Message

Performance counters for the %1 (%2) service were loaded successfully. The Record Data in the data section contains the new index values assigned to this service.

Fields

Example Event

system:
  provider: Microsoft-Windows-LoadPerf
  guid: 122EE297-BB47-41AE-B265-1CA8D1886D40
  event_source_name: ''
  event_id: 1000
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2022-04-07T16:59:11.051894+00:00'
  event_record_id: 207
  correlation: {}
  execution:
    process_id: 4204
    thread_id: 4208
  channel: Application
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-18
user_data:
  EventXML:
    param1: WmiApRpl
    param2: WmiApRpl
    binaryDataSize: 16
    binaryData: 7igAAJQpAADvKAAAlSkAAA==
message: Performance counters for the WmiApRpl!s! (WmiApRpl!s!) service were loaded
  successfully. The Record Data in the data section contains the new index values
  assigned to this service.

References

• Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Message

Performance counters for the %1 (%2) service were removed successfully. The Record Data contains the new values of the system Last Counter and Last Help registry entries.

Fields

Example Event

system:
  provider: Microsoft-Windows-LoadPerf
  guid: 122EE297-BB47-41AE-B265-1CA8D1886D40
  event_source_name: ''
  event_id: 1001
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2022-04-07T16:59:10.681381+00:00'
  event_record_id: 206
  correlation: {}
  execution:
    process_id: 4204
    thread_id: 4208
  channel: Application
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-18
user_data:
  EventXML:
    param1: WmiApRpl
    param2: WmiApRpl
    binaryDataSize: 12
    binaryData: 7CgAAO0oAADSBQAA
message: Performance counters for the WmiApRpl!s! (WmiApRpl!s!) service were removed
  successfully. The Record Data contains the new values of the system Last Counter
  and Last Help registry entries.

References

• Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Message

Performance counters for the %1 (%2) service are already in the registry, no need to reinstall. This only happens when you install the same counter twice. The second time install will generate this event.

Fields

Example Event

system:
  provider: Microsoft-Windows-LoadPerf
  guid: 122EE297-BB47-41AE-B265-1CA8D1886D40
  event_source_name: ''
  event_id: 1002
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2013-10-23T18:31:55.566626+00:00'
  event_record_id: 266
  correlation: {}
  execution:
    process_id: 836
    thread_id: 3012
  channel: Application
  computer: IE8Win7
  security:
    user_id: S-1-5-18
user_data:
  EventXML:
    xmlns:auto-ns2: http://schemas.microsoft.com/win/2004/08/events
    param1: .NET CLR Networking 4.0.0.0
    param2: .NET CLR Networking 4.0.0.0
    binaryDataSize: 4
    binaryData: whIAAA==
message: Performance counters for the http://schemas.microsoft.com/win/2004/08/events!s!
  (.NET CLR Networking 4.0.0.0!s!) service are already in the registry, no need to
  reinstall. This only happens when you install the same counter twice. The second
  time install will generate this event.

References

• Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Message

No MOF file %2 was created for the %1 service. Before the performance counters of this service can be collected by WMI, a MOF file will need to be created and loaded manually. Contact the vendor of this service for additional information.

Fields

Message

The MOF file created for the %1 service could not be loaded. The record data contains the error code returned by the MOF Compiler. Before the performance counters of this service can be collected by WMI, the MOF file will need to be loaded manually. Contact the vendor of this service for additional information.

Fields

Message

The MOF file created for the %1 service cannot be deleted as requested. The automatic recovery function requires the MOF file.

Fields

Message

The Performance registry value %1 string is corrupted. Skip string \"%2\".

Fields

Message

No COUNTER/HELP definition for Language %1.

Fields

Message

The LastCounter and LastHelp values of the performance registry are corrupted and need to be updated. The first and second DWORDs in the Data Section contain the original LastCounter and LastHelp values, respectively, while the third and fourth DWORDs in the Data Section contain the updated new values.

Message

Cannot repair performance counters for %1 service. Reinstall the performance counters manually using the LODCTR tool.

Fields

Message

The performance strings in the registry do not match the index values stored in Performance registry key. The first DWORD in the Data section contains the last index value from performance registry key and the second DWORD in the Data section contains the index of the last string.

Message

The performance counter name string value in the registry is not formatted correctly. The malformed string is %1. The first DWORD in the Data section contains the index value to the malformed string while the second and third DWORDs in the Data section contain the last valid index values.

Fields

Message

The performance counter explain text string value in the registry is not formatted correctly. The malformed string is %1. The first DWORD in the Data section contains the index value to the malformed string while the second and third DWORDs in the Data section contain the last valid index values.

Fields

Message

Unable to install counter strings because the %1 key could not be opened or accessed. The first DWORD in the Data section contains the Win32 error code.

Fields

Message

Unable to read the %1 registry value. The first DWORD in the Data section contains the Win32 error code.

Fields

Message

Unable to open the registry key for the performance counter strings defined for the %1 language ID. The first DWORD in the Data section contains the Win32 error code.

Fields

Message

Unable to read the performance counter strings defined for the %1 language ID. The first DWORD in the Data section contains the Win32 error code.

Fields

Message

Unable to read the performance counter explain text strings defined for the %1 language ID. The first DWORD in the Data section contains the Win32 error code.

Fields

Message

Unable to allocate a required memory buffer.

Message

Installing the performance counter strings for service %1 (%2) failed. The first DWORD in the Data section contains the error code.

Fields

Message

Unloading the performance counter strings for service %1 (%2) failed. The first DWORD in the Data section contains the error code.

Fields

Message

The performance strings in the Performance registry value is corrupted when process %1 extension counter provider. The BaseIndex value from the Performance registry is the first DWORD in the Data section, LastCounter value is the second DWORD in the Data section, and LastHelp value is the third DWORD in the Data section.

Fields

Message

Unable to update the performance counter strings defined for the %1 language ID. The first DWORD in the Data section contains the error code.

Fields

Message

Unable to update the performance counter explain text strings of the %1 language ID. The first DWORD in the Data section contains the error code.

Fields

Message

Index for %1 is corrupted. The first DWORD in the Data section contains the index value.

Fields

Message

Cannot update %1 value of %2 key. The first DWORD in the Data section contains the error code and the second DWORD contains the updated value.

Fields

Message

Cannot update %1 value of %2 key. The first DWORD in the Data section contains the error code.

Fields

Message

%1 index range of service %2 is corrupted. The first DWORD in the Data section contains the first index value used and the second DWORD in the Data section contains last index value used.

Fields

Message

Performance counters for the {param1} ({param2}) service were loaded successfully. The Record Data in the data section contains the new index values assigned to this service.

Fields

Message

Performance counters for the {param1} ({param2}) service were removed successfully. The Record Data contains the new values of the system Last Counter and Last Help registry entries.

Fields

Message

Performance counters for the {param1} ({param2}) service are already in the registry; no need to reinstall. This only happens when you install the same counter twice. The second time install will generate this event.

Fields

Message

No MOF file {param2} was created for the {param1} service. Before the performance counters of this service can be collected by WMI; a MOF file will need to be created and loaded manually. Contact the vendor of this service for additional information.

Fields

Message

The MOF file created for the {param1} service could not be loaded. The record data contains the error code returned by the MOF Compiler. Before the performance counters of this service can be collected by WMI; the MOF file will need to be loaded manually. Contact the vendor of this service for additional information.

Fields

Message

The MOF file created for the {param1} service cannot be deleted as requested. The automatic recovery function requires the MOF file.

Fields

Message

The Performance registry value {param1} string is corrupted. Skip string \'{param2}\'.

Fields

Message

No COUNTER/HELP definition for Language {param1}.

Fields

Message

Cannot repair performance counters for {param1} service. Reinstall the performance counters manually using the LODCTR tool.

Fields

Message

The performance counter name string value in the registry is not formatted correctly. The malformed string is {param1}. The first DWORD in the Data section contains the index value to the malformed string while the second and third DWORDs in the Data section contain the last valid index values.

Fields

Message

The performance counter explain text string value in the registry is not formatted correctly. The malformed string is {param1}. The first DWORD in the Data section contains the index value to the malformed string while the second and third DWORDs in the Data section contain the last valid index values.

Fields

Message

Unable to install counter strings because the {param1} key could not be opened or accessed. The first DWORD in the Data section contains the Win32 error code.

Fields

Message

Unable to read the {param1} registry value. The first DWORD in the Data section contains the Win32 error code.

Fields

Message

Unable to open the registry key for the performance counter strings defined for the {param1} language ID. The first DWORD in the Data section contains the Win32 error code.

Fields

Message

Unable to read the performance counter strings defined for the {param1} language ID. The first DWORD in the Data section contains the Win32 error code.

Fields

Message

Unable to read the performance counter explain text strings defined for the {param1} language ID. The first DWORD in the Data section contains the Win32 error code.

Fields

Message

Installing the performance counter strings for service {param1} ({param2}) failed. The first DWORD in the Data section contains the error code.

Fields

Message

Unloading the performance counter strings for service {param1} ({param2}) failed. The first DWORD in the Data section contains the error code.

Fields

Message

The performance strings in the Performance registry value is corrupted when process {param1} extension counter provider. The BaseIndex value from the Performance registry is the first DWORD in the Data section; LastCounter value is the second DWORD in the Data section; and LastHelp value is the third DWORD in the Data section.

Fields

Message

Unable to update the performance counter strings defined for the {param1} language ID. The first DWORD in the Data section contains the error code.

Fields

Message

Unable to update the performance counter explain text strings of the {param1} language ID. The first DWORD in the Data section contains the error code.

Fields

Message

Index for {param1} is corrupted. The first DWORD in the Data section contains the index value.

Fields

Message

Cannot update {param1} value of {param2} key. The first DWORD in the Data section contains the error code and the second DWORD contains the updated value.

Fields

Message

Cannot update {param1} value of {param2} key. The first DWORD in the Data section contains the error code.

Fields

Message

{param1} index range of service {param2} is corrupted. The first DWORD in the Data section contains the first index value used and the second DWORD in the Data section contains last index value used.

Fields