Welcome to the winevt-kb documentation

winevt-kb is a project to build a Windows Event Log knowledge base.

winevtrc is a Python module part of winevt-kb to allow reuse of Windows Event Log resources.

The source code is available from the project page.

Event Log providers

.NET Runtime

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2003
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	.NET Runtime
Log type:	Application
Event message file(s):	%systemroot%\system32\mscoree.dll

.NET Runtime Optimization Service

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	.NET Runtime Optimization Service
Log type:	Application
Event message file(s):	%systemroot%\system32\mscoree.dll

3ware

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	3ware
Log type:	System
Event message file(s):	%systemroot%\system32\iologmsg.dll

ACPI

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	ACPI
Log type:	System
Event message file(s):	%systemroot%\system32\drivers\acpi.sys
	%systemroot%\system32\iologmsg.dll

ADP80XX

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	ADP80XX
Log type:	System
Event message file(s):	%systemroot%\system32\iologmsg.dll

AFD

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	AFD
Log type:	System
Event message file(s):	%systemroot%\system32\netevent.dll

AmdK8

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	AmdK8
Log type:	System
Event message file(s):	%systemroot%\system32\drivers\amdk8.sys
	%systemroot%\system32\iologmsg.dll

AmdPPM

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	AmdPPM
Log type:	System
Event message file(s):	%systemroot%\system32\drivers\amdppm.sys
	%systemroot%\system32\iologmsg.dll

AppReadiness

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	AppReadiness
	Microsoft-Windows-AppReadiness
Log type:	System
Identifier:	{f0be35f8-237b-4814-86b5-ade51192e503}
Event message file(s):	%systemroot%\system32\appreadiness.dll

AppleSSD

Seen on:

Windows 11 (21H2)

Log source(s):	AppleSSD
Log type:	System
Event message file(s):	%systemroot%\system32\iologmsg.dll

Application

Seen on:

Windows 2000
Windows 2003
Windows XP 32-bit
Windows XP 64-bit

Log source(s):	Application
Log type:	Application
Category message file(s):	%systemroot%\system32\eventlog.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Application
Log type:	Application
Category message file(s):	%systemroot%\system32\wevtapi.dll

Application Error

Seen on:

Windows 2003
Windows XP 64-bit

Log source(s):	Application Error
Log type:	Application
Event message file(s):	%systemroot%\system32\faultrep.dll
	%systemroot%\system32\ws03res.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Application Error
Log type:	Application
Category message file(s):	%systemroot%\system32\wer.dll
Event message file(s):	%systemroot%\system32\wer.dll

Seen on:

Windows XP 32-bit

Log source(s):	Application Error
Log type:	Application
Event message file(s):	%systemroot%\system32\faultrep.dll
	%systemroot%\system32\xpsp2res.dll

Seen on:

Windows Vista

Log source(s):	Application Error
Log type:	Application
Event message file(s):	%systemroot%\system32\wer.dll

Application Hang

Seen on:

Windows 2003
Windows XP 32-bit
Windows XP 64-bit

Log source(s):	Application Hang
Log type:	Application
Event message file(s):	%systemroot%\system32\faultrep.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Application Hang
Log type:	Application
Event message file(s):	%systemroot%\system32\wersvc.dll

Application Management

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2000
Windows 2003
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista
Windows XP 32-bit
Windows XP 64-bit

Log source(s):	Application Management
Log type:	Application
Event message file(s):	%systemroot%\system32\appmgmts.dll
Parameter message file(s):	%systemroot%\system32\kernel32.dll

Application Management Group Policy

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Application Management Group Policy
Log type:	System
Event message file(s):	%systemroot%\system32\appmgmts.dll
Parameter message file(s):	%systemroot%\system32\kernel32.dll

Application-Addon-Event-Provider

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Application-Addon-Event-Provider
Log type:	Application
Identifier:	{a83fa99f-c356-4ded-9fd6-5a5eb8546d68}
Event message file(s):	%systemroot%\system32\ieframe.dll

AsyncMac

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2000
Windows 2003
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows Vista
Windows XP 32-bit
Windows XP 64-bit

Log source(s):	AsyncMac
Log type:	System
Event message file(s):	%systemroot%\system32\mprmsg.dll

AutoEnrollment

Seen on:

Windows 2003
Windows XP 32-bit
Windows XP 64-bit

Log source(s):	AutoEnrollment
Log type:	Application
Event message file(s):	%systemroot%\system32\pautoenr.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	AutoEnrollment
	Microsoft-Windows-CertificateServicesClient-AutoEnrollment
Log type:	Application
Identifier:	{f0db7ef8-b6f3-4005-9937-feb77b9e1b43}
Event message file(s):	%systemroot%\system32\pautoenr.dll

BTHPORT

Seen on:

Windows 10 (1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	BTHPORT
Log type:	System
Event message file(s):	%systemroot%\system32\drivers\bthport.sys
	%systemroot%\system32\iologmsg.dll

BTHUSB

Seen on:

Windows 10 (1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	BTHUSB
Log type:	System
Event message file(s):	%systemroot%\system32\drivers\bthport.sys
	%systemroot%\system32\drivers\bthusb.sys
	%systemroot%\system32\iologmsg.dll

BasicRender

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	BasicRender
Log type:	System
Event message file(s):	%systemroot%\system32\iologmsg.dll

BthEnum

Seen on:

Windows 10 (1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	BthEnum
Log type:	System
Event message file(s):	%systemroot%\system32\drivers\bthenum.sys
	%systemroot%\system32\iologmsg.dll

BthLEEnum

Seen on:

Windows 10 (1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	BthLEEnum
Log type:	System
Event message file(s):	%systemroot%\system32\drivers\microsoft.bluetooth.legacy.leenumerator.sys
	%systemroot%\system32\iologmsg.dll

BthMini

Seen on:

Windows 10 (1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	BthMini
Log type:	System
Event message file(s):	%systemroot%\system32\drivers\bthmini.sys
	%systemroot%\system32\drivers\bthport.sys
	%systemroot%\system32\iologmsg.dll

BugCheck

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	BugCheck
	Microsoft-Windows-WER-SystemErrorReporting
Log type:	System
Identifier:	{abce23e7-de45-4366-8631-84fa6c525952}
Event message file(s):	%systemroot%\system32\werfault.exe

COM

Seen on:

Windows 2003
Windows XP 32-bit
Windows XP 64-bit

Log source(s):	COM
Log type:	Application
Event message file(s):	%systemroot%\system32\netevent.dll
	%systemroot%\system32\xpsp2res.dll
Parameter message file(s):	%systemroot%\system32\kernel32.dll

Seen on:

Windows 2008
Windows 7
Windows Vista

Log source(s):	COM
	Microsoft-Windows-COMRuntime
Log type:	Application
Identifier:	{bf406804-6afa-46e7-8a48-6c357e1d6d61}
Event message file(s):	%systemroot%\system32\oleres.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	COM
	Microsoft-Windows-COMRuntime
Log type:	Application
Identifier:	{bf406804-6afa-46e7-8a48-6c357e1d6d61}
Event message file(s):	%systemroot%\system32\combase.dll

COM+

Seen on:

Windows 2000

Log source(s):	COM+
Log type:	Application
Category message file(s):	%systemroot%\system32\comsvcs.dll
Event message file(s):	%systemroot%\system32\comsvcs.dll
Parameter message file(s):	%systemroot%\system32\comsvcs.dll

Seen on:

Windows 2003

Log source(s):	COM+
Log type:	Application
Category message file(s):	%systemroot%\system32\comres.dll
Event message file(s):	%systemroot%\system32\comres.dll
	%systemroot%\system32\w03a2409.dll
	%systemroot%\system32\ws03res.dll
Parameter message file(s):	%systemroot%\system32\comres.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	COM+
	Microsoft-Windows-Complus
Log type:	Application
Identifier:	{0f177893-4a9c-4709-b921-f432d67f43d5}
Event message file(s):	%systemroot%\system32\comres.dll

Seen on:

Windows XP 32-bit

Log source(s):	COM+
Log type:	Application
Category message file(s):	%systemroot%\system32\comres.dll
Event message file(s):	%systemroot%\system32\comres.dll
Parameter message file(s):	%systemroot%\system32\comres.dll

Seen on:

Windows XP 64-bit

Log source(s):	COM+
Log type:	Application
Category message file(s):	%systemroot%\system32\comres.dll
Event message file(s):	%systemroot%\system32\comres.dll
	%systemroot%\system32\ws03res.dll
Parameter message file(s):	%systemroot%\system32\comres.dll

CardSpace 4.0.0.0

Seen on:

Windows 2008

Log source(s):	CardSpace 4.0.0.0
Log type:	Application
Category message file(s):	%systemroot%\system32\icardres.dll.mui
Event message file(s):	%systemroot%\microsoft.net\framework64\v4.0.30319\servicemodelevents.dll
	%systemroot%\system32\icardres.dll.mui

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	CardSpace 4.0.0.0
Log type:	Application
Category message file(s):	%systemroot%\system32\icardres.dll
Event message file(s):	%systemroot%\microsoft.net\framework64\v4.0.30319\servicemodelevents.dll
	%systemroot%\system32\icardres.dll

Seen on:

Windows 8.0

Log source(s):	CardSpace 4.0.0.0
Log type:	Application
Category message file(s):	%systemroot%\system32\icardres.dll
Event message file(s):	%systemroot%\microsoft.net\framework\v4.0.30319\servicemodelevents.dll
	%systemroot%\system32\icardres.dll

CertCa

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	CertCa
	CertCli
	Microsoft-Windows-CertificationAuthorityClient-CertCli
Log type:	Application
Identifier:	{98bf1cd3-583e-4926-95ee-a61bf3f46470}
Event message file(s):	%systemroot%\system32\certcli.dll

CertEnroll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	CertEnroll
	Microsoft-Windows-CertificateServicesClient-CertEnroll
Log type:	Application
Identifier:	{54164045-7c50-4905-963f-e5bc1eef0cca}
Event message file(s):	%systemroot%\system32\certenroll.dll

Chkdsk

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2000
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista
Windows XP 32-bit
Windows XP 64-bit

Log source(s):	Chkdsk
Log type:	Application
Event message file(s):	%systemroot%\system32\ulib.dll

Seen on:

Windows 2003

Log source(s):	Chkdsk
Log type:	Application
Event message file(s):	%systemroot%\system32\ulib.dll
	%systemroot%\system32\w03a2409.dll

DCOM

Seen on:

Windows 2000

Log source(s):	DCOM
Log type:	System
Event message file(s):	%systemroot%\system32\netevent.dll
Parameter message file(s):	%systemroot%\system32\kernel32.dll

Seen on:

Windows 2003
Windows XP 64-bit

Log source(s):	DCOM
Log type:	System
Event message file(s):	%systemroot%\system32\netevent.dll
	%systemroot%\system32\ws03res.dll
	%systemroot%\system32\xpsp2res.dll
Parameter message file(s):	%systemroot%\system32\kernel32.dll

Seen on:

Windows 2008
Windows 7
Windows Vista

Log source(s):	DCOM
	Microsoft-Windows-DistributedCOM
Log type:	System
Identifier:	{1b562e86-b7aa-4131-badc-b6f3a001407e}
Event message file(s):	%systemroot%\system32\oleres.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	DCOM
	Microsoft-Windows-DistributedCOM
Log type:	System
Identifier:	{1b562e86-b7aa-4131-badc-b6f3a001407e}
Event message file(s):	%systemroot%\system32\combase.dll

Seen on:

Windows XP 32-bit

Log source(s):	DCOM
Log type:	System
Event message file(s):	%systemroot%\system32\netevent.dll
	%systemroot%\system32\xpsp2res.dll
Parameter message file(s):	%systemroot%\system32\kernel32.dll

DS

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2000
Windows 2003
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista
Windows XP 32-bit
Windows XP 64-bit

Log source(s):	DS
Log type:	Security
Parameter message file(s):	%systemroot%\system32\msobjs.dll

DeliveryOptimization

Seen on:

Windows 10 (1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	DeliveryOptimization
Log type:	Application
Event message file(s):	%systemroot%\system32\dosvc.dll

Desktop Window Manager

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Desktop Window Manager
Log type:	Application
Event message file(s):	%systemroot%\system32\dwm.exe

DfsSvc

Seen on:

Windows 2000
Windows XP 32-bit

Log source(s):	DfsSvc
Log type:	System
Event message file(s):	%systemroot%\system32\netevent.dll

Seen on:

Windows 2003

Log source(s):	DfsSvc
Log type:	System
Event message file(s):	%systemroot%\system32\netevent.dll
	%systemroot%\system32\w03a2409.dll
	%systemroot%\system32\ws03res.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	DfsSvc
	Microsoft-Windows-DfsSvc
Log type:	System
Identifier:	{7da4fe0e-fd42-4708-9aa5-89b77a224885}
Event message file(s):	%systemroot%\system32\netevent.dll

Seen on:

Windows XP 64-bit

Log source(s):	DfsSvc
Log type:	System
Event message file(s):	%systemroot%\system32\netevent.dll
	%systemroot%\system32\ws03res.dll

Dhcp

Seen on:

Windows 2000
Windows 2003
Windows XP 32-bit
Windows XP 64-bit

Log source(s):	Dhcp
Log type:	System
Event message file(s):	%systemroot%\system32\dhcpcsvc.dll
Parameter message file(s):	%systemroot%\system32\kernel32.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Dhcp
	Microsoft-Windows-Dhcp-Client
Log type:	System
Identifier:	{15a7a4f8-0072-4eab-abad-f98a4d666aed}
Event message file(s):	%systemroot%\system32\dhcpcore.dll
Parameter message file(s):	%systemroot%\system32\kernel32.dll

Seen on:

Windows Vista

Log source(s):	Dhcp
	Microsoft-Windows-Dhcp-Client
Log type:	System
Identifier:	{15a7a4f8-0072-4eab-abad-f98a4d666aed}
Event message file(s):	%systemroot%\system32\dhcpcsvc.dll
Parameter message file(s):	%systemroot%\system32\kernel32.dll

Dhcpv6

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Dhcpv6
	Microsoft-Windows-DHCPv6-Client
Log type:	System
Identifier:	{6a1f2b00-6a90-4c38-95a5-5cab3b056778}
Event message file(s):	%systemroot%\system32\dhcpcore6.dll
Parameter message file(s):	%systemroot%\system32\kernelbase.dll

Seen on:

Windows Vista

Log source(s):	Dhcpv6
	Microsoft-Windows-DHCPv6-Client
Log type:	System
Identifier:	{6a1f2b00-6a90-4c38-95a5-5cab3b056778}
Event message file(s):	%systemroot%\system32\dhcpcsvc6.dll
Parameter message file(s):	%systemroot%\system32\kernel32.dll

DiskQuota

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2000
Windows 2003
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista
Windows XP 32-bit
Windows XP 64-bit

Log source(s):	DiskQuota
Log type:	Application
Event message file(s):	%systemroot%\system32\dskquota.dll

Display

Seen on:

Windows 2008
Windows 7
Windows Vista

Log source(s):	Display
Log type:	System
Event message file(s):	%systemroot%\system32\dispci.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Display
Log type:	System
Event message file(s):	%systemroot%\system32\dxgwdi.dll

Dnsapi

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2000
Windows 2003
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista
Windows XP 32-bit
Windows XP 64-bit

Log source(s):	Dnsapi
Log type:	System
Event message file(s):	%systemroot%\system32\netevent.dll
Parameter message file(s):	%systemroot%\system32\kernel32.dll

Dnscache

Seen on:

Windows 2000

Log source(s):	Dnscache
Log type:	System
Event message file(s):	%systemroot%\system32\netevent.dll

Seen on:

Windows 2003
Windows XP 64-bit

Log source(s):	Dnscache
Log type:	System
Event message file(s):	%systemroot%\system32\netevent.dll
	%systemroot%\system32\ws03res.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Dnscache
Log type:	System
Event message file(s):	%systemroot%\system32\netevent.dll
Parameter message file(s):	%systemroot%\system32\kernel32.dll

Seen on:

Windows XP 32-bit

Log source(s):	Dnscache
Log type:	System
Event message file(s):	%systemroot%\system32\netevent.dll
	%systemroot%\system32\xpsp2res.dll

Dwminit

Seen on:

Windows 10 (1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Dwminit
Log type:	Application
Event message file(s):	%systemroot%\system32\dwminit.dll

ESENT

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2000
Windows 2003
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista
Windows XP 32-bit
Windows XP 64-bit

Log source(s):	ESENT
Log type:	Application
Category message file(s):	%systemroot%\system32\esent.dll
Event message file(s):	%systemroot%\system32\esent.dll

Edge

Seen on:

Windows 10 (1909)

Log source(s):	Edge
Log type:	Application
Category message file(s):	\program files (x86)\microsoft\edge\application\87.0.664.60\eventlog_provider.dll
Event message file(s):	\program files (x86)\microsoft\edge\application\87.0.664.60\eventlog_provider.dll
Parameter message file(s):	\program files (x86)\microsoft\edge\application\87.0.664.60\eventlog_provider.dll

Seen on:

Windows 10 (20H2)

Log source(s):	Edge
Log type:	Application
Category message file(s):	\program files (x86)\microsoft\edge\application\84.0.522.52\eventlog_provider.dll
Event message file(s):	\program files (x86)\microsoft\edge\application\84.0.522.52\eventlog_provider.dll
Parameter message file(s):	\program files (x86)\microsoft\edge\application\84.0.522.52\eventlog_provider.dll

Seen on:

Windows 11 (21H2)

Log source(s):	Edge
Log type:	Application
Category message file(s):	\program files (x86)\microsoft\edge\application\94.0.992.50\eventlog_provider.dll
Event message file(s):	\program files (x86)\microsoft\edge\application\94.0.992.50\eventlog_provider.dll
Parameter message file(s):	\program files (x86)\microsoft\edge\application\94.0.992.50\eventlog_provider.dll

Error Instrument

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Error Instrument
Log type:	Application
Identifier:	{cd7cf0d0-02cc-4872-9b65-0dba0a90efe8}
Event message file(s):	%systemroot%\system32\user32.dll

EventLog

Seen on:

Windows 11 (21H2)

Log source(s):	EventLog
Log type:	System
Event message file(s):	%systemroot%\system32\netevent.dll

EventSystem

Seen on:

Windows 2000

Log source(s):	EventSystem
Log type:	Application
Category message file(s):	%systemroot%\system32\es.dll
Event message file(s):	%systemroot%\system32\es.dll

Seen on:

Windows 2003
Windows XP 64-bit

Log source(s):	EventSystem
Log type:	Application
Category message file(s):	%systemroot%\system32\comres.dll
Event message file(s):	%systemroot%\system32\comres.dll
	%systemroot%\system32\ws03res.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	EventSystem
	Microsoft-Windows-EventSystem
Log type:	Application
Identifier:	{899daace-4868-4295-afcd-9eb8fb497561}
Event message file(s):	%systemroot%\system32\comres.dll

Seen on:

Windows XP 32-bit

Log source(s):	EventSystem
Log type:	Application
Category message file(s):	%systemroot%\system32\comres.dll
Event message file(s):	%systemroot%\system32\comres.dll

FltMgr

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	FltMgr
Log type:	System
Event message file(s):	%systemroot%\system32\drivers\fltmgr.sys
	%systemroot%\system32\iologmsg.dll

Folder Redirection

Seen on:

Windows 2000
Windows 2003
Windows XP 32-bit
Windows XP 64-bit

Log source(s):	Folder Redirection
Log type:	Application
Event message file(s):	%systemroot%\system32\fdeploy.dll
Parameter message file(s):	%systemroot%\system32\kernel32.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Folder Redirection
	Microsoft-Windows-Folder Redirection
Log type:	Application
Identifier:	{7d7b0c39-93f6-4100-bd96-4dda859652c5}
Event message file(s):	%systemroot%\system32\fdeploy.dll

Seen on:

Windows Vista

Log source(s):	Folder Redirection
	Microsoft-Windows-Folder Redirection
Log type:	Application
Identifier:	{7d7b0c39-93f6-4100-bd96-4dda859652c5}
Event message file(s):	%systemroot%\system32\fdeploy.dll
Parameter message file(s):	%systemroot%\system32\kernel32.dll

Group Policy Applications

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Group Policy Applications
Log type:	Application
Category message file(s):	%systemroot%\system32\gpprefcl.dll
Event message file(s):	%systemroot%\system32\gpprefcl.dll
Parameter message file(s):	%systemroot%\system32\gpprefcl.dll

Group Policy Client

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Group Policy Client
Log type:	Application
Category message file(s):	%systemroot%\system32\gpprefcl.dll
Event message file(s):	%systemroot%\system32\gpprefcl.dll
Parameter message file(s):	%systemroot%\system32\gpprefcl.dll

Group Policy Data Sources

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Group Policy Data Sources
Log type:	Application
Category message file(s):	%systemroot%\system32\gpprefcl.dll
Event message file(s):	%systemroot%\system32\gpprefcl.dll
Parameter message file(s):	%systemroot%\system32\gpprefcl.dll

Group Policy Device Settings

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Group Policy Device Settings
Log type:	Application
Category message file(s):	%systemroot%\system32\gpprefcl.dll
Event message file(s):	%systemroot%\system32\gpprefcl.dll
Parameter message file(s):	%systemroot%\system32\gpprefcl.dll

Group Policy Drive Maps

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Group Policy Drive Maps
Log type:	Application
Category message file(s):	%systemroot%\system32\gpprefcl.dll
Event message file(s):	%systemroot%\system32\gpprefcl.dll
Parameter message file(s):	%systemroot%\system32\gpprefcl.dll

Group Policy Environment

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Group Policy Environment
Log type:	Application
Category message file(s):	%systemroot%\system32\gpprefcl.dll
Event message file(s):	%systemroot%\system32\gpprefcl.dll
Parameter message file(s):	%systemroot%\system32\gpprefcl.dll

Group Policy Files

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Group Policy Files
Log type:	Application
Category message file(s):	%systemroot%\system32\gpprefcl.dll
Event message file(s):	%systemroot%\system32\gpprefcl.dll
Parameter message file(s):	%systemroot%\system32\gpprefcl.dll

Group Policy Folder Options

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Group Policy Folder Options
Log type:	Application
Category message file(s):	%systemroot%\system32\gpprefcl.dll
Event message file(s):	%systemroot%\system32\gpprefcl.dll
Parameter message file(s):	%systemroot%\system32\gpprefcl.dll

Group Policy Folders

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Group Policy Folders
Log type:	Application
Category message file(s):	%systemroot%\system32\gpprefcl.dll
Event message file(s):	%systemroot%\system32\gpprefcl.dll
Parameter message file(s):	%systemroot%\system32\gpprefcl.dll

Group Policy Ini Files

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Group Policy Ini Files
Log type:	Application
Category message file(s):	%systemroot%\system32\gpprefcl.dll
Event message file(s):	%systemroot%\system32\gpprefcl.dll
Parameter message file(s):	%systemroot%\system32\gpprefcl.dll

Group Policy Internet Settings

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Group Policy Internet Settings
Log type:	Application
Category message file(s):	%systemroot%\system32\gpprefcl.dll
Event message file(s):	%systemroot%\system32\gpprefcl.dll
Parameter message file(s):	%systemroot%\system32\gpprefcl.dll

Group Policy Local Users and Groups

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Group Policy Local Users and Groups
Log type:	Application
Category message file(s):	%systemroot%\system32\gpprefcl.dll
Event message file(s):	%systemroot%\system32\gpprefcl.dll
Parameter message file(s):	%systemroot%\system32\gpprefcl.dll

Group Policy Mail Profiles

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Group Policy Mail Profiles
Log type:	Application
Category message file(s):	%systemroot%\system32\gpprefcl.dll
Event message file(s):	%systemroot%\system32\gpprefcl.dll
Parameter message file(s):	%systemroot%\system32\gpprefcl.dll

Group Policy Network Options

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Group Policy Network Options
Log type:	Application
Category message file(s):	%systemroot%\system32\gpprefcl.dll
Event message file(s):	%systemroot%\system32\gpprefcl.dll
Parameter message file(s):	%systemroot%\system32\gpprefcl.dll

Group Policy Network Shares

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Group Policy Network Shares
Log type:	Application
Category message file(s):	%systemroot%\system32\gpprefcl.dll
Event message file(s):	%systemroot%\system32\gpprefcl.dll
Parameter message file(s):	%systemroot%\system32\gpprefcl.dll

Group Policy Power Options

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Group Policy Power Options
Log type:	Application
Category message file(s):	%systemroot%\system32\gpprefcl.dll
Event message file(s):	%systemroot%\system32\gpprefcl.dll
Parameter message file(s):	%systemroot%\system32\gpprefcl.dll

Group Policy Printers

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Group Policy Printers
Log type:	Application
Category message file(s):	%systemroot%\system32\gpprefcl.dll
Event message file(s):	%systemroot%\system32\gpprefcl.dll
Parameter message file(s):	%systemroot%\system32\gpprefcl.dll

Group Policy Regional Options

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Group Policy Regional Options
Log type:	Application
Category message file(s):	%systemroot%\system32\gpprefcl.dll
Event message file(s):	%systemroot%\system32\gpprefcl.dll
Parameter message file(s):	%systemroot%\system32\gpprefcl.dll

Group Policy Registry

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Group Policy Registry
Log type:	Application
Category message file(s):	%systemroot%\system32\gpprefcl.dll
Event message file(s):	%systemroot%\system32\gpprefcl.dll
Parameter message file(s):	%systemroot%\system32\gpprefcl.dll

Group Policy Scheduled Tasks

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Group Policy Scheduled Tasks
Log type:	Application
Category message file(s):	%systemroot%\system32\gpprefcl.dll
Event message file(s):	%systemroot%\system32\gpprefcl.dll
Parameter message file(s):	%systemroot%\system32\gpprefcl.dll

Group Policy Services

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Group Policy Services
Log type:	Application
Category message file(s):	%systemroot%\system32\gpprefcl.dll
Event message file(s):	%systemroot%\system32\gpprefcl.dll
Parameter message file(s):	%systemroot%\system32\gpprefcl.dll

Group Policy Shortcuts

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Group Policy Shortcuts
Log type:	Application
Category message file(s):	%systemroot%\system32\gpprefcl.dll
Event message file(s):	%systemroot%\system32\gpprefcl.dll
Parameter message file(s):	%systemroot%\system32\gpprefcl.dll

Group Policy Standard Edition

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Group Policy Standard Edition
Log type:	Application
Category message file(s):	%systemroot%\system32\gpprefcl.dll
Event message file(s):	%systemroot%\system32\gpprefcl.dll
Parameter message file(s):	%systemroot%\system32\gpprefcl.dll

Group Policy Start Menu Settings

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Group Policy Start Menu Settings
Log type:	Application
Category message file(s):	%systemroot%\system32\gpprefcl.dll
Event message file(s):	%systemroot%\system32\gpprefcl.dll
Parameter message file(s):	%systemroot%\system32\gpprefcl.dll

GroupPolicy

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	GroupPolicy
Log type:	Application
Event message file(s):	%systemroot%\system32\gpapi.dll

Handwriting Recognition

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Handwriting Recognition
Log type:	Application
Category message file(s):	%commonprogramfiles%\microsoft shared\ink\ipseventlogmsg.dll
Event message file(s):	%commonprogramfiles%\microsoft shared\ink\ipseventlogmsg.dll

HidBth

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	HidBth
Log type:	System
Event message file(s):	%systemroot%\system32\drivers\hidbth.sys
	%systemroot%\system32\iologmsg.dll

HpSAMD

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	HpSAMD
Log type:	System
Event message file(s):	%systemroot%\system32\iologmsg.dll

Http

Seen on:

Windows 2003
Windows XP 64-bit

Log source(s):	Http
Log type:	System
Event message file(s):	%systemroot%\system32\netevent.dll
	%systemroot%\system32\ws03res.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Http
	Microsoft-Windows-HttpEvent
Log type:	System
Identifier:	{7b6bc78c-898b-4170-bbf8-1a469ea43fc5}
Event message file(s):	%systemroot%\system32\drivers\http.sys

Seen on:

Windows XP 32-bit

Log source(s):	Http
Log type:	System
Event message file(s):	%systemroot%\system32\xpsp2res.dll

IPMGM

Seen on:

Windows 2003
Windows XP 32-bit
Windows XP 64-bit

Log source(s):	IPMGM
Log type:	System
Event message file(s):	%systemroot%\system32\rtm.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	IPMGM
	Microsoft-Windows-RasServer
Log type:	System
Identifier:	{29d13147-1c2e-48ec-9994-e29dfe496eb3}
Event message file(s):	%systemroot%\system32\rtm.dll

IPMIDRV

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	IPMIDRV
Log type:	System
Event message file(s):	%systemroot%\system32\drivers\ipmidrv.sys

IPNATHLP

Seen on:

Windows 2000
Windows XP 32-bit

Log source(s):	IPNATHLP
Log type:	System
Event message file(s):	%systemroot%\system32\ipnathlp.dll

Seen on:

Windows 2003
Windows XP 64-bit

Log source(s):	IPNATHLP
Log type:	System
Event message file(s):	%systemroot%\system32\ipnathlp.dll
	%systemroot%\system32\ws03res.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	IPNATHLP
	Microsoft-Windows-SharedAccess_NAT
Log type:	System
Identifier:	{a6f32731-9a38-4159-a220-3d9b7fc5fe5d}
Event message file(s):	%systemroot%\system32\ipnathlp.dll

Seen on:

Windows Vista

Log source(s):	IPNATHLP
	Microsoft-Windows-SharedAccess_NAT
Log type:	System
Identifier:	{a6f32731-9a38-4159-a220-3d9b7fc5fe5d}
Event message file(s):	%systemroot%\system32\ipnathlp.dll
	%systemroot%\system32\ws03res.dll

IPRouterManager

Seen on:

Windows 2000
Windows 2003
Windows XP 32-bit
Windows XP 64-bit

Log source(s):	IPRouterManager
Log type:	System
Event message file(s):	%systemroot%\system32\mprmsg.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	IPRouterManager
	Microsoft-Windows-MPRMSG
Log type:	System
Identifier:	{f2c628ae-d26c-4352-9c45-74754e1e2f9f}
Event message file(s):	%systemroot%\system32\mprmsg.dll

IPxlatCfg

Seen on:

Windows 10 (1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	IPxlatCfg
	Microsoft-Windows-IPxlatCfg
Log type:	System
Identifier:	{3e5ac668-af52-4c15-b99b-a3e7a6616ebd}
Event message file(s):	%systemroot%\system32\ipxlatcfg.dll

Intel-iaLPSS-GPIO

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Intel-iaLPSS-GPIO
Log type:	System
Identifier:	{d386cc7a-620a-41c1-abf5-55018c6c699a}
Event message file(s):	%systemroot%\system32\drivers\ialpssi_gpio.sys
	%systemroot%\system32\iologmsg.dll

Intel-iaLPSS-I2C

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Intel-iaLPSS-I2C
Log type:	System
Identifier:	{d4aeac44-ad44-456e-9c90-33f8cdced6af}
Event message file(s):	%systemroot%\system32\drivers\ialpssi_i2c.sys
	%systemroot%\system32\iologmsg.dll

Intel-iaLPSS2-GPIO2

Seen on:

Windows 10 (1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Intel-iaLPSS2-GPIO2
Log type:	System
Identifier:	{63848cff-3ec7-4ddf-8072-5f95e8c8eb98}
Event message file(s):	%systemroot%\system32\drivers\ialpss2i_gpio2.sys
	%systemroot%\system32\iologmsg.dll

Intel-iaLPSS2-I2C

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Intel-iaLPSS2-I2C
Log type:	System
Identifier:	{c2f86198-03ca-4771-8d4c-ce6e15cbca56}
Event message file(s):	%systemroot%\system32\drivers\ialpss2i_i2c.sys
	%systemroot%\system32\iologmsg.dll

ItSas35i

Seen on:

Windows 10 (1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	ItSas35i
Log type:	System
Event message file(s):	%systemroot%\system32\iologmsg.dll

Kerberos

Seen on:

Windows 2000

Log source(s):	Kerberos
Log type:	System
Event message file(s):	%systemroot%\system32\kerberos.dll
	%systemroot%\system32\sp3res.dll

Seen on:

Windows 2003
Windows XP 64-bit

Log source(s):	Kerberos
Log type:	System
Event message file(s):	%systemroot%\system32\kerberos.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Kerberos
	Microsoft-Windows-Security-Kerberos
Log type:	System
Identifier:	{98e6cfcb-ee0a-41e0-a57b-622d4e1b30b1}
Event message file(s):	%systemroot%\system32\kerberos.dll

Seen on:

Windows XP 32-bit

Log source(s):	Kerberos
Log type:	System
Event message file(s):	%systemroot%\system32\kerberos.dll
	%systemroot%\system32\xpsp2res.dll

KmsRequests

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	KmsRequests
	Microsoft-Windows-Security-SPP
	Software Protection Platform Service
Log type:	Application
Identifier:	{e23b33b0-c8c9-472c-a5f9-f2bdfea0f156}
Event message file(s):	%systemroot%\system32\sppsvc.exe

Seen on:

Windows Vista

Log source(s):	KmsRequests
	Microsoft-Windows-Security-Licensing-SLC
	Software Licensing Service
Log type:	Application
Identifier:	{1fd7c1d2-d037-4620-8d29-b2c7e5fcc13a}
Event message file(s):	%systemroot%\system32\slsvc.exe

LSA

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2000
Windows 2003
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista
Windows XP 32-bit
Windows XP 64-bit

Log source(s):	LSA
Log type:	Security
Parameter message file(s):	%systemroot%\system32\msobjs.dll

LSI_SAS

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	LSI_SAS
Log type:	System
Event message file(s):	%systemroot%\system32\iologmsg.dll

LSI_SAS2i

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	LSI_SAS2i
Log type:	System
Event message file(s):	%systemroot%\system32\iologmsg.dll

LSI_SAS3i

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	LSI_SAS3i
Log type:	System
Event message file(s):	%systemroot%\system32\iologmsg.dll

LSM

Seen on:

Windows 2008
Windows 7

Log source(s):	LSM
	Microsoft-Windows-TerminalServices-LocalSessionManager
Log type:	System
Identifier:	{5d896912-022d-40aa-a3a8-4fa5515c76d7}
Event message file(s):	%systemroot%\system32\lsm.exe

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	LSM
	Microsoft-Windows-TerminalServices-LocalSessionManager
Log type:	System
Identifier:	{5d896912-022d-40aa-a3a8-4fa5515c76d7}
Event message file(s):	%systemroot%\system32\lsm.dll

Seen on:

Windows Vista

Log source(s):	LSM
Log type:	System
Event message file(s):	%systemroot%\system32\lsm.exe

Lfsvc

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Lfsvc
Log type:	System
Event message file(s):	%systemroot%\system32\locationframework.dll

LmHosts

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2000
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	LmHosts
Log type:	System
Event message file(s):	%systemroot%\system32\netevent.dll

Seen on:

Windows 2003
Windows XP 64-bit

Log source(s):	LmHosts
Log type:	System
Event message file(s):	%systemroot%\system32\netevent.dll
	%systemroot%\system32\ws03res.dll

Seen on:

Windows XP 32-bit

Log source(s):	LmHosts
Log type:	System
Event message file(s):	%systemroot%\system32\netevent.dll
	%systemroot%\system32\xpsp2res.dll

LsaSrv

Seen on:

Windows 2000

Log source(s):	LsaSrv
Log type:	System
Event message file(s):	%systemroot%\system32\lsasrv.dll
	%systemroot%\system32\sp3res.dll

Seen on:

Windows 2003
Windows Vista
Windows XP 32-bit
Windows XP 64-bit

Log source(s):	LsaSrv
Log type:	System
Category message file(s):	%systemroot%\system32\lsasrv.dll
Event message file(s):	%systemroot%\system32\lsasrv.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	LsaSrv
Log type:	System
Identifier:	{199fe037-2b82-40a9-82ac-e1d46c792b99}
Event message file(s):	%systemroot%\system32\lsasrv.dll

MSDTC

Seen on:

Windows 2000

Log source(s):	MSDTC
Log type:	Application
Category message file(s):	%systemroot%\system32\msdtcprx.dll
Event message file(s):	%systemroot%\system32\msdtcprx.dll

Seen on:

Windows 2003
Windows XP 64-bit

Log source(s):	MSDTC
Log type:	Application
Category message file(s):	%systemroot%\system32\comres.dll
Event message file(s):	%systemroot%\system32\comres.dll
	%systemroot%\system32\ws03res.dll
	%systemroot%\system32\xpsp2res.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	MSDTC
	Microsoft-Windows-MSDTC
Log type:	Application
Identifier:	{719be4ed-e9bc-4dd8-a7cf-c85ce8e4975d}
Event message file(s):	%systemroot%\system32\comres.dll

Seen on:

Windows XP 32-bit

Log source(s):	MSDTC
Log type:	Application
Category message file(s):	%systemroot%\system32\comres.dll
	%systemroot%\system32\xpsp2res.dll
Event message file(s):	%systemroot%\system32\comres.dll
	%systemroot%\system32\xpsp2res.dll

MSDTC 2

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	MSDTC 2
	Microsoft-Windows-MSDTC 2
Log type:	Application
Identifier:	{5d9e0020-3761-4f36-90c8-38ce6511bd12}
Event message file(s):	%systemroot%\system32\msdtcvsp1res.dll

MSDTC Client

Seen on:

Windows 2000

Log source(s):	MSDTC Client
Log type:	Application
Category message file(s):	%systemroot%\system32\msdtcprx.dll
Event message file(s):	%systemroot%\system32\msdtcprx.dll

Seen on:

Windows 2003
Windows XP 64-bit

Log source(s):	MSDTC Client
Log type:	Application
Category message file(s):	%systemroot%\system32\comres.dll
Event message file(s):	%systemroot%\system32\comres.dll
	%systemroot%\system32\ws03res.dll
	%systemroot%\system32\xpsp2res.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	MSDTC Client
	Microsoft-Windows-MSDTC Client
Log type:	Application
Identifier:	{7a67066e-193f-4d3a-82d3-322fee5259de}
Event message file(s):	%systemroot%\system32\comres.dll

Seen on:

Windows XP 32-bit

Log source(s):	MSDTC Client
Log type:	Application
Category message file(s):	%systemroot%\system32\comres.dll
	%systemroot%\system32\xpsp2res.dll
Event message file(s):	%systemroot%\system32\comres.dll
	%systemroot%\system32\xpsp2res.dll

MSDTC Client 2

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	MSDTC Client 2
	Microsoft-Windows-MSDTC Client 2
Log type:	Application
Identifier:	{155cb334-3d7f-4ff1-b107-df8afc3c0363}
Event message file(s):	%systemroot%\system32\msdtcvsp1res.dll

MSiSCSI

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	MSiSCSI
Log type:	System
Event message file(s):	%systemroot%\system32\iscsiexe.dll

MTConfig

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	MTConfig
Log type:	System
Event message file(s):	%systemroot%\system32\drivers\mtconfig.sys
	%systemroot%\system32\iologmsg.dll

Microsoft Fax

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft Fax
Log type:	Application
Category message file(s):	%systemroot%\system32\fxsevent.dll
Event message file(s):	%systemroot%\system32\fxsevent.dll

Microsoft-Antimalware-AMFilter

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909)
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Antimalware-AMFilter
Identifier:	{cfeb0608-330e-4410-b00d-56d8da9986e6}
Event message file(s):	%systemroot%\system32\drivers\wdfilter.sys

Seen on:

Windows 10 (2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Antimalware-AMFilter
Identifier:	{cfeb0608-330e-4410-b00d-56d8da9986e6}
Event message file(s):	system32\drivers\wdfilter.sys

Microsoft-Antimalware-Engine

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Antimalware-Engine
Identifier:	{0a002690-3839-4e3a-b3b6-96d8df868d99}
Event message file(s):	%programdata%\microsoft\windows defender\definition updates\default\mpengine.dll

Seen on:

Windows 11 (21H2)

Log source(s):	Microsoft-Antimalware-Engine
Identifier:	{0a002690-3839-4e3a-b3b6-96d8df868d99}
Event message file(s):	\programdata\microsoft\windows defender\definition updates\stableengineetwlocation\mpengine_etw.dll

Microsoft-Antimalware-Protection

Seen on:

Windows 8.0

Log source(s):	Microsoft-Antimalware-Protection
Identifier:	{e4b70372-261f-4c54-8fa6-a5a7914d73da}
Event message file(s):	%programfiles%\windows defender\mprtp.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.1

Log source(s):	Microsoft-Antimalware-Protection
Identifier:	{e4b70372-261f-4c54-8fa6-a5a7914d73da}
Event message file(s):	%programfiles%\windows defender\mpclient.dll

Microsoft-Antimalware-RTP

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Antimalware-RTP
Identifier:	{8e92deef-5e17-413b-b927-59b2f06a3cfc}
Event message file(s):	%programfiles%\windows defender\mprtp.dll

Microsoft-Antimalware-Scan-Interface

Seen on:

Windows 10 (1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Antimalware-Scan-Interface
Identifier:	{2a576b87-09a7-520e-c21a-4942f0271d67}
Event message file(s):	%systemroot%\system32\amsi.dll

Microsoft-Antimalware-Service

Seen on:

Windows 8.0

Log source(s):	Microsoft-Antimalware-Service
Identifier:	{751ef305-6c6e-4fed-b847-02ef79d26aef}
Event message file(s):	%programfiles%\windows defender\mprtp.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.1

Log source(s):	Microsoft-Antimalware-Service
Identifier:	{751ef305-6c6e-4fed-b847-02ef79d26aef}
Event message file(s):	%programfiles%\windows defender\mpsvc.dll

Microsoft-Antimalware-UacScan

Seen on:

Windows 10 (20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Antimalware-UacScan
Identifier:	{d37e7910-79c8-57c4-da77-52bb646364cd}
Event message file(s):	%systemroot%\system32\amsi.dll

Microsoft-AppV-Client

Seen on:

Windows 10 (1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-AppV-Client
Identifier:	{e4f68870-5ae8-4e5b-9ce7-ca9ed75b0245}
Event message file(s):	%systemroot%\system32\appvetwclientres.dll

Microsoft-AppV-Client-StreamingUX

Seen on:

Windows 10 (1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-AppV-Client-StreamingUX
Identifier:	{28cb46c7-4003-4e50-8bd9-442086762d12}
Event message file(s):	%systemroot%\system32\appvetwstreamingux.dll

Microsoft-AppV-ServiceLog

Seen on:

Windows 10 (1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-AppV-ServiceLog
Identifier:	{9cc69d1c-7917-4acd-8066-6bf8b63e551b}
Event message file(s):	%systemroot%\system32\appvclienteventlog.dll

Microsoft-AppV-SharedPerformance

Seen on:

Windows 10 (1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-AppV-SharedPerformance
Identifier:	{fb4a19ee-eb5a-47a4-bc52-e71aac6d0859}
Event message file(s):	%systemroot%\system32\appvetwsharedperformance.dll

Microsoft-Client-Licensing-Platform

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Client-Licensing-Platform
Identifier:	{b6cc0d55-9ecc-49a8-b929-2b9022426f2a}
Event message file(s):	%systemroot%\system32\clipsvc.dll

Microsoft-Gaming-Services

Seen on:

Windows 10 (1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Gaming-Services
Identifier:	{bc1bdb57-71a2-581a-147b-e0b49474a2d4}
Event message file(s):	%systemroot%\system32\installservicetasks.dll

Microsoft-IE

Seen on:

Windows 10 (1511)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-IE
Identifier:	{9e3b3947-ca5d-4614-91a2-7b624e0e7244}
Event message file(s):	%systemroot%\system32\mshtml.dll

Seen on:

Windows 10 (1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-IE
Identifier:	{9e3b3947-ca5d-4614-91a2-7b624e0e7244}
Event message file(s):	%systemroot%\system32\edgehtml.dll

Microsoft-IE-JSDumpHeap

Seen on:

Windows 10 (1511)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-IE-JSDumpHeap
Identifier:	{7f8e35ca-68e8-41b9-86fe-d6adc5b327e7}
Event message file(s):	%systemroot%\system32\mshtml.dll

Seen on:

Windows 10 (1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-IE-JSDumpHeap
Identifier:	{7f8e35ca-68e8-41b9-86fe-d6adc5b327e7}
Event message file(s):	%systemroot%\system32\edgehtml.dll

Microsoft-IEFRAME

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-IEFRAME
Identifier:	{5c8bb950-959e-4309-8908-67961a1205d5}
Event message file(s):	%systemroot%\system32\ieframe.dll

Microsoft-JScript

Seen on:

Windows 10 (1703, 1709)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-JScript
Identifier:	{57277741-3638-4a4b-bdba-0ac6e45da56c}
Event message file(s):	%systemroot%\system32\jscript9.dll

Seen on:

Windows 10 (1511, 1607, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-JScript
Identifier:	{57277741-3638-4a4b-bdba-0ac6e45da56c}
Event message file(s):	%systemroot%\system32\chakra.dll

Microsoft-OneCore-OnlineSetup

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-OneCore-OnlineSetup
Identifier:	{41862974-da3b-4f0b-97d5-bb29fbb9b71e}
Event message file(s):	%systemroot%\system32\setupetw.dll

Microsoft-PerfTrack-IEFRAME

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-PerfTrack-IEFRAME
Identifier:	{b2a40f1f-a05a-4dfd-886a-4c4f18c4334c}
Event message file(s):	%systemroot%\system32\ieframe.dll

Microsoft-PerfTrack-MSHTML

Seen on:

Windows 10 (1511)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-PerfTrack-MSHTML
Identifier:	{ffdb9886-80f3-4540-aa8b-b85192217ddf}
Event message file(s):	%systemroot%\system32\mshtml.dll

Seen on:

Windows 10 (1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-PerfTrack-MSHTML
Identifier:	{ffdb9886-80f3-4540-aa8b-b85192217ddf}
Event message file(s):	%systemroot%\system32\edgehtml.dll

Microsoft-Quic

Seen on:

Windows 11 (21H2)

Log source(s):	Microsoft-Quic
Identifier:	{ff15e657-4f26-570e-88ab-0796b258d11c}
Event message file(s):	%systemroot%\system32\drivers\msquic.sys

Microsoft-System-Diagnostics-DiagnosticInvoker

Seen on:

Windows 11 (21H2)

Log source(s):	Microsoft-System-Diagnostics-DiagnosticInvoker
Identifier:	{9068a924-f97e-5506-c3a3-5c020c00e8e0}
Event message file(s):	%systemroot%\system32\diagnosticinvoker.dll

Microsoft-User Experience Virtualization-Admin

Seen on:

Windows 10 (1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-User Experience Virtualization-Admin
Identifier:	{61bc445e-7a8d-420e-ab36-9c7143881b98}
Event message file(s):	%systemroot%\system32\microsoft.uev.eventlogmessages.dll

Microsoft-User Experience Virtualization-Agent Driver

Seen on:

Windows 10 (1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-User Experience Virtualization-Agent Driver
Identifier:	{de29cf61-5ee6-43ff-9aac-959c4e13cc6c}
Event message file(s):	%systemroot%\system32\microsoft.uev.agentdriverevents.dll

Microsoft-User Experience Virtualization-App Agent

Seen on:

Windows 10 (1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-User Experience Virtualization-App Agent
Identifier:	{1ed6976a-4171-4764-b415-7ea08bc46c51}
Event message file(s):	%systemroot%\system32\microsoft.uev.eventlogmessages.dll

Microsoft-User Experience Virtualization-IPC

Seen on:

Windows 10 (1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-User Experience Virtualization-IPC
Identifier:	{21d79db0-8e03-41cd-9589-f3ef7001a92a}
Event message file(s):	%systemroot%\system32\microsoft.uev.eventlogmessages.dll

Microsoft-User Experience Virtualization-SQM Uploader

Seen on:

Windows 10 (1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-User Experience Virtualization-SQM Uploader
Identifier:	{57003e21-269b-4bdc-8434-b3bf8d57d2d5}
Event message file(s):	%systemroot%\system32\microsoft.uev.eventlogmessages.dll

Microsoft-Windows Networking VPN Plugin Platform

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.1

Log source(s):	Microsoft-Windows Networking VPN Plugin Platform
Identifier:	{e5fc4a0f-7198-492f-9b0f-88fdcbfded48}
Event message file(s):	%systemroot%\system32\windows.networking.vpn.dll

Microsoft-Windows-AAD

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-AAD
Log type:	Application
Identifier:	{4de9bc9c-b27a-43c9-8994-0915f1a5e24f}
Event message file(s):	%systemroot%\system32\aadcloudap.dll

Microsoft-Windows-ACL-UI

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-ACL-UI
Identifier:	{ea4cc8b8-a150-47a3-afb9-c8d194b19452}
Event message file(s):	%systemroot%\system32\aclui.dll

Microsoft-Windows-ADSI

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-ADSI
Identifier:	{7288c9f8-d63c-4932-a345-89d6b060174d}
Event message file(s):	%systemroot%\system32\adsldpc.dll

Microsoft-Windows-AIT

Seen on:

Windows 2008
Windows 7
Windows 8.0

Log source(s):	Microsoft-Windows-AIT
Identifier:	{6addabf4-8c54-4eab-bf4f-fbef61b62eb0}
Event message file(s):	%systemroot%\system32\advapi32.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-AIT
Identifier:	{6addabf4-8c54-4eab-bf4f-fbef61b62eb0}
Event message file(s):	%systemroot%\system32\microsoft-windows-system-events.dll

Microsoft-Windows-ASN1

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-ASN1
Log type:	Application
Identifier:	{d92ef8ac-99dd-4ab8-b91d-c6eba85f3755}
Event message file(s):	%systemroot%\system32\ntasn1.dll

Microsoft-Windows-ATAPort

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-ATAPort
Identifier:	{cb587ad1-cc35-4ef1-ad93-36cc82a2d319}
Event message file(s):	%systemroot%\system32\drivers\ataport.sys

Microsoft-Windows-ActionQueue

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-ActionQueue
Identifier:	{0dd4d48e-2bbf-452f-a7ec-ba3dba8407ae}
Event message file(s):	%systemroot%\system32\actionqueue.dll

Microsoft-Windows-All-User-Install-Agent

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-All-User-Install-Agent
Identifier:	{d2e990da-8504-4702-a5e5-367fc2f823bf}
Event message file(s):	%systemroot%\system32\rdsappxhelper.dll

Microsoft-Windows-AllJoyn

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-AllJoyn
Identifier:	{2ed299d2-2f6b-411d-8d15-f4cc6fde0c70}
Event message file(s):	%systemroot%\system32\ajrouter.dll

Microsoft-Windows-AppHost

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-AppHost
Identifier:	{98e0765d-8c42-44a3-a57b-760d7f93225a}
Event message file(s):	%systemroot%\system32\wwahost.exe

Microsoft-Windows-AppID

Seen on:

Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-AppID
Identifier:	{3cb2a168-fe19-4a4e-bdad-dcf422f13473}
Event message file(s):	%systemroot%\system32\appidapi.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-AppID
Identifier:	{3cb2a168-fe19-4a4e-bdad-dcf422f13473}
Event message file(s):	%systemroot%\system32\srpapi.dll

Microsoft-Windows-AppIDServiceTrigger

Seen on:

Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-AppIDServiceTrigger
Identifier:	{d02a9c27-79b8-40d6-9b97-cf3f8b7b5d60}
Event message file(s):	%systemroot%\system32\appidapi.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-AppIDServiceTrigger
Identifier:	{d02a9c27-79b8-40d6-9b97-cf3f8b7b5d60}
Event message file(s):	%systemroot%\system32\srpapi.dll

Microsoft-Windows-AppLocker

Seen on:

Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-AppLocker
Identifier:	{cbda4dbf-8d5d-4f69-9578-be14aa540d22}
Event message file(s):	%systemroot%\system32\appidapi.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-AppLocker
Identifier:	{cbda4dbf-8d5d-4f69-9578-be14aa540d22}
Event message file(s):	%systemroot%\system32\srpapi.dll

Microsoft-Windows-AppModel-Exec

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-AppModel-Exec
Identifier:	{eb65a492-86c0-406a-bace-9912d595bd69}
Event message file(s):	%systemroot%\system32\microsoft-windows-appmodelexecevents.dll

Microsoft-Windows-AppModel-MessagingDataModel

Seen on:

Windows 10 (1511, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-AppModel-MessagingDataModel
Identifier:	{1e2462be-b025-48da-8c1f-7b60b8ccae53}
Event message file(s):	%systemroot%\system32\messagingdatamodel2.dll

Microsoft-Windows-AppModel-Runtime

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-AppModel-Runtime
Log type:	Application
Identifier:	{f1ef270a-0d32-4352-ba52-dbab41e1d859}
Event message file(s):	%systemroot%\system32\microsoft-windows-system-events.dll

Seen on:

Windows 8.0

Log source(s):	Microsoft-Windows-AppModel-Runtime
Log type:	Application
Identifier:	{f1ef270a-0d32-4352-ba52-dbab41e1d859}
Event message file(s):	%systemroot%\system32\advapi32.dll

Microsoft-Windows-AppModel-State

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-AppModel-State
Log type:	Application
Identifier:	{bff15e13-81bf-45ee-8b16-7cfead00da86}
Event message file(s):	%systemroot%\system32\microsoft-windows-system-events.dll

Seen on:

Windows 8.0

Log source(s):	Microsoft-Windows-AppModel-State
Identifier:	{bff15e13-81bf-45ee-8b16-7cfead00da86}
Event message file(s):	%systemroot%\system32\advapi32.dll

Microsoft-Windows-AppSruProv

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-AppSruProv
Identifier:	{0cc157b3-cf07-4fc2-91ee-31ac92e05fe1}
Event message file(s):	%systemroot%\system32\appsruprov.dll

Microsoft-Windows-AppXDeployment

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-AppXDeployment
Identifier:	{8127f6d4-59f9-4abf-8952-3e3a02073d5f}
Event message file(s):	%systemroot%\system32\appxdeploymentclient.dll

Microsoft-Windows-AppXDeployment-Server

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-AppXDeployment-Server
Identifier:	{3f471139-acb7-4a01-b7a7-ff5da4ba2d43}
Event message file(s):	%systemroot%\system32\appxdeploymentserver.dll

Microsoft-Windows-ApplicabilityEngine

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-ApplicabilityEngine
Identifier:	{10a208dd-a372-421c-9d99-4fad6db68b62}
Event message file(s):	%systemroot%\system32\appxapplicabilityengine.dll

Microsoft-Windows-Application Server-Applications

Seen on:

Windows 2008
Windows 8.0

Log source(s):	Microsoft-Windows-Application Server-Applications
Identifier:	{c651f5f6-1c0d-492e-8ae1-b4efd7c9d503}
Event message file(s):	%systemroot%\microsoft.net\framework\v4.0.30319\microsoft.windows.applicationserver.applications.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-Application Server-Applications
Identifier:	{c651f5f6-1c0d-492e-8ae1-b4efd7c9d503}
Event message file(s):	%systemroot%\microsoft.net\framework64\v4.0.30319\microsoft.windows.applicationserver.applications.dll

Microsoft-Windows-Application-Experience

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Application-Experience
Log type:	Application
Identifier:	{eef54e71-0661-422d-9a98-82fd4940b820}
Event message file(s):	%systemroot%\system32\aeevts.dll

Microsoft-Windows-ApplicationExperience-Cache

Seen on:

Windows 2008
Windows 7
Windows 8.0

Log source(s):	Microsoft-Windows-ApplicationExperience-Cache
Identifier:	{6d8a3a60-40af-445a-98ca-99359e500146}
Event message file(s):	%systemroot%\system32\advapi32.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-ApplicationExperience-Cache
Identifier:	{6d8a3a60-40af-445a-98ca-99359e500146}
Event message file(s):	%systemroot%\system32\microsoft-windows-system-events.dll

Microsoft-Windows-ApplicationExperience-LookupServiceTrigger

Seen on:

Windows 2008
Windows 7
Windows 8.0

Log source(s):	Microsoft-Windows-ApplicationExperience-LookupServiceTrigger
Identifier:	{18f4a5fd-fd3b-40a5-8fc2-e5d261c5d02e}
Event message file(s):	%systemroot%\system32\advapi32.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-ApplicationExperience-LookupServiceTrigger
Identifier:	{18f4a5fd-fd3b-40a5-8fc2-e5d261c5d02e}
Event message file(s):	%systemroot%\system32\microsoft-windows-system-events.dll

Microsoft-Windows-ApplicationExperience-SwitchBack

Seen on:

Windows 2008
Windows 7
Windows 8.0

Log source(s):	Microsoft-Windows-ApplicationExperience-SwitchBack
Identifier:	{17d6e590-f5fe-11dc-95ff-0800200c9a66}
Event message file(s):	%systemroot%\system32\advapi32.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-ApplicationExperience-SwitchBack
Identifier:	{17d6e590-f5fe-11dc-95ff-0800200c9a66}
Event message file(s):	%systemroot%\system32\microsoft-windows-system-events.dll

Microsoft-Windows-ApplicationExperienceInfrastructure

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-ApplicationExperienceInfrastructure
Log type:	Application
Identifier:	{5ec13d8e-4b3f-422e-a7e7-3121a1d90c7a}
Event message file(s):	%systemroot%\system32\apphelp.dll

Microsoft-Windows-AppxPackagingOM

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-AppxPackagingOM
Identifier:	{ba723d81-0d0c-4f1e-80c8-54740f508ddf}
Event message file(s):	%systemroot%\system32\appxpackaging.dll

Microsoft-Windows-AssignedAccess

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803)
Windows 8.1

Log source(s):	Microsoft-Windows-AssignedAccess
Identifier:	{8530db6e-51c0-43d6-9d02-a8c2088526cd}
Event message file(s):	%systemroot%\system32\wbem\embeddedlockdownwmi.dll

Seen on:

Windows 10 (1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-AssignedAccess
Identifier:	{8530db6e-51c0-43d6-9d02-a8c2088526cd}
Event message file(s):	%systemroot%\system32\assignedaccessproviderevents.dll

Microsoft-Windows-AssignedAccessBroker

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-AssignedAccessBroker
Identifier:	{f2311b48-32be-4902-a22a-7240371dbb2c}
Event message file(s):	%systemroot%\system32\iotassignedaccesslockframework.dll

Microsoft-Windows-AsynchronousCausality

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-AsynchronousCausality
Identifier:	{19a4c69a-28eb-4d4b-8d94-5f19055a1b5c}
Event message file(s):	%systemroot%\system32\combase.dll

Microsoft-Windows-Audio

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Audio
Log type:	Application
Identifier:	{ae4bd3be-f36f-45b6-8d21-bdd6fb832853}
Event message file(s):	%systemroot%\system32\audioses.dll

Microsoft-Windows-Audit

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Audit
Identifier:	{75ebc33e-0936-4a55-9d26-5f298f3180bf}
Event message file(s):	%systemroot%\system32\oobe\audit.exe

Microsoft-Windows-Audit-CVE

Seen on:

Windows 10 (1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-Audit-CVE
Log type:	Application
Identifier:	{85a62a0d-7e17-485f-9d4f-749a287193a6}
Event message file(s):	%systemroot%\system32\microsoft-windows-system-events.dll

Microsoft-Windows-AuthenticationProvider

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-AuthenticationProvider
Identifier:	{dddc1d91-51a1-4a8d-95b5-350c4ee3d809}
Event message file(s):	%systemroot%\system32\lsasrv.dll

Microsoft-Windows-AxInstallService

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-AxInstallService
Log type:	Application
Identifier:	{dab3b18c-3c0f-43e8-80b1-e44bc0dad901}
Event message file(s):	%systemroot%\system32\axinstsv.dll

Microsoft-Windows-BTH-BTHPORT

Seen on:

Windows 10 (1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-BTH-BTHPORT
Identifier:	{8a1f9517-3a8c-4a9e-a018-4f17a200f277}
Event message file(s):	%systemroot%\system32\drivers\bthport.sys

Microsoft-Windows-BTH-BTHUSB

Seen on:

Windows 10 (1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-BTH-BTHUSB
Identifier:	{33693e1d-246a-471b-83be-3e75f47a832d}
Event message file(s):	%systemroot%\system32\drivers\bthusb.sys

Microsoft-Windows-BackgroundTransfer-ContentPrefetcher

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.1

Log source(s):	Microsoft-Windows-BackgroundTransfer-ContentPrefetcher
Identifier:	{648a0644-7d62-4fd3-8841-440064762f95}
Event message file(s):	%systemroot%\system32\windows.networking.backgroundtransfer.contentprefetchtask.dll

Microsoft-Windows-Backup

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-Backup
Log type:	Application
Identifier:	{1db28f2e-8f80-4027-8c5a-a11f7f10f62d}
Event message file(s):	%systemroot%\system32\blbevents.dll

Microsoft-Windows-Base-Filtering-Engine-Connections

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Base-Filtering-Engine-Connections
Identifier:	{121d3da8-baf1-4dcb-929f-2d4c9a47f7ab}
Event message file(s):	%systemroot%\system32\bfe.dll

Microsoft-Windows-Base-Filtering-Engine-Resource-Flows

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Base-Filtering-Engine-Resource-Flows
Identifier:	{92765247-03a9-4ae3-a575-b42264616e78}
Event message file(s):	%systemroot%\system32\drivers\fwpkclnt.sys

Microsoft-Windows-Battery

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Battery
Identifier:	{59819d0a-adaf-46b2-8d7c-990bc39c7c15}
Event message file(s):	%systemroot%\system32\microsoft-windows-battery-events.dll

Microsoft-Windows-BfeTriggerProvider

Seen on:

Windows 2008
Windows 7

Log source(s):	Microsoft-Windows-BfeTriggerProvider
Identifier:	{54732ee5-61ca-4727-9da1-10be5a4f773d}
Event message file(s):	%systemroot%\system32\bfe.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-BfeTriggerProvider
Identifier:	{54732ee5-61ca-4727-9da1-10be5a4f773d}
Event message file(s):	%systemroot%\system32\drivers\fwpkclnt.sys

Microsoft-Windows-Biometrics

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Biometrics
	Microsoft-Windows-WBioSrvc
Log type:	Application
Identifier:	{a0e3d8ea-c34f-4419-a1db-90435b8b21d0}
Event message file(s):	%systemroot%\system32\wbiosrvc.dll

Microsoft-Windows-BitLocker-API

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-BitLocker-API
Log type:	System
Identifier:	{5d674230-ca9f-11da-a94d-0800200c9a66}
Event message file(s):	%systemroot%\system32\fveapi.dll

Microsoft-Windows-BitLocker-DrivePreparationTool

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-BitLocker-DrivePreparationTool
Identifier:	{632f767e-0ec3-47b9-ba1c-a0e62a74728a}
Event message file(s):	%systemroot%\system32\bdehdcfglib.dll

Microsoft-Windows-BitLocker-Driver

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-BitLocker-Driver
	fvevol
Log type:	System
Identifier:	{651df93b-5053-4d1e-94c5-f6e6d25908d0}
Event message file(s):	%systemroot%\system32\drivers\fvevol.sys

Microsoft-Windows-BitLocker-Driver-Performance

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-BitLocker-Driver-Performance
Identifier:	{1de130e1-c026-4cbf-ba0f-ab608e40aeea}
Event message file(s):	%systemroot%\system32\drivers\fvevol.sys

Microsoft-Windows-Bits-Client

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-Bits-Client
Log type:	System
Identifier:	{ef1cc15b-46c1-414e-bb95-e76b077bd51e}
Event message file(s):	%systemroot%\system32\qmgr.dll

Microsoft-Windows-Bluetooth-BthLEPrepairing

Seen on:

Windows 10 (1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-Bluetooth-BthLEPrepairing
Log type:	System
Identifier:	{4af188ac-e9c4-4c11-b07b-1fabc07dfeb2}
Event message file(s):	%systemroot%\system32\bthserv.dll

Microsoft-Windows-Bluetooth-Bthmini

Seen on:

Windows 10 (1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-Bluetooth-Bthmini
Identifier:	{db25b328-a6f6-444f-9d97-a50e20217d16}
Event message file(s):	%systemroot%\system32\drivers\bthmini.sys

Microsoft-Windows-Bluetooth-MTPEnum

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Bluetooth-MTPEnum
Identifier:	{04268430-d489-424d-b914-0cff741d6684}
Event message file(s):	%systemroot%\system32\wpd_ci.dll

Microsoft-Windows-Bluetooth-Policy

Seen on:

Windows 10 (1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-Bluetooth-Policy
Identifier:	{0602ecef-6381-4bc0-aeda-eb9bb919b276}
Event message file(s):	%systemroot%\system32\drivers\bthport.sys

Microsoft-Windows-BootUX

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-BootUX
Identifier:	{67d781bd-cbd2-4bd2-ad1f-6152fb891246}
Event message file(s):	%systemroot%\system32\bootux.dll

Microsoft-Windows-BranchCache

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-BranchCache
Identifier:	{7eafcf79-06a7-460b-8a55-bd0a0c9248aa}
Event message file(s):	%systemroot%\system32\peerdistsvc.dll

Microsoft-Windows-BranchCacheClientEventProvider

Seen on:

Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-BranchCacheClientEventProvider
Identifier:	{e837619c-a2a8-4689-833f-47b48ebd2442}
Event message file(s):	%systemroot%\system32\peerdistsvc.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-BranchCacheClientEventProvider
Identifier:	{e837619c-a2a8-4689-833f-47b48ebd2442}
Event message file(s):	%systemroot%\system32\peerdist.dll

Microsoft-Windows-BranchCacheEventProvider

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-BranchCacheEventProvider
Identifier:	{dd85457f-4e2d-44a5-a7a7-6253362e34dc}
Event message file(s):	%systemroot%\system32\peerdistsvc.dll

Microsoft-Windows-BranchCacheMonitoring

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-BranchCacheMonitoring
Identifier:	{a2f55524-8ebc-45fd-88e4-a1b39f169e08}
Event message file(s):	%systemroot%\system32\peerdistsvc.dll

Microsoft-Windows-BranchCacheSMB

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-BranchCacheSMB
Identifier:	{4a933674-fb3d-4e8d-b01d-17ee14e91a3e}
Event message file(s):	%systemroot%\system32\cscsvc.dll

Microsoft-Windows-BrokerInfrastructure

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-BrokerInfrastructure
Identifier:	{e6835967-e0d2-41fb-bcec-58387404e25a}
Event message file(s):	%systemroot%\system32\bisrv.dll

Microsoft-Windows-Build-RegDll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Build-RegDll
Identifier:	{d39b6336-cfcb-483b-8c76-7c3e7d02bcb8}
Event message file(s):	%systemroot%\system32\regsvr32.exe

Microsoft-Windows-CAPI2

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-CAPI2
Log type:	Application
Identifier:	{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}
Event message file(s):	%systemroot%\system32\crypt32.dll

Microsoft-Windows-CDROM

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-CDROM
Identifier:	{9b6123dc-9af6-4430-80d7-7d36f054fb9f}
Event message file(s):	%systemroot%\system32\drivers\cdrom.sys

Microsoft-Windows-COM

Seen on:

Windows 2008
Windows 7
Windows 8.0
Windows Vista

Log source(s):	Microsoft-Windows-COM
Identifier:	{d4263c98-310c-4d97-ba39-b55354f08584}
Event message file(s):	%systemroot%\system32\advapi32.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-COM
Identifier:	{d4263c98-310c-4d97-ba39-b55354f08584}
Event message file(s):	%systemroot%\system32\microsoft-windows-system-events.dll

Microsoft-Windows-COM-Perf

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-COM-Perf
Identifier:	{b8d6861b-d20f-4eec-bbae-87e0dd80602b}
Event message file(s):	%systemroot%\system32\combase.dll

Microsoft-Windows-COM-RundownInstrumentation

Seen on:

Windows 10 (1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-COM-RundownInstrumentation
Identifier:	{2957313d-fcaa-5d4a-2f69-32ce5f0ac44e}
Event message file(s):	%systemroot%\system32\combase.dll

Microsoft-Windows-CertPolEng

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-CertPolEng
Identifier:	{af9cc194-e9a8-42bd-b0d1-834e9cfab799}
Event message file(s):	%systemroot%\system32\certpoleng.dll

Microsoft-Windows-CertificateServicesClient

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-CertificateServicesClient
Log type:	Application
Identifier:	{73370bd6-85e5-430b-b60a-fea1285808a7}
Event message file(s):	%systemroot%\system32\dimsjob.dll

Microsoft-Windows-CertificateServicesClient-CredentialRoaming

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-CertificateServicesClient-CredentialRoaming
Log type:	Application
Identifier:	{89a2278b-c662-4aff-a06c-46ad3f220bca}
Event message file(s):	%systemroot%\system32\dimsroam.dll

Microsoft-Windows-CertificateServicesClient-Lifecycle-System

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-CertificateServicesClient-Lifecycle-System
Identifier:	{bc0669e1-a10d-4a78-834e-1ca3c806c93b}
Event message file(s):	%systemroot%\system32\certenroll.dll

Microsoft-Windows-CertificateServicesClient-Lifecycle-User

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-CertificateServicesClient-Lifecycle-User
Identifier:	{bea18b89-126f-4155-9ee4-d36038b02680}
Event message file(s):	%systemroot%\system32\certenroll.dll

Microsoft-Windows-Cleanmgr

Seen on:

Windows 10 (2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-Cleanmgr
Identifier:	{9ae87b12-a014-5288-92df-e3030981ebab}
Event message file(s):	%systemroot%\system32\cleanmgr.exe

Microsoft-Windows-ClearTypeTextTuner

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-ClearTypeTextTuner
Identifier:	{0a88862d-20a3-4c1f-b76f-162c55adbf93}
Event message file(s):	%systemroot%\system32\cttune.exe

Microsoft-Windows-CloudStore

Seen on:

Windows 10 (1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-CloudStore
Identifier:	{741bb90c-a7a3-49d6-bd82-1e6b858403f7}
Event message file(s):	%systemroot%\system32\windows.cloudstore.dll

Microsoft-Windows-CmiSetup

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-CmiSetup
Identifier:	{75ebc33e-0cc6-49da-8cd9-8903a5222aa0}
Event message file(s):	%systemroot%\system32\oobe\cmisetup.dll

Microsoft-Windows-CodeIntegrity

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-CodeIntegrity
Identifier:	{4ee76bd8-3cf4-44a0-a0ac-3937643e37a3}
Event message file(s):	%systemroot%\system32\ci.dll

Microsoft-Windows-ComDlg32

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-ComDlg32
Identifier:	{7f912b92-21ad-496e-b97a-88622a72bc42}
Event message file(s):	%systemroot%\system32\comdlg32.dll

Microsoft-Windows-Compat-Appraiser

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-Compat-Appraiser
Identifier:	{442c11c5-304b-45a4-ae73-dc2194c4e876}
Event message file(s):	%systemroot%\system32\appraiser.dll

Microsoft-Windows-Containers-BindFlt

Seen on:

Windows 10 (1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-Containers-BindFlt
Identifier:	{fc4e8f51-7a04-4bab-8b91-6321416f72ab}
Event message file(s):	%systemroot%\system32\drivers\bindflt.sys

Microsoft-Windows-Containers-Wcifs

Seen on:

Windows 10 (1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-Containers-Wcifs
Identifier:	{aec5c129-7c10-407d-be97-91a042c61aaa}
Event message file(s):	%systemroot%\system32\drivers\wcifs.sys

Microsoft-Windows-CoreSystem-InitMachineConfig

Seen on:

Windows 10 (1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-CoreSystem-InitMachineConfig
Log type:	System
Identifier:	{0b886108-1899-4d3a-9c0d-42d8fc4b9108}
Event message file(s):	%systemroot%\system32\drivers\cmimcext.sys

Microsoft-Windows-CoreSystem-NetProvision-JoinProviderOnline

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-CoreSystem-NetProvision-JoinProviderOnline
Log type:	System
Identifier:	{3629dd4d-d6f1-4302-a623-0768b51501c7}
Event message file(s):	%systemroot%\system32\joinproviderol.dll

Microsoft-Windows-CoreSystem-SmsRouter

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-CoreSystem-SmsRouter
Identifier:	{a9c11050-9e93-4fa4-8fe0-7c4750a345b2}
Event message file(s):	%systemroot%\system32\smsroutersvc.dll

Microsoft-Windows-CoreWindow

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-CoreWindow
Identifier:	{a3d95055-34cc-4e4a-b99f-ec88f5370495}
Event message file(s):	%systemroot%\system32\windows.ui.dll

Microsoft-Windows-CorruptedFileRecovery-Client

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-CorruptedFileRecovery-Client
Log type:	System
Identifier:	{ba093605-3909-4345-990b-26b746adee0a}
Event message file(s):	%systemroot%\system32\cofiredm.dll

Microsoft-Windows-CorruptedFileRecovery-Server

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-CorruptedFileRecovery-Server
Log type:	System
Identifier:	{d6f68875-cdf5-43a5-a3e3-53ffd683311c}
Event message file(s):	%systemroot%\system32\cofiredm.dll

Microsoft-Windows-Crashdump

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Crashdump
Identifier:	{ecdaacfa-6fe9-477c-b5f0-85b76f8f50aa}
Event message file(s):	%systemroot%\system32\drivers\crashdmp.sys

Microsoft-Windows-CredUI

Seen on:

Windows 10 (1511)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-CredUI
Identifier:	{5a24fcdb-1cf3-477b-b422-ef4909d51223}
Event message file(s):	%systemroot%\system32\credui.dll

Seen on:

Windows 10 (1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-CredUI
Identifier:	{5a24fcdb-1cf3-477b-b422-ef4909d51223}
Event message file(s):	%systemroot%\system32\wincredui.dll

Microsoft-Windows-Crypto-BCrypt

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Crypto-BCrypt
Log type:	Application
Identifier:	{c7e089ac-ba2a-11e0-9af7-68384824019b}
Event message file(s):	%systemroot%\system32\bcrypt.dll

Microsoft-Windows-Crypto-CNG

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Crypto-CNG
Log type:	Application
Identifier:	{e3e0e2f0-c9c5-11e0-8ab9-9ebc4824019b}
Event message file(s):	%systemroot%\system32\drivers\cng.sys

Microsoft-Windows-Crypto-DPAPI

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Crypto-DPAPI
Log type:	Application
Identifier:	{89fe8f40-cdce-464e-8217-15ef97d4c7c3}
Event message file(s):	%systemroot%\system32\dpapisrv.dll

Microsoft-Windows-Crypto-DSSEnh

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-Crypto-DSSEnh
Log type:	Application
Identifier:	{43dad447-735f-4829-a6ff-9829a87419ff}
Event message file(s):	%systemroot%\system32\dssenh.dll

Microsoft-Windows-Crypto-NCrypt

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Crypto-NCrypt
Log type:	Application
Identifier:	{e8ed09dc-100c-45e2-9fc8-b53399ec1f70}
Event message file(s):	%systemroot%\system32\ncrypt.dll

Microsoft-Windows-Crypto-RNG

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Crypto-RNG
Log type:	Application
Identifier:	{54d5ac20-e14f-4fda-92da-ebf7556ff176}
Event message file(s):	%systemroot%\system32\drivers\cng.sys

Microsoft-Windows-Crypto-RSAEnh

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-Crypto-RSAEnh
Log type:	Application
Identifier:	{152fdb2b-6e9d-4b60-b317-815d5f174c4a}
Event message file(s):	%systemroot%\system32\rsaenh.dll

Microsoft-Windows-D3D10Level9

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-D3D10Level9
Identifier:	{7e7d3382-023c-43cb-95d2-6f0ca6d70381}
Event message file(s):	%systemroot%\system32\d3d10level9.dll

Microsoft-Windows-D3D9

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-D3D9
Identifier:	{783aca0a-790e-4d7f-8451-aa850511c6b9}
Event message file(s):	%systemroot%\system32\d3d9.dll

Microsoft-Windows-DAL-Provider

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-DAL-Provider
Identifier:	{7e87506f-bace-4bf1-bc09-3a1f37045c71}
Event message file(s):	%systemroot%\system32\pcsvdevice.dll

Microsoft-Windows-DCLocator

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-DCLocator
Identifier:	{cfaa5446-c6c4-4f5c-866f-31c9b55b962d}
Event message file(s):	%systemroot%\system32\logoncli.dll

Seen on:

Windows Vista

Log source(s):	Microsoft-Windows-DCLocator
Identifier:	{cfaa5446-c6c4-4f5c-866f-31c9b55b962d}
Event message file(s):	%systemroot%\system32\netapi32.dll

Microsoft-Windows-DDisplay

Seen on:

Windows 10 (1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-DDisplay
Identifier:	{75051c9d-2833-4a29-8923-046db7a432ca}
Event message file(s):	%systemroot%\system32\ddisplay.dll

Microsoft-Windows-DLNA-Namespace

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-DLNA-Namespace
Identifier:	{d38fb874-33e4-4dcf-911e-1b53bb106d53}
Event message file(s):	%systemroot%\system32\dlnashext.dll

Microsoft-Windows-DNS-Client

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-DNS-Client
Log type:	System
Identifier:	{1c95126e-7eea-49a9-a3fe-a378b03ddb4d}
Event message file(s):	%systemroot%\system32\dnsapi.dll

Microsoft-Windows-DNS-Client-DiagTrack

Seen on:

Windows 11 (21H2)

Log source(s):	Microsoft-Windows-DNS-Client-DiagTrack
Identifier:	{80e30bfe-62cf-5c77-5dc4-425d2c7734a3}
Event message file(s):	%systemroot%\system32\dnsapi.dll

Microsoft-Windows-DSC

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-DSC
Identifier:	{50df9e12-a8c4-4939-b281-47e1325ba63e}
Event message file(s):	%systemroot%\system32\dsc\dsccorer.dll

Microsoft-Windows-DUI

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-DUI
Identifier:	{8360bd0f-a7dc-4391-91a7-a457c5c381e4}
Event message file(s):	%systemroot%\system32\dui70.dll

Microsoft-Windows-DUSER

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-DUSER
Identifier:	{8429e243-345b-47c1-8a91-2c94caf0daab}
Event message file(s):	%systemroot%\system32\duser.dll

Microsoft-Windows-DVD

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-DVD
Identifier:	{e18d0fca-9515-4232-98e4-89e456d8551b}
Event message file(s):	%systemroot%\system32\qdvd.dll

Microsoft-Windows-DXGI

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-DXGI
Identifier:	{ca11c036-0102-4a2d-a6ad-f03cfed5d3c9}
Event message file(s):	%systemroot%\system32\dxgi.dll

Microsoft-Windows-DXP

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-DXP
Identifier:	{728b8c72-0f0f-4071-9bcc-27cb3b6dacbe}
Event message file(s):	%systemroot%\system32\dxpserver.exe

Microsoft-Windows-Data-Pdf

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-Data-Pdf
Identifier:	{b97561fe-b27a-4c48-aa3e-7d3addc105b1}
Event message file(s):	%systemroot%\system32\windows.data.pdf.dll

Microsoft-Windows-DataIntegrityScan

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-DataIntegrityScan
Identifier:	{13bc4371-4e21-4e46-a84f-8c0ffb548ced}
Event message file(s):	%systemroot%\system32\discan.dll

Microsoft-Windows-DateTimeControlPanel

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-DateTimeControlPanel
Identifier:	{741fc222-44ed-4ba7-98e3-f405b2d2c4b4}
Event message file(s):	%systemroot%\system32\timedate.cpl

Microsoft-Windows-Deduplication

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Deduplication
Log type:	Application
Identifier:	{f9fe3908-44b8-48d9-9a32-5a763ff5ed79}
Event message file(s):	%systemroot%\system32\ddputils.dll

Microsoft-Windows-Deduplication-Change

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Deduplication-Change
Identifier:	{1d5e499d-739c-45a6-a3e1-8cbe0a352beb}
Event message file(s):	%systemroot%\system32\ddputils.dll

Microsoft-Windows-Defrag

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Defrag
Log type:	Application
Event message file(s):	%systemroot%\system32\defragsvc.dll

Seen on:

Windows Vista

Log source(s):	Microsoft-Windows-Defrag
Log type:	Application
Event message file(s):	%systemroot%\system32\dfrgres.dll

Microsoft-Windows-Defrag-Core

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-Defrag-Core
Identifier:	{e3257c8c-c7cb-444f-9da0-5d92a2625289}
Event message file(s):	%systemroot%\system32\defragres.dll

Microsoft-Windows-DeliveryOptimization

Seen on:

Windows 10 (1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-DeliveryOptimization
Log type:	Application
Identifier:	{f8ad09ba-419c-5134-1750-270f4d0fb889}
Event message file(s):	%systemroot%\system32\dosvc.dll

Microsoft-Windows-Deplorch

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Deplorch
Identifier:	{b9da9fe6-ae5f-4f3e-b2fa-8e623c11dc75}
Event message file(s):	%systemroot%\system32\setupetw.dll

Microsoft-Windows-DesktopActivityModerator

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-DesktopActivityModerator
Identifier:	{32dd13df-9c0b-4c3b-b854-ee76c050f5f4}
Event message file(s):	%systemroot%\system32\drivers\dam.sys

Microsoft-Windows-DesktopWindowManager-Diag

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-DesktopWindowManager-Diag
Identifier:	{31f60101-3703-48ea-8143-451f8de779d2}
Event message file(s):	%systemroot%\system32\dwmcore.dll

Microsoft-Windows-DevMgmt-UefiCsp

Seen on:

Windows 10 (1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-DevMgmt-UefiCsp
Identifier:	{739d66d8-76c4-4004-873f-169ae5c6eaca}
Event message file(s):	%systemroot%\system32\ueficsp.dll

Microsoft-Windows-DeviceAssociationService

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-DeviceAssociationService
Identifier:	{56c71c31-cfbd-4cdd-8559-505e042bbbe1}
Event message file(s):	%systemroot%\system32\das.dll

Microsoft-Windows-DeviceConfidence

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-DeviceConfidence
Identifier:	{1d5990c1-ec62-49f0-9e37-1f4db12db41e}
Event message file(s):	%systemroot%\system32\consentux.dll

Microsoft-Windows-DeviceGuard

Seen on:

Windows 10 (1607, 1703, 1709, 1803, 1809)

Log source(s):	Microsoft-Windows-DeviceGuard
Log type:	Application
Identifier:	{f717d024-f5b4-4f03-9ab9-331b2dc38ffb}
Event message file(s):	%systemroot%\system32\dggpext.dll

Seen on:

Windows 10 (1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-DeviceGuard
Log type:	Application
Identifier:	{f717d024-f5b4-4f03-9ab9-331b2dc38ffb}
Event message file(s):	%systemroot%\system32\manageci.dll

Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider
Identifier:	{3da494e4-0fe2-415c-b895-fb5265c5c83b}
Event message file(s):	%systemroot%\system32\dmenterprisediagnostics.dll

Microsoft-Windows-DeviceManagement-Pushrouter

Seen on:

Windows 10 (1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-DeviceManagement-Pushrouter
Identifier:	{f1201b5a-e170-42b6-8d20-b57ac57e6416}
Event message file(s):	%systemroot%\system32\dmpushroutercore.dll

Microsoft-Windows-DeviceSetupManager

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-DeviceSetupManager
Identifier:	{fcbb06bb-6a2a-46e3-abaa-246cb4e508b2}
Event message file(s):	%systemroot%\system32\devicesetupmanager.dll

Microsoft-Windows-DeviceSync

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-DeviceSync
Identifier:	{09ec9687-d7ad-40ca-9c5e-78a04a5ae993}
Event message file(s):	%systemroot%\system32\syncinfrastructure.dll

Microsoft-Windows-DeviceUpdateAgent

Seen on:

Windows 10 (1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-DeviceUpdateAgent
Identifier:	{e8f9af91-afbe-5a03-dfec-5d591686326c}
Event message file(s):	%systemroot%\system32\deviceupdateagent.dll

Microsoft-Windows-DeviceUx

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-DeviceUx
Identifier:	{ded165cf-485d-4770-a3e7-9c5f0320e80c}
Event message file(s):	%systemroot%\system32\deviceuxres.dll

Microsoft-Windows-Devices-Background

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-Devices-Background
Log type:	System
Identifier:	{64ef2b1c-4ae1-4e64-8599-1636e441ec88}
Event message file(s):	%systemroot%\system32\deviceaccess.dll

Microsoft-Windows-DiagCpl

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-DiagCpl
Identifier:	{1a396961-5f3c-4c71-8310-44c653c0bf8a}
Event message file(s):	%systemroot%\system32\diagcpl.dll

Microsoft-Windows-Diagnosis-AdvancedTaskManager

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Diagnosis-AdvancedTaskManager
Identifier:	{178dadaf-7ac4-4593-ab3e-a45fda6d0d55}
Event message file(s):	%systemroot%\system32\taskmgr.exe

Microsoft-Windows-Diagnosis-DPS

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-Diagnosis-DPS
Identifier:	{6bba3851-2c7e-4dea-8f54-31e5afd029e3}
Event message file(s):	%systemroot%\system32\dps.dll

Microsoft-Windows-Diagnosis-MSDE

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Diagnosis-MSDE
Identifier:	{a50b09f8-93eb-4396-84c9-dc921259f952}
Event message file(s):	%systemroot%\system32\msdt.exe

Microsoft-Windows-Diagnosis-PCW

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Diagnosis-PCW
Identifier:	{aabf8b86-7936-4fa2-acb0-63127f879dbf}
Event message file(s):	%systemroot%\system32\pcwum.dll

Microsoft-Windows-Diagnosis-PLA

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-Diagnosis-PLA
Identifier:	{e4d53f84-7de3-11d8-9435-505054503030}
Event message file(s):	%systemroot%\system32\pla.dll

Microsoft-Windows-Diagnosis-Scheduled

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Diagnosis-Scheduled
Identifier:	{40ab57c2-1c53-4df9-9324-ff7cf898a02c}
Event message file(s):	%systemroot%\system32\sdiagschd.dll

Microsoft-Windows-Diagnosis-Scripted

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Diagnosis-Scripted
Identifier:	{e1dd7e52-621d-44e3-a1ad-0370c2b25946}
Event message file(s):	%systemroot%\system32\sdiageng.dll

Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider
Identifier:	{9363ccd9-d429-4452-9adb-2501e704b810}
Event message file(s):	%systemroot%\system32\sdiagprv.dll

Microsoft-Windows-Diagnosis-WDC

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-Diagnosis-WDC
Identifier:	{05921578-2261-42c7-a0d3-26ddbce6c50d}
Event message file(s):	%systemroot%\system32\wdc.dll

Microsoft-Windows-Diagnosis-WDI

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-Diagnosis-WDI
Identifier:	{e01b1a7c-c5c9-4e67-99a9-5e85acfb2e10}
Event message file(s):	%systemroot%\system32\dps.dll

Microsoft-Windows-Diagnostics-LoggingChannel

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.1

Log source(s):	Microsoft-Windows-Diagnostics-LoggingChannel
Identifier:	{4bd2826e-54a1-4ba9-bf63-92b73ea1ac4a}
Event message file(s):	%systemroot%\system32\winrttracing.dll

Microsoft-Windows-Diagnostics-Networking

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-Diagnostics-Networking
Log type:	System
Identifier:	{36c23e18-0e66-11d9-bbeb-505054503030}
Event message file(s):	%systemroot%\system32\netdiagfx.dll

Microsoft-Windows-Diagnostics-PerfTrack

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Diagnostics-PerfTrack
Identifier:	{030f2f57-abd0-4427-bcf1-3a3587d7dc7d}
Event message file(s):	%systemroot%\system32\perftrack.dll

Seen on:

Windows 11 (21H2)

Log source(s):	Microsoft-Windows-Diagnostics-PerfTrack
Identifier:	{030f2f57-abd0-4427-bcf1-3a3587d7dc7d}
Event message file(s):	%systemroot%\system32\diagtrack.dll

Microsoft-Windows-Diagnostics-Performance

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-Diagnostics-Performance
Identifier:	{cfc18ec0-96b1-4eba-961b-622caee05b0a}
Event message file(s):	%systemroot%\system32\diagperf.dll

Microsoft-Windows-Direct3D10

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Direct3D10
Identifier:	{9b7e4c0f-342c-4106-a19f-4f2704f689f0}
Event message file(s):	%systemroot%\system32\d3d10core.dll

Microsoft-Windows-Direct3D10_1

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Direct3D10_1
Identifier:	{9b7e4c8f-342c-4106-a19f-4f2704f689f0}
Event message file(s):	%systemroot%\system32\d3d10_1core.dll

Microsoft-Windows-Direct3D11

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Direct3D11
Identifier:	{db6f6ddb-ac77-4e88-8253-819df9bbf140}
Event message file(s):	%systemroot%\system32\d3d11.dll

Microsoft-Windows-Direct3D12

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)

Log source(s):	Microsoft-Windows-Direct3D12
Identifier:	{5d8087dd-3a9b-4f56-90df-49196cdc4f11}
Event message file(s):	%systemroot%\system32\d3d12.dll

Seen on:

Windows 11 (21H2)

Log source(s):	Microsoft-Windows-Direct3D12
Identifier:	{5d8087dd-3a9b-4f56-90df-49196cdc4f11}
Event message file(s):	%systemroot%\system32\d3d12core.dll

Microsoft-Windows-Direct3DShaderCache

Seen on:

Windows 10 (1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-Direct3DShaderCache
Identifier:	{2d4ebca6-ea64-453f-a292-ae2ea0ee513b}
Event message file(s):	%systemroot%\system32\d3dscache.dll

Microsoft-Windows-DirectAccess-MediaManager

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-DirectAccess-MediaManager
Identifier:	{dd2fe441-6c12-41fd-8232-3709c6045f63}
Event message file(s):	%systemroot%\system32\damm.dll

Microsoft-Windows-DirectComposition

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-DirectComposition
Identifier:	{c44219d0-f344-11df-a5e2-b307dfd72085}
Event message file(s):	%systemroot%\system32\dcomp.dll

Microsoft-Windows-DirectManipulation

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-DirectManipulation
Identifier:	{5786e035-ef2d-4178-84f2-5a6bbedbb947}
Event message file(s):	%systemroot%\system32\directmanipulation.dll

Microsoft-Windows-DirectShow-Core

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-DirectShow-Core
Log type:	Application
Identifier:	{968f313b-097f-4e09-9cdd-bc62692d138b}
Event message file(s):	%systemroot%\system32\quartz.dll

Microsoft-Windows-DirectShow-KernelSupport

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-DirectShow-KernelSupport
Log type:	Application
Identifier:	{3cc2d4af-da5e-4ed4-bcbe-3cf995940483}
Event message file(s):	%systemroot%\system32\ksproxy.ax

Microsoft-Windows-DirectSound

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-DirectSound
Identifier:	{8a93b54b-c75a-49b5-a5be-9060715b1a33}
Event message file(s):	%systemroot%\system32\dsound.dll

Microsoft-Windows-Directory-Services-SAM

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-Directory-Services-SAM
	SAM
Log type:	System
Identifier:	{0d4fdc09-8c27-494a-bda0-505e4fd8adae}
Event message file(s):	%systemroot%\system32\samsrv.dll

Microsoft-Windows-Directory-Services-SAM-Utility

Seen on:

Windows 10 (1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-Directory-Services-SAM-Utility
Identifier:	{bd8fea17-5549-4b49-aa03-1981d16396a9}
Event message file(s):	%systemroot%\system32\samsrv.dll

Microsoft-Windows-Disk

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Disk
Identifier:	{6b4db0bc-9a3d-467d-81b9-a84c6f2f3d40}
Event message file(s):	%systemroot%\system32\drivers\disk.sys

Microsoft-Windows-DiskDiagnostic

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-DiskDiagnostic
Identifier:	{e670a5a2-ce74-4ab4-9347-61b815319f4c}
Event message file(s):	%systemroot%\system32\dfdts.dll

Microsoft-Windows-DiskDiagnosticDataCollector

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-DiskDiagnosticDataCollector
Identifier:	{e104fb41-6b04-4f3a-b47d-f0df2f02b954}
Event message file(s):	%systemroot%\system32\dfdts.dll

Microsoft-Windows-DiskDiagnosticResolver

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows Vista

Log source(s):	Microsoft-Windows-DiskDiagnosticResolver
Identifier:	{6b1ffe48-5b1e-4793-9f7f-ae926454499d}
Event message file(s):	%systemroot%\system32\dfdwiz.exe

Seen on:

Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-DiskDiagnosticResolver
Identifier:	{6b1ffe48-5b1e-4793-9f7f-ae926454499d}
Event message file(s):	%systemroot%\system32\dfdts.dll

Microsoft-Windows-Dism-Api

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Dism-Api
Identifier:	{75b0da21-8b50-42eb-9448-ec48b1729b57}
Event message file(s):	%systemroot%\system32\dismapi.dll

Microsoft-Windows-Dism-Cli

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Dism-Cli
Identifier:	{2f959466-24d4-4972-8729-0d5e3539ebc3}
Event message file(s):	%systemroot%\system32\dism.exe

Microsoft-Windows-Display

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Display
Identifier:	{6ece3302-fee1-4ea9-8b88-086d459ed976}
Event message file(s):	%systemroot%\system32\display.dll

Microsoft-Windows-DisplayColorCalibration

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-DisplayColorCalibration
Identifier:	{3239eb6f-c7fc-4953-aa15-646829a4ca4c}
Event message file(s):	%systemroot%\system32\dccw.exe

Microsoft-Windows-DisplaySwitch

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-DisplaySwitch
Identifier:	{192ede41-9175-4c86-ac02-9d003c9d43ab}
Event message file(s):	%systemroot%\system32\displayswitch.exe

Microsoft-Windows-Documents

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Documents
Identifier:	{c89b991e-3b48-49b2-80d3-ac000dfc9749}
Event message file(s):	%systemroot%\system32\documentperformanceevents.dll

Microsoft-Windows-DomainJoinManagerTriggerProvider

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-DomainJoinManagerTriggerProvider
Identifier:	{5b004607-1087-4f16-b10e-979685a8d131}
Event message file(s):	%systemroot%\system32\lsasrv.dll

Microsoft-Windows-Dot3MM

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Dot3MM
Identifier:	{f3419a17-e994-4c40-b593-79b8edec54e9}
Event message file(s):	%systemroot%\system32\dot3mm.dll

Microsoft-Windows-DotNETRuntime

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012

Log source(s):	Microsoft-Windows-DotNETRuntime
Identifier:	{e13c0d23-ccbc-4e12-931b-d9cc2eee27e4}
Event message file(s):	%systemroot%\microsoft.net\framework\v4.0.30319\clretwrc.dll

Microsoft-Windows-DotNETRuntimeRundown

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012

Log source(s):	Microsoft-Windows-DotNETRuntimeRundown
Identifier:	{a669021c-c450-4609-a035-5af59af4df18}
Event message file(s):	%systemroot%\microsoft.net\framework\v4.0.30319\clretwrc.dll

Microsoft-Windows-DriverFrameworks-KernelMode-Performance

Seen on:

Windows 10 (1511, 1607, 1703)

Log source(s):	Microsoft-Windows-DriverFrameworks-KernelMode-Performance
Identifier:	{486a5c7c-11cc-46c5-9de7-43dfe0bb57c1}
Event message file(s):	%systemroot%\system32\wudfsvc.dll

Seen on:

Windows 10 (1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-DriverFrameworks-KernelMode-Performance
Identifier:	{486a5c7c-11cc-46c5-9de7-43dfe0bb57c1}
Event message file(s):	%systemroot%\system32\drivers\wdf01000.sys

Microsoft-Windows-DriverFrameworks-UserMode

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-DriverFrameworks-UserMode
Log type:	System
Identifier:	{2e35aaeb-857f-4beb-a418-2e6c0e54d988}
Event message file(s):	%systemroot%\system32\wudfplatform.dll

Microsoft-Windows-DriverFrameworks-UserMode-Performance

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-DriverFrameworks-UserMode-Performance
Identifier:	{9fa5dd5d-999e-466a-8ca9-7b3a66f8882f}
Event message file(s):	%systemroot%\system32\wudfplatform.dll

Microsoft-Windows-Dwm-Api

Seen on:

Windows 2008
Windows 7

Log source(s):	Microsoft-Windows-Dwm-Api
Identifier:	{92ae46d7-6d9c-4727-9ed5-e49af9c24cbf}
Event message file(s):	%systemroot%\system32\dwmapi.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Dwm-Api
Identifier:	{292a52c4-fa27-4461-b526-54a46430bd54}
Event message file(s):	%systemroot%\system32\dwmapi.dll

Microsoft-Windows-Dwm-Core

Seen on:

Windows 2008
Windows 7

Log source(s):	Microsoft-Windows-Dwm-Core
Identifier:	{8c9dd1ad-e6e5-4b07-b455-684a9d879900}
Event message file(s):	%systemroot%\system32\dwmcore.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Dwm-Core
Identifier:	{9e9bba3c-2e38-40cb-99f4-9e8281425164}
Event message file(s):	%systemroot%\system32\dwmcore.dll

Microsoft-Windows-Dwm-Dwm

Seen on:

Windows 2008
Windows 7

Log source(s):	Microsoft-Windows-Dwm-Dwm
Identifier:	{bc2eeeec-b77a-4a52-b6a4-dffb1b1370cb}
Event message file(s):	%systemroot%\system32\dwm.exe

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Dwm-Dwm
Identifier:	{d29d56ea-4867-4221-b02e-cfd998834075}
Event message file(s):	%systemroot%\system32\dwm.exe

Microsoft-Windows-Dwm-Redir

Seen on:

Windows 2008
Windows 7

Log source(s):	Microsoft-Windows-Dwm-Redir
Identifier:	{57e0b31d-de8c-4181-bcd1-f70e880b49fc}
Event message file(s):	%systemroot%\system32\dwmredir.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Dwm-Redir
Identifier:	{7d99f6a4-1bec-4c09-9703-3aaa8148347f}
Event message file(s):	%systemroot%\system32\dwmredir.dll

Microsoft-Windows-Dwm-Udwm

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Dwm-Udwm
Identifier:	{a2d1c713-093b-43a7-b445-d09370ec9f47}
Event message file(s):	%systemroot%\system32\udwm.dll

Seen on:

Windows 7

Log source(s):	Microsoft-Windows-Dwm-Udwm
Identifier:	{98583af0-fc93-4e71-96d5-9f8da716c6b8}
Event message file(s):	%systemroot%\system32\udwm.dll

Microsoft-Windows-DxgKrnl

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-DxgKrnl
Identifier:	{802ec45a-1e99-4b83-9920-87c98277ba9d}
Event message file(s):	%systemroot%\system32\drivers\dxgkrnl.sys

Seen on:

Windows Vista

Log source(s):	Microsoft-Windows-DxgKrnl
Identifier:	{802ec45a-1e99-4b83-9920-87c98277ba9d}

Microsoft-Windows-DxpTaskSyncProvider

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-DxpTaskSyncProvider
Identifier:	{271c5228-c3fe-4e47-831f-48c3652ce5ac}
Event message file(s):	%systemroot%\system32\dxptasksync.dll

Microsoft-Windows-EDP-AppLearning

Seen on:

Windows 10 (1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-EDP-AppLearning
Identifier:	{9803daa0-81ba-483a-986c-f0e395b9f8d1}
Event message file(s):	%systemroot%\system32\edpauditapi.dll

Microsoft-Windows-EDP-Audit-Regular

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-EDP-Audit-Regular
Identifier:	{50f99b2d-96d2-421f-be4c-222c4140da9f}
Event message file(s):	%systemroot%\system32\edpauditapi.dll

Microsoft-Windows-EDP-Audit-TCB

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-EDP-Audit-TCB
Identifier:	{287d59b6-79ba-4741-a08b-2fedeede6435}
Event message file(s):	%systemroot%\system32\edpauditapi.dll

Microsoft-Windows-EFS

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-EFS
Log type:	Application
Identifier:	{3663a992-84be-40ea-bba9-90c7ed544222}
Event message file(s):	%systemroot%\system32\efscore.dll

Seen on:

Windows Vista

Log source(s):	Microsoft-Windows-EFS
Identifier:	{3663a992-84be-40ea-bba9-90c7ed544222}
Event message file(s):	%systemroot%\system32\feclient.dll

Microsoft-Windows-ELS-Hyphenation

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-ELS-Hyphenation
Identifier:	{51aedb05-890b-4ade-8ba1-0ba14b8e8973}
Event message file(s):	%systemroot%\system32\elshyph.dll

Microsoft-Windows-EQoS

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-EQoS
Identifier:	{54cb22ff-26b4-4393-a8c2-6b0715912c5f}
Event message file(s):	%systemroot%\system32\eqossnap.dll

Microsoft-Windows-ESE

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-ESE
Identifier:	{478ea8a8-00be-4ba6-8e75-8b9dc7db9f78}
Event message file(s):	%systemroot%\system32\etweseproviderresources.dll

Microsoft-Windows-EapHost

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-EapHost
Log type:	Application
Identifier:	{6eb8db94-fe96-443f-a366-5fe0cee7fb1c}
Event message file(s):	%systemroot%\system32\eapsvc.dll

Microsoft-Windows-EapMethods-RasChap

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-EapMethods-RasChap
Identifier:	{58980f4b-bd39-4a3e-b344-492ed2254a4e}
Event message file(s):	%systemroot%\system32\raschap.dll

Microsoft-Windows-EapMethods-RasTls

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-EapMethods-RasTls
Identifier:	{9cc0413e-5717-4af5-82eb-6103d8707b45}
Event message file(s):	%systemroot%\system32\rastls.dll

Microsoft-Windows-EapMethods-Sim

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-EapMethods-Sim
Identifier:	{3d42a67d-9ce8-4284-b755-2550672b0ce0}
Event message file(s):	%systemroot%\system32\simauth.dll

Microsoft-Windows-EapMethods-Ttls

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-EapMethods-Ttls
Identifier:	{d710d46c-235d-4798-ac20-9f83e1dcd557}
Event message file(s):	%systemroot%\system32\ttlsauth.dll

Microsoft-Windows-EaseOfAccess

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-EaseOfAccess
Identifier:	{74b4a4b1-2302-4768-ac5b-9773dd456b08}
Event message file(s):	%systemroot%\system32\magnify.exe

Microsoft-Windows-EndpointTriggerProvider

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-EndpointTriggerProvider
Identifier:	{92aab24d-d9a9-4a60-9f94-201fed3e3e88}
Event message file(s):	%systemroot%\system32\rpcepmap.dll

Microsoft-Windows-Energy-Estimation-Engine

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-Energy-Estimation-Engine
Identifier:	{ddcc3826-a68a-4e0d-bcfd-9c06c27c6948}
Event message file(s):	%systemroot%\system32\eeprov.dll

Microsoft-Windows-EnergyEfficiencyWizard

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-EnergyEfficiencyWizard
Identifier:	{1a772f65-be1e-4fc6-96bb-248e03fa60f5}
Event message file(s):	%systemroot%\system32\energy.dll

Microsoft-Windows-EnhancedStorage-ClassDriver

Seen on:

Windows 11 (21H2)

Log source(s):	Microsoft-Windows-EnhancedStorage-ClassDriver
Identifier:	{f6cf91be-e7d7-57d6-2a3d-278ca406d190}
Event message file(s):	%systemroot%\system32\drivers\ehstorclass.sys

Microsoft-Windows-EnhancedStorage-EhStorTcgDrv

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-EnhancedStorage-EhStorTcgDrv
Log type:	System
Identifier:	{aa3aa23b-bb6d-425a-b58c-1d7e37f5d02a}
Event message file(s):	%systemroot%\system32\drivers\ehstortcgdrv.sys

Microsoft-Windows-ErrorReportingConsole

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-ErrorReportingConsole
Identifier:	{017247f2-7e96-11dc-8314-0800200c9a66}
Event message file(s):	%systemroot%\system32\werconcpl.dll

Microsoft-Windows-EventCollector

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-EventCollector
Log type:	Application
Identifier:	{b977cf02-76f6-df84-cc1a-6a4b232322b6}
Event message file(s):	%systemroot%\system32\wecsvc.dll

Microsoft-Windows-EventLog-WMIProvider

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-EventLog-WMIProvider
Identifier:	{35ac6ce8-6104-411d-976c-877f183d2d32}
Event message file(s):	%systemroot%\system32\wbem\ntevt.dll

Microsoft-Windows-Eventlog

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-Eventlog
Log type:	Security
Identifier:	{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}
Event message file(s):	%systemroot%\system32\wevtsvc.dll

Microsoft-Windows-FMS

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-FMS
Log type:	System
Identifier:	{dea07764-0790-44de-b9c4-49677b17174f}
Event message file(s):	%systemroot%\system32\fms.dll

Microsoft-Windows-FailoverClustering-Client

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-FailoverClustering-Client
Identifier:	{a82fda5d-745f-409c-b0fe-18ae0678a0e0}
Event message file(s):	%systemroot%\system32\clusapi.dll

Microsoft-Windows-Fat-SQM

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-Fat-SQM
Log type:	System
Identifier:	{3e59a529-b0b3-4a11-8129-9ffe6bb46eb9}
Event message file(s):	%systemroot%\system32\drivers\fastfat.sys

Microsoft-Windows-Fault-Tolerant-Heap

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Fault-Tolerant-Heap
Log type:	System
Identifier:	{6b93bf66-a922-4c11-a617-cf60d95c133d}
Event message file(s):	%systemroot%\system32\fthsvc.dll

Microsoft-Windows-FeatureConfiguration

Seen on:

Windows 10 (1803, 1809, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-FeatureConfiguration
Identifier:	{c2f36562-a1e4-4bc3-a6f6-01a7adb643e8}
Event message file(s):	%systemroot%\system32\fcon.dll

Microsoft-Windows-Feedback-Service-TriggerProvider

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Feedback-Service-TriggerProvider
Identifier:	{e46eead8-0c54-4489-9898-8fa79d059e0e}
Event message file(s):	%systemroot%\system32\wersvc.dll

Microsoft-Windows-FileHistory-Catalog

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-FileHistory-Catalog
Identifier:	{b447b4dc-7780-11e0-ada3-18a90531a85a}
Event message file(s):	%systemroot%\system32\fhsvc.dll

Microsoft-Windows-FileHistory-ConfigManager

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-FileHistory-ConfigManager
Identifier:	{b447b4dd-7780-11e0-ada3-18a90531a85a}
Event message file(s):	%systemroot%\system32\fhsvc.dll

Microsoft-Windows-FileHistory-Core

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-FileHistory-Core
Identifier:	{b447b4db-7780-11e0-ada3-18a90531a85a}
Event message file(s):	%systemroot%\system32\fhsvc.dll

Microsoft-Windows-FileHistory-Engine

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-FileHistory-Engine
Identifier:	{b447b4de-7780-11e0-ada3-18a90531a85a}
Event message file(s):	%systemroot%\system32\fhsvc.dll

Microsoft-Windows-FileHistory-EventListener

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-FileHistory-EventListener
Identifier:	{b447b4df-7780-11e0-ada3-18a90531a85a}
Event message file(s):	%systemroot%\system32\fhsvc.dll

Microsoft-Windows-FileHistory-Service

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-FileHistory-Service
Identifier:	{b447b4e0-7780-11e0-ada3-18a90531a85a}
Event message file(s):	%systemroot%\system32\fhsvc.dll

Microsoft-Windows-FileHistory-UI

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-FileHistory-UI
Identifier:	{b447b4e1-7780-11e0-ada3-18a90531a85a}
Event message file(s):	%systemroot%\system32\fhuxcommon.dll

Microsoft-Windows-FileInfoMinifilter

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-FileInfoMinifilter
Identifier:	{a319d300-015c-48be-acdb-47746e154751}
Event message file(s):	%systemroot%\system32\drivers\fileinfo.sys

Microsoft-Windows-FilterManager

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-FilterManager
Log type:	System
Identifier:	{f3c5e28e-63f6-49c7-a204-e48a1bc4b09d}
Event message file(s):	%systemroot%\system32\drivers\fltmgr.sys

Microsoft-Windows-Firewall

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-Firewall
Log type:	System
Identifier:	{e595f735-b42a-494b-afcd-b68666945cd3}
Event message file(s):	%systemroot%\system32\mpssvc.dll

Microsoft-Windows-Firewall-CPL

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Firewall-CPL
Identifier:	{546549be-9d63-46aa-9154-4f6eb9526378}
Event message file(s):	%systemroot%\system32\firewallcontrolpanel.dll

Seen on:

Windows Vista

Log source(s):	Microsoft-Windows-Firewall-CPL
Identifier:	{546549be-9d63-46aa-9154-4f6eb9526378}
Event message file(s):	%systemroot%\system32\firewall.cpl

Microsoft-Windows-FirstUX-PerfInstrumentation

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-FirstUX-PerfInstrumentation
Identifier:	{fbef8096-2ca3-4082-acde-dcfb47e96b72}
Event message file(s):	%systemroot%\system32\oobe\winlgdep.dll

Microsoft-Windows-Forwarding

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Forwarding
Identifier:	{699e309c-e782-4400-98c8-e21d162d7b7b}
Event message file(s):	%systemroot%\system32\wevtfwd.dll

Microsoft-Windows-FunctionDiscovery

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-FunctionDiscovery
Identifier:	{9db0fdb5-3b21-440e-a94b-63738a4be5de}
Event message file(s):	%systemroot%\system32\fundisc.dll

Microsoft-Windows-FunctionDiscoveryHost

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-FunctionDiscoveryHost
Log type:	System
Identifier:	{538cbbad-4877-4eb2-b26e-7caee8f0f8cb}
Event message file(s):	%systemroot%\system32\fdphost.dll

Microsoft-Windows-GPIO-ClassExtension

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-GPIO-ClassExtension
Log type:	System
Identifier:	{55ab77f6-fa04-43ef-af45-688fbf500482}
Event message file(s):	%systemroot%\system32\drivers\msgpioclx.sys

Microsoft-Windows-GPIOButtons

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.1

Log source(s):	Microsoft-Windows-GPIOButtons
Identifier:	{e13ff11e-e989-4838-a9fa-38a4d13914cf}
Event message file(s):	%systemroot%\system32\drivers\msgpiowin32.sys

Microsoft-Windows-GenericRoaming

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-GenericRoaming
Log type:	Application
Identifier:	{4eacb4d0-263b-4b93-8cd6-778a278e5642}
Event message file(s):	%systemroot%\system32\vaultroaming.dll

Microsoft-Windows-Graphics-Capture-Server

Seen on:

Windows 10 (1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-Graphics-Capture-Server
Identifier:	{7d0cbd25-390e-524d-8c1e-2a8e846055c0}
Event message file(s):	%systemroot%\system32\captureservice.dll

Microsoft-Windows-Graphics-Printing

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Graphics-Printing
Identifier:	{e7aa32fb-77d0-477f-987d-7e83df1b7ed0}
Event message file(s):	%systemroot%\system32\windows.graphics.printing.dll

Microsoft-Windows-Graphics-Printing3D

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-Graphics-Printing3D
Identifier:	{be967569-e3c8-425b-ad0e-4f2c790b1848}
Event message file(s):	%systemroot%\system32\windows.graphics.printing.3d.dll

Microsoft-Windows-GroupPolicy

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-GroupPolicy
Log type:	System
Identifier:	{aea1b4fa-97d1-45f2-a64c-4d69fffd92c9}
Event message file(s):	%systemroot%\system32\gpsvc.dll

Seen on:

Windows Vista

Log source(s):	Microsoft-Windows-GroupPolicy
Log type:	System
Identifier:	{aea1b4fa-97d1-45f2-a64c-4d69fffd92c9}
Event message file(s):	%systemroot%\system32\gpsvc.dll
Parameter message file(s):	%systemroot%\system32\gpsvc.dll

Microsoft-Windows-GroupPolicyTriggerProvider

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-GroupPolicyTriggerProvider
Identifier:	{bd2f4252-5e1e-49fc-9a30-f3978ad89ee2}
Event message file(s):	%systemroot%\system32\gpsvc.dll

Microsoft-Windows-HAL

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-HAL
Log type:	System
Identifier:	{63d1e632-95cc-4443-9312-af927761d52a}
Event message file(s):	%systemroot%\system32\microsoft-windows-hal-events.dll

Seen on:

Windows Vista

Log source(s):	Microsoft-Windows-HAL
Identifier:	{63d1e632-95cc-4443-9312-af927761d52a}
Event message file(s):	%systemroot%\system32\advapi32.dll

Microsoft-Windows-HealthCenter

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-HealthCenter
Identifier:	{588c5c5a-ffc5-44a2-9a7f-d5e8dbe6efd7}
Event message file(s):	%systemroot%\system32\actioncenter.dll

Microsoft-Windows-HealthCenterCPL

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-HealthCenterCPL
Identifier:	{959f1fac-7ca8-4ed1-89dc-cdfa7e093cb0}
Event message file(s):	%systemroot%\system32\actioncentercpl.dll

Microsoft-Windows-Heap-Snapshot

Seen on:

Windows 10 (1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-Heap-Snapshot
Identifier:	{901d2afa-4ff6-46d7-8d0e-53645e1a47f5}
Event message file(s):	%systemroot%\system32\microsoft-windows-system-events.dll

Microsoft-Windows-HelloForBusiness

Seen on:

Windows 10 (1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-HelloForBusiness
Identifier:	{906b8a99-63ce-58d7-86ab-10989bbd5567}
Event message file(s):	%systemroot%\system32\cryptngc.dll

Microsoft-Windows-Help

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-Help
Identifier:	{de513a55-c345-438b-9a74-e18cac5c5cc5}
Event message file(s):	%systemroot%\system32\apds.dll

Microsoft-Windows-HomeGroup-ControlPanel

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-HomeGroup-ControlPanel
Identifier:	{134ea407-755d-4a93-b8a6-f290cd155023}
Event message file(s):	%systemroot%\system32\hgcpl.dll

Microsoft-Windows-HotspotAuth

Seen on:

Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-HotspotAuth
Identifier:	{de095dbe-8667-4168-94c2-48ca61665aca}
Event message file(s):	%systemroot%\system32\hotspotauth.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-HotspotAuth
Identifier:	{de095dbe-8667-4168-94c2-48ca61665aca}
Event message file(s):	%systemroot%\system32\wifinetworkmanager.dll

Microsoft-Windows-Http-SQM-Provider

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Http-SQM-Provider
Identifier:	{f5344219-87a4-4399-b14a-e59cd118abb8}
Event message file(s):	%systemroot%\system32\drivers\http.sys

Microsoft-Windows-HttpLog

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-HttpLog
Identifier:	{c42a2738-2333-40a5-a32f-6acc36449dcc}
Event message file(s):	%systemroot%\system32\drivers\http.sys

Microsoft-Windows-HttpService

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-HttpService
Identifier:	{dd5ef90a-6398-47a4-ad34-4dcecdef795f}
Event message file(s):	%systemroot%\system32\drivers\http.sys

Microsoft-Windows-Hyper-V-ComputeLib

Seen on:

Windows 10 (1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-Hyper-V-ComputeLib
Identifier:	{af7fd3a7-b248-460c-a9f5-fec39ef8468c}
Event message file(s):	%systemroot%\system32\computelibeventlog.dll

Microsoft-Windows-Hyper-V-Guest-Drivers-Dynamic-Memory

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-Hyper-V-Guest-Drivers-Dynamic-Memory
Identifier:	{ba2ffb5c-e20a-4fb9-91b4-45f61b4b66a0}
Event message file(s):	%systemroot%\system32\drivers\dmvsc.sys

Microsoft-Windows-Hyper-V-Guest-Drivers-Storage-Filter

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-Hyper-V-Guest-Drivers-Storage-Filter
Identifier:	{0b9fdccc-451c-449c-9bd8-6756fcc6091a}
Event message file(s):	%systemroot%\system32\drivers\vmstorfl.sys

Microsoft-Windows-Hyper-V-Guest-Drivers-Vmbus

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-Hyper-V-Guest-Drivers-Vmbus
Identifier:	{f2e2ce31-0e8a-4e46-a03b-2e0fe97e93c2}
Event message file(s):	%systemroot%\system32\drivers\vmbus.sys

Microsoft-Windows-Hyper-V-Hypervisor

Seen on:

Windows 10 (1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-Hyper-V-Hypervisor
Log type:	System
Identifier:	{52fc89f8-995e-434c-a91e-199986449890}
Event message file(s):	%systemroot%\system32\drivers\hvservice.sys

Microsoft-Windows-Hyper-V-KMCL-Child

Seen on:

Windows 11 (21H2)

Log source(s):	Microsoft-Windows-Hyper-V-KMCL-Child
Identifier:	{16d90d71-caca-5cd9-a618-8210d93015f3}
Event message file(s):	%systemroot%\system32\drivers\vmbkmcl.sys

Microsoft-Windows-Hyper-V-Netvsc

Seen on:

Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-Hyper-V-Netvsc
Identifier:	{152fbe4b-c7ad-4f68-bada-a4fcc1464f6c}
Event message file(s):	%systemroot%\system32\drivers\netvsc63.sys

Seen on:

Windows 10 (1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-Hyper-V-Netvsc
Identifier:	{152fbe4b-c7ad-4f68-bada-a4fcc1464f6c}
Event message file(s):	%systemroot%\system32\drivers\netvsc.sys

Microsoft-Windows-Hyper-V-VID

Seen on:

Windows 10 (1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-Hyper-V-VID
Identifier:	{5931d877-4860-4ee7-a95c-610a5f0d1407}
Event message file(s):	%systemroot%\system32\drivers\vid.sys

Microsoft-Windows-IE-F12-Provider

Seen on:

Windows 2012

Log source(s):	Microsoft-Windows-IE-F12-Provider
Identifier:	{d17fff2f-392d-478c-a41d-737a216eb2a4}
Event message file(s):	%programfiles%\internet explorer\f12.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-IE-F12-Provider
Identifier:	{d17fff2f-392d-478c-a41d-737a216eb2a4}
Event message file(s):	%systemroot%\system32\f12\f12platform.dll

Microsoft-Windows-IE-SmartScreen

Seen on:

Windows 10 (1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-IE-SmartScreen
Identifier:	{52f82079-1974-4c67-81da-807b892778bb}
Event message file(s):	%systemroot%\system32\ieapfltr.dll

Microsoft-Windows-IME-Broker

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-IME-Broker
Identifier:	{e2c15fd7-8924-4c8c-8cfe-da0be539ce27}
Event message file(s):	%systemroot%\system32\ime\shared\imebroker.exe

Microsoft-Windows-IME-CandidateUI

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-IME-CandidateUI
Identifier:	{7c4117b1-ed82-4f47-b2ca-29e4e25719c7}
Event message file(s):	%systemroot%\system32\ime\shared\mscand20.dll

Microsoft-Windows-IME-CustomerFeedbackManager

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-IME-CustomerFeedbackManager
Identifier:	{e2242b38-9453-42fd-b446-00746e76eb82}
Event message file(s):	%systemroot%\system32\ime\shared\imecfm.dll

Microsoft-Windows-IME-CustomerFeedbackManagerUI

Seen on:

Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-IME-CustomerFeedbackManagerUI
Identifier:	{1b734b40-a458-4b81-954f-ad7c9461bed8}
Event message file(s):	%systemroot%\system32\ime\shared\imecfm.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-IME-CustomerFeedbackManagerUI
Identifier:	{1b734b40-a458-4b81-954f-ad7c9461bed8}
Event message file(s):	%systemroot%\system32\ime\shared\imecfmui.exe

Microsoft-Windows-IME-JPAPI

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-IME-JPAPI
Identifier:	{31bcac7f-4ab8-47a1-b73a-a161ee68d585}
Event message file(s):	%systemroot%\system32\ime\imejp\imjpapi.dll

Microsoft-Windows-IME-JPLMP

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-IME-JPLMP
Identifier:	{dbc388bc-89c2-4fe0-b71f-6e4881fb575c}
Event message file(s):	%systemroot%\system32\ime\imejp\imjplmp.dll

Microsoft-Windows-IME-JPPRED

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-IME-JPPRED
Identifier:	{3ad571f3-bdae-4942-8733-4d1b85870a1e}
Event message file(s):	%systemroot%\system32\ime\imejp\imjppred.dll

Microsoft-Windows-IME-JPSetting

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-IME-JPSetting
Identifier:	{14371053-1813-471a-9510-1cf1d0a055a8}
Event message file(s):	%systemroot%\system32\ime\imejp\imjpset.exe

Microsoft-Windows-IME-JPTIP

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-IME-JPTIP
Identifier:	{8c8a69ad-cc89-481f-bbad-fd95b5006256}
Event message file(s):	%systemroot%\system32\ime\imejp\imjptip.dll

Microsoft-Windows-IME-KRAPI

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-IME-KRAPI
Identifier:	{7562948e-2671-4dda-8f8f-bf945ef984a1}
Event message file(s):	%systemroot%\system32\ime\imekr\imkrapi.dll

Microsoft-Windows-IME-KRTIP

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-IME-KRTIP
Identifier:	{e013e74b-97f4-4e1c-a120-596e5629ecfe}
Event message file(s):	%systemroot%\system32\ime\imekr\imkrtip.dll

Microsoft-Windows-IME-OEDCompiler

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-IME-OEDCompiler
Identifier:	{fd44a6e7-580f-4a9c-83d9-d820b7d3a033}
Event message file(s):	%systemroot%\system32\ime\shared\imewdbld.exe

Microsoft-Windows-IME-TCCORE

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-IME-TCCORE
Identifier:	{f67b2345-47fa-4721-a6fb-fe08110eecf7}
Event message file(s):	%systemroot%\system32\ime\imetc\imtccore.dll

Microsoft-Windows-IME-TCTIP

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-IME-TCTIP
Identifier:	{d5268c02-6f51-436f-983b-74f2efbfaf3a}
Event message file(s):	%systemroot%\system32\ime\imetc\imtctip.dll

Microsoft-Windows-IME-TIP

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-IME-TIP
Identifier:	{bdd4b92e-19ef-4497-9c4a-e10e7fd2e227}
Event message file(s):	%systemroot%\system32\ime\shared\imetip.dll

Microsoft-Windows-IPMIProvider

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-IPMIProvider
	ipmiprv
Log type:	Application
Identifier:	{2a45d52e-bbf3-4843-8e18-b356ed5f6a65}
Event message file(s):	%systemroot%\system32\wbem\ipmiprr.dll

Microsoft-Windows-IPNAT

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-IPNAT
Identifier:	{a67075c2-3e39-4109-b6cd-6d750058a732}
Event message file(s):	%systemroot%\system32\drivers\ipnat.sys

Microsoft-Windows-IPSEC-SRV

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-IPSEC-SRV
Identifier:	{c91ef675-842f-4fcf-a5c9-6ea93f2e4f8b}
Event message file(s):	%systemroot%\system32\ipsecsvc.dll

Microsoft-Windows-IdCtrls

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-IdCtrls
Identifier:	{6d7662a9-034e-4b1f-a167-67819c401632}
Event message file(s):	%systemroot%\system32\idctrls.dll

Microsoft-Windows-IdleTriggerProvider

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-IdleTriggerProvider
Identifier:	{9e03f75a-bcbe-428a-8f3c-d46f2a444935}
Event message file(s):	%systemroot%\system32\schedsvc.dll

Microsoft-Windows-Immersive-Shell

Seen on:

Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Immersive-Shell
Log type:	Application
Identifier:	{315a8872-923e-4ea2-9889-33cd4754bf64}
Event message file(s):	%systemroot%\system32\twinui.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-Immersive-Shell
Log type:	Application
Identifier:	{315a8872-923e-4ea2-9889-33cd4754bf64}
Event message file(s):	%systemroot%\system32\twinui.appcore.dll

Microsoft-Windows-Immersive-Shell-API

Seen on:

Windows 10 (1511)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Immersive-Shell-API
Identifier:	{5f0e257f-c224-43e5-9555-2adcb8540a58}
Event message file(s):	%systemroot%\system32\twinapi.dll

Seen on:

Windows 10 (1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-Immersive-Shell-API
Identifier:	{5f0e257f-c224-43e5-9555-2adcb8540a58}
Event message file(s):	%systemroot%\system32\twinapi.appcore.dll

Microsoft-Windows-IndirectDisplays-ClassExtension-Events

Seen on:

Windows 10 (1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-IndirectDisplays-ClassExtension-Events
Identifier:	{966cd1c0-3f69-42ad-9877-517dce8462b4}
Event message file(s):	%systemroot%\system32\drivers\umdf\iddcx.dll

Microsoft-Windows-Input-HIDCLASS

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-Input-HIDCLASS
Identifier:	{6465da78-e7a0-4f39-b084-8f53c7c30dc6}
Event message file(s):	%systemroot%\system32\drivers\hidclass.sys

Microsoft-Windows-InputSwitch

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-InputSwitch
Identifier:	{bb8e7234-bbf4-48a7-8741-339206ed1dfb}
Event message file(s):	%systemroot%\system32\inputswitch.dll

Microsoft-Windows-Install-Agent

Seen on:

Windows 10 (1511, 1607, 1703)

Log source(s):	Microsoft-Windows-Install-Agent
Identifier:	{e0c6f6de-258a-50e0-ac1a-103482d118bc}
Event message file(s):	%systemroot%\system32\storeagent.dll

Seen on:

Windows 10 (1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-Install-Agent
Identifier:	{e0c6f6de-258a-50e0-ac1a-103482d118bc}
Event message file(s):	%systemroot%\system32\installservice.dll

Microsoft-Windows-International-RegionalOptionsControlPanel

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-International-RegionalOptionsControlPanel
Identifier:	{c6bf6832-f7bd-4151-ac21-753ce4707453}
Event message file(s):	%systemroot%\system32\intl.cpl

Microsoft-Windows-Iphlpsvc

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Iphlpsvc
Log type:	System
Identifier:	{66a5c15c-4f8e-4044-bf6e-71d896038977}
Event message file(s):	%systemroot%\system32\iphlpsvc.dll

Microsoft-Windows-Iphlpsvc-Trace

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Iphlpsvc-Trace
Identifier:	{6600e712-c3b6-44a2-8a48-935c511f28c8}
Event message file(s):	%systemroot%\system32\iphlpsvc.dll

Microsoft-Windows-IsolatedUserMode

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-IsolatedUserMode
Log type:	System
Identifier:	{73a33ab2-1966-4999-8add-868c41415269}
Event message file(s):	%systemroot%\system32\iumbase.dll

Microsoft-Windows-KdsSvc

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-KdsSvc
Log type:	Application
Identifier:	{89203471-d554-47d4-bde4-7552ec219999}
Additional identifier:	{d4be7726-dc7a-11df-a6e6-0902dfd72085}
Event message file(s):	%systemroot%\system32\kdscli.dll

Microsoft-Windows-Kernel-Acpi

Seen on:

Windows 2008
Windows 7
Windows 8.0
Windows Vista

Log source(s):	Microsoft-Windows-Kernel-Acpi
Identifier:	{c514638f-7723-485b-bcfc-96565d735d4a}
Event message file(s):	%systemroot%\system32\advapi32.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-Kernel-Acpi
Identifier:	{c514638f-7723-485b-bcfc-96565d735d4a}
Event message file(s):	%systemroot%\system32\microsoft-windows-system-events.dll

Microsoft-Windows-Kernel-AppCompat

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-Kernel-AppCompat
Identifier:	{16a1adc1-9b7f-4cd9-94b3-d8296ab1b130}
Event message file(s):	%systemroot%\system32\microsoft-windows-system-events.dll

Seen on:

Windows 8.0

Log source(s):	Microsoft-Windows-Kernel-AppCompat
Identifier:	{16a1adc1-9b7f-4cd9-94b3-d8296ab1b130}
Event message file(s):	%systemroot%\system32\advapi32.dll

Microsoft-Windows-Kernel-Audit-API-Calls

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012

Log source(s):	Microsoft-Windows-Kernel-Audit-API-Calls
Identifier:	{e02a841c-75a3-4fa7-afc8-ae09cf9b7f23}
Event message file(s):	%systemroot%\system32\microsoft-windows-system-events.dll

Microsoft-Windows-Kernel-Boot

Seen on:

Windows 2008
Windows 7
Windows 8.0

Log source(s):	Microsoft-Windows-Kernel-Boot
Log type:	System
Identifier:	{15ca44ff-4d7a-4baa-bba5-0998955e531e}
Event message file(s):	%systemroot%\system32\advapi32.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-Kernel-Boot
Log type:	System
Identifier:	{15ca44ff-4d7a-4baa-bba5-0998955e531e}
Event message file(s):	%systemroot%\system32\microsoft-windows-system-events.dll

Microsoft-Windows-Kernel-BootDiagnostics

Seen on:

Windows 2008
Windows 7
Windows 8.0
Windows Vista

Log source(s):	Microsoft-Windows-Kernel-BootDiagnostics
Identifier:	{96ac7637-5950-4a30-b8f7-e07e8e5734c1}
Event message file(s):	%systemroot%\system32\advapi32.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-Kernel-BootDiagnostics
Identifier:	{96ac7637-5950-4a30-b8f7-e07e8e5734c1}
Event message file(s):	%systemroot%\system32\microsoft-windows-system-events.dll

Microsoft-Windows-Kernel-CPU-Starvation

Seen on:

Windows 11 (21H2)

Log source(s):	Microsoft-Windows-Kernel-CPU-Starvation
Identifier:	{7f54ca8a-6c72-5cbc-b96f-d0ef905b8bce}
Event message file(s):	%systemroot%\system32\microsoft-windows-system-events.dll

Microsoft-Windows-Kernel-Cache

Seen on:

Windows 11 (21H2)

Log source(s):	Microsoft-Windows-Kernel-Cache
Identifier:	{a2d34bf1-70ab-5b21-c819-5a0dd42748fd}
Event message file(s):	%systemroot%\system32\microsoft-windows-kernel-cc-events.dll

Microsoft-Windows-Kernel-Disk

Seen on:

Windows 2008
Windows 7
Windows 8.0

Log source(s):	Microsoft-Windows-Kernel-Disk
Identifier:	{c7bde69a-e1e0-4177-b6ef-283ad1525271}
Event message file(s):	%systemroot%\system32\advapi32.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-Kernel-Disk
Identifier:	{c7bde69a-e1e0-4177-b6ef-283ad1525271}
Event message file(s):	%systemroot%\system32\microsoft-windows-system-events.dll

Microsoft-Windows-Kernel-Dump

Seen on:

Windows 11 (21H2)

Log source(s):	Microsoft-Windows-Kernel-Dump
Identifier:	{17d2a329-4539-5f4d-3435-f510634ce3b9}
Event message file(s):	%systemroot%\system32\microsoft-windows-system-events.dll

Microsoft-Windows-Kernel-EventTracing

Seen on:

Windows 2008
Windows 7
Windows 8.0

Log source(s):	Microsoft-Windows-Kernel-EventTracing
Identifier:	{b675ec37-bdb6-4648-bc92-f3fdc74d3ca2}
Event message file(s):	%systemroot%\system32\advapi32.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-Kernel-EventTracing
Identifier:	{b675ec37-bdb6-4648-bc92-f3fdc74d3ca2}
Event message file(s):	%systemroot%\system32\microsoft-windows-system-events.dll

Microsoft-Windows-Kernel-File

Seen on:

Windows 2008
Windows 7
Windows 8.0

Log source(s):	Microsoft-Windows-Kernel-File
Identifier:	{edd08927-9cc4-4e65-b970-c2560fb5c289}
Event message file(s):	%systemroot%\system32\advapi32.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-Kernel-File
Identifier:	{edd08927-9cc4-4e65-b970-c2560fb5c289}
Event message file(s):	%systemroot%\system32\microsoft-windows-system-events.dll

Microsoft-Windows-Kernel-General

Seen on:

Windows 2008
Windows 7
Windows 8.0
Windows Vista

Log source(s):	Microsoft-Windows-Kernel-General
Log type:	System
Identifier:	{a68ca8b7-004f-d7b6-a698-07e2de0f1f5d}
Event message file(s):	%systemroot%\system32\advapi32.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-Kernel-General
Log type:	System
Identifier:	{a68ca8b7-004f-d7b6-a698-07e2de0f1f5d}
Event message file(s):	%systemroot%\system32\microsoft-windows-system-events.dll

Microsoft-Windows-Kernel-IO

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-Kernel-IO
Identifier:	{abf1f586-2e50-4ba8-928d-49044e6f0db7}
Event message file(s):	%systemroot%\system32\microsoft-windows-system-events.dll

Microsoft-Windows-Kernel-Interrupt-Steering

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-Kernel-Interrupt-Steering
Log type:	System
Identifier:	{951b41ea-c830-44dc-a671-e2c9958809b8}
Event message file(s):	%systemroot%\system32\microsoft-windows-kernel-processor-power-events.dll

Microsoft-Windows-Kernel-IoTrace

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-Kernel-IoTrace
Identifier:	{a103cabd-8242-4a93-8df5-1cdf3b3f26a6}
Event message file(s):	%systemroot%\system32\microsoft-windows-system-events.dll

Seen on:

Windows 8.0

Log source(s):	Microsoft-Windows-Kernel-IoTrace
Identifier:	{a103cabd-8242-4a93-8df5-1cdf3b3f26a6}
Event message file(s):	%systemroot%\system32\advapi32.dll

Microsoft-Windows-Kernel-Licensing-StartServiceTrigger

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-Kernel-Licensing-StartServiceTrigger
Identifier:	{f5528ada-be5f-4f14-8aef-a95de7281161}
Event message file(s):	%systemroot%\system32\microsoft-windows-system-events.dll

Seen on:

Windows 8.0

Log source(s):	Microsoft-Windows-Kernel-Licensing-StartServiceTrigger
Identifier:	{f5528ada-be5f-4f14-8aef-a95de7281161}
Event message file(s):	%systemroot%\system32\advapi32.dll

Microsoft-Windows-Kernel-LicensingSqm

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-Kernel-LicensingSqm
Identifier:	{a0af438f-4431-41cb-a675-a265050ee947}
Event message file(s):	%systemroot%\system32\microsoft-windows-system-events.dll

Seen on:

Windows 8.0

Log source(s):	Microsoft-Windows-Kernel-LicensingSqm
Identifier:	{a0af438f-4431-41cb-a675-a265050ee947}
Event message file(s):	%systemroot%\system32\advapi32.dll

Microsoft-Windows-Kernel-LiveDump

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-Kernel-LiveDump
Identifier:	{bef2aa8e-81cd-11e2-a7bb-5eac6188709b}
Event message file(s):	%systemroot%\system32\microsoft-windows-system-events.dll

Microsoft-Windows-Kernel-Memory

Seen on:

Windows 2008
Windows 7
Windows 8.0

Log source(s):	Microsoft-Windows-Kernel-Memory
Identifier:	{d1d93ef7-e1f2-4f45-9943-03d245fe6c00}
Event message file(s):	%systemroot%\system32\advapi32.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-Kernel-Memory
Identifier:	{d1d93ef7-e1f2-4f45-9943-03d245fe6c00}
Event message file(s):	%systemroot%\system32\microsoft-windows-system-events.dll

Microsoft-Windows-Kernel-Network

Seen on:

Windows 2008
Windows 7
Windows 8.0

Log source(s):	Microsoft-Windows-Kernel-Network
Identifier:	{7dd42a49-5329-4832-8dfd-43d979153a88}
Event message file(s):	%systemroot%\system32\advapi32.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-Kernel-Network
Identifier:	{7dd42a49-5329-4832-8dfd-43d979153a88}
Event message file(s):	%systemroot%\system32\microsoft-windows-system-events.dll

Microsoft-Windows-Kernel-Pep

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Kernel-Pep
Identifier:	{5412704e-b2e1-4624-8ffd-55777b8f7373}
Event message file(s):	%systemroot%\system32\microsoft-windows-kernel-power-events.dll

Microsoft-Windows-Kernel-PnP

Seen on:

Windows 2008
Windows 7
Windows Vista

Log source(s):	Microsoft-Windows-Kernel-PnP
Log type:	System
Identifier:	{9c205a39-1250-487d-abd7-e831c6290539}
Event message file(s):	%systemroot%\system32\advapi32.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Kernel-PnP
Log type:	System
Identifier:	{9c205a39-1250-487d-abd7-e831c6290539}
Event message file(s):	%systemroot%\system32\microsoft-windows-kernel-pnp-events.dll

Microsoft-Windows-Kernel-PnP-Rundown

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-Kernel-PnP-Rundown
Identifier:	{b3a0c2c8-83bb-4ddf-9f8d-4b22d3c38ad7}
Event message file(s):	%systemroot%\system32\microsoft-windows-kernel-pnp-events.dll

Microsoft-Windows-Kernel-Power

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Kernel-Power
Log type:	System
Identifier:	{331c3b3a-2005-44c2-ac5e-77220c37d6b4}
Event message file(s):	%systemroot%\system32\microsoft-windows-kernel-power-events.dll

Seen on:

Windows Vista

Log source(s):	Microsoft-Windows-Kernel-Power
Identifier:	{331c3b3a-2005-44c2-ac5e-77220c37d6b4}
Event message file(s):	%systemroot%\system32\advapi32.dll

Microsoft-Windows-Kernel-PowerTrigger

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Kernel-PowerTrigger
Identifier:	{aa1f73e8-15fd-45d2-abfd-e7f64f78eb11}
Event message file(s):	%systemroot%\system32\microsoft-windows-kernel-power-events.dll

Microsoft-Windows-Kernel-Prefetch

Seen on:

Windows 2008
Windows 7
Windows 8.0
Windows Vista

Log source(s):	Microsoft-Windows-Kernel-Prefetch
Identifier:	{5322d61a-9efa-4bc3-a3f9-14be95c144f8}
Event message file(s):	%systemroot%\system32\advapi32.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-Kernel-Prefetch
Identifier:	{5322d61a-9efa-4bc3-a3f9-14be95c144f8}
Event message file(s):	%systemroot%\system32\microsoft-windows-system-events.dll

Microsoft-Windows-Kernel-Prm

Seen on:

Windows 11 (21H2)

Log source(s):	Microsoft-Windows-Kernel-Prm
Identifier:	{b931ed29-66f4-576e-0579-0b8818a5dc6b}
Event message file(s):	%systemroot%\system32\microsoft-windows-system-events.dll

Microsoft-Windows-Kernel-Process

Seen on:

Windows 2008
Windows 7
Windows 8.0
Windows Vista

Log source(s):	Microsoft-Windows-Kernel-Process
Identifier:	{22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716}
Event message file(s):	%systemroot%\system32\advapi32.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-Kernel-Process
Identifier:	{22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716}
Event message file(s):	%systemroot%\system32\microsoft-windows-system-events.dll

Microsoft-Windows-Kernel-Processor-Power

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Kernel-Processor-Power
Log type:	System
Identifier:	{0f67e49f-fe51-4e9f-b490-6f2948cc6027}
Event message file(s):	%systemroot%\system32\microsoft-windows-kernel-processor-power-events.dll

Microsoft-Windows-Kernel-Registry

Seen on:

Windows 2008
Windows 7
Windows 8.0
Windows Vista

Log source(s):	Microsoft-Windows-Kernel-Registry
Identifier:	{70eb4f03-c1de-4f73-a051-33d13d5413bd}
Event message file(s):	%systemroot%\system32\advapi32.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-Kernel-Registry
Identifier:	{70eb4f03-c1de-4f73-a051-33d13d5413bd}
Event message file(s):	%systemroot%\system32\microsoft-windows-system-events.dll

Microsoft-Windows-Kernel-ShimEngine

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-Kernel-ShimEngine
Identifier:	{0bf2fb94-7b60-4b4d-9766-e82f658df540}
Event message file(s):	%systemroot%\system32\microsoft-windows-system-events.dll

Seen on:

Windows 8.0

Log source(s):	Microsoft-Windows-Kernel-ShimEngine
Identifier:	{0bf2fb94-7b60-4b4d-9766-e82f658df540}
Event message file(s):	%systemroot%\system32\advapi32.dll

Microsoft-Windows-Kernel-StoreMgr

Seen on:

Windows 2008
Windows 7
Windows 8.0

Log source(s):	Microsoft-Windows-Kernel-StoreMgr
Identifier:	{a6ad76e3-867a-4635-91b3-4904ba6374d7}
Event message file(s):	%systemroot%\system32\advapi32.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-Kernel-StoreMgr
Identifier:	{a6ad76e3-867a-4635-91b3-4904ba6374d7}
Event message file(s):	%systemroot%\system32\microsoft-windows-system-events.dll

Microsoft-Windows-Kernel-Tm

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Kernel-Tm
Log type:	System
Identifier:	{4cec9c95-a65f-4591-b5c4-30100e51d870}
Event message file(s):	%systemroot%\system32\ktmw32.dll

Seen on:

Windows Vista

Log source(s):	Microsoft-Windows-Kernel-Tm
Identifier:	{4cec9c95-a65f-4591-b5c4-30100e51d870}
Event message file(s):	%systemroot%\system32\advapi32.dll

Microsoft-Windows-Kernel-Tm-Trigger

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Kernel-Tm-Trigger
Identifier:	{ce20d1c3-a247-4c41-bcb8-3c7f52c8b805}
Event message file(s):	%systemroot%\system32\ktmw32.dll

Microsoft-Windows-Kernel-WDI

Seen on:

Windows 2008
Windows 7
Windows 8.0
Windows Vista

Log source(s):	Microsoft-Windows-Kernel-WDI
Identifier:	{2ff3e6b7-cb90-4700-9621-443f389734ed}
Event message file(s):	%systemroot%\system32\advapi32.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-Kernel-WDI
Identifier:	{2ff3e6b7-cb90-4700-9621-443f389734ed}
Event message file(s):	%systemroot%\system32\microsoft-windows-system-events.dll

Microsoft-Windows-Kernel-WHEA

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-Kernel-WHEA
Log type:	System
Identifier:	{7b563579-53c8-44e7-8236-0f87b9fe6594}
Event message file(s):	%systemroot%\system32\pshed.dll

Microsoft-Windows-Kernel-WSService-StartServiceTrigger

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-Kernel-WSService-StartServiceTrigger
Identifier:	{3635d4b6-77e3-4375-8124-d545b7149337}
Event message file(s):	%systemroot%\system32\microsoft-windows-system-events.dll

Seen on:

Windows 8.0

Log source(s):	Microsoft-Windows-Kernel-WSService-StartServiceTrigger
Identifier:	{3635d4b6-77e3-4375-8124-d545b7149337}
Event message file(s):	%systemroot%\system32\advapi32.dll

Microsoft-Windows-Kernel-XDV

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-Kernel-XDV
Log type:	System
Identifier:	{f029ac39-38f0-4a40-b7de-404d244004cb}
Event message file(s):	%systemroot%\system32\drivers\verifierext.sys

Microsoft-Windows-KernelStreaming

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-KernelStreaming
Identifier:	{548c4417-ce45-41ff-99dd-528f01ce0fe1}
Event message file(s):	%systemroot%\system32\drivers\ks.sys

Microsoft-Windows-KeyboardFilter

Seen on:

Windows 11 (21H2)
Windows 8.1

Log source(s):	Microsoft-Windows-KeyboardFilter
Identifier:	{84de80eb-86e8-4ff6-85a6-9319abd578a4}
Event message file(s):	%systemroot%\system32\keyboardfiltersvc.dll

Microsoft-Windows-KnownFolders

Seen on:

Windows 10 (1511)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-KnownFolders
Identifier:	{8939299f-2315-4c5c-9b91-abb86aa0627d}
Event message file(s):	%systemroot%\system32\shell32.dll

Seen on:

Windows 10 (1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-KnownFolders
Identifier:	{8939299f-2315-4c5c-9b91-abb86aa0627d}
Event message file(s):	%systemroot%\system32\windows.storage.dll

Microsoft-Windows-L2NACP

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-L2NACP
Identifier:	{85fe7609-ff4a-48e9-9d50-12918e43e1da}
Event message file(s):	%systemroot%\system32\l2nacp.dll

Microsoft-Windows-LDAP-Client

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-LDAP-Client
Identifier:	{099614a5-5dd7-4788-8bc9-e29f43db28fc}
Event message file(s):	%systemroot%\system32\wldap32.dll

Microsoft-Windows-LUA

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-LUA
Identifier:	{93c05d69-51a3-485e-877f-1806a8731346}
Event message file(s):	%systemroot%\system32\appinfo.dll

Seen on:

Windows Vista

Log source(s):	Microsoft-Windows-LUA
Identifier:	{93c05d69-51a3-485e-877f-1806a8731346}

Microsoft-Windows-LanGPA

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-LanGPA
Identifier:	{cb070027-1534-4cf3-98ea-b9751f508376}
Event message file(s):	%systemroot%\system32\dot3gpclnt.dll

Microsoft-Windows-LanguagePackSetup

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-LanguagePackSetup
Log type:	System
Identifier:	{7237fff9-a08a-4804-9c79-4a8704b70b87}
Event message file(s):	%systemroot%\system32\lpksetup.exe

Microsoft-Windows-LimitsManagement

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-LimitsManagement
Identifier:	{73aa0094-facb-4aeb-bd1d-a7b98dd5c799}
Event message file(s):	%systemroot%\system32\powrprof.dll

Microsoft-Windows-LinkLayerDiscoveryProtocol

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-LinkLayerDiscoveryProtocol
Identifier:	{dcbfb8f0-cd19-4f1c-a27d-23ac706ded72}
Event message file(s):	%systemroot%\system32\drivers\mslldp.sys

Microsoft-Windows-LiveId

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-LiveId
Log type:	Application
Identifier:	{05f02597-fe85-4e67-8542-69567ab8fd4f}
Event message file(s):	%systemroot%\system32\wlidres.dll

Microsoft-Windows-MCCS-AccountAccessor

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-MCCS-AccountAccessor
Identifier:	{4025d192-273d-42ec-bdf8-940ec34eedca}
Event message file(s):	%systemroot%\system32\accountaccessor.dll

Microsoft-Windows-MCCS-AccountsHost

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-MCCS-AccountsHost
Identifier:	{04eccf8e-8490-4ad1-8ed5-0ae7750e69e6}
Event message file(s):	%systemroot%\system32\aphostres.dll

Microsoft-Windows-MCCS-AccountsRT

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-MCCS-AccountsRT
Identifier:	{dd2743c6-1722-4674-9f6f-c80044c4232e}
Event message file(s):	%systemroot%\system32\accountsrt.dll

Microsoft-Windows-MCCS-ActiveSyncCsp

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-MCCS-ActiveSyncCsp
Identifier:	{602a0873-9bde-48b3-b6b7-277035293458}
Event message file(s):	%systemroot%\system32\activesynccsp.dll

Microsoft-Windows-MCCS-ActiveSyncProvider

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-MCCS-ActiveSyncProvider
Identifier:	{4a155f10-25ad-47e6-aba8-2c4f5eee7846}
Event message file(s):	%systemroot%\system32\activesyncprovider.dll

Microsoft-Windows-MCCS-DavSyncProvider

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-MCCS-DavSyncProvider
Identifier:	{5d86c4e2-8fcd-48d7-a713-9a04609c0189}
Event message file(s):	%systemroot%\system32\davsyncprovider.dll

Microsoft-Windows-MCCS-EngineShared

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-MCCS-EngineShared
Identifier:	{bf460fc6-45c5-4119-add3-e361a6e7d5ac}
Event message file(s):	%systemroot%\system32\mccsengineshared.dll

Microsoft-Windows-MCCS-InternetMail

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-MCCS-InternetMail
Identifier:	{618473bc-8eef-4868-adff-a1b640b06411}
Event message file(s):	%systemroot%\system32\internetmail.dll

Microsoft-Windows-MCCS-InternetMailCsp

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-MCCS-InternetMailCsp
Identifier:	{bec5e7a4-0527-42e8-8174-fabde799ad7f}
Event message file(s):	%systemroot%\system32\internetmailcsp.dll

Microsoft-Windows-MCCS-NetworkHelper

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-MCCS-NetworkHelper
Identifier:	{25b99a4c-2f80-4fcd-982d-69cd1f77badf}
Event message file(s):	%systemroot%\system32\networkhelper.dll

Microsoft-Windows-MCCS-SyncController

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-MCCS-SyncController
Identifier:	{7fcb9791-f481-46d1-846e-2eb6f003c4d3}
Event message file(s):	%systemroot%\system32\synccontroller.dll

Microsoft-Windows-MCCS-SyncUtil

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-MCCS-SyncUtil
Identifier:	{dca074ce-547c-4595-ae90-56229b8e3bd9}
Event message file(s):	%systemroot%\system32\syncutil.dll

Microsoft-Windows-MF

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-MF
Identifier:	{a7364e1a-894f-4b3d-a930-2ed9c8c4c811}
Event message file(s):	%systemroot%\system32\mf.dll

Microsoft-Windows-MF-FrameServer

Seen on:

Windows 10 (1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-MF-FrameServer
Identifier:	{9e22a3ed-7b32-4b99-b6c2-21dd6ace01e1}
Event message file(s):	%systemroot%\system32\frameserver.dll

Microsoft-Windows-MFH264Enc

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-MFH264Enc
Identifier:	{2a49de31-8a5b-4d3a-a904-7fc7409ae90d}
Event message file(s):	%systemroot%\system32\mfh264enc.dll

Microsoft-Windows-MMCSS

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-MMCSS
Identifier:	{36008301-e154-466c-acec-5f4cbd6b4694}
Event message file(s):	%systemroot%\system32\avrt.dll

Microsoft-Windows-MP4SDECD

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-MP4SDECD
Identifier:	{7f2bd991-ae93-454a-b219-0bc23f02262a}
Event message file(s):	%systemroot%\system32\mp4sdecd.dll

Microsoft-Windows-MPEG2_DLNA-Encoder

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-MPEG2_DLNA-Encoder
Identifier:	{86efff39-2bdd-4efd-bd0b-853d71b2a9dc}
Event message file(s):	%systemroot%\system32\msmpeg2enc.dll

Microsoft-Windows-MPS-CLNT

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-MPS-CLNT
Identifier:	{37945dc2-899b-44d1-b79c-dd4a9e57ff98}
Event message file(s):	%systemroot%\system32\mpssvc.dll

Microsoft-Windows-MPS-DRV

Seen on:

Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-MPS-DRV
Identifier:	{50bd1bfd-936b-4db3-86be-e25b96c25898}
Event message file(s):	%systemroot%\system32\mpssvc.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-MPS-DRV
Identifier:	{50bd1bfd-936b-4db3-86be-e25b96c25898}
Event message file(s):	%systemroot%\system32\drivers\mpsdrv.sys

Microsoft-Windows-MPS-SRV

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-MPS-SRV
Identifier:	{5444519f-2484-45a2-991e-953e4b54c8e0}
Event message file(s):	%systemroot%\system32\mpssvc.dll

Microsoft-Windows-MSFTEDIT

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-MSFTEDIT
Identifier:	{9640427c-7d03-4331-b8ee-fb77625bf381}
Event message file(s):	%systemroot%\system32\msftedit.dll

Microsoft-Windows-MSMPEG2ADEC

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-MSMPEG2ADEC
Identifier:	{51311de3-d55e-454a-9c58-43dc7b4c01d2}
Event message file(s):	%systemroot%\system32\msmpeg2adec.dll

Microsoft-Windows-MSMPEG2VDEC

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-MSMPEG2VDEC
Identifier:	{ae5cf422-786a-476a-ac96-753b05877c99}
Event message file(s):	%systemroot%\system32\msmpeg2vdec.dll

Microsoft-Windows-MUI

Seen on:

Windows 2008
Windows 7
Windows 8.0
Windows Vista

Log source(s):	Microsoft-Windows-MUI
Identifier:	{a8a1f2f6-a13a-45e9-b1fe-3419569e5ef2}
Event message file(s):	%systemroot%\system32\advapi32.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-MUI
Identifier:	{a8a1f2f6-a13a-45e9-b1fe-3419569e5ef2}
Event message file(s):	%systemroot%\system32\microsoft-windows-system-events.dll

Microsoft-Windows-Magnification

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Magnification
Identifier:	{c882ff1d-7585-4b33-b135-95c577179137}
Event message file(s):	%systemroot%\system32\magnification.dll

Microsoft-Windows-Management-SecureAssessment

Seen on:

Windows 10 (1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-Management-SecureAssessment
Identifier:	{a329cf81-57ec-46ed-ab7c-261a52b0754a}
Event message file(s):	%systemroot%\system32\windows.management.secureassessment.diagnostics.dll

Microsoft-Windows-MapControls

Seen on:

Windows 11 (21H2)

Log source(s):	Microsoft-Windows-MapControls
Identifier:	{acd88d21-e1d4-4483-b974-0c1da66cc529}
Event message file(s):	%systemroot%\system32\microsoft-windows-mapcontrols.dll

Microsoft-Windows-Media-Protection-PlayReady-Performance

Seen on:

Windows 10 (1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-Media-Protection-PlayReady-Performance
Identifier:	{d2402fde-7526-5a7b-501a-25dc7c9c282e}
Event message file(s):	%systemroot%\system32\windows.media.protection.playready.dll

Microsoft-Windows-Media-Streaming

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Media-Streaming
Identifier:	{982824e5-e446-46ae-bc74-836401ffb7b6}
Event message file(s):	%systemroot%\system32\windows.media.streaming.dll

Microsoft-Windows-MediaEngine

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-MediaEngine
Identifier:	{8f2048e0-f260-4f57-a8d1-932376291682}
Event message file(s):	%systemroot%\system32\mfmediaengine.dll

Microsoft-Windows-MediaFoundation-MFCaptureEngine

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-MediaFoundation-MFCaptureEngine
Identifier:	{b8197c10-845f-40ca-82ab-9341e98cfc2b}
Event message file(s):	%systemroot%\system32\mfcaptureengine.dll

Microsoft-Windows-MediaFoundation-MFReadWrite

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-MediaFoundation-MFReadWrite
Identifier:	{4b7eac67-fc53-448c-a49d-7cc6db524da7}
Event message file(s):	%systemroot%\system32\mfreadwrite.dll

Microsoft-Windows-MediaFoundation-MSVProc

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-MediaFoundation-MSVProc
Identifier:	{a4112d1a-6dfa-476e-bb75-e350d24934e1}
Event message file(s):	%systemroot%\system32\msvproc.dll

Microsoft-Windows-MediaFoundation-Performance

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-MediaFoundation-Performance
Identifier:	{f404b94e-27e0-4384-bfe8-1d8d390b0aa3}
Event message file(s):	%systemroot%\system32\mfplat.dll

Microsoft-Windows-MediaFoundation-Performance-Core

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.1

Log source(s):	Microsoft-Windows-MediaFoundation-Performance-Core
Identifier:	{b20e65ac-c905-4014-8f78-1b6a508142eb}
Event message file(s):	%systemroot%\system32\mfcore.dll

Microsoft-Windows-MediaFoundation-Platform

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-MediaFoundation-Platform
Identifier:	{bc97b970-d001-482f-8745-b8d7d5759f99}
Event message file(s):	%systemroot%\system32\mfplat.dll

Microsoft-Windows-MediaFoundation-PlayAPI

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-MediaFoundation-PlayAPI
Identifier:	{b65471e1-019d-436f-bc38-e15fa8e87f53}
Event message file(s):	%systemroot%\system32\mfplay.dll

Microsoft-Windows-Memory-Diagnostic-Task-Handler

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Memory-Diagnostic-Task-Handler
Log type:	System
Identifier:	{babda89a-4d5e-48eb-af3d-e0e8410207c0}
Event message file(s):	%systemroot%\system32\memorydiagnostic.dll

Microsoft-Windows-MemoryDiagnostics-Results

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-MemoryDiagnostics-Results
Log type:	System
Identifier:	{5f92bc59-248f-4111-86a9-e393e12c6139}
Event message file(s):	%systemroot%\system32\relpost.exe

Microsoft-Windows-MemoryDiagnostics-Schedule

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-MemoryDiagnostics-Schedule
Log type:	System
Identifier:	{73e9c9de-a148-41f7-b1db-4da051fdc327}
Event message file(s):	%systemroot%\system32\mdsched.exe

Microsoft-Windows-Minstore

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-Minstore
Identifier:	{55b24b1d-dd9c-44c0-ba77-4f749f1b6976}
Event message file(s):	%systemroot%\system32\minstoreevents.dll

Microsoft-Windows-Mobile-Broadband-Experience-Api

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Mobile-Broadband-Experience-Api
Identifier:	{2e2bbb16-0c36-4b9b-a567-40924a199fd5}
Event message file(s):	%systemroot%\system32\mbaeapipublic.dll

Microsoft-Windows-Mobile-Broadband-Experience-Api-Internal

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Mobile-Broadband-Experience-Api-Internal
Identifier:	{2aabd03b-f48b-419a-b4ce-7a14403f4a46}
Event message file(s):	%systemroot%\system32\mbaeapi.dll

Microsoft-Windows-Mobile-Broadband-Experience-SmsApi

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Mobile-Broadband-Experience-SmsApi
Identifier:	{0ff1c24b-7f05-45c0-abdc-3c8521be4f62}
Event message file(s):	%systemroot%\system32\mbsmsapi.dll

Microsoft-Windows-MobilityCenter

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-MobilityCenter
Identifier:	{91f42016-0b4e-4a4b-9bbb-825d06cbed35}
Event message file(s):	%systemroot%\system32\mblctr.exe

Microsoft-Windows-ModernDeployment-Diagnostics-Provider

Seen on:

Windows 10 (1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-ModernDeployment-Diagnostics-Provider
Identifier:	{bab3ad92-fb96-5902-450b-b8421bdec7bd}
Event message file(s):	%systemroot%\system32\autopilotdiag.dll

Microsoft-Windows-MosHost

Seen on:

Windows 11 (21H2)

Log source(s):	Microsoft-Windows-MosHost
Identifier:	{d116f0f2-a6d6-4f1f-bdda-0c88c8d1f2e9}
Event message file(s):	%systemroot%\system32\microsoft-windows-moshost.dll

Microsoft-Windows-MountMgr

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012

Log source(s):	Microsoft-Windows-MountMgr
Log type:	System
Identifier:	{e3bac9f8-27be-4823-8d7f-1cc320c05fa7}
Event message file(s):	%systemroot%\system32\drivers\mountmgr.sys

Microsoft-Windows-Mprddm

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Mprddm
Identifier:	{3a5bef13-d0f7-4e7f-9ec8-5e707df711d0}
Event message file(s):	%systemroot%\system32\mprddm.dll

Microsoft-Windows-MsiServer

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-MsiServer
Identifier:	{17e92e2a-3d08-413e-baeb-a79a262bf486}
Event message file(s):	%systemroot%\system32\msimsg.dll

Microsoft-Windows-NCSI

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-NCSI
Identifier:	{314de49f-ce63-4779-ba2b-d616f6963a88}
Event message file(s):	%systemroot%\system32\ncsi.dll

Microsoft-Windows-NDF-HelperClassDiscovery

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-NDF-HelperClassDiscovery
Identifier:	{fc3bc8a7-2f61-449c-a8b4-22ac22058f92}
Event message file(s):	%systemroot%\system32\netdiagfx.dll

Microsoft-Windows-NDIS

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-NDIS
Identifier:	{cdead503-17f5-4a3e-b7ae-df8cc2902eb9}
Event message file(s):	%systemroot%\system32\drivers\ndis.sys

Microsoft-Windows-NDIS-PacketCapture

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-NDIS-PacketCapture
Identifier:	{2ed6006e-4729-4609-b423-3ee7bcd678ef}
Event message file(s):	%systemroot%\system32\drivers\ndiscap.sys

Microsoft-Windows-NTLM

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-NTLM
Identifier:	{ac43300d-5fcc-4800-8e99-1bd3f85f0320}
Event message file(s):	%systemroot%\system32\msv1_0.dll

Microsoft-Windows-NWiFi

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-NWiFi
Identifier:	{0bd3506a-9030-4f76-9b88-3e8fe1f7cfb6}
Event message file(s):	%systemroot%\system32\drivers\nwifi.sys

Microsoft-Windows-Narrator

Seen on:

Windows 2008
Windows 7

Log source(s):	Microsoft-Windows-Narrator
Identifier:	{835b79e2-e76a-44c4-9885-26ad122d3b4d}
Event message file(s):	%systemroot%\system32\narrator.exe

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Narrator
Identifier:	{835b79e2-e76a-44c4-9885-26ad122d3b4d}
Event message file(s):	%systemroot%\system32\srh.dll

Microsoft-Windows-Ncasvc

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Ncasvc
Identifier:	{126ded58-a28d-4113-8e7a-59d7444b2af1}
Event message file(s):	%systemroot%\system32\ncasvc.dll

Microsoft-Windows-NcdAutoSetup

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-NcdAutoSetup
Identifier:	{ec23f986-ae2d-4269-b52f-4e20765c1a94}
Event message file(s):	%systemroot%\system32\ncdautosetup.dll

Microsoft-Windows-NdisImPlatformEventProvider

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-NdisImPlatformEventProvider
Identifier:	{11c5d8ad-756a-42c2-8087-eb1b4a72a846}
Event message file(s):	%systemroot%\system32\drivers\ndisimplatform.sys

Microsoft-Windows-NdisImPlatformSysEvtProvider

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-NdisImPlatformSysEvtProvider
	NdisImPlatformSysEvtProvider
Log type:	System
Identifier:	{62de9e48-90c6-4755-8813-6a7d655b0802}
Event message file(s):	%systemroot%\system32\drivers\ndisimplatform.sys

Microsoft-Windows-Ndu

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Ndu
Identifier:	{df271536-4298-45e1-b0f2-e88f78619c5d}
Event message file(s):	%systemroot%\system32\drivers\ndu.sys

Microsoft-Windows-Netshell

Seen on:

Windows 2008
Windows 7

Log source(s):	Microsoft-Windows-Netshell
Identifier:	{af2e340c-0743-4f5a-b2d3-2f7225d215de}
Event message file(s):	%systemroot%\system32\pnidui.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Netshell
Identifier:	{af2e340c-0743-4f5a-b2d3-2f7225d215de}
Event message file(s):	%systemroot%\system32\netshell.dll

Microsoft-Windows-Network-Connection-Broker

Seen on:

Windows 8.0

Log source(s):	Microsoft-Windows-Network-Connection-Broker
Identifier:	{3eb875eb-8f4a-4800-a00b-e484c97d7551}
Event message file(s):	%systemroot%\system32\iphlpsvc.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.1

Log source(s):	Microsoft-Windows-Network-Connection-Broker
Identifier:	{3eb875eb-8f4a-4800-a00b-e484c97d7551}
Event message file(s):	%systemroot%\system32\ncbservice.dll

Microsoft-Windows-Network-DataUsage

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Network-DataUsage
Identifier:	{5c1c9ab3-8689-4e41-90fa-85858306d7b7}
Event message file(s):	%systemroot%\system32\datusage.dll

Microsoft-Windows-Network-ExecutionContext

Seen on:

Windows 11 (21H2)

Log source(s):	Microsoft-Windows-Network-ExecutionContext
Log type:	System
Identifier:	{0075e1ab-e1d1-5d1f-35f5-da36fb4f41b1}
Event message file(s):	%systemroot%\system32\drivers\executioncontext.sys

Microsoft-Windows-Network-Setup

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-Network-Setup
Identifier:	{a111f1c2-5923-47c0-9a68-d0bafb577901}
Event message file(s):	%systemroot%\system32\netsetupsvc.dll

Microsoft-Windows-NetworkBridge

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-NetworkBridge
Log type:	System
Identifier:	{a67075c2-3e39-4109-b6cd-6d750058a731}
Event message file(s):	%systemroot%\system32\drivers\bridge.sys

Microsoft-Windows-NetworkGCW

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-NetworkGCW
Identifier:	{be932b00-0f8e-4386-ab89-873f7d0274aa}
Event message file(s):	%systemroot%\system32\connect.dll

Microsoft-Windows-NetworkManagerTriggerProvider

Seen on:

Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-NetworkManagerTriggerProvider
Identifier:	{9b307223-4e4d-4bf5-9be8-995cd8e7420b}
Event message file(s):	%systemroot%\system32\ws2_32.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-NetworkManagerTriggerProvider
Identifier:	{9b307223-4e4d-4bf5-9be8-995cd8e7420b}
Event message file(s):	%systemroot%\system32\drivers\afd.sys

Microsoft-Windows-NetworkProfile

Seen on:

Windows 2008
Windows 7

Log source(s):	Microsoft-Windows-NetworkProfile
Identifier:	{fbcfac3f-8459-419f-8e48-1f0b49cdb85e}
Event message file(s):	%systemroot%\system32\netprofm.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-NetworkProfile
Identifier:	{fbcfac3f-8459-419f-8e48-1f0b49cdb85e}
Event message file(s):	%systemroot%\system32\netprofmsvc.dll

Microsoft-Windows-NetworkProfileTriggerProvider

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-NetworkProfileTriggerProvider
Identifier:	{fbcfac3f-8460-419f-8e48-1f0b49cdb85e}
Event message file(s):	%systemroot%\system32\netprofmsvc.dll

Microsoft-Windows-NetworkProvider

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-NetworkProvider
Identifier:	{1e9a4978-78c2-441e-8858-75b5d1326bc5}
Event message file(s):	%systemroot%\system32\drivers\mup.sys

Microsoft-Windows-NetworkProvisioning

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-NetworkProvisioning
Identifier:	{93a19ab3-fb2c-46eb-91ef-56b0a318b983}
Event message file(s):	%systemroot%\system32\provcore.dll

Microsoft-Windows-NetworkSecurity

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-NetworkSecurity
Identifier:	{7b702970-90bc-4584-8b20-c0799086ee5a}
Event message file(s):	%systemroot%\system32\fwpuclnt.dll

Microsoft-Windows-Networking-Correlation

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Networking-Correlation
Identifier:	{83ed54f0-4d48-4e45-b16e-726ffd1fa4af}
Event message file(s):	%systemroot%\system32\nettrace.dll

Microsoft-Windows-Networking-RealTimeCommunication

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Networking-RealTimeCommunication
Identifier:	{1e39b4ce-d1e6-46ce-b65b-5ab05d6cc266}
Event message file(s):	%systemroot%\system32\windows.networking.sockets.pushenabledapplication.dll

Microsoft-Windows-NlaSvc

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-NlaSvc
Identifier:	{63b530f8-29c9-4880-a5b4-b8179096e7b8}
Event message file(s):	%systemroot%\system32\nlasvc.dll

Seen on:

Windows 11 (21H2)

Log source(s):	Microsoft-Windows-NlaSvc
Identifier:	{63b530f8-29c9-4880-a5b4-b8179096e7b8}
Event message file(s):	%systemroot%\system32\netprofmsvc.dll

Microsoft-Windows-Ntfs

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Ntfs
Log type:	System
Identifier:	{3ff37a1c-a68d-4d6e-8c9b-f79e8b16c482}
Event message file(s):	%systemroot%\system32\drivers\ntfs.sys

Microsoft-Windows-Ntfs-UBPM

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Ntfs-UBPM
Log type:	System
Identifier:	{8e6a5303-a4ce-498f-afdb-e03a8a82b077}
Event message file(s):	%systemroot%\system32\drivers\ntfs.sys

Microsoft-Windows-NtfsLog_2fa848f80350371e48dfc224687745af

Seen on:

Windows 11 (21H2)

Log source(s):	Microsoft-Windows-NtfsLog_2fa848f80350371e48dfc224687745af
Identifier:	{2fa848f8-0350-371e-48df-c224687745af}
Event message file(s):	%systemroot%\system32\ntfsres.dll

Microsoft-Windows-NvmeDisk

Seen on:

Windows 11 (21H2)

Log source(s):	Microsoft-Windows-NvmeDisk
Identifier:	{9799276c-fb04-47e8-845e-36946045c218}
Event message file(s):	%systemroot%\system32\drivers\nvmedisk.sys

Microsoft-Windows-OLE-Perf

Seen on:

Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-OLE-Perf
Identifier:	{84958368-7da7-49a0-b33d-07fabb879626}
Event message file(s):	%systemroot%\system32\combase.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-OLE-Perf
Identifier:	{84958368-7da7-49a0-b33d-07fabb879626}
Event message file(s):	%systemroot%\system32\ole32.dll

Microsoft-Windows-OLEACC

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-OLEACC
Identifier:	{19d2c934-ee9b-49e5-aaeb-9cce721d2c65}
Event message file(s):	%systemroot%\system32\oleaccrc.dll

Microsoft-Windows-OOBE-FirstLogonAnim

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-OOBE-FirstLogonAnim
Identifier:	{2d4c0c5e-6704-493a-a44b-f5add4fc9283}
Event message file(s):	%systemroot%\system32\oobe\msoobefirstlogonanim.dll

Microsoft-Windows-OOBE-Machine-Core

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-OOBE-Machine-Core
Identifier:	{ec276cde-2a17-473c-a010-2ff78d5426d2}
Event message file(s):	%systemroot%\system32\oobe\msoobe.exe

Microsoft-Windows-OOBE-Machine-DUI

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-OOBE-Machine-DUI
Identifier:	{f5dbaa02-15d6-4644-a784-7032d508bf64}
Event message file(s):	%systemroot%\system32\oobe\msoobedui.dll

Microsoft-Windows-OOBE-Machine-Plugins-Wireless

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-OOBE-Machine-Plugins-Wireless
Identifier:	{0f352580-e9e2-46c2-8336-6ac66e986416}
Event message file(s):	%systemroot%\system32\oobe\msoobewirelessplugin.dll

Microsoft-Windows-OfflineFiles

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-OfflineFiles
Identifier:	{95353826-4fbe-41d4-9c42-f521c6e86360}
Event message file(s):	%systemroot%\system32\cscsvc.dll

Microsoft-Windows-OneBackup

Seen on:

Windows 10 (1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-OneBackup
Identifier:	{72561cf0-c85c-4f78-9e8d-cba9093df62d}
Event message file(s):	%systemroot%\system32\onebackuphandler.dll

Microsoft-Windows-OneX

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-OneX
Identifier:	{ab0d8ef9-866d-4d39-b83f-453f3b8f6325}
Event message file(s):	%systemroot%\system32\onex.dll

Microsoft-Windows-OobeLdr

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-OobeLdr
Identifier:	{75ebc33e-8670-4eb6-b535-3b9d6bb222fd}
Event message file(s):	%systemroot%\system32\oobe\oobeldr.exe

Microsoft-Windows-OtpCredentialProviderEvt

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-OtpCredentialProviderEvt
Identifier:	{5cad485a-210f-4c16-80c5-f892de74e28d}
Event message file(s):	%systemroot%\system32\daotpcredentialprovider.dll

Microsoft-Windows-OverlayFilter

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-OverlayFilter
Log type:	System
Identifier:	{46c78e5c-a213-46a8-8a6b-622f6916201d}
Event message file(s):	%systemroot%\system32\drivers\wof.sys

Microsoft-Windows-P2PIMSvc

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-P2PIMSvc
	P2PIMSvc
Log type:	System
Identifier:	{2992e9cf-4f99-48f5-a0b6-b99b11cd387d}
Event message file(s):	%systemroot%\system32\pnrpsvc.dll

Microsoft-Windows-PCI

Seen on:

Windows 2008
Windows 7
Windows 8.0

Log source(s):	Microsoft-Windows-PCI
Identifier:	{1a9443d4-b099-44d6-8eb1-829b9c2fe290}
Event message file(s):	%systemroot%\system32\advapi32.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-PCI
Identifier:	{1a9443d4-b099-44d6-8eb1-829b9c2fe290}
Event message file(s):	%systemroot%\system32\microsoft-windows-system-events.dll

Microsoft-Windows-PDC

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-PDC
Identifier:	{a6bf0deb-3659-40ad-9f81-e25af62ce3c7}
Event message file(s):	%systemroot%\system32\microsoft-windows-pdc.dll

Microsoft-Windows-PDFReader

Seen on:

Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-PDFReader
Identifier:	{dfa86faa-2c55-4140-bff9-5cc586217a7b}
Event message file(s):	%systemroot%\system32\glcndfilter.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-PDFReader
Identifier:	{dfa86faa-2c55-4140-bff9-5cc586217a7b}
Event message file(s):	%systemroot%\system32\windows.data.pdf.dll

Microsoft-Windows-PDH

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-PDH
	PDH
Log type:	Application
Identifier:	{04d66358-c4a1-419b-8023-23b73902de2c}
Event message file(s):	%systemroot%\system32\pdh.dll

Microsoft-Windows-PNRPSvc

Seen on:

Windows Vista

Log source(s):	Microsoft-Windows-PNRPSvc
	PNRPSvc
Log type:	System
Identifier:	{bbe94f36-f8dc-4c33-8227-81602b7a3d53}
Event message file(s):	%systemroot%\system32\p2psvc.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-PNRPSvc
	PNRPSvc
Log type:	System
Identifier:	{bbe94f36-f8dc-4c33-8227-81602b7a3d53}
Event message file(s):	%systemroot%\system32\pnrpsvc.dll

Microsoft-Windows-ParentalControls

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-ParentalControls
Identifier:	{01090065-b467-4503-9b28-533766761087}
Event message file(s):	%systemroot%\system32\wpc.dll

Microsoft-Windows-Partition

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-Partition
Identifier:	{412bdff2-a8c4-470d-8f33-63fe0d8c20e2}
Event message file(s):	%systemroot%\system32\drivers\partmgr.sys

Microsoft-Windows-PeerToPeerDrtEventProvider

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-PeerToPeerDrtEventProvider
Identifier:	{40ae003c-6f3d-4590-ae1c-0e8be526b50f}
Event message file(s):	%systemroot%\system32\drt.dll

Microsoft-Windows-PerceptionRuntime

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-PerceptionRuntime
Identifier:	{add0de40-32b0-4b58-9d5e-938b2f5c1d1f}
Event message file(s):	%systemroot%\system32\windows.devices.perception.dll

Microsoft-Windows-PerceptionSensorDataService

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-PerceptionSensorDataService
Identifier:	{85be49ea-38f1-4547-a604-80060202fb27}
Event message file(s):	%systemroot%\system32\sensordataservice.exe

Microsoft-Windows-PerfDisk

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-PerfDisk
	PerfDisk
Log type:	Application
Identifier:	{7f9d83de-8abb-457f-98e8-4ad161449ecc}
Event message file(s):	%systemroot%\system32\perfdisk.dll

Microsoft-Windows-PerfNet

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-PerfNet
	PerfNet
Log type:	Application
Identifier:	{cab2b8a5-49b9-4eec-b1b0-fac21da05a3b}
Event message file(s):	%systemroot%\system32\perfnet.dll

Microsoft-Windows-PerfOS

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-PerfOS
	PerfOs
Log type:	Application
Identifier:	{f82fb576-e941-4956-a2c7-a0cf83f6450a}
Event message file(s):	%systemroot%\system32\perfos.dll

Microsoft-Windows-PerfProc

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-PerfProc
	PerfProc
Log type:	Application
Identifier:	{72d211e1-4c54-4a93-9520-4901681b2271}
Event message file(s):	%systemroot%\system32\perfproc.dll

Microsoft-Windows-Perflib

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-Perflib
	Perflib
Log type:	Application
Identifier:	{13b197bd-7cee-4b4e-8dd0-59314ce374ce}
Event message file(s):	%systemroot%\system32\prflbmsg.dll

Microsoft-Windows-Performance-Recorder-Control

Seen on:

Windows 10 (1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-Performance-Recorder-Control
Identifier:	{36b6f488-aad7-48c2-afe3-d4ec2c8b46fa}
Event message file(s):	%systemroot%\system32\windowsperformancerecordercontrol.dll

Microsoft-Windows-PersistentMemory-Nvdimm

Seen on:

Windows 10 (1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-PersistentMemory-Nvdimm
Log type:	System
Identifier:	{a7f2235f-be51-51ed-decf-f4498812a9a2}
Event message file(s):	%systemroot%\system32\drivers\nvdimm.sys

Microsoft-Windows-PersistentMemory-PmemDisk

Seen on:

Windows 10 (1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-PersistentMemory-PmemDisk
Log type:	System
Identifier:	{0fa2ee03-1feb-5057-3bb3-eb25521b8482}
Event message file(s):	%systemroot%\system32\drivers\pmem.sys

Microsoft-Windows-PersistentMemory-ScmBus

Seen on:

Windows 10 (1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-PersistentMemory-ScmBus
Identifier:	{c03715ce-ea6f-5b67-4449-da1d1e1afeb8}
Event message file(s):	%systemroot%\system32\drivers\scmbus.sys

Microsoft-Windows-Photo-Image-Codec

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Photo-Image-Codec
Identifier:	{be3a31ea-aa6c-4196-9dcc-9ca13a49e09f}
Event message file(s):	%systemroot%\system32\wmphoto.dll

Microsoft-Windows-PhotoAcq

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-PhotoAcq
Identifier:	{76cfa528-b26e-b773-62d0-9588270442a6}
Event message file(s):	%programfiles%\windows photo viewer\photoacq.dll

Microsoft-Windows-PktMon

Seen on:

Windows 10 (1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-PktMon
Identifier:	{4d4f80d9-c8bd-4d73-bb5b-19c90402c5ac}
Event message file(s):	%systemroot%\system32\drivers\pktmon.sys

Microsoft-Windows-PlayToManager

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-PlayToManager
Identifier:	{bb311100-2d9f-4cd3-b2d6-f4ea3839c548}
Event message file(s):	%systemroot%\system32\playtomanager.dll

Microsoft-Windows-PortableDeviceStatusProvider

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-PortableDeviceStatusProvider
Identifier:	{8c63b5a5-b484-4381-892d-edd424582df7}
Event message file(s):	%systemroot%\system32\portabledevicestatus.dll

Microsoft-Windows-PortableDeviceSyncProvider

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-PortableDeviceSyncProvider
Identifier:	{a3e1697b-a12c-46b9-84d1-7ffe73c4b678}
Event message file(s):	%systemroot%\system32\portabledevicesyncprovider.dll

Microsoft-Windows-Power-CAD

Seen on:

Windows 10 (1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-Power-CAD
Identifier:	{daba4d32-cc40-4266-bb95-c30344dbc680}
Event message file(s):	%systemroot%\system32\microsoft-windows-power-cad-events.dll

Microsoft-Windows-Power-Meter-Polling

Seen on:

Windows 10 (1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-Power-Meter-Polling
Log type:	System
Identifier:	{306c4e0b-e148-543d-315b-c618eb93157c}
Event message file(s):	%systemroot%\system32\umpoext.dll

Microsoft-Windows-Power-Troubleshooter

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-Power-Troubleshooter
Log type:	System
Identifier:	{cdc05e28-c449-49c6-b9d2-88cf761644df}
Event message file(s):	%systemroot%\system32\pots.dll

Microsoft-Windows-PowerCfg

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-PowerCfg
Identifier:	{9f0c4ea8-ec01-4200-a00d-b9701cbea5d8}
Event message file(s):	%systemroot%\system32\powercfg.cpl

Microsoft-Windows-PowerCpl

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-PowerCpl
Identifier:	{b1f90b27-4551-49d6-b2bd-dfc6453762a6}
Event message file(s):	%systemroot%\system32\powercpl.dll

Microsoft-Windows-PowerShell

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-PowerShell
Identifier:	{a0c1853b-5c40-4b15-8766-3cf1c58f985a}
Event message file(s):	%systemroot%\system32\windowspowershell\v1.0\psevents.dll

Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager
Identifier:	{aaf67066-0bf8-469f-ab76-275590c434ee}
Event message file(s):	%systemroot%\system32\dsc\psdscfiledownloadmanagerevents.dll

Microsoft-Windows-PrimaryNetworkIcon

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-PrimaryNetworkIcon
Identifier:	{8ce93926-bdae-4409-9155-2fe4799ef4d3}
Event message file(s):	%systemroot%\system32\pnidui.dll

Microsoft-Windows-PrintBRM

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-PrintBRM
	PrintBrm
Log type:	Application
Identifier:	{cf3f502e-b40d-4071-996f-00981edf938e}
Event message file(s):	%systemroot%\system32\spool\tools\printbrmengine.exe

Microsoft-Windows-PrintService

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-PrintService
	Print
Log type:	System
Identifier:	{747ef6fd-e535-4d16-b510-42c90f6873a1}
Event message file(s):	%systemroot%\system32\ntprint.dll

Microsoft-Windows-PrintService-USBMon

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-PrintService-USBMon
Identifier:	{7f812073-b28d-4afc-9ced-b8010f914ef6}
Event message file(s):	%systemroot%\system32\usbmon.dll

Microsoft-Windows-Privacy-Auditing

Seen on:

Windows 10 (2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-Privacy-Auditing
Identifier:	{d67fbb76-d18a-5ae3-24a3-8c1db52d6c62}
Event message file(s):	%systemroot%\system32\capabilityaccessmanager.dll

Microsoft-Windows-Privacy-Auditing-Activity-History-Privacy-Settings

Seen on:

Windows 10 (2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-Privacy-Auditing-Activity-History-Privacy-Settings
Identifier:	{63dd5dfb-2488-5e1f-7895-d49ff5bc7125}
Event message file(s):	%systemroot%\system32\windows.data.activities.dll

Microsoft-Windows-Privacy-Auditing-CPSS

Seen on:

Windows 11 (21H2)

Log source(s):	Microsoft-Windows-Privacy-Auditing-CPSS
Identifier:	{15f4cd44-ca53-5422-db17-4e76821b5a69}
Event message file(s):	%systemroot%\system32\coreprivacysettingsstore.dll

Microsoft-Windows-Privacy-Auditing-DiagnosticData

Seen on:

Windows 10 (2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-Privacy-Auditing-DiagnosticData
Identifier:	{d3610dca-4501-5a5d-21a7-30ca91130711}
Event message file(s):	%systemroot%\system32\diagtrack.dll

Microsoft-Windows-Privacy-Auditing-ImproveInkingAndTyping

Seen on:

Windows 10 (2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-Privacy-Auditing-ImproveInkingAndTyping
Identifier:	{34b02aa4-be24-55e0-4eb1-d29469a2d79c}
Event message file(s):	%systemroot%\system32\mtffuzzyds.dll

Microsoft-Windows-Privacy-Auditing-OneSettingsClient

Seen on:

Windows 11 (21H2)

Log source(s):	Microsoft-Windows-Privacy-Auditing-OneSettingsClient
Identifier:	{23f0f2c7-c77c-51ee-0ac1-5ac7796a85df}
Event message file(s):	%systemroot%\system32\onesettingsclient.dll

Microsoft-Windows-Privacy-Auditing-PersonalInkingAndTyping

Seen on:

Windows 10 (2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-Privacy-Auditing-PersonalInkingAndTyping
Identifier:	{aa018a01-3747-532b-94ec-5d87dc3a5085}
Event message file(s):	%systemroot%\system32\mtffuzzyds.dll

Microsoft-Windows-Privacy-Auditing-TailoredExperiences

Seen on:

Windows 10 (2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-Privacy-Auditing-TailoredExperiences
Identifier:	{1bd672b8-445e-53fc-35ef-09f53672c385}
Event message file(s):	%systemroot%\system32\diagtrack.dll

Microsoft-Windows-ProcessExitMonitor

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-ProcessExitMonitor
	Process Exit Monitor
Log type:	Application
Identifier:	{fd771d53-8492-4057-8e35-8c02813af49b}
Event message file(s):	%systemroot%\system32\werfault.exe

Microsoft-Windows-ProcessStateManager

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-ProcessStateManager
Identifier:	{d49918cf-9489-4bf1-9d7b-014d864cf71f}
Event message file(s):	%systemroot%\system32\psmsrv.dll

Microsoft-Windows-Processor-Aggregator

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Processor-Aggregator
Identifier:	{cba16cf2-2fab-49f8-89ae-894e718649e7}
Event message file(s):	%systemroot%\system32\microsoft-windows-processor-aggregator-events.dll

Microsoft-Windows-Program-Compatibility-Assistant

Seen on:

Windows Vista

Log source(s):	Microsoft-Windows-Program-Compatibility-Assistant
Identifier:	{4cb314df-c11f-47d7-9c04-65fb0051561b}
Event message file(s):	%systemroot%\system32\pcaui.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Program-Compatibility-Assistant
Identifier:	{4cb314df-c11f-47d7-9c04-65fb0051561b}
Event message file(s):	%systemroot%\system32\pcaevts.dll

Microsoft-Windows-Provisioning-Diagnostics-Provider

Seen on:

Windows 10 (1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-Provisioning-Diagnostics-Provider
Identifier:	{ed8b9bd3-f66e-4ff2-b86b-75c7925f72a9}
Event message file(s):	%systemroot%\system32\provdiagnostics.dll

Microsoft-Windows-Proximity-Common

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Proximity-Common
Identifier:	{28058203-d394-4afc-b2a6-2f9155a3bb95}
Event message file(s):	%systemroot%\system32\proximitycommon.dll

Microsoft-Windows-Push-To-Install-Service

Seen on:

Windows 10 (1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-Push-To-Install-Service
Identifier:	{3a718a68-6974-4075-abd3-e8243caef398}
Event message file(s):	%systemroot%\system32\pushtoinstall.dll

Microsoft-Windows-PushNotifications-Developer

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-PushNotifications-Developer
Identifier:	{5cad3597-5fec-4c62-9ce1-9d7abc723d3a}
Event message file(s):	%systemroot%\system32\wpnapps.dll

Microsoft-Windows-PushNotifications-InProc

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-PushNotifications-InProc
Identifier:	{815a1f4a-3f8d-4b37-9b31-5142f9d724a5}
Event message file(s):	%systemroot%\system32\wpninprc.dll

Microsoft-Windows-PushNotifications-Platform

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-PushNotifications-Platform
Identifier:	{88cd9180-4491-4640-b571-e3bee2527943}
Event message file(s):	%systemroot%\system32\wpncore.dll

Microsoft-Windows-QoS-Pacer

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-QoS-Pacer
Identifier:	{914ed502-b70d-4add-b758-95692854f8a3}
Event message file(s):	%systemroot%\system32\drivers\pacer.sys

Microsoft-Windows-QoS-qWAVE

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-QoS-qWAVE
Identifier:	{6ba132c4-da49-415b-a7f4-31870dc9fe25}
Event message file(s):	%systemroot%\system32\qwave.dll

Microsoft-Windows-RPC

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-RPC
Identifier:	{6ad52b32-d609-4be9-ae07-ce8dae937e39}
Event message file(s):	%systemroot%\system32\rpcrt4.dll

Microsoft-Windows-RPC-Events

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-RPC-Events
Log type:	Application
Identifier:	{f4aed7c7-a898-4627-b053-44a7caa12fcd}
Event message file(s):	%systemroot%\system32\rpcrt4.dll

Microsoft-Windows-RPC-FirewallManager

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-RPC-FirewallManager
Identifier:	{f997cd11-0fc9-4ab4-acba-bc742a4c0dd3}
Event message file(s):	%systemroot%\system32\rpcepmap.dll

Microsoft-Windows-RPC-Proxy-LBS

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-RPC-Proxy-LBS
Identifier:	{272a979b-34b5-48ec-94f5-7225a59c85a0}
Event message file(s):	%systemroot%\system32\rpchttp.dll

Microsoft-Windows-RPCSS

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-RPCSS
Identifier:	{d8975f88-7ddb-4ed0-91bf-3adf48c48e0c}
Event message file(s):	%systemroot%\system32\rpcepmap.dll

Seen on:

Windows Vista

Log source(s):	Microsoft-Windows-RPCSS
Identifier:	{d8975f88-7ddb-4ed0-91bf-3adf48c48e0c}
Event message file(s):	%systemroot%\system32\rpcss.dll

Microsoft-Windows-RRAS

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-RRAS
Identifier:	{24989972-0967-4e21-a926-93854033638e}
Event message file(s):	%systemroot%\system32\rtutils.dll

Microsoft-Windows-RTWorkQueue-Extended

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-RTWorkQueue-Extended
Identifier:	{83faaa86-63c8-4dd8-a2da-fbadddfc0655}
Event message file(s):	%systemroot%\system32\rtworkq.dll

Microsoft-Windows-RTWorkQueue-Threading

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-RTWorkQueue-Threading
Identifier:	{e18d0fc9-9515-4232-98e4-89e456d8551b}
Event message file(s):	%systemroot%\system32\rtworkq.dll

Microsoft-Windows-RadioManager

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-RadioManager
Identifier:	{92061e3d-21cd-45bc-a3df-0e8ae5e8580a}
Event message file(s):	%systemroot%\system32\rmapi.dll

Microsoft-Windows-Ras-AgileVpn

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-Ras-AgileVpn
Identifier:	{b5325cd6-438e-4ec1-aa46-14f46f2570e4}
Event message file(s):	%systemroot%\system32\drivers\agilevpn.sys

Microsoft-Windows-Ras-NdisWanPacketCapture

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-Ras-NdisWanPacketCapture
Identifier:	{d84521f7-2235-4237-a7c0-14e3a9676286}
Event message file(s):	%systemroot%\system32\drivers\ndiswan.sys

Microsoft-Windows-RasSstp

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-RasSstp
	RasSstp
Log type:	System
Identifier:	{6c260f2c-049a-43d8-bf4d-d350a4e6611a}
Event message file(s):	%systemroot%\system32\sstpsvc.dll

Microsoft-Windows-ReFS

Seen on:

Windows 10 (1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-ReFS
Log type:	System
Identifier:	{cd9c6198-bf73-4106-803b-c17d26559018}
Event message file(s):	%systemroot%\system32\drivers\refs.sys

Microsoft-Windows-ReFS-v1

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-ReFS-v1
Log type:	System
Identifier:	{059f0f37-910e-4ff0-a7ee-ae8d49dd319b}
Event message file(s):	%systemroot%\system32\drivers\refsv1.sys

Microsoft-Windows-ReadyBoost

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-ReadyBoost
Identifier:	{e6307a09-292c-497e-aad6-498f68e2b619}
Event message file(s):	%systemroot%\system32\sysmain.dll

Seen on:

Windows Vista

Log source(s):	Microsoft-Windows-ReadyBoost
Identifier:	{e6307a09-292c-497e-aad6-498f68e2b619}
Event message file(s):	%systemroot%\system32\emdmgmt.dll

Microsoft-Windows-ReadyBoostDriver

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-ReadyBoostDriver
Identifier:	{2a274310-42d5-4019-b816-e4b8c7abe95c}
Event message file(s):	%systemroot%\system32\drivers\rdyboost.sys

Microsoft-Windows-RemoteApp and Desktop Connections

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-RemoteApp and Desktop Connections
Log type:	Application
Identifier:	{1b8b402d-78dc-46fb-bf71-46e64aedf165}
Event message file(s):	%systemroot%\system32\tsworkspace.dll

Microsoft-Windows-RemoteAssistance

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-RemoteAssistance
Identifier:	{5b0a651a-8807-45cc-9656-7579815b6af0}
Event message file(s):	%systemroot%\system32\msra.exe

Microsoft-Windows-RemoteDesktopServices-RdpCoreTS

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Identifier:	{1139c61b-b549-4251-8ed3-27250a1edec8}
Event message file(s):	%systemroot%\system32\rdpcorets.dll

Microsoft-Windows-RemoteDesktopServices-SessionServices

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-RemoteDesktopServices-SessionServices
Identifier:	{f1394de0-32c7-4a76-a6de-b245e48f4615}
Event message file(s):	%systemroot%\system32\rdpclip.exe

Microsoft-Windows-Remotefs-Rdbss

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Remotefs-Rdbss
Identifier:	{1a870028-f191-4699-8473-6fcd299eab77}
Event message file(s):	%systemroot%\system32\drivers\rdbss.sys

Microsoft-Windows-ResetEng

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-ResetEng
Log type:	System
Identifier:	{a4445c76-ed85-c8a3-02c1-532a38614a9e}
Event message file(s):	%systemroot%\system32\reseteng.dll

Microsoft-Windows-ResetEng-Trace

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.1

Log source(s):	Microsoft-Windows-ResetEng-Trace
Identifier:	{7fa514b5-a023-4b62-a6ab-2946a483e065}
Event message file(s):	%systemroot%\system32\reseteng.dll

Microsoft-Windows-Resource-Exhaustion-Detector

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-Resource-Exhaustion-Detector
Log type:	System
Identifier:	{9988748e-c2e8-4054-85f6-0c3e1cad2470}
Event message file(s):	%systemroot%\system32\radardt.dll

Microsoft-Windows-Resource-Exhaustion-Resolver

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-Resource-Exhaustion-Resolver
Identifier:	{91f5fb12-fdea-4095-85d5-614b495cd9de}
Event message file(s):	%systemroot%\system32\radarrs.dll

Microsoft-Windows-ResourcePublication

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-ResourcePublication
Log type:	System
Identifier:	{74c2135f-cc76-45c3-879a-ef3bb1eeaf86}
Event message file(s):	%systemroot%\system32\fdrespub.dll

Microsoft-Windows-RestartManager

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-RestartManager
Log type:	Application
Identifier:	{0888e5ef-9b98-4695-979d-e92ce4247224}
Event message file(s):	%systemroot%\system32\rstrtmgr.dll

Microsoft-Windows-RetailDemo

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-RetailDemo
	RetailDemo
Log type:	System
Identifier:	{d3f29eda-805d-428a-9902-b259b937f84b}
Event message file(s):	%systemroot%\system32\rdxservice.dll

Microsoft-Windows-Runtime-Graphics

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Runtime-Graphics
Identifier:	{fa5cf675-72eb-49e2-b447-de5552faff1c}
Event message file(s):	%systemroot%\system32\windows.graphics.dll

Microsoft-Windows-Runtime-Media

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Runtime-Media
Identifier:	{8f0db3a8-299b-4d64-a4ed-907b409d4584}
Event message file(s):	%systemroot%\system32\windows.media.dll

Microsoft-Windows-Runtime-Networking

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Runtime-Networking
Identifier:	{6eb875eb-8f4a-4800-a00b-e484c97d7561}
Event message file(s):	%systemroot%\system32\windows.networking.dll

Microsoft-Windows-Runtime-Networking-BackgroundTransfer

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Runtime-Networking-BackgroundTransfer
Identifier:	{b9d5b35d-bbb8-4625-9450-f71a5d414f4f}
Event message file(s):	%systemroot%\system32\windows.networking.backgroundtransfer.dll

Microsoft-Windows-Runtime-Web-Http

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-Runtime-Web-Http
Identifier:	{41877cb4-11fc-4188-b590-712c143c881d}
Event message file(s):	%systemroot%\system32\windows.web.http.dll

Microsoft-Windows-Runtime-WebAPI

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Runtime-WebAPI
Identifier:	{6bd96334-dc49-441a-b9c4-41425ba628d8}
Event message file(s):	%systemroot%\system32\windows.web.dll

Microsoft-Windows-SCPNP

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-SCPNP
Log type:	System
Identifier:	{9f650c63-9409-453c-a652-83d7185a2e83}
Event message file(s):	%systemroot%\system32\certprop.dll

Microsoft-Windows-SEC

Seen on:

Windows 10 (1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-SEC
Identifier:	{16c6501a-ff2d-46ea-868d-8f96cb0cb52d}
Event message file(s):	%systemroot%\system32\drivers\mssecflt.sys

Microsoft-Windows-SENSE

Seen on:

Windows 10 (1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-SENSE
Identifier:	{fae96d09-ade1-5223-0098-af7b67348531}
Event message file(s):	%programfiles%\windows defender advanced threat protection\mssense.exe

Microsoft-Windows-SMBClient

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-SMBClient
Identifier:	{988c59c5-0a1c-45b6-a555-0c62276e327d}
Event message file(s):	%systemroot%\system32\drivers\mrxsmb.sys

Microsoft-Windows-SMBDirect

Seen on:

Windows 10 (1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012

Log source(s):	Microsoft-Windows-SMBDirect
Identifier:	{db66ea65-b7bb-4ca9-8748-334cb5c32400}
Event message file(s):	%systemroot%\system32\drivers\smbdirect.sys

Microsoft-Windows-SMBServer

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-SMBServer
Identifier:	{d48ce617-33a2-4bc3-a5c7-11aa4f29619e}
Event message file(s):	%systemroot%\system32\drivers\srv2.sys

Microsoft-Windows-SMBWitnessClient

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-SMBWitnessClient
Identifier:	{32254f6c-aa33-46f0-a5e3-1cbcc74bf683}
Event message file(s):	%systemroot%\system32\wkssvc.dll

Microsoft-Windows-SPB-ClassExtension

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-SPB-ClassExtension
Log type:	System
Identifier:	{72cd9ff7-4af8-4b89-aede-5f26fda13567}
Event message file(s):	%systemroot%\system32\drivers\spbcx.sys

Microsoft-Windows-SPB-HIDI2C

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-SPB-HIDI2C
Log type:	System
Identifier:	{991f8fe6-249d-44d6-b93d-5a3060c1dedb}
Event message file(s):	%systemroot%\system32\drivers\hidi2c.sys

Microsoft-Windows-Schannel-Events

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Schannel-Events
Identifier:	{91cc1150-71aa-47e2-ae18-c96e61736b6f}
Event message file(s):	%systemroot%\system32\schannel.dll

Microsoft-Windows-Sdbus

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Sdbus
Identifier:	{fe28004e-b08f-4407-92b3-bad3a2c51708}
Event message file(s):	%systemroot%\system32\drivers\sdbus.sys

Microsoft-Windows-Sdstor

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Sdstor
Identifier:	{afe654eb-0a83-4eb4-948f-d4510ec39c30}
Event message file(s):	%systemroot%\system32\drivers\sdstor.sys

Microsoft-Windows-Search

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-Search
	Windows Search Service
Log type:	Application
Identifier:	{ca4e628d-8567-4896-ab6b-835b221f373f}
Category message file(s):	%systemroot%\system32\tquery.dll
Event message file(s):	%systemroot%\system32\tquery.dll

Microsoft-Windows-Search-Core

Seen on:

Windows Vista

Log source(s):	Microsoft-Windows-Search-Core
Identifier:	{49c2c27c-fe2d-40bf-8c4e-c3fb518037e7}

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Search-Core
Identifier:	{49c2c27c-fe2d-40bf-8c4e-c3fb518037e7}
Event message file(s):	%systemroot%\system32\searchindexer.exe

Microsoft-Windows-Search-ProfileNotify

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-Search-ProfileNotify
	Windows Search Service Profile Notification
Log type:	Application
Identifier:	{fc6f77dd-769a-470e-bcf9-1b6555a118be}
Event message file(s):	%systemroot%\system32\wsepno.dll

Microsoft-Windows-Search-ProtocolHandlers

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Search-ProtocolHandlers
Identifier:	{dab065a9-620f-45ba-b5d6-d6bb8efedee9}
Event message file(s):	%systemroot%\system32\searchindexer.exe

Microsoft-Windows-Security-Audit-Configuration-Client

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Security-Audit-Configuration-Client
Identifier:	{08466062-aed4-4834-8b04-cddb414504e5}
Event message file(s):	%systemroot%\system32\auditcse.dll

Microsoft-Windows-Security-Auditing

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-Security-Auditing
Log type:	Security
Identifier:	{54849625-5478-4994-a5ba-3e3b0328c30d}
Event message file(s):	%systemroot%\system32\adtschema.dll

Microsoft-Windows-Security-EnterpriseData-FileRevocationManager

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-Security-EnterpriseData-FileRevocationManager
Log type:	Application
Identifier:	{2cd58181-0bb6-463e-828a-056ff837f966}
Event message file(s):	%systemroot%\system32\efswrt.dll

Microsoft-Windows-Security-ExchangeActiveSyncProvisioning

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Security-ExchangeActiveSyncProvisioning
Identifier:	{9249d0d0-f034-402f-a29b-92fa8853d9f3}
Event message file(s):	%systemroot%\system32\easwrt.dll

Microsoft-Windows-Security-IdentityStore

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Security-IdentityStore
Identifier:	{00b7e1df-b469-4c69-9c41-53a6576e3dad}
Event message file(s):	%systemroot%\system32\idstore.dll

Microsoft-Windows-Security-LessPrivilegedAppContainer

Seen on:

Windows 10 (1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-Security-LessPrivilegedAppContainer
Identifier:	{45eec9e5-4a1b-5446-7ad8-a4ab1313c437}
Event message file(s):	%systemroot%\system32\microsoft-windows-system-events.dll

Microsoft-Windows-Security-Mitigations

Seen on:

Windows 10 (1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-Security-Mitigations
Identifier:	{fae10392-f0af-4ac0-b8ff-9f4d920c3cdf}
Event message file(s):	%systemroot%\system32\microsoft-windows-system-events.dll

Microsoft-Windows-Security-Netlogon

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Security-Netlogon
Identifier:	{e5ba83f6-07d0-46b1-8bc7-7e669a1d31dc}
Event message file(s):	%systemroot%\system32\netlogon.dll

Microsoft-Windows-Security-SPP-UX

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Security-SPP-UX
Identifier:	{6bdadc96-673e-468c-9f5b-f382f95b2832}
Event message file(s):	%systemroot%\system32\slui.exe

Microsoft-Windows-Security-SPP-UX-GC

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-Security-SPP-UX-GC
Identifier:	{bbbdd6a3-f35e-449b-a471-4d830c8eda1f}
Event message file(s):	%systemroot%\system32\sppcommdlg.dll

Seen on:

Windows 8.0

Log source(s):	Microsoft-Windows-Security-SPP-UX-GC
Identifier:	{bbbdd6a3-f35e-449b-a471-4d830c8eda1f}
Event message file(s):	%systemroot%\system32\genuinecenter.dll

Microsoft-Windows-Security-SPP-UX-GenuineCenter-Logging

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-Security-SPP-UX-GenuineCenter-Logging
Identifier:	{fb829150-cd7d-44c3-af5b-711a3c31cedc}
Event message file(s):	%systemroot%\system32\sppcommdlg.dll

Seen on:

Windows 8.0

Log source(s):	Microsoft-Windows-Security-SPP-UX-GenuineCenter-Logging
Identifier:	{fb829150-cd7d-44c3-af5b-711a3c31cedc}
Event message file(s):	%systemroot%\system32\genuinecenter.dll

Microsoft-Windows-Security-SPP-UX-Notifications

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Security-SPP-UX-Notifications
Identifier:	{c4efc9bb-2570-4821-8923-1bad317d2d4b}
Event message file(s):	%systemroot%\system32\slui.exe

Microsoft-Windows-Security-UserConsentVerifier

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-Security-UserConsentVerifier
Identifier:	{40783728-8921-45d0-b231-919037b4b4fd}
Event message file(s):	%systemroot%\system32\windows.security.credentials.ui.userconsentverifier.dll

Microsoft-Windows-Security-Vault

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Security-Vault
Identifier:	{e6c92fb8-89d7-4d1f-be46-d56e59804783}
Event message file(s):	%systemroot%\system32\vaultcli.dll

Microsoft-Windows-SecurityMitigationsBroker

Seen on:

Windows 10 (1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-SecurityMitigationsBroker
Identifier:	{ea8cd8a5-78ff-4418-b292-aadc6a7181df}
Event message file(s):	%systemroot%\system32\windows.internal.securitymitigationsbroker.dll

Microsoft-Windows-SendTo

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-SendTo
Identifier:	{35642cf5-da5e-410b-9d9c-a45f3638042b}
Event message file(s):	%systemroot%\system32\sendmail.dll

Microsoft-Windows-Sens

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-Sens
Identifier:	{be69781c-b63b-41a1-8e24-a4fc7b3fc498}
Event message file(s):	%systemroot%\system32\sens.dll

Microsoft-Windows-SenseIR

Seen on:

Windows 10 (1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-SenseIR
Identifier:	{b6d775ef-1436-4fe6-bad3-9e436319e218}
Event message file(s):	%programfiles%\windows defender advanced threat protection\senseir.exe

Microsoft-Windows-Sensors

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Sensors
Identifier:	{d8900e18-36cb-4548-966f-13f068d1f78e}
Event message file(s):	%systemroot%\system32\sensorperformanceevents.dll

Microsoft-Windows-Sensors-Core

Seen on:

Windows 10 (1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-Sensors-Core
Identifier:	{751c292b-23e6-58cf-1fd4-38f8512c66c2}
Event message file(s):	%systemroot%\system32\sensorsutilsv2.dll

Microsoft-Windows-Sensors-Core-Performance

Seen on:

Windows 10 (1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-Sensors-Core-Performance
Identifier:	{9e051eaa-7fee-4f9f-8897-d86f3692e8af}
Event message file(s):	%systemroot%\system32\sensorsutilsv2.dll

Microsoft-Windows-Serial-ClassExtension

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Serial-ClassExtension
Log type:	System
Identifier:	{47bc9477-a8ba-452e-b951-4f2ed3593cf9}
Event message file(s):	%systemroot%\system32\drivers\sercx.sys

Microsoft-Windows-Serial-ClassExtension-V2

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-Serial-ClassExtension-V2
Log type:	System
Identifier:	{eee173ef-7ed2-45de-9877-01c70a852fbd}
Event message file(s):	%systemroot%\system32\drivers\sercx2.sys

Microsoft-Windows-ServiceReportingApi

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-ServiceReportingApi
Identifier:	{606a6a38-70ec-4309-b3a3-82ff86f73329}
Event message file(s):	%systemroot%\system32\osbaseln.dll

Microsoft-Windows-ServiceTriggerPerfEventProvider

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-ServiceTriggerPerfEventProvider
Identifier:	{6545939f-3398-411a-88b7-6a8914b8cec7}
Event message file(s):	%systemroot%\system32\rpcepmap.dll

Microsoft-Windows-Services

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-Services
Identifier:	{0063715b-eeda-4007-9429-ad526f62696e}
Event message file(s):	%systemroot%\system32\services.exe

Microsoft-Windows-Services-Svchost

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-Services-Svchost
Identifier:	{06184c97-5201-480e-92af-3a3626c5b140}
Event message file(s):	%systemroot%\system32\services.exe

Microsoft-Windows-Servicing

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-Servicing
Log type:	System
Identifier:	{bd12f3b8-fc40-4a61-a307-b7a013a069c1}
Event message file(s):	%systemroot%\servicing\cbsmsg.dll

Microsoft-Windows-Setup

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Setup
Log type:	System
Identifier:	{75ebc33e-997f-49cf-b49f-ecc50184b75d}
Event message file(s):	%systemroot%\system32\oobe\winsetup.dll

Microsoft-Windows-SetupCl

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-SetupCl
Identifier:	{75ebc33e-d017-4d0f-93ab-0b4f86579164}
Event message file(s):	%systemroot%\system32\setupcl.exe

Seen on:

Windows 10 (2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-SetupCl
Identifier:	{75ebc33e-d017-4d0f-93ab-0b4f86579164}
Event message file(s):	%systemroot%\system32\setupcl.dll

Microsoft-Windows-SetupPlatform

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-SetupPlatform
Log type:	System
Identifier:	{530fb9b9-c515-4472-9313-fb346f9255e3}
Event message file(s):	%systemroot%\system32\setupetw.dll

Microsoft-Windows-SetupQueue

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-SetupQueue
Identifier:	{a615acb9-d5a4-4738-b561-1df301d207f8}
Event message file(s):	%systemroot%\system32\setupetw.dll

Microsoft-Windows-SetupUGC

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-SetupUGC
Identifier:	{75ebc33e-0870-49e5-bdce-9d7028279489}
Event message file(s):	%systemroot%\system32\setupugc.exe

Microsoft-Windows-ShareMedia-ControlPanel

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-ShareMedia-ControlPanel
Identifier:	{02012a8a-adf5-4fab-92cb-ccb7bb3e689a}
Event message file(s):	%systemroot%\system32\sharemediacpl.dll

Microsoft-Windows-Shell-AppWizCpl

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Shell-AppWizCpl
Identifier:	{08d945eb-c8bd-44aa-994f-86079d8dce35}
Event message file(s):	%systemroot%\system32\appwiz.cpl

Microsoft-Windows-Shell-AuthUI

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Shell-AuthUI
Identifier:	{63d2bb1d-e39a-41b8-9a3d-52dd06677588}
Event message file(s):	%systemroot%\system32\authui.dll

Seen on:

Windows Vista

Log source(s):	Microsoft-Windows-Shell-AuthUI
Identifier:	{63d2bb1d-e39a-41b8-9a3d-52dd06677588}

Seen on:

Windows 10 (1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-Shell-AuthUI
Identifier:	{63d2bb1d-e39a-41b8-9a3d-52dd06677588}
Event message file(s):	%systemroot%\system32\credprovhost.dll

Microsoft-Windows-Shell-ConnectedAccountState

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Shell-ConnectedAccountState
Identifier:	{6df57621-e7e4-410f-a7e9-e43eeb61b11f}
Event message file(s):	%systemroot%\system32\connectedaccountstate.dll

Microsoft-Windows-Shell-Core

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Shell-Core
Identifier:	{30336ed4-e327-447c-9de0-51b652c86108}
Event message file(s):	%systemroot%\system32\shsvcs.dll

Seen on:

Windows Vista

Log source(s):	Microsoft-Windows-Shell-Core
Identifier:	{30336ed4-e327-447c-9de0-51b652c86108}

Microsoft-Windows-Shell-DefaultPrograms

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Shell-DefaultPrograms
Identifier:	{65d99466-7a8e-489c-b8e1-962bc945031e}
Event message file(s):	%systemroot%\system32\sud.dll

Seen on:

Windows Vista

Log source(s):	Microsoft-Windows-Shell-DefaultPrograms
Identifier:	{65d99466-7a8e-489c-b8e1-962bc945031e}

Microsoft-Windows-Shell-LockScreenContent

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.1

Log source(s):	Microsoft-Windows-Shell-LockScreenContent
Identifier:	{a3c0d58a-9fe5-4f24-a2ce-e16de8baa0d2}
Event message file(s):	%systemroot%\system32\lockscreencontent.dll

Microsoft-Windows-Shell-OpenWith

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Shell-OpenWith
Identifier:	{11bd2a68-77ff-4991-9658-f451f2eb6ce1}
Event message file(s):	%systemroot%\system32\openwith.exe

Microsoft-Windows-Shell-Shwebsvc

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-Shell-Shwebsvc
Identifier:	{f61cefc0-aa2e-11da-a746-0800200c9a66}
Event message file(s):	%systemroot%\system32\shwebsvc.dll

Microsoft-Windows-Shell-ZipFolder

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Shell-ZipFolder
Identifier:	{1f84007d-19ce-4b15-9e81-8a3dd8eb9ecb}
Event message file(s):	%systemroot%\system32\zipfldr.dll

Seen on:

Windows Vista

Log source(s):	Microsoft-Windows-Shell-ZipFolder
Identifier:	{1f84007d-19ce-4b15-9e81-8a3dd8eb9ecb}

Microsoft-Windows-ShellCommon-StartLayoutPopulation

Seen on:

Windows 10 (1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-ShellCommon-StartLayoutPopulation
Identifier:	{97ca8142-10b1-4baa-9fbb-70a7d11231c3}
Event message file(s):	%systemroot%\system32\windows.shell.startlayoutpopulationevents.dll

Microsoft-Windows-Shsvcs

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Shsvcs
Identifier:	{059c3e04-5535-4929-85e1-93030e78f47b}
Event message file(s):	%systemroot%\system32\shsvcs.dll

Seen on:

Windows Vista

Log source(s):	Microsoft-Windows-Shsvcs
Identifier:	{059c3e04-5535-4929-85e1-93030e78f47b}

Microsoft-Windows-SleepStudy

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-SleepStudy
Identifier:	{d37687e7-8bf0-4d11-b589-a7abe080756a}
Event message file(s):	%systemroot%\system32\microsoft-windows-sleepstudy-events.dll

Microsoft-Windows-SmartCard-Audit

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-SmartCard-Audit
Identifier:	{09ac07b9-6ac9-43bc-a50f-58419a797c69}
Event message file(s):	%systemroot%\system32\winscard.dll

Microsoft-Windows-SmartCard-DeviceEnum

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-SmartCard-DeviceEnum
Log type:	Application
Identifier:	{aaeac398-3028-487c-9586-44eacad03637}
Event message file(s):	%systemroot%\system32\scdeviceenum.dll

Microsoft-Windows-SmartCard-TPM-VCard-Module

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-SmartCard-TPM-VCard-Module
Identifier:	{125f2cf1-2768-4d33-976e-527137d080f8}
Event message file(s):	%systemroot%\system32\tpmvsc.dll

Microsoft-Windows-SmartScreen

Seen on:

Windows 10 (1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-SmartScreen
Identifier:	{3cb2a168-fe34-4a4e-bdad-dcf422f34473}
Event message file(s):	%systemroot%\system32\smartscreen.exe

Microsoft-Windows-Smartcard-Server

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-Smartcard-Server
	SCardSvr
Log type:	System
Identifier:	{4fcbf664-a33a-4652-b436-9d558983d955}
Event message file(s):	%systemroot%\system32\scardsvr.dll

Microsoft-Windows-Smartcard-Trigger

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-Smartcard-Trigger
Identifier:	{aedd909f-41c6-401a-9e41-dfc33006af5d}
Event message file(s):	%systemroot%\system32\scardsvr.dll

Microsoft-Windows-SmbWmiProvider

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-SmbWmiProvider
Identifier:	{50b9e206-9d55-4092-92e8-f157a8235799}
Event message file(s):	%systemroot%\system32\smbwmiv2.dll

Microsoft-Windows-SoftwareRestrictionPolicies

Seen on:

Windows 2008
Windows 7
Windows 8.0
Windows Vista

Log source(s):	Microsoft-Windows-SoftwareRestrictionPolicies
Log type:	Application
Identifier:	{7d29d58a-931a-40ac-8743-48c733045548}
Event message file(s):	%systemroot%\system32\advapi32.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-SoftwareRestrictionPolicies
Log type:	Application
Identifier:	{7d29d58a-931a-40ac-8743-48c733045548}
Event message file(s):	%systemroot%\system32\microsoft-windows-system-events.dll

Microsoft-Windows-Speech-TTS

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Speech-TTS
Identifier:	{74dcc47a-846e-4c98-9e2c-80043ed82b15}
Event message file(s):	%systemroot%\system32\speech\engines\tts\msttsengine.dll

Microsoft-Windows-Speech-UserExperience

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-Speech-UserExperience
Identifier:	{13480a22-d79f-4334-9d32-aa239398ad3c}
Event message file(s):	%systemroot%\system32\speech\speechux\speechux.dll

Microsoft-Windows-Spell-Checking

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Spell-Checking
Log type:	Application
Identifier:	{d0e22efc-ac66-4b25-a72d-382736b5e940}
Event message file(s):	%systemroot%\system32\msspellcheckingfacility.dll

Microsoft-Windows-SpellChecker

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-SpellChecker
Log type:	Application
Identifier:	{b2fcd41f-9a40-4150-8c92-b224b7d8c8aa}
Event message file(s):	%systemroot%\system32\msspellcheckingfacility.dll

Microsoft-Windows-Spellchecking-Host

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Spellchecking-Host
Log type:	Application
Identifier:	{1bda2ab1-bbc1-4acb-a849-c0ef2b249672}
Event message file(s):	%systemroot%\system32\msspellcheckinghost.exe

Microsoft-Windows-SruMon

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-SruMon
Identifier:	{c8dbf506-e3d3-4822-930d-84c557eb6247}
Event message file(s):	%systemroot%\system32\srumapi.dll

Microsoft-Windows-SrumTelemetry

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-SrumTelemetry
Identifier:	{48d445a8-2f64-4d49-b093-a5774d8dc531}
Event message file(s):	%systemroot%\system32\energyprov.dll

Microsoft-Windows-StartNameRes

Seen on:

Windows 10 (2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-StartNameRes
Identifier:	{277c9237-51d8-5c1c-b089-f02c683e5ba7}
Event message file(s):	%systemroot%\system32\drivers\afd.sys

Microsoft-Windows-StartupRepair

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-StartupRepair
Log type:	System
Identifier:	{c914f0df-835a-4a22-8c70-732c9a80c634}
Event message file(s):	%systemroot%\system32\reagent.dll

Seen on:

Windows Vista

Log source(s):	Microsoft-Windows-StartupRepair
Identifier:	{c914f0df-835a-4a22-8c70-732c9a80c634}
Event message file(s):	%systemroot%\system32\relpost.exe

Microsoft-Windows-StateRepository

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-StateRepository
Identifier:	{89592015-d996-4636-8f61-066b5d4dd739}
Event message file(s):	%systemroot%\system32\windows.staterepository.dll

Microsoft-Windows-StorDiag

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-StorDiag
Identifier:	{f5d05b38-80a6-4653-825d-c414e4ab3c68}
Event message file(s):	%systemroot%\system32\drivers\classpnp.sys

Microsoft-Windows-StorPort

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-StorPort
Identifier:	{c4636a1e-7986-4646-bf10-7bc3b4a76e8e}
Event message file(s):	%systemroot%\system32\drivers\storport.sys

Microsoft-Windows-Storage-Tiering

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012

Log source(s):	Microsoft-Windows-Storage-Tiering
Identifier:	{4a104570-ec6d-4560-a40f-858fa955e84f}
Event message file(s):	%systemroot%\system32\tieringengineservice.exe

Seen on:

Windows 8.1

Log source(s):	Microsoft-Windows-Storage-Tiering
Identifier:	{4a104570-ec6d-4560-a40f-858fa955e84f}
Event message file(s):	%systemroot%\system32\microsoft-windows-storage-tiering-events.dll

Microsoft-Windows-Storage-Tiering-IoHeat

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-Storage-Tiering-IoHeat
Identifier:	{990c55fc-2662-47f6-b7d7-eb3c027cb13f}
Event message file(s):	%systemroot%\system32\microsoft-windows-storage-tiering-events.dll

Microsoft-Windows-StorageManagement

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-StorageManagement
Identifier:	{7e58e69a-e361-4f06-b880-ad2f4b64c944}
Event message file(s):	%systemroot%\system32\storagewmi.dll

Microsoft-Windows-StorageManagement-PartUtil

Seen on:

Windows 11 (21H2)

Log source(s):	Microsoft-Windows-StorageManagement-PartUtil
Identifier:	{93db76c2-63ab-5de1-88b3-c068686675b8}
Event message file(s):	%systemroot%\system32\mispace.dll

Microsoft-Windows-StorageManagement-WSP-FS

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-StorageManagement-WSP-FS
Identifier:	{435f8e4b-8cc4-430e-9796-28cae4976576}
Event message file(s):	%systemroot%\system32\wsp_fs.dll

Microsoft-Windows-StorageManagement-WSP-Health

Seen on:

Windows 10 (1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-StorageManagement-WSP-Health
Identifier:	{b1f01d1a-ae3a-4940-81ee-ddccbad380ef}
Event message file(s):	%systemroot%\system32\wsp_health.dll

Microsoft-Windows-StorageManagement-WSP-Host

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-StorageManagement-WSP-Host
Identifier:	{595f33ea-d4af-4f4d-b4dd-9dacdd17fc6e}
Event message file(s):	%systemroot%\system32\smphost.dll

Microsoft-Windows-StorageManagement-WSP-Spaces

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-StorageManagement-WSP-Spaces
Identifier:	{88c09888-118d-48fc-8863-e1c6d39ca4df}
Event message file(s):	%systemroot%\system32\mispace.dll

Microsoft-Windows-StorageSettings

Seen on:

Windows 10 (2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-StorageSettings
Identifier:	{e934e6dd-62be-55d8-1cc8-416d0039498b}
Event message file(s):	%systemroot%\system32\settingshandlers_storagesense.dll

Microsoft-Windows-StorageSpaces-Api

Seen on:

Windows 11 (21H2)

Log source(s):	Microsoft-Windows-StorageSpaces-Api
Identifier:	{bcf0c6a7-6130-5208-f27d-fa77a91f12df}
Event message file(s):	%systemroot%\system32\drivers\spaceport.sys

Microsoft-Windows-StorageSpaces-Driver

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-StorageSpaces-Driver
Identifier:	{595f7f52-c90a-4026-a125-8eb5e083f15e}
Event message file(s):	%systemroot%\system32\drivers\spaceport.sys

Microsoft-Windows-StorageSpaces-ManagementAgent

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-StorageSpaces-ManagementAgent
Identifier:	{aa4c798d-d91b-4b07-a013-787f5803d6fc}
Event message file(s):	%systemroot%\system32\spaceagent.exe

Microsoft-Windows-StorageSpaces-Parser

Seen on:

Windows 11 (21H2)

Log source(s):	Microsoft-Windows-StorageSpaces-Parser
Identifier:	{5bcf2a5c-2e90-5a03-aa4e-2e459bae21b4}
Event message file(s):	%systemroot%\system32\drivers\spaceparser.sys

Microsoft-Windows-StorageSpaces-SpaceManager

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-StorageSpaces-SpaceManager
Identifier:	{69c8ca7e-1adf-472b-ba4c-a0485986b9f6}
Event message file(s):	%systemroot%\system32\spaceman.exe

Microsoft-Windows-Store

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-Store
Identifier:	{9c2a37f3-e5fd-5cae-bcd1-43dafeee1ff0}
Event message file(s):	%systemroot%\system32\licensemanager.dll

Microsoft-Windows-Storsvc

Seen on:

Windows 10 (1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-Storsvc
Identifier:	{a963a23c-0058-521d-71ec-a1cce6173f21}
Event message file(s):	%systemroot%\system32\storsvc.dll

Microsoft-Windows-Subsys-Csr

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-Subsys-Csr
Identifier:	{e8316a2d-0d94-4f52-85dd-1e15b66c5891}
Event message file(s):	%systemroot%\system32\csrsrv.dll

Microsoft-Windows-Subsys-SMSS

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-Subsys-SMSS
Log type:	System
Identifier:	{43e63da5-41d1-4fbf-aded-1bbed98fdd1d}
Event message file(s):	%systemroot%\system32\csrsrv.dll

Microsoft-Windows-Superfetch

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Superfetch
Identifier:	{99806515-9f51-4c2f-b918-1eae407aa8cb}
Event message file(s):	%systemroot%\system32\sysmain.dll

Microsoft-Windows-Sysprep

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Sysprep
Identifier:	{75ebc33e-77b8-4ba8-9474-4f4a9db2f5c6}
Event message file(s):	%systemroot%\system32\sysprep\sysprep.exe

Microsoft-Windows-System-Profile-HardwareId

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-System-Profile-HardwareId
Identifier:	{3419de6d-5d7f-4668-acc8-f80566814d96}
Event message file(s):	%systemroot%\system32\windows.system.profile.hardwareid.dll

Microsoft-Windows-System-Restore

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-System-Restore
Log type:	Application
Identifier:	{126cdb97-d346-4894-8a34-658da5eea1b6}
Event message file(s):	%systemroot%\system32\srevents.dll

Microsoft-Windows-SystemEventsBroker

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-SystemEventsBroker
Identifier:	{b6bfcc79-a3af-4089-8d4d-0eecb1b80779}
Event message file(s):	%systemroot%\system32\systemeventsbrokerserver.dll

Microsoft-Windows-SystemSettingsHandlers

Seen on:

Windows 10 (1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-SystemSettingsHandlers
Identifier:	{fbbd52e1-df97-529d-4b67-53f67da99a98}
Event message file(s):	%systemroot%\system32\networkmobilesettings.dll

Microsoft-Windows-SystemSettingsThreshold

Seen on:

Windows 10 (1511, 1607, 1703)

Log source(s):	Microsoft-Windows-SystemSettingsThreshold
Identifier:	{8bcdf442-3070-4118-8c94-e8843be363b3}
Event message file(s):	%systemroot%\immersivecontrolpanel\systemsettings.exe

Seen on:

Windows 10 (1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-SystemSettingsThreshold
Identifier:	{8bcdf442-3070-4118-8c94-e8843be363b3}
Event message file(s):	$(runtime.windows)\immersivecontrolpanel\systemsettings.exe

Microsoft-Windows-TCPIP

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-TCPIP
Identifier:	{2f07e2ee-15db-40f1-90ef-9d7ba282188a}
Event message file(s):	%systemroot%\system32\drivers\tcpip.sys

Microsoft-Windows-TPM-WMI

Seen on:

Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-TPM-WMI
Log type:	System
Identifier:	{7d5387b0-cbe0-11da-a94d-0800200c9a66}
Event message file(s):	%systemroot%\system32\wbem\win32_tpm.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-TPM-WMI
Log type:	System
Identifier:	{7d5387b0-cbe0-11da-a94d-0800200c9a66}
Event message file(s):	%systemroot%\system32\tpmcoreprovisioning.dll

Microsoft-Windows-TSF-UIManager

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-TSF-UIManager
Identifier:	{4dd778b8-379c-4d8c-b659-517a43d6df7d}
Event message file(s):	%systemroot%\system32\msctfuimanager.dll

Microsoft-Windows-TSF-msctf

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-TSF-msctf
Identifier:	{4fba1227-f606-4e5f-b9e8-fab9ab5740f3}
Event message file(s):	%systemroot%\system32\msctf.dll

Microsoft-Windows-TSF-msutb

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-TSF-msutb
Identifier:	{74b655a2-8958-410e-80e2-3457051b8dff}
Event message file(s):	%systemroot%\system32\msutb.dll

Microsoft-Windows-TZSync

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-TZSync
Identifier:	{3527cb55-1298-49d4-ab94-1243db0fcaff}
Event message file(s):	%systemroot%\system32\tzsyncres.dll

Microsoft-Windows-TZUtil

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-TZUtil
Identifier:	{2d318b91-e6e7-4c46-bd04-bfe6db412cf9}
Event message file(s):	%systemroot%\system32\tzutil.exe

Microsoft-Windows-TabletPC-CoreInkRecognition

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-TabletPC-CoreInkRecognition
Identifier:	{c2fa0899-8a10-412b-a42e-9e5b284a2437}
Event message file(s):	%commonprogramfiles%\microsoft shared\ink\mshwlatin.dll

Microsoft-Windows-TabletPC-InputPanel

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-TabletPC-InputPanel
Identifier:	{e978f84e-582d-4167-977e-32af52706888}
Event message file(s):	%commonprogramfiles%\microsoft shared\ink\tabskb.dll

Microsoft-Windows-TabletPC-InputPersonalization

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-TabletPC-InputPersonalization
Identifier:	{a8106e5c-293a-4cd0-9397-2e6fac7f9749}
Event message file(s):	%commonprogramfiles%\microsoft shared\ink\inputpersonalization.exe

Microsoft-Windows-TabletPC-MathInput

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-TabletPC-MathInput
Identifier:	{8443ccb7-feb0-4b8d-8e28-8d4c7cb814e8}
Event message file(s):	%commonprogramfiles%\microsoft shared\ink\mip.exe

Seen on:

Windows 11 (21H2)

Log source(s):	Microsoft-Windows-TabletPC-MathInput
Identifier:	{8443ccb7-feb0-4b8d-8e28-8d4c7cb814e8}
Event message file(s):	%commonprogramfiles%\microsoft shared\ink\micaut.dll

Microsoft-Windows-TabletPC-MathRecognizer

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-TabletPC-MathRecognizer
Identifier:	{bdb462fc-a297-49a2-bf2e-4f1809e12abc}
Event message file(s):	%commonprogramfiles%\microsoft shared\ink\mraut.dll

Microsoft-Windows-TabletPC-Platform-Input-Core

Seen on:

Windows 7

Log source(s):	Microsoft-Windows-TabletPC-Platform-Input-Core
Identifier:	{b5fd844a-01d4-4b10-a57f-58b13b561582}
Event message file(s):	%systemroot%\system32\wisptis.exe

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-TabletPC-Platform-Input-Core
Identifier:	{b5fd844a-01d4-4b10-a57f-58b13b561582}
Event message file(s):	%systemroot%\system32\tabsvc.dll

Microsoft-Windows-TabletPC-Platform-Input-Ninput

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-TabletPC-Platform-Input-Ninput
Identifier:	{2c3e6d9f-8298-450f-8e5d-49b724f1216f}
Event message file(s):	%systemroot%\system32\ninput.dll

Microsoft-Windows-TabletPC-Platform-Input-Wisp

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-TabletPC-Platform-Input-Wisp
Identifier:	{e5aa2a53-30be-40f5-8d84-ad3f40a404cd}
Event message file(s):	%systemroot%\system32\wisp.dll

Microsoft-Windows-TabletPC-Platform-Manipulations

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-TabletPC-Platform-Manipulations
Identifier:	{2fd7a9a5-b1a1-4fc7-b95c-c32fed818f30}
Event message file(s):	%commonprogramfiles%\microsoft shared\ink\rtscom.dll

Microsoft-Windows-TaskScheduler

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-TaskScheduler
Log type:	System
Identifier:	{de7b24ea-73c8-4a09-985d-5bdadcfa9017}
Event message file(s):	%systemroot%\system32\schedsvc.dll

Microsoft-Windows-TaskbarCPL

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-TaskbarCPL
Identifier:	{05d7b0f0-2121-4eff-bf6b-ed3f69b894d7}
Event message file(s):	%systemroot%\system32\taskbarcpl.dll

Microsoft-Windows-TenantRestrictions

Seen on:

Windows 11 (21H2)

Log source(s):	Microsoft-Windows-TenantRestrictions
Identifier:	{4053fada-178b-5aa8-746b-7cf8538b5118}
Event message file(s):	%systemroot%\system32\cloudidsvc.dll

Microsoft-Windows-TerminalServices-ClientActiveXCore

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-TerminalServices-ClientActiveXCore
Log type:	Application
Identifier:	{28aa95bb-d444-4719-a36f-40462168127e}
Event message file(s):	%systemroot%\system32\mstscax.dll

Microsoft-Windows-TerminalServices-ClientUSBDevices

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-TerminalServices-ClientUSBDevices
	TsUsbFlt
Log type:	System
Identifier:	{6e400999-5b82-475f-b800-cef6fe361539}
Event message file(s):	%systemroot%\system32\drivers\tsusbflt.sys

Microsoft-Windows-TerminalServices-MediaRedirection

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-TerminalServices-MediaRedirection
Identifier:	{3f7b2f99-b863-4045-ad05-f6afb62e7af1}
Event message file(s):	%systemroot%\system32\tsmf.dll

Microsoft-Windows-TerminalServices-PnPDevices

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-TerminalServices-PnPDevices
Identifier:	{27a8c1e2-eb19-463e-8424-b399df27a216}
Event message file(s):	%systemroot%\system32\umrdp.dll

Microsoft-Windows-TerminalServices-Printers

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-TerminalServices-Printers
	UmRdpService
Log type:	System
Identifier:	{952773bf-c2b7-49bc-88f4-920744b82c43}
Event message file(s):	%systemroot%\system32\umrdp.dll

Microsoft-Windows-TerminalServices-RdpSoundDriver

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-TerminalServices-RdpSoundDriver
Identifier:	{127e0dc5-e13b-4935-985e-78fd508b1d80}
Event message file(s):	%systemroot%\system32\rdpendp.dll

Microsoft-Windows-TerminalServices-RemoteConnectionManager

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-TerminalServices-RemoteConnectionManager
	TermService
Log type:	System
Identifier:	{c76baa63-ae81-421c-b425-340b4b24157f}
Event message file(s):	%systemroot%\system32\termsrv.dll

Microsoft-Windows-TerminalServices-ServerUSBDevices

Seen on:

Windows 10 (1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012

Log source(s):	Microsoft-Windows-TerminalServices-ServerUSBDevices
	tsusbhub
Log type:	System
Identifier:	{dcbe5aaa-16e2-457c-9337-366950045f0a}
Event message file(s):	%systemroot%\system32\drivers\tsusbhub.sys

Microsoft-Windows-Tethering-Manager

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.1

Log source(s):	Microsoft-Windows-Tethering-Manager
Identifier:	{cc311f1f-623c-4ca4-ba44-a458016555e8}
Event message file(s):	%systemroot%\system32\tetheringmgr.dll

Microsoft-Windows-Tethering-Station

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.1

Log source(s):	Microsoft-Windows-Tethering-Station
Identifier:	{585cab4f-9351-436e-9d99-dc4b41a20de0}
Event message file(s):	%systemroot%\system32\tetheringstation.dll

Microsoft-Windows-TextPredictionEngine

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-TextPredictionEngine
Identifier:	{39a63500-7d76-49cd-994f-ffd796ef5a53}
Event message file(s):	%systemroot%\system32\mstextprediction.dll

Microsoft-Windows-ThemeCPL

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-ThemeCPL
Identifier:	{61f044af-9104-4ca5-81ee-cb6c51bb01ab}
Event message file(s):	%systemroot%\system32\themecpl.dll

Microsoft-Windows-ThemeUI

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-ThemeUI
Identifier:	{869fb599-80aa-485d-bca7-db18d72b7219}
Event message file(s):	%systemroot%\system32\themeui.dll

Microsoft-Windows-Thermal-Polling

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-Thermal-Polling
Identifier:	{e8a7c168-81ee-465c-8e8e-d39a2ac1ca41}
Event message file(s):	%systemroot%\system32\microsoft-windows-kernel-power-events.dll

Microsoft-Windows-Threat-Intelligence

Seen on:

Windows 10 (1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-Threat-Intelligence
Identifier:	{f4e1897c-bb5d-5668-f1d8-040f4d8dd344}
Event message file(s):	%systemroot%\system32\microsoft-windows-system-events.dll

Microsoft-Windows-Time-Service

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-Time-Service
	W32Time
Log type:	System
Identifier:	{06edcfeb-0fd0-4e53-acca-a6f8bbf81bcb}
Event message file(s):	%systemroot%\system32\w32time.dll

Microsoft-Windows-Time-Service-PTP-Provider

Seen on:

Windows 10 (1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-Time-Service-PTP-Provider
Identifier:	{cffb980e-327c-5b87-19c6-62c4c3be2290}
Event message file(s):	%systemroot%\system32\ptpprov.dll

Microsoft-Windows-TimeBroker

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-TimeBroker
Identifier:	{0657adc1-9ae8-4e18-932d-e6079cda5ab3}
Event message file(s):	%systemroot%\system32\timebrokerserver.dll

Microsoft-Windows-TriggerEmulatorProvider

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-TriggerEmulatorProvider
Identifier:	{f230d19a-5d93-47d9-a83f-53829edfb8df}
Event message file(s):	%systemroot%\system32\schedsvc.dll

Microsoft-Windows-Troubleshooting-Recommended

Seen on:

Windows 10 (1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-Troubleshooting-Recommended
Identifier:	{4969de67-439c-516f-f805-a82a4f905730}
Event message file(s):	%systemroot%\system32\mitigationclient.dll

Microsoft-Windows-TunnelDriver

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-TunnelDriver
Identifier:	{4edbe902-9ed3-4cf0-93e8-b8b5fa920299}
Event message file(s):	%systemroot%\system32\drivers\tunnel.sys

Microsoft-Windows-TunnelDriver-SQM-Provider

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-TunnelDriver-SQM-Provider
Identifier:	{4214dcd2-7c33-4f74-9898-719ccceec20f}
Event message file(s):	%systemroot%\system32\drivers\tunnel.sys

Microsoft-Windows-UAC

Seen on:

Windows 2008
Windows 7
Windows 8.0
Windows Vista

Log source(s):	Microsoft-Windows-UAC
Identifier:	{e7558269-3fa5-46ed-9f4d-3c6e282dde55}
Event message file(s):	%systemroot%\system32\advapi32.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-UAC
Identifier:	{e7558269-3fa5-46ed-9f4d-3c6e282dde55}
Event message file(s):	%systemroot%\system32\microsoft-windows-system-events.dll

Microsoft-Windows-UAC-FileVirtualization

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-UAC-FileVirtualization
Identifier:	{c02afc2b-e24e-4449-ad76-bcc2c2575ead}
Event message file(s):	%systemroot%\system32\drivers\luafv.sys

Microsoft-Windows-UI-Input-Inking

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-UI-Input-Inking
Identifier:	{bf1db390-3e67-4d4d-a287-8958044a3db4}
Event message file(s):	%systemroot%\system32\windows.ui.input.inking.dll

Microsoft-Windows-UI-Search

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-UI-Search
Identifier:	{d8965fcf-7397-4e0e-b750-21a4580bd880}
Event message file(s):	%systemroot%\system32\windows.ui.search.dll

Microsoft-Windows-UI-Shell

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-UI-Shell
Identifier:	{e3ee1525-8742-4e05-871b-dd2a60330c53}
Event message file(s):	%systemroot%\system32\windows.ui.shell.dll

Microsoft-Windows-UIAnimation

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-UIAnimation
Identifier:	{e0a40b26-30c4-4656-bc9a-74a5c3a0b2ec}
Event message file(s):	%systemroot%\system32\uianimation.dll

Microsoft-Windows-UIAutomationCore

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-UIAutomationCore
Identifier:	{820a42d8-38c4-465d-b64e-d7d56ea1d612}
Event message file(s):	%systemroot%\system32\uiautomationcore.dll

Microsoft-Windows-UIRibbon

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-UIRibbon
Identifier:	{87d476fe-1a0f-4370-b785-60b028019693}
Event message file(s):	%systemroot%\system32\uiribbon.dll

Microsoft-Windows-URLMon

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-URLMon
Identifier:	{245f975d-909d-49ed-b8f9-9a75691d6b6b}
Event message file(s):	%systemroot%\system32\urlmon.dll

Microsoft-Windows-USB-CCID

Seen on:

Windows 10 (1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-USB-CCID
Log type:	System
Identifier:	{f708c483-4880-11e6-9121-5cf37068b67b}
Event message file(s):	%systemroot%\system32\drivers\umdf\usbcciddriver.dll

Microsoft-Windows-USB-MAUSBHOST

Seen on:

Windows 10 (1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-USB-MAUSBHOST
Log type:	System
Identifier:	{7725b5f9-1f2e-4e21-baeb-b2af4690bc87}
Event message file(s):	%systemroot%\system32\drivers\mausbhost.sys

Microsoft-Windows-USB-UCX

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-USB-UCX
Identifier:	{36da592d-e43a-4e28-af6f-4bc57c5a11e8}
Event message file(s):	%systemroot%\system32\drivers\ucx01000.sys

Microsoft-Windows-USB-USB4DeviceRouter-EventLogs

Seen on:

Windows 11 (21H2)

Log source(s):	Microsoft-Windows-USB-USB4DeviceRouter-EventLogs
Log type:	System
Identifier:	{d07e8c3f-78fb-4c22-b77c-2203d00bfdf3}
Event message file(s):	%systemroot%\system32\driverstore\filerepository\usb4devicerouter.inf_amd64_8d9a17bd8e5b4b11\usb4devicerouter.sys

Microsoft-Windows-USB-USBHUB

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-USB-USBHUB
Identifier:	{7426a56b-e2d5-4b30-bdef-b31815c1a74a}
Event message file(s):	%systemroot%\system32\drivers\usbhub.sys

Microsoft-Windows-USB-USBHUB3

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-USB-USBHUB3
Identifier:	{ac52ad17-cc01-4f85-8df5-4dce4333c99b}
Event message file(s):	%systemroot%\system32\drivers\usbhub3.sys

Microsoft-Windows-USB-USBPORT

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-USB-USBPORT
Identifier:	{c88a4ef5-d048-4013-9408-e04b7db2814a}
Event message file(s):	%systemroot%\system32\drivers\usbport.sys

Microsoft-Windows-USB-USBXHCI

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-USB-USBXHCI
Log type:	System
Identifier:	{30e1d284-5d88-459c-83fd-6345b39b19ec}
Event message file(s):	%systemroot%\system32\drivers\usbxhci.sys

Microsoft-Windows-UniversalTelemetryClient

Seen on:

Windows 10 (1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-UniversalTelemetryClient
Identifier:	{6489b27f-7c43-5886-1d00-0a61bb2a375b}
Event message file(s):	%systemroot%\system32\diagtrack.dll

Microsoft-Windows-User Device Registration

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-User Device Registration
Identifier:	{23b8d46b-67dd-40a3-b636-d43e50552c6d}
Event message file(s):	%systemroot%\system32\dsreg.dll

Microsoft-Windows-User Profiles General

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-User Profiles General
	Userenv
Log type:	Application
Identifier:	{db00dfb6-29f9-4a9c-9b3b-1f4f9e7d9770}
Event message file(s):	%systemroot%\system32\userenv.dll

Microsoft-Windows-User Profiles Service

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-User Profiles Service
	Profsvc
Log type:	Application
Identifier:	{89b1e9f0-5aff-44a6-9b44-0a07a7ce5845}
Event message file(s):	%systemroot%\system32\profsvc.dll

Microsoft-Windows-User-ControlPanel

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-User-ControlPanel
Identifier:	{319122a9-1485-4e48-af35-7db2d93b8ad2}
Event message file(s):	%systemroot%\system32\usercpl.dll

Microsoft-Windows-User-Diagnostic

Seen on:

Windows 10 (1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-User-Diagnostic
Identifier:	{305fc87b-002a-5e26-d297-60223012ca9c}
Event message file(s):	%systemroot%\system32\microsoft-windows-system-events.dll

Microsoft-Windows-User-Loader

Seen on:

Windows 2008
Windows 7
Windows 8.0
Windows Vista

Log source(s):	Microsoft-Windows-User-Loader
Identifier:	{b059b83f-d946-4b13-87ca-4292839dc2f2}
Event message file(s):	%systemroot%\system32\advapi32.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-User-Loader
Log type:	Application
Identifier:	{b059b83f-d946-4b13-87ca-4292839dc2f2}
Event message file(s):	%systemroot%\system32\microsoft-windows-system-events.dll

Microsoft-Windows-UserAccountControl

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-UserAccountControl
Identifier:	{2683b597-3cca-410a-97fe-6f7ee3d09b94}
Event message file(s):	%systemroot%\system32\useraccountcontrolsettings.dll

Microsoft-Windows-UserDataAccess-CEMAPI

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-UserDataAccess-CEMAPI
Identifier:	{83a9277a-d2fc-4b34-bf81-8ceb4407824f}
Event message file(s):	%systemroot%\system32\cemapi.dll

Microsoft-Windows-UserDataAccess-CallHistoryClient

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-UserDataAccess-CallHistoryClient
Identifier:	{f5988abb-323a-4098-8a34-85a3613d4638}
Event message file(s):	%systemroot%\system32\callhistoryclient.dll

Microsoft-Windows-UserDataAccess-PimIndexMaintenance

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-UserDataAccess-PimIndexMaintenance
Identifier:	{99c66ba7-5a97-40d5-aa01-8a07fb3db292}
Event message file(s):	%systemroot%\system32\pimindexmaintenance.dll

Microsoft-Windows-UserDataAccess-Poom

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-UserDataAccess-Poom
Identifier:	{0bd19909-eb6f-4b16-8074-6dce803f091d}
Event message file(s):	%systemroot%\system32\pimstore.dll

Microsoft-Windows-UserDataAccess-UnifiedStore

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-UserDataAccess-UnifiedStore
Identifier:	{56f519ab-9df6-4345-8491-a4ba21ac825b}
Event message file(s):	%systemroot%\system32\unistore.dll

Microsoft-Windows-UserDataAccess-UserDataApis

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-UserDataAccess-UserDataApis
Identifier:	{b9b2de3c-3fbd-4f42-8ff7-33c3bad35fd4}
Event message file(s):	%systemroot%\system32\appointmentapis.dll

Microsoft-Windows-UserDataAccess-UserDataService

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-UserDataAccess-UserDataService
Identifier:	{fb19ee2c-0d22-4a2e-969e-dd41ae0ce1a9}
Event message file(s):	%systemroot%\system32\userdataservice.dll

Microsoft-Windows-UserDataAccess-UserDataUtils

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-UserDataAccess-UserDataUtils
Identifier:	{d1f688bf-012f-4aec-a38c-e7d4649f8cd2}
Event message file(s):	%systemroot%\system32\userdataaccessres.dll

Microsoft-Windows-UserModePowerService

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-UserModePowerService
Identifier:	{ce8dee0b-d539-4000-b0f8-77bed049c590}
Event message file(s):	%systemroot%\system32\umpo.dll

Microsoft-Windows-UserPnp

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-UserPnp
Log type:	System
Identifier:	{96f4a050-7e31-453c-88be-9634f4e02139}
Event message file(s):	%systemroot%\system32\umpnpmgr.dll

Microsoft-Windows-UxInit

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-UxInit
Identifier:	{4154a29c-40d9-445f-8d65-24da473e8f65}
Event message file(s):	%systemroot%\system32\shsvcs.dll

Microsoft-Windows-UxTheme

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-UxTheme
Identifier:	{422088e6-cd0c-4f99-bd0b-6985fa290bdf}
Event message file(s):	%systemroot%\system32\shsvcs.dll

Microsoft-Windows-VAN

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-VAN
Identifier:	{01578f96-c270-4602-ade0-578d9c29fc0c}
Event message file(s):	%systemroot%\system32\van.dll

Microsoft-Windows-VDRVROOT

Seen on:

Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-VDRVROOT
Identifier:	{e4480490-85b6-11dd-ad8b-0800200c9a66}
Event message file(s):	%systemroot%\system32\drivers\vhdmp.sys

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-VDRVROOT
Identifier:	{e4480490-85b6-11dd-ad8b-0800200c9a66}
Event message file(s):	%systemroot%\system32\drivers\vdrvroot.sys

Microsoft-Windows-VHDMP

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-VHDMP
Identifier:	{e2816346-87f4-4f85-95c3-0c79409aa89d}
Event message file(s):	%systemroot%\system32\drivers\vhdmp.sys

Microsoft-Windows-VIRTDISK

Seen on:

Windows 10 (1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-VIRTDISK
Identifier:	{4d20df22-e177-4514-a369-f1759feedeb3}
Event message file(s):	%systemroot%\system32\virtdisk.dll

Microsoft-Windows-VPN-Client

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-VPN-Client
Identifier:	{3c088e51-65be-40d1-9b90-62bfec076737}
Event message file(s):	%systemroot%\system32\wbem\vpnclientpsprovider.dll

Microsoft-Windows-VWiFi

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-VWiFi
Identifier:	{314b2b0d-81ee-4474-b6e0-c2aaec0ddbde}
Event message file(s):	%systemroot%\system32\drivers\vwififlt.sys

Microsoft-Windows-VerifyHardwareSecurity

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-VerifyHardwareSecurity
Identifier:	{f3f53c76-b06d-4f15-b412-61164a0d2b73}
Event message file(s):	%systemroot%\system32\wldp.dll

Microsoft-Windows-Video-For-Windows

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-Video-For-Windows
Log type:	Application
Identifier:	{712abb2d-d806-4b42-9682-26da01d8b307}
Event message file(s):	%systemroot%\system32\mciavi32.dll

Microsoft-Windows-VolumeControl

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-VolumeControl
Identifier:	{07de7879-1c96-41ce-afbd-c659a0e8e643}
Event message file(s):	%systemroot%\system32\sndvolsso.dll

Microsoft-Windows-VolumeSnapshot-Driver

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-VolumeSnapshot-Driver
Identifier:	{67fe2216-727a-40cb-94b2-c02211edb34a}
Event message file(s):	%systemroot%\system32\drivers\volsnap.sys

Microsoft-Windows-WABSyncProvider

Seen on:

Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-WABSyncProvider
Identifier:	{17f14a23-551d-40cc-a086-e4194d64ed4c}
Event message file(s):	%systemroot%\system32\portabledevicesyncprovider.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-WABSyncProvider
Identifier:	{17f14a23-551d-40cc-a086-e4194d64ed4c}
Event message file(s):	%systemroot%\system32\wabsyncprovider.dll

Microsoft-Windows-WCN-Config-Registrar

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-WCN-Config-Registrar
Identifier:	{c100becf-d33a-4a4b-bf23-bbef4663d017}
Event message file(s):	%systemroot%\system32\wcncsvc.dll

Microsoft-Windows-WCN-Config-Registrar-Secure

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-WCN-Config-Registrar-Secure
Identifier:	{c100becc-d33a-4a4b-bf23-bbef4663d017}
Event message file(s):	%systemroot%\system32\wcncsvc.dll

Microsoft-Windows-WCNWiz

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-WCNWiz
Identifier:	{e8aa5402-26a1-455e-a21b-f240ed62d155}
Event message file(s):	%systemroot%\system32\wcnwiz.dll

Microsoft-Windows-WDAG-PolicyEvaluator-CSP

Seen on:

Windows 10 (1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-WDAG-PolicyEvaluator-CSP
Identifier:	{64a98c25-9e00-404e-84ad-6700dfe02529}
Event message file(s):	%systemroot%\system32\hvsievaluator.exe

Microsoft-Windows-WDAG-PolicyEvaluator-GP

Seen on:

Windows 10 (1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-WDAG-PolicyEvaluator-GP
Identifier:	{e53df8ba-367a-4406-98d5-709ffb169681}
Event message file(s):	%systemroot%\system32\hvsigpext.dll

Microsoft-Windows-WEPHOSTSVC

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-WEPHOSTSVC
Identifier:	{d5f7235b-48e2-4e9c-92fe-0e4950aba9e8}
Event message file(s):	%systemroot%\system32\wephostsvc.dll

Microsoft-Windows-WER-Diag

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-WER-Diag
Identifier:	{ad8aa069-a01b-40a0-ba40-948d1d8dedc5}
Event message file(s):	%systemroot%\system32\werfault.exe

Microsoft-Windows-WER-PayloadHealth

Seen on:

Windows 10 (1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-WER-PayloadHealth
Identifier:	{4afddfde-002d-51ac-c109-c3b7897858d0}
Event message file(s):	%systemroot%\system32\wer.dll

Microsoft-Windows-WFP

Seen on:

Windows 2008
Windows 7

Log source(s):	Microsoft-Windows-WFP
Identifier:	{0c478c5b-0351-41b1-8c58-4a6737da32e3}
Event message file(s):	%systemroot%\system32\bfe.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-WFP
Identifier:	{0c478c5b-0351-41b1-8c58-4a6737da32e3}
Event message file(s):	%systemroot%\system32\drivers\fwpkclnt.sys

Microsoft-Windows-WHEA-Logger

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-WHEA-Logger
Log type:	System
Identifier:	{c26c4f3c-3f66-4e99-8f8a-39405cfed220}
Event message file(s):	%systemroot%\system32\whealogr.dll

Microsoft-Windows-WLAN-AutoConfig

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-WLAN-AutoConfig
Identifier:	{9580d7dd-0379-4658-9870-d5be7d52d6de}
Event message file(s):	%systemroot%\system32\wlansvc.dll

Microsoft-Windows-WLAN-Driver

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-WLAN-Driver
Identifier:	{daa6a96b-f3e7-4d4d-a0d6-31a350e6a445}
Event message file(s):	%systemroot%\system32\wlansvc.dll

Microsoft-Windows-WLAN-MediaManager

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-WLAN-MediaManager
Identifier:	{323dad74-d3ec-44a8-8b9d-cafeb4999274}
Event message file(s):	%systemroot%\system32\wlanmm.dll

Microsoft-Windows-WLGPA

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-WLGPA
Identifier:	{46098845-8a94-442d-9095-366a6bcfefa9}
Event message file(s):	%systemroot%\system32\wlgpclnt.dll

Microsoft-Windows-WMI

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-WMI
	WinMgmt
Log type:	Application
Identifier:	{1edeee53-0afe-4609-b846-d8c0b2075b1f}
Event message file(s):	%systemroot%\system32\wbem\winmgmtr.dll

Microsoft-Windows-WMI-Activity

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-WMI-Activity
Identifier:	{1418ef04-b0b4-4623-bf7e-d74ab47bbdaa}
Event message file(s):	%systemroot%\system32\wbem\winmgmtr.dll

Microsoft-Windows-WMP

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-WMP
Identifier:	{f3f14ff3-7b80-4868-91d0-d77e497b025e}
Event message file(s):	%systemroot%\system32\wmp.dll

Microsoft-Windows-WMP-Setup_WM

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-WMP-Setup_WM
Identifier:	{0d759f0f-cff9-4902-8867-eb9e29d7a98b}
Event message file(s):	%programfiles%\windows media player\setup_wm.exe

Microsoft-Windows-WMPDMCUI

Seen on:

Windows 7

Log source(s):	Microsoft-Windows-WMPDMCUI
Identifier:	{3f9e07bd-0e26-4241-a5a5-28cafa150a75}
Event message file(s):	\program files\windows media player\wmpdmc.exe

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-WMPDMCUI
Identifier:	{3f9e07bd-0e26-4241-a5a5-28cafa150a75}
Event message file(s):	%systemroot%\system32\wmpdmc.exe

Microsoft-Windows-WMPNSS-PublicAPI

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-WMPNSS-PublicAPI
Identifier:	{614696c9-85af-4e64-b389-d2c0db4ff87b}
Event message file(s):	%programfiles%\windows media player\wmpmediasharing.dll

Microsoft-Windows-WMPNSS-Service

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-WMPNSS-Service
	WMPNetworkSvc
Log type:	System
Identifier:	{6a2dc7c1-930a-4fb5-bb44-80b30aebed6c}
Event message file(s):	%programfiles%\windows media player\wmpnetwk.exe

Microsoft-Windows-WMPNSSUI

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-WMPNSSUI
Identifier:	{7c314e58-8246-47d1-8f7a-4049dc543e0b}
Event message file(s):	%programfiles%\windows media player\wmpnssui.dll

Microsoft-Windows-WMVENCOD

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-WMVENCOD
Identifier:	{313b0545-bf9c-492e-9173-8de4863b8573}
Event message file(s):	%systemroot%\system32\wmvencod.dll

Microsoft-Windows-WPD-API

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-WPD-API
Identifier:	{31569dcf-9c6f-4b8e-843a-b7c1cc7ffcba}
Event message file(s):	%systemroot%\system32\wpd_ci.dll

Microsoft-Windows-WPD-CompositeClassDriver

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-WPD-CompositeClassDriver
Identifier:	{355c44fe-0c8e-4bf8-be28-8bc7b5a42720}
Event message file(s):	%systemroot%\system32\wpd_ci.dll

Microsoft-Windows-WPD-MTPBT

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-WPD-MTPBT
Identifier:	{92ab58d3-f351-4af5-9c72-d52f36ee2c92}
Event message file(s):	%systemroot%\system32\wpd_ci.dll

Microsoft-Windows-WPD-MTPClassDriver

Seen on:

Windows Vista

Log source(s):	Microsoft-Windows-WPD-MTPClassDriver
	WPDMTPDriver
Log type:	System
Identifier:	{21b7c16e-c5af-4a69-a74a-7245481c1b97}
Event message file(s):	%systemroot%\system32\drivers\umdf\wpdmtpdr.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-WPD-MTPClassDriver
Identifier:	{21b7c16e-c5af-4a69-a74a-7245481c1b97}
Event message file(s):	%systemroot%\system32\wpd_ci.dll

Microsoft-Windows-WPD-MTPIP

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-WPD-MTPIP
Identifier:	{c374d21e-69b2-4cd7-9a25-62187c5a5619}
Event message file(s):	%systemroot%\system32\wpd_ci.dll

Microsoft-Windows-WPD-MTPUS

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-WPD-MTPUS
Identifier:	{dcfc4489-9ce0-403c-99df-a05422c60898}
Event message file(s):	%systemroot%\system32\wpd_ci.dll

Microsoft-Windows-WPDClassInstaller

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-WPDClassInstaller
	WPDClassInstaller
Log type:	System
Identifier:	{ad5162d8-daf0-4a25-88a7-01cbeb33902e}
Event message file(s):	%systemroot%\system32\wpd_ci.dll

Microsoft-Windows-WSC-SRV

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-WSC-SRV
Identifier:	{5857d6ca-9732-4454-809b-2a87b70881f8}
Event message file(s):	%systemroot%\system32\wscui.cpl

Microsoft-Windows-WUSA

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-WUSA
Identifier:	{09608c12-c1da-4104-a6fe-b959cf57560a}
Event message file(s):	%systemroot%\system32\wusa.exe

Microsoft-Windows-WWAN-CFE

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-WWAN-CFE
Identifier:	{71c993b8-1e28-4543-9886-fb219b63fdb3}
Event message file(s):	%systemroot%\system32\wwanconn.dll

Microsoft-Windows-WWAN-MM-EVENTS

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-WWAN-MM-EVENTS
Identifier:	{7839bb2a-2ea3-4eca-a00f-b558ba678bec}
Event message file(s):	%systemroot%\system32\wwansvc.dll

Microsoft-Windows-WWAN-MediaManager

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-WWAN-MediaManager
Identifier:	{f4c9be26-414f-42d7-b540-8bff965e6d32}
Event message file(s):	%systemroot%\system32\wwanconn.dll

Microsoft-Windows-WWAN-NDISUIO-EVENTS

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-WWAN-NDISUIO-EVENTS
Identifier:	{b3eee223-d0a9-40cd-adfc-50f1888138ab}
Event message file(s):	%systemroot%\system32\drivers\ndisuio.sys

Microsoft-Windows-WWAN-SVC-EVENTS

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-WWAN-SVC-EVENTS
Identifier:	{3cb40aaa-1145-4fb8-b27b-7e30f0454316}
Event message file(s):	%systemroot%\system32\wwansvc.dll

Microsoft-Windows-Wallet

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-Wallet
	WalletService
Log type:	System
Identifier:	{6ed11b00-c1b5-48cb-aecc-ff72ebefbae8}
Event message file(s):	%systemroot%\system32\walletservice.dll

Microsoft-Windows-Wcmsvc

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Wcmsvc
Identifier:	{67d07935-283a-4791-8f8d-fa9117f3e6f2}
Event message file(s):	%systemroot%\system32\wcmsvc.dll

Microsoft-Windows-WebAuth

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-WebAuth
Identifier:	{db6972b6-dddf-4820-84b1-2ed6ac0b96e5}
Event message file(s):	%systemroot%\system32\authhost.exe

Microsoft-Windows-WebAuthN

Seen on:

Windows 10 (1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-WebAuthN
Identifier:	{3ae1ea61-c002-47fb-b06c-4022a8c98929}
Event message file(s):	%systemroot%\system32\webauthn.dll

Microsoft-Windows-WebIO

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-WebIO
Identifier:	{50b3e73c-9370-461d-bb9f-26f32d68887d}
Event message file(s):	%systemroot%\system32\webio.dll

Microsoft-Windows-WebServices

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-WebServices
Identifier:	{e04fe2e0-c6cf-4273-b59d-5c97c9c374a4}
Event message file(s):	%systemroot%\system32\webservices.dll

Microsoft-Windows-WebcamExperience

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-WebcamExperience
Identifier:	{9e12ceb1-e3ff-46ad-a0aa-11738b122d20}
Event message file(s):	%systemroot%\system32\webcamui.dll

Microsoft-Windows-WebdavClient-LookupServiceTrigger

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-WebdavClient-LookupServiceTrigger
Identifier:	{22b6d684-fa63-4578-87c9-effcbe6643c7}
Event message file(s):	%systemroot%\system32\davclnt.dll

Microsoft-Windows-Websocket-Protocol-Component

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Websocket-Protocol-Component
Identifier:	{cba5f63c-e2cf-4b36-8305-bde1311924fc}
Event message file(s):	%systemroot%\system32\websocket.dll

Microsoft-Windows-WerKernel

Seen on:

Windows 11 (21H2)

Log source(s):	Microsoft-Windows-WerKernel
Identifier:	{87a623f0-8db5-5c11-7c80-a2ebbcbe5189}
Event message file(s):	%systemroot%\system32\drivers\werkernel.sys

Microsoft-Windows-WiFiDisplay

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.1

Log source(s):	Microsoft-Windows-WiFiDisplay
Identifier:	{712880e9-7813-41a3-8e4c-e4e0c4f6580a}
Event message file(s):	%systemroot%\system32\wifidisplay.dll

Microsoft-Windows-WiFiHotspotService

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-WiFiHotspotService
Identifier:	{814182fe-58f7-11e1-853c-78e7d1ca7337}
Event message file(s):	%systemroot%\system32\wifinetworkmanager.dll

Microsoft-Windows-WiFiNetworkManager

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-WiFiNetworkManager
Identifier:	{e5c16d49-2464-4382-bb20-97a4b5465db9}
Event message file(s):	%systemroot%\system32\wifinetworkmanager.dll

Microsoft-Windows-Win32k

Seen on:

Windows 2008
Windows 7

Log source(s):	Microsoft-Windows-Win32k
Identifier:	{e7ef96be-969f-414f-97d7-3ddb7b558ccc}
Event message file(s):	%systemroot%\system32\win32k.sys

Seen on:

Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Win32k
Identifier:	{8c416c79-d49b-4f01-a467-e56d3aa8234c}
Event message file(s):	%systemroot%\system32\win32k.sys

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-Win32k
Identifier:	{8c416c79-d49b-4f01-a467-e56d3aa8234c}
Event message file(s):	%systemroot%\system32\win32kbase.sys

Microsoft-Windows-WinHttp

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-WinHttp
	WinHttpAutoProxySvc
Log type:	System
Identifier:	{7d44233d-3055-4b9c-ba64-0d47ca40a232}
Event message file(s):	%systemroot%\system32\winhttp.dll

Microsoft-Windows-WinHttp-Pca

Seen on:

Windows 11 (21H2)

Log source(s):	Microsoft-Windows-WinHttp-Pca
Identifier:	{d071ce03-0d7b-5b27-e817-b9c12961934e}
Event message file(s):	%systemroot%\system32\winhttp.dll

Microsoft-Windows-WinINet

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-WinINet
Identifier:	{43d1a55c-76d6-4f7e-995c-64c711e5cafe}
Event message file(s):	%systemroot%\system32\wininet.dll

Microsoft-Windows-WinINet-Capture

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-WinINet-Capture
Identifier:	{a70ff94f-570b-4979-ba5c-e59c9feab61b}
Event message file(s):	%systemroot%\system32\wininet.dll

Microsoft-Windows-WinINet-Config

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-WinINet-Config
Identifier:	{5402e5ea-1bdd-4390-82be-e108f1e634f5}
Event message file(s):	%systemroot%\system32\wininet.dll

Seen on:

Windows 10 (1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-WinINet-Config
Identifier:	{5402e5ea-1bdd-4390-82be-e108f1e634f5}
Event message file(s):	%systemroot%\system32\winhttp.dll

Microsoft-Windows-WinINet-Pca

Seen on:

Windows 11 (21H2)

Log source(s):	Microsoft-Windows-WinINet-Pca
Identifier:	{4860ea43-3f05-5fb8-20ce-7ba346a44747}
Event message file(s):	%systemroot%\system32\wininet.dll

Microsoft-Windows-WinMDE

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-WinMDE
Identifier:	{77549803-7bb1-418b-a98e-f2e22f35a873}
Event message file(s):	%systemroot%\system32\winmde.dll

Microsoft-Windows-WinML

Seen on:

Windows 10 (1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-WinML
Identifier:	{c8517e09-bea2-5bb6-bef3-50b4c91c431e}
Event message file(s):	%systemroot%\system32\winml.dll

Microsoft-Windows-WinNat

Seen on:

Windows 10 (1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012

Log source(s):	Microsoft-Windows-WinNat
Identifier:	{66c07ecd-6667-43fc-93f8-05cf07f446ec}
Event message file(s):	%systemroot%\system32\drivers\winnat.sys

Microsoft-Windows-WinRM

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-WinRM
	WinRM
Log type:	System
Identifier:	{a7975c8f-ac13-49f1-87da-5a984a4ab417}
Event message file(s):	%systemroot%\system32\wsmres.dll

Microsoft-Windows-WinRT-Error

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-WinRT-Error
Identifier:	{a86f8471-c31d-4fbc-a035-665d06047b03}
Event message file(s):	%systemroot%\system32\combase.dll

Microsoft-Windows-Windeploy

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Windeploy
Identifier:	{75ebc33e-c8ae-4f93-9ca1-683a53e20cb6}
Event message file(s):	%systemroot%\system32\oobe\windeploy.exe

Microsoft-Windows-Windows Defender

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-Windows Defender
	WinDefend
	WinDefendRtp
Log type:	Application
Identifier:	{11cd958a-c507-4ef3-b3f2-5fd9dfbd2c78}
Event message file(s):	%programfiles%\windows defender\mpevmsg.dll
Parameter message file(s):	%programfiles%\windows defender\mpevmsg.dll

Microsoft-Windows-Windows Firewall With Advanced Security

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Windows Firewall With Advanced Security
Identifier:	{d1bc9aff-2abf-4d71-9146-ecb2a986eb85}
Event message file(s):	%systemroot%\system32\mpssvc.dll

Microsoft-Windows-WindowsBackup

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0

Log source(s):	Microsoft-Windows-WindowsBackup
Identifier:	{01979c6a-42fa-414c-b8aa-eee2c8202018}
Event message file(s):	%systemroot%\system32\sdclt.exe

Microsoft-Windows-WindowsColorSystem

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-WindowsColorSystem
Identifier:	{d53270e3-c8cf-4707-958a-dad20c90073c}
Event message file(s):	%systemroot%\system32\mscms.dll

Microsoft-Windows-WindowsSystemAssessmentTool

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-WindowsSystemAssessmentTool
Log type:	Application
Identifier:	{11a75546-3234-465e-bec8-2d301cb501ac}
Event message file(s):	%systemroot%\system32\winsat.exe

Microsoft-Windows-WindowsToGo-StartupOptions

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-WindowsToGo-StartupOptions
Log type:	System
Identifier:	{2e6cb42e-161d-413b-a6c1-84ca4c1e5890}
Event message file(s):	%systemroot%\system32\pwlauncher.dll

Microsoft-Windows-WindowsUIImmersive

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-WindowsUIImmersive
Identifier:	{74827cbb-1e0f-45a2-8523-c605866d2f22}
Event message file(s):	%systemroot%\system32\windows.ui.immersive.dll

Microsoft-Windows-WindowsUpdateClient

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-WindowsUpdateClient
Log type:	System
Identifier:	{945a8954-c147-4acd-923f-40c45405a658}
Event message file(s):	%systemroot%\system32\wuaueng.dll

Microsoft-Windows-Wininit

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-Wininit
	Wininit
Log type:	Application
Identifier:	{206f6dea-d3c5-4d10-bc72-989f03c8b84b}
Event message file(s):	%systemroot%\system32\wininit.exe

Microsoft-Windows-Winlogon

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-Winlogon
	Winlogon
	Wlclntfy
Log type:	Application
Identifier:	{dbe9b383-7cf3-4331-91cc-a3cb16a3b538}
Event message file(s):	%systemroot%\system32\winlogon.exe

Microsoft-Windows-Winsock-AFD

Seen on:

Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Winsock-AFD
Identifier:	{e53c6823-7bb8-44bb-90dc-3f86090d48a6}
Event message file(s):	%systemroot%\system32\ws2_32.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows Vista

Log source(s):	Microsoft-Windows-Winsock-AFD
Identifier:	{e53c6823-7bb8-44bb-90dc-3f86090d48a6}
Event message file(s):	%systemroot%\system32\drivers\afd.sys

Microsoft-Windows-Winsock-NameResolution

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-Winsock-NameResolution
Identifier:	{55404e71-4db9-4deb-a5f5-8f86e46dde56}
Event message file(s):	%systemroot%\system32\ws2_32.dll

Microsoft-Windows-Winsock-SQM

Seen on:

Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Winsock-SQM
Identifier:	{093da50c-0bb9-4d7d-b95c-3bb9fcda5ee8}
Event message file(s):	%systemroot%\system32\ws2_32.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-Winsock-SQM
Identifier:	{093da50c-0bb9-4d7d-b95c-3bb9fcda5ee8}
Event message file(s):	%systemroot%\system32\drivers\afd.sys

Microsoft-Windows-Winsock-Sockets

Seen on:

Windows 11 (21H2)

Log source(s):	Microsoft-Windows-Winsock-Sockets
Identifier:	{bde46aea-2357-51fe-7367-d5296f530bd1}
Event message file(s):	%systemroot%\system32\ws2_32.dll

Microsoft-Windows-Winsock-WS2HELP

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-Winsock-WS2HELP
Identifier:	{d5c25f9a-4d47-493e-9184-40dd397a004d}
Event message file(s):	%systemroot%\system32\ws2_32.dll

Microsoft-Windows-Winsrv

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-Winsrv
Log type:	Application
Identifier:	{9d55b53d-449b-4824-a637-24f9d69aa02f}
Event message file(s):	%systemroot%\system32\winsrv.dll

Microsoft-Windows-Wired-AutoConfig

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-Wired-AutoConfig
Identifier:	{b92cf7fd-dc10-4c6b-a72d-1613bf25e597}
Event message file(s):	%systemroot%\system32\dot3svc.dll

Microsoft-Windows-WlanConn

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-WlanConn
Identifier:	{239cfb83-cbb7-4bbc-a02e-9bdb496aa7c2}
Event message file(s):	%systemroot%\system32\wlanconn.dll

Microsoft-Windows-WlanDlg

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-WlanDlg
Identifier:	{d4afa0dc-4dd1-40af-afce-cb0d0e6736a7}
Event message file(s):	%systemroot%\system32\wlandlg.dll

Microsoft-Windows-WlanPref

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-WlanPref
Identifier:	{ca5ba219-c0d4-4efa-9ceb-72aff92672b0}
Event message file(s):	%systemroot%\system32\wlanpref.dll

Microsoft-Windows-Wmbclass-Opn

Seen on:

Windows 10 (2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-Wmbclass-Opn
Identifier:	{a42fe227-a7bf-4483-a502-6bcda428cd96}
Event message file(s):	%systemroot%\system32\drivers\mbbcx.sys

Microsoft-Windows-Wordpad

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-Wordpad
Identifier:	{54ffd262-99fe-4576-96e7-1adb500370dc}
Event message file(s):	%programfiles%\windows nt\accessories\wordpad.exe

Microsoft-Windows-WorkFolders

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.1

Log source(s):	Microsoft-Windows-WorkFolders
Identifier:	{34a3697e-0f10-4e48-af3c-f869b5babebb}
Event message file(s):	%systemroot%\system32\workfolderssvc.dll

Microsoft-Windows-Workplace Join

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-Workplace Join
Identifier:	{76ab12d5-c986-4e60-9d7c-2a092b284cdd}
Event message file(s):	%systemroot%\system32\deviceregistration.dll

Microsoft-Windows-WwanClient_ba7d1e0209ba3c1618d0ff4e1b3cc41f

Seen on:

Windows 11 (21H2)

Log source(s):	Microsoft-Windows-WwanClient_ba7d1e0209ba3c1618d0ff4e1b3cc41f
Identifier:	{ba7d1e02-09ba-3c16-18d0-ff4e1b3cc41f}
Event message file(s):	%systemroot%\system32\wwapi.dll

Microsoft-Windows-WwanProtDim_a4883e4812543bef236935bfe6c0b03c

Seen on:

Windows 11 (21H2)

Log source(s):	Microsoft-Windows-WwanProtDim_a4883e4812543bef236935bfe6c0b03c
Identifier:	{a4883e48-1254-3bef-2369-35bfe6c0b03c}
Event message file(s):	%systemroot%\system32\wwanprotdim.dll

Microsoft-Windows-XAML

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-XAML
Identifier:	{531a35ab-63ce-4bcf-aa98-f88c7a89e455}
Event message file(s):	%systemroot%\system32\windows.ui.xaml.dll

Microsoft-Windows-XAML-Diagnostics

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-XAML-Diagnostics
Identifier:	{59e7a714-73a4-4147-b47e-0957048c75c4}
Event message file(s):	%systemroot%\system32\windows.ui.xaml.dll

Microsoft-Windows-XAudio2

Seen on:

Windows 10 (1607)
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-XAudio2
Identifier:	{1ee3abdb-c1fc-4b43-9e56-11064abba866}
Event message file(s):	%systemroot%\system32\xaudio2_8.dll

Seen on:

Windows 10 (1511, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-XAudio2
Identifier:	{1ee3abdb-c1fc-4b43-9e56-11064abba866}
Event message file(s):	%systemroot%\system32\xaudio2_9.dll

Microsoft-Windows-XWizards

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-XWizards
Log type:	Application
Identifier:	{777ba8fe-2498-4875-933a-3067de883070}
Event message file(s):	%systemroot%\system32\xwizards.dll

Microsoft-Windows-ZTraceMaps

Seen on:

Windows 11 (21H2)

Log source(s):	Microsoft-Windows-ZTraceMaps
Identifier:	{b865b57b-bdda-4e1d-a2c8-adfa69fe6ab9}
Event message file(s):	%systemroot%\system32\ztrace_maps.dll

Microsoft-Windows-exFAT-SQM

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	Microsoft-Windows-exFAT-SQM
Log type:	System
Identifier:	{494e7a3d-8db9-4ec4-b43e-2844af6e38d6}
Event message file(s):	%systemroot%\system32\drivers\exfat.sys

Microsoft-Windows-hidcfu

Seen on:

Windows 11 (21H2)

Log source(s):	Microsoft-Windows-hidcfu
Identifier:	{7628e972-6d6f-4974-b58f-6428622ec09a}

Microsoft-Windows-mobsync

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-mobsync
Identifier:	{b44aec44-38f4-4b59-8df3-10306abf19b2}
Event message file(s):	%systemroot%\system32\synccenter.dll

Microsoft-Windows-msmpeg2venc

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-msmpeg2venc
Identifier:	{d17b213a-c505-49c9-98cc-734253ef65d4}
Event message file(s):	%systemroot%\system32\msmpeg2enc.dll

Microsoft-Windows-ntshrui

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-ntshrui
Identifier:	{676f167f-f72c-446e-a498-eda43319a5e3}
Event message file(s):	%systemroot%\system32\ntshrui.dll

Microsoft-Windows-osk

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-osk
Identifier:	{4f768be8-9c69-4bbc-87fc-95291d3f9d0c}
Event message file(s):	%systemroot%\system32\osk.exe

Microsoft-Windows-stobject

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Microsoft-Windows-stobject
Identifier:	{86133982-63d7-4741-928e-ef1349b80219}
Event message file(s):	%systemroot%\system32\stobject.dll

Microsoft-Windows-wmbclass

Seen on:

Windows 10 (2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-Windows-wmbclass
Identifier:	{12d25187-6c0d-4783-ad3a-84caa135acfd}
Event message file(s):	%systemroot%\system32\drivers\mbbcx.sys

Microsoft-Windows-wmvdecod

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.0
Windows 8.1

Log source(s):	Microsoft-Windows-wmvdecod
Identifier:	{55bacc9f-9ac0-46f5-968a-a5a5dd024f8a}
Event message file(s):	%systemroot%\system32\wmvdecod.dll

Microsoft-WindowsPhone-ConfigManager2

Seen on:

Windows 10 (1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-WindowsPhone-ConfigManager2
Identifier:	{2f94e1cc-a8c5-4fe7-a1c3-53d7bda8e73e}
Event message file(s):	%systemroot%\system32\configmanager2.dll

Microsoft-WindowsPhone-CoreMessaging

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-WindowsPhone-CoreMessaging
Identifier:	{922cdcf3-6123-42da-a877-1a24f23e39c5}
Event message file(s):	%systemroot%\system32\coremessaging.dll

Microsoft-WindowsPhone-CoreUIComponents

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-WindowsPhone-CoreUIComponents
Identifier:	{a0b7550f-4e9a-4f03-ad41-b8042d06a2f7}
Event message file(s):	%systemroot%\system32\etwcoreuicomponentsresources.dll

Microsoft-WindowsPhone-LocationServiceProvider

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-WindowsPhone-LocationServiceProvider
Identifier:	{4d13548f-c7b8-4174-bb7a-d7f64bf22d29}
Event message file(s):	%systemroot%\system32\locationframework.dll

Microsoft-WindowsPhone-Ufx

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-WindowsPhone-Ufx
Identifier:	{e98ebdbf-3058-4784-8521-47860b1d2b8e}
Event message file(s):	%systemroot%\system32\drivers\ufx01000.sys

Microsoft-WindowsPhone-UfxSynopsys

Seen on:

Windows 10 (1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft-WindowsPhone-UfxSynopsys
Identifier:	{49b12c7c-4bd5-4f93-bb75-30fce739600b}
Event message file(s):	%systemroot%\system32\drivers\ufxsynopsys.sys

Microsoft.Transactions.Bridge 4.0.0.0

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 8.1

Log source(s):	Microsoft.Transactions.Bridge 4.0.0.0
Log type:	Application
Category message file(s):	%systemroot%\microsoft.net\framework64\v4.0.30319\servicemodelevents.dll
Event message file(s):	%systemroot%\microsoft.net\framework64\v4.0.30319\servicemodelevents.dll

Seen on:

Windows 8.0

Log source(s):	Microsoft.Transactions.Bridge 4.0.0.0
Log type:	Application
Category message file(s):	%systemroot%\microsoft.net\framework\v4.0.30319\servicemodelevents.dll
Event message file(s):	%systemroot%\microsoft.net\framework\v4.0.30319\servicemodelevents.dll

Microsoft.Windows.ResourceManager

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Microsoft.Windows.ResourceManager
Identifier:	{4180c4f7-e238-5519-338f-ec214f0b49aa}
Event message file(s):	%systemroot%\system32\psmserviceexthost.dll

MsBridge

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	MsBridge
Log type:	System
Event message file(s):	%systemroot%\system32\netevent.dll

MsiInstaller

Seen on:

Windows 2000
Windows 2003
Windows XP 32-bit

Log source(s):	MsiInstaller
Log type:	Application
Event message file(s):	%systemroot%\system32\msi.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	MsiInstaller
Log type:	Application
Event message file(s):	%systemroot%\system32\msimsg.dll

Seen on:

Windows XP 64-bit

Log source(s):	MsiInstaller
Log type:	Application
Event message file(s):	%systemroot%\syswow64\msi.dll

Mup

Seen on:

Windows 2000
Windows 2003
Windows XP 32-bit
Windows XP 64-bit

Log source(s):	Mup
Log type:	System
Event message file(s):	%systemroot%\system32\netevent.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Mup
Log type:	System
Event message file(s):	%systemroot%\system32\iologmsg.dll
	%systemroot%\system32\netevent.dll

NdisImPlatform

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	NdisImPlatform
Log type:	System
Event message file(s):	%systemroot%\system32\netevent.dll

NdisWan

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2000
Windows 2003
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista
Windows XP 32-bit
Windows XP 64-bit

Log source(s):	NdisWan
Log type:	System
Event message file(s):	%systemroot%\system32\mprmsg.dll

NetBIOS

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2000
Windows 2003
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista
Windows XP 32-bit
Windows XP 64-bit

Log source(s):	NetBIOS
Log type:	System
Event message file(s):	%systemroot%\system32\iologmsg.dll

NetBT

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2000
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	NetBT
Log type:	System
Event message file(s):	%systemroot%\system32\netevent.dll

Seen on:

Windows 2003
Windows XP 64-bit

Log source(s):	NetBT
Log type:	System
Event message file(s):	%systemroot%\system32\netevent.dll
	%systemroot%\system32\ws03res.dll

Seen on:

Windows XP 32-bit

Log source(s):	NetBT
Log type:	System
Event message file(s):	%systemroot%\system32\netevent.dll
	%systemroot%\system32\xpsp2res.dll

NetJoin

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	NetJoin
Log type:	System
Identifier:	{9741fd4e-3757-479f-a3c6-fc49f6d5edd0}
Event message file(s):	%systemroot%\system32\netjoin.dll

Netlogon

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2000
Windows 2003
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista
Windows XP 32-bit
Windows XP 64-bit

Log source(s):	Netlogon
Log type:	System
Event message file(s):	%systemroot%\system32\netmsg.dll
Parameter message file(s):	%systemroot%\system32\kernel32.dll

NisDrvWFP Provider

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909)
Windows 8.1

Log source(s):	NisDrvWFP Provider
Identifier:	{49d6ad7b-52c4-4f79-a164-4dcd908391e4}
Event message file(s):	%systemroot%\system32\drivers\wdnisdrv.sys

Seen on:

Windows 10 (2004, 20H2)
Windows 11 (21H2)

Log source(s):	NisDrvWFP Provider
Identifier:	{49d6ad7b-52c4-4f79-a164-4dcd908391e4}
Event message file(s):	system32\drivers\wdnisdrv.sys

Ntfs

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Ntfs
Log type:	System
Identifier:	{dd70bc80-ef44-421b-8ac3-cd31da613a4e}
Event message file(s):	%systemroot%\system32\drivers\ntfs.sys

Seen on:

Windows Vista

Log source(s):	Ntfs
Log type:	System
Identifier:	{dd70bc80-ef44-421b-8ac3-cd31da613a4e}
Event message file(s):	%systemroot%\system32\drivers\ntfs.sys
	%systemroot%\system32\iologmsg.dll

OpenSSH

Seen on:

Windows 10 (1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	OpenSSH
Identifier:	{c4b57d35-0636-4bc3-a262-370f249f9802}
Event message file(s):	%systemroot%\system32\openssh\ssh-agent.exe

PNPMEM

Seen on:

Windows 10 (1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	PNPMEM
Log type:	System
Event message file(s):	%systemroot%\system32\drivers\pnpmem.sys
	%systemroot%\system32\iologmsg.dll

Parport

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Parport
Log type:	System
Event message file(s):	%systemroot%\system32\drivers\parport.sys
	%systemroot%\system32\iologmsg.dll

Power

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Power
Log type:	System
Event message file(s):	%systemroot%\system32\umpo.dll

PowerShell

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	PowerShell
Log type:	Windows PowerShell
Category message file(s):	%systemroot%\system32\windowspowershell\v1.0\pwrshmsg.dll
Event message file(s):	%systemroot%\system32\windowspowershell\v1.0\pwrshmsg.dll

PptpMiniport

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2000
Windows 2003
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows Vista
Windows XP 32-bit
Windows XP 64-bit

Log source(s):	PptpMiniport
Log type:	System
Event message file(s):	%systemroot%\system32\netevent.dll

PrintFilterPipelineSvc

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	PrintFilterPipelineSvc
Log type:	System
Identifier:	{5b33145c-1c66-49f3-b4ca-f563c165f2c0}

Processor

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2003
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Processor
Log type:	System
Event message file(s):	%systemroot%\system32\drivers\processr.sys
	%systemroot%\system32\iologmsg.dll

RFCOMM

Seen on:

Windows 10 (1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	RFCOMM
Log type:	System
Event message file(s):	%systemroot%\system32\drivers\rfcomm.sys
	%systemroot%\system32\iologmsg.dll

RasAuto

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2000
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows XP 32-bit

Log source(s):	RasAuto
Log type:	System
Event message file(s):	%systemroot%\system32\mprmsg.dll

Seen on:

Windows 2003
Windows Vista
Windows XP 64-bit

Log source(s):	RasAuto
Log type:	System
Event message file(s):	%systemroot%\system32\mprmsg.dll
	%systemroot%\system32\ws03res.dll

RasCfg

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	RasCfg
Log type:	System
Event message file(s):	%systemroot%\system32\mprmsg.dll

RasClient

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	RasClient
Log type:	Application
Event message file(s):	%systemroot%\system32\mprmsg.dll

Rasman

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Rasman
Log type:	System
Event message file(s):	%systemroot%\system32\mprmsg.dll

RemoteAccess

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2000
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows XP 32-bit

Log source(s):	RemoteAccess
Log type:	System
Event message file(s):	%systemroot%\system32\mprmsg.dll
Parameter message file(s):	%systemroot%\system32\iassvcs.dll

Seen on:

Windows 2003
Windows Vista
Windows XP 64-bit

Log source(s):	RemoteAccess
Log type:	System
Event message file(s):	%systemroot%\system32\mprmsg.dll
	%systemroot%\system32\ws03res.dll
Parameter message file(s):	%systemroot%\system32\iassvcs.dll

SC Manager

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2000
Windows 2003
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista
Windows XP 32-bit
Windows XP 64-bit

Log source(s):	SC Manager
Log type:	Security
Parameter message file(s):	%systemroot%\system32\msobjs.dll

SMSvcHost 4.0.0.0

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 8.1

Log source(s):	SMSvcHost 4.0.0.0
Log type:	System
Category message file(s):	%systemroot%\microsoft.net\framework64\v4.0.30319\servicemodelevents.dll
Event message file(s):	%systemroot%\microsoft.net\framework64\v4.0.30319\servicemodelevents.dll

Seen on:

Windows 8.0

Log source(s):	SMSvcHost 4.0.0.0
Log type:	System
Category message file(s):	%systemroot%\microsoft.net\framework\v4.0.30319\servicemodelevents.dll
Event message file(s):	%systemroot%\microsoft.net\framework\v4.0.30319\servicemodelevents.dll

SNMPTRAP

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	SNMPTRAP
Log type:	System
Event message file(s):	%systemroot%\system32\snmptrap.exe

SPP

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	SPP
Log type:	Application
Event message file(s):	%systemroot%\system32\sxproxy.dll

SceCli

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2000
Windows 2003
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista
Windows XP 32-bit
Windows XP 64-bit

Log source(s):	SceCli
Log type:	Application
Event message file(s):	%systemroot%\system32\scecli.dll

SceSrv

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2000
Windows 2003
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista
Windows XP 32-bit
Windows XP 64-bit

Log source(s):	SceSrv
Log type:	Application
Event message file(s):	%systemroot%\system32\scesrv.dll

Schannel

Seen on:

Windows 2003
Windows Vista

Log source(s):	Schannel
Log type:	System
Event message file(s):	%systemroot%\system32\lsasrv.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Schannel
Log type:	System
Identifier:	{1f678132-5938-4686-9fdc-c8ff68f15c85}
Event message file(s):	%systemroot%\system32\lsasrv.dll

Security

Seen on:

Windows 2000

Log source(s):	Security
Log type:	Security
Category message file(s):	%systemroot%\system32\msaudite.dll
Event message file(s):	%systemroot%\system32\msaudite.dll
	%systemroot%\system32\sp2res.dll
	%systemroot%\system32\sp3res.dll
Parameter message file(s):	%systemroot%\system32\msobjs.dll

Seen on:

Windows 2003
Windows XP 64-bit

Log source(s):	Security
Log type:	Security
Category message file(s):	%systemroot%\system32\msaudite.dll
Event message file(s):	%systemroot%\system32\msaudite.dll
	%systemroot%\system32\ws03res.dll
	%systemroot%\system32\xpsp2res.dll
Parameter message file(s):	%systemroot%\system32\msobjs.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Security
Log type:	Security
Category message file(s):	%systemroot%\system32\msaudite.dll
Event message file(s):	%systemroot%\system32\msaudite.dll
Parameter message file(s):	%systemroot%\system32\msobjs.dll

Seen on:

Windows XP 32-bit

Log source(s):	Security
Log type:	Security
Category message file(s):	%systemroot%\system32\msaudite.dll
Event message file(s):	%systemroot%\system32\msaudite.dll
	%systemroot%\system32\xpsp2res.dll
	%systemroot%\system32\xpsp3res.dll
Parameter message file(s):	%systemroot%\system32\msobjs.dll

Security Account Manager

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2000
Windows 2003
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista
Windows XP 32-bit
Windows XP 64-bit

Log source(s):	Security Account Manager
Log type:	Security
Parameter message file(s):	%systemroot%\system32\msobjs.dll

SecurityCenter

Seen on:

Windows XP 32-bit

Log source(s):	SecurityCenter
Log type:	Application
Event message file(s):	%systemroot%\system32\xpsp2res.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	SecurityCenter
Log type:	Application
Event message file(s):	%systemroot%\system32\wscsvc.dll

Serial

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Serial
Log type:	System
Event message file(s):	%systemroot%\system32\drivers\serial.sys
	%systemroot%\system32\iologmsg.dll

Server

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2000
Windows 2003
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista
Windows XP 32-bit
Windows XP 64-bit

Log source(s):	Server
Log type:	System
Event message file(s):	%systemroot%\system32\netevent.dll

Service Control Manager

Seen on:

Windows 2000
Windows XP 32-bit

Log source(s):	Service Control Manager
Log type:	System
Event message file(s):	%systemroot%\system32\netevent.dll
Parameter message file(s):	%systemroot%\system32\kernel32.dll

Seen on:

Windows 2003

Log source(s):	Service Control Manager
Log type:	System
Event message file(s):	%systemroot%\system32\netevent.dll
	%systemroot%\system32\w03a2409.dll
	%systemroot%\system32\ws03res.dll
Parameter message file(s):	%systemroot%\system32\kernel32.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Service Control Manager
Log type:	System
Identifier:	{555908d1-a6d7-4695-8e1e-26931d2012f4}
Event message file(s):	%systemroot%\system32\services.exe

Seen on:

Windows XP 64-bit

Log source(s):	Service Control Manager
Log type:	System
Event message file(s):	%systemroot%\system32\netevent.dll
	%systemroot%\system32\ws03res.dll
Parameter message file(s):	%systemroot%\system32\kernel32.dll

ServiceModel 4.0.0.0

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 8.1

Log source(s):	ServiceModel 4.0.0.0
Log type:	Security
Category message file(s):	%systemroot%\system32\msaudite.dll
Event message file(s):	%systemroot%\microsoft.net\framework64\v4.0.30319\servicemodelevents.dll
Parameter message file(s):	%systemroot%\microsoft.net\framework64\v4.0.30319\servicemodelevents.dll

Seen on:

Windows 8.0

Log source(s):	ServiceModel 4.0.0.0
Log type:	Security
Category message file(s):	%systemroot%\system32\msaudite.dll
Event message file(s):	%systemroot%\microsoft.net\framework\v4.0.30319\servicemodelevents.dll
Parameter message file(s):	%systemroot%\microsoft.net\framework\v4.0.30319\servicemodelevents.dll

ServiceModel Audit 4.0.0.0

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 8.1

Log source(s):	ServiceModel Audit 4.0.0.0
Log type:	Application
Category message file(s):	%systemroot%\microsoft.net\framework64\v4.0.30319\servicemodelevents.dll
Event message file(s):	%systemroot%\microsoft.net\framework64\v4.0.30319\servicemodelevents.dll

Seen on:

Windows 8.0

Log source(s):	ServiceModel Audit 4.0.0.0
Log type:	Application
Category message file(s):	%systemroot%\microsoft.net\framework\v4.0.30319\servicemodelevents.dll
Event message file(s):	%systemroot%\microsoft.net\framework\v4.0.30319\servicemodelevents.dll

SiSRaid2

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	SiSRaid2
Log type:	System
Event message file(s):	%systemroot%\system32\iologmsg.dll

Seen on:

Windows Vista

Log source(s):	SiSRaid2
Log type:	System

SiSRaid4

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	SiSRaid4
Log type:	System
Event message file(s):	%systemroot%\system32\iologmsg.dll

Seen on:

Windows Vista

Log source(s):	SiSRaid4
Log type:	System

SideBySide

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2003
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista
Windows XP 32-bit
Windows XP 64-bit

Log source(s):	SideBySide
Log type:	System
Event message file(s):	%systemroot%\system32\sxs.dll

SmartSAMD

Seen on:

Windows 10 (1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	SmartSAMD
Log type:	System
Event message file(s):	%systemroot%\system32\drivers\smartsamd.sys
	%systemroot%\system32\iologmsg.dll

Software Installation

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2000
Windows 2003
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista
Windows XP 32-bit
Windows XP 64-bit

Log source(s):	Software Installation
Log type:	Application
Event message file(s):	%systemroot%\system32\appmgr.dll

SpeechRuntime

Seen on:

Windows 10 (1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	SpeechRuntime
Log type:	Application
Event message file(s):	%systemroot%\system32\speech_onecore\common\sapi_onecore.dll

Spooler

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2000
Windows 2003
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista
Windows XP 32-bit
Windows XP 64-bit

Log source(s):	Spooler
Log type:	Security
Parameter message file(s):	%systemroot%\system32\msobjs.dll

SrmSvc

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.0
Windows 8.1

Log source(s):	SrmSvc
Log type:	Application
Event message file(s):	%systemroot%\system32\srm.dll

Srv

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2000
Windows 2003
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista
Windows XP 32-bit
Windows XP 64-bit

Log source(s):	Srv
Log type:	System
Event message file(s):	%systemroot%\system32\netevent.dll

Standard TCP/IP Port

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	Standard TCP/IP Port
Log type:	Application
Identifier:	{cad2d809-03d9-4f46-9cf4-72aa4f04b6b9}

StillImage

Seen on:

Windows 2000

Log source(s):	StillImage
Log type:	System
Event message file(s):	%systemroot%\system32\stisvc.exe

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2003
Windows 7
Windows 8.0
Windows 8.1
Windows Vista
Windows XP 32-bit
Windows XP 64-bit

Log source(s):	StillImage
Log type:	System
Event message file(s):	%systemroot%\system32\wiaservc.dll

System

Seen on:

Windows 2000
Windows 2003
Windows XP 32-bit
Windows XP 64-bit

Log source(s):	System
Log type:	System
Category message file(s):	%systemroot%\system32\eventlog.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	System
Log type:	System
Category message file(s):	%systemroot%\system32\wevtapi.dll

System Restore

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	System Restore
Log type:	Application
Event message file(s):	%systemroot%\system32\srcore.dll

System.IO.Log 4.0.0.0

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 8.1

Log source(s):	System.IO.Log 4.0.0.0
Log type:	Application
Category message file(s):	%systemroot%\microsoft.net\framework64\v4.0.30319\servicemodelevents.dll
Event message file(s):	%systemroot%\microsoft.net\framework64\v4.0.30319\servicemodelevents.dll

Seen on:

Windows 8.0

Log source(s):	System.IO.Log 4.0.0.0
Log type:	Application
Category message file(s):	%systemroot%\microsoft.net\framework\v4.0.30319\servicemodelevents.dll
Event message file(s):	%systemroot%\microsoft.net\framework\v4.0.30319\servicemodelevents.dll

System.IdentityModel 4.0.0.0

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 8.1

Log source(s):	System.IdentityModel 4.0.0.0
Log type:	Application
Category message file(s):	%systemroot%\microsoft.net\framework64\v4.0.30319\servicemodelevents.dll
Event message file(s):	%systemroot%\microsoft.net\framework64\v4.0.30319\servicemodelevents.dll

Seen on:

Windows 8.0

Log source(s):	System.IdentityModel 4.0.0.0
Log type:	Application
Category message file(s):	%systemroot%\microsoft.net\framework\v4.0.30319\servicemodelevents.dll
Event message file(s):	%systemroot%\microsoft.net\framework\v4.0.30319\servicemodelevents.dll

System.Runtime.Serialization 4.0.0.0

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 8.1

Log source(s):	System.Runtime.Serialization 4.0.0.0
Log type:	Application
Category message file(s):	%systemroot%\microsoft.net\framework64\v4.0.30319\servicemodelevents.dll
Event message file(s):	%systemroot%\microsoft.net\framework64\v4.0.30319\servicemodelevents.dll

Seen on:

Windows 8.0

Log source(s):	System.Runtime.Serialization 4.0.0.0
Log type:	Application
Category message file(s):	%systemroot%\microsoft.net\framework\v4.0.30319\servicemodelevents.dll
Event message file(s):	%systemroot%\microsoft.net\framework\v4.0.30319\servicemodelevents.dll

System.ServiceModel 4.0.0.0

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 8.1

Log source(s):	System.ServiceModel 4.0.0.0
Log type:	Application
Category message file(s):	%systemroot%\microsoft.net\framework64\v4.0.30319\servicemodelevents.dll
Event message file(s):	%systemroot%\microsoft.net\framework64\v4.0.30319\servicemodelevents.dll

Seen on:

Windows 8.0

Log source(s):	System.ServiceModel 4.0.0.0
Log type:	Application
Category message file(s):	%systemroot%\microsoft.net\framework\v4.0.30319\servicemodelevents.dll
Event message file(s):	%systemroot%\microsoft.net\framework\v4.0.30319\servicemodelevents.dll

TCP/IP

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	TCP/IP
Log type:	Security
Parameter message file(s):	%systemroot%\system32\msobjs.dll

TCPMon

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2000
Windows 2003
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista
Windows XP 32-bit
Windows XP 64-bit

Log source(s):	TCPMon
Log type:	System
Event message file(s):	%systemroot%\system32\tcpmon.dll

TPM

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	TPM
Log type:	System
Identifier:	{1b6b0772-251b-4d42-917d-faca166bc059}
Event message file(s):	%systemroot%\system32\drivers\tpm.sys

Seen on:

Windows 8.0

Log source(s):	TPM
Log type:	System
Event message file(s):	%systemroot%\system32\drivers\tpm.sys
	%systemroot%\system32\iologmsg.dll

Tcpip

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2000
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Tcpip
Log type:	System
Event message file(s):	%systemroot%\system32\netevent.dll

Seen on:

Windows 2003
Windows XP 64-bit

Log source(s):	Tcpip
Log type:	System
Event message file(s):	%systemroot%\system32\netevent.dll
	%systemroot%\system32\ws03res.dll

Seen on:

Windows XP 32-bit

Log source(s):	Tcpip
Log type:	System
Event message file(s):	%systemroot%\system32\netevent.dll
	%systemroot%\system32\xpsp2res.dll

Tcpip6

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Tcpip6
Log type:	System
Event message file(s):	%systemroot%\system32\netevent.dll

UASPStor

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	UASPStor
Log type:	System
Event message file(s):	%systemroot%\system32\iologmsg.dll

Universal Print

Seen on:

Windows 11 (21H2)

Log source(s):	Universal Print
Log type:	Application
Event message file(s):	%systemroot%\system32\mcpmanagementservice.dll

User32

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	User32
Log type:	System
Identifier:	{b0aa8734-56f7-41cc-b2f4-de228e98b946}
Event message file(s):	%systemroot%\system32\user32.dll

VBRuntime

Seen on:

Windows 2000

Log source(s):	VBRuntime
Log type:	Application
Event message file(s):	%systemroot%\system32\msvbvm50.dll

Seen on:

Windows 2003
Windows 8.0
Windows XP 32-bit

Log source(s):	VBRuntime
Log type:	Application
Event message file(s):	%systemroot%\system32\msvbvm60.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.1
Windows Vista
Windows XP 64-bit

Log source(s):	VBRuntime
Log type:	Application
Event message file(s):	%systemroot%\syswow64\msvbvm60.dll

VDS Basic Provider

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	VDS Basic Provider
Log type:	System
Event message file(s):	%systemroot%\system32\vdsbas.dll

VDS Dynamic Provider

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	VDS Dynamic Provider
Log type:	System
Event message file(s):	%systemroot%\system32\vdsdyn.dll

VDS Virtual Disk Provider

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	VDS Virtual Disk Provider
Log type:	System
Event message file(s):	%systemroot%\system32\vdsvd.dll

VSS

Seen on:

Windows 2003
Windows XP 64-bit

Log source(s):	VSS
Log type:	Application
Event message file(s):	%systemroot%\system32\vssvc.exe
	%systemroot%\system32\ws03res.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista
Windows XP 32-bit

Log source(s):	VSS
Log type:	Application
Event message file(s):	%systemroot%\system32\vssvc.exe

VSSAudit

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	VSSAudit
Log type:	Security
Event message file(s):	%systemroot%\system32\vssvc.exe

VSTXRAID

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	VSTXRAID
Log type:	System
Event message file(s):	%systemroot%\system32\iologmsg.dll

Virtual Disk Service

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2003
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista
Windows XP 64-bit

Log source(s):	Virtual Disk Service
Log type:	System
Event message file(s):	%systemroot%\system32\vds.exe

Volsnap

Seen on:

Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Volsnap
Log type:	System
Event message file(s):	%systemroot%\system32\drivers\volsnap.sys
	%systemroot%\system32\iologmsg.dll

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Volsnap
Log type:	System
Identifier:	{cb017cd2-1f37-4e65-82bc-3e91f6a37559}
Event message file(s):	%systemroot%\system32\drivers\volsnap.sys

WINSATAPI_ETW_PROVIDER

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	WINSATAPI_ETW_PROVIDER
Identifier:	{617853d6-728b-4b59-8a78-c3a9a5eade92}
Event message file(s):	%systemroot%\system32\winsatapi.dll

WMI.NET Provider Extension

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 8.1

Log source(s):	WMI.NET Provider Extension
Log type:	Application
Event message file(s):	%systemroot%\microsoft.net\framework64\v4.0.30319\eventlogmessages.dll

Seen on:

Windows 7

Log source(s):	WMI.NET Provider Extension
Log type:	Application
Event message file(s):	%systemroot%\microsoft.net\framework64\v2.0.50727\eventlogmessages.dll

Seen on:

Windows 8.0

Log source(s):	WMI.NET Provider Extension
Log type:	Application
Event message file(s):	%systemroot%\microsoft.net\framework\v4.0.30319\eventlogmessages.dll

WMIxWDM

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2003
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista
Windows XP 64-bit

Log source(s):	WMIxWDM
Log type:	System
Event message file(s):	%systemroot%\system32\iologmsg.dll

WSH

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2000
Windows 2003
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista
Windows XP 32-bit
Windows XP 64-bit

Log source(s):	WSH
Log type:	Application
Event message file(s):	%systemroot%\system32\wshext.dll

WacomPen

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	WacomPen
Log type:	System
Event message file(s):	%systemroot%\system32\drivers\wacompen.sys
	%systemroot%\system32\iologmsg.dll

WerSvc

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	WerSvc
Log type:	Application
Event message file(s):	%systemroot%\system32\wersvc.dll

Win32k

Seen on:

Windows 10 (1511, 1607, 1703)
Windows 2000
Windows 2003
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista
Windows XP 32-bit

Log source(s):	Win32k
Log type:	System
Event message file(s):	%systemroot%\system32\win32k.sys

Seen on:

Windows XP 64-bit

Log source(s):	Win32k
Log type:	System
Event message file(s):	%systemroot%\system32\win32k.sys
	%systemroot%\system32\ws03res.dll

Seen on:

Windows 10 (1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Win32k
Log type:	System
Event message file(s):	%systemroot%\system32\win32kbase.sys

WinNat

Seen on:

Windows 10 (1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012

Log source(s):	WinNat
Log type:	System
Event message file(s):	%systemroot%\system32\netevent.dll

Windows Backup

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows Vista

Log source(s):	Windows Backup
Log type:	Application
Event message file(s):	%systemroot%\system32\sdengin2.dll

Windows Disk Diagnostic

Seen on:

Windows Vista

Log source(s):	Windows Disk Diagnostic
Log type:	System
Event message file(s):	%systemroot%\system32\dfdts.dll
	%systemroot%\system32\dfdwiz.exe

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	Windows Disk Diagnostic
Log type:	System
Event message file(s):	%systemroot%\system32\dfdts.dll

Windows Error Reporting

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	Windows Error Reporting
Log type:	Application
Event message file(s):	%systemroot%\system32\wer.dll

Windows Script Host

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2003
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista
Windows XP 32-bit
Windows XP 64-bit

Log source(s):	Windows Script Host
Log type:	System
Event message file(s):	%systemroot%\system32\wshext.dll

Windows-ApplicationModel-Store-SDK

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	Windows-ApplicationModel-Store-SDK
Identifier:	{ff79a477-c45f-4a52-8ae0-2b324346d4e4}
Event message file(s):	%systemroot%\system32\windows.applicationmodel.store.dll

Workstation

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2000
Windows 2003
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista
Windows XP 32-bit
Windows XP 64-bit

Log source(s):	Workstation
Log type:	System
Event message file(s):	%systemroot%\system32\netmsg.dll

Wow64 Emulation Layer

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.1
Windows Vista

Log source(s):	Wow64 Emulation Layer
Log type:	Application
Event message file(s):	%systemroot%\system32\ntvdm64.dll

Seen on:

Windows XP 64-bit

Log source(s):	Wow64 Emulation Layer
Log type:	Application
Event message file(s):	%systemroot%\system32\wow64.dll
	%systemroot%\system32\ws03res.dll

amdsata

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	amdsata
Log type:	System
Event message file(s):	%systemroot%\system32\iologmsg.dll

amdsbs

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	amdsbs
Log type:	System
Event message file(s):	%systemroot%\system32\iologmsg.dll

amdxata

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	amdxata
Log type:	System
Event message file(s):	%systemroot%\system32\iologmsg.dll

arcsas

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	arcsas
Log type:	System
Event message file(s):	%systemroot%\system32\iologmsg.dll

atapi

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2000
Windows 2003
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista
Windows XP 32-bit
Windows XP 64-bit

Log source(s):	atapi
Log type:	System
Event message file(s):	%systemroot%\system32\iologmsg.dll

b06bdrv

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.1

Log source(s):	b06bdrv
Log type:	System
Event message file(s):	%systemroot%\system32\drivers\bxvbda.sys
	%systemroot%\system32\iologmsg.dll

beep

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2000
Windows 2003
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows XP 32-bit
Windows XP 64-bit

Log source(s):	beep
Log type:	System
Event message file(s):	%systemroot%\system32\iologmsg.dll

cdrom

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2000
Windows 2003
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista
Windows XP 32-bit
Windows XP 64-bit

Log source(s):	cdrom
Log type:	System
Event message file(s):	%systemroot%\system32\iologmsg.dll

cht4iscsi

Seen on:

Windows 10 (1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	cht4iscsi
Log type:	System
Event message file(s):	%systemroot%\system32\drivers\cht4sx64.sys
	%systemroot%\system32\iologmsg.dll

cht4vbd

Seen on:

Windows 10 (1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012

Log source(s):	cht4vbd
Log type:	System
Event message file(s):	%systemroot%\system32\drivers\cht4vx64.sys
	%systemroot%\system32\netevent.dll

disk

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2000
Windows 2003
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista
Windows XP 32-bit
Windows XP 64-bit

Log source(s):	disk
Log type:	System
Event message file(s):	%systemroot%\system32\iologmsg.dll

e1i68x64

Seen on:

Windows 11 (21H2)

Log source(s):	e1i68x64
Log type:	System
Event message file(s):	%systemroot%\system32\drivers\e1i68x64.sys
	%systemroot%\system32\netevent.dll

ebdrv

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.1

Log source(s):	ebdrv
Log type:	System
Event message file(s):	%systemroot%\system32\drivers\evbda.sys
	%systemroot%\system32\iologmsg.dll

ebdrv0

Seen on:

Windows 11 (21H2)

Log source(s):	ebdrv0
Log type:	System
Event message file(s):	%systemroot%\system32\drivers\evbd0a.sys
	%systemroot%\system32\iologmsg.dll

edgeupdate

Seen on:

Windows 10 (1909)

Log source(s):	edgeupdate
Log type:	Application
Event message file(s):	\program files (x86)\microsoft\edgeupdate\1.3.137.103\msedgeupdate.dll

Seen on:

Windows 10 (20H2)

Log source(s):	edgeupdate
Log type:	Application
Event message file(s):	\program files (x86)\microsoft\edgeupdate\1.3.139.59\msedgeupdate.dll

Seen on:

Windows 11 (21H2)

Log source(s):	edgeupdate
Log type:	Application
Event message file(s):	\program files (x86)\microsoft\edgeupdate\1.3.153.47\msedgeupdate.dll

edgeupdatem

Seen on:

Windows 10 (1909)

Log source(s):	edgeupdatem
Log type:	Application
Event message file(s):	\program files (x86)\microsoft\edgeupdate\1.3.137.103\msedgeupdate.dll

Seen on:

Windows 10 (20H2)

Log source(s):	edgeupdatem
Log type:	Application
Event message file(s):	\program files (x86)\microsoft\edgeupdate\1.3.139.59\msedgeupdate.dll

Seen on:

Windows 11 (21H2)

Log source(s):	edgeupdatem
Log type:	Application
Event message file(s):	\program files (x86)\microsoft\edgeupdate\1.3.153.47\msedgeupdate.dll

exFAT

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	exFAT
Log type:	System
Event message file(s):	%systemroot%\system32\iologmsg.dll

hidi2c

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 8.0
Windows 8.1

Log source(s):	hidi2c
Log type:	System
Event message file(s):	%systemroot%\system32\drivers\hidi2c.sys
	%systemroot%\system32\iologmsg.dll

hidspi

Seen on:

Windows 10 (1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	hidspi
Log type:	System
Event message file(s):	%systemroot%\system32\drivers\hidspi.sys
	%systemroot%\system32\iologmsg.dll

hvservice

Seen on:

Windows 11 (21H2)

Log source(s):	hvservice
Log type:	System
Event message file(s):	%systemroot%\system32\iologmsg.dll

i8042prt

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2000
Windows 2003
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista
Windows XP 32-bit
Windows XP 64-bit

Log source(s):	i8042prt
Log type:	System
Event message file(s):	%systemroot%\system32\drivers\i8042prt.sys
	%systemroot%\system32\iologmsg.dll

iScsiPrt

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	iScsiPrt
Log type:	System
Event message file(s):	%systemroot%\system32\iscsilog.dll

iaStorAVC

Seen on:

Windows 10 (1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	iaStorAVC
Log type:	System
Event message file(s):	%systemroot%\system32\drivers\iastoravc.sys
	%systemroot%\system32\iologmsg.dll

iaStorV

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	iaStorV
Log type:	System
Event message file(s):	%systemroot%\system32\drivers\iastorv.sys
	%systemroot%\system32\iologmsg.dll

ibbus

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012

Log source(s):	ibbus
Log type:	System
Event message file(s):	%systemroot%\system32\drivers\ibbus.sys
	%systemroot%\system32\iologmsg.dll

intelppm

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista
Windows XP 32-bit
Windows XP 64-bit

Log source(s):	intelppm
Log type:	System
Event message file(s):	%systemroot%\system32\drivers\intelppm.sys
	%systemroot%\system32\iologmsg.dll

isapnp

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2000
Windows 2003
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista
Windows XP 32-bit
Windows XP 64-bit

Log source(s):	isapnp
Log type:	System
Event message file(s):	%systemroot%\system32\drivers\isapnp.sys
	%systemroot%\system32\iologmsg.dll

kbdclass

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2000
Windows 2003
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista
Windows XP 32-bit
Windows XP 64-bit

Log source(s):	kbdclass
Log type:	System
Event message file(s):	%systemroot%\system32\drivers\kbdclass.sys
	%systemroot%\system32\iologmsg.dll

kbdhid

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	kbdhid
Log type:	System
Event message file(s):	%systemroot%\system32\drivers\kbdhid.sys
	%systemroot%\system32\iologmsg.dll

kdnic

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	kdnic
Log type:	System
Event message file(s):	%systemroot%\system32\netevent.dll

lltdio

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	lltdio
Log type:	System
Event message file(s):	%systemroot%\system32\netevent.dll

megasas2i

Seen on:

Windows 10 (1607, 1703, 1709)

Log source(s):	megasas2i
Log type:	System
Event message file(s):	%systemroot%\system32\iologmsg.dll

Seen on:

Windows 10 (1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	megasas2i
Log type:	System
Event message file(s):	%systemroot%\system32\drivers\megasas2i.sys
	%systemroot%\system32\iologmsg.dll

megasas35i

Seen on:

Windows 10 (1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	megasas35i
Log type:	System
Event message file(s):	%systemroot%\system32\drivers\megasas35i.sys
	%systemroot%\system32\iologmsg.dll

megasr

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	megasr
Log type:	System
Event message file(s):	%systemroot%\system32\iologmsg.dll

mlx4_bus

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012

Log source(s):	mlx4_bus
Log type:	System
Event message file(s):	%systemroot%\system32\drivers\mlx4_bus.sys
	%systemroot%\system32\iologmsg.dll

mouclass

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2000
Windows 2003
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista
Windows XP 32-bit
Windows XP 64-bit

Log source(s):	mouclass
Log type:	System
Event message file(s):	%systemroot%\system32\drivers\mouclass.sys
	%systemroot%\system32\iologmsg.dll

mouhid

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2000
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista
Windows XP 32-bit
Windows XP 64-bit

Log source(s):	mouhid
Log type:	System
Event message file(s):	%systemroot%\system32\drivers\mouhid.sys
	%systemroot%\system32\iologmsg.dll

mpi3drvi

Seen on:

Windows 11 (21H2)

Log source(s):	mpi3drvi
Log type:	System
Event message file(s):	%systemroot%\system32\iologmsg.dll

mrxsmb

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	mrxsmb
Log type:	System
Event message file(s):	%systemroot%\system32\iologmsg.dll
	%systemroot%\system32\netevent.dll
Parameter message file(s):	%systemroot%\system32\kernel32.dll

mshidumdf

Seen on:

Windows 10 (1511, 1607)
Windows 8.0
Windows 8.1

Log source(s):	mshidumdf
Log type:	System
Event message file(s):	%systemroot%\system32\drivers\umdf\hidbthle.dll
	%systemroot%\system32\iologmsg.dll

Seen on:

Windows 10 (1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	mshidumdf
Log type:	System
Event message file(s):	%systemroot%\system32\drivers\umdf\microsoft.bluetooth.profiles.hidovergatt.dll
	%systemroot%\system32\iologmsg.dll

mvumis

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	mvumis
Log type:	System
Event message file(s):	%systemroot%\system32\iologmsg.dll

ndiswanlegacy

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	ndiswanlegacy
Log type:	System
Event message file(s):	%systemroot%\system32\mprmsg.dll

nvdimm

Seen on:

Windows 10 (1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	nvdimm
Log type:	System
Event message file(s):	%systemroot%\system32\drivers\nvdimm.sys
	%systemroot%\system32\iologmsg.dll

nvmedisk

Seen on:

Windows 11 (21H2)

Log source(s):	nvmedisk
Log type:	System
Event message file(s):	%systemroot%\system32\drivers\nvmedisk.sys
	%systemroot%\system32\iologmsg.dll

nvstor

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	nvstor
Log type:	System
Event message file(s):	%systemroot%\system32\drivers\nvstor.sys
	%systemroot%\system32\iologmsg.dll

partmgr

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2003
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista
Windows XP 32-bit
Windows XP 64-bit

Log source(s):	partmgr
Log type:	System
Event message file(s):	%systemroot%\system32\iologmsg.dll

pcmcia

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2000
Windows 2003
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista
Windows XP 32-bit
Windows XP 64-bit

Log source(s):	pcmcia
Log type:	System
Event message file(s):	%systemroot%\system32\drivers\pcmcia.sys
	%systemroot%\system32\iologmsg.dll

percsas2i

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	percsas2i
Log type:	System
Event message file(s):	%systemroot%\system32\iologmsg.dll

percsas3i

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	percsas3i
Log type:	System
Event message file(s):	%systemroot%\system32\iologmsg.dll

pmem

Seen on:

Windows 10 (1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	pmem
Log type:	System
Event message file(s):	%systemroot%\system32\drivers\pmem.sys
	%systemroot%\system32\iologmsg.dll

rdbss

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	rdbss
Log type:	System
Event message file(s):	%systemroot%\system32\netevent.dll

rhproxy

Seen on:

Windows 10 (1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	rhproxy
Log type:	System
Event message file(s):	%systemroot%\system32\drivers\rhproxy.sys
	%systemroot%\system32\iologmsg.dll

rspndr

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	rspndr
Log type:	System
Event message file(s):	%systemroot%\system32\netevent.dll

sbp2port

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	sbp2port
Log type:	System
Event message file(s):	%systemroot%\system32\drivers\sbp2port.sys
	%systemroot%\system32\iologmsg.dll

scmbus

Seen on:

Windows 10 (1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	scmbus
Log type:	System
Event message file(s):	%systemroot%\system32\iologmsg.dll

sercx

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	sercx
Log type:	System
Event message file(s):	%systemroot%\system32\drivers\sercx.sys

sercx2

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	sercx2
Log type:	System
Event message file(s):	%systemroot%\system32\drivers\sercx2.sys

sermouse

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	sermouse
Log type:	System
Event message file(s):	%systemroot%\system32\drivers\sermouse.sys
	%systemroot%\system32\iologmsg.dll

spaceport

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	spaceport
Log type:	System
Event message file(s):	%systemroot%\system32\iologmsg.dll

spbcx

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	spbcx
Log type:	System
Event message file(s):	%systemroot%\system32\drivers\spbcx.sys

stexstor

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	stexstor
Log type:	System
Event message file(s):	%systemroot%\system32\iologmsg.dll

storahci

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	storahci
Log type:	System
Event message file(s):	%systemroot%\system32\iologmsg.dll

stornvme

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	stornvme
Log type:	System
Event message file(s):	%systemroot%\system32\iologmsg.dll

tunnel

Seen on:

Windows 10 (1511, 1607, 1703, 1709)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	tunnel
Log type:	System
Event message file(s):	%systemroot%\system32\netevent.dll

Seen on:

Windows 10 (1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	tunnel
Log type:	System

usbaudio2

Seen on:

Windows 10 (1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	usbaudio2
Log type:	System
Event message file(s):	%systemroot%\system32\drivers\usbaudio2.sys
	%systemroot%\system32\iologmsg.dll

usbehci

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.0
Windows 8.1

Log source(s):	usbehci
Log type:	System
Event message file(s):	%systemroot%\system32\drivers\usbehci.sys
	%systemroot%\system32\iologmsg.dll

usbperf

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	usbperf
Log type:	Application
Event message file(s):	%systemroot%\system32\usbperf.dll

usbser

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)

Log source(s):	usbser
Log type:	System
Event message file(s):	%systemroot%\system32\drivers\usbser.sys
	%systemroot%\system32\iologmsg.dll

volmgr

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	volmgr
Log type:	System
Event message file(s):	%systemroot%\system32\iologmsg.dll

vpci

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2012
Windows 8.1

Log source(s):	vpci
Log type:	System
Event message file(s):	%systemroot%\system32\drivers\vpci.sys
	%systemroot%\system32\iologmsg.dll

vsmraid

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1

Log source(s):	vsmraid
Log type:	System
Event message file(s):	%systemroot%\system32\iologmsg.dll

Seen on:

Windows Vista

Log source(s):	vsmraid
Log type:	System
Event message file(s):	%systemroot%system32\iologmsg.dll

wdf01000

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	wdf01000
Log type:	System
Event message file(s):	%systemroot%\system32\drivers\wdf01000.sys

wecsvc

Seen on:

Windows 10 (1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004, 20H2)
Windows 11 (21H2)
Windows 2008
Windows 2012
Windows 7
Windows 8.0
Windows 8.1
Windows Vista

Log source(s):	wecsvc
Log type:	System
Event message file(s):	%systemroot%\system32\wecsvc.dll

winevtrc package

Submodules

winevtrc.database module

Read from and write to SQLite databases.

class winevtrc.database.EventProvidersSQLite3DatabaseReader[source]

Bases: winevtrc.database.SQLite3DatabaseReader

Event Log providers SQLite database reader.

GetEventLogProviders()[source]

Retrieves the Event Log providers.

Yields: EventLogProvider – event log provider.

GetMessageFiles()[source]

Retrieves the message filenames.

Yields: tuple[str, str] – message filename and corresponding database filename.

class winevtrc.database.EventProvidersSQLite3DatabaseWriter[source]

Bases: winevtrc.database.SQLite3DatabaseWriter

Event Log providers SQLite database writer.

WriteEventLogProvider(event_log_provider)[source]

Writes the Event Log provider.

Parameters: event_log_provider (EventLogProvider) – event log provider.

WriteMessageFile(message_filename, database_filename)[source]

Writes a Windows message file to the database.

Parameters

message_filename (str) – message filename.
database_filename (str) – database filename.

WriteMessageFilesPerEventLogProvider(event_log_provider, message_filename, message_file_type)[source]

Writes the message files used by an Event Log provider.

Parameters

event_log_provider (EventLogProvider) – event log provider.
message_filename (str) – message filename.
message_file_type (str) – message file type.

class winevtrc.database.MessageFileSQLite3DatabaseReader[source]

Bases: winevtrc.database.SQLite3DatabaseReader

Event Log message file SQLite database reader.

GetMessageTables()[source]

Retrieves the message tables.

Yields

tuple[int, str] –

language code identifier (LCID) and the message file: version.

GetMessages(lcid, file_version)[source]

Retrieves the messages of a specific message table.

Parameters

lcid (str) – language code identifier (LCID).
file_version (str) – message file file version.

Yields

tuple[int, str] – message identifier and message string.

GetStringTables()[source]

Retrieves the string tables.

Yields

tuple[int, str] –

language code identifier (LCID) and the message file: version.

GetStrings(lcid, file_version)[source]

Retrieves the strings of a specific string table.

Parameters

lcid (str) – language code identifier (LCID).
file_version (str) – message file file version.

Yields

tuple[int, str] – string identifier and string.

class winevtrc.database.MessageResourceFileSQLite3DatabaseWriter(message_resource_file)[source]

Bases: winevtrc.database.SQLite3DatabaseWriter

Event Log message resource file SQLite database writer.

WriteResources()[source]: Writes the resources.

class winevtrc.database.ResourcesSQLite3DatabaseReader[source]

Bases: winevtrc.database.SQLite3DatabaseReader

Event Log resources SQLite database reader.

GetEventLogProviders()[source]

Retrieves the Event Log providers.

Yields: EventLogProvider – an Event Log provider.

GetMessage(log_source, lcid, message_identifier)[source]

Retrieves a specific message for a specific Event Log source.

Parameters

log_source (str) – Event Log source.
lcid (int) – language code identifier (LCID).
message_identifier (int) – message identifier.

Returns

the message string or None if not available.

Return type

str

GetMessages(log_source, lcid)[source]

Retrieves the messages of a specific Event Log source.

Parameters

log_source (str) – Event Log source.
lcid (int) – language code identifier (LCID).

Yields

tuple[int, str] – message identifier and message string.

GetMetadataAttribute(attribute_name)[source]

Retrieves the metadata attribute.

Parameters

attribute_name (str) – name of the metadata attribute.

Returns

value of the metadata attribute or None.

Return type

str

Raises

IOError – if more than one value is found in the database.
OSError – if more than one value is found in the database.

class winevtrc.database.ResourcesSQLite3DatabaseWriter(string_format='wrc')[source]

Bases: winevtrc.database.SQLite3DatabaseWriter

Event Log resources SQLite database writer.

WriteEventLogProvider(event_log_provider)[source]

Writes the Event Log provider.

Parameters: event_log_provider (EventLogProvider) – event log provider.

WriteMessageFile(message_file)[source]

Writes the Windows Message Resource file.

Parameters: message_file (MessageFile) – message file.

WriteMessageFilesPerEventLogProvider(event_log_provider, message_filename, message_file_type)[source]

Writes the message files used by an Event Log provider.

Parameters

event_log_provider (EventLogProvider) – event log provider.
message_filename (str) – message filename.
message_file_type (str) – message file type.

WriteMetadataAttribute(attribute_name, attribute_value)[source]

Writes a metadata attribute.

Parameters

attribute_name (str) – name of the metadata attribute.
attribute_value (str) – value of the metadata attribute.

class winevtrc.database.SQLite3DatabaseFile[source]

Bases: object

A SQLite database file.

Close()[source]

Closes the database file.

Raises

IOError – if the database is not opened.
OSError – if the database is not opened.

CreateTable(table_name, column_definitions)[source]

Creates a table.

Parameters

table_name (str) – table name.
column_definitions (list[str]) – column definitions.

Raises

BackendError – if the database back-end raises an exception.
IOError – if the database is not opened or if the database is in read-only mode.
OSError – if the database is not opened or if the database is in read-only mode.

GetValues(table_names, column_names, condition)[source]

Retrieves values from a table.

Parameters

table_names (list[str]) – table names.
column_names (list[str]) – column names.
condition (str) – condition.

Returns

values generator.

Return type

generator

Raises

IOError – if the database is not opened.
OSError – if the database is not opened.

HasTable(table_name)[source]

Determines if a specific table exists.

Parameters

table_name (str) – table name.

Returns

True if the table exists, false otherwise.

Return type

bool

Raises

BackendError – if the database back-end raises an exception.
IOError – if the database is not opened.
OSError – if the database is not opened.

InsertValues(table_name, column_names, values)[source]

Inserts values into a table.

Parameters

table_name (str) – table name.
column_names (list[str]) – column names.
values (list[str]) – values formatted as a string.

Raises

BackendError – if the database back-end raises an exception.
IOError – if the database is not opened or if the database is in read-only mode or if an unsupported value type is encountered.
OSError – if the database is not opened or if the database is in read-only mode or if an unsupported value type is encountered.

Open(filename, read_only=False)[source]

Opens the database file.

Parameters

filename (str) – filename of the database.
read_only (Optional[bool]) – True if the database should be opened in read-only mode. Since sqlite3 does not support a real read-only mode we fake it by only permitting SELECT queries.

Returns

True if successful or False if not.

Return type

bool

Raises

BackendError – if the database back-end raises an exception.
IOError – if the database is already opened.
OSError – if the database is already opened.

class winevtrc.database.SQLite3DatabaseReader[source]

Bases: object

SQLite database reader.

Close()[source]: Closes the database reader.

Open(filename)[source]

Opens the database reader.

Parameters: filename (str) – filename of the database.
Returns: True if successful or False if not.
Return type: bool

class winevtrc.database.SQLite3DatabaseWriter[source]

Bases: object

SQLite database writer.

Close()[source]: Closes the database writer.

Open(filename)[source]

Opens the database writer.

Parameters: filename (str) – filename of the database.
Returns: True if successful or False if not.
Return type: bool

winevtrc.definitions module

The Windows Event Log resource definitions.

winevtrc.environment_variables module

Environment variables collector.

class winevtrc.environment_variables.EnvironmentVariablesCollector[source]

Bases: object

Environment variables collector.

Collect(registry)[source]

Collects environment variables.

Parameters: registry (dfwinreg.WinRegistry) – Windows Registry.
Yields: EnvironmentVariable – an environment variable.

winevtrc.errors module

The error objects.

exception winevtrc.errors.BackendError[source]

Bases: winevtrc.errors.Error

Error that is raised for database back-end exceptions.

exception winevtrc.errors.Error[source]

Bases: Exception

The error interface.

winevtrc.eventlog_providers module

Windows Event Log providers collector.

class winevtrc.eventlog_providers.EventLogProvidersCollector[source]

Bases: object

Windows Event Log providers collector.

Collect(registry)[source]

Collects Windows Event Log providers from a Windows Registry.

Parameters: registry (dfwinreg.WinRegistry) – Windows Registry.
Returns: Event Log provider generator.
Return type: generator[EventLogProvider]

winevtrc.extractor module

Windows Event Log message resource extractor.

class winevtrc.extractor.EventMessageStringExtractor(*args: Any, **kwargs: Any)[source]

Bases: dfvfs.helpers.volume_scanner.WindowsVolumeScanner

Windows Event Log message string extractor.

ascii_codepage

ASCII string codepage.

Type: str

missing_message_filenames

names of message files that were not found or without a resource section.

Type: list[str]

missing_resources_message_filenames

names of message files, where both a string and a message table resource is missing.

Type: list[str]

preferred_language_identifier

preferred language identifier (LCID).

Type: int

CollectEventLogProviders()[source]

Retrieves the Event Log providers.

Returns: Event Log providers generator.
Return type: generator[EventLogProvider]

CollectSystemEnvironmentVariables()[source]: Collects the system environment variables.

GetMessageResourceFile(event_log_provider, message_filename)[source]

Retrieves an Event Log message resource file.

Parameters

event_log_provider (EventLogProvider) – Event Log provider.
message_filename (str) – message filename.

Returns

message resource file or None if not available or: already processed.

Return type

MessageResourceFile

GetNormalizedMessageFilePath(path)[source]

Retrieves a normalized variant of a message file path.

Parameters: path (str) – path of a message file.
Returns: normalized path of a message file.
Return type: str

property windows_version: The Windows version (getter).

class winevtrc.extractor.EventMessageStringRegistryFileReader(*args: Any, **kwargs: Any)[source]

Bases: dfwinreg.interface.WinRegistryFileReader

Class that defines a Windows Registry file reader.

Open(path, ascii_codepage='cp1252')[source]

Opens the Windows Registry file specified by the path.

Parameters

path (str) – path of the Windows Registry file. The path is a Windows path relative to the root of the file system that contains the specific Windows Registry file. E.g. C:WindowsSystem32configSYSTEM
ascii_codepage (Optional[str]) – ASCII string codepage.

Returns

Windows Registry file or None if the file cannot: be opened.

Return type

WinRegistryFile

winevtrc.resource_file module

Windows Message Resource file.

class winevtrc.resource_file.MessageResourceFile(windows_path, ascii_codepage='cp1252', preferred_language_identifier=1033)[source]

Bases: object

Windows Message Resource file.

windows_path

Windows path of the message resource file.

Type: str

Close()[source]

Closes the Windows Message Resource file.

Raises

IOError – if not open.
OSError – if not open.

GetMUILanguage()[source]

Retrieves the MUI language.

Returns: MUI language or None if not available.
Return type: str

GetMUIResource()[source]

Retrieves the MUI resource.

Returns: MUI resource or None if not available.
Return type: pywrc.mui_resource

GetMessageTableResource()[source]

Retrieves the message table resource.

Returns

resource containing the message table resource or None: if not available.

Return type

pywrc.resource

GetStringTableResource()[source]

Retrieves the string table resource.

Returns

resource containing the string table resource or None: if not available.

Return type

pywrc.resource

HasMessageTableResource()[source]

Determines if the resource file as a message table resource.

Returns: True if the resource file as a message table resource.
Return type: bool

HasStringTableResource()[source]

Determines if the resource file as a string table resource.

Returns: True if the resource file as a string table resource.
Return type: bool

OpenFileObject(file_object)[source]

Opens the Windows Message Resource file using a file-like object.

Parameters

file_object (file) – file-like object.

Raises

IOError – if already open.
OSError – if already open.

property file_version

the file version.

Type: str

property product_version

the product version.

Type: str

winevtrc.resources module

Windows Event Log resources.

class winevtrc.resources.EnvironmentVariable(name, value)[source]

Bases: object

Environment variable.

name

name.

Type: str

value

value.

Type: str

class winevtrc.resources.EventLogProvider(identifier, log_source, log_type)[source]

Bases: object

Windows Event Log provider.

additional_identifier

additional identifier of the provider, contains a GUID.

Type: str

category_message_files

filenames of the category message files.

Type: set[str]

event_message_files

filenames of the event message files.

Type: set[str]

identifier

identifier of the provider, contains a GUID.

Type: str

log_sources

names of the Windows Event Log source.

Type: list[str]

log_type

Windows Event Log type.

Type: str

parameter_message_files

filenames of the parameter message files.

Type: set[str]

SetCategoryMessageFilenames(category_message_filenames)[source]

Sets the category message filenames.

Parameters: category_message_filenames (str|list[str]) – category message filenames, where multiple filenames in the same string are separated by ‘;’.

SetEventMessageFilenames(event_message_filenames)[source]

Sets the event message filenames.

Parameters: event_message_filenames (str|list[str]) – event message filenames, where multiple filenames in the same string are separated by ‘;’.

SetParameterMessageFilenames(parameter_message_filenames)[source]

Sets the parameter message filenames.

Parameters: parameter_message_filenames (str|list[str]) – parameter message filenames, where multiple filenames in the same string are separated by ‘;’.

property log_source

name of the Windows Event Log source.

Type: str

class winevtrc.resources.MessageFile(name)[source]

Bases: object

Class that defines a Windows Event Log message file.

name

name.

Type: str

windows_path

Windows path.

Type: str

AppendMessageTable(lcid, file_version)[source]

Appends a message table.

Parameters

lcid (int) – language identifier (LCID).
file_version (str) – Windows Event Log resource file version of the file that contains the message table.

AppendStringTable(lcid, file_version)[source]

Appends a string table.

Parameters

lcid (int) – language identifier (LCID).
file_version (str) – Windows Event Log resource file version of the file that contains the string table.

GetMessageTable(lcid)[source]

Retrieves the message table for a specific language.

Parameters: lcid (int) – language identifier (LCID).
Returns: message table or None.
Return type: MessageTable

GetMessageTables()[source]

Retrieves the message tables.

Yields: MessageTable – message table.

GetStringTable(lcid)[source]

Retrieves the string table for a specific language.

Parameters: lcid (int) – language identifier (LCID).
Returns: string table or None.
Return type: StringTable

GetStringTables()[source]

Retrieves the string tables.

Yields: StringTable – string table.

class winevtrc.resources.MessageTable(lcid)[source]

Bases: object

Class that contains the messages per language.

file_versions

Windows Event Log resource file versions.

Type: list[str]

lcid

language identifier (LCID).

Type: int

message_strings

Windows Event Log resource message strings.

Type: list[str]

class winevtrc.resources.StringTable(lcid)[source]

Bases: object

Class that contains the strings per language.

file_versions

Windows Event Log resource file versions.

Type: list[str]

lcid

language identifier (LCID).

Type: int

strings

Windows Event Log resource strings.

Type: list[str]

Module contents

Windows Event Log resources (winevtrc).

Welcome to the winevt-kb documentation

Event Log providers

.NET Runtime

.NET Runtime Optimization Service

3ware

ACPI

ADP80XX

AFD

AmdK8

AmdPPM

AppReadiness

AppleSSD

Application

Application Error

Application Hang

Application Management

Application Management Group Policy

Application Popup

Application-Addon-Event-Provider

AsyncMac

AutoEnrollment

BTHPORT

BTHUSB

BasicRender

BthEnum

BthLEEnum

BthMini

BugCheck

COM

COM+

CardSpace 4.0.0.0

CertCa

CertEnroll

Chkdsk

DCOM

DS

DeliveryOptimization

Desktop Window Manager

DfsSvc

Dhcp

Dhcpv6

DiskQuota

Display

Dnsapi

Dnscache

Dwminit

ESENT

Edge

Error Instrument

EventLog

EventSystem

FltMgr

Folder Redirection

Group Policy Applications

Group Policy Client

Group Policy Data Sources

Group Policy Device Settings

Group Policy Drive Maps

Group Policy Environment

Group Policy Files

Group Policy Folder Options

Group Policy Folders

Group Policy Ini Files

Group Policy Internet Settings

Group Policy Local Users and Groups

Group Policy Mail Profiles

Group Policy Network Options

Group Policy Network Shares

Group Policy Power Options

Group Policy Printers

Group Policy Regional Options

Group Policy Registry

Group Policy Scheduled Tasks

Group Policy Services

Group Policy Shortcuts

Group Policy Standard Edition

Group Policy Start Menu Settings

GroupPolicy

Handwriting Recognition

HidBth