Message

Recieved user logon notification on session %1.

Fields

Example Event

system:
  provider: Microsoft-Windows-User Profiles Service
  guid: 89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845
  event_source_name: ''
  event_id: 1
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 4611686018427387904
  time_created: '2023-11-05T22:32:20.533133+00:00'
  event_record_id: 64
  correlation: {}
  execution:
    process_id: 1428
    thread_id: 1544
  channel: Microsoft-Windows-User Profile Service/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-21-1992711665-1655669231-58201500-1000
event_data:
  Session: 1
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

Finished processing user logon notification on session %1.

Fields

Example Event

system:
  provider: Microsoft-Windows-User Profiles Service
  guid: 89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845
  event_source_name: ''
  event_id: 2
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 4611686018427387904
  time_created: '2023-11-05T22:32:20.859547+00:00'
  event_record_id: 68
  correlation: {}
  execution:
    process_id: 1428
    thread_id: 1544
  channel: Microsoft-Windows-User Profile Service/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-21-1992711665-1655669231-58201500-1000
event_data:
  Session: 1
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

Recieved user logoff notification on session %1.

Fields

Example Event

system:
  provider: Microsoft-Windows-User Profiles Service
  guid: 89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845
  event_source_name: ''
  event_id: 3
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 4611686018427387904
  time_created: '2023-11-05T22:31:34.014942+00:00'
  event_record_id: 62
  correlation: {}
  execution:
    process_id: 1852
    thread_id: 2012
  channel: Microsoft-Windows-User Profile Service/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-21-1992711665-1655669231-58201500-1000
event_data:
  Session: 1
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

Finished processing user logoff notification on session %1.

Fields

Example Event

system:
  provider: Microsoft-Windows-User Profiles Service
  guid: 89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845
  event_source_name: ''
  event_id: 4
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 4611686018427387904
  time_created: '2023-11-05T22:31:34.250458+00:00'
  event_record_id: 63
  correlation: {}
  execution:
    process_id: 1852
    thread_id: 2012
  channel: Microsoft-Windows-User Profile Service/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-21-1992711665-1655669231-58201500-1000
event_data:
  Session: 1
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

Registry file %1 is loaded at HKU\%2.

Fields

Example Event

system:
  provider: Microsoft-Windows-User Profiles Service
  guid: 89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845
  event_source_name: ''
  event_id: 5
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 4611686018427387904
  time_created: '2023-11-05T22:32:20.716085+00:00'
  event_record_id: 66
  correlation: {}
  execution:
    process_id: 1428
    thread_id: 1540
  channel: Microsoft-Windows-User Profile Service/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  File: C:\Users\User\AppData\Local\Microsoft\Windows\\UsrClass.dat
  Key: S-1-5-21-1992711665-1655669231-58201500-1000_Classes
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

Starting synchronize profile from %1 to %2.

Fields

Message

Finished synchronize profile from %1 to %2. 

Result: %3

Fields

Message

Background hive upload for user %1 started.

Fields

Message

Background hive upload for user %1 succeeded.

Fields

Message

Background hive upload for user %1 failed.

 Error: %2

Fields

Message

Cannot delete file %1.

 Error: %2

Fields

Message

Open user regisry root key for %1 failed.

 Error: %2

Fields

Message

Save user hive to file %1 failed.

 Error: %2

Fields

Message

Save user hive to file %1 succeeded.

Fields

Message

Enable background user hive upload task succeeded.

Message

Failed to enable background user hive upload task.

 Error: %1

Fields

Message

Disable background user hive upload task succeeded.

Example Event

system:
  provider: Microsoft-Windows-User Profiles Service
  guid: 89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845
  event_source_name: ''
  event_id: 59
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 4611686018427387904
  time_created: '2023-11-05T23:50:00.752497+00:00'
  event_record_id: 89
  correlation: {}
  execution:
    process_id: 1428
    thread_id: 1496
  channel: Microsoft-Windows-User Profile Service/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data: {}
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

Failed to disable background user hive upload task.

 Error: %1

Fields

Message

Slow network connection detected, abort background user hive upload task.

Message

Windows was unable to successfully evaluate whether this computer is a primary computer for this user. This may be due to failing to access the Active Directory server at this time. The user's roaming profile will be applied as configured. Contact the Administrator for more assistance. Error: %1

Fields

Message

This computer %1 a primary computer for this user.

Fields

Message

The primary computer relationship for this computer and this user was not evaluated due to %1.

Fields

Message

The attempt to create or open the profile key for the user failed with error %1.

Fields

Message

Creating the local profile for the user failed with error %1.

Fields

Message

Logon type: %1 
Local profile location: %2 
Profile type: %3

Fields

Example Event

system:
  provider: Microsoft-Windows-User Profiles Service
  guid: 89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845
  event_source_name: ''
  event_id: 67
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 4611686018427387904
  time_created: '2023-11-05T22:32:20.729159+00:00'
  event_record_id: 67
  correlation: {}
  execution:
    process_id: 1428
    thread_id: 1540
  channel: Microsoft-Windows-User Profile Service/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  LogonType: Regular
  LocalPath: C:\Users\User
  ProfileType: Regular
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

LastDownloadTime: %1 
LastUploadTime: %2

Fields

Message

Waiting on network arrivals. Max wait time %1 ms.

Fields

Message

After waiting %1 ms, a network with the necessary capabilities was not ready for use. Allowing profile load to proceed.

Fields

Message

Terminating wait due to unexpected failure %1.

Fields

Message

Wait complete due to connectivity event but network not ready.

Message

Wait completed due to network connectivity or determination that no viable network connection is likely to become available. Allowing profile load to proceed.

Message

Roaming Profiles configuration is being controlled by Group Policy.

Message

Roaming Profiles configuration is being controlled by WMI configuration classes Win32_RoamingProfileUserConfiguration and Win32_RoamingProfileMachineConfiguration.

Message

Begin new user profile creation.

Message

New user profile creation complete.

Message

A network latency of %1 milliseconds has been detected.  Maximum latency to synchronize a roaming profile is set at %2 milliseconds.

Fields

Message

A network bandwidth of %1 kilobits per second has been detected.  Minimum bandwidth to synchronize a roaming profile is set at %2 kilobits per second.

Fields

Message

Delete cached profile %1 since it is older than %2 days.

Fields

Message

Windows cannot log you on because your profile cannot be loaded. Check that you are connected to the network, and that your network is functioning correctly. 

 DETAIL - %1

Fields

Message

Windows cannot create a temporary profile directory. This problem may be caused by insufficient security rights. 

 DETAIL - %1

Fields

Message

Windows cannot load the locally stored profile. Possible causes of this error include insufficient security rights or a corrupt local profile. 

 DETAIL - %1

Fields

Message

Windows cannot set security on your registry. 

 DETAIL - %1

Fields

Message

Windows cannot update your roaming profile completely. Check previous events for more details.

Message

Windows cannot load the user's profile but has logged you on with the default profile for the system. 

 DETAIL - %1

Fields

Message

Your roaming profile is not available. You are logged on with the locally stored profile. Changes to the profile will not be copied to the server. Possible causes of this error include network problems or insufficient security rights.  

 DETAIL - %1

Fields

Message

Windows was unable to load the registry. This problem is often caused by insufficient memory or insufficient security rights. 

 DETAIL - %1 for %2

Fields

Message

Windows was unable to load %1.

Fields

Message

Windows cannot load your profile because it appears to be corrupted.

Message

Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.

Message

Windows cannot unload your registry file. The memory used by the registry has not been freed. This problem is often caused by services running as a user account. Try configuring services to run in either the LocalService or NetworkService account. 

 DETAIL - %1

Fields

Message

Windows cannot copy your profile because it contains encrypted files or directories. The keys to decrypt the files or directories are also stored in the profile and are not available now. Decrypt the files and try again.

Message

The roaming profile path %1 is too long. Windows is logging you on with a default profile.

Fields

Message

Windows has backed up this user profile. Windows will automatically try to use the backup profile the next time this user logs on.

Message

Windows saved user %1 registry while an application or service was still using the registry when the user logged off. The memory used by the user registry has not been freed. The registry will be unloaded when it is no longer in use. 

 This error may be caused by services running as a user account. Try configuring services to run in either the LocalService or NetworkService account.

Fields

Message

Windows cannot create a local profile and is logging you on with a temporary profile. This profile will be deleted when you log off. This problem may be caused by incorrect file system permissions or network problems.

Message

Windows cannot locate your roaming mandatory profile and is attempting to log you on with your local profile. This error may be caused by incorrect file system permissions or network problems. 

 DETAIL - %1

Fields

Message

Windows cannot log you on because your roaming mandatory profile is not available. This error may be caused by incorrect file system permissions or network problems. 

 DETAIL - %1

Fields

Message

Windows cannot locate the server copy of your roaming profile and is attempting to log you on with your local profile. Changes to the profile will not be copied to the server when you log off. This error may be caused by network problems or insufficient security rights. 

 DETAIL - %1

Fields

Message

Windows cannot locate your roaming profile (read only) and is attempting to log you on with your local profile. This error may be caused by network problems or insufficient security rights. 

 DETAIL - %1

Fields

Message

Your roaming profile (read only) is not available. You are logged on with the locally stored profile. This error may be caused by incorrect file system permissions or network problems.  

 DETAIL - %1

Fields

Message

Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Message

Windows has detected that Automatic Offline Caching is enabled on the Roaming Profile share - to avoid potential profile corruption, Offline Caching must be set to manual or disabled on shares where roaming user profiles are stored.

Message

Windows could not load your roaming profile and is attempting to log you on with your local profile. Changes to the profile will not be copied to the server when you log off. Windows could not load your profile because a server copy of the profile folder already exists that does not have the correct security. Either the current user or the Administrators group must be the owner of the folder.

Message

Windows failed to initialize user profiles. Non-console users will be unable to log on.

Message

Roaming user profiles across forests are disabled. Windows did not load your roaming profile and is logging you on with a local profile. Changes to the profile will not be copied to the server when you log off.

Message

Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. No user action is required.  

 DETAIL - 
 %1

Fields

Example Event

system:
  provider: Microsoft-Windows-User Profiles Service
  guid: 89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845
  event_source_name: ''
  event_id: 1530
  version: 0
  level: 3
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2013-10-23T17:27:30.004750+00:00'
  event_record_id: 170
  correlation: {}
  execution:
    process_id: 916
    thread_id: 928
  channel: Application
  computer: IE8Win7
  security:
    user_id: S-1-5-18
event_data:
  Name: EVENT_HIVE_LEAK
  Data:
    Name: Detail
    Value: '1 user registry handles leaked from \Registry\User\S-1-5-21-3463664321-2923530833-3546627382-1000:

      Process 432 (\Device\HarddiskVolume2\Windows\System32\winlogon.exe) has opened
      key \REGISTRY\USER\S-1-5-21-3463664321-2923530833-3546627382-1000

      '
message: "Windows detected your registry file is still in use by other applications
  or services. The file will be unloaded now. The applications or services that hold
  your registry file may not function properly afterwards. No user action is required.
  \ \n\n DETAIL - \n EVENT_HIVE_LEAK"

References

• Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Message

The User Profile Service has started successfully.

Example Event

system:
  provider: Microsoft-Windows-User Profiles Service
  guid: 89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845
  event_source_name: ''
  event_id: 1531
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-06T06:25:39.296302+00:00'
  event_record_id: 1437
  correlation: {}
  execution:
    process_id: 1900
    thread_id: 2016
  channel: Application
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data: {}
message: The User Profile Service has started successfully.  %n%n

References

• Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Message

The User Profile Service has stopped.

Example Event

system:
  provider: Microsoft-Windows-User Profiles Service
  guid: 89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845
  event_source_name: ''
  event_id: 1532
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-06T06:23:40.274053+00:00'
  event_record_id: 1436
  correlation: {}
  execution:
    process_id: 1716
    thread_id: 1736
  channel: Application
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data: {}
message: The User Profile Service has stopped.  %n%n

References

• Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Message

Windows cannot delete the profile directory %1. This error may be caused by files in this directory being used by another program. 

 DETAIL - %2

Fields

Message

Profile notification of event %1 for component %2 failed, error code is %3.

Fields

Message

Successfully suspended folder "%1"

Fields

Message

Successfully unsuspended folder "%1"

Fields

Message

Failed to suspend folder "%1"
 DETAIL - %2

Fields

Message

Failed to unsuspend folder "%1"
 DETAIL - %2

Fields

Message

Failed to sync folder "%1"
 DETAIL - %2

Fields

Message

Your roaming profile is not synchronized correctly with the server. Windows will load your previously-saved local profile instead. See the previous events for details.

Message

Failed to apply CSC suspend policy. Cannot connect to CSC service.
 DETAIL - %1

Fields

Message

Windows cannot load classes registry file.
 DETAIL - %1

Fields

Message

A slow network connection is detected for the roaming profile %1. It will not be synchronized with the profile on this computer.

Fields

Message

Windows cannot back up a ProfileList entry because one already exists for this user. Only the existing backup entry will be kept in the ProfileList. Future logons will restore the ProfileList entry from the existing backup entry.

Message

User hive is loaded by another process (File Lock). Process name: %1, PID: %2, ProfSvc PID: %3.

Fields

Message

User hive is loaded by another process (Registry Lock) Process name: %1, PID: %2, ProfSvc PID: %3.

Fields

Message

Windows unloaded user {User} registry when it received a notification that no other applications or services were using the profile.

Fields

Message

Windows saved user {User} registry while an application or service was still using the registry when the user logged off. The memory used by the user registry has not been freed. The registry will be unloaded when it is no longer in use.  This error may be caused by services running as a user account. Try configuring services to run in either the LocalService or NetworkService account.

Fields

Message

The User Profile Service has started successfully.

Message

The User Profile Service has stopped.

Message

Successfully suspended folder '{Folder}'

Fields

Message

Successfully unsuspended folder '{Folder}'

Fields

Message

Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Message

Windows has detected that Automatic Offline Caching is enabled on the Roaming Profile share - to avoid potential profile corruption; Offline Caching must be set to manual or disabled on shares where roaming user profiles are stored.

Message

Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.   DETAIL -  {Detail}

Fields

Message

Profile notification of event {Event} for component {Component} failed; error code is {Error}.

Fields

Message

Your roaming profile is not synchronized correctly with the server. Windows will load your previously-saved local profile instead. See the previous events for details.

Message

Windows cannot log you on because your profile cannot be loaded. Check that you are connected to the network; and that your network is functioning correctly.  DETAIL - {Error}

Fields

Message

Windows cannot create a temporary profile directory. This problem may be caused by insufficient security rights.  DETAIL - {Error}

Fields

Message

Windows cannot load the locally stored profile. Possible causes of this error include insufficient security rights or a corrupt local profile.  DETAIL - {Error}

Fields

Message

Windows cannot set security on your registry.  DETAIL - {Error}

Fields

Message

Windows Windows cannot update your roaming profile completely. Check previous events for more details.

Message

Windows cannot load the user's profile but has logged you on with the default profile for the system.  DETAIL - {Error}

Fields

Message

Your roaming profile is not available. You are logged on with the locally stored profile. Changes to the profile will not be copied to the server. Possible causes of this error include network problems or insufficient security rights.   DETAIL - {Error}

Fields

Message

Windows was unable to load the registry. This problem is often caused by insufficient memory or insufficient security rights.  DETAIL - {Error} for {File}

Fields

Message

Windows cannot load your profile because it appears to be corrupted.

Message

Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.

Message

Windows cannot unload your registry file. The memory used by the registry has not been freed. This problem is often caused by services running as a user account. Try configuring services to run in either the LocalService or NetworkService account.  DETAIL - {Error}

Fields

Message

Windows cannot copy your profile because it contains encrypted files or directories. The keys to decrypt the files or directories are also stored in the profile and are not available now. Decrypt the files and try again.

Message

The roaming profile path {File} is too long. Windows is logging you on with a default profile.

Fields

Message

Windows has backed up this user profile. Windows will automatically try to use the backup profile the next time this user logs on.

Message

Windows cannot create a local profile and is logging you on with a temporary profile. This profile will be deleted when you log off. This problem may be caused by incorrect file system permissions or network problems.

Message

Windows cannot locate your roaming mandatory profile and is attempting to log you on with your local profile. This error may be caused by incorrect file system permissions or network problems.  DETAIL - {Error}

Fields

Message

Windows cannot log you on because your roaming mandatory profile is not available. This error may be caused by incorrect file system permissions or network problems.  DETAIL - {Error}

Fields

Message

Windows cannot locate the server copy of your roaming profile and is attempting to log you on with your local profile. Changes to the profile will not be copied to the server when you log off. This error may be caused by network problems or insufficient security rights.  DETAIL - {Error}

Fields

Message

Windows cannot locate your roaming profile (read only) and is attempting to log you on with your local profile. This error may be caused by network problems or insufficient security rights.  DETAIL - {Error}

Fields

Message

Your roaming profile (read only) is not available. You are logged on with the locally stored profile. This error may be caused by incorrect file system permissions or network problems.   DETAIL - {Error}

Fields

Message

Windows could not load your roaming profile and is attempting to log you on with your local profile. Changes to the profile will not be copied to the server when you log off. Windows could not load your profile because a server copy of the profile folder already exists that does not have the correct security. Either the current user or the Administrators group must be the owner of the folder.

Message

Windows failed to initialize user profiles. Non-console users will be unable to log on.

Message

Roaming user profiles across forests are disabled. Windows did not load your roaming profile and is logging you on with a local profile. Changes to the profile will not be copied to the server when you log off.

Message

Windows cannot delete the profile directory {Directory}. This error may be caused by files in this directory being used by another program.  DETAIL - {Error}

Fields

Message

Failed to suspend folder '{Folder}' DETAIL - {Error}

Fields

Message

Failed to unsuspend folder '{Folder}' DETAIL - {Error}

Fields

Message

Failed to sync folder '{Folder}' DETAIL - {Error}

Fields

Message

Failed to apply CSC suspend policy. Cannot connect to CSC service. DETAIL - {Error}

Fields

Message

Windows cannot load classes registry file. DETAIL - {Error}

Fields

Message

A slow network connection is detected for the roaming profile {Path}. It will not be synchronized with the profile on this computer.

Fields