Message

New device queued up for install.

Fields

Message

Plug and Play install scheduler has started.

Fields

Message

Plug and Play install scheduler has exited.

Fields

Message

Plug and Play install worker thread has started.

Fields

Message

Plug and Play install worker thread has exited.

Fields

Message

Parent of current device is already ahead in the install queue.

Fields

Message

Current device is a volume snapshot device.

Fields

Message

Client {ClientName} successfully registered for device notifications.

Fields

Message

Error sending device event notification window message to client {WindowName} (hWnd={hWnd}; Session={SessionId}; Err={ErrorCode}).

Fields

Message

Error sending service control for device event notification to client {ClientName} (Session={SessionId}; Err={ErrorCode}).

Fields

Message

Error broadcasting system message for device event notification (Err={ErrorCode}).

Fields

Message

Sending notification for event {EventType} for device: {DeviceID}.

Fields

Message

Received device event from Kernel PnP (GUID={EventGuid}; EventCategory={EventCategory}; Async={IsEventAsync}).

Fields

Message

User PnP completed handling of the device event (GUID={EventGuid}; EventCategory={EventCategory}; Async={IsEventAsync}).

Fields

Message

Start processing '%1'.

Fields

Message

Finished processing '%1' (Err=%2).

Fields

Message

START: Core device install operations.

Message

END: Core device install operations.

Message

ENTER: Synchronization wait for core device install.

Message

EXIT: Synchronization wait for core device install.

Message

ENTER: Stage driver package

Message

EXIT: Stage driver package

Message

ENTER: Sending event notification to service ({ClientName}).

Fields

Message

EXIT: Sending event notification to service ({ClientName}).

Fields

Message

ENTER: Sending event notification to window ({ClientName}).

Fields

Message

EXIT: Sending event notification to window ({ClientName}).

Fields

Message

ENTER: Device installation restrictions policy check.

Message

EXIT: Device installation restrictions policy check.

Message

ENTER: Build driver info list.

Message

EXIT: Build driver info list.

Message

ENTER: Build driver info list - search published INFs.

Message

EXIT: Build driver info list - search published INFs.

Message

ENTER: Build driver info list - search Device Path.

Message

EXIT: Build driver info list - search Device Path.

Message

ENTER: Build driver info list - search caller specified folder.

Message

EXIT: Build driver info list - search caller specified folder.

Message

ENTER: PnpInstallDevice - install device instance.

Message

EXIT: PnpInstallDevice - install device instance.

Message

START: Searching WMIS for metadata package

Message

STOP: Searching WMIS for metadata package

Message

START: Downloading metadata package from WMIS

Message

STOP: Downloading metadata package from WMIS

Message

START: Searching local index for metadata package

Message

STOP: Searching local index for metadata package

Message

START: Unpacking metadata package into cache

Message

STOP: Unpacking metadata package into cache

Message

START: Parsing packageinfo.xml for metadata properties

Message

STOP: Parsing packageinfo.xml for metadata properties

Message

START: Scanning local store for new metadata packages

Message

STOP: Scanning local store for new metadata packages

Message

START: Initializing DMRC

Message

STOP: Initializing DMRC

Message

START: Uninitialize DMRC

Message

STOP: Uninitializing DMRC

Message

%1 (Package: %2 Error Code = %3, Win32 Error Code = %4)

Fields

Message

A new device metadata package was downloaded from WMIS. (Path: %1)

Fields

Message

%1 (Package: %2 Error Code = %3, Win32 Error Code = %4)

Fields

Message

Successfully parsed device metadata file. (File: %1, Language: %2)

Fields

Message

A new device metadata package was discovered. (Package Name: %1, Path: %2)

Fields

Message

DMRC was queried for type '%1' with lookup key '%2'

Fields

Message

%1 (Error Code = %2, Last Http Status Code = %3)

Fields

Message

A reboot is required to complete device installation of device '%1'

Fields

Example Event

system:
  provider: Microsoft-Windows-UserPnp
  guid: 96F4A050-7E31-453C-88BE-9634F4E02139
  event_source_name: ''
  event_id: 8000
  version: 0
  level: 3
  task: 0
  opcode: 0
  keywords: 576460752303423490
  time_created: '2023-10-25T22:50:39.873740+00:00'
  event_record_id: 21
  correlation: {}
  execution:
    process_id: 3600
    thread_id: 1060
  channel: Microsoft-Windows-UserPnp/DeviceInstall
  computer: WinDevEval
  security:
    user_id: S-1-5-18
user_data:
  ERR_DEVICE_ID:
    DeviceId: ACPI\VMW0003\4&1BD7F811&0
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

The DeviceInstall service has started.

Example Event

system:
  provider: Microsoft-Windows-UserPnp
  guid: 96F4A050-7E31-453C-88BE-9634F4E02139
  event_source_name: ''
  event_id: 8001
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 576460752303423490
  time_created: '2023-11-06T06:25:29.349729+00:00'
  event_record_id: 30
  correlation: {}
  execution:
    process_id: 1080
    thread_id: 1096
  channel: Microsoft-Windows-UserPnp/DeviceInstall
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data: {}
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

The DeviceInstall service is stopping (idle).

Example Event

system:
  provider: Microsoft-Windows-UserPnp
  guid: 96F4A050-7E31-453C-88BE-9634F4E02139
  event_source_name: ''
  event_id: 8002
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 576460752303423490
  time_created: '2023-11-06T01:04:11.781477+00:00'
  event_record_id: 44
  correlation: {}
  execution:
    process_id: 16172
    thread_id: 12452
  channel: Microsoft-Windows-UserPnp/DeviceInstall
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data: {}
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

The DeviceInstall service is stopping (stop control).

Message

The DeviceInstall service is stopping (shutdown).

Example Event

system:
  provider: Microsoft-Windows-UserPnp
  guid: 96F4A050-7E31-453C-88BE-9634F4E02139
  event_source_name: ''
  event_id: 8004
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 576460752303423490
  time_created: '2023-11-06T06:23:40.089953+00:00'
  event_record_id: 27
  correlation: {}
  execution:
    process_id: 1068
    thread_id: 1072
  channel: Microsoft-Windows-UserPnp/DeviceInstall
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data: {}
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

The DeviceInstall service has stopped.

Example Event

system:
  provider: Microsoft-Windows-UserPnp
  guid: 96F4A050-7E31-453C-88BE-9634F4E02139
  event_source_name: ''
  event_id: 8005
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 576460752303423490
  time_created: '2023-11-06T06:23:40.106579+00:00'
  event_record_id: 28
  correlation: {}
  execution:
    process_id: 1068
    thread_id: 1092
  channel: Microsoft-Windows-UserPnp/DeviceInstall
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data: {}
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

There are pending driver updates to install.

Message

A timeout was detected during the installation of device '%1'

Fields

Message

The DeviceInstall service is starting.

Example Event

system:
  provider: Microsoft-Windows-UserPnp
  guid: 96F4A050-7E31-453C-88BE-9634F4E02139
  event_source_name: ''
  event_id: 8008
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 576460752303423490
  time_created: '2023-11-06T06:25:29.340577+00:00'
  event_record_id: 29
  correlation: {}
  execution:
    process_id: 1080
    thread_id: 1096
  channel: Microsoft-Windows-UserPnp/DeviceInstall
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data: {}
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

The DeviceInstall service failed to start with error %1.

Fields

Message

Finish install operation state changed to %1.

Fields

Message

Device installation is currently disabled.

Message

Device installation has been disabled.

Message

Device installation has been enabled.

Message

The DeviceInstall service will not idle stop.

Example Event

system:
  provider: Microsoft-Windows-UserPnp
  guid: 96F4A050-7E31-453C-88BE-9634F4E02139
  event_source_name: ''
  event_id: 8030
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 576460752303423490
  time_created: '2023-11-06T06:25:29.352092+00:00'
  event_record_id: 31
  correlation: {}
  execution:
    process_id: 1080
    thread_id: 1096
  channel: Microsoft-Windows-UserPnp/DeviceInstall
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data: {}
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Fields

Message

Driver Management concluded the process to install driver %1 for Device Instance ID %4 with the following status: %9.

Fields

Example Event

system:
  provider: Microsoft-Windows-UserPnp
  guid: 96F4A050-7E31-453C-88BE-9634F4E02139
  event_source_name: ''
  event_id: 20001
  version: 0
  level: 4
  task: 7005
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2013-10-23T16:17:53.968750+00:00'
  event_record_id: 250
  correlation: {}
  execution:
    process_id: 1536
    thread_id: 1900
  channel: System
  computer: 37L4247D28-05
  security:
    user_id: S-1-5-18
user_data:
  InstallDeviceID:
    xmlns:auto-ns2: http://schemas.microsoft.com/win/2004/08/events
    DriverName: FileRepository\rdpbus.inf_x86_neutral_27637529205407be\rdpbus.inf
    DriverVersion: 6.1.7600.16385
    DriverProvider: Microsoft
    DeviceInstanceID: ROOT\RDPBUS\0000
    SetupClass: 4D36E97D-E325-11CE-BFC1-08002BE10318
    RebootOption: false
    UpgradeDevice: false
    IsDriverOEM: false
    InstallStatus: 0
    DriverDescription: Remote Desktop Device Redirector Bus
message: 'Driver Management concluded the process to install driver http://schemas.microsoft.com/win/2004/08/events
  for Device Instance ID Microsoft with the following status: false.'

References

• Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Message

Driver Management concluded the process to remove driver %1 from Device Instance ID %4 with the following status: %9.

Fields

Message

Driver Management has concluded the process to add Service %1 for Device Instance ID %3 with the following status: %6.

Fields

Example Event

system:
  provider: Microsoft-Windows-UserPnp
  guid: 96F4A050-7E31-453C-88BE-9634F4E02139
  event_source_name: ''
  event_id: 20003
  version: 0
  level: 4
  task: 7005
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-05T22:30:40.551666+00:00'
  event_record_id: 1844
  correlation: {}
  execution:
    process_id: 7864
    thread_id: 8460
  channel: System
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
user_data:
  AddServiceID:
    ServiceName: VM3DService
    DriverFileName: '%SystemRoot%\system32\vm3dservice.exe'
    DeviceInstanceID: PCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78
    PrimaryService: false
    UpdateService: false
    AddServiceStatus: 0
message: ''

References

• Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Message

Driver Management has concluded the process to remove Service %1 for Device Instance ID %3 with the following status: %6.

Fields

Message

Driver Management has restricted the installation of Device Instance ID %1 because of a Device Installation Restriction policy setting.

Fields

Message

Driver Management has deferred the process to install Device Instance ID %1 until a driver has been selected because of a Device Installation Restriction policy setting.

Fields

Message

Driver Management has removed Device Instance ID %1 because of a Device Installation Restriction policy setting.

Fields

Message

Driver Management has not removed Device Instance ID %1 with matching policy restriction because it is a required system device.

Fields

Message

Driver Management will reboot the system in %1 seconds to enforce a Device Installation Restriction policy setting.

Fields

Fields

Example Event

system:
  provider: Microsoft-Windows-UserPnp
  guid: 96F4A050-7E31-453C-88BE-9634F4E02139
  event_source_name: ''
  event_id: 20010
  version: 0
  level: 4
  task: 7010
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2013-10-23T16:18:04.750000+00:00'
  event_record_id: 255
  correlation: {}
  execution:
    process_id: 616
    thread_id: 1644
  channel: System
  computer: 37L4247D28-05
  security:
    user_id: S-1-5-18
user_data:
  INFO_PNP_STATE:
    xmlns:auto-ns2: http://schemas.microsoft.com/win/2004/08/events
    InstallSubsystemState: true
    CachingSubsystemState: true
message: ''

References

• Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Message

Device action request for device '{VetoDevice}' was vetoed by '{VetoName}' with veto type {VetoType}.

Fields