Microsoft-Windows-LiveId

235 events across 2 channels

Event ID	Title	Channel
1002	LsaApLogonUserEx2_Stop.	Analytic
1004	SpOnProfileLoaded_Stop.	Analytic
1005	ConnectIdentity_Start	Analytic
1006	ConnectIdentity_Stop.	Analytic
1007	DisconnectIdentity_Start	Analytic
1008	DisconnectIdentity_Stop.	Analytic
1010	LiveDoCachedLogon_Stop.	Analytic
1012	LiveAuthenticate_Stop.	Analytic
1013	NetworkCall_Start	Analytic
1014	NetworkCall_Stop.	Analytic
1015	DeviceAuth_Start	Analytic
1016	DeviceAuth_Stop.	Analytic
1017	UserAuth_Start	Analytic
1018	UserAuth_Stop.	Analytic
1019	PromptForCredentials_Start	Analytic
1020	PromptForCredentials_Stop.	Analytic
1021	SignOutUser_RegistryOpenOrReadFailure.	Operational
1022	SignOutUser_RegistryWriteFailure.	Operational
2008	DeviceAuthAsync_Start	Analytic
2009	DeviceAuthAsync_Stop	Analytic
2010	UserAuthAsync_Start	Analytic
2011	UserAuthAsync_Stop	Analytic
2012	SignOutUser_Start	Analytic
2013	SignOutUser_Stop	Analytic
2014	WLIDSvcReady	Analytic
2015	CommandLinkClicked_Start	Analytic
2016	CommandLinkClicked_Stop.	Analytic
2017	UserImageGetBitmapValue_Start	Analytic
2018	UserImageGetBitmapValue_Stop.	Analytic
2019	CredProvSetSerialization_Start	Analytic
2020	CredProvSetSerialization_Stop.	Analytic
2021	CredProvGetSerialization_Start	Analytic
2022	CredProvGetSerialization_Stop.	Analytic
2023	Operation: %1 Details: %2 Status: %3.	Operational
2024	Operation: %1 Details: %2 Status: %3.	Operational
2025	WLIDSvc service failed to start.	Operational
2026	Generic telemetry trigger event.	Analytic
2027	User specific telemetry trigger event for CID %1.	Analytic
2028	ErrorVerifier in function %1 encountered unexpected error code (%2).	Operational
2029	Assertion failure for expression ({Expression}) in function {FunctionName} …	Operational
3000	%3 @%1_%2.	Operational
3001	%3 @%1_%2.	Operational
3002	%3 @%1_%2.	Operational
3003	%3 @%1_%2.	Operational
3004	%3 @%1_%2.	Operational
3005	%3 @%1_%2.	Operational
3006	%3 @%1_%2.	Operational
3007	%3 @%1_%2.	Operational
3008	+.	Operational
3009	-.	Operational
3010	-.	Operational
3011	-.	Operational
3012	Process name %1.	Operational
3013	IF_FAILEXIT failure: (%4), hr = %5, in %2 @%1_%3.	Operational
3014	-.	Operational
3015	%3 @%1_%2.	Operational
3016	%3 @%1_%2.	Operational
4000	%3 @%1_%2.	Operational
4001	%3 @%1_%2.	Operational
4002	%3 @%1_%2.	Operational
4003	%3 @%1_%2.	Operational
4004	%3 @%1_%2.	Operational
4005	%3 @%1_%2.	Operational
4006	%3 @%1_%2.	Operational
4007	%3 @%1_%2.	Operational
4008	+.	Operational
4009	-.	Operational
4010	-.	Operational
4011	-.	Operational
4012	Process name %1.	Operational
4013	IF_FAILEXIT failure: (%4), hr = %5, in %2 @%1_%3.	Operational
4014	-.	Operational
4015	%3 @%1_%2.	Operational
4016	%3 @%1_%2.	Operational
5000	%3 @%1_%2.	Operational
5001	%3 @%1_%2.	Operational
5002	%3 @%1_%2.	Operational
5003	%3 @%1_%2.	Operational
5004	%3 @%1_%2.	Operational
5005	%3 @%1_%2.	Operational
5006	%3 @%1_%2.	Operational
5007	%3 @%1_%2.	Operational
5008	+.	Operational
5009	-.	Operational
5010	-.	Operational
5011	-.	Operational
5012	Process name %1.	Operational
5013	IF_FAILEXIT failure: (%4), hr = %5, in %2 @%1_%3.	Operational
5014	-.	Operational
5015	%3 @%1_%2.	Operational
5016	%3 @%1_%2.	Operational
6000	%3 @%1_%2.	Operational
6001	%3 @%1_%2.	Operational
6002	%3 @%1_%2.	Operational
6003	%3 @%1_%2.	Operational
6004	%3 @%1_%2.	Operational
6005	%3 @%1_%2.	Operational
6006	%3 @%1_%2.	Operational
6007	%3 @%1_%2.	Operational
6008	+.	Operational
6009	-.	Operational
6010	-.	Operational
6011	-.	Operational
6012	Process name %1.	Operational
6013	IF_FAILEXIT failure: (%4), hr = %5, in %2 @%1_%3.	Operational
6014	-.	Operational
6015	%3 @%1_%2.	Operational
6016	%3 @%1_%2.	Operational
6100	Service Create Context for [.	Operational
6101	Token with target [.	Operational
6102	Certificate (target = [%1]) has expired.	Operational
6103	RemoveCachedAuthInfo Deleting item for target [.	Operational
6104	RemoveCachedAuthInfo ALL Deleting [.	Operational
6105	RemovePersistedTokens Deleting item for target [.	Operational
6106	Attempting to delete for target [.	Operational
6107	Write to CredMan failed for target [.	Operational
6108	Writing Token for target [.	Operational
6109	CredEnumerateW failed for target [.	Operational
6110	CredEnumerateW found no match for target [.	Operational
6111	DeleteStoredCredential Deleting item for target [.	Operational
6112	CredMan activity skipped.	Operational
6113	RPC call to function %1 returned the following error code: %2.	Operational
6114	SOAP Request of type %1 for user CID '%2' in %4 environment received the …	Operational
6115	## SOAP Request.	Operational
6116	## SOAP Response.	Operational
6117	Acquired Service token.	Operational
7000	%3 @%1_%2.	Operational
7001	%3 @%1_%2.	Operational
7002	%3 @%1_%2.	Operational
7003	%3 @%1_%2.	Operational
7004	%3 @%1_%2.	Operational
7005	%3 @%1_%2.	Operational
7006	%3 @%1_%2.	Operational
7007	%3 @%1_%2.	Operational
7008	+.	Operational
7009	-.	Operational
7010	-.	Operational
7011	-.	Operational
7012	Process name %1.	Operational
7013	IF_FAILEXIT failure: (%4), hr = %5, in %2 @%1_%3.	Operational
7014	-.	Operational
7015	%3 @%1_%2.	Operational
7016	%3 @%1_%2.	Operational
7100	Cached ticket for site %1 and policy %2 found which is valid for another %3 …	Operational
7101	ApplicationId Overwritten [.	Operational
7102	ApplicationId [.	Operational
7103	Cached ticket for site %1 and policy %2 not found or has expired.	Operational
7104	Attempts = [.	Operational
7105	WLIDCPersistCredential [.	Operational
8000	%3 @%1_%2.	Operational
8001	%3 @%1_%2.	Operational
8002	%3 @%1_%2.	Operational
8003	%3 @%1_%2.	Operational
8004	%3 @%1_%2.	Operational
8005	%3 @%1_%2.	Operational
8006	%3 @%1_%2.	Operational
8007	%3 @%1_%2.	Operational
8008	+.	Operational
8009	-.	Operational
8010	-.	Operational
8011	-.	Operational
8012	Process name %1.	Operational
8013	IF_FAILEXIT failure: (%4), hr = %5, in %2 @%1_%3.	Operational
8014	-.	Operational
8015	%3 @%1_%2.	Operational
8016	%3 @%1_%2.	Operational
9000	%3 @%1_%2.	Operational
9001	%3 @%1_%2.	Operational
9002	%3 @%1_%2.	Operational
9003	%3 @%1_%2.	Operational
9004	%3 @%1_%2.	Operational
9005	%3 @%1_%2.	Operational
9006	%3 @%1_%2.	Operational
9007	%3 @%1_%2.	Operational
9008	+.	Operational
9009	-.	Operational
9010	-.	Operational
9011	-.	Operational
9012	Process name %1.	Operational
9013	IF_FAILEXIT failure: (%4), hr = %5, in %2 @%1_%3.	Operational
9014	-.	Operational
9015	%3 @%1_%2.	Operational
9016	%3 @%1_%2.	Operational
9100	WLIDCPersistCredential [.	Operational
10000	%3 @%1_%2.	Operational
10001	%3 @%1_%2.	Operational
10002	%3 @%1_%2.	Operational
10003	%3 @%1_%2.	Operational
10004	%3 @%1_%2.	Operational
10005	%3 @%1_%2.	Operational
10006	%3 @%1_%2.	Operational
10007	%3 @%1_%2.	Operational
10008	+.	Operational
10009	-.	Operational
10010	-.	Operational
10011	-.	Operational
10012	Process name %1.	Operational
10013	IF_FAILEXIT failure: (%4), hr = %5, in %2 @%1_%3.	Operational
10014	-.	Operational
10015	%3 @%1_%2.	Operational
10016	%3 @%1_%2.	Operational
11000	%3 @%1_%2.	Operational
11001	%3 @%1_%2.	Operational
11002	%3 @%1_%2.	Operational
11003	%3 @%1_%2.	Operational
11004	%3 @%1_%2.	Operational
11005	%3 @%1_%2.	Operational
11006	%3 @%1_%2.	Operational
11007	%3 @%1_%2.	Operational
11008	+.	Operational
11009	-.	Operational
11010	-.	Operational
11011	-.	Operational
11012	Process name %1.	Operational
11013	IF_FAILEXIT failure: (%4), hr = %5, in %2 @%1_%3.	Operational
11014	-.	Operational
11015	%3 @%1_%2.	Operational
11016	%3 @%1_%2.	Operational
12000	%3 @%1_%2.	Operational
12001	%3 @%1_%2.	Operational
12002	%3 @%1_%2.	Operational
12003	%3 @%1_%2.	Operational
12004	%3 @%1_%2.	Operational
12005	%3 @%1_%2.	Operational
12006	%3 @%1_%2.	Operational
12007	%3 @%1_%2.	Operational
12008	+.	Operational
12009	-.	Operational
12010	-.	Operational
12011	-.	Operational
12012	Process name %1.	Operational
12013	IF_FAILEXIT failure: (%4), hr = %5, in %2 @%1_%3.	Operational
12014	-.	Operational
12015	%3 @%1_%2.	Operational
12016	%3 @%1_%2.	Operational

Event ID 1002 — LsaApLogonUserEx2_Stop.

Provider: Microsoft-Windows-LiveId
Channel: Analytic

Message

LsaApLogonUserEx2_Stop.Status: {Status}

Fields

Name	Description
`Status`	—

Event ID 1004 — SpOnProfileLoaded_Stop.

Provider: Microsoft-Windows-LiveId
Channel: Analytic

Message

SpOnProfileLoaded_Stop.ServiceCalled: {ServiceCalled}	Status: {Status}

Fields

Name	Description
`ServiceCalled`	—
`Status`	—

Event ID 1005 — ConnectIdentity_Start

Provider: Microsoft-Windows-LiveId
Channel: Analytic

Message

ConnectIdentity_Start

Event ID 1006 — ConnectIdentity_Stop.

Provider: Microsoft-Windows-LiveId
Channel: Analytic

Message

ConnectIdentity_Stop.
Status: %1

Fields

Name	Description
`Status`	—
`Result`	—

Event ID 1007 — DisconnectIdentity_Start

Provider: Microsoft-Windows-LiveId
Channel: Analytic

Message

DisconnectIdentity_Start

Event ID 1008 — DisconnectIdentity_Stop.

Provider: Microsoft-Windows-LiveId
Channel: Analytic

Message

DisconnectIdentity_Stop.
Status: %1

Fields

Name	Description
`Status`	—
`Result`	—

Event ID 1010 — LiveDoCachedLogon_Stop.

Provider: Microsoft-Windows-LiveId
Channel: Analytic

Message

LiveDoCachedLogon_Stop.Status: {Result}

Fields

Name	Description
`Result`	—

Event ID 1012 — LiveAuthenticate_Stop.

Provider: Microsoft-Windows-LiveId
Channel: Analytic

Message

LiveAuthenticate_Stop.Status: {Status}

Fields

Name	Description
`Status`	—

Event ID 1013 — NetworkCall_Start

Provider: Microsoft-Windows-LiveId
Channel: Analytic

Message

NetworkCall_Start

Event ID 1014 — NetworkCall_Stop.

Provider: Microsoft-Windows-LiveId
Channel: Analytic

Message

NetworkCall_Stop.
Number of Targets: %1
RequestType: %2

Fields

Name	Description
`NoOfTargets`	—
`RequestType`	—

Event ID 1015 — DeviceAuth_Start

Provider: Microsoft-Windows-LiveId
Channel: Analytic

Message

DeviceAuth_Start

Event ID 1016 — DeviceAuth_Stop.

Provider: Microsoft-Windows-LiveId
Channel: Analytic

Message

DeviceAuth_Stop.
Status: %1

Fields

Name	Description
`Status`	—
`TicketsCached`	—
`Result`	—

Event ID 1017 — UserAuth_Start

Provider: Microsoft-Windows-LiveId
Channel: Analytic

Message

UserAuth_Start

Event ID 1018 — UserAuth_Stop.

Provider: Microsoft-Windows-LiveId
Channel: Analytic

Message

UserAuth_Stop.
Status: %1

Fields

Name	Description
`Status`	—
`TicketsCached`	—
`Result`	—

Event ID 1019 — PromptForCredentials_Start

Provider: Microsoft-Windows-LiveId
Channel: Analytic

Message

PromptForCredentials_Start

Event ID 1020 — PromptForCredentials_Stop.

Provider: Microsoft-Windows-LiveId
Channel: Analytic

Message

PromptForCredentials_Stop.
Status: %1

Fields

Name	Description
`Status`	—
`Result`	—

Event ID 1021 — SignOutUser_RegistryOpenOrReadFailure.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

SignOutUser_RegistryOpenOrReadFailure. 
RegistryLocation: %1. 
Status: %2

Fields

Name	Description
`RegistryLocation`	—
`Status`	—

Event ID 1022 — SignOutUser_RegistryWriteFailure.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

SignOutUser_RegistryWriteFailure. 
RegistryLocation: %1. 
Status: %2

Fields

Name	Description
`RegistryLocation`	—
`Status`	—

Event ID 2008 — DeviceAuthAsync_Start

Provider: Microsoft-Windows-LiveId
Channel: Analytic

Message

DeviceAuthAsync_Start

Event ID 2009 — DeviceAuthAsync_Stop

Provider: Microsoft-Windows-LiveId
Channel: Analytic

Message

DeviceAuthAsync_Stop

Event ID 2010 — UserAuthAsync_Start

Provider: Microsoft-Windows-LiveId
Channel: Analytic

Message

UserAuthAsync_Start

Event ID 2011 — UserAuthAsync_Stop

Provider: Microsoft-Windows-LiveId
Channel: Analytic

Message

UserAuthAsync_Stop

Event ID 2012 — SignOutUser_Start

Provider: Microsoft-Windows-LiveId
Channel: Analytic

Message

SignOutUser_Start

Event ID 2013 — SignOutUser_Stop

Provider: Microsoft-Windows-LiveId
Channel: Analytic

Message

SignOutUser_Stop

Event ID 2014 — WLIDSvcReady

Provider: Microsoft-Windows-LiveId
Channel: Analytic

Message

WLIDSvcReady

Event ID 2015 — CommandLinkClicked_Start

Provider: Microsoft-Windows-LiveId
Channel: Analytic

Message

CommandLinkClicked_Start

Event ID 2016 — CommandLinkClicked_Stop.

Provider: Microsoft-Windows-LiveId
Channel: Analytic

Message

CommandLinkClicked_Stop.
Status: %1

Fields

Name	Description
`Status`	—
`Result`	—

Event ID 2017 — UserImageGetBitmapValue_Start

Provider: Microsoft-Windows-LiveId
Channel: Analytic

Message

UserImageGetBitmapValue_Start

Event ID 2018 — UserImageGetBitmapValue_Stop.

Provider: Microsoft-Windows-LiveId
Channel: Analytic

Message

UserImageGetBitmapValue_Stop.
Status: %1

Fields

Name	Description
`Status`	—
`Result`	—

Event ID 2019 — CredProvSetSerialization_Start

Provider: Microsoft-Windows-LiveId
Channel: Analytic

Message

CredProvSetSerialization_Start

Event ID 2020 — CredProvSetSerialization_Stop.

Provider: Microsoft-Windows-LiveId
Channel: Analytic

Message

CredProvSetSerialization_Stop.
Status: %1

Fields

Name	Description
`Status`	—
`Result`	—

Event ID 2021 — CredProvGetSerialization_Start

Provider: Microsoft-Windows-LiveId
Channel: Analytic

Message

CredProvGetSerialization_Start

Event ID 2022 — CredProvGetSerialization_Stop.

Provider: Microsoft-Windows-LiveId
Channel: Analytic

Message

CredProvGetSerialization_Stop.
Status: %1

Fields

Name	Description
`Status`	—
`Result`	—

Event ID 2023 — Operation: %1 Details: %2 Status: %3.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

Operation: %1
Details: %2
Status: %3

Fields

Name	Description
`Operation`	—
`Details`	—
`Status`	—
`Target`	—
`Result`	—

Event ID 2024 — Operation: %1 Details: %2 Status: %3.

Provider: Microsoft-Windows-LiveId
Channel: Operational
Level: 4
Samples: 1

Message

Operation: %1
Details: %2
Status: %3

Fields

Name	Description
`Operation`	—
`Details`	—
`Status`	—

Example Event

system:
  provider: Microsoft-Windows-LiveId
  guid: 05F02597-FE85-4E67-8542-69567AB8FD4F
  event_source_name: ''
  event_id: 2024
  version: 0
  level: 4
  task: 101
  opcode: 0
  keywords: 4611686018427387920
  time_created: '2023-11-06T06:25:38.920252+00:00'
  event_record_id: 264
  correlation: {}
  execution:
    process_id: 1612
    thread_id: 1804
  channel: Microsoft-Windows-LiveId/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  Operation: Service started
  Details: The service will auto stop if no requests received for some period of time.
  Status: '0x0'
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 2025 — WLIDSvc service failed to start.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

WLIDSvc service failed to start.
Function: %1
Reason: %2
Status: %3

Fields

Name	Description
`Function`	—
`Reason`	—
`Status`	—
`Operation`	—
`Result`	—

Event ID 2026 — Generic telemetry trigger event.

Provider: Microsoft-Windows-LiveId
Channel: Analytic

Message

Generic telemetry trigger event.
PointType: %1
AppName: %2
ModuleName: %3
ModuleVersion: %4
FileName: %5
FunctionName: %6
LineNumber: %7
ErrorCode: %8

Fields

Name	Description
`PointType`	—
`AppName`	—
`ModuleName`	—
`ModuleVersion`	—
`FileName`	—
`FunctionName`	—
`LineNumber`	—
`ErrorCode`	—

Event ID 2027 — User specific telemetry trigger event for CID %1.

Provider: Microsoft-Windows-LiveId
Channel: Analytic

Message

User specific telemetry trigger event for CID %1.

Fields

Name	Description
`cid`	—

Event ID 2028 — ErrorVerifier in function %1 encountered unexpected error code (%2).

Provider: Microsoft-Windows-LiveId
Channel: Operational
Level: 2
Samples: 1

Message

ErrorVerifier in function %1 encountered unexpected error code (%2).

Fields

Name	Description
`FunctionName`	—
`ErrorCode`	—

Example Event

system:
  provider: Microsoft-Windows-LiveId
  guid: 05F02597-FE85-4E67-8542-69567AB8FD4F
  event_source_name: ''
  event_id: 2028
  version: 0
  level: 2
  task: 0
  opcode: 0
  keywords: 4611686018427387907
  time_created: '2023-10-25T22:54:26.591047+00:00'
  event_record_id: 263
  correlation:
    ActivityID: 00CC000C-001A-0000-B413-F819803D1770
  execution:
    process_id: 5044
    thread_id: 5856
  channel: Microsoft-Windows-LiveId/Operational
  computer: WinDevEval
  security:
    user_id: S-1-5-21-2533829718-189860685-2477588761-500
event_data:
  FunctionName: TokenProviderImplementation::GetTokensFromService
  ErrorCode: -2147187452
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 2029 — Assertion failure for expression ({Expression}) in function {FunctionName} @{FileName}_{LineNumber}.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

Assertion failure for expression ({Expression}) in function {FunctionName} @{FileName}_{LineNumber}.

Fields

Name	Description
`Expression`	—
`FunctionName`	—
`FileName`	—
`LineNumber`	—

Event ID 3000 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 3001 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 3002 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 3003 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 3004 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 3005 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 3006 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 3007 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 3008 — +.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

+%2@%1_%3

Fields

Name	Description
`FileName`	—
`FunctionName`	—
`LineNumber`	—
`description`	—

Event ID 3009 — -.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

-%1=%2

Fields

Name	Description
`FunctionName`	—
`ErrorCode`	—

Event ID 3010 — -.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

-%1=%2

Fields

Name	Description
`FunctionName`	—
`ErrorCode`	—

Event ID 3011 — -.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

-%1=%2

Fields

Name	Description
`FunctionName`	—
`Address`	—

Event ID 3012 — Process name %1.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

Process name %1

Fields

Name	Description
`ProcessName`	—

Event ID 3013 — IF_FAILEXIT failure: (%4), hr = %5, in %2 @%1_%3.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

IF_FAILEXIT failure: (%4), hr = %5, in %2 @%1_%3

Fields

Name	Description
`FileName`	—
`FunctionName`	—
`LineNumber`	—
`Expression`	—
`ErrorCode`	—

Event ID 3014 — -.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

-%1=%2

Fields

Name	Description
`FunctionName`	—
`ErrorCode`	—

Event ID 3015 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 3016 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 4000 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 4001 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 4002 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 4003 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 4004 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 4005 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 4006 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 4007 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 4008 — +.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

+%2@%1_%3

Fields

Name	Description
`FileName`	—
`FunctionName`	—
`LineNumber`	—
`description`	—

Event ID 4009 — -.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

-%1=%2

Fields

Name	Description
`FunctionName`	—
`ErrorCode`	—

Event ID 4010 — -.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

-%1=%2

Fields

Name	Description
`FunctionName`	—
`ErrorCode`	—

Event ID 4011 — -.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

-%1=%2

Fields

Name	Description
`FunctionName`	—
`Address`	—

Event ID 4012 — Process name %1.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

Process name %1

Fields

Name	Description
`ProcessName`	—

Event ID 4013 — IF_FAILEXIT failure: (%4), hr = %5, in %2 @%1_%3.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

IF_FAILEXIT failure: (%4), hr = %5, in %2 @%1_%3

Fields

Name	Description
`FileName`	—
`FunctionName`	—
`LineNumber`	—
`Expression`	—
`ErrorCode`	—

Event ID 4014 — -.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

-%1=%2

Fields

Name	Description
`FunctionName`	—
`ErrorCode`	—

Event ID 4015 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 4016 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 5000 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 5001 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 5002 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 5003 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 5004 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 5005 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 5006 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 5007 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 5008 — +.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

+%2@%1_%3

Fields

Name	Description
`FileName`	—
`FunctionName`	—
`LineNumber`	—
`description`	—

Event ID 5009 — -.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

-%1=%2

Fields

Name	Description
`FunctionName`	—
`ErrorCode`	—

Event ID 5010 — -.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

-%1=%2

Fields

Name	Description
`FunctionName`	—
`ErrorCode`	—

Event ID 5011 — -.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

-%1=%2

Fields

Name	Description
`FunctionName`	—
`Address`	—

Event ID 5012 — Process name %1.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

Process name %1

Fields

Name	Description
`ProcessName`	—

Event ID 5013 — IF_FAILEXIT failure: (%4), hr = %5, in %2 @%1_%3.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

IF_FAILEXIT failure: (%4), hr = %5, in %2 @%1_%3

Fields

Name	Description
`FileName`	—
`FunctionName`	—
`LineNumber`	—
`Expression`	—
`ErrorCode`	—

Event ID 5014 — -.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

-%1=%2

Fields

Name	Description
`FunctionName`	—
`ErrorCode`	—

Event ID 5015 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 5016 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 6000 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 6001 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 6002 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 6003 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 6004 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 6005 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 6006 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 6007 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 6008 — +.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

+%2@%1_%3

Fields

Name	Description
`FileName`	—
`FunctionName`	—
`LineNumber`	—
`description`	—

Event ID 6009 — -.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

-%1=%2

Fields

Name	Description
`FunctionName`	—
`ErrorCode`	—

Event ID 6010 — -.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

-%1=%2

Fields

Name	Description
`FunctionName`	—
`ErrorCode`	—

Event ID 6011 — -.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

-%1=%2

Fields

Name	Description
`FunctionName`	—
`Address`	—

Event ID 6012 — Process name %1.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

Process name %1

Fields

Name	Description
`ProcessName`	—

Event ID 6013 — IF_FAILEXIT failure: (%4), hr = %5, in %2 @%1_%3.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

IF_FAILEXIT failure: (%4), hr = %5, in %2 @%1_%3

Fields

Name	Description
`FileName`	—
`FunctionName`	—
`LineNumber`	—
`Expression`	—
`ErrorCode`	—

Event ID 6014 — -.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

-%1=%2

Fields

Name	Description
`FunctionName`	—
`ErrorCode`	—

Event ID 6015 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 6016 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 6100 — Service Create Context for [.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

Service Create Context for [%1]

Fields

Name	Description
`value`	—

Event ID 6101 — Token with target [.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

Token with target [%1] expired on %2, Deleting it from CredMan.

Fields

Name	Description
`TargetName`	—
`ExpiryTime`	—

Event ID 6102 — Certificate (target = [%1]) has expired.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

Certificate (target = [%1]) has expired. Deleting from CredMan.

Fields

Name	Description
`value`	—

Event ID 6103 — RemoveCachedAuthInfo Deleting item for target [.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

RemoveCachedAuthInfo Deleting item for target [%1] from CredMan.

Fields

Name	Description
`value`	—

Event ID 6104 — RemoveCachedAuthInfo ALL Deleting [.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

RemoveCachedAuthInfo ALL Deleting [%1] items from CredMan.

Fields

Name	Description
`value`	—

Event ID 6105 — RemovePersistedTokens Deleting item for target [.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

RemovePersistedTokens Deleting item for target [%1] from CredMan.

Fields

Name	Description
`value`	—

Event ID 6106 — Attempting to delete for target [.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

Attempting to delete for target [{TargetName}] from CredMan failed with {ErrorCode}.

Fields

Name	Description
`TargetName`	—
`ErrorCode`	—

Event ID 6107 — Write to CredMan failed for target [.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

Write to CredMan failed for target [{TargetName}] with {ErrorCode}.

Fields

Name	Description
`TargetName`	—
`ErrorCode`	—

Event ID 6108 — Writing Token for target [.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

Writing Token for target [{value}] to CredMan.

Fields

Name	Description
`value`	—

Event ID 6109 — CredEnumerateW failed for target [.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

CredEnumerateW failed for target [{TargetName}] with {ErrorCode}.

Fields

Name	Description
`TargetName`	—
`ErrorCode`	—

Event ID 6110 — CredEnumerateW found no match for target [.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

CredEnumerateW found no match for target [{value}].

Fields

Name	Description
`value`	—

Event ID 6111 — DeleteStoredCredential Deleting item for target [.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

DeleteStoredCredential Deleting item for target [{value}] from CredMan.

Fields

Name	Description
`value`	—

Event ID 6112 — CredMan activity skipped.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

CredMan activity skipped. Credential not changed for [WindowsLive:(token):name=%1;serviceuri=%2

Fields

Name	Description
`value1`	—
`value2`	—

Event ID 6113 — RPC call to function %1 returned the following error code: %2.

Provider: Microsoft-Windows-LiveId
Channel: Operational
Level: 2
Samples: 1

Message

RPC call to function %1 returned the following error code: %2.

Fields

Name	Description
`FunctionName`	—
`ErrorCode`	1 returned the following error code.

Example Event

system:
  provider: Microsoft-Windows-LiveId
  guid: 05F02597-FE85-4E67-8542-69567AB8FD4F
  event_source_name: ''
  event_id: 6113
  version: 0
  level: 2
  task: 0
  opcode: 0
  keywords: 4611686018431584274
  time_created: '2023-11-06T06:25:46.083912+00:00'
  event_record_id: 267
  correlation: {}
  execution:
    process_id: 1612
    thread_id: 1804
  channel: Microsoft-Windows-LiveId/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  FunctionName: WLIDCleanupIdentity
  ErrorCode: 2147942487
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 6114 — SOAP Request of type %1 for user CID '%2' in %4 environment received the following error code from the Microsoft Account server: %3.

Provider: Microsoft-Windows-LiveId
Channel: Operational
Level: 2
Samples: 1

Message

SOAP Request of type %1 for user CID '%2' in %4 environment received the following error code from the Microsoft Account server: %3.

Fields

Name	Description
`RequestType`	—
`cid`	—
`ErrorCode`	4 environment received the following error code from the Microsoft Account server.
`MachineEnvironment`	—

Example Event

system:
  provider: Microsoft-Windows-LiveId
  guid: 05F02597-FE85-4E67-8542-69567AB8FD4F
  event_source_name: ''
  event_id: 6114
  version: 0
  level: 2
  task: 0
  opcode: 0
  keywords: 4611686018429487122
  time_created: '2023-11-05T22:32:46.332962+00:00'
  event_record_id: 329
  correlation: {}
  execution:
    process_id: 7324
    thread_id: 7420
  channel: Microsoft-Windows-LiveId/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-19
event_data:
  RequestType: 2
  cid: 'NULL'
  ErrorCode: 2147759380
  MachineEnvironment: production
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 6115 — ## SOAP Request.

Provider: Microsoft-Windows-LiveId
Channel: Operational
Level: 4
Samples: 1

Message

## SOAP Request: %1

Fields

Name	Description
`Value`	## SOAP Request.

Example Event

system:
  provider: Microsoft-Windows-LiveId
  guid: 05F02597-FE85-4E67-8542-69567AB8FD4F
  event_source_name: ''
  event_id: 6115
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 4611686018429487104
  time_created: '2023-11-06T06:25:40.033392+00:00'
  event_record_id: 266
  correlation: {}
  execution:
    process_id: 1612
    thread_id: 1816
  channel: Microsoft-Windows-LiveId/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  Value: <DeviceAddRequest><ClientInfo name="IDCRL" version="1.0"><BinaryVersion>*</BinaryVersion></ClientInfo><Authentication><Membername>*</Membername><Password>*</Password></Authentication><OldMembername>*</OldMembername><ReprovisionReason>*</ReprovisionReason></DeviceAddRequest>
message: ''

Community Notes

Windows LiveId sign-in activity.

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 6116 — ## SOAP Response.

Provider: Microsoft-Windows-LiveId
Channel: Operational
Level: 4
Samples: 1

Message

## SOAP Response: %1

Fields

Name	Description
`Value`	## SOAP Response.

Example Event

system:
  provider: Microsoft-Windows-LiveId
  guid: 05F02597-FE85-4E67-8542-69567AB8FD4F
  event_source_name: ''
  event_id: 6116
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 4611686018429487104
  time_created: '2023-11-06T01:57:51.138250+00:00'
  event_record_id: 405
  correlation: {}
  execution:
    process_id: 13988
    thread_id: 19532
  channel: Microsoft-Windows-LiveId/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-21-1992711665-1655669231-58201500-1000
event_data:
  Value: <S:Envelope><S:Header><wsa:Action wsu:Id="Action" S:mustUnderstand="1">*</wsa:Action><wsa:To
    wsu:Id="To" S:mustUnderstand="1">*</wsa:To><wsse:Security><wsu:Timestamp wsu:Id="TS"><wsu:Created>2023-11-06T01:57:50Z</wsu:Created><wsu:Expires>2023-11-06T02:02:50Z</wsu:Expires></wsu:Timestamp><wssc:DerivedKeyToken
    wsu:Id="SignKey" Algorithm="urn:liveid:SP800108_CTR_HMAC_SHA256_DOUBLEDERIVED"><wsse:SecurityTokenReference><wsse:Reference
    URI="V02OjHTFUWobDCwGy07UJ1IBPq4="></wsse:Reference></wsse:SecurityTokenReference><wssc:Nonce>*</wssc:Nonce></wssc:DerivedKeyToken><wssc:DerivedKeyToken
    wsu:Id="EncKey" Algorithm="urn:liveid:SP800108_CTR_HMAC_SHA256_DOUBLEDERIVED"><wsse:SecurityTokenReference><wsse:Reference
    URI="V02OjHTFUWobDCwGy07UJ1IBPq4="></wsse:Reference></wsse:SecurityTokenReference><wssc:Nonce>*</wssc:Nonce></wssc:DerivedKeyToken><Signature
    xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod
    Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod><SignatureMethod
    Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"></SignatureMethod><Reference
    URI="#EncPsf"><Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform></Transforms><DigestMethod
    Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></DigestMethod><DigestValue>*</DigestValue></Reference><Reference
    URI="#Body"><Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform></Transforms><DigestMethod
    Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></DigestMethod><DigestValue>*</DigestValue></Reference><Reference
    URI="#To"><Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform></Transforms><DigestMethod
    Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></DigestMethod><DigestValue>*</DigestValue></Reference><Reference
    URI="#Action"><Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform></Transforms><DigestMethod
    Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></DigestMethod><DigestValue>*</DigestValue></Reference><Reference
    URI="#TS"><Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform></Transforms><DigestMethod
    Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></DigestMethod><DigestValue>*</DigestValue></Reference></SignedInfo><SignatureValue>*</SignatureValue><KeyInfo><wsse:SecurityTokenReference><wsse:Reference
    URI="#SignKey"></wsse:Reference></wsse:SecurityTokenReference></KeyInfo></Signature><e:ReferenceList
    xmlns:e="http://www.w3.org/2001/04/xmlenc#"><e:DataReference URI="#RSTR"/><e:DataReference
    URI="#EncPsf"/></e:ReferenceList></wsse:Security><psf:EncryptedPP><EncryptedData
    xmlns="http://www.w3.org/2001/04/xmlenc#" Id="EncPsf" Type="http://www.w3.org/2001/04/xmlenc#Element"><EncryptionMethod
    Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"></EncryptionMethod><KeyInfo
    xmlns="http://www.w3.org/2000/09/xmldsig#"><wsse:SecurityTokenReference><wsse:Reference
    URI="#EncKey"></wsse:Reference></wsse:SecurityTokenReference></KeyInfo><CipherData><CipherValue>*</CipherValue></CipherData></EncryptedData></psf:EncryptedPP></S:Header><S:Body
    wsu:Id="Body"><EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#" Id="RSTR"
    Type="http://www.w3.org/2001/04/xmlenc#Element"><EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"></EncryptionMethod><KeyInfo
    xmlns="http://www.w3.org/2000/09/xmldsig#"><wsse:SecurityTokenReference><wsse:Reference
    URI="#EncKey"></wsse:Reference></wsse:SecurityTokenReference></KeyInfo><CipherData><CipherValue>*</CipherValue></CipherData></EncryptedData></S:Body></S:Envelope>
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 6117 — Acquired Service token.

Provider: Microsoft-Windows-LiveId
Channel: Operational
Level: 4
Samples: 1

Message

Acquired Service token.
ResourceURI: %1
Created: %2
Expires: %3
TokenType: %4
AuthRequired: %5
RequestStatus: %6
HasFlowUrl: %7
HasAuthUrl: %8
HasEndAuthUrl: %9

Fields

Name	Description
`ResourceURI`	—
`Created`	—
`Expires`	—
`TokenType`	—
`AuthRequired`	—
`RequestStatus`	—
`HasFlowUrl`	—
`HasAuthUrl`	—
`HasEndAuthUrl`	—

Example Event

system:
  provider: Microsoft-Windows-LiveId
  guid: 05F02597-FE85-4E67-8542-69567AB8FD4F
  event_source_name: ''
  event_id: 6117
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 4611686018429487104
  time_created: '2023-11-06T01:57:51.264021+00:00'
  event_record_id: 406
  correlation: {}
  execution:
    process_id: 13988
    thread_id: 19532
  channel: Microsoft-Windows-LiveId/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-21-1992711665-1655669231-58201500-1000
event_data:
  ResourceURI: https://watson.telemetry.microsoft.com
  Created: '2023-11-05T17:57:50.000000Z'
  Expires: '2023-11-06T17:57:50.000000Z'
  TokenType: urn:passport:compact
  AuthRequired: 0
  RequestStatus: 0
  HasFlowUrl: false
  HasAuthUrl: false
  HasEndAuthUrl: false
message: ''

Community Notes

Windows LiveId sign-in activity.

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 7000 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 7001 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 7002 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 7003 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 7004 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 7005 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 7006 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 7007 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 7008 — +.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

+%2@%1_%3

Fields

Name	Description
`FileName`	—
`FunctionName`	—
`LineNumber`	—
`description`	—

Event ID 7009 — -.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

-%1=%2

Fields

Name	Description
`FunctionName`	—
`ErrorCode`	—

Event ID 7010 — -.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

-%1=%2

Fields

Name	Description
`FunctionName`	—
`ErrorCode`	—

Event ID 7011 — -.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

-%1=%2

Fields

Name	Description
`FunctionName`	—
`Address`	—

Event ID 7012 — Process name %1.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

Process name %1

Fields

Name	Description
`ProcessName`	—

Event ID 7013 — IF_FAILEXIT failure: (%4), hr = %5, in %2 @%1_%3.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

IF_FAILEXIT failure: (%4), hr = %5, in %2 @%1_%3

Fields

Name	Description
`FileName`	—
`FunctionName`	—
`LineNumber`	—
`Expression`	—
`ErrorCode`	—

Event ID 7014 — -.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

-%1=%2

Fields

Name	Description
`FunctionName`	—
`ErrorCode`	—

Event ID 7015 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 7016 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 7100 — Cached ticket for site %1 and policy %2 found which is valid for another %3 seconds.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

Cached ticket for site %1 and policy %2 found which is valid for another %3 seconds.

Fields

Name	Description
`Uri`	—
`Policy`	—
`TimeToLive`	—

Event ID 7101 — ApplicationId Overwritten [.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

ApplicationId Overwritten [%1] becomes [%2]

Fields

Name	Description
`value1`	—
`value2`	—

Event ID 7102 — ApplicationId [.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

ApplicationId [%1]

Fields

Name	Description
`value`	—

Event ID 7103 — Cached ticket for site %1 and policy %2 not found or has expired.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

Cached ticket for site %1 and policy %2 not found or has expired.

Fields

Name	Description
`value1`	—
`value2`	—

Event ID 7104 — Attempts = [.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

Attempts = [%1], latestIterationResult = [%2], continueRetry = [%3], isConnected = [%4], flowUrl = [%5], defaultUser = [%6], promptType = [%7], authUrl = [%8], endAuthUrl = [%8]

Fields

Name	Description
`Attempts`	—
`latestIterationResult`	—
`continueRetry`	—
`isConnected`	—
`flowUrl`	—
`defaultUser`	—
`promptType`	—
`authUrl`	—
`endAuthUrl`	—

Event ID 7105 — WLIDCPersistCredential [.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

WLIDCPersistCredential [%1]

Fields

Name	Description
`value`	—

Event ID 8000 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 8001 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 8002 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 8003 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 8004 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 8005 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 8006 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 8007 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 8008 — +.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

+%2@%1_%3

Fields

Name	Description
`FileName`	—
`FunctionName`	—
`LineNumber`	—
`description`	—

Event ID 8009 — -.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

-%1=%2

Fields

Name	Description
`FunctionName`	—
`ErrorCode`	—

Event ID 8010 — -.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

-%1=%2

Fields

Name	Description
`FunctionName`	—
`ErrorCode`	—

Event ID 8011 — -.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

-%1=%2

Fields

Name	Description
`FunctionName`	—
`Address`	—

Event ID 8012 — Process name %1.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

Process name %1

Fields

Name	Description
`ProcessName`	—

Event ID 8013 — IF_FAILEXIT failure: (%4), hr = %5, in %2 @%1_%3.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

IF_FAILEXIT failure: (%4), hr = %5, in %2 @%1_%3

Fields

Name	Description
`FileName`	—
`FunctionName`	—
`LineNumber`	—
`Expression`	—
`ErrorCode`	—

Event ID 8014 — -.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

-%1=%2

Fields

Name	Description
`FunctionName`	—
`ErrorCode`	—

Event ID 8015 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 8016 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 9000 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 9001 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 9002 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 9003 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 9004 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 9005 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 9006 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 9007 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 9008 — +.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

+%2@%1_%3

Fields

Name	Description
`FileName`	—
`FunctionName`	—
`LineNumber`	—
`description`	—

Event ID 9009 — -.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

-%1=%2

Fields

Name	Description
`FunctionName`	—
`ErrorCode`	—

Event ID 9010 — -.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

-%1=%2

Fields

Name	Description
`FunctionName`	—
`ErrorCode`	—

Event ID 9011 — -.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

-%1=%2

Fields

Name	Description
`FunctionName`	—
`Address`	—

Event ID 9012 — Process name %1.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

Process name %1

Fields

Name	Description
`ProcessName`	—

Event ID 9013 — IF_FAILEXIT failure: (%4), hr = %5, in %2 @%1_%3.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

IF_FAILEXIT failure: (%4), hr = %5, in %2 @%1_%3

Fields

Name	Description
`FileName`	—
`FunctionName`	—
`LineNumber`	—
`Expression`	—
`ErrorCode`	—

Event ID 9014 — -.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

-%1=%2

Fields

Name	Description
`FunctionName`	—
`ErrorCode`	—

Event ID 9015 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 9016 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 9100 — WLIDCPersistCredential [.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

WLIDCPersistCredential [%1]

Fields

Name	Description
`value`	—

Event ID 10000 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 10001 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 10002 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 10003 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 10004 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 10005 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 10006 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 10007 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 10008 — +.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

+%2@%1_%3

Fields

Name	Description
`FileName`	—
`FunctionName`	—
`LineNumber`	—
`description`	—

Event ID 10009 — -.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

-%1=%2

Fields

Name	Description
`FunctionName`	—
`ErrorCode`	—

Event ID 10010 — -.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

-%1=%2

Fields

Name	Description
`FunctionName`	—
`ErrorCode`	—

Event ID 10011 — -.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

-%1=%2

Fields

Name	Description
`FunctionName`	—
`Address`	—

Event ID 10012 — Process name %1.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

Process name %1

Fields

Name	Description
`ProcessName`	—

Event ID 10013 — IF_FAILEXIT failure: (%4), hr = %5, in %2 @%1_%3.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

IF_FAILEXIT failure: (%4), hr = %5, in %2 @%1_%3

Fields

Name	Description
`FileName`	—
`FunctionName`	—
`LineNumber`	—
`Expression`	—
`ErrorCode`	—

Event ID 10014 — -.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

-%1=%2

Fields

Name	Description
`FunctionName`	—
`ErrorCode`	—

Event ID 10015 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 10016 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 11000 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 11001 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 11002 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 11003 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 11004 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 11005 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 11006 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 11007 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 11008 — +.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

+%2@%1_%3

Fields

Name	Description
`FileName`	—
`FunctionName`	—
`LineNumber`	—
`description`	—

Event ID 11009 — -.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

-%1=%2

Fields

Name	Description
`FunctionName`	—
`ErrorCode`	—

Event ID 11010 — -.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

-%1=%2

Fields

Name	Description
`FunctionName`	—
`ErrorCode`	—

Event ID 11011 — -.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

-%1=%2

Fields

Name	Description
`FunctionName`	—
`Address`	—

Event ID 11012 — Process name %1.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

Process name %1

Fields

Name	Description
`ProcessName`	—

Event ID 11013 — IF_FAILEXIT failure: (%4), hr = %5, in %2 @%1_%3.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

IF_FAILEXIT failure: (%4), hr = %5, in %2 @%1_%3

Fields

Name	Description
`FileName`	—
`FunctionName`	—
`LineNumber`	—
`Expression`	—
`ErrorCode`	—

Event ID 11014 — -.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

-%1=%2

Fields

Name	Description
`FunctionName`	—
`ErrorCode`	—

Event ID 11015 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 11016 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 12000 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 12001 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 12002 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 12003 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 12004 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 12005 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 12006 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 12007 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 12008 — +.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

+%2@%1_%3

Fields

Name	Description
`FileName`	—
`FunctionName`	—
`LineNumber`	—
`description`	—

Event ID 12009 — -.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

-%1=%2

Fields

Name	Description
`FunctionName`	—
`ErrorCode`	—

Event ID 12010 — -.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

-%1=%2

Fields

Name	Description
`FunctionName`	—
`ErrorCode`	—

Event ID 12011 — -.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

-%1=%2

Fields

Name	Description
`FunctionName`	—
`Address`	—

Event ID 12012 — Process name %1.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

Process name %1

Fields

Name	Description
`ProcessName`	—

Event ID 12013 — IF_FAILEXIT failure: (%4), hr = %5, in %2 @%1_%3.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

IF_FAILEXIT failure: (%4), hr = %5, in %2 @%1_%3

Fields

Name	Description
`FileName`	—
`FunctionName`	—
`LineNumber`	—
`Expression`	—
`ErrorCode`	—

Event ID 12014 — -.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

-%1=%2

Fields

Name	Description
`FunctionName`	—
`ErrorCode`	—

Event ID 12015 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—

Event ID 12016 — %3 @%1_%2.

Provider: Microsoft-Windows-LiveId
Channel: Operational

Message

%3 @%1_%2

Fields

Name	Description
`FileName`	—
`LineNumber`	—
`description`	—