Description

New device queued up for install.

Message #

New device queued up for install.

Fields #

Description

Plug and Play install scheduler has started.

Message #

Plug and Play install scheduler has started.

Fields #

Description

Plug and Play install scheduler has exited.

Message #

Plug and Play install scheduler has exited.

Fields #

Description

Plug and Play install worker thread has started.

Message #

Plug and Play install worker thread has started.

Fields #

Description

Plug and Play install worker thread has exited.

Message #

Plug and Play install worker thread has exited.

Fields #

Description

Parent of current device is already ahead in the install queue.

Message #

Parent of current device is already ahead in the install queue.

Fields #

Description

Current device is a volume snapshot device.

Message #

Current device is a volume snapshot device.

Fields #

Description

Client {ClientName} successfully registered for device notifications.

Message #

Client {ClientName} successfully registered for device notifications.

Fields #

Description

Error sending device event notification window message to client {WindowName} (hWnd={hWnd}; Session={SessionId}; Err={ErrorCode}).

Message #

Error sending device event notification window message to client {WindowName} (hWnd={hWnd}; Session={SessionId}; Err={ErrorCode}).

Fields #

Description

Error sending service control for device event notification to client {ClientName} (Session={SessionId}; Err={ErrorCode}).

Message #

Error sending service control for device event notification to client {ClientName} (Session={SessionId}; Err={ErrorCode}).

Fields #

Description

Error broadcasting system message for device event notification (Err={ErrorCode}).

Message #

Error broadcasting system message for device event notification (Err={ErrorCode}).

Fields #

Description

Sending notification for event {EventType} for device: {DeviceID}.

Message #

Sending notification for event {EventType} for device: {DeviceID}.

Fields #

Description

Received device event from Kernel PnP (GUID={EventGuid}; EventCategory={EventCategory}; Async={IsEventAsync}).

Message #

Received device event from Kernel PnP (GUID={EventGuid}; EventCategory={EventCategory}; Async={IsEventAsync}).

Fields #

Description

User PnP completed handling of the device event (GUID={EventGuid}; EventCategory={EventCategory}; Async={IsEventAsync}).

Message #

User PnP completed handling of the device event (GUID={EventGuid}; EventCategory={EventCategory}; Async={IsEventAsync}).

Fields #

Description

Start processing 'DIF_CODE'.

Message #

Start processing '%1'.

Fields #

Description

Finished processing 'DIF_CODE' (Err=ErrorCode).

Message #

Finished processing '%1' (Err=%2).

Fields #

Description

START: Core device install operations.

Message #

START: Core device install operations.

Description

END: Core device install operations.

Message #

END: Core device install operations.

Description

ENTER: Synchronization wait for core device install.

Message #

ENTER: Synchronization wait for core device install.

Description

EXIT: Synchronization wait for core device install.

Message #

EXIT: Synchronization wait for core device install.

Description

ENTER: Stage driver package.

Message #

ENTER: Stage driver package

Description

EXIT: Stage driver package.

Message #

EXIT: Stage driver package

Description

ENTER: Sending event notification to service ({ClientName}).

Message #

ENTER: Sending event notification to service ({ClientName}).

Fields #

Description

EXIT: Sending event notification to service ({ClientName}).

Message #

EXIT: Sending event notification to service ({ClientName}).

Fields #

Description

ENTER: Sending event notification to window ({ClientName}).

Message #

ENTER: Sending event notification to window ({ClientName}).

Fields #

Description

EXIT: Sending event notification to window ({ClientName}).

Message #

EXIT: Sending event notification to window ({ClientName}).

Fields #

Description

ENTER: Device installation restrictions policy check.

Message #

ENTER: Device installation restrictions policy check.

Description

EXIT: Device installation restrictions policy check.

Message #

EXIT: Device installation restrictions policy check.

Description

ENTER: Build driver info list.

Message #

ENTER: Build driver info list.

Description

EXIT: Build driver info list.

Message #

EXIT: Build driver info list.

Description

ENTER: Build driver info list - search published INFs.

Message #

ENTER: Build driver info list - search published INFs.

Description

EXIT: Build driver info list - search published INFs.

Message #

EXIT: Build driver info list - search published INFs.

Description

ENTER: Build driver info list - search Device Path.

Message #

ENTER: Build driver info list - search Device Path.

Description

EXIT: Build driver info list - search Device Path.

Message #

EXIT: Build driver info list - search Device Path.

Description

ENTER: Build driver info list - search caller specified folder.

Message #

ENTER: Build driver info list - search caller specified folder.

Description

EXIT: Build driver info list - search caller specified folder.

Message #

EXIT: Build driver info list - search caller specified folder.

Description

ENTER: PnpInstallDevice - install device instance.

Message #

ENTER: PnpInstallDevice - install device instance.

Description

EXIT: PnpInstallDevice - install device instance.

Message #

EXIT: PnpInstallDevice - install device instance.

Description

START: Searching WMIS for metadata package.

Message #

START: Searching WMIS for metadata package

Description

STOP: Searching WMIS for metadata package.

Message #

STOP: Searching WMIS for metadata package

Description

START: Downloading metadata package from WMIS.

Message #

START: Downloading metadata package from WMIS

Description

STOP: Downloading metadata package from WMIS.

Message #

STOP: Downloading metadata package from WMIS

Description

START: Searching local index for metadata package.

Message #

START: Searching local index for metadata package

Description

STOP: Searching local index for metadata package.

Message #

STOP: Searching local index for metadata package

Description

START: Unpacking metadata package into cache.

Message #

START: Unpacking metadata package into cache

Description

STOP: Unpacking metadata package into cache.

Message #

STOP: Unpacking metadata package into cache

Description

START: Parsing packageinfo.xml for metadata properties.

Message #

START: Parsing packageinfo.xml for metadata properties

Description

STOP: Parsing packageinfo.xml for metadata properties.

Message #

STOP: Parsing packageinfo.xml for metadata properties

Description

START: Scanning local store for new metadata packages.

Message #

START: Scanning local store for new metadata packages

Description

STOP: Scanning local store for new metadata packages.

Message #

STOP: Scanning local store for new metadata packages

Description

START: Initializing DMRC.

Message #

START: Initializing DMRC

Description

STOP: Initializing DMRC.

Message #

STOP: Initializing DMRC

Description

START: Uninitialize DMRC.

Message #

START: Uninitialize DMRC

Description

STOP: Uninitializing DMRC.

Message #

STOP: Uninitializing DMRC

Description

Message (Package: Package Error Code = ErrorCode, Win32 Error Code = Win32ErrorCode).

Message #

%1 (Package: %2 Error Code = %3, Win32 Error Code = %4)

Fields #

Description

A new device metadata package was downloaded from WMIS. (Path: PackagePath).

Message #

A new device metadata package was downloaded from WMIS. (Path: %1)

Fields #

Description

Message (Package: Package Error Code = ErrorCode, Win32 Error Code = Win32ErrorCode).

Message #

%1 (Package: %2 Error Code = %3, Win32 Error Code = %4)

Fields #

Description

Successfully parsed device metadata file. (File: File, Language: Language).

Message #

Successfully parsed device metadata file. (File: %1, Language: %2)

Fields #

Description

A new device metadata package was discovered. (Package Name: PackageName, Path: PackagePath).

Message #

A new device metadata package was discovered. (Package Name: %1, Path: %2)

Fields #

Description

DMRC was queried for type 'QueryType' with lookup key 'LookupKey'.

Message #

DMRC was queried for type '%1' with lookup key '%2'

Fields #

Description

Message (Error Code = NetworkErrorCode, Last Http Status Code = HttpStatusCode).

Message #

%1 (Error Code = %2, Last Http Status Code = %3)

Fields #

Description

A reboot is required to complete device installation of device 'ERR_DEVICE_ID.DeviceId'.

Message #

A reboot is required to complete device installation of device '%1'

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-UserPnp",
    "guid": "96F4A050-7E31-453C-88BE-9634F4E02139",
    "event_source_name": "",
    "event_id": 8000,
    "version": 0,
    "level": 3,
    "task": 0,
    "opcode": 0,
    "keywords": 576460752303423490,
    "time_created": "2023-10-25T22:50:39.873740+00:00",
    "event_record_id": 21,
    "correlation": {},
    "execution": {
      "process_id": 3600,
      "thread_id": 1060
    },
    "channel": "Microsoft-Windows-UserPnp/DeviceInstall",
    "computer": "WinDevEval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "user_data": {
    "ERR_DEVICE_ID": {
      "DeviceId": "ACPI\\VMW0003\\4&1BD7F811&0"
    }
  },
  "message": ""
}

References #

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Description

The DeviceInstall service has started.

Message #

The DeviceInstall service has started.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-UserPnp",
    "guid": "96F4A050-7E31-453C-88BE-9634F4E02139",
    "event_source_name": "",
    "event_id": 8001,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 576460752303423490,
    "time_created": "2023-11-06T06:25:29.349729+00:00",
    "event_record_id": 30,
    "correlation": {},
    "execution": {
      "process_id": 1080,
      "thread_id": 1096
    },
    "channel": "Microsoft-Windows-UserPnp/DeviceInstall",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {},
  "message": ""
}

References #

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Description

The DeviceInstall service is stopping (idle).

Message #

The DeviceInstall service is stopping (idle).

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-UserPnp",
    "guid": "96F4A050-7E31-453C-88BE-9634F4E02139",
    "event_source_name": "",
    "event_id": 8002,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 576460752303423490,
    "time_created": "2023-11-06T01:04:11.781477+00:00",
    "event_record_id": 44,
    "correlation": {},
    "execution": {
      "process_id": 16172,
      "thread_id": 12452
    },
    "channel": "Microsoft-Windows-UserPnp/DeviceInstall",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {},
  "message": ""
}

References #

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Description

The DeviceInstall service is stopping (stop control).

Message #

The DeviceInstall service is stopping (stop control).

Description

The DeviceInstall service is stopping (shutdown).

Message #

The DeviceInstall service is stopping (shutdown).

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-UserPnp",
    "guid": "96F4A050-7E31-453C-88BE-9634F4E02139",
    "event_source_name": "",
    "event_id": 8004,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 576460752303423490,
    "time_created": "2023-11-06T06:23:40.089953+00:00",
    "event_record_id": 27,
    "correlation": {},
    "execution": {
      "process_id": 1068,
      "thread_id": 1072
    },
    "channel": "Microsoft-Windows-UserPnp/DeviceInstall",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {},
  "message": ""
}

References #

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Description

The DeviceInstall service has stopped.

Message #

The DeviceInstall service has stopped.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-UserPnp",
    "guid": "96F4A050-7E31-453C-88BE-9634F4E02139",
    "event_source_name": "",
    "event_id": 8005,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 576460752303423490,
    "time_created": "2023-11-06T06:23:40.106579+00:00",
    "event_record_id": 28,
    "correlation": {},
    "execution": {
      "process_id": 1068,
      "thread_id": 1092
    },
    "channel": "Microsoft-Windows-UserPnp/DeviceInstall",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {},
  "message": ""
}

References #

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Description

There are pending driver updates to install.

Message #

There are pending driver updates to install.

Description

A timeout was detected during the installation of device 'DeviceId'.

Message #

A timeout was detected during the installation of device '%1'

Fields #

Description

The DeviceInstall service is starting.

Message #

The DeviceInstall service is starting.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-UserPnp",
    "guid": "96F4A050-7E31-453C-88BE-9634F4E02139",
    "event_source_name": "",
    "event_id": 8008,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 576460752303423490,
    "time_created": "2023-11-06T06:25:29.340577+00:00",
    "event_record_id": 29,
    "correlation": {},
    "execution": {
      "process_id": 1080,
      "thread_id": 1096
    },
    "channel": "Microsoft-Windows-UserPnp/DeviceInstall",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {},
  "message": ""
}

References #

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Description

The DeviceInstall service failed to start with error ErrorCode.

Message #

The DeviceInstall service failed to start with error %1.

Fields #

Description

Finish install operation state changed to hc_stateid.

Message #

Finish install operation state changed to %1.

Fields #

Description

Device installation is currently disabled.

Message #

Device installation is currently disabled.

Description

Device installation has been disabled.

Message #

Device installation has been disabled.

Description

Device installation has been enabled.

Message #

Device installation has been enabled.

Description

The DeviceInstall service will not idle stop.

Message #

The DeviceInstall service will not idle stop.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-UserPnp",
    "guid": "96F4A050-7E31-453C-88BE-9634F4E02139",
    "event_source_name": "",
    "event_id": 8030,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 576460752303423490,
    "time_created": "2023-11-06T06:25:29.352092+00:00",
    "event_record_id": 31,
    "correlation": {},
    "execution": {
      "process_id": 1080,
      "thread_id": 1096
    },
    "channel": "Microsoft-Windows-UserPnp/DeviceInstall",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {},
  "message": ""
}

References #

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Fields #

Description

Driver Management concluded the process to install driver for Device Instance ID with the following status: .

Message #

Driver Management concluded the process to install driver %1 for Device Instance ID %4 with the following status: %9.

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-UserPnp",
    "guid": "96F4A050-7E31-453C-88BE-9634F4E02139",
    "event_source_name": "",
    "event_id": 20001,
    "version": 0,
    "level": 4,
    "task": 7005,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2013-10-23T16:17:53.968750+00:00",
    "event_record_id": 250,
    "correlation": {},
    "execution": {
      "process_id": 1536,
      "thread_id": 1900
    },
    "channel": "System",
    "computer": "37L4247D28-05",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "user_data": {
    "InstallDeviceID": {
      "xmlns:auto-ns2": "http://schemas.microsoft.com/win/2004/08/events",
      "DriverName": "FileRepository\\rdpbus.inf_x86_neutral_27637529205407be\\rdpbus.inf",
      "DriverVersion": "6.1.7600.16385",
      "DriverProvider": "Microsoft",
      "DeviceInstanceID": "ROOT\\RDPBUS\\0000",
      "SetupClass": "4D36E97D-E325-11CE-BFC1-08002BE10318",
      "RebootOption": false,
      "UpgradeDevice": false,
      "IsDriverOEM": false,
      "InstallStatus": 0,
      "DriverDescription": "Remote Desktop Device Redirector Bus"
    }
  },
  "message": "Driver Management concluded the process to install driver http://schemas.microsoft.com/win/2004/08/events for Device Instance ID Microsoft with the following status: false."
}

References #

• Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Description

Driver Management concluded the process to remove driver DriverName from Device Instance ID DeviceInstanceID with the following status: InstallStatus.

Message #

Driver Management concluded the process to remove driver %1 from Device Instance ID %4 with the following status: %9.

Fields #

Description

Driver Management has concluded the process to add Service AddServiceID.ServiceName for Device Instance ID AddServiceID.DeviceInstanceID with the following status: AddServiceID.AddServiceStatus.

Message #

Driver Management has concluded the process to add Service %1 for Device Instance ID %3 with the following status: %6.

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-UserPnp",
    "guid": "96F4A050-7E31-453C-88BE-9634F4E02139",
    "event_source_name": "",
    "event_id": 20003,
    "version": 0,
    "level": 4,
    "task": 7005,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-05T22:30:40.551666+00:00",
    "event_record_id": 1844,
    "correlation": {},
    "execution": {
      "process_id": 7864,
      "thread_id": 8460
    },
    "channel": "System",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "user_data": {
    "AddServiceID": {
      "ServiceName": "VM3DService",
      "DriverFileName": "%SystemRoot%\\system32\\vm3dservice.exe",
      "DeviceInstanceID": "PCI\\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\\3&61AAA01&0&78",
      "PrimaryService": false,
      "UpdateService": false,
      "AddServiceStatus": 0
    }
  },
  "message": ""
}

References #

• Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Description

Driver Management has concluded the process to remove Service ServiceName for Device Instance ID DeviceInstanceID with the following status: AddServiceStatus.

Message #

Driver Management has concluded the process to remove Service %1 for Device Instance ID %3 with the following status: %6.

Fields #

Description

Driver Management has restricted the installation of Device Instance ID DeviceId because of a Device Installation Restriction policy setting.

Message #

Driver Management has restricted the installation of Device Instance ID %1 because of a Device Installation Restriction policy setting.

Fields #

Description

Driver Management has deferred the process to install Device Instance ID DeviceId until a driver has been selected because of a Device Installation Restriction policy setting.

Message #

Driver Management has deferred the process to install Device Instance ID %1 until a driver has been selected because of a Device Installation Restriction policy setting.

Fields #

Description

Driver Management has removed Device Instance ID DeviceId because of a Device Installation Restriction policy setting.

Message #

Driver Management has removed Device Instance ID %1 because of a Device Installation Restriction policy setting.

Fields #

Description

Driver Management has not removed Device Instance ID DeviceId with matching policy restriction because it is a required system device.

Message #

Driver Management has not removed Device Instance ID %1 with matching policy restriction because it is a required system device.

Fields #

Description

Driver Management will reboot the system in RebootTime seconds to enforce a Device Installation Restriction policy setting.

Message #

Driver Management will reboot the system in %1 seconds to enforce a Device Installation Restriction policy setting.

Fields #

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-UserPnp",
    "guid": "96F4A050-7E31-453C-88BE-9634F4E02139",
    "event_source_name": "",
    "event_id": 20010,
    "version": 0,
    "level": 4,
    "task": 7010,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2013-10-23T16:18:04.750000+00:00",
    "event_record_id": 255,
    "correlation": {},
    "execution": {
      "process_id": 616,
      "thread_id": 1644
    },
    "channel": "System",
    "computer": "37L4247D28-05",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "user_data": {
    "INFO_PNP_STATE": {
      "xmlns:auto-ns2": "http://schemas.microsoft.com/win/2004/08/events",
      "InstallSubsystemState": true,
      "CachingSubsystemState": true
    }
  },
  "message": ""
}

References #

• Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Description

Device action request for device '{VetoDevice}' was vetoed by '{VetoName}' with veto type {VetoType}.

Message #

Device action request for device '{VetoDevice}' was vetoed by '{VetoName}' with veto type {VetoType}.

Fields #