MZ@ !L!This program cannot be run in DOS mode. $Rؕ3}3}3}H̴3}H̱3}Rich3}PEd:c"  *@z`).rsrc)*@@(@Xp   9@#0 WEVT_TEMPLATEMUI04VS_VERSION_INFOP%P%?StringFileInfoj040904B0LCompanyNameMicrosoft Corporation|*FileDescriptionMicrosoft-Windows-System-Events Resources1FileVersion6.3.9600.20625 (winblue_ltsb_escrow.221003-0335)h$InternalNamemicrosoft-windows-system-events.dll.LegalCopyright Microsoft Corporation. All rights reserved.p$OriginalFilenamemicrosoft-windows-system-events.dllj%ProductNameMicrosoft Windows Operating SystemBProductVersion6.3.9600.20625DVarFileInfo$Translation CRIM#$/G!D?84Oצ]!,"{+B/`SOpsOQ3=Tc#w[HV]s]Jd+:WcL.?w;3?YFKBx^7vPY0J~W4hs"SKDuiU?FMEOCEl, `{MKf/e@ڊR_O](a$9BJ;?&0: '2 RCR۫AYP=^񿿁E|چw56wuC$E7ĺ^apx*uOȮ ϛ#JM <WEVT0Hxp8HCHAN0 PMicrosoft-Windows-Kernel-WDI/AnalyticLMicrosoft-Windows-Kernel-WDI/DebugXMicrosoft-Windows-Kernel-WDI/OperationalTTBL TEMP H-Wxgz_vD EventDataA?oData'KName ProviderID A9oData!KNameEventID AMoData5KNameDroppedEventCount AAoData)KName ActionCount AMZ ComplexData'KName SemActions $@T|  0ProviderIDEventID(DroppedEventCountActionCountSemActionsProviderIDLevelReservedKeyword$EnablePropertyNTStatusTEMP, f*Ƥ&gAD EventDataA?oData'KName ProviderID A9oData!KNameEventID D ` ProviderIDEventIDTEMP C>ҞSD EventDataA?oData'KName ProviderID A9oData!KNameEventID A;oData#KNameNTStatus    ProviderIDEventIDNTStatusTEMP QoJoJ]:VD EventDataA?oData'KName ProviderID A9oData!KNameEventID AEoData-KName ScenarioCount AcZ ComplexData=KNameScenarioInflightItems < X l     ProviderIDEventID ScenarioCount0ScenarioInflightItemsProviderIDEventIDReserved InflightCountTEMP,f*Ƥ&gAD EventDataA?oData'KName ProviderID A9oData!KNameEventID  <ProviderIDEventIDTEMPL׋Q&è@e*`D EventDataA?oData'KName ProviderID ProviderIDTEMP,C>ҞSD EventDataA?oData'KName ProviderID A9oData!KNameEventID A;oData#KNameNTStatus hProviderIDEventIDNTStatusTEMP|*B3TMD EventDataA9oData!KNameSqmType A7oDataKNameSqmSid SqmTypeSqmSidTEMPDD:LsTBD EventDataAGoData/KNameSqmSessionGuid A5oDataKNameSqmID A9oData!KNameSqmType AWoData?KNameSqmDWORDDatapointValue $SqmSessionGuidSqmIDSqmType4SqmDWORDDatapointValueTEMP`3f!LF+VfNHD EventDataAGoData/KNameSqmSessionGuid A5oDataKNameSqmID A9oData!KNameSqmType AOoData7KNameSqmStreamRowLength AQZ ComplexData+KName SqmStreamRow x ,L$SqmSessionGuidSqmIDSqmType,SqmStreamRowLength SqmStreamRow SqmTypeEntry SqmDWORDEntry$SqmStringEntryOPCO< 0 0L 0 00<0004000\LWDI_SEM_TASK_SCENARIO_OPCODE_STARTHWDI_SEM_TASK_SCENARIO_OPCODE_ENDPWDI_SEM_TASK_SCENARIO_OPCODE_TIMEOUTXWDI_SEM_TASK_SCENARIO_OPCODE_START_FAILEDTWDI_SEM_TASK_SCENARIO_OPCODE_END_FAILEDXWDI_SEM_TASK_SCENARIO_OPCODE_INFLIGHT_MAXLWDI_SEM_TASK_INIT_OPCODE_MISCONFIGPWDI_SEM_TASK_INIT_OPCODE_SCENARIO_MAXtWDI_SEM_TASK_INIT_OPCODE_SCENARIO_CONTEXT_PROVIDER_MAXdWDI_SEM_TASK_INIT_OPCODE_SCENARIO_END_EVENT_MAXPWDI_SEM_TASK_INIT_OPCODE_PROVIDER_MAXLEVLPPPwin:Errorwin:Warning(win:InformationalTASK p| p0WDI_SEM_TASK_SCENARIO(WDI_SEM_TASK_INITKEYWt!"$44contextdiagwin:SQMEVNT   |D T! !D T" "HD!T# @# Dd$ @$t Dd% @%t Dd& &$`t' '$`t( ($`t) )P`t* *`t+!,!- !WEVTP2x!!,"N OOOPCHAN0!SystemMAPS!VMAP4!@Ex:SystemTimeChange.ReasonMapTTBL, TEMP #z <!{AD EventDataA9oData!KNameNewTime A9oData!KNameOldTime 0#D#NewTimeOldTimeTEMPd$wӓMuWD EventDataA9oData!KNameNewTime A9oData!KNameOldTime A7oDataKNameReason $$!$NewTimeOldTimeReasonTEMPP,%ygػ$<[7J.D EventDataTEMP`&"{_ui69:D EventDataAAoData)KName FinalStatus AMoData5KNameExtraStringLength AAoData)KName ExtraString &&&FinalStatus(ExtraStringLengthExtraStringTEMP0("{_ui69:D EventDataAAoData)KName FinalStatus AMoData5KNameExtraStringLength AAoData)KName ExtraString l(((FinalStatus(ExtraStringLengthExtraStringTEMP*y73D EventDataAMoData5KNameExtraStringLength AAoData)KName ExtraString A3oDataKNameTmId A3oDataKNameRmId A7oDataKNameStatus ACoData+KName InternalCode ,+T+p++++(ExtraStringLengthExtraStringTmIdRmIdStatus InternalCodeTEMP(,-gkSM4# ܔc4D EventDataAGoData/KNameHiveNameLength A;oData#KNameHiveName ACoData+KName OriginalSize A9oData!KNameNewSize |----$HiveNameLengthHiveName OriginalSizeNewSizeTEMP0X/ܡ^KN8D EventDataAGoData/KNameHiveNameLength A;oData#KNameHiveName AAoData)KName KeysUpdated A?oData'KName DirtyPages ///0$HiveNameLengthHiveNameKeysUpdatedDirtyPagesTEMPd2/wmUWFD EventDataACoData+KName MajorVersion ACoData+KName MinorVersion ACoData+KName BuildVersion A?oData'KName QfeVersion AGoData/KNameServiceVersion A;oData#KNameBootMode A=oData%KName StartTime 2303P3l333 MajorVersion MinorVersion BuildVersionQfeVersion$ServiceVersionBootModeStartTimeTEMPP4 %C+Wi4\D EventDataA;oData#KNameStopTime d4StopTimeTEMP*=.^Jk D EventDataA3oDataKNameMode A?oData'KName ObjectType A?oData'KName ObjectName AAoData)KName ProcessName A[oDataCKNameObjectCreatorProcessName A?oData'KName AccessMask A=oData%KName TokenType AOoData7KNameImpersonationLevel A=oData%KName SessionId ACoData+KName LowBoxNumber AKoData3KNameTokenGroupsCount AOZ ComplexData)KName TokenGroups AMoData5KNameTokenPackageCount AQZ ComplexData+KName TokenPackage ASoData;KNameTokenCapabilityCount A[Z ComplexData5KNameTokenCapabilities ASoData;KNameTokenTrustLevelCount AWZ ComplexData1KNameTokenTrustLevel A_oDataGKNameSecurityDescriptorRevision A]oDataEKNameSecurityDescriptorControl AYoDataAKNameSecurityDescriptorOwner AYoDataAKNameSecurityDescriptorGroup ACoData+KName DaclRevision ACoData+KName DaclAceCount AGZ ComplexData!KNameDaclAce ACoData+KName SaclRevision ACoData+KName SaclAceCount AGZ ComplexData!KNameSaclAce AA4APAlAAAABB 8  D EventDataA=oData%KName ImageBase A=oData%KName ImageSize A=oData%KName ProcessID AEoData-KName ImageCheckSum AEoData-KName TimeDateStamp AAoData)KName DefaultBase A=oData%KName ImageName L{d{|{{{{{ImageBaseImageSizeProcessID ImageCheckSum TimeDateStampDefaultBaseImageNameTEMPH~qogE> 8  D EventDataA=oData%KName ImageBase A=oData%KName ImageSize A=oData%KName ProcessID AEoData-KName ImageCheckSum AEoData-KName TimeDateStamp AAoData)KName DefaultBase A=oData%KName ImageName ~~<\xImageBaseImageSizeProcessID ImageCheckSum TimeDateStampDefaultBaseImageNameTEMP0oy:Sa_60D EventDataA=oData%KName ProcessID A;oData#KNameThreadID AAoData)KName OldPriority AAoData)KName NewPriority D\tProcessIDThreadIDOldPriorityNewPriorityTEMPLQb{6X>ʴjD EventDataAIoData1KNameFrozenProcessID `$FrozenProcessIDOPCOx12̂2win:Infowin:Startwin:StopLEVL@P(win:InformationalTASK Ԅ $@p ą  ProcessStartProcessStopThreadStartThreadStopImageLoadImageUnload0CpuBasePriorityChange(CpuPriorityChange,PagePriorityChange(IoPriorityChange ProcessFreeze$ProcessRundownKEYW Ԇ@<|8WINEVENT_KEYWORD_PROCESS4WINEVENT_KEYWORD_THREAD4WINEVENT_KEYWORD_IMAGE@WINEVENT_KEYWORD_CPU_PRIORITYDWINEVENT_KEYWORD_OTHER_PRIORITYDWINEVENT_KEYWORD_PROCESS_FREEZEEVNTTHxS0WH|S,ZHS(]dSadS iS  nS iS sS@xS@|ԃSS S   (S   DS   `S   `S,Z|S<<<<<LLLL\\ll||<WEVTF(|xCHANT\Microsoft-Windows-Kernel-Registry/Analytic`Microsoft-Windows-Kernel-Registry/PerformanceTTBLl/TEMPE!5Ġ8D EventDataA?oData'KName BaseObject A=oData%KName KeyObject A7oDataKNameStatus AAoData)KName Disposition A;oData#KNameBaseName ACoData+KName RelativeName ȏBaseObjectKeyObjectStatusDispositionBaseName RelativeNameTEMP,odkl)n$sD EventDataA=oData%KName KeyObject A7oDataKNameStatus A9oData!KNameKeyName hKeyObjectStatusKeyNameTEMPxܓFt MQAD EventDataA=oData%KName KeyObject A7oDataKNameStatus A=oData%KName InfoClass A;oData#KNameDataSize A9oData!KNameKeyName AKoData3KNameCapturedDataSize ACoData+KName CapturedData hĔؔKeyObjectStatusInfoClassDataSizeKeyName(CapturedDataSize CapturedDataTEMP ܘ,4qnڦD EventDataA=oData%KName KeyObject A7oDataKNameStatus A3oDataKNameType A;oData#KNameDataSize A9oData!KNameKeyName A=oData%KName ValueName AKoData3KNameCapturedDataSize ACoData+KName CapturedData AKoData3KNamePreviousDataType AKoData3KNamePreviousDataSize A[oDataCKNamePreviousDataCapturedSize ACoData+KName PreviousData ̙ 4Lt KeyObjectStatusTypeDataSizeKeyNameValueName(CapturedDataSize CapturedData(PreviousDataType(PreviousDataSize8PreviousDataCapturedSize PreviousDataTEMPgӼhy3\ D EventDataA=oData%KName KeyObject A7oDataKNameStatus A9oData!KNameKeyName A=oData%KName ValueName   KeyObjectStatusKeyNameValueNameTEMPW[M MBD EventDataA=oData%KName KeyObject A7oDataKNameStatus A=oData%KName InfoClass A;oData#KNameDataSize A9oData!KNameKeyName A=oData%KName ValueName AKoData3KNameCapturedDataSize ACoData+KName CapturedData Ph|ؠKeyObjectStatusInfoClassDataSizeKeyNameValueName(CapturedDataSize CapturedDataTEMP ԐC54`:D EventDataA=oData%KName KeyObject A7oDataKNameStatus A5oDataKNameIndex A=oData%KName InfoClass A;oData#KNameDataSize A9oData!KNameKeyName AKoData3KNameCapturedDataSize ACoData+KName CapturedData 0H\lؤKeyObjectStatusIndexInfoClassDataSizeKeyName(CapturedDataSize CapturedDataTEMPp_z28tѳtc)dD EventDataA=oData%KName KeyObject A7oDataKNameStatus A?oData'KName EntryCount A;oData#KNameDataSize A9oData!KNameKeyName   <TKeyObjectStatusEntryCountDataSizeKeyNameTEMPxFt MQAD EventDataA=oData%KName KeyObject A7oDataKNameStatus A=oData%KName InfoClass A;oData#KNameDataSize A9oData!KNameKeyName AKoData3KNameCapturedDataSize ACoData+KName CapturedData (@TlKeyObjectStatusInfoClassDataSizeKeyName(CapturedDataSize CapturedDataTEMP<FD:'fCPD EventDataACoData+KName HiveFilePath A;oData#KNameFileSize  HiveFilePathFileSizeTEMP\~iV'abiRkD EventDataAGoData/KNameTotalEntrySize AGoData/KNameBytesRecovered 0T$TotalEntrySize$BytesRecoveredTEMP `CL羫6a`D EventDataA?oData'KName StatusCode  StatusCodeTEMPT$ sӨg5HD EventDataACoData+KName HiveFilePath AGoData/KNameHiveMountPoint Ll HiveFilePath$HiveMountPointTEMP$`CL羫6a`D EventDataA?oData'KName StatusCode 8StatusCodeTEMPKz<̽֕tn&D EventDataACoData+KName HiveFilePath AGoData/KNameHiveMountPoint A?oData'KName FlushFlags ܱ HiveFilePath$HiveMountPointFlushFlagsTEMPz01Vt`UgfD EventDataAEoData-KName BytesGathered ̲ BytesGatheredTEMPz01Vt`UgfD EventDataAEoData-KName BytesGathered  BytesGatheredTEMPL.]6(2xK%G~Г]|D EventDataACoData+KName WritesIssued ACoData+KName BytesWritten ȴ WritesIssued BytesWrittenTEMPL.]6(2xK%G~Г]|D EventDataACoData+KName WritesIssued ACoData+KName BytesWritten 4 WritesIssued BytesWrittenTEMP`CL羫6a`D EventDataA?oData'KName StatusCode StatusCodeTEMP$Ѱbk,~`L;D EventDataA?oData'KName SourceFile A5oDataKNameFlags ,SourceFileFlagsTEMPи`CL羫6a`D EventDataA?oData'KName StatusCode StatusCodeTEMP$йѰbk,~`L;D EventDataA?oData'KName SourceFile A5oDataKNameFlags SourceFileFlagsTEMP`CL羫6a`D EventDataA?oData'KName StatusCode ̺StatusCodeTEMPz IJ_wB fD EventDataAEoData-KName SourceKeyPath  SourceKeyPathTEMPL`CL羫6a`D EventDataA?oData'KName StatusCode `StatusCodeOPCO!22, D  ܾ $ X   $ X   `P !"#$%&<'\(|)*+,-,.Twin:Startwin:StopHRegPerfOpHiveMountBaseFileMountedPRegPerfOpHiveFlushBecameActiveFlusherHRegPerfOpShutdownRundownComplete4RegPerfOpSaveFileCopiedHRegPerfOpHiveMountLogEntryAppliedHRegPerfOpHiveFlushGatheredLogData<RegPerfOpShutdownFlushStart4RegPerfOpSaveTreeCopiedPRegPerfOpHiveFlushGatheredPrimaryData<RegPerfOpShutdownFlushStop8RegPerfOpSaveFileWrittenDRegPerfOpHiveFlushWroteLogFileLRegPerfOpHiveFlushWrotePrimaryFileTRegPerfOpHiveFlushBoostedActiveFlusherPRegPerfOpHiveFlushStartWaitForActivePRegPerfOpHiveFlushFinishWaitForActiveCreateKeyOpenKeyDeleteKeyQueryKeySetValueKey$DeleteValueKey QueryValueKey EnumerateKey(EnumerateValueKey0QueryMultipleValueKey(SetInformationKeyFlushKeyCloseKey(QuerySecurityKey$SetSecurityKeyLEVL@P(win:InformationalTASKsssssDsps0RegPerfTaskHiveMount0RegPerfTaskHiveUnload0RegPerfTaskHiveFlush,RegPerfTaskShutdown,RegPerfTaskHiveLoad4RegPerfTaskHiveRestore,RegPerfTaskHiveSaveKEYW 0 X@(H `@tCloseKey(QuerySecurityKey$SetSecurityKey(EnumerateValueKey0QueryMultipleValueKey(SetInformationKeyFlushKeySetValueKey$DeleteValueKey QueryValueKey EnumerateKeyCreateKeyOpenKeyDeleteKeyQueryKeyEVNT- `(4! l,4"@x04#44$ 84%<<4&8@4' D4 ( H4 ) ̽L4 *@hؽP4 +T4 ,X4-\4.`4@D @D @мD@xD@<D@D@TD @D @ܼD @D @$D@0D@<D@HD@TD@TD @D!@D" @D# @ D$@D%@4D&@<4D'@PD(@$PD)@lD* @ļlD+ @lD, @lD-@lDL\l| ,<WEVT`@ (()l..CHANtXMicrosoft-Windows-Kernel-Acpi/DiagnosticMAPSTxVMAP$VMAP$HMapActiveCoolingDevicePowerState<MapAmlMethodInvocationStateTTBLTTEMPL{$JG5[#%tD EventDataACoData+KName ResourceFlag AAoData)KName GeneralFlag AKoData3KNameTypeSpecificFlag AAoData)KName Granularity  A?oData'KName AddressMin  A?oData'KName AddressMax  AOoData7KNameAddressTranslation  AEoData-KName AddressLength  t    , X ResourceFlagGeneralFlag(TypeSpecificFlagGranularityAddressMinAddressMax,AddressTranslation AddressLengthTEMP\d1D%z\vϫ|D EventDataAAoData)KName GpeRegister AOoData7KNameUnexpectedEventMap GpeRegister,UnexpectedEventMapTEMP$3O v]a?]́D EventDataAioDataQKNameThermalZoneDeviceInstanceLength A]oDataEKNameThermalZoneDeviceInstance A3oDataKName_TMP A3oDataKName_PSV A3oDataKName_AC0 A3oDataKName_AC1 A3oDataKName_AC2 A3oDataKName_AC3 A3oDataKName_AC4 A3oDataKName_AC5 A3oDataKName_AC6 A3oDataKName_AC7 A3oDataKName_AC8 A3oDataKName_AC9 A3oDataKName_HOT A3oDataKName_CRT d 0@P`pDThermalZoneDeviceInstanceLength8ThermalZoneDeviceInstance_TMP_PSV_AC0_AC1_AC2_AC3_AC4_AC5_AC6_AC7_AC8_AC9_HOT_CRTTEMPH6})Y5D EventDataAioDataQKNameThermalZoneDeviceInstanceLength A]oDataEKNameThermalZoneDeviceInstance AOoData7KNameActiveCoolingLevel A[oDataCKNameActiveCoolingDeviceIndex AYoDataAKNameFanDeviceInstanceLength AMoData5KNameFanDeviceInstance AKoData3KNamePowerStateLength A?oData'KName PowerState 0hDThermalZoneDeviceInstanceLength8ThermalZoneDeviceInstance,ActiveCoolingLevel8ActiveCoolingDeviceIndex4FanDeviceInstanceLength(FanDeviceInstance(PowerStateLengthPowerStateTEMP/~#n];HnD EventDataAioDataQKNameThermalZoneDeviceInstanceLength A]oDataEKNameThermalZoneDeviceInstance AOoData7KNameActiveCoolingLevel A[oDataCKNameActiveCoolingDeviceIndex AYoDataAKNameFanDeviceInstanceLength AMoData5KNameFanDeviceInstance A?oData'KName PowerState hH|TDThermalZoneDeviceInstanceLength8ThermalZoneDeviceInstance,ActiveCoolingLevel8ActiveCoolingDeviceIndex4FanDeviceInstanceLength(FanDeviceInstancePowerStateTEMPxnwX.eנD EventDataASoData;KNameDeviceInstanceLength AGoData/KNameDeviceInstance A?oData'KName PowerState 8hT0DeviceInstanceLength$DeviceInstancePowerStateTEMP@ݳҊ`xD EventDataASoData;KNameDeviceInstanceLength AGoData/KNameDeviceInstance A;oData#KNameThrottle Lp0DeviceInstanceLength$DeviceInstanceThrottleTEMPXt[P&HU`xJD EventDataASoData;KNameDeviceInstanceLength AGoData/KNameDeviceInstance A?oData'KName PowerState A;oData#KNameThrottle XT0DeviceInstanceLength$DeviceInstancePowerStateThrottleTEMP@Lf5JT8lB6D EventDataAioDataQKNameThermalZoneDeviceInstanceLength A]oDataEKNameThermalZoneDeviceInstance AAoData)KName Temperature DThermalZoneDeviceInstanceLength8ThermalZoneDeviceInstanceTemperatureTEMP` S\Uj0k[n D EventDataAQoData9KNameAmlMethodNameLength AEoData-KName AmlMethodName AGoData/KNameAmlMethodState x,AmlMethodNameLength AmlMethodName$AmlMethodStateTEMP,,S8ZW+z D EventDataA]oDataEKNameThermalZoneBiosNameLength AQoData9KNameThermalZoneBiosName A3oDataKName_TMP A3oDataKName_PSV A3oDataKName_TC1 A3oDataKName_TC2 A3oDataKName_TSP A3oDataKName_AC0 A3oDataKName_AC1 A3oDataKName_AC2 A3oDataKName_AC3 A3oDataKName_AC4 A3oDataKName_AC5 A3oDataKName_AC6 A3oDataKName_AC7 A3oDataKName_AC8 A3oDataKName_AC9 A3oDataKName_HOT A3oDataKName_CRT A3oDataKName_NTT A=oData%KName _PSLCount AAoData)KName _PSLEntries A=oData%KName _TZDCount AAoData)KName _TZDEntries A=oData%KName _AL0Count AAoData)KName _AL0Entries A=oData%KName _AL1Count AAoData)KName _AL1Entries A=oData%KName _AL2Count AAoData)KName _AL2Entries A=oData%KName _AL3Count AAoData)KName _AL3Entries A=oData%KName _AL4Count AAoData)KName _AL4Entries !A=oData%KName _AL5Count "AAoData)KName _AL5Entries #A=oData%KName _AL6Count $AAoData)KName _AL6Entries %A=oData%KName _AL7Count &AAoData)KName _AL7Entries 'A=oData%KName _AL8Count (AAoData)KName _AL8Entries )A=oData%KName _AL9Count *AAoData)KName _AL9Entries +,d 0@P`p0Ld "4P$h&(*8ThermalZoneBiosNameLength,ThermalZoneBiosName_TMP_PSV_TC1_TC2_TSP_AC0_AC1_AC2_AC3_AC4_AC5_AC6_AC7_AC8_AC9_HOT_CRT_NTT_PSLCount_PSLEntries_TZDCount_TZDEntries_AL0Count_AL0Entries_AL1Count_AL1Entries_AL2Count_AL2Entries_AL3Count_AL3Entries_AL4Count_AL4Entries_AL5Count_AL5Entries_AL6Count_AL6Entries_AL7Count_AL7Entries_AL8Count_AL8Entries_AL9Count_AL9EntriesTEMP-- ,PG퀦:~F˵ D EventDataA]oDataEKNameThermalZoneBiosNameLength AQoData9KNameThermalZoneBiosName A3oDataKName_TMP A3oDataKName_PSV A3oDataKName_TC1 A3oDataKName_TC2 A3oDataKName_TSP A3oDataKName_AC0 A3oDataKName_AC1 A3oDataKName_AC2 A3oDataKName_AC3 A3oDataKName_AC4 A3oDataKName_AC5 A3oDataKName_AC6 A3oDataKName_AC7 A3oDataKName_AC8 A3oDataKName_AC9 A3oDataKName_HOT A3oDataKName_CRT A3oDataKName_NTT A=oData%KName _PSLCount AAoData)KName _PSLEntries A=oData%KName _TZDCount AAoData)KName _TZDEntries A=oData%KName _AL0Count AAoData)KName _AL0Entries A=oData%KName _AL1Count AAoData)KName _AL1Entries A=oData%KName _AL2Count AAoData)KName _AL2Entries A=oData%KName _AL3Count AAoData)KName _AL3Entries A=oData%KName _AL4Count AAoData)KName _AL4Entries !A=oData%KName _AL5Count "AAoData)KName _AL5Entries #A=oData%KName _AL6Count $AAoData)KName _AL6Entries %A=oData%KName _AL7Count &AAoData)KName _AL7Entries 'A=oData%KName _AL8Count (AAoData)KName _AL8Entries )A=oData%KName _AL9Count *AAoData)KName _AL9Entries +AIoData1KNameMinimumThrottle ,(8HXhx(@\t,D` x"$&0(Hd*|8ThermalZoneBiosNameLength,ThermalZoneBiosName_TMP_PSV_TC1_TC2_TSP_AC0_AC1_AC2_AC3_AC4_AC5_AC6_AC7_AC8_AC9_HOT_CRT_NTT_PSLCount_PSLEntries_TZDCount_TZDEntries_AL0Count_AL0Entries_AL1Count_AL1Entries_AL2Count_AL2Entries_AL3Count_AL3Entries_AL4Count_AL4Entries_AL5Count_AL5Entries_AL6Count_AL6Entries_AL7Count_AL7Entries_AL8Count_AL8Entries_AL9Count_AL9Entries$MinimumThrottleTEMPx !ԝlD EventDataAMoData5KNameFanBiosNameLength AAoData)KName FanBiosName ACoData+KName FstSupported  A?oData'KName PowerState A9oData!KNameControl  T@\(FanBiosNameLengthFanBiosName FstSupportedPowerStateControlTEMPůtj/D^D EventDataAMoData5KNameFanBiosNameLength AAoData)KName FanBiosName A?oData'KName PowerState  T (FanBiosNameLengthFanBiosNamePowerStateTEMPh!52<t6P2D EventDataAMoData5KNameFanBiosNameLength AAoData)KName FanBiosName A9oData!KNameControl !!!(FanBiosNameLengthFanBiosNameControlTEMP` $ԝmwYE`D EventDataAioDataQKNameThermalZoneDeviceInstanceLength A]oDataEKNameThermalZoneDeviceInstance ASoData;KNameDeviceInstanceLength AGoData/KNameDeviceInstance A?oData'KName PowerState p$$$%T@%DThermalZoneDeviceInstanceLength8ThermalZoneDeviceInstance0DeviceInstanceLength$DeviceInstancePowerStateTEMPlt'ƗG=稡 D EventDataAioDataQKNameThermalZoneDeviceInstanceLength A]oDataEKNameThermalZoneDeviceInstance ASoData;KNameDeviceInstanceLength AGoData/KNameDeviceInstance AEoData-KName ThrottleLimit '(T(((DThermalZoneDeviceInstanceLength8ThermalZoneDeviceInstance0DeviceInstanceLength$DeviceInstance ThrottleLimitOPCOLEVL@P((win:InformationalTASKXd+eD+fl+g+h+i,j,,kX,l,m,n,o -p(-qT-rx-s-t-u(.,ResourceTranslation(GpeEventHandling4TemperatureNotification0TripPointNotification8ActiveCoolingDevicePower$AmlMethodTrace,DeviceActiveCooling0DevicePassiveCooling0DeviceCoolingRundown(TemperatureChange,ThermalZoneRundownFanRundown,FanPowerStateChange$FanStatusChange4ActiveCoolingConstraintDActiveCoolingConstraintRundown8PassiveCoolingConstraintDPassiveCoolingConstraintRundownKEYWp..$acpi:Diagnostic acpi:ThermalEVNT d,( )2ex(<)2f(X)2g(t)2h()2h()2i ()2j()2 k ()2 l (*2 m(*2 n (8*2 n (8*2 o(T*2pp(p*2q< (*2r!(*2s!(*2t\%(*2u\%(*2x.x.....x..............WEVTx+h330QRRTTCHANx3\Microsoft-Windows-International/OperationalTTBLPTEMP5>/C;WyP8D EventDataAAoData)KName RegistryKey A=oData%KName ErrorCode A9oData!KNameMessage D5`5x5RegistryKeyErrorCodeMessageTEMP<h6u^C/ 7 D EventDataAAoData)KName RegistryKey A?oData'KName StatusCode 66RegistryKeyStatusCodeTEMP`7ܼa"g II89rY`bD EventDataAAoData)KName RegistryKey t7RegistryKeyTEMP,d8 ^Q撌D EventDataA;oData#KNameCodePage A;oData#KNameFileName 88CodePageFileNameTEMP,9P#IonD EventDataA?oData'KName LocaleName A7oDataKNameWinDir 99LocaleNameWinDirTEMPp;.Ŀ[9TdD EventDataA=oData%KName ProcessId AAoData)KName ProdessName A7oDataKNameLocale A7oDataKNameLCType A;oData#KNamelpLCData ;;<,<@<ProcessIdProdessNameLocaleLCTypelpLCDataTEMP8>7j&T`3-lD EventDataA=oData%KName ProcessId AAoData)KName ProdessName A7oDataKNameLocale A;oData#KNameCalendar A9oData!KNameCalType A?oData'KName lpLCalData >>>>?$?ProcessIdProdessNameLocaleCalendarCalTypelpLCalDataTEMPX@BSl봃lֆD EventDataA=oData%KName ProcessId AAoData)KName ProdessName A5oDataKNameGeoId @@@ProcessIdProdessNameGeoIdTEMP|B6Ƣ2EìJE킿WnD EventDataA?oData'KName LocaleName A5oDataKNameFlags A=oData%KName ProcessId AAoData)KName ProdessName A?oData'KName ReturnCode BB C$C@CLocaleNameFlagsProcessIdProdessNameReturnCodeTEMP88DOۓǃg|1pD EventDataA=oData%KName ProcessId AAoData)KName ProdessName `DxDProcessIdProdessNameTEMPEV*ZK_vi|D EventDataA;oData#KNameFileName A?oData'KName LineNumber A7oDataKNameReason EEFFileNameLineNumberReasonTEMPFCE,ja-jTq\D EventDataA;oData#KNameFileName FFileNameTEMP|GE R^`l`D EventDataA?oData'KName StatusCode GStatusCodeTEMP@H 7`]x`D EventDataA?oData'KName LocaleName THLocaleNameTEMP<LI?QwbUoFID EventDataA?oData'KName LocaleName A?oData'KName StatusCode tIILocaleNameStatusCodeTEMP8JwwVvP#VD EventDataA5oDataKNameValue LJValueTEMPK^'@fsU"wD EventDataA5oDataKNameValue AGoData/KNameWin32ErrorCode AMoData5KNameWin32ErrorMessage KKKValue$Win32ErrorCode(Win32ErrorMessageTEMPL$йRqjXD EventDataA7oDataKNameString LStringTEMPMj\K/uE5vD EventDataA9oData!KNameAltSort A7oDataKNameLocale MMAltSortLocaleTEMP,\O(7/{^4qq6D EventDataA7oDataKNameLCType A5oDataKNameValue AGoData/KNameWin32ErrorCode AMoData5KNameWin32ErrorMessage OOOOLCTypeValue$Win32ErrorCode(Win32ErrorMessageTEMPPl <€?zD EventDataA7oDataKNameLCType A5oDataKNameValue  Q QLCTypeValueOPCO5xQ5Q 5Q!!5Q""5QDataTableInitialize,ConfigurationChangeOperationCleanupLEVLULRPlRPRPRUR win:Criticalwin:Errorwin:Warning(win:Informationalwin:VerboseTASK$u|S uS!!uS""uS##uS(CharacterEncoding(DateTimeCalendar CMEGroupPolicyLocaleKEYWEVNT` 7#3HQR`St3#5HQR`St37I<:D EventDataAAoData)KName FeatureGuid ACoData+KName CallerIdType ACoData+KName cchImagePath A=oData%KName ImagePath FeatureGuid CallerIdType cchImagePathImagePathTEMP#kLҥ]lk`D EventDataAioDataQKNamecchParentImagePathIncludingNull AAoData)KName FeatureGuid AcoDataKKNameParentProcessImageHeaderHash AIoData1KNameParentImagePath ,pDcchParentImagePathIncludingNullFeatureGuid@ParentProcessImageHeaderHash$ParentImagePathTEMP jjWD EventDataA5oDataKNameFlags A[oDataCKNamecchIdStringIncludingNull AYoDataAKNamecchDllPathIncludingNull A;oData#KNameCategory AIoData1KNameManifestVersion AEoData-KName DllHeaderHash A_oDataGKNameApplicationImageHeaderHash A;oData#KNameIdString A9oData!KNameDllPath 4LpFlags8cchIdStringIncludingNull4cchDllPathIncludingNullCategory$ManifestVersion DllHeaderHash<ApplicationImageHeaderHashIdStringDllPathTEMPx ш-G LRR6=D EventDataA5oDataKNameFlags A[oDataCKNamecchIdStringIncludingNull A;oData#KNameCategory AIoData1KNameManifestVersion A_oDataGKNameApplicationImageHeaderHash A;oData#KNameIdString XFlags8cchIdStringIncludingNullCategory$ManifestVersion<ApplicationImageHeaderHashIdStringOPCOLEVL@P(win:InformationalTASKHhAitFeature,AitParentAitFeatureAitAppInfo,AitSystemUsageByDll,AitSystemUsageByExe AitProcessEndKitFeatureKEYWEVNT`lX8TpWEVT0XT`TTBLTEMPuuUU`SKEvD EventDataAUoData=KNameAeLookupServieTrigger $0AeLookupServieTriggerOPCOLEVL@Px(win:InformationalTASKKEYWEVNT@dlWEVTx.`HTCHANd`hMicrosoft-Windows-Kernel-ApphelpCache/Operational\Microsoft-Windows-Kernel-ApphelpCache/DebugdMicrosoft-Windows-Kernel-ApphelpCache/AnalyticTTBLTEMPtqyPёJOZ'pD EventDataAOoData7KNameOperationalMessage ,OperationalMessageTEMPL!W+ 1 N bD EventDataAAoData)KName InfoMessage `InfoMessageTEMPN^`zDuPGdD EventDataACoData+KName DebugMessage ( DebugMessageOPCOLEVLdPxPwin:Error(win:InformationalTASKKEYWEVNT3ll 4l@5|`|WEVT@ /TTBL TEMPxXdj ;󏺒D EventDataAKoData3KNameSwitchBranchGuid AWoData?KNameSwitchBranchNameLength AKoData3KNameSwitchBranchName AeoDataMKNameSwitchBranchDescriptionLength AYoDataAKNameSwitchBranchDescription d((SwitchBranchGuid4SwitchBranchNameLength(SwitchBranchName@SwitchBranchDescriptionLength4SwitchBranchDescriptionTEMPq ʥ4 ,D EventDataASoData;KNameSwitchBranchImplGuid A_oDataGKNameSwitchBranchImplNameLength ASoData;KNameSwitchBranchImplName AmoDataUKName!SwitchBranchImplDescriptionLength AaoDataIKNameSwitchBranchImplDescription 4p0SwitchBranchImplGuid<SwitchBranchImplNameLength0SwitchBranchImplNameHSwitchBranchImplDescriptionLength<SwitchBranchImplDescriptionTEMPt?F/3)ZD EventDataAMoData5KNameTargetContextGuid AMoData5KNameTargetContextType AKoData3KNameModuleNameLength A?oData'KName ModuleName ,T|(TargetContextGuid(TargetContextType(ModuleNameLengthModuleNameTEMP@ Q|#S ,tD EventDataASoData;KNameContextUpdateCounter  T0ContextUpdateCounterOPCOLEVL@P(win:InformationalTASKLd|AeSbCallAeSbImpl(AeSbContextUpdate0AeSbContextReadRetryKEYWEVNT\$0WEVT ' @CHANt4XMicrosoft-Windows-Kernel-Network/AnalyticTTBLtTEMP( H=BnɅ6* {@zD EventDataA1oDataKNamePID A3oDataKNamesize A5oDataKNamedaddr A5oDataKNamesaddr A5oDataKNamedport A5oDataKNamesport A;oData#KNamestartime A9oData!KNameendtime A7oDataKNameseqnum A7oDataKNameconnid ,<L\l PIDsizedaddrsaddrdportsportstartimeendtimeseqnumconnidTEMPP7 [jID EventDataA1oDataKNamePID A3oDataKNamesize A5oDataKNamedaddr A5oDataKNamesaddr A5oDataKNamedport A5oDataKNamesport A7oDataKNameseqnum A7oDataKNameconnid  PIDsizedaddrsaddrdportsportseqnumconnidTEMP(XMSܬm/D EventDataA1oDataKNamePID A3oDataKNamesize A5oDataKNamedaddr A5oDataKNamesaddr A5oDataKNamedport A5oDataKNamesport A1oDataKNamemss A9oData!KNamesackopt A5oDataKNametsopt A5oDataKNamewsopt A7oDataKNamercvwin AAoData)KName rcvwinscale AAoData)KName sndwinscale A7oDataKNameseqnum A7oDataKNameconnid (4DTdt$ PIDsizedaddrsaddrdportsport msssackopttsoptwsoptrcvwinrcvwinscalesndwinscaleseqnumconnidTEMP( ֫t=tn4mqD EventDataA5oDataKNameProto AAoData)KName FailureCode 4DProtoFailureCodeTEMP( 0GVse6t"D EventDataA1oDataKNameIrp A;oData#KNameThreadId A?oData'KName FileObject A9oData!KNameFileKey A7oDataKNameLength A=oData%KName InfoClass A=oData%KName FileIndex A;oData#KNameFileName `lȐ IrpThreadIdFileObjectFileKeyLengthInfoClassFileIndexFileNameTEMP`ѬQ/qS%D EventDataA1oDataKNameIrp A;oData#KNameThreadId A?oData'KName FileObject A9oData!KNameFileKey Ԓ IrpThreadIdFileObjectFileKeyTEMPH4׋:=ڜvzD EventDataA1oDataKNameIrp A?oData'KName FileObject AIoData1KNameIssuingThreadId AEoData-KName CreateOptions AKoData3KNameCreateAttributes AAoData)KName ShareAccess A;oData#KNameFileName ԕ @h IrpFileObject$IssuingThreadId CreateOptions(CreateAttributesShareAccessFileNameTEMP02D EventDataA?oData'KName ByteOffset A1oDataKNameIrp A?oData'KName FileObject A9oData!KNameFileKey AIoData1KNameIssuingThreadId A7oDataKNameIOSize A9oData!KNameIOFlags A?oData'KName ExtraFlags  ̙ 4HByteOffset IrpFileObjectFileKey$IssuingThreadIdIOSizeIOFlagsExtraFlagsTEMP XqPU?ƘD EventDataA1oDataKNameIrp A?oData'KName FileObject A9oData!KNameFileKey AKoData3KNameExtraInformation AIoData1KNameIssuingThreadId A=oData%KName InfoClass Мܜ 4X IrpFileObjectFileKey(ExtraInformation$IssuingThreadIdInfoClassTEMPx9ͽ`#F/RD EventDataA1oDataKNameIrp A?oData'KName FileObject A9oData!KNameFileKey AKoData3KNameExtraInformation AIoData1KNameIssuingThreadId A=oData%KName InfoClass A;oData#KNameFilePath 0<XlР IrpFileObjectFileKey(ExtraInformation$IssuingThreadIdInfoClassFilePathTEMPL]ON0D EventDataA1oDataKNameIrp A?oData'KName FileObject A9oData!KNameFileKey AIoData1KNameIssuingThreadId A7oDataKNameLength A=oData%KName InfoClass A=oData%KName FileIndex A;oData#KNameFileName (L`x IrpFileObjectFileKey$IssuingThreadIdLengthInfoClassFileIndexFileNameTEMP 0f߉ %eg(D EventDataA1oDataKNameIrp A?oData'KName FileObject A9oData!KNameFileKey AIoData1KNameIssuingThreadId T`| IrpFileObjectFileKey$IssuingThreadIdTEMP̧E't!k/ciHD EventDataA1oDataKNameIrp AKoData3KNameExtraInformation A7oDataKNameStatus < Irp(ExtraInformationStatusTEMP$ KT%Œu5'D EventDataA9oData!KNameFileKey A;oData#KNameFileName H\FileKeyFileNameOPCO01win:InfoLEVL@P(win:InformationalTASKT < X t ̬0@hx̭NameCreateNameDeleteCreateCleanupCloseReadWrite$SetInformationSetDeleteRenameDirEnumFlush(QueryInformationFSCTL OperationEndDirNotifyDeletePathRenamePathSetLinkPathSetLink CreateNewFileKEYW Ԯ @Pȯ8|а@KERNEL_FILE_KEYWORD_FILENAME<KERNEL_FILE_KEYWORD_FILEIO<KERNEL_FILE_KEYWORD_OP_END<KERNEL_FILE_KEYWORD_CREATE8KERNEL_FILE_KEYWORD_READ8KERNEL_FILE_KEYWORD_WRITEDKERNEL_FILE_KEYWORD_DELETE_PATHTKERNEL_FILE_KEYWORD_RENAME_SETLINK_PATHLKERNEL_FILE_KEYWORD_CREATE_NEW_FILEEVNT'  P  P   `(  (  D  D ` ` | |   ȸ d̸ Ъи dЪԸ ظ dܸ h  $ $ @ d@ \ d\`x h  p̫p̫ p$ ( d,` 0 4DDTtTtTTTTTTTTTTTTTTTTTTTTTTTdTTTTĮĮWEVT4tĺCHANdHMicrosoft-Windows-PCI/DiagnosticOPCO01win:InfoLEVL@PL(win:InformationalTASKP (AspmErrataRundownKEYW,DiagEVNTD  @0кWEVTt,L4CHANȻ$\Microsoft-Windows-Kernel-StoreMgr/Analytic`Microsoft-Windows-Kernel-StoreMgr/OperationalMAPSVMAP$VMAP$4CacheTerminationMsgMap8StoreMgrCorruptPageMsgMapTTBL TEMP|dLBD EventDataA?oData'KName FailReason A?oData'KName FailStatus AKoData3KNameObjectPathLength A?oData'KName ObjectPath lFailReasonFailStatus(ObjectPathLengthObjectPathTEMP i.G&o2BPD EventDataA3oDataKNameSize A3oDataKNameData SizeDataTEMPx 7$X8ZŐD EventDataA;oData#KNameStoreKey A3oDataKNameSize A3oDataKNameData 4L\StoreKeySizeDataTEMP89KQ0VJg0D EventDataA;oData#KNameStoreKey A5oDataKNameParam `xStoreKeyParamTEMPL#eʻ D EventDataA7oDataKNameReason A?oData'KName FailStatus AKoData3KNameDeviceDescLength AMoData5KNameDeviceDescription AKoData3KNameObjectPathLength A?oData'KName ObjectPath $@hReasonFailStatus(DeviceDescLength(DeviceDescription(ObjectPathLengthObjectPathTEMP`eCj{FD EventDataA9oData!KNameSqmType AGoData/KNameSqmSessionGuid A5oDataKNameSqmID AOoData7KNameSqmStreamRowLength AQZ ComplexData+KName SqmStreamRow <PtSqmType$SqmSessionGuidSqmID,SqmStreamRowLength SqmStreamRow SqmTypeEntry SqmDWORDEntry$SqmStringEntryOPCOx1d2|2win:Infowin:Startwin:StopLEVL@P(win:InformationalTASK$@`    , HdStoreAddStoreRemoveStoreCreateStoreDelete StoreRundown$StoreCorruption(StorePageRundownRegionEvictRegionWrite(UnpersistFailure StoreIoStatsGlobalStatsStoreEmpty RegionRelease RegionCompact RegionRundown(CacheTerminationKEYW8@Ph4StoreOpsStoreDiag0StoreContentsRundownwin:SQMEVNTX@PԿ@Tl@0X@L\l@h`P@@dX@l@p  @t  P@@x  @  @,  l@H@dLX@P@@(WEVT`lTTBLPTEMPD9vDf>BD EventDataA9oData!KNameSqmType AGoData/KNameSqmSessionGuid A5oDataKNameSqmID AWoData?KNameSqmDWORDDatapointValue ,SqmType$SqmSessionGuidSqmID4SqmDWORDDatapointValueOPCOLEVL@P(win:InformationalTASKKEYW04win:SQMEVNTDx(WEVTl8xCHANtXMicrosoft-Windows-Kernel-Memory/AnalyticTTBL TEMP  rH*Պ1^D EventDataAGoData/KNamePriorityLevels AEoData-KName ZeroPageCount AEoData-KName FreePageCount AMoData5KNameModifiedPageCount A[oDataCKNameModifiedNoWritePageCount ACoData+KName BadPageCount AMoData5KNameStandbyPageCounts ASoData;KNameRepurposedPageCounts A]oDataEKNameModifiedPageCountPageFile AOoData7KNamePagedPoolPageCount AUoData=KNameNonPagedPoolPageCount ACoData+KName MdlPageCount AIoData1KNameCommitPageCount 8p L|$PriorityLevels ZeroPageCount FreePageCount(ModifiedPageCount8ModifiedNoWritePageCount BadPageCount(StandbyPageCounts0RepurposedPageCounts8ModifiedPageCountPageFile,PagedPoolPageCount0NonPagedPoolPageCount MdlPageCount$CommitPageCountTEMPpyDnK'+dD EventDataA5oDataKNameCount AQZ ComplexData+KName WSCommitInfo 0@`xCount WSCommitInfoProcessID,WorkingSetPageCount$CommitPageCount,VirtualSizeInPages<PrivateWorkingSetPageCountTEMP IC޾?D EventDataA5oDataKNameCount A_Z ComplexData9KNameSessionWSCommitInfo ,P|Count,SessionWSCommitInfoSessionId,WorkingSetPageCount$CommitPageCount,PagedPoolPageCount<PrivateWorkingSetPageCountTEMPLLL_/6p}d^D EventDataA=oData%KName ProcessId `ProcessIdTEMP H ܧ8h@#2D EventDataA=oData%KName ProcessId A5oDataKNameFlags pProcessIdFlagsTEMP2w ?'iD EventDataA=oData%KName ProcessId A7oDataKNameStatus AGoData/KNamePagesProcessed   ProcessIdStatus$PagesProcessedTEMP"E},yQPD EventDataA=oData%KName ProcessId A7oDataKNameStatus AGoData/KNamePagesProcessed A_oDataGKNameWriteCombinePagesProcessed AWoData?KNameUncachedPagesProcessed AQoData9KNameCleanPagesProcessed $HProcessIdStatus$PagesProcessed<WriteCombinePagesProcessed4UncachedPagesProcessed,CleanPagesProcessedTEMP$i.tҺ7nD EventDataA=oData%KName ProcessId A7oDataKNameStatus ProcessIdStatusTEMP%JPSR.9mlJZD EventDataA9oData!KNameAcgFlag AcgFlagOPCOx122 win:Infowin:Startwin:StopLEVL@PP(win:InformationalTASKd,@XMemInfoMemInfoWS(MemInfoSessionWS(WorkingSetOutSwap(WorkingSetInSwap AcgKEYW8 (@d<KERNEL_MEM_KEYWORD_MEMINFO@KERNEL_MEM_KEYWORD_MEMINFO_EX<KERNEL_MEM_KEYWORD_WS_SWAP4KERNEL_MEM_KEYWORD_ACGEVNT  Dh@Dl@0DpDtxDxD|DDDxDDD DWEVT1\ P 2 333H5CHAN\<XMicrosoft-Windows-Kernel-ShimEngine/DebugdMicrosoft-Windows-Kernel-ShimEngine/OperationaldMicrosoft-Windows-Kernel-ShimEngine/DiagnosticMAPS p VMAP$ VMAP$ LKSE:DeviceFlagApplied.FlagSourceMapLKSE:DriverShimApplied.ShimSourceMapTTBL(TEMP44 as 7!#δD EventDataA9oData!KNameEventId ACoData+KName DebugMessage \ p EventId DebugMessageTEMP( bo>ǧw,ܞV(4D EventDataA?oData'KName DriverName A?oData'KName ShimSource A=oData%KName ShimCount ACoData+KName AppliedGuids H p d   DriverNameShimSourceShimCount AppliedGuidsTEMPl= ofC*D EventDataA?oData'KName DeviceName AAoData)KName DeviceClass A?oData'KName FlagSource A5oDataKNameFlags  h  DeviceNameDeviceClassFlagSourceFlagsTEMPj%D EventDataA9oData!KNameAddress A7oDataKNameCaller A1oDataKNameTag AddressCaller TagTEMP|y@Q@ ߱D EventDataACoData+KName DriverObject A1oDataKNameFdo A1oDataKNameIrp <H DriverObject Fdo IrpTEMPHCV$>jD EventDataACoData+KName DriverObject A1oDataKNameFdo A?oData'KName DeviceType AUoData=KNameDeviceCharacteristics A=oData%KName Exclusive A7oDataKNameStatus 8P DriverObject FdoDeviceType0DeviceCharacteristicsExclusiveStatusTEMPT _}:+eac?VD EventDataACoData+KName DriverObject A1oDataKNameFdo A1oDataKNameIrp A=oData%KName MajorCode A7oDataKNameStatus T!t!!!! DriverObject Fdo IrpMajorCodeStatusTEMPTD# o.gl )H)VD EventDataACoData+KName DriverObject A1oDataKNameFdo A1oDataKNameIrp A=oData%KName MinorCode A7oDataKNameStatus ##### DriverObject Fdo IrpMinorCodeStatusTEMPT%2 {osegcQD EventDataACoData+KName DriverObject A1oDataKNameFdo A1oDataKNameIrp A7oDataKNameStatus %%%% DriverObject Fdo IrpStatusTEMP8'2 {osegcQD EventDataACoData+KName DriverObject A1oDataKNameFdo A1oDataKNameIrp A7oDataKNameStatus '''' DriverObject Fdo IrpStatusTEMP8)]1D EventDataACoData+KName DriverObject A1oDataKNameFdo A1oDataKNameIrp A=oData%KName MinorCode A=oData%KName PowerType A?oData'KName PowerState A7oDataKNameStatus t******* DriverObject Fdo IrpMinorCodePowerTypePowerStateStatusTEMP8 -]1D EventDataACoData+KName DriverObject A1oDataKNameFdo A1oDataKNameIrp A=oData%KName MinorCode A=oData%KName PowerType A?oData'KName PowerState A7oDataKNameStatus -----.0. DriverObject Fdo IrpMinorCodePowerTypePowerStateStatusTEMP02ԵR D EventDataACoData+KName DriverObject A1oDataKNameFdo A1oDataKNameIrp A=oData%KName MinorCode A?oData'KName PowerState A7oDataKNameStatus 000000 DriverObject Fdo IrpMinorCodePowerStateStatusTEMPT22 {osegcQD EventDataACoData+KName DriverObject A1oDataKNameFdo A1oDataKNameIrp A7oDataKNameStatus 2222 DriverObject Fdo IrpStatusOPCO013win:InfoLEVLPP3Ph3U3win:Error(win:Informationalwin:VerboseTASKKEYW44\44445$5(ShimEngineEvents,ShimEngineMessages,DriverScopeGeneral$DriverScopePnp(DriverScopePower$DriverScopeIrps$DriverScopePoolEVNT\ ,3 \ 83 @ 283@ 283  D38,  D38,  D38,  4D38, dD38, D38, TD39, dD39, !D39, $D3 9, %D39, 'D39, +D39, D.D39, 1D3 9,333$4$44343334444WEVT 99999OPCOLEVL@P9(win:InformationalTASKKEYWEVNT@9WEVT :;@;;p<<CHANx:\Microsoft-Windows-Kernel-IoTrace/DiagnosticOPCO01(;win:InfoLEVLhPd;U;(win:Informationalwin:VerboseTASK<,<D<$UserInitiatedIoKernelIo,ActivityIdTransferKEYWEVNT;L;;:;X;;:;X;;:;L;;:WEVT@:=8?]0^^d8eCHAN>  >|>>Application\Microsoft-Windows-AppModel-Runtime/AnalyticXMicrosoft-Windows-AppModel-Runtime/AdmindMicrosoft-Windows-AppModel-Runtime/DiagnosticsTTBLTEMPtlAYKU1/dAD EventDataA=oData%KName ProcessID A?oData'KName CreateTime AIoData1KNameParentProcessID AIoData1KNamePackageFullName A=oData%KName ImageName AcoDataKKNamePackageRelativeApplicationId AABgD EventDataA;oData#KNameFileName A=oData%KName ErrorCode A3oDataKNameSize  A?oData'KName HeaderAddr A9oData!KNameSection A=oData%KName ProcessId LL LLLMFileNameErrorCodeSizeHeaderAddrSectionProcessIdTEMPO⓼vy$D EventDataA;oData#KNameFileName A=oData%KName ErrorCode A3oDataKNameSize  A?oData'KName HeaderAddr AWoData?KNameApplicationUserModelId A=oData%KName ProcessId OO OOOPFileNameErrorCodeSizeHeaderAddr4ApplicationUserModelIdProcessIdTEMPpQ>q@dD EventDataA;oData#KNameFileName A=oData%KName ErrorCode A3oDataKNameSize  A?oData'KName HeaderAddr A=oData%KName ProcessId ,RDR \RlRRFileNameErrorCodeSizeHeaderAddrProcessIdTEMPSnJ],5ED EventDataA;oData#KNameFileName A=oData%KName ErrorCode A=oData%KName ProcessId S T$TFileNameErrorCodeProcessIdTEMP<U8qB &D EventDataA;oData#KNameFileName AEoData-KName ExceptionCode @UXUFileName ExceptionCodeTEMP(LVfG%+8D EventDataA=oData%KName ErrorCode A9oData!KNameContext tVVErrorCodeContextTEMP(tWfG%+8D EventDataA=oData%KName ErrorCode A9oData!KNameContext WWErrorCodeContextTEMP\XpgT;OIt^D EventDataA=oData%KName ErrorCode pXErrorCodeTEMP(Y]eIw,OzlD EventDataAKoData3KNameAppContainerName  >D EventDataAAoData)KName ErrorString A5oDataKNameError z$zErrorStringErrorTEMPT{Z?!)= KD EventDataACoData+KName FolderString AEoData-KName PackageString A5oDataKNameError {{{ FolderString PackageStringErrorOPCOT2|2|win:Startwin:StopLEVLdPX|Pp|win:Error(win:InformationalTASK*<ȁdLdefpgh`ijxk lm$no<pЉqdrst uvHw܍xpyz{ |}4~Pܒhؔ@HAppModel.Task.State.WriteSettingDAppModel.Task.State.ReadSettingHAppModel.Task.State.DeleteSettingTAppModel.Task.State.WriteSettingInAtomPAppModel.Task.State.ReadSettingInAtomTAppModel.Task.State.DeleteSettingInAtomDAppModel.Task.State.CommitAtomDAppModel.Task.State.LoadAppHivelAppModel.Task.StateWinRT.AppDataFactory_ActivationtAppModel.Task.StateWinRT.ApplicationDataServer_LifespanxAppModel.Task.StateWinRT.ApplicationDataServer_GetVersionxAppModel.Task.StateWinRT.ApplicationDataServer_SetVersionAppModel.Task.StateWinRT.ApplicationDataServer_RoamingStorageQuotaAppModel.Task.StateWinRT.ApplicationDataServer_RoamingStorageUsageAppModel.Task.StateWinRT.ApplicationDataServer_ActivateContainerServerAppModel.Task.StateWinRT.ApplicationDataServer_ActivateFileItemServerAppModel.Task.StateWinRT.ApplicationDataContainerServer_LifespanAppModel.Task.StateWinRT.ApplicationDataContainerServer_GetValuesAppModel.Task.StateWinRT.ApplicationDataContainerServer_GetContainersAppModel.Task.StateWinRT.ApplicationDataContainerServer_CreateContainerAppModel.Task.StateWinRT.ApplicationDataContainerServer_DeleteContainerAppModel.Task.StateWinRT.ApplicationDataContainerSettingsServer_LifespanAppModel.Task.StateWinRT.ApplicationDataContainerSettingsServer_LookupAppModel.Task.StateWinRT.ApplicationDataContainerSettingsServer_SizeAppModel.Task.StateWinRT.ApplicationDataContainerSettingsServer_HasKeyAppModel.Task.StateWinRT.ApplicationDataContainerSettingsServer_GetViewAppModel.Task.StateWinRT.ApplicationDataContainerSettingsServer_InsertAppModel.Task.StateWinRT.ApplicationDataContainerSettingsServer_RemoveAppModel.Task.StateWinRT.ApplicationDataContainerSettingsServer_ClearAppModel.Task.StateWinRT.ApplicationDataContainerSettingsServer_FirstAppModel.Task.StateWinRT.ApplicationDataCompositeValueServer_LifespanAppModel.Task.StateWinRT.ApplicationDataCompositeValueServer_LookupAppModel.Task.StateWinRT.ApplicationDataCompositeValueServer_SizeAppModel.Task.StateWinRT.ApplicationDataCompositeValueServer_HasKeyAppModel.Task.StateWinRT.ApplicationDataCompositeValueServer_GetViewAppModel.Task.StateWinRT.ApplicationDataCompositeValueServer_InsertAppModel.Task.StateWinRT.ApplicationDataCompositeValueServer_RemoveAppModel.Task.StateWinRT.ApplicationDataCompositeValueServer_ClearAppModel.Task.StateWinRT.ApplicationDataCompositeValueServer_FirstXAppModel.Task.StateWinRT.RoamingRpcSignalhAppModel.Task.StateWinRT.DataChangedEventDispatchPAppModel.Task.StateWinRT.TempCleanupKEYWT (Pl 1Structured(UnstructuredResetOutOfMemoryApiSetErrorWinRT$DataStoreError(win:ResponseTimeEVNT_@ yL|Ȩx@ yL|̨x@@|Шx@ y@|Ԩx @ y@|بx@L|x@L|x@ y@|x @ @|x   y@|x   y@|x   y@|x  4z@|x2 {L||ܨ$x3 {L||$x< {L||$x= {L||$xF {L||$xG {L||$xP {L|| $xQ {L||$xZ {L|}$x[ {L|}$$xd {L|0},$xe {L|0}4$xn {L|L}<$xo {L|L}D$xx {L|h}L$xy {L|h}T$xd {L|}\$xd {L|}d$xe {L|}l$xe {L|}t$xf {L|}|$xf {L|}$xg {L|}$xg {L|}$xh {L|}$xh {L|}$xj {L|,~$xj {L|,~$xk {L|H~$xk {L|H~ĩ$xl {L|d~̩$xl {L|d~ԩ$xm {L|~ܩ$xm {L|~$xn {L|~$xn {L|~$xo {L|~$xo {L|~$xp {L|~ $xp {L|~$xq {L|~$xq {L|~$$x"r {L| ,$x#r {L| 4$x,s {L|(<$x-s {L|(D$x6t {L|DL$x7t {L|DT$x@u {L|`\$xAu {L|`d$xJv {L||l$xKv {L||t$xTw {L||$xUw {L|$x^x {L|$x_x {L|$xhy {L|$xiy {L|$xrz {L|$xsz {L|$x|{ {L|$x}{ {L|Ī$x| {L|$̪$x| {L|$Ԫ$x} {L|@ܪ$x} {L|@$x~ {L|\$x~ {L|\$x {L|x$x {L|x$x {L| $x {L|$x {L|$x {L|$$x {L|̀,$x {L|̀4$x {L|<$x {L|D$x {L|L$x {L|T$x {L| \$x {L| d$x̕ܕܕܕܕܕܕܕܕܕܕܕܕܕܕܕܕܕܕܕܕܕܕܕܕܕܕܕܕܕܕܕܕܕܕܕܕܕܕܕܕܕܕܕܕܕܕܕܕܕܕܕܕܕܕܕܕܕܕܕܕܕܕܕܕܕܕWEVT ԫ ,8OPCOLEVL@P(win:InformationalTASKKEYWEVNT@WEVTLX`TXhCHANxM\Microsoft-Windows-Kernel-LiveDump/AnalyticTTBL TEMP|0(2tR[\D EventDataA;oData#KNameNTStatus NTStatusTEMPX$[>F.FΏfUzD EventDataAqoDataYKName#NtEstimatedRequiredPrimaryDataBytes AaoDataIKNameNtEstimatedPrimaryDataBytes  AaoDataIKNameHvEstimatedPrimaryDataBytes  AeoDataMKNameHvEstimatedSecondaryDataBytes   t   8LNtEstimatedRequiredPrimaryDataBytes<NtEstimatedPrimaryDataBytes<HvEstimatedPrimaryDataBytes@HvEstimatedSecondaryDataBytesTEMP̲62cb<Wphn. D EventDataAOoData7KNameNtPrimaryDataBytes AOoData7KNameHvPrimaryDataBytes  ASoData;KNameHvSecondaryDataBytes    4 `,NtPrimaryDataBytes,HvPrimaryDataBytes0HvSecondaryDataBytesTEMPXhփA}8D EventDataA;oData#KNameNTStatus A?oData'KName TotalBytes  AAoData)KName HeaderBytes  AKoData3KNamePrimaryDataBytes  AOoData7KNameSecondaryDataBytes   Ե   4NTStatusTotalBytesHeaderBytes(PrimaryDataBytes,SecondaryDataBytesOPCO c d  e4 flghķijkHlpmvĸwAPIStartAPIEnd8WriteDumpDataToFileStart4WriteDumpDataToFileEnd$MirroringStart,MirroringPhase0End,MirroringPhase1End,SystemQuiesceStart(SystemQuiesceEnd,PageBufferingStart(PageBufferingEnd(BufferEstimation(BufferAllocationLEVL@P,(win:InformationalTASKNO$PdQR8LIVEDUMP_TASK_CAPTURE_API@LIVEDUMP_TASK_SIZING_WORKFLOWPLIVEDUMP_TASK_CAPTURE_PAGES_WORKFLOWPLIVEDUMP_TASK_WRITE_DEFERRED_DATA_APITLIVEDUMP_TASK_DISCARD_DEFERRED_DATA_APIKEYWEVNT _l ` `dx ` a ` b `eS |fT |gU |hV |iW̶ |jt  |kux |X Y Z [ \̶ ]ض ^  nl  odx  p  q  rl й sdx йWEVT`8DPTTBLh TEMP :+b"`D EventDataA?oData'KName ReturnCode ReturnCodeTEMPd 4ɥ|\sD EventDataASoData;KNameNotifyRoutineAddress A?oData'KName ReturnCode Hx0NotifyRoutineAddressReturnCodeTEMPLx 18u tD EventDataAIoData1KNameTargetProcessId A?oData'KName ReturnCode $TargetProcessIdReturnCodeTEMPJ#R{;>cOD EventDataAIoData1KNameTargetProcessId AEoData-KName DesiredAccess A?oData'KName ReturnCode Lp$TargetProcessId DesiredAccessReturnCodeTEMPT,`L{e/mE^&N16kJD EventDataAIoData1KNameTargetProcessId AGoData/KNameTargetThreatId AEoData-KName DesiredAccess A?oData'KName ReturnCode |$TargetProcessId$TargetThreatId DesiredAccessReturnCodeTEMP<IǫS)52h%D EventDataA?oData'KName DriverName A?oData'KName ReturnCode  DriverNameReturnCodeTEMP<IǫS)52h%D EventDataA?oData'KName DriverName A?oData'KName ReturnCode @\DriverNameReturnCodeTEMPPԙ@F5{6HD EventDataAGoData/KNameLinkSourceName AGoData/KNameLinkTargetName AEoData-KName DesiredAccess A?oData'KName ReturnCode Dh$LinkSourceName$LinkTargetName DesiredAccessReturnCodeOPCO01win:InfoLEVL@P(win:InformationalTASKKEYWEVNT0xl<WEVTTlH@`CHANtmnhMicrosoft-Windows-Security-Mitigations/KernelModedMicrosoft-Windows-Security-Mitigations/UserModeMAPS|PVMAP,|@RedirectionTrustPolicyTypeMapTTBL@GTEMP pln~DyNYtD EventDataAMoData5KNameProcessPathLength AAoData)KName ProcessPath A[oDataCKNameProcessCommandLineLength AOoData7KNameProcessCommandLine AKoData3KNameCallingProcessId A[oDataCKNameCallingProcessCreateTime AWoData?KNameCallingProcessStartKey  AcoDataKKNameCallingProcessSignatureLevel AqoDataYKName#CallingProcessSectionSignatureLevel A[oDataCKNameCallingProcessProtection AIoData1KNameCallingThreadId AYoDataAKNameCallingThreadCreateTime `0 h(`(ProcessPathLengthProcessPath8ProcessCommandLineLength,ProcessCommandLine(CallingProcessId8CallingProcessCreateTime4CallingProcessStartKey@CallingProcessSignatureLevelLCallingProcessSectionSignatureLevel8CallingProcessProtection$CallingThreadId4CallingThreadCreateTimeTEMPh GtrB&=D EventDataAMoData5KNameProcessPathLength AAoData)KName ProcessPath A[oDataCKNameProcessCommandLineLength AOoData7KNameProcessCommandLine AKoData3KNameCallingProcessId A[oDataCKNameCallingProcessCreateTime AWoData?KNameCallingProcessStartKey  AcoDataKKNameCallingProcessSignatureLevel AqoDataYKName#CallingProcessSectionSignatureLevel A[oDataCKNameCallingProcessProtection AIoData1KNameCallingThreadId AYoDataAKNameCallingThreadCreateTime A[oDataCKNameChildImagePathNameLength AOoData7KNameChildImagePathName AWoData?KNameChildCommandLineLength AKoData3KNameChildCommandLine 0L D,` (ProcessPathLengthProcessPath8ProcessCommandLineLength,ProcessCommandLine(CallingProcessId8CallingProcessCreateTime4CallingProcessStartKey@CallingProcessSignatureLevelLCallingProcessSectionSignatureLevel8CallingProcessProtection$CallingThreadId4CallingThreadCreateTime8ChildImagePathNameLength,ChildImagePathName4ChildCommandLineLength(ChildCommandLineTEMP4bbDl3D EventDataAMoData5KNameProcessPathLength AAoData)KName ProcessPath A[oDataCKNameProcessCommandLineLength AOoData7KNameProcessCommandLine A=oData%KName ProcessId AMoData5KNameProcessCreateTime AIoData1KNameProcessStartKey  AUoData=KNameProcessSignatureLevel AcoDataKKNameProcessSectionSignatureLevel AMoData5KNameProcessProtection AGoData/KNameTargetThreadId AWoData?KNameTargetThreadCreateTime AIoData1KNameImageNameLength A=oData%KName ImageName D` (X <(ProcessPathLengthProcessPath8ProcessCommandLineLength,ProcessCommandLineProcessId(ProcessCreateTime$ProcessStartKey0ProcessSignatureLevel@ProcessSectionSignatureLevel(ProcessProtection$TargetThreadId4TargetThreadCreateTime$ImageNameLengthImageNameTEMP` \4clR ?&~\D EventDataAMoData5KNameProcessPathLength AAoData)KName ProcessPath A[oDataCKNameProcessCommandLineLength AOoData7KNameProcessCommandLine A=oData%KName ProcessId AMoData5KNameProcessCreateTime AIoData1KNameProcessStartKey  AUoData=KNameProcessSignatureLevel AcoDataKKNameProcessSectionSignatureLevel AMoData5KNameProcessProtection AGoData/KNameTargetThreadId AWoData?KNameTargetThreadCreateTime AWoData?KNameRequiredSignatureLevel AGoData/KNameSignatureLevel AIoData1KNameImageNameLength A=oData%KName ImageName $Lh 0` Tx(ProcessPathLengthProcessPath8ProcessCommandLineLength,ProcessCommandLineProcessId(ProcessCreateTime$ProcessStartKey0ProcessSignatureLevel@ProcessSectionSignatureLevel(ProcessProtection$TargetThreadId4TargetThreadCreateTime4RequiredSignatureLevel$SignatureLevel$ImageNameLengthImageNameTEMP h6Y0OwD EventDataA9oData!KNameSubcode AAoData)KName ProcessPath A=oData%KName ProcessId AGoData/KNameModuleFullPath A?oData'KName ModuleBase AEoData-KName ModuleAddress A?oData'KName MemAddress AMoData5KNameMemModuleFullPath AEoData-KName MemModuleBase A9oData!KNameAPIName AKoData3KNameProcessStartTime A;oData#KNameThreadId XlDdxSubcodeProcessPathProcessId$ModuleFullPathModuleBase ModuleAddressMemAddress(MemModuleFullPath MemModuleBaseAPIName(ProcessStartTimeThreadIdTEMP@ ιnV194D EventDataA9oData!KNameSubcode AAoData)KName ProcessPath A=oData%KName ProcessId A=oData%KName HookedAPI AEoData-KName ReturnAddress AEoData-KName CalledAddress AEoData-KName TargetAddress ACoData+KName StackAddress ACoData+KName FrameAddress AaoDataIKNameReturnAddressModuleFullPath AKoData3KNameProcessStartTime A;oData#KNameThreadId |<\|SubcodeProcessPathProcessIdHookedAPI ReturnAddress CalledAddress TargetAddress StackAddress FrameAddress<ReturnAddressModuleFullPath(ProcessStartTimeThreadIdTEMP..E@N D EventDataAMoData5KNameProcessPathLength AAoData)KName ProcessPath A[oDataCKNameProcessCommandLineLength AOoData7KNameProcessCommandLine A=oData%KName ProcessId AMoData5KNameProcessCreateTime AIoData1KNameProcessStartKey  AUoData=KNameProcessSignatureLevel AcoDataKKNameProcessSectionSignatureLevel AMoData5KNameProcessProtection AIoData1KNameRedirectionType AQoData9KNameOperationPathLength AEoData-KName OperationPath AEoData-KName Impersonating A9oData!KNameModule1 AEoData-KName Module1Offset  A9oData!KNameModule2 AEoData-KName Module2Offset  A9oData!KNameModule3 AEoData-KName Module3Offset  A9oData!KNameModule4 AEoData-KName Module4Offset  A9oData!KNameModule5 AEoData-KName Module5Offset  A9oData!KNameModule6 AEoData-KName Module6Offset  A9oData!KNameModule7 AEoData-KName Module7Offset  A9oData!KNameModule8 AEoData-KName Module8Offset  A9oData!KNameModule9 AEoData-KName Module9Offset  A;oData#KNameModule10 AGoData/KNameModule10Offset ! A;oData#KNameModule11 "AGoData/KNameModule11Offset # A;oData#KNameModule12 $AGoData/KNameModule12Offset % A;oData#KNameModule13 &AGoData/KNameModule13Offset ' A;oData#KNameModule14 (AGoData/KNameModule14Offset ) A;oData#KNameModule15 *AGoData/KNameModule15Offset + A;oData#KNameModule16 ,AGoData/KNameModule16Offset - Px 8\P D d     4T h   $ 8X p    $H `  (ProcessPathLengthProcessPath8ProcessCommandLineLength,ProcessCommandLineProcessId(ProcessCreateTime$ProcessStartKey0ProcessSignatureLevel@ProcessSectionSignatureLevel(ProcessProtection$RedirectionType,OperationPathLength OperationPath ImpersonatingModule1 Module1OffsetModule2 Module2OffsetModule3 Module3OffsetModule4 Module4OffsetModule5 Module5OffsetModule6 Module6OffsetModule7 Module7OffsetModule8 Module8OffsetModule9 Module9OffsetModule10$Module10OffsetModule11$Module11OffsetModule12$Module12OffsetModule13$Module13OffsetModule14$Module14OffsetModule15$Module15OffsetModule16$Module16OffsetOPCOLEVLXP,PDwin:Errorwin:WarningTASK\ 8xX  t  X`KERNEL_MITIGATION_TASK_PROHIBIT_DYNAMIC_CODEtKERNEL_MITIGATION_TASK_PROHIBIT_CHILD_PROCESS_CREATIONhKERNEL_MITIGATION_TASK_PROHIBIT_REMOTE_IMAGE_MAPdKERNEL_MITIGATION_TASK_PROHIBIT_LOWIL_IMAGE_MAPlKERNEL_MITIGATION_TASK_PROHIBIT_WIN32K_SYSTEM_CALLStKERNEL_MITIGATION_TASK_PROHIBIT_NON_MICROSOFT_BINARIES\USER_MITIGATION_TASK_EXPORT_ADDRESS_FILTERdUSER_MITIGATION_TASK_EXPORT_ADDRESS_FILTER_PLUS\USER_MITIGATION_TASK_IMPORT_ADDRESS_FILTERLUSER_MITIGATION_TASK_ROP_STACKPIVOTPUSER_MITIGATION_TASK_ROP_CALLERCHECKHUSER_MITIGATION_TASK_ROP_SIMEXECdKERNEL_MITIGATION_TASK_REDIRECTION_TRUST_POLICYKEYWEVNTolTp lTqTr Ts Tt  TuTv T wT x T yTT zT T @{d@| d@{0d@| 0d @}Ld @~ Ld @hd @ hd @d @ d @d @ d T T3.71 PDUgO/^:r%u * WEVT_TEMPLATEMUIMUI en-US