt32 | — |
| State | UInt16 | — |
| ContainerID | GUID | — |
| JobID | UInt32 | — |
Event ID 23 —
Fields
| Name | Type | Description |
|---|---|---|
| Container ID | GUID | — |
| Job ID | UInt32 | — |
| MonitorName | UnicodeString | — |
| ContainerID | GUID | — |
| JobID | UInt32 | — |
Event ID 24 —
Fields
| Name | Type | Description |
|---|---|---|
| Container ID | GUID | — |
| Job ID | UInt32 | — |
| Status | UInt32 | NTSTATUS code |
| MonitorName | UnicodeString | — |
| ContainerID | GUID | — |
| JobID | UInt32 | — |
Event ID 25 —
Fields
| Name | Type | Description |
|---|---|---|
| Container ID | GUID | — |
| Job ID | UInt32 | — |
| MonitorName | UnicodeString | — |
| ContainerID | GUID | — |
| JobID | UInt32 | — |
Event ID 26 —
Fields
| Name | Type | Description |
|---|---|---|
| Container ID | GUID | — |
| Job ID | UInt32 | — |
| MonitorName | UnicodeString | — |
| ContainerID | GUID | — |
| JobID | UInt32 | — |
Event ID 27 —
Fields
| Name | Type | Description |
|---|---|---|
| ProcessName | UnicodeString | — |
| ProcessID | UInt32 | — |