Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Perflib",
    "guid": "13B197BD-7CEE-4B4E-8DD0-59314CE374CE",
    "event_source_name": "",
    "event_id": 0,
    "version": 0,
    "level": 5,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018427387904,
    "time_created": "2023-11-05T22:40:53.996726+00:00",
    "event_record_id": 177,
    "correlation": {},
    "execution": {
      "process_id": 4360,
      "thread_id": 4224
    },
    "channel": "Microsoft-Windows-Perflib/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Name": "LoadPerfCounterTextStrings-End",
    "Status": 0
  },
  "message": ""
}

References #

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message #

Access to performance data was denied to user "%1" (value from GetUserName() for the running thread) as attempted from module "%2" (value from GetModuleFileName() for the binary that issued the query).

Fields #

Message #

The Collect procedure in Extensible Counter DLL "%1" for the "%2" service returned buffer size %3, which is larger than the space available. The performance data returned by the counter DLL will not be returned in the Perf Data Block.

Fields #

Description

A Guard Page was modified by a Collect procedure in Extensible Counter DLL "Library" for the "Service" service. The performance data returned by the counter DLL will not be returned in the Perf Data Block.

Message #

A Guard Page was modified by a Collect procedure in Extensible Counter DLL "%1" for the "%2" service. The performance data returned by the counter DLL will not be returned in the Perf Data Block.

Fields #

Description

The Extensible Counter DLL "Library" for the "Service" service returned an incorrect object length. The sum of the ObjectCount object lengths returned did not match the size of the buffer returned.

Message #

The Extensible Counter DLL "%1" for the "%2" service returned an incorrect object length. The sum of the %3 object lengths returned did not match the size of the buffer returned.

Fields #

Message #

The Extensible Counter DLL "%1" for the "%2" service returned an incorrect instance length for the object with title index %3. The sum of the instance lengths plus the object definition structures did not match the size of the object. The performance data returned by the counter DLL will not be returned in the Perf Data Block.

Fields #

Description

The attempt to locate the Open procedure "ProcName" in DLL "Library" for the "Service" service failed with Win32 error code Win32Error. Performance data for this service will not be available.

Message #

The attempt to locate the Open procedure "%1" in DLL "%2" for the "%3" service failed with Win32 error code %4. Performance data for this service will not be available.

Fields #

Description

The attempt to locate the Collect procedure "ProcName" in DLL "Library" for the "Service" service failed with Win32 error code Win32Error. Performance data for this service will not be available.

Message #

The attempt to locate the Collect procedure "%1" in DLL "%2" for the "%3" service failed with Win32 error code %4. Performance data for this service will not be available.

Fields #

Description

The attempt to locate the Close procedure "ProcName" in DLL "Library" for the "Service" service failed with Win32 error code Win32Error. Performance data for this service will not be available.

Message #

The attempt to locate the Close procedure "%1" in DLL "%2" for the "%3" service failed with Win32 error code %4. Performance data for this service will not be available.

Fields #

Description

The Open procedure for service "Service" in DLL "Library" failed with error code Win32Error. Performance data for this service will not be available.

Message #

The Open procedure for service "%1" in DLL "%2" failed with error code %3. Performance data for this service will not be available.

Fields #

Description

The Open procedure in Extensible Counter DLL "Library" for the "Service" service generated exception ExceptionCode at address ExceptionAddress. Performance data for this service will not be available.

Message #

The Open procedure in Extensible Counter DLL "%1" for the "%2" service generated exception %3 at address %4. Performance data for this service will not be available.

Fields #

Message #

The Collect procedure in Extensible Counter DLL "%1" for the "%2" service generated exception %3 at address %4. The performance data returned by the counter DLL will not be returned in the Perf Data Block.

Fields #

Message #

The Close procedure in Extensible Counter DLL "%1" for the "%2" service generated exception %3 at address %4. The performance data returned by the counter DLL will not be returned in the Perf Data Block.

Fields #

Message #

The Collect procedure in Extensible Counter DLL "%1" for the "%2" service returned a buffer that was larger (by %3 bytes) than the space allocated and may have corrupted the application's heap. This DLL should be disabled or removed from the system until the problem has been corrected to prevent further corruption. The application accessing this performance data should be restarted. The performance data returned by the counter DLL will not be returned in the Perf Data Block.

Fields #

Description

The Collect procedure for service "Service" in DLL "Library" failed with error code Win32Error. The performance data returned by the counter DLL will not be returned in the Perf Data Block.

Message #

The Collect procedure for service "%1" in DLL "%2" failed with error code %3. The performance data returned by the counter DLL will not be returned in the Perf Data Block.

Fields #

Message #

The performance data collection function for the "%1" service in the "%2" library did not complete in the allowed time. There may be a problem with this extensible counter, the service from which the counter is collecting data, or the system may have been very busy when this call was attempted.

Fields #

Message #

The Collect procedure in Extensible Counter DLL "%1" for the "%2" service returned pointer %3 which is not aligned on an 8-byte boundary. This may cause problems for applications that are trying to read the performance data buffer. Contact the manufacturer of this library or service to have this problem corrected or to get a newer version of this library.

Fields #

Message #

Disabled performance counter data collection from the "%1" service because the performance counter library for that service has generated one or more errors. The errors that forced this action have been written to the application event log. Correct the errors before enabling the performance counters for this service.

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Perflib",
    "guid": "13B197BD-7CEE-4B4E-8DD0-59314CE374CE",
    "event_source_name": "",
    "event_id": 1017,
    "version": 1,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T22:14:32.809990+00:00",
    "event_record_id": 35951,
    "correlation": {
      "ActivityID": "7BEB09B9-CFB7-40A8-960D-B58001198067"
    },
    "execution": {
      "process_id": 320,
      "thread_id": 10536
    },
    "channel": "Application",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Service": "ASP.NET_2.0.50727"
  },
  "message": ""
}

Message #

Disabled performance counter data collection for this session from the "%1" service because the performance counter library for that service has generated one or more errors. The errors that forced this action have been written to the application event log.

Fields #

Message #

A definition field in an object returned by Extensible Counter DLL "%1" for the "%2" service was not correct. The sum of the definitions block lengths in the object definition structures did not match the size specified in the object definition header. The object title index of the invalid object is %3. The performance data returned by this counter DLL will not be returned in the Perf Data Block.

Fields #

Message #

The required buffer size is greater than the buffer size passed to the Collect function of the "%1" Extensible Counter DLL for the "%2" service. The given buffer size was %3 and the required size was %4.

Fields #

Message #

Windows cannot open the 32-bit extensible counter DLL "%1" in a 64-bit environment (Win32 error code %2). Contact the file vendor to obtain a 64-bit version. Alternatively, you can open the 32-bit extensible counter DLL by using the 32-bit version of Performance Monitor. To use this tool, open the Windows folder, open the Syswow64 folder, and then start Perfmon.exe.

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Perflib",
    "guid": "13B197BD-7CEE-4B4E-8DD0-59314CE374CE",
    "event_source_name": "",
    "event_id": 1021,
    "version": 1,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T22:14:32.809867+00:00",
    "event_record_id": 35950,
    "correlation": {
      "ActivityID": "7BEB09B9-CFB7-40A8-960D-B58001198067"
    },
    "execution": {
      "process_id": 320,
      "thread_id": 10536
    },
    "channel": "Application",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Library": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\aspnet_perf.dll",
    "Win32Error": 193
  },
  "message": ""
}

Message #

Windows cannot open the 64-bit extensible counter DLL %1 in a 32-bit environment (Win32 error code %2). Contact the file vendor to obtain a 32-bit version. Alternatively if you are running a 64-bit native environment, you can open the 64-bit extensible counter DLL by using the 64-bit version of Performance Monitor. To use this tool, open the Windows folder, open the System32 folder, and then start Perfmon.exe.

Fields #

Description

Windows cannot load the extensible counter DLL "C:\Windows\system32\ntdsperf.dll" (Win32 error code 126!s!).

Message #

Windows cannot load the extensible counter DLL "%1" (Win32 error code %2).

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Perflib",
    "guid": "13B197BD-7CEE-4B4E-8DD0-59314CE374CE",
    "event_source_name": "",
    "event_id": 1023,
    "version": 1,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2022-04-07T08:15:12.496963+00:00",
    "event_record_id": 107,
    "correlation": {},
    "execution": {
      "process_id": 2644,
      "thread_id": 3324
    },
    "channel": "Application",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Library": "C:\\Windows\\system32\\ntdsperf.dll",
    "Win32Error": 126
  },
  "message": "Windows cannot load the extensible counter DLL \"C:\\Windows\\system32\\ntdsperf.dll\" (Win32 error code 126!s!)."
}

References #

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message #

The Collect procedure in Extensible Counter DLL "%1" for the "%2" service returned a length (%3) that did not match the expected length (%4). The length will be adjusted to match the buffer length and the performance data will appear in the Perf Data Block.

Fields #

Description

The "Service" service does not have a Performance subkey or the key could not be opened (Win32 error code NTSTATUS). No performance counters will be collected for this service.

Message #

The "%1" service does not have a Performance subkey or the key could not be opened (Win32 error code %3). No performance counters will be collected for this service.

Fields #

Message #

The Open procedure for service "%1" in DLL "%2" did not complete in the allowed time. There may be a problem with this extensible counter, the service from which the counter is collecting data, or the system may have been very busy when this call was attempted.

Fields #

Message #

The configuration information of the performance library "%1" for the "%2" service does not match the trusted performance library information stored in the registry. The functions in this library will not be treated as trusted.

Fields #

Description

The number of objects allowed in a performance library has exceeded the maximum supported.

Message #

The number of objects allowed in a performance library has exceeded the maximum supported.

Message #

Unable to find the %1 procedure name in the registry for service "%2". Check the application event log to make sure there were no problems encountered during installation of the "%2" service and reinstall its performance counter DLL.

Fields #

Message #

The Collect procedure in Extensible Counter DLL "%1" for the "%2" service returned pointer %3 which is not aligned on an 8-byte boundary. This may cause problems for applications that are trying to read the performance data buffer. Contact the manufacturer of this library or service to have this problem corrected or to get a newer version of this library.

Fields #

Message #

The Collect procedure in Extensible Counter DLL "%1" for the "%2" service returned a length (%3) that did not match the expected length (%4). The length will be adjusted to match the buffer length and the performance data will appear in the Perf Data Block.

Fields #

Description

The "param1" service does not have a Performance subkey or the key could not be opened (Win32 error code %3). No performance counters will be collected for this service.

Message #

The "%1" service does not have a Performance subkey or the key could not be opened (Win32 error code %3). No performance counters will be collected for this service.

Fields #

Message #

The Open procedure for service "%1" in DLL "%2" did not complete in the allowed time. There may be a problem with this extensible counter, the service from which the counter is collecting data, or the system may have been very busy when this call was attempted.

Fields #

Message #

The configuration information of the performance library "%1" for the "%2" service does not match the trusted performance library information stored in the registry. The functions in this library will not be treated as trusted.

Fields #

Message #

Access to performance data was denied to user "%1" (value from GetUserName() for the running thread) as attempted from module "%2" (value from GetModuleFileName() for the binary that issued the query).

Fields #

Message #

The Collect procedure in Extensible Counter DLL "%1" for the "%2" service returned buffer size %3, which is larger than the space available. The performance data returned by the counter DLL will not be returned in the Perf Data Block.

Fields #

Description

A Guard Page was modified by a Collect procedure in Extensible Counter DLL "param1" for the "param2" service. The performance data returned by the counter DLL will not be returned in the Perf Data Block.

Message #

A Guard Page was modified by a Collect procedure in Extensible Counter DLL "%1" for the "%2" service. The performance data returned by the counter DLL will not be returned in the Perf Data Block.

Fields #

Description

The Extensible Counter DLL "param1" for the "param2" service returned an incorrect object length. The sum of the binary object lengths returned did not match the size of the buffer returned.

Message #

The Extensible Counter DLL "%1" for the "%2" service returned an incorrect object length. The sum of the %3 object lengths returned did not match the size of the buffer returned.

Fields #

Message #

The Extensible Counter DLL "%1" for the "%2" service returned an incorrect instance length for the object with title index %3. The sum of the instance lengths plus the object definition structures did not match the size of the object. The performance data returned by the counter DLL will not be returned in the Perf Data Block.

Fields #

Description

The attempt to locate the Open procedure "param1" in DLL "param2" for the "param3" service failed with Win32 error code binary. Performance data for this service will not be available.

Message #

The attempt to locate the Open procedure "%1" in DLL "%2" for the "%3" service failed with Win32 error code %4. Performance data for this service will not be available.

Fields #

Description

The attempt to locate the Collect procedure "param1" in DLL "param2" for the "param3" service failed with Win32 error code binary. Performance data for this service will not be available.

Message #

The attempt to locate the Collect procedure "%1" in DLL "%2" for the "%3" service failed with Win32 error code %4. Performance data for this service will not be available.

Fields #

Description

The attempt to locate the Close procedure "param1" in DLL "param2" for the "param3" service failed with Win32 error code binary. Performance data for this service will not be available.

Message #

The attempt to locate the Close procedure "%1" in DLL "%2" for the "%3" service failed with Win32 error code %4. Performance data for this service will not be available.

Fields #

Description

The Open procedure for service "param1" in DLL "param2" failed with error code binary. Performance data for this service will not be available.

Message #

The Open procedure for service "%1" in DLL "%2" failed with error code %3. Performance data for this service will not be available.

Fields #

Description

The Open procedure in Extensible Counter DLL "param1" for the "param2" service generated exception binary at address %4. Performance data for this service will not be available.

Message #

The Open procedure in Extensible Counter DLL "%1" for the "%2" service generated exception %3 at address %4. Performance data for this service will not be available.

Fields #

Message #

The Collect procedure in Extensible Counter DLL "%1" for the "%2" service generated exception %3 at address %4. The performance data returned by the counter DLL will not be returned in the Perf Data Block.

Fields #

Message #

The Close procedure in Extensible Counter DLL "%1" for the "%2" service generated exception %3 at address %4. The performance data returned by the counter DLL will not be returned in the Perf Data Block.

Fields #

Message #

The Collect procedure in Extensible Counter DLL "%1" for the "%2" service returned a buffer that was larger (by %3 bytes) than the space allocated and may have corrupted the application's heap. This DLL should be disabled or removed from the system until the problem has been corrected to prevent further corruption. The application accessing this performance data should be restarted. The performance data returned by the counter DLL will not be returned in the Perf Data Block.

Fields #

Message #

The performance data collection function for the "%1" service in the "%2" library did not complete in the allowed time. There may be a problem with this extensible counter, the service from which the counter is collecting data, or the system may have been very busy when this call was attempted.

Fields #

Message #

Disabled performance counter data collection from the "%1" service because the performance counter library for that service has generated one or more errors. The errors that forced this action have been written to the application event log. Correct the errors before enabling the performance counters for this service.

Fields #

Message #

Disabled performance counter data collection for this session from the "%1" service because the performance counter library for that service has generated one or more errors. The errors that forced this action have been written to the application event log.

Fields #

Message #

A definition field in an object returned by Extensible Counter DLL "%1" for the "%2" service was not correct. The sum of the definitions block lengths in the object definition structures did not match the size specified in the object definition header. The object title index of the invalid object is %3. The performance data returned by this counter DLL will not be returned in the Perf Data Block.

Fields #

Message #

The required buffer size is greater than the buffer size passed to the Collect function of the "%1" Extensible Counter DLL for the "%2" service. The given buffer size was %3 and the required size was %4.

Fields #

Message #

Windows cannot open the 32-bit extensible counter DLL "%1" in a 64-bit environment (Win32 error code %2). Contact the file vendor to obtain a 64-bit version. Alternatively, you can open the 32-bit extensible counter DLL by using the 32-bit version of Performance Monitor. To use this tool, open the Windows folder, open the Syswow64 folder, and then start Perfmon.exe.

Fields #

Message #

Windows cannot open the 64-bit extensible counter DLL %1 in a 32-bit environment (Win32 error code %2). Contact the file vendor to obtain a 32-bit version. Alternatively if you are running a 64-bit native environment, you can open the 64-bit extensible counter DLL by using the 64-bit version of Performance Monitor. To use this tool, open the Windows folder, open the System32 folder, and then start Perfmon.exe.

Fields #

Description

Windows cannot load the extensible counter DLL "param1" (Win32 error code binary).

Message #

Windows cannot load the extensible counter DLL "%1" (Win32 error code %2).

Fields #

Description

The number of objects allowed in a performance library has exceeded the maximum supported.

Message #

The number of objects allowed in a performance library has exceeded the maximum supported.

Message #

Unable to find the %1 procedure name in the registry for service "%2". Check the application event log to make sure there were no problems encountered during installation of the "%2" service and reinstall its performance counter DLL.

Fields #

Message #

Unable to find valid registry value '{param1}' in the registry for service '{param2}'. Check the application event log to make sure there were no problems encountered during installation of the '{param2}' service and reinstall its performance counter DLL.

Fields #