mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-29 13:47:23 +00:00
all events and fields entered. still needs intro text
This commit is contained in:
jaimeo
parent
47978aeb38
commit
ed3dacf604
@ -7,6 +7,7 @@ ms.mktglfcycl: manage
|
|||||||
ms.sitesec: library
|
ms.sitesec: library
|
||||||
ms.pagetype: security
|
ms.pagetype: security
|
||||||
ms.localizationpriority: high
|
ms.localizationpriority: high
|
||||||
|
ms.date: 10/17/2017
|
||||||
author: jaimeo
|
author: jaimeo
|
||||||
ms.author: jaimeo
|
ms.author: jaimeo
|
||||||
---
|
---
|
||||||
@ -18,7 +19,7 @@ ms.author: jaimeo
|
|||||||
|
|
||||||
- Windows 10, version 1709 and later
|
- Windows 10, version 1709 and later
|
||||||
|
|
||||||
The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information,
|
LOREM IPSUM DOLOR EST [intro/framing material to come from Matt]
|
||||||
|
|
||||||
## KernelProcess.AppStateChangeSummary
|
## KernelProcess.AppStateChangeSummary
|
||||||
This event summarizes application usage and performance characteristics to help Microsoft improve performance and reliability. Organizations can use this event with Windows Analytics to gain insights into application reliability.
|
This event summarizes application usage and performance characteristics to help Microsoft improve performance and reliability. Organizations can use this event with Windows Analytics to gain insights into application reliability.
|
||||||
@ -70,132 +71,181 @@ This event indicates the result of an attempt to authenticate a user with a cred
|
|||||||
The following fields are available:
|
The following fields are available:
|
||||||
|
|
||||||
- **CredTileProviderId:** ID of the Credential Provider
|
- **CredTileProviderId:** ID of the Credential Provider
|
||||||
- **IsConnectedUser:** Flag indicating whether a user is connected or not |
|
- **IsConnectedUser:** Flag indicating whether a user is connected or not
|
||||||
| Microsoft.OSG.OSS.CredProvFramework.ReportResultStop | Field | IsPLAPTile | Flag indicating whether this credential tile is a pre-logon access provider or not |
|
- **IsPLAPTile:** Flag indicating whether this credential tile is a pre-logon access provider or not
|
||||||
| Microsoft.OSG.OSS.CredProvFramework.ReportResultStop | Field | IsRemoteSession | Flag indicating whether the session is remote or not |
|
- **IsRemoteSession:** Flag indicating whether the session is remote or not
|
||||||
| Microsoft.OSG.OSS.CredProvFramework.ReportResultStop | Field | IsV2CredProv | Flag indicating whether the credential provider of V2 or not |
|
- **IsV2CredProv:** Flag indicating whether the credential provider of V2 or not
|
||||||
| Microsoft.OSG.OSS.CredProvFramework.ReportResultStop | Field | OpitonalStatusText | Status text |
|
- **OpitonalStatusText:** Status text
|
||||||
| Microsoft.OSG.OSS.CredProvFramework.ReportResultStop | Field | ProcessImage | Image path to the process |
|
- **ProcessImage:** Image path to the process
|
||||||
| Microsoft.OSG.OSS.CredProvFramework.ReportResultStop | Field | ProviderId | Credential provider ID |
|
- **ProviderId:** Credential provider ID
|
||||||
| Microsoft.OSG.OSS.CredProvFramework.ReportResultStop | Field | ProviderStatusIcon | Indicates which status icon should be displayed |
|
- **ProviderStatusIcon:** Indicates which status icon should be displayed
|
||||||
| Microsoft.OSG.OSS.CredProvFramework.ReportResultStop | Field | ReturnCode | Output of the ReportResult function |
|
- **ReturnCode:** Output of the ReportResult function
|
||||||
| Microsoft.OSG.OSS.CredProvFramework.ReportResultStop | Field | SessionId | Session identifier |
|
- **SessionId:** Session identifier
|
||||||
| Microsoft.OSG.OSS.CredProvFramework.ReportResultStop | Field | Status | Sign-in error status |
|
- **Sign-in error status:**
|
||||||
| Microsoft.OSG.OSS.CredProvFramework.ReportResultStop | Field | SubStatus | Sign-in error sub-status |
|
- **SubStatus:** Sign-in error sub-status
|
||||||
| Microsoft.OSG.OSS.CredProvFramework.ReportResultStop | Field | UserTag | Count of the number of times a user has selected a provider |
|
- **UserTag:** Count of the number of times a user has selected a provider |
|
||||||
| Microsoft.Windows.Kernel.Power.OSStateChange | EventItself | EventDescription | This event denotes the transition between operating system states (e.g., On, Off, Sleep, etc.). By using this event with Windows Analytics, organizations can use this to monitor reliability and performance of managed devices |
|
## Microsoft.Windows.Kernel.Power.OSStateChange
|
||||||
| Microsoft.Windows.Kernel.Power.OSStateChange | Field | AcPowerOnline | If "TRUE," the device is using AC power. If "FALSE," the device is using battery power. |
|
This event denotes the transition between operating system states (e.g., On, Off, Sleep, etc.). By using this event with Windows Analytics, organizations can use this to monitor reliability and performance of managed devices
|
||||||
| Microsoft.Windows.Kernel.Power.OSStateChange | Field | ActualTransitions | The number of transitions between operating system states since the last system boot |
|
|
||||||
| Microsoft.Windows.Kernel.Power.OSStateChange | Field | BatteryCapacity | Maximum battery capacity in mWh |
|
The following fields are available:
|
||||||
| Microsoft.Windows.Kernel.Power.OSStateChange | Field | BatteryCharge | Current battery charge as a percentage of total capacity |
|
|
|
||||||
| Microsoft.Windows.Kernel.Power.OSStateChange | Field | BatteryDischarging | Flag indicating whether the battery is discharging or charging |
|
- **AcPowerOnline:** If "TRUE," the device is using AC power. If "FALSE," the device is using battery power.
|
||||||
| Microsoft.Windows.Kernel.Power.OSStateChange | Field | BootId | Total boot count since the operating system was installed |
|
- **ActualTransitions:** The number of transitions between operating system states since the last system boot
|
||||||
| Microsoft.Windows.Kernel.Power.OSStateChange | Field | BootTimeUTC | Date and time of a particular boot event (identified by BootId) |
|
- **BatteryCapacity:** Maximum battery capacity in mWh
|
||||||
| Microsoft.Windows.Kernel.Power.OSStateChange | Field | EnergyChangeV2 | A snapshot value in mWh reflecting a change in power usage |
|
- **BatteryCharge:** Current battery charge as a percentage of total capacity
|
||||||
| Microsoft.Windows.Kernel.Power.OSStateChange | Field | EnergyChangeV2Flags | Flags for disambiguating EnergyChangeV2 context |
|
- **BatteryDischarging:** Flag indicating whether the battery is discharging or charging
|
||||||
| Microsoft.Windows.Kernel.Power.OSStateChange | Field | EventSequence | A sequential number used to evaluate the completeness of the data |
|
- **BootId:** Total boot count since the operating system was installed
|
||||||
| Microsoft.Windows.Kernel.Power.OSStateChange | Field | LastStateTransition | ID of the last operating system state transition |
|
- **BootTimeUTC:** Date and time of a particular boot event (identified by BootId)
|
||||||
| Microsoft.Windows.Kernel.Power.OSStateChange | Field | LastStateTransitionSub | ID of the last operating system sub-state transition |
|
- **EnergyChangeV2:** A snapshot value in mWh reflecting a change in power usage
|
||||||
| Microsoft.Windows.Kernel.Power.OSStateChange | Field | StateDurationMS | Number of milliseconds spent in the last operating system state |
|
- **EnergyChangeV2Flags:** Flags for disambiguating EnergyChangeV2 context
|
||||||
| Microsoft.Windows.Kernel.Power.OSStateChange | Field | StateTransition | ID of the operating system state the system is transitioning to |
|
- **EventSequence:** A sequential number used to evaluate the completeness of the data
|
||||||
| Microsoft.Windows.Kernel.Power.OSStateChange | Field | StateTransitionSub | ID of the operating system sub-state the system is transitioning to |
|
- **LastStateTransition:** ID of the last operating system state transition
|
||||||
| Microsoft.Windows.Kernel.Power.OSStateChange | Field | TotalDurationMS | Total time (in milliseconds) spent in all states since the last boot |
|
- **LastStateTransitionSub:** ID of the last operating system sub-state transition
|
||||||
| Microsoft.Windows.Kernel.Power.OSStateChange | Field | TotalUptimeMS | Total time (in milliseconds) the device was in Up or Running states since the last boot |
|
- **StateDurationMS:** Number of milliseconds spent in the last operating system state
|
||||||
| Microsoft.Windows.Kernel.Power.OSStateChange | Field | TransitionsToOn | Number of transitions to the Powered On state since the last boot |
|
- **StateTransition:** ID of the operating system state the system is transitioning to
|
||||||
| Microsoft.Windows.Kernel.Power.OSStateChange | Field | UptimeDeltaMS | Total time (in milliseconds) added to Uptime since the last event |
|
- **StateTransitionSub:** ID of the operating system sub-state the system is transitioning to
|
||||||
| Microsoft.Windows.LogonController.LogonAndUnlockSubmit | EventItself | EventDescription | Sends details of the user attempting to sign into or unlock the device. |
|
- **TotalDurationMS:** Total time (in milliseconds) spent in all states since the last boot
|
||||||
| Microsoft.Windows.LogonController.LogonAndUnlockSubmit | Field | isSystemManagedAccount | Indicates if the user's account is System Managed |
|
- **TotalUptimeMS:** Total time (in milliseconds) the device was in Up or Running states since the last boot
|
||||||
| Microsoft.Windows.LogonController.LogonAndUnlockSubmit | Field | isUnlockScenario | Flag indicating whether the event is a Logon or an Unlock |
|
- **TransitionsToOn:** Number of transitions to the Powered On state since the last boot
|
||||||
| Microsoft.Windows.LogonController.LogonAndUnlockSubmit | Field | PartA_UserSid | The security identifier of the user |
|
- **UptimeDeltaMS:** Total time (in milliseconds) added to Uptime since the last event
|
||||||
| Microsoft.Windows.LogonController.LogonAndUnlockSubmit | Field | userType | Indicates the user type: 0 = unknown; 1 = local; 2 = Active Directory domain user; 3 = Microsoft Account; 4 = Azure Active Directory user |
|
|
||||||
| Microsoft.Windows.LogonController.SignInFailure | EventItself | EventDescription | Sends details about any error codes detected during a failed sign-in |
|
## Microsoft.Windows.LogonController.LogonAndUnlockSubmit
|
||||||
| Microsoft.Windows.LogonController.SignInFailure | Field | ntsStatus | The NTSTATUS error code status returned from an attempted sign-in |
|
Sends details of the user attempting to sign into or unlock the device.
|
||||||
| Microsoft.Windows.LogonController.SignInFailure | Field | ntsSubstatus | The NTSTATUS error code sub-status returned from an attempted sign-in |
|
|
||||||
| Microsoft.Windows.Security.Biometrics.Service.BioServiceActivityCapture | EventItself | EventDescription | Indicates that a biometric capture was compared to known templates |
|
The following fields are available: |
|
||||||
| Microsoft.Windows.Security.Biometrics.Service.BioServiceActivityCapture | Field | captureDetail | Result of biometric capture, either matched to an enrollment or an error |
|
- **isSystemManagedAccount:** Indicates if the user's account is System Managed
|
||||||
| Microsoft.Windows.Security.Biometrics.Service.BioServiceActivityCapture | Field | captureSuccessful | Indicates whether a biometric capture was successfully matched or not |
|
- **isUnlockScenario:** Flag indicating whether the event is a Logon or an Unlock
|
||||||
| Microsoft.Windows.Security.Biometrics.Service.BioServiceActivityCapture | Field | hardwareId | ID of the sensor that collected the biometric capture |
|
- **PartA_UserSid:** The security identifier of the user
|
||||||
| Microsoft.Windows.Security.Biometrics.Service.BioServiceActivityCapture | Field | isSecureSensor | Flag indicating whether a biometric sensor was in enhanced security mode |
|
- **userType:** Indicates the user type: 0 = unknown; 1 = local; 2 = Active Directory domain user; 3 = Microsoft Account; 4 = Azure Active Directory user
|
||||||
| Microsoft.Windows.Security.Biometrics.Service.BioServiceActivityCapture | Field | isTrustletRunning | Indicates whether an enhanced security component is currently running |
|
|
||||||
| Microsoft.Windows.Security.Biometrics.Service.BioServiceActivityCapture | Field | isVsmCfg | Flag indicating whether virtual secure mode is configured or not |
|
## Microsoft.Windows.LogonController.SignInFailure
|
||||||
| Microsoft.Windows.Security.Certificates.PinRulesCaCertUsedAnalytics | EventItself | EventDescription | The Microsoft.Windows.Security.Certificates.Pin\*Analytics events summarize which server certificates the client encounters. By using this event with Windows Analytics, organizations can use this to determine potential scope and impact of pending certificate revocations or expirations. |
|
Sends details about any error codes detected during a failed sign-in.
|
||||||
| Microsoft.Windows.Security.Certificates.PinRulesCaCertUsedAnalytics | Field | certBinary | Binary blob of public certificate as presented to the client (does not include any private keys) |
|
|
||||||
| Microsoft.Windows.Security.Certificates.PinRulesCaCertUsedAnalytics | Field | certThumbprint | Certificate thumbprint |
|
The following fields are available:
|
||||||
| Microsoft.Windows.Security.Certificates.PinRulesCheckedAnalytics | EventItself | EventDescription | The Microsoft.Windows.Security.Certificates.Pin\*Analytics events summarize which server certificates the client encounters. By using this event with Windows Analytics, organizations can use this to determine potential scope and impact of pending certificate revocations or expirations. |
|
|
||||||
| Microsoft.Windows.Security.Certificates.PinRulesCheckedAnalytics | Field | caThumbprints | Intermediate certificate thumbprints |
|
- **ntsStatus:** The NTSTATUS error code status returned from an attempted sign-in
|
||||||
| Microsoft.Windows.Security.Certificates.PinRulesCheckedAnalytics | Field | rootThumbprint | Root certificate thumbprint |
|
- **ntsSubstatus:** The NTSTATUS error code sub-status returned from an attempted sign-in |
|
||||||
| Microsoft.Windows.Security.Certificates.PinRulesCheckedAnalytics | Field | serverName | Server name associated with the certificate |
|
## Microsoft.Windows.Security.Biometrics.Service.BioServiceActivityCapture
|
||||||
| Microsoft.Windows.Security.Certificates.PinRulesCheckedAnalytics | Field | serverThumbprint | Server certificate thumbprint |
|
Indicates that a biometric capture was compared to known templates
|
||||||
| Microsoft.Windows.Security.Certificates.PinRulesCheckedAnalytics | Field | statusBits | Certificate status |
|
|
||||||
| Microsoft.Windows.Security.Certificates.PinRulesServerCertUsedAnalytics | EventItself | EventDescription | The Microsoft.Windows.Security.Certificates.Pin\*Analytics events summarize which server certificates the client encounters. By using this event with Windows Analytics, organizations can use this to determine potential scope and impact of pending certificate revocations or expirations. |
|
The following fields are available: |
|
||||||
| Microsoft.Windows.Security.Certificates.PinRulesServerCertUsedAnalytics | Field | certBinary | Binary blob of public certificate as presented to the client (does not include any private keys) |
|
- **captureDetail:** Result of biometric capture, either matched to an enrollment or an error
|
||||||
| Microsoft.Windows.Security.Certificates.PinRulesServerCertUsedAnalytics | Field | certThumbprint | Certificate thumbprint |
|
- **captureSuccessful:** Indicates whether a biometric capture was successfully matched or not
|
||||||
| Microsoft.Windows.Security.Winlogon.SystemBootStop | EventItself | EventDescription | System boot complete |
|
- **hardwareId:** ID of the sensor that collected the biometric capture
|
||||||
| Microsoft.Windows.Security.Winlogon.SystemBootStop | Field | ticksSinceBoot | Duration of boot event (milliseconds) |
|
- **isSecureSensor:** Flag indicating whether a biometric sensor was in enhanced security mode
|
||||||
| Microsoft.Windows.Shell.Desktop.LogonFramework.AllLogonTasks | EventItself | EventDescription | This event summarizes the logon procedure to help Microsoft improve performance and reliability. By using this event with Windows Analytics organizations can help identify logon problems on managed devices. |
|
- **isTrustletRunning:** Indicates whether an enhanced security component is currently running
|
||||||
| Microsoft.Windows.Shell.Desktop.LogonFramework.AllLogonTasks | Field | isAadUser | Indicates whether the current logon is for an Azure Active Directory account |
|
- **isVsmCfg:** Flag indicating whether virtual secure mode is configured or not
|
||||||
| Microsoft.Windows.Shell.Desktop.LogonFramework.AllLogonTasks | Field | isDomainUser | Indicates whether the current logon is for a domain account |
|
|
||||||
| Microsoft.Windows.Shell.Desktop.LogonFramework.AllLogonTasks | Field | isMSA | Indicates whether the current logon is for a Microsoft Account |
|
## Microsoft.Windows.Security.Certificates.PinRulesCaCertUsedAnalytics
|
||||||
| Microsoft.Windows.Shell.Desktop.LogonFramework.AllLogonTasks | Field | logonOptimizationFlags | Flags indicating optimization settings for this logon session |
|
The Microsoft.Windows.Security.Certificates.Pin\*Analytics events summarize which server certificates the client encounters. By using this event with Windows Analytics, organizations can use this to determine potential scope and impact of pending certificate revocations or expirations.
|
||||||
| Microsoft.Windows.Shell.Desktop.LogonFramework.AllLogonTasks | Field | logonTypeFlags | Flags indicating logon type (first logon vs. a later logon) |
|
|
||||||
| Microsoft.Windows.Shell.Desktop.LogonFramework.AllLogonTasks | Field | systemManufacturer | Device manufacturer |
|
The following fields are available:
|
||||||
| Microsoft.Windows.Shell.Desktop.LogonFramework.AllLogonTasks | Field | systemProductName | Device product name |
|
|
||||||
| Microsoft.Windows.Shell.Desktop.LogonFramework.AllLogonTasks | Field | wilActivity | Indicates errors in the task to help Microsoft improve reliability. |
|
- **certBinary:** Binary blob of public certificate as presented to the client (does not include any private keys)
|
||||||
| Microsoft.Windows.Shell.Desktop.LogonFramework.LogonTask | EventItself | EventDescription | This event describes system tasks which are part of the user logon sequence and helps Microsoft to improve reliability. |
|
- **certThumbprint:** Certificate thumbprint |
|
||||||
| Microsoft.Windows.Shell.Desktop.LogonFramework.LogonTask | Field | isStartWaitTask | Flag indicating whether the task starts a background task |
|
## Microsoft.Windows.Security.Certificates.PinRulesCheckedAnalytics
|
||||||
| Microsoft.Windows.Shell.Desktop.LogonFramework.LogonTask | Field | isWaitMethod | Flag indicating the task is waiting on a background task |
|
The Microsoft.Windows.Security.Certificates.Pin\*Analytics events summarize which server certificates the client encounters. By using this event with Windows Analytics, organizations can use this to determine potential scope and impact of pending certificate revocations or expirations.
|
||||||
| Microsoft.Windows.Shell.Desktop.LogonFramework.LogonTask | Field | logonTask | Indicates which logon step is currently occurring |
|
|
||||||
| Microsoft.Windows.Shell.Desktop.LogonFramework.LogonTask | Field | wilActivity | Indicates errors in the task to help Microsoft improve reliability. |
|
The following fields are available:
|
||||||
| Microsoft.Windows.Shell.Explorer.DesktopReady | EventItself | EventDescription | Initialization of Explorer is complete |
|
|
|
||||||
| Microsoft-Windows-Security-EFS-EDPAudit-ApplicationLearning.EdpAuditLogApplicationLearning | EventItself | EventDescription | For a device subject to Windows Information Protection policy, learning events are generated when an app encounters a policy boundary (for example, trying to open a work document from a personal app). These events help the WIP administrator tune policy rules and prevent unnecessary user disruption. |
|
- **caThumbprints:** Intermediate certificate thumbprints
|
||||||
| Microsoft-Windows-Security-EFS-EDPAudit-ApplicationLearning.EdpAuditLogApplicationLearning | Field | actiontype | Indicates what type of resource access the app was attempting (for example, opening a local document vs. a network resource) when it encountered a policy boundary. Useful for Windows Information Protection administrators to tune policy rules. |
|
- **rootThumbprint:** Root certificate thumbprint
|
||||||
| Microsoft-Windows-Security-EFS-EDPAudit-ApplicationLearning.EdpAuditLogApplicationLearning | Field | appIdType | Based on the type of application, this indicates what type of app rule a Windows Information Protection administrator would need to create for this app. |
|
- **serverName:** Server name associated with the certificate
|
||||||
| Microsoft-Windows-Security-EFS-EDPAudit-ApplicationLearning.EdpAuditLogApplicationLearning | Field | appname | App that triggered the event |
|
- **serverThumbprint:** Server certificate thumbprint
|
||||||
| Microsoft-Windows-Security-EFS-EDPAudit-ApplicationLearning.EdpAuditLogApplicationLearning | Field | status | Indicates whether errors occurred during WIP learning events |
|
- **statusBits:** Certificate status |
|
||||||
| Win32kTraceLogging.AppInteractivitySummary | EventItself | EventDescription | Summarizes which app windows are being used (for example, have focus) to help Microsoft improve compatibility and user experience. Also helps organizations (by using Windows Analytics) to understand and improve application reliability on managed devices. |
|
## Microsoft.Windows.Security.Certificates.PinRulesServerCertUsedAnalytics
|
||||||
| Win32kTraceLogging.AppInteractivitySummary | Field | AggregationDurationMS | Actual duration of aggregation period (in milliseconds) |
|
The Microsoft.Windows.Security.Certificates.Pin\*Analytics events summarize which server certificates the client encounters. By using this event with Windows Analytics, organizations can use this to determine potential scope and impact of pending certificate revocations or expirations.
|
||||||
| Win32kTraceLogging.AppInteractivitySummary | Field | AggregationFlags | Flags denoting aggregation settings |
|
|
|
||||||
| Win32kTraceLogging.AppInteractivitySummary | Field | AggregationPeriodMS | Intended duration of aggregation period (in milliseconds) |
|
The following fields are available:
|
||||||
| Win32kTraceLogging.AppInteractivitySummary | Field | AggregationStartTime | Start date and time of AppInteractivity aggregation |
|
|
||||||
| Win32kTraceLogging.AppInteractivitySummary | Field | AppId | Application ID for usage |
|
- **certBinary:** Binary blob of public certificate as presented to the client (does not include any private keys)
|
||||||
| Win32kTraceLogging.AppInteractivitySummary | Field | AppSessionId | GUID identifying the application's usage session |
|
- **certThumbprint:** Certificate thumbprint |
|
||||||
| Win32kTraceLogging.AppInteractivitySummary | Field | AppVersion | Version of the application that produced this event |
|
## Microsoft.Windows.Security.Winlogon.SystemBootStop
|
||||||
| Win32kTraceLogging.AppInteractivitySummary | Field | AudioInMS | Audio capture duration (in milliseconds) |
|
System boot has completed.
|
||||||
| Win32kTraceLogging.AppInteractivitySummary | Field | AudioOutMS | Audio playback duration (in milliseconds) |
|
|
||||||
| Win32kTraceLogging.AppInteractivitySummary | Field | BackgroundMouseSec | indicates that there was a mouse hover event while the app was in the background |
|
The following field is available: |
|
||||||
| Win32kTraceLogging.AppInteractivitySummary | Field | BitPeriodMS | Length of the period represented by InFocusBitmap |
|
- **ticksSinceBoot:** Duration of boot event (milliseconds) |
|
||||||
| Win32kTraceLogging.AppInteractivitySummary | Field | CommandLineHash | A hash of the command line |
|
## Microsoft.Windows.Shell.Desktop.LogonFramework.AllLogonTasks
|
||||||
| Win32kTraceLogging.AppInteractivitySummary | Field | CompositionDirtyGeneratedSec | Represents the amount of time (in seconds) during which the active app reported that it had an update |
|
This event summarizes the logon procedure to help Microsoft improve performance and reliability. By using this event with Windows Analytics organizations can help identify logon problems on managed devices.
|
||||||
| Win32kTraceLogging.AppInteractivitySummary | Field | CompositionDirtyPropagatedSec | Total time (in seconds) that a separate process with visuals hosted in an app signaled updates |
|
|
||||||
| Win32kTraceLogging.AppInteractivitySummary | Field | CompositionRenderedSec | Time (in seconds) that an app's contents were rendered |
|
The following fields are available:
|
||||||
| Win32kTraceLogging.AppInteractivitySummary | Field | EventSequence | [need more info] |
|
|
|
||||||
| Win32kTraceLogging.AppInteractivitySummary | Field | FocusLostCount | Number of times that an app lost focus during the aggregation period |
|
- **isAadUser:** Indicates whether the current logon is for an Azure Active Directory account
|
||||||
| Win32kTraceLogging.AppInteractivitySummary | Field | GameInputSec | Time (in seconds) there was user input using a game controller |
|
- **isDomainUser:** Indicates whether the current logon is for a domain account
|
||||||
| Win32kTraceLogging.AppInteractivitySummary | Field | HidInputSec | Time (in seconds) there was user input using devices other than a game controller |
|
- **isMSA:** Indicates whether the current logon is for a Microsoft Account
|
||||||
| Win32kTraceLogging.AppInteractivitySummary | Field | InFocusBitmap | Series of bits representing application having and losing focus |
|
- **logonOptimizationFlags:** Flags indicating optimization settings for this logon session
|
||||||
| Win32kTraceLogging.AppInteractivitySummary | Field | InFocusDurationMS | Total time (in milliseconds) the application had focus |
|
- **logonTypeFlags:** Flags indicating logon type (first logon vs. a later logon)
|
||||||
| Win32kTraceLogging.AppInteractivitySummary | Field | InputSec | Total number of seconds during which there was any user input |
|
- **systemManufacturer:** Device manufacturer
|
||||||
| Win32kTraceLogging.AppInteractivitySummary | Field | InteractiveTimeoutPeriodMS | Total time (in milliseconds) that inactivity expired interactivity sessions |
|
- **systemProductName:** Device product name
|
||||||
| Win32kTraceLogging.AppInteractivitySummary | Field | KeyboardInputSec | Total number of seconds during which there was keyboard input |
|
- **wilActivity:** Indicates errors in the task to help Microsoft improve reliability. |
|
||||||
| Win32kTraceLogging.AppInteractivitySummary | Field | MonitorFlags | Flags indicating app use of individual monitor(s) |
|
## Microsoft.Windows.Shell.Desktop.LogonFramework.LogonTask
|
||||||
| Win32kTraceLogging.AppInteractivitySummary | Field | MonitorHeight | Number of vertical pixels in the application host monitor resolution |
|
This event describes system tasks which are part of the user logon sequence and helps Microsoft to improve reliability.
|
||||||
| Win32kTraceLogging.AppInteractivitySummary | Field | MonitorWidth | Number of horizontal pixels in the application host monitor resolution |
|
|
||||||
| Win32kTraceLogging.AppInteractivitySummary | Field | MouseInputSec | Total number of seconds during which there was mouse input |
|
The following fields are available:
|
||||||
| Win32kTraceLogging.AppInteractivitySummary | Field | NewProcessCount | Number of new processes contributing to the aggregate |
|
|
||||||
| Win32kTraceLogging.AppInteractivitySummary | Field | PartATransform_AppSessionGuidToUserSid | Flag which influences how other parts of the event are constructed |
|
- **isStartWaitTask:** Flag indicating whether the task starts a background task
|
||||||
| Win32kTraceLogging.AppInteractivitySummary | Field | PenInputSec | Total number of seconds during which there was pen input |
|
- **isWaitMethod:** Flag indicating the task is waiting on a background task
|
||||||
| Win32kTraceLogging.AppInteractivitySummary | Field | SpeechRecognitionSec | Total number of seconds of speech recognition |
|
- **logonTask:** Indicates which logon step is currently occurring
|
||||||
| Win32kTraceLogging.AppInteractivitySummary | Field | SummaryRound | Incrementing number indicating the round (batch) being summarized |
|
- **wilActivity:** Indicates errors in the task to help Microsoft improve reliability. |
|
||||||
| Win32kTraceLogging.AppInteractivitySummary | Field | TargetAsId | Flag which influences how other parts of the event are constructed |
|
## Microsoft.Windows.Shell.Explorer.DesktopReady
|
||||||
| Win32kTraceLogging.AppInteractivitySummary | Field | TotalUserOrDisplayActiveDurationMS | Total time the user or the display was active (in milliseconds) |
|
Initialization of Explorer is complete. |
|
||||||
| Win32kTraceLogging.AppInteractivitySummary | Field | TouchInputSec | Total number of seconds during which there was touch input |
|
## Microsoft-Windows-Security-EFS-EDPAudit-ApplicationLearning.EdpAuditLogApplicationLearning
|
||||||
| Win32kTraceLogging.AppInteractivitySummary | Field | UserActiveDurationMS | Total time that the user was active including all input methods |
|
For a device subject to Windows Information Protection policy, learning events are generated when an app encounters a policy boundary (for example, trying to open a work document from a personal app). These events help the WIP administrator tune policy rules and prevent unnecessary user disruption.
|
||||||
| Win32kTraceLogging.AppInteractivitySummary | Field | UserActiveTransitionCount | Number of transitions in and out of user activity |
|
|
||||||
| Win32kTraceLogging.AppInteractivitySummary | Field | UserOrDisplayActiveDurationMS | Total time the user was using the display |
|
The following fields are available:
|
||||||
| Win32kTraceLogging.AppInteractivitySummary | Field | UTCReplace_AppId | |
|
|
|
||||||
| Win32kTraceLogging.AppInteractivitySummary | Field | UTCReplace_AppVersion | |
|
- **actiontype:** Indicates what type of resource access the app was attempting (for example, opening a local document vs. a network resource) when it encountered a policy boundary. Useful for Windows Information Protection administrators to tune policy rules.
|
||||||
| Win32kTraceLogging.AppInteractivitySummary | Field | UTCReplace_CommandLineHash | |
|
- **appIdType:** Based on the type of application, this indicates what type of app rule a Windows Information Protection administrator would need to create for this app.
|
||||||
| Win32kTraceLogging.AppInteractivitySummary | Field | ViewFlags | Flags denoting properties of an app view (for example, special VR view or not) |
|
- **appname:** App that triggered the event
|
||||||
| Win32kTraceLogging.AppInteractivitySummary | Field | WindowFlags | Flags denoting runtime properties of an app window |
|
- **status:** Indicates whether errors occurred during WIP learning events |
|
||||||
| Win32kTraceLogging.AppInteractivitySummary | Field | WindowHeight | Number of vertical pixels in the application window |
|
## Win32kTraceLogging.AppInteractivitySummary
|
||||||
| Win32kTraceLogging.AppInteractivitySummary | Field | WindowWidth | Number of horizontal pixels in the application window |
|
Summarizes which app windows are being used (for example, have focus) to help Microsoft improve compatibility and user experience. Also helps organizations (by using Windows Analytics) to understand and improve application reliability on managed devices.
|
||||||
|
|
||||||
|
The following fields are available:
|
||||||
|
|
|
||||||
|
- **AggregationDurationMS:** Actual duration of aggregation period (in milliseconds)
|
||||||
|
- **AggregationFlags:** Flags denoting aggregation settings
|
||||||
|
- **AggregationPeriodMS:** Intended duration of aggregation period (in milliseconds)
|
||||||
|
- **AggregationStartTime:** Start date and time of AppInteractivity aggregation
|
||||||
|
- **AppId:** Application ID for usage
|
||||||
|
- **AppSessionId:** GUID identifying the application's usage session
|
||||||
|
- **AppVersion:** Version of the application that produced this event
|
||||||
|
- **AudioInMS:** Audio capture duration (in milliseconds)
|
||||||
|
- **AudioOutMS:** Audio playback duration (in milliseconds)
|
||||||
|
- **BackgroundMouseSec:** Indicates that there was a mouse hover event while the app was in the background
|
||||||
|
- **BitPeriodMS:** Length of the period represented by InFocusBitmap
|
||||||
|
- **CommandLineHash:** A hash of the command line
|
||||||
|
- **CompositionDirtyGeneratedSec:** Represents the amount of time (in seconds) during which the active app reported that it had an update
|
||||||
|
- **CompositionDirtyPropagatedSec:** Total time (in seconds) that a separate process with visuals hosted in an app signaled updates
|
||||||
|
- **CompositionRenderedSec:** Time (in seconds) that an app's contents were rendered
|
||||||
|
- **EventSequence:** [need more info]
|
||||||
|
- **FocusLostCount:** Number of times that an app lost focus during the aggregation period
|
||||||
|
- **GameInputSec:** Time (in seconds) there was user input using a game controller
|
||||||
|
- **HidInputSec:** Time (in seconds) there was user input using devices other than a game controller
|
||||||
|
- **InFocusBitmap:** Series of bits representing application having and losing focus
|
||||||
|
- **InFocusDurationMS:** Total time (in milliseconds) the application had focus
|
||||||
|
- **InputSec:** Total number of seconds during which there was any user input
|
||||||
|
- **InteractiveTimeoutPeriodMS:** Total time (in milliseconds) that inactivity expired interactivity sessions
|
||||||
|
- **KeyboardInputSec:** Total number of seconds during which there was keyboard input
|
||||||
|
- **MonitorFlags:** Flags indicating app use of individual monitor(s)
|
||||||
|
- **MonitorHeight:** Number of vertical pixels in the application host monitor resolution
|
||||||
|
- **MonitorWidth:** Number of horizontal pixels in the application host monitor resolution
|
||||||
|
- **MouseInputSec:** Total number of seconds during which there was mouse input
|
||||||
|
- **NewProcessCount:** Number of new processes contributing to the aggregate
|
||||||
|
- **PartATransform_AppSessionGuidToUserSid:** Flag which influences how other parts of the event are constructed
|
||||||
|
- **PenInputSec:** Total number of seconds during which there was pen input
|
||||||
|
- **SpeechRecognitionSec:** Total number of seconds of speech recognition
|
||||||
|
- **SummaryRound:** Incrementing number indicating the round (batch) being summarized
|
||||||
|
- **TargetAsId:** Flag which influences how other parts of the event are constructed
|
||||||
|
- **TotalUserOrDisplayActiveDurationMS:** Total time the user or the display was active (in milliseconds)
|
||||||
|
- **TouchInputSec:** Total number of seconds during which there was touch input
|
||||||
|
- **UserActiveDurationMS:** Total time that the user was active including all input methods
|
||||||
|
- **UserActiveTransitionCount:** Number of transitions in and out of user activity
|
||||||
|
- **UserOrDisplayActiveDurationMS:** Total time the user was using the display
|
||||||
|
- **UTCReplace_AppId:**
|
||||||
|
- **UTCReplace_AppVersion:**
|
||||||
|
- **UTCReplace_CommandLineHash:**
|
||||||
|
- **ViewFlags:** Flags denoting properties of an app view (for example, special VR view or not)
|
||||||
|
- **WindowFlags:** Flags denoting runtime properties of an app window
|
||||||
|
- **WindowHeight:** Number of vertical pixels in the application window
|
||||||
|
- **WindowWidth:** Number of horizontal pixels in the application window|
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user