Microsoft-Windows-Privacy-Auditing-DiagnosticData

2 events across 1 channel

Event ID	Title	Channel
1000	The Diagnostic Data Value was changed from OldConsentValue to NewConsentValue by …	Operational
1001	The Diagnostic Data Value failed to change from OldConsentValue to …	Operational

Event ID 1000 — The Diagnostic Data Value was changed from OldConsentValue to NewConsentValue by CallerProcessName.

Provider: Microsoft-Windows-Privacy-Auditing-DiagnosticData
Channel: Operational
Level: Informational
Task: Diagnostic Data Value Changed

Description

The Diagnostic Data Value was changed from OldConsentValue to NewConsentValue by CallerProcessName.

Message #

The Diagnostic Data Value was changed from %4 to %5 by %2

Fields #

Name	Description
`CallerUserSid` UnicodeString	—
`CallerProcessName` UnicodeString	—
`CallerAppPackageFamilyName` UnicodeString	—
`OldConsentValue` UnicodeString	—
`NewConsentValue` UnicodeString	—
`SetByHigherAuthority` Boolean	—
`EffectiveConsentValue` UnicodeString	—
`TargetUserSid` UnicodeString	—
`ConsentID` UnicodeString	—
`AppPackageFamilyName` UnicodeString	—
`HResult` HexInt32	—
`SettingName` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Privacy-Auditing-DiagnosticData",
    "guid": "D3610DCA-4501-5A5D-21A7-30CA91130711",
    "event_source_name": "",
    "event_id": 1000,
    "version": 0,
    "level": 4,
    "task": 10,
    "opcode": 0,
    "keywords": 9223372036854775809,
    "time_created": "2025-12-31T19:32:58.273545+00:00",
    "event_record_id": 6,
    "correlation": {},
    "execution": {
      "process_id": 3076,
      "thread_id": 3612
    },
    "channel": "Microsoft-Windows-Privacy-Auditing/Operational",
    "computer": "WIN11-22H2-X64",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "CallerUserSid": "",
    "CallerProcessName": "",
    "CallerAppPackageFamilyName": "NULL",
    "OldConsentValue": "Core",
    "NewConsentValue": "Core",
    "SetByHigherAuthority": false,
    "EffectiveConsentValue": "Core",
    "TargetUserSid": "NULL",
    "ConsentID": "NULL",
    "AppPackageFamilyName": "NULL",
    "HResult": "0x0",
    "SettingName": "DiagnosticData"
  },
  "message": ""
}

Event ID 1001 — The Diagnostic Data Value failed to change from OldConsentValue to NewConsentValue by CallerProcessName.

Provider: Microsoft-Windows-Privacy-Auditing-DiagnosticData
Channel: Operational
Task: Diagnostic Data Value Changed

Description

The Diagnostic Data Value failed to change from OldConsentValue to NewConsentValue by CallerProcessName.

Message #

The Diagnostic Data Value failed to change from %4 to %5 by %2

Fields #

Name	Description
`CallerUserSid` UnicodeString	—
`CallerProcessName` UnicodeString	—
`CallerAppPackageFamilyName` UnicodeString	—
`OldConsentValue` UnicodeString	—
`NewConsentValue` UnicodeString	—
`SetByHigherAuthority` Boolean	—
`EffectiveConsentValue` UnicodeString	—
`TargetUserSid` UnicodeString	—
`ConsentID` UnicodeString	—
`AppPackageFamilyName` UnicodeString	—
`HResult` HexInt32	—
`SettingName` UnicodeString	—