mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-21 21:33:38 +00:00
11 KiB
11 KiB
description, title, keywords, ms.prod, ms.mktglfcycl, ms.sitesec, ms.pagetype, localizationpriority, author
| description | title | keywords | ms.prod | ms.mktglfcycl | ms.sitesec | ms.pagetype | localizationpriority | author |
|---|---|---|---|---|---|---|---|---|
| Use this article to make informed decisions about how you can configure telemetry in your organization. | Basic level Windows telemetry events and fields (Windows 10) | privacy | w10 | manage | library | security | high | brianlic-msft |
Basic level Windows telemetry events and fields
Applies to
- Windows 10
Add preface and cover page here (Steve May to provide)
Common data events
The fields in this section contain common device data that is added to every event.
Common data - Device extension
| Field | Description |
|---|---|
| localId | Represents a locally defined unique ID for the device, not the human readable device name. Most likely equal to the value stored at HKLM\Software\Microsoft\SQMClient\MachineId |
| deviceClass | Represents the classification of the device, the device “family”. For example, Desktop, Server, or Mobile. |
Common data - Envelope extension
| Field | Description |
|---|---|
| Ver | Represents the major and minor version of the envelope. |
| name | Represents the uniquely qualified name for the event. |
| time | Represents the event date time in Coordinated Universal Time (UTC) when the event was generated on the client. This should be in ISO 8601 format. |
| popSample | Represents the effective sample rate for this event at the time it was generated by a client. |
| epoch | Represents the epoch and seqNum fields, which help track how many events were fired and how many events were uploaded, and enables identification of data lost during upload and de-duplication of events on the ingress server. |
| seqNum | Represents the sequence field used to track absolute order of uploaded events. It is an incrementing identifier for each event added to the upload queue. The Sequence helps track how many events were fired and how many events were uploaded and enables identification of data lost during upload and de-duplication of events on the ingress server. |
| iKey | Represents an ID for applications or other logical groupings of events. |
| flags | Represents a collection of bits that describe how the event should be processed by the Connected User Experience and Telemetry component pipeline. The lowest-order byte is the event persistence. The next byte is the event latency. |
| os | Represents the operating system name. |
| osVer | Represents the OS version, and its format is OS dependent. |
| appId | Represents a unique identifier of the client application currently loaded in the process producing the event; and is used to group events together and understand usage pattern, errors by application. |
| appVer | Represents the version number of the application. Used to understand errors by Version, Usage by Version across an App. |
| cV | Represents the Correlation Vector: A single field for tracking partial order of related telemetry events across component boundaries. |
| tags | Represents the pre-release build "flight ID" |
Common data - OS extension
| Field | Description |
|---|---|
| expId | Represents the “experiment ID”. The standard for associating a flight, such as an OS flight (pre-release build), or an experiment, such as a web site UX experiment, with an event is to record the flight / experiment IDs in Part A of the common schema. |
Common data - Telemetry extension
| Field | Description |
|---|---|
| stId | Represents the Scenario Entry Point ID. This is a unique GUID for each event in a diagnostic scenario. This used to be Scenario Trigger ID. |
| aId | Represents the ETW ActivityId. Logged via TraceLogging or directly via ETW. |
| raId | Represents the ETW Related ActivityId. Logged via TraceLogging or directly via ETW. |
| Op | Represents the ETW Op Code. |
| cat | Represents a bitmask of the ETW Keywords associated with the event. |
| flags | Represents the bitmap that captures various Windows specific flags. |
Common data - User extension
| Field | Description |
|---|---|
| localId | Represents a unique user identity that is created locally and added by the client. This is not the user's account ID. |
Consent UI
This User Account Control (UAC) event collects information on elevations that originate from low integrity levels. This occurs when a process running at low integrity level (IL) requires higher (administrator) privileges, and therefore requests for elevation via UAC (consent.exe). By better understanding the processes requesting these elevations, Microsoft can in turn improve the detection and handling of potentially malicious behavior in this path.
| Field | Description |
|---|---|
| eventType | Represents the type of elevation: If it succeeded, was cancelled, or was auto-approved. |
| splitToken | Represents the flag used to distinguish between Admin and Standard Users. |
| friendlyName | Represents the name of the file requesting elevation from low IL. |
| elevationReason | Represents the distinction between various elevation requests sources (appcompat, installer, COM, MSI and so on). |
| exeName | Represents the name of the file requesting elevation from low IL. |
| signatureState | Represents the state of the signature, if it signed, unsigned, OS signed and so on. |
| publisherName | Represents the name of the publisher of the file requesting elevation from low IL. |
| cmdLine | Represents the full command line arguments being used to elevate. |
| Hash.Length | Represents the length of the hash of the file requesting elevation from low IL. |
| Hash | Represents the hash of the file requesting elevation from low IL. |
| HashAlgId | Represents the algorithm ID of the hash of the file requesting elevation from low IL. |
| telemetryFlags | Represents the details about the elevation prompt for CEIP data. |
| timeStamp | Represents the time stamp on the file requesting elevation |
| fileVersionMS | Represents the major version of the file requesting elevation |
| fileVersionLS | Represents the minor version of the file requesting elevation |
Appraiser
Appraiser Core Data events provide an inventory of what is on the device for the purposes of understanding compatibility and upgrade issues. This device inventory gathers information such as all the applications on the device, IE Add-ons, drivers on the device, and peripherals attached to the device. Appraiser reviews the device inventory to see if it is compatible/ready for upgrade, and for problems that might need to be addressed by the upgrade.
Microsoft.Windows.Appraiser.General
These events represent the basic metadata about an application installed on the system.
Microsoft.Windows.Appraiser.General.InventoryApplicationAdd
This event represents the basic metadata about an application installed on the system.
| Field | Description |
|---|---|
| objectInstanceId | ProgramId (a hash of Name, Version, Publisher, and Language of an application used to identify it). Example: 00000144865763f3de24c2ae5a289fde6db300000904 |
| HiddenArp | Indicates whether a program hides itself from showing up in ARP. Example: TRUE |
| InstallDate | The date the application was installed (a best guess based on folder creation date heuristics) Example: 4/12/2015 01:27:52 |
| InstallDateArpLastModified | The date of the registry ARP key for a given application. Hints at install date but not always accurate. Passed as an array. Example: 4/11/2015 00:00:00 |
| InstallDateFromLinkFile | The estimated date of install based on the links to the files. Passed as an array. Example: 4/8/2015 01:06:11 |
| InstallDateMsi | The install date if the application was installed via MSI. Passed as an array. Example: 4/11/2015 00:00:00 |
| Language | The language code of the program. Language codes can be found at http://support.microsoft.com/kb/221435 Example: 1033 |
| MsiPackageCode | A GUID that describes the MSI Package. Multiple 'Products' (apps) can make up an MsiPackage. Example: {1BCC5142-D98C-430B-B74A-484A0328A7CE} |
| MsiProductCode | A GUID that describe the MSI Product. Example: {365812a8-44d6-422e-b737-d540451e5f4e} |
| Name | The name of the application. Location pulled from depends on 'Source' field. Example: |
| OSVersionAtInstallTime | The four octets from the OS version at the time of the application's install. Example: |
| PackageFullName | The package full name for a Store application. Example: Microsoft.Hexic_1.2.0.36_x86__8wekyb3d8bbwe |
| ProgramInstanceId | A hash of the file IDs in a program. Used to identify application install footprint. Example: 00002a54cb9c5bc6946b99d4180fec12d6c1103ad849 |
| Publisher | The Publisher of the application. Location pulled from depends on the 'Source' field. Example: Neudesic |
| RootDirPath | The path to the root directory where the program was installed. Example: %ProgramFiles% (x86)\Neudesic\Azure Storage Explorer 6 |
| Source | Where the data for the application was found, such as Add/Remove Programs (ARP), MSI, AppxPackage, etc. Example: Msi |
| Type | One of ("Application", "Hotfix", "BOE", "Service", "Unknown"). Application indicates Win32 or Appx app, Hotfix indicates app updates (KBs), BOE indicates it's an app with no ARP or MSI entry, Service indicates that it is a service. Application and BOE are the ones most likely seen. Example: Application |
| Version | The version number of the program. Example: 6.00.000 3 |
Microsoft.Windows.Appraiser.General.InventoryApplicationFileAdd
This event represents the basic metadata about a file on the system. The file must be part of an app and either have a block in the compatibility database or are part of an anti-virus program.
| Field | Description |
|---|---|
| objectInstanceId | LongPathHash: A hash of the full file path including the file name. Example: 00002e017145d5fedc3dd5dd4027b1da51d17ca2a0a3 |
| BinFileVersion | An attempt to clean up FileVersion at the client that tries to place the version into 4 octets. Example: 12.0.31101.0 |
| BinProductVersion | An attempt to clean up ProductVersion at the client that tries to place the version into 4 octets. Example: 12.0.31101.0 |
| BinaryType | One of ("UNINITIALIZED", "ZERO_BYTE", "DATA_ONLY", "DOS_MODULE", "NE16_MODULE", "PE32_UNKNOWN", "PE32_I386", "PE32_ARM", "PE64_UNKNOWN", "PE64_AMD64", "PE64_ARM64", "PE64_IA64", "PE32_CLR_32", "PE32_CLR_IL", "PE32_CLR_IL_PREFER32", "PE64_CLR_64"). Example: PE32_I386 |
| BoeProgramId | The ProgramId generated from the file metadata if the file is an orphan file (no ARP, MSI, etc. entry). BOE means Bag of Evidence. |
| CompanyName | The company name of the vendor who developed this file. Example: Microsoft Corporation |
| FileId | A hash that uniquely identifies a file. Example: 0000eef5472f6619824665a9c118cffea67b3727f0e1 |
| FileVersion | The File version field from the file metadata under Properties -> Details. Example: 12.0.31101.0 built by: REL |
| LinkDate | The DateTime this file was linked on. Example: 11/1/2014 7:09:24 AM |
| LowerCaseLongPath | The full file path of the executable on the machine this was file was inventoried on. Example: %ProgramFiles% (x86)\microsoft visual studio 12.0\common7\ide\devenv.exe |
| Name | The name of the file that was inventoried. For example, excel.exe |
| ProductName | The Product name field from the file metadata under Properties -> Details. Example: Microsoft® Visual Studio® 2013 |
| ProductVersion | The Product version field from the file metadata under Properties -> Details. Example: 12.0.31101.0 |
| ProgramId | A hash of Name, Version, Publisher, and Language of an application used to identify it. Example: 00004a73716911b8bb891ec1f536f2bf500b00000904 |