Fields

Example Event

system:
  provider: Microsoft-Windows-Perflib
  guid: 13B197BD-7CEE-4B4E-8DD0-59314CE374CE
  event_source_name: ''
  event_id: 0
  version: 0
  level: 5
  task: 0
  opcode: 0
  keywords: 4611686018427387904
  time_created: '2023-11-05T22:40:53.996726+00:00'
  event_record_id: 177
  correlation: {}
  execution:
    process_id: 4360
    thread_id: 4224
  channel: Microsoft-Windows-Perflib/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  Name: LoadPerfCounterTextStrings-End
  Status: 0
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

Access to performance data was denied to user "%1" (value from GetUserName() for the running thread) as attempted from module "%2" (value from GetModuleFileName() for the binary that issued the query).

Fields

Message

The Collect procedure in Extensible Counter DLL "%1" for the "%2" service returned buffer size %3, which is larger than the space available. The performance data returned by the counter DLL will not be returned in the Perf Data Block.

Fields

Message

A Guard Page was modified by a Collect procedure in Extensible Counter DLL "%1" for the "%2" service. The performance data returned by the counter DLL will not be returned in the Perf Data Block.

Fields

Message

The Extensible Counter DLL "%1" for the "%2" service returned an incorrect object length. The sum of the %3 object lengths returned did not match the size of the buffer returned.

Fields

Message

The Extensible Counter DLL "%1" for the "%2" service returned an incorrect instance length for the object with title index %3. The sum of the instance lengths plus the object definition structures did not match the size of the object. The performance data returned by the counter DLL will not be returned in the Perf Data Block.

Fields

Message

The attempt to locate the Open procedure "%1" in DLL "%2" for the "%3" service failed with Win32 error code %4. Performance data for this service will not be available.

Fields

Message

The attempt to locate the Collect procedure "%1" in DLL "%2" for the "%3" service failed with Win32 error code %4. Performance data for this service will not be available.

Fields

Message

The attempt to locate the Close procedure "%1" in DLL "%2" for the "%3" service failed with Win32 error code %4. Performance data for this service will not be available.

Fields

Message

The Open procedure for service "%1" in DLL "%2" failed with error code %3. Performance data for this service will not be available.

Fields

Message

The Open procedure in Extensible Counter DLL "%1" for the "%2" service generated exception %3 at address %4. Performance data for this service will not be available.

Fields

Message

The Collect procedure in Extensible Counter DLL "%1" for the "%2" service generated exception %3 at address %4. The performance data returned by the counter DLL will not be returned in the Perf Data Block.

Fields

Message

The Close procedure in Extensible Counter DLL "%1" for the "%2" service generated exception %3 at address %4. The performance data returned by the counter DLL will not be returned in the Perf Data Block.

Fields

Message

The Collect procedure in Extensible Counter DLL "%1" for the "%2" service returned a buffer that was larger (by %3 bytes) than the space allocated and may have corrupted the application's heap. This DLL should be disabled or removed from the system until the problem has been corrected to prevent further corruption. The application accessing this performance data should be restarted. The performance data returned by the counter DLL will not be returned in the Perf Data Block.

Fields

Message

The Collect procedure for service "%1" in DLL "%2" failed with error code %3. The performance data returned by the counter DLL will not be returned in the Perf Data Block.

Fields

Message

The performance data collection function for the "%1" service in the "%2" library did not complete in the allowed time. There may be a problem with this extensible counter, the service from which the counter is collecting data, or the system may have been very busy when this call was attempted.

Fields

Message

The Collect procedure in Extensible Counter DLL "%1" for the "%2" service returned pointer %3 which is not aligned on an 8-byte boundary. This may cause problems for applications that are trying to read the performance data buffer. Contact the manufacturer of this library or service to have this problem corrected or to get a newer version of this library.

Fields

Message

Disabled performance counter data collection from the "%1" service because the performance counter library for that service has generated one or more errors. The errors that forced this action have been written to the application event log. Correct the errors before enabling the performance counters for this service.

Fields

Message

Disabled performance counter data collection for this session from the "%1" service because the performance counter library for that service has generated one or more errors. The errors that forced this action have been written to the application event log.

Fields

Message

A definition field in an object returned by Extensible Counter DLL "%1" for the "%2" service was not correct. The sum of the definitions block lengths in the object definition structures did not match the size specified in the object definition header. The object title index of the invalid object is %3. The performance data returned by this counter DLL will not be returned in the Perf Data Block.

Fields

Message

The required buffer size is greater than the buffer size passed to the Collect function of the "%1" Extensible Counter DLL for the "%2" service. The given buffer size was %3 and the required size was %4.

Fields

Message

Windows cannot open the 32-bit extensible counter DLL "%1" in a 64-bit environment (Win32 error code %2). Contact the file vendor to obtain a 64-bit version. Alternatively, you can open the 32-bit extensible counter DLL by using the 32-bit version of Performance Monitor. To use this tool, open the Windows folder, open the Syswow64 folder, and then start Perfmon.exe.

Fields

Message

Windows cannot open the 64-bit extensible counter DLL %1 in a 32-bit environment (Win32 error code %2). Contact the file vendor to obtain a 32-bit version. Alternatively if you are running a 64-bit native environment, you can open the 64-bit extensible counter DLL by using the 64-bit version of Performance Monitor. To use this tool, open the Windows folder, open the System32 folder, and then start Perfmon.exe.

Fields

Message

Windows cannot load the extensible counter DLL "%1" (Win32 error code %2).

Fields

Example Event

system:
  provider: Microsoft-Windows-Perflib
  guid: 13B197BD-7CEE-4B4E-8DD0-59314CE374CE
  event_source_name: ''
  event_id: 1023
  version: 1
  level: 2
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2022-04-07T08:15:12.496963+00:00'
  event_record_id: 107
  correlation: {}
  execution:
    process_id: 2644
    thread_id: 3324
  channel: Application
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-18
event_data:
  Library: C:\Windows\system32\ntdsperf.dll
  Win32Error: 126
message: Windows cannot load the extensible counter DLL "C:\Windows\system32\ntdsperf.dll"
  (Win32 error code 126!s!).

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

The Collect procedure in Extensible Counter DLL "%1" for the "%2" service returned a length (%3) that did not match the expected length (%4). The length will be adjusted to match the buffer length and the performance data will appear in the Perf Data Block.

Fields

Message

The "%1" service does not have a Performance subkey or the key could not be opened (Win32 error code %3). No performance counters will be collected for this service.

Fields

Message

The Open procedure for service "%1" in DLL "%2" did not complete in the allowed time. There may be a problem with this extensible counter, the service from which the counter is collecting data, or the system may have been very busy when this call was attempted.

Fields

Message

The configuration information of the performance library "%1" for the "%2" service does not match the trusted performance library information stored in the registry. The functions in this library will not be treated as trusted.

Fields

Message

The number of objects allowed in a performance library has exceeded the maximum supported.

Message

Unable to find the %1 procedure name in the registry for service "%2". Check the application event log to make sure there were no problems encountered during installation of the "%2" service and reinstall its performance counter DLL.

Fields

Message

The Collect procedure in Extensible Counter DLL "%1" for the "%2" service returned pointer %3 which is not aligned on an 8-byte boundary. This may cause problems for applications that are trying to read the performance data buffer. Contact the manufacturer of this library or service to have this problem corrected or to get a newer version of this library.

Fields

Message

The Collect procedure in Extensible Counter DLL "%1" for the "%2" service returned a length (%3) that did not match the expected length (%4). The length will be adjusted to match the buffer length and the performance data will appear in the Perf Data Block.

Fields

Message

The "%1" service does not have a Performance subkey or the key could not be opened (Win32 error code %3). No performance counters will be collected for this service.

Fields

Message

The Open procedure for service "%1" in DLL "%2" did not complete in the allowed time. There may be a problem with this extensible counter, the service from which the counter is collecting data, or the system may have been very busy when this call was attempted.

Fields

Message

The configuration information of the performance library "%1" for the "%2" service does not match the trusted performance library information stored in the registry. The functions in this library will not be treated as trusted.

Fields

Message

Access to performance data was denied to user "%1" (value from GetUserName() for the running thread) as attempted from module "%2" (value from GetModuleFileName() for the binary that issued the query).

Fields

Message

The Collect procedure in Extensible Counter DLL "%1" for the "%2" service returned buffer size %3, which is larger than the space available. The performance data returned by the counter DLL will not be returned in the Perf Data Block.

Fields

Message

A Guard Page was modified by a Collect procedure in Extensible Counter DLL "%1" for the "%2" service. The performance data returned by the counter DLL will not be returned in the Perf Data Block.

Fields

Message

The Extensible Counter DLL "%1" for the "%2" service returned an incorrect object length. The sum of the %3 object lengths returned did not match the size of the buffer returned.

Fields

Message

The Extensible Counter DLL "%1" for the "%2" service returned an incorrect instance length for the object with title index %3. The sum of the instance lengths plus the object definition structures did not match the size of the object. The performance data returned by the counter DLL will not be returned in the Perf Data Block.

Fields

Message

The attempt to locate the Open procedure "%1" in DLL "%2" for the "%3" service failed with Win32 error code %4. Performance data for this service will not be available.

Fields

Message

The attempt to locate the Collect procedure "%1" in DLL "%2" for the "%3" service failed with Win32 error code %4. Performance data for this service will not be available.

Fields

Message

The attempt to locate the Close procedure "%1" in DLL "%2" for the "%3" service failed with Win32 error code %4. Performance data for this service will not be available.

Fields

Message

The Open procedure for service "%1" in DLL "%2" failed with error code %3. Performance data for this service will not be available.

Fields

Message

The Open procedure in Extensible Counter DLL "%1" for the "%2" service generated exception %3 at address %4. Performance data for this service will not be available.

Fields

Message

The Collect procedure in Extensible Counter DLL "%1" for the "%2" service generated exception %3 at address %4. The performance data returned by the counter DLL will not be returned in the Perf Data Block.

Fields

Message

The Close procedure in Extensible Counter DLL "%1" for the "%2" service generated exception %3 at address %4. The performance data returned by the counter DLL will not be returned in the Perf Data Block.

Fields

Message

The Collect procedure in Extensible Counter DLL "%1" for the "%2" service returned a buffer that was larger (by %3 bytes) than the space allocated and may have corrupted the application's heap. This DLL should be disabled or removed from the system until the problem has been corrected to prevent further corruption. The application accessing this performance data should be restarted. The performance data returned by the counter DLL will not be returned in the Perf Data Block.

Fields

Message

The performance data collection function for the "%1" service in the "%2" library did not complete in the allowed time. There may be a problem with this extensible counter, the service from which the counter is collecting data, or the system may have been very busy when this call was attempted.

Fields

Message

Disabled performance counter data collection from the "%1" service because the performance counter library for that service has generated one or more errors. The errors that forced this action have been written to the application event log. Correct the errors before enabling the performance counters for this service.

Fields

Message

Disabled performance counter data collection for this session from the "%1" service because the performance counter library for that service has generated one or more errors. The errors that forced this action have been written to the application event log.

Fields

Message

A definition field in an object returned by Extensible Counter DLL "%1" for the "%2" service was not correct. The sum of the definitions block lengths in the object definition structures did not match the size specified in the object definition header. The object title index of the invalid object is %3. The performance data returned by this counter DLL will not be returned in the Perf Data Block.

Fields

Message

The required buffer size is greater than the buffer size passed to the Collect function of the "%1" Extensible Counter DLL for the "%2" service. The given buffer size was %3 and the required size was %4.

Fields

Message

Windows cannot open the 32-bit extensible counter DLL "%1" in a 64-bit environment (Win32 error code %2). Contact the file vendor to obtain a 64-bit version. Alternatively, you can open the 32-bit extensible counter DLL by using the 32-bit version of Performance Monitor. To use this tool, open the Windows folder, open the Syswow64 folder, and then start Perfmon.exe.

Fields

Message

Windows cannot open the 64-bit extensible counter DLL %1 in a 32-bit environment (Win32 error code %2). Contact the file vendor to obtain a 32-bit version. Alternatively if you are running a 64-bit native environment, you can open the 64-bit extensible counter DLL by using the 64-bit version of Performance Monitor. To use this tool, open the Windows folder, open the System32 folder, and then start Perfmon.exe.

Fields

Message

Windows cannot load the extensible counter DLL "%1" (Win32 error code %2).

Fields

Message

The number of objects allowed in a performance library has exceeded the maximum supported.

Message

Unable to find the %1 procedure name in the registry for service "%2". Check the application event log to make sure there were no problems encountered during installation of the "%2" service and reinstall its performance counter DLL.

Fields

Message

Unable to find valid registry value '{param1}' in the registry for service '{param2}'. Check the application event log to make sure there were no problems encountered during installation of the '{param2}' service and reinstall its performance counter DLL.

Fields