Microsoft-Windows-Kernel-Registry

45 events across 2 channels

Event ID | Title | Channel
1 | | Analytic
2 | | Analytic
3 | | Analytic
4 | | Analytic
5 | | Analytic
6 | | Analytic
7 | | Analytic
8 | | Analytic
9 | | Analytic
10 | | Analytic
11 | | Analytic
12 | | Analytic
13 | | Analytic
14 | | Analytic
15 | | Analytic
16 | | Performance
17 | | Performance
18 | | Performance
19 | | Performance
20 | | Performance
21 | | Performance
22 | | Performance
23 | | Performance
24 | | Performance
25 | | Performance
26 | | Performance
27 | | Performance
28 | | Performance
29 | | Performance
30 | | Performance
31 | | Performance
32 | | Performance
33 | | Performance
34 | | Performance
35 | | Performance
36 | | Performance
37 | | Performance
38 | | Performance
39 | | Performance
40 | | Performance
41 | | Performance
42 | | Performance
43 | | Performance
44 | | Performance
45 | | Performance

Event ID 1 —

Provider
Microsoft-Windows-Kernel-Registry
Channel
Analytic
Level
Error
Opcode
CreateKey

Fields #

Name | Description
BaseObject Pointer
KeyObject Pointer
Status UInt32 | NTSTATUS reference
Disposition UInt32
BaseName UnicodeString
RelativeName UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Registry",
    "guid": "{70eb4f03-c1de-4f73-a051-33d13d5413bd}",
    "event_source_name": "",
    "event_id": "1",
    "version": "0",
    "level": "2",
    "task": "0",
    "opcode": "32",
    "keywords": 9223372036854779904,
    "time_created": "2026-03-16T00:21:35.785504900+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{00000000-0000-0000-0000-000000000000}"
    },
    "execution": {
      "process_id": "9144",
      "thread_id": "1104"
    },
    "channel": "Microsoft-Windows-Kernel-Registry/Analytic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "BaseObject": "0xFFFF810C5DD6DD50",
    "KeyObject": "0xFFFF810C5DD72260",
    "Status": "0x0",
    "Disposition": "       2",
    "BaseName": "",
    "RelativeName": "Software\\Microsoft\\WBEM\\CIMOM"
  },
  "message": ""
}

Event ID 2 —

Provider
Microsoft-Windows-Kernel-Registry
Channel
Analytic
Level
Error
Opcode
OpenKey

Fields #

Name | Description
BaseObject Pointer
KeyObject Pointer
Status UInt32 | NTSTATUS reference
Disposition UInt32
BaseName UnicodeString
RelativeName UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Registry",
    "guid": "{70eb4f03-c1de-4f73-a051-33d13d5413bd}",
    "event_source_name": "",
    "event_id": "2",
    "version": "0",
    "level": "2",
    "task": "0",
    "opcode": "33",
    "keywords": 9223372036854784000,
    "time_created": "2026-03-16T00:21:35.507079800+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{00000000-0000-0000-0000-000000000000}"
    },
    "execution": {
      "process_id": "1032",
      "thread_id": "12928"
    },
    "channel": "Microsoft-Windows-Kernel-Registry/Analytic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "BaseObject": "0xFFFF810C2A657DB0",
    "KeyObject": "0xFFFF810C5DD71F30",
    "Status": "0x0",
    "Disposition": "       0",
    "BaseName": "",
    "RelativeName": "\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize"
  },
  "message": ""
}

Event ID 3 —

Provider
Microsoft-Windows-Kernel-Registry
Channel
Analytic
Level
Error
Opcode
DeleteKey

Fields #

Name | Description
KeyObject Pointer
Status UInt32 | NTSTATUS reference
KeyName UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Registry",
    "guid": "{70eb4f03-c1de-4f73-a051-33d13d5413bd}",
    "event_source_name": "",
    "event_id": "3",
    "version": "0",
    "level": "2",
    "task": "0",
    "opcode": "34",
    "keywords": 9223372036854792192,
    "time_created": "2026-03-16T00:21:57.097838200+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{00000000-0000-0000-0000-000000000000}"
    },
    "execution": {
      "process_id": "9060",
      "thread_id": "12368"
    },
    "channel": "Microsoft-Windows-Kernel-Registry/Analytic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "KeyObject": "0xFFFF810C4E440E30",
    "Status": "0x0",
    "KeyName": ""
  },
  "message": ""
}

Event ID 4 —

Provider
Microsoft-Windows-Kernel-Registry
Channel
Analytic
Level
Error
Opcode
QueryKey

Fields #

Name | Description
KeyObject Pointer
Status UInt32 | NTSTATUS reference
InfoClass UInt32
DataSize UInt32
KeyName UnicodeString
CapturedDataSize UInt16
CapturedData Binary

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Registry",
    "guid": "{70eb4f03-c1de-4f73-a051-33d13d5413bd}",
    "event_source_name": "",
    "event_id": "4",
    "version": "0",
    "level": "2",
    "task": "0",
    "opcode": "35",
    "keywords": 9223372036854808576,
    "time_created": "2026-03-16T00:21:35.516631000+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{00000000-0000-0000-0000-000000000000}"
    },
    "execution": {
      "process_id": "9772",
      "thread_id": "4452"
    },
    "channel": "Microsoft-Windows-Kernel-Registry/Analytic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "KeyObject": "0xFFFF810C31D05F00",
    "Status": "0x0",
    "InfoClass": "       7",
    "DataSize": "       4",
    "KeyName": "",
    "CapturedDataSize": "0",
    "CapturedData": ""
  },
  "message": ""
}

Event ID 5 —

Provider
Microsoft-Windows-Kernel-Registry
Channel
Analytic
Level
Error
Opcode
SetValueKey

Fields #

Name | Description
KeyObject Pointer
Status UInt32 | NTSTATUS reference
Type UInt32
DataSize UInt32
KeyName UnicodeString
ValueName UnicodeString
CapturedDataSize UInt16
CapturedData Binary
PreviousDataType UInt32
PreviousDataSize UInt32
PreviousDataCapturedSize UInt16
PreviousData Binary

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Registry",
    "guid": "{70eb4f03-c1de-4f73-a051-33d13d5413bd}",
    "event_source_name": "",
    "event_id": "5",
    "version": "0",
    "level": "2",
    "task": "0",
    "opcode": "36",
    "keywords": 9223372036854776064,
    "time_created": "2026-03-16T00:21:40.590478500+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{00000000-0000-0000-0000-000000000000}"
    },
    "execution": {
      "process_id": "3688",
      "thread_id": "7552"
    },
    "channel": "Microsoft-Windows-Kernel-Registry/Analytic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "KeyObject": "0xFFFF810C5DD4DC20",
    "Status": "0x0",
    "Type": "      11",
    "DataSize": "       8",
    "KeyName": "",
    "ValueName": "LastSuccessfulUploadTime",
    "CapturedDataSize": "0",
    "CapturedData": "",
    "PreviousDataType": "       0",
    "PreviousDataSize": "       0",
    "PreviousDataCapturedSize": "0",
    "PreviousData": ""
  },
  "message": ""
}

Event ID 6 —

Provider
Microsoft-Windows-Kernel-Registry
Channel
Analytic
Level
Critical
Opcode
DeleteValueKey

Fields #

Name | Description
KeyObject Pointer
Status UInt32 | NTSTATUS reference
KeyName UnicodeString
ValueName UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Registry",
    "guid": "{70eb4f03-c1de-4f73-a051-33d13d5413bd}",
    "event_source_name": "",
    "event_id": "6",
    "version": "0",
    "level": "1",
    "task": "0",
    "opcode": "37",
    "keywords": 9223372036854776320,
    "time_created": "2026-03-16T00:22:34.277328900+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{00000000-0000-0000-0000-000000000000}"
    },
    "execution": {
      "process_id": "3668",
      "thread_id": "7712"
    },
    "channel": "Microsoft-Windows-Kernel-Registry/Analytic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "KeyObject": "0xFFFF810C42CA9410",
    "Status": "0xC0000034",
    "KeyName": "",
    "ValueName": "97eb03fb6ad64051d2fd3a6dc2ad7390"
  },
  "message": ""
}

Event ID 7 —

Provider
Microsoft-Windows-Kernel-Registry
Channel
Analytic
Level
Critical
Opcode
QueryValueKey

Fields #

Name | Description
KeyObject Pointer
Status UInt32 | NTSTATUS reference
InfoClass UInt32
DataSize UInt32
KeyName UnicodeString
ValueName UnicodeString
CapturedDataSize UInt16
CapturedData Binary

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Registry",
    "guid": "{70eb4f03-c1de-4f73-a051-33d13d5413bd}",
    "event_source_name": "",
    "event_id": "7",
    "version": "0",
    "level": "1",
    "task": "0",
    "opcode": "38",
    "keywords": 9223372036854776832,
    "time_created": "2026-03-16T00:21:35.507114200+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{00000000-0000-0000-0000-000000000000}"
    },
    "execution": {
      "process_id": "1032",
      "thread_id": "12928"
    },
    "channel": "Microsoft-Windows-Kernel-Registry/Analytic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "KeyObject": "0xFFFF810C5DD71F30",
    "Status": "0xC0000034",
    "InfoClass": "       2",
    "DataSize": "       2",
    "KeyName": "",
    "ValueName": "DisableMetaFiles",
    "CapturedDataSize": "0",
    "CapturedData": ""
  },
  "message": ""
}

Event ID 8 —

Provider
Microsoft-Windows-Kernel-Registry
Channel
Analytic
Level
Error
Opcode
EnumerateKey

Fields #

Name | Description
KeyObject Pointer
Status UInt32 | NTSTATUS reference
Index UInt32
InfoClass UInt32
DataSize UInt32
KeyName UnicodeString
CapturedDataSize UInt16
CapturedData Binary

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Registry",
    "guid": "{70eb4f03-c1de-4f73-a051-33d13d5413bd}",
    "event_source_name": "",
    "event_id": "8",
    "version": "0",
    "level": "2",
    "task": "0",
    "opcode": "39",
    "keywords": 9223372036854777856,
    "time_created": "2026-03-16T00:21:35.816738500+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{00000000-0000-0000-0000-000000000000}"
    },
    "execution": {
      "process_id": "9144",
      "thread_id": "1104"
    },
    "channel": "Microsoft-Windows-Kernel-Registry/Analytic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "KeyObject": "0xFFFF810C33B2F6C0",
    "Status": "0x0",
    "Index": "       0",
    "InfoClass": "       0",
    "DataSize": "      92",
    "KeyName": "",
    "CapturedDataSize": "0",
    "CapturedData": ""
  },
  "message": ""
}

Event ID 9 —

Provider
Microsoft-Windows-Kernel-Registry
Channel
Analytic
Level
Error
Opcode
EnumerateValueKey

Fields #

Name | Description
KeyObject Pointer
Status UInt32 | NTSTATUS reference
Index UInt32
InfoClass UInt32
DataSize UInt32
KeyName UnicodeString
CapturedDataSize UInt16
CapturedData Binary

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Registry",
    "guid": "{70eb4f03-c1de-4f73-a051-33d13d5413bd}",
    "event_source_name": "",
    "event_id": "9",
    "version": "0",
    "level": "2",
    "task": "0",
    "opcode": "40",
    "keywords": 9223372036854775824,
    "time_created": "2026-03-16T00:21:35.527894500+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{00000000-0000-0000-0000-000000000000}"
    },
    "execution": {
      "process_id": "10736",
      "thread_id": "11352"
    },
    "channel": "Microsoft-Windows-Kernel-Registry/Analytic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "KeyObject": "0xFFFF810C5DD54550",
    "Status": "0x0",
    "Index": "       0",
    "InfoClass": "       2",
    "DataSize": "      36",
    "KeyName": "",
    "CapturedDataSize": "0",
    "CapturedData": ""
  },
  "message": ""
}

Event ID 10 —

Provider
Microsoft-Windows-Kernel-Registry
Channel
Analytic
Level
Error
Opcode
QueryMultipleValueKey

Fields #

Name | Description
KeyObject Pointer
Status UInt32 | NTSTATUS reference
EntryCount UInt32
DataSize UInt32
KeyName UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Registry",
    "guid": "{70eb4f03-c1de-4f73-a051-33d13d5413bd}",
    "event_source_name": "",
    "event_id": "10",
    "version": "0",
    "level": "2",
    "task": "0",
    "opcode": "41",
    "keywords": 9223372036854775840,
    "time_created": "2026-03-16T00:21:35.626480500+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{00000000-0000-0000-0000-000000000000}"
    },
    "execution": {
      "process_id": "5012",
      "thread_id": "3304"
    },
    "channel": "Microsoft-Windows-Kernel-Registry/Analytic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "KeyObject": "0xFFFF810C5DD6DA20",
    "Status": "0x0",
    "EntryCount": "      30",
    "DataSize": "     264",
    "KeyName": ""
  },
  "message": ""
}

Event ID 11 —

Provider
Microsoft-Windows-Kernel-Registry
Channel
Analytic
Level
Error
Opcode
SetInformationKey

Fields #

Name | Description
KeyObject Pointer
Status UInt32 | NTSTATUS reference
InfoClass UInt32
DataSize UInt32
KeyName UnicodeString
CapturedDataSize UInt16
CapturedData Binary

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Registry",
    "guid": "{70eb4f03-c1de-4f73-a051-33d13d5413bd}",
    "event_source_name": "",
    "event_id": "11",
    "version": "0",
    "level": "2",
    "task": "0",
    "opcode": "42",
    "keywords": 9223372036854775872,
    "time_created": "2026-03-16T00:21:35.634196200+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{00000000-0000-0000-0000-000000000000}"
    },
    "execution": {
      "process_id": "5012",
      "thread_id": "3304"
    },
    "channel": "Microsoft-Windows-Kernel-Registry/Analytic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "KeyObject": "0xFFFF810C5DD6E080",
    "Status": "0x0",
    "InfoClass": "       5",
    "DataSize": "       4",
    "KeyName": "",
    "CapturedDataSize": "0",
    "CapturedData": ""
  },
  "message": ""
}

Event ID 12 —

Provider
Microsoft-Windows-Kernel-Registry
Channel
Analytic
Opcode
FlushKey

Fields #

Name | Description
KeyObject Pointer
Status UInt32 | NTSTATUS reference
KeyName UnicodeString

Event ID 13 —

Provider
Microsoft-Windows-Kernel-Registry
Channel
Analytic
Level
Error
Opcode
CloseKey

Fields #

Name | Description
KeyObject Pointer
Status UInt32 | NTSTATUS reference
KeyName UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Registry",
    "guid": "{70eb4f03-c1de-4f73-a051-33d13d5413bd}",
    "event_source_name": "",
    "event_id": "13",
    "version": "0",
    "level": "2",
    "task": "0",
    "opcode": "44",
    "keywords": 9223372036854775809,
    "time_created": "2026-03-16T00:21:35.505174000+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{00000000-0000-0000-0000-000000000000}"
    },
    "execution": {
      "process_id": "1032",
      "thread_id": "12928"
    },
    "channel": "Microsoft-Windows-Kernel-Registry/Analytic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "KeyObject": "0xFFFF810C35F58620",
    "Status": "0x0",
    "KeyName": ""
  },
  "message": ""
}

Event ID 14 —

Provider
Microsoft-Windows-Kernel-Registry
Channel
Analytic
Level
Error
Opcode
QuerySecurityKey

Fields #

Name | Description
KeyObject Pointer
Status UInt32 | NTSTATUS reference
KeyName UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Registry",
    "guid": "{70eb4f03-c1de-4f73-a051-33d13d5413bd}",
    "event_source_name": "",
    "event_id": "14",
    "version": "0",
    "level": "2",
    "task": "0",
    "opcode": "45",
    "keywords": 9223372036854775810,
    "time_created": "2026-03-16T00:21:57.923947000+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{00000000-0000-0000-0000-000000000000}"
    },
    "execution": {
      "process_id": "9060",
      "thread_id": "12368"
    },
    "channel": "Microsoft-Windows-Kernel-Registry/Analytic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "KeyObject": "0xFFFF810C5DD62140",
    "Status": "0x0",
    "KeyName": ""
  },
  "message": ""
}

Event ID 15 —

Provider
Microsoft-Windows-Kernel-Registry
Channel
Analytic
Level
Error
Opcode
SetSecurityKey

Fields #

Name | Description
KeyObject Pointer
Status UInt32 | NTSTATUS reference
KeyName UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Registry",
    "guid": "{70eb4f03-c1de-4f73-a051-33d13d5413bd}",
    "event_source_name": "",
    "event_id": "15",
    "version": "0",
    "level": "2",
    "task": "0",
    "opcode": "46",
    "keywords": 9223372036854775812,
    "time_created": "2026-03-16T00:24:09.957774700+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{00000000-0000-0000-0000-000000000000}"
    },
    "execution": {
      "process_id": "6472",
      "thread_id": "10124"
    },
    "channel": "Microsoft-Windows-Kernel-Registry/Analytic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "KeyObject": "0xFFFF810C5DD61260",
    "Status": "0x0",
    "KeyName": ""
  },
  "message": ""
}

Event ID 16 —

Provider
Microsoft-Windows-Kernel-Registry
Channel
Performance
Level
Informational
Task
This group of events tracks the performance of mounting hives from existing files.
Opcode
Start

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Registry",
    "guid": "{70eb4f03-c1de-4f73-a051-33d13d5413bd}",
    "event_source_name": "",
    "event_id": "16",
    "version": "0",
    "level": "4",
    "task": "1",
    "opcode": "1",
    "keywords": 4611686018427387904,
    "time_created": "2026-03-16T00:23:58.966769000+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{00000000-0000-0000-0000-000000000000}"
    },
    "execution": {
      "process_id": "4",
      "thread_id": "7308"
    },
    "channel": "Microsoft-Windows-Kernel-Registry/Performance",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {},
  "message": ""
}

Event ID 17 —

Provider
Microsoft-Windows-Kernel-Registry
Channel
Performance
Level
Informational
Task
This group of events tracks the performance of mounting hives from existing files.
Opcode
RegPerfOpHiveMountBaseFileMounted

Fields #

Name | Description
HiveFilePath UnicodeString
FileSize UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Registry",
    "guid": "{70eb4f03-c1de-4f73-a051-33d13d5413bd}",
    "event_source_name": "",
    "event_id": "17",
    "version": "0",
    "level": "4",
    "task": "1",
    "opcode": "10",
    "keywords": 4611686018427387904,
    "time_created": "2026-03-16T00:23:59.073398500+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{00000000-0000-0000-0000-000000000000}"
    },
    "execution": {
      "process_id": "4",
      "thread_id": "7308"
    },
    "channel": "Microsoft-Windows-Kernel-Registry/Performance",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "HiveFilePath": "\\Device\\HarddiskVolume4\\Windows\\System32\\config\\DRIVERS",
    "FileSize": " 4648960"
  },
  "message": ""
}

Event ID 18 —

Provider
Microsoft-Windows-Kernel-Registry
Channel
Performance
Task
This group of events tracks the performance of mounting hives from existing files.
Opcode
RegPerfOpHiveMountLogEntryApplied

Fields #

Name | Description
TotalEntrySize UInt32
BytesRecovered UInt32

Event ID 19 —

Provider
Microsoft-Windows-Kernel-Registry
Channel
Performance
Level
Informational
Task
This group of events tracks the performance of mounting hives from existing files.
Opcode
Stop

Fields #

Name | Description
StatusCode HexInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Registry",
    "guid": "{70eb4f03-c1de-4f73-a051-33d13d5413bd}",
    "event_source_name": "",
    "event_id": "19",
    "version": "0",
    "level": "4",
    "task": "1",
    "opcode": "2",
    "keywords": 4611686018427387904,
    "time_created": "2026-03-16T00:23:59.074329800+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{00000000-0000-0000-0000-000000000000}"
    },
    "execution": {
      "process_id": "4",
      "thread_id": "7308"
    },
    "channel": "Microsoft-Windows-Kernel-Registry/Performance",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "StatusCode": "0x0"
  },
  "message": ""
}

Event ID 20 —

Provider
Microsoft-Windows-Kernel-Registry
Channel
Performance
Task
This group of events tracks the performance of unloading hives.
Opcode
Start

Fields #

Name | Description
HiveFilePath UnicodeString
HiveMountPoint UnicodeString

Event ID 21 —

Provider
Microsoft-Windows-Kernel-Registry
Channel
Performance
Task
This group of events tracks the performance of unloading hives.
Opcode
Stop

Fields #

Name | Description
StatusCode HexInt32

Event ID 22 —

Provider
Microsoft-Windows-Kernel-Registry
Channel
Performance
Level
Informational
Task
This group of events tracks the performance of flushing hives.
Opcode
Start

Fields #

Name | Description
HiveFilePath UnicodeString
HiveMountPoint UnicodeString
FlushFlags HexInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Registry",
    "guid": "{70eb4f03-c1de-4f73-a051-33d13d5413bd}",
    "event_source_name": "",
    "event_id": "22",
    "version": "0",
    "level": "4",
    "task": "3",
    "opcode": "1",
    "keywords": 4611686018427387904,
    "time_created": "2026-03-16T00:21:56.773417700+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{00000000-0000-0000-0000-000000000000}"
    },
    "execution": {
      "process_id": "240",
      "thread_id": "928"
    },
    "channel": "Microsoft-Windows-Kernel-Registry/Performance",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "HiveFilePath": "\\SystemRoot\\System32\\Config\\SOFTWARE",
    "HiveMountPoint": "\\REGISTRY\\MACHINE\\SOFTWARE",
    "FlushFlags": "0x12"
  },
  "message": ""
}

Event ID 23 —

Provider
Microsoft-Windows-Kernel-Registry
Channel
Performance
Task
This group of events tracks the performance of flushing hives.
Opcode
RegPerfOpHiveFlushBecameActiveFlusher

Event ID 24 —

Provider
Microsoft-Windows-Kernel-Registry
Channel
Performance
Task
This group of events tracks the performance of flushing hives.
Opcode
RegPerfOpHiveFlushGatheredLogData

Fields #

Name | Description
BytesGathered UInt32

Event ID 25 —

Provider
Microsoft-Windows-Kernel-Registry
Channel
Performance
Task
This group of events tracks the performance of flushing hives.
Opcode
RegPerfOpHiveFlushGatheredPrimaryData

Fields #

Name | Description
BytesGathered UInt32

Event ID 26 —

Provider
Microsoft-Windows-Kernel-Registry
Channel
Performance
Level
Informational
Task
This group of events tracks the performance of flushing hives.
Opcode
RegPerfOpHiveFlushWroteLogFile

Fields #

Name | Description
WritesIssued UInt32
BytesWritten UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Registry",
    "guid": "{70eb4f03-c1de-4f73-a051-33d13d5413bd}",
    "event_source_name": "",
    "event_id": "26",
    "version": "0",
    "level": "4",
    "task": "3",
    "opcode": "13",
    "keywords": 4611686018427387904,
    "time_created": "2026-03-16T00:21:56.779540300+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{00000000-0000-0000-0000-000000000000}"
    },
    "execution": {
      "process_id": "240",
      "thread_id": "928"
    },
    "channel": "Microsoft-Windows-Kernel-Registry/Performance",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "WritesIssued": "       1",
    "BytesWritten": "   98304"
  },
  "message": ""
}

Event ID 27 —

Provider
Microsoft-Windows-Kernel-Registry
Channel
Performance
Level
Informational
Task
This group of events tracks the performance of flushing hives.
Opcode
RegPerfOpHiveFlushWrotePrimaryFile

Fields #

Name | Description
WritesIssued UInt32
BytesWritten UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Registry",
    "guid": "{70eb4f03-c1de-4f73-a051-33d13d5413bd}",
    "event_source_name": "",
    "event_id": "27",
    "version": "0",
    "level": "4",
    "task": "3",
    "opcode": "14",
    "keywords": 4611686018427387904,
    "time_created": "2026-03-16T00:24:00.216602900+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{00000000-0000-0000-0000-000000000000}"
    },
    "execution": {
      "process_id": "240",
      "thread_id": "932"
    },
    "channel": "Microsoft-Windows-Kernel-Registry/Performance",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "WritesIssued": "     880",
    "BytesWritten": "  450560"
  },
  "message": ""
}

Event ID 28 —

Provider
Microsoft-Windows-Kernel-Registry
Channel
Performance
Task
This group of events tracks the performance of flushing hives.
Opcode
RegPerfOpHiveFlushBoostedActiveFlusher

Event ID 29 —

Provider
Microsoft-Windows-Kernel-Registry
Channel
Performance
Task
This group of events tracks the performance of flushing hives.
Opcode
RegPerfOpHiveFlushStartWaitForActive

Event ID 30 —

Provider
Microsoft-Windows-Kernel-Registry
Channel
Performance
Task
This group of events tracks the performance of flushing hives.
Opcode
RegPerfOpHiveFlushFinishWaitForActive

Event ID 31 —

Provider
Microsoft-Windows-Kernel-Registry
Channel
Performance
Level
Informational
Task
This group of events tracks the performance of flushing hives.
Opcode
Stop

Fields #

Name | Description
StatusCode HexInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Registry",
    "guid": "{70eb4f03-c1de-4f73-a051-33d13d5413bd}",
    "event_source_name": "",
    "event_id": "31",
    "version": "0",
    "level": "4",
    "task": "3",
    "opcode": "2",
    "keywords": 4611686018427387904,
    "time_created": "2026-03-16T00:21:56.779593400+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{00000000-0000-0000-0000-000000000000}"
    },
    "execution": {
      "process_id": "240",
      "thread_id": "928"
    },
    "channel": "Microsoft-Windows-Kernel-Registry/Performance",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "StatusCode": "0x0"
  },
  "message": ""
}

Event ID 32 —

Provider
Microsoft-Windows-Kernel-Registry
Channel
Performance
Task
This group of events tracks the performance of registry shutdown.
Opcode
Start

Event ID 33 —

Provider
Microsoft-Windows-Kernel-Registry
Channel
Performance
Task
This group of events tracks the performance of registry shutdown.
Opcode
Start

Event ID 34 —

Provider
Microsoft-Windows-Kernel-Registry
Channel
Performance
Task
This group of events tracks the performance of registry shutdown.
Opcode
RegPerfOpShutdownFlushStart

Event ID 35 —

Provider
Microsoft-Windows-Kernel-Registry
Channel
Performance
Task
This group of events tracks the performance of registry shutdown.
Opcode
RegPerfOpShutdownFlushStop

Event ID 36 —

Provider
Microsoft-Windows-Kernel-Registry
Channel
Performance
Task
This group of events tracks the performance of registry shutdown.
Opcode
Stop

Event ID 37 —

Provider
Microsoft-Windows-Kernel-Registry
Channel
Performance
Level
Informational
Task
This group of events tracks the performance of loading hives.
Opcode
Start

Fields #

Name | Description
SourceFile UnicodeString
Flags HexInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Registry",
    "guid": "{70eb4f03-c1de-4f73-a051-33d13d5413bd}",
    "event_source_name": "",
    "event_id": "37",
    "version": "0",
    "level": "4",
    "task": "5",
    "opcode": "1",
    "keywords": 4611686018427387904,
    "time_created": "2026-03-16T00:23:58.962727700+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{00000000-0000-0000-0000-000000000000}"
    },
    "execution": {
      "process_id": "4",
      "thread_id": "7308"
    },
    "channel": "Microsoft-Windows-Kernel-Registry/Performance",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SourceFile": "\\SystemRoot\\System32\\config\\DRIVERS",
    "Flags": "0x80"
  },
  "message": ""
}

Event ID 38 —

Provider
Microsoft-Windows-Kernel-Registry
Channel
Performance
Level
Informational
Task
This group of events tracks the performance of loading hives.
Opcode
Stop

Fields #

Name | Description
StatusCode HexInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-Registry",
    "guid": "{70eb4f03-c1de-4f73-a051-33d13d5413bd}",
    "event_source_name": "",
    "event_id": "38",
    "version": "0",
    "level": "4",
    "task": "5",
    "opcode": "2",
    "keywords": 4611686018427387904,
    "time_created": "2026-03-16T00:23:59.366363400+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{00000000-0000-0000-0000-000000000000}"
    },
    "execution": {
      "process_id": "4",
      "thread_id": "7308"
    },
    "channel": "Microsoft-Windows-Kernel-Registry/Performance",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "StatusCode": "0x0"
  },
  "message": ""
}

Event ID 39 —

Provider
Microsoft-Windows-Kernel-Registry
Channel
Performance
Task
This group of events tracks the performance of restoring hives.
Opcode
Start

Fields #

Name | Description
SourceFile UnicodeString
Flags HexInt32

Event ID 40 —

Provider
Microsoft-Windows-Kernel-Registry
Channel
Performance
Task
This group of events tracks the performance of restoring hives.
Opcode
Stop

Fields #

Name | Description
StatusCode HexInt32

Event ID 41 —

Provider
Microsoft-Windows-Kernel-Registry
Channel
Performance
Task
This group of events tracks the performance of exporting hives.
Opcode
Start

Fields #

Name | Description
SourceKeyPath UnicodeString

Event ID 42 —

Provider
Microsoft-Windows-Kernel-Registry
Channel
Performance
Task
This group of events tracks the performance of exporting hives.
Opcode
RegPerfOpSaveFileCopied

Event ID 43 —

Provider
Microsoft-Windows-Kernel-Registry
Channel
Performance
Task
This group of events tracks the performance of exporting hives.
Opcode
RegPerfOpSaveTreeCopied

Event ID 44 —

Provider
Microsoft-Windows-Kernel-Registry
Channel
Performance
Task
This group of events tracks the performance of exporting hives.
Opcode
RegPerfOpSaveFileWritten

Event ID 45 —

Provider
Microsoft-Windows-Kernel-Registry
Channel
Performance
Task
This group of events tracks the performance of exporting hives.
Opcode
Stop

Fields #

Name | Description
StatusCode HexInt32