.

KGRKJGETMRETU895U-589TY5MIGM5JGB5SDFESFREWTGR54TY
Server : Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
System : Windows NT SERVER-PC 10.0 build 26200 (Windows 11) AMD64
User : ServerPC ( 0)
PHP Version : 8.2.12
Disable Function : NONE
Directory : C:/Windows/System32/
Upload File :
Current File : C:/Windows/System32/microsoft-windows-system-events.dll
MZ����@���	�!�L�!This program cannot be run in DOS mode.

$A[=�:S�:S�:S�|���:S�|�Q�:S�Rich:S�PEd��h��" &@
�


P
��
` X(
P
�%T.rdata@@.rsrcX(
 0
 @@�h�
lll�h�$���h�����T.rdataT.rdata$voltmdl�.rdata$zzzdbg .rsrc$01!H'
.rsrc$02 ���㣟�
bZ�1T?*���j�撴h��(���@�X�p�����	�	�	�pG
�0%:"
! 
WEVT_TEMPLATEMUI4VS_VERSION_INFO��
E�e
E�e?|StringFileInfoX040904B0LCompanyNameMicrosoft Corporation|*FileDescriptionMicrosoft-Windows-System-Events Resourcesn'FileVersion10.0.26100.6725 (WinBuild.160101.0800)h$InternalNamemicrosoft-windows-system-events.dll�.LegalCopyright� Microsoft Corporation. All rights reserved.p$OriginalFilenamemicrosoft-windows-system-events.dllj%ProductNameMicrosoft� Windows� Operating SystemDProductVersion10.0.26100.6725DVarFileInfo$Translation	�CRIM8"
.���/��G�!D?8�4�����O�צ���]"�,�"{+B��/�����O�p�sO�Q3�=T��)�1��fnWy���kdb�c�#w[H���V]s]J�k?�Y�F�K��B�����lG7v��PY0J���~�W4��\�"S���K�����D�_i�U�?�F�M<n(-�U�����EJFTzؤ��7��<&�1�M�9�ST�h���)}��@�CH�3UH$���:��E��4V�^�������L���)j��0P���jT��N�O��a�.�T����;��@����a��.��`:�m�@ZD�ʙ5�PF���������� �f��I*�})S2H��C�y:�x�����wA��(:�RRq�'7�u���HF����M<�x0�D�zM�K��	��^S��'���ĜeN�p�V�
�C����D�����/␨H�v��z�5F��I�ct�O�C��1D�A�u�e�G}�>����EO�C�E�lĀ���`{MK�f�/e��@@�ڊR�_�O��]�(a����B��J���;?&�8�
'��2
RC�R۫A��Y�^񿿁�E�|��چ�r��56�wuC�$�E��7�����P.�K��INo
�(����́���^�a�p����*�u�O�Ȯ	ϛ#�)
*��~_H�Ot�(q���;{�_0*&^җ`"0ʜ?�*��O�F�Sd^G�A���J���M�<�pF|���]�hV��M��D��)��9EM_45�cL�(�	��Trl�\�o��[����	t6I:�#Z���k��
(D
��E Q�_��p.��
WEVTh��(
 p�8�HCHAN04�����PMicrosoft-Windows-Kernel-WDI/AnalyticLMicrosoft-Windows-Kernel-WDI/DebugXMicrosoft-Windows-Kernel-WDI/OperationalTTBL�
TEMP��p�iS�^(c`lg�ߜ���D�	EventDataA��?�oData'K�Name
ProviderID
A��9�oData!K�NameEventID
A��M�oData5K�NameDroppedEventCount
A��A�oData)K�NameActionCount
A��MZ�ComplexData'K�Name
SemActions
���,Hd��

���ProviderIDEventID(DroppedEventCountActionCountSemActionsProviderIDLevelReservedKeyword$EnablePropertyNTStatusTEMP,�	ڈ6MhY��F�㐍����D�	EventDataA��?�oData'K�Name
ProviderID
A��9�oData!K�NameEventID
�	
ProviderIDEventIDTEMP�<��mx
[�GH kA����D�	EventDataA��?�oData'K�Name
ProviderID
A��9�oData!K�NameEventID
A��;�oData#K�NameNTStatus
x��ProviderIDEventIDNTStatusTEMPL
��kg��T�,�pt����VD�	EventDataA��?�oData'K�Name
ProviderID
A��9�oData!K�NameEventID
A��E�oData-K�Name
ScenarioCount
A��cZ�ComplexData=K�NameScenarioInflightItems
��
<l���ProviderIDEventID ScenarioCount0ScenarioInflightItemsProviderIDEventIDReserved InflightCountTEMP,�ڈ6MhY��F�㐍����D�	EventDataA��?�oData'K�Name
ProviderID
A��9�oData!K�NameEventID
��ProviderIDEventIDTEMP���{�][�9�H�Nh��`D�	EventDataA��?�oData'K�Name
ProviderID
�ProviderIDTEMP����mx
[�GH kA����D�	EventDataA��?�oData'K�Name
ProviderID
A��9�oData!K�NameEventID
A��;�oData#K�NameNTStatus
4HProviderIDEventIDNTStatusTEMP,�^�=y�T�[�L�g����D�	EventDataA��9�oData!K�NameSqmType
A��7�oDataK�NameSqmSid
ThSqmTypeSqmSidTEMPD�4H��5�Sp-	�#;��BD�	EventDataA��G�oData/K�NameSqmSessionGuid
A��5�oDataK�NameSqmID
A��9�oData!K�NameSqmType
A��W�oData?K�NameSqmDWORDDatapointValue
Dhx�$SqmSessionGuidSqmIDSqmType4SqmDWORDDatapointValueTEMP`�/�Z�>]�$�z�q!���D�	EventDataA��G�oData/K�NameSqmSessionGuid
A��5�oDataK�NameSqmID
A��9�oData!K�NameSqmType
A��O�oData7K�NameSqmStreamRowLength
A��QZ�ComplexData+K�NameSqmStreamRow
�(L\p����$SqmSessionGuidSqmIDSqmType,SqmStreamRowLength SqmStreamRow SqmTypeEntry SqmDWORDEntry$SqmStringEntryPRVAP4Microsoft-Windows-Kernel-WDIOPCO<

00L0�

0�0<0�0�040�0�0\LWDI_SEM_TASK_SCENARIO_OPCODE_STARTHWDI_SEM_TASK_SCENARIO_OPCODE_ENDPWDI_SEM_TASK_SCENARIO_OPCODE_TIMEOUTXWDI_SEM_TASK_SCENARIO_OPCODE_START_FAILEDTWDI_SEM_TASK_SCENARIO_OPCODE_END_FAILEDXWDI_SEM_TASK_SCENARIO_OPCODE_INFLIGHT_MAXLWDI_SEM_TASK_INIT_OPCODE_MISCONFIGPWDI_SEM_TASK_INIT_OPCODE_SCENARIO_MAXtWDI_SEM_TASK_INIT_OPCODE_SCENARIO_CONTEXT_PROVIDER_MAXdWDI_SEM_TASK_INIT_OPCODE_SCENARIO_END_EVENT_MAXPWDI_SEM_TASK_INIT_OPCODE_PROVIDER_MAXLEVL�P�P�Pwin:Errorwin:Warning(win:InformationalTASK�		p|

p�0WDI_SEM_TASK_SCENARIO(WDI_SEM_TASK_INITKEYWt!"$44contextdiagwin:SQMEVNT� 
	� �4|�D�!!	�!�4��D�!"	�"����D"#	@#����D$
	@$�$
��D%	@%�$
��D&
 &����`$'
 '����`$(
 (����`$)
 )���`$*
 *����`$+����`�",����|�"-������"���WEVT�y�	h"�"L$
l�ď���Г`�CHAN0�"�SystemMAPS�#�"�"VMAP4$����VMAP$�#��VMAPLT#��	�
���
�dEx:LeapSecondDataParseFailure.FailureResultMapTEx:LeapSecondDataUpdate.UpdateReasonMap@Ex:SystemTimeChange.ReasonMapTTBL kTEMP (%��ۙ�}(V�X}�=����D�	EventDataA��9�oData!K�NameNewTime
A��9�oData!K�NameOldTime
P%d%NewTimeOldTimeTEMP��&�xL��W�ְ�2_����D�	EventDataA��9�oData!K�NameNewTime
A��9�oData!K�NameOldTime
A��7�oDataK�NameReason
�&�&�"�&NewTimeOldTimeReasonTEMPl�(���`�W�.��H�����dD�	EventDataA��9�oData!K�NameNewTime
A��9�oData!K�NameOldTime
A��7�oDataK�NameReason
A��A�oData)K�NameProcessName
A��=�oData%K�Name	ProcessID
�()�" )4)P)NewTimeOldTimeReasonProcessNameProcessIDTEMP�		8,$�w�L�Rw1�I�=�����D�	EventDataA��9�oData!K�NameNewTime
A��9�oData!K�NameOldTime
A��7�oDataK�NameReason
A��A�oData)K�NameProcessName
A��=�oData%K�Name	ProcessID
A��;�oData#K�NameCmosTime
A��C�oData+K�NameTimeZoneBias
A��Q�oData9K�NameRealTimeIsUniversal

A��K�oData3K�NameSystemInCmosMode

�,-�"-(-D-\-t-

�-

�-NewTimeOldTimeReasonProcessNameProcessIDCmosTime TimeZoneBias,RealTimeIsUniversal(SystemInCmosModeTEMP

1Qϗmv�R�u�[
���D�	EventDataA��9�oData!K�NameNewTime
A��9�oData!K�NameOldTime
A��E�oData-K�Name
TimeDeltaInMs
	A��7�oDataK�NameReason
A��A�oData)K�NameProcessName
A��=�oData%K�Name	ProcessID
A��;�oData#K�NameCmosTime
A��C�oData+K�NameTimeZoneBias
A��Q�oData9K�NameRealTimeIsUniversal

A��K�oData3K�NameSystemInCmosMode
	
�1�1		�1�"2(2D2\2t2

�2

�2NewTimeOldTime TimeDeltaInMsReasonProcessNameProcessIDCmosTime TimeZoneBias,RealTimeIsUniversal(SystemInCmosModeTEMP(�5�+�:a�]ԞC�����dD�	EventDataA��?�oData'K�Name
SystemTime
A��?�oData'K�Name
LoaderTime
A��M�oData5K�NameInternalBootFlags

A��I�oData1K�NameHalRtcErrorCode
A��Q�oData9K�NameRealTimeIsUniversal

A��?�oData'K�Name
IsSoftBoot

A��9�oData!K�NameSuccess

A��5�oDataK�NamePhase
 6<6
X6�6

�6

�6

�67SystemTimeLoaderTime(InternalBootFlags$HalRtcErrorCode,RealTimeIsUniversalIsSoftBootSuccessPhaseTEMPP`7)5�H7^A����d����D�	EventDataTEMP��8ݙ!=�YZ	�2:����D�	EventDataA��A�oData)K�NameFinalStatus
A��M�oData5K�NameExtraStringLength
A��A�oData)K�NameExtraString
�8�89FinalStatus(ExtraStringLengthExtraStringTEMP�d:ݙ!=�YZ	�2:����D�	EventDataA��A�oData)K�NameFinalStatus
A��M�oData5K�NameExtraStringLength
A��A�oData)K�NameExtraString
�:�:�:FinalStatus(ExtraStringLengthExtraStringTEMP��<S"��F�Vַkܭy����D�	EventDataA��M�oData5K�NameExtraStringLength
A��A�oData)K�NameExtraString
A��3�oDataK�NameTmId
A��3�oDataK�NameRmId
A��7�oDataK�NameStatus
A��C�oData+K�NameInternalCode
`=�=�=�=�=�=(ExtraStringLengthExtraStringTmIdRmIdStatus InternalCodeTEMP(`?�iC^s�Z<w��i����4D�	EventDataA��G�oData/K�NameHiveNameLength
A��;�oData#K�NameHiveName
A��C�oData+K�NameOriginalSize
A��9�oData!K�NameNewSize
�?�?�?@$HiveNameLengthHiveName OriginalSizeNewSizeTEMP0�A�$3�]SW�=�v���8D�	EventDataA��G�oData/K�NameHiveNameLength
A��;�oData#K�NameHiveName
A��A�oData)K�NameKeysUpdated
A��?�oData'K�Name
DirtyPages
�ABB4B$HiveNameLengthHiveNameKeysUpdatedDirtyPagesTEMP��DIS��Z%ZA��\��D�	EventDataA��C�oData+K�NameMajorVersion
A��C�oData+K�NameMinorVersion
A��C�oData+K�NameBuildVersion
A��?�oData'K�Name
QfeVersion
A��G�oData/K�NameServiceVersion
A��;�oData#K�NameBootMode
A��=�oData%K�Name	StartTime
$EDEdE�E�E�E�E MajorVersion MinorVersion BuildVersionQfeVersion$ServiceVersionBootModeStartTimeTEMP��FzmU�b!A[Ф㸚�7��\D�	EventDataA��;�oData#K�NameStopTime
�FStopTimeTEMP�*�O�>���8U�
�؋����	D�	EventDataA��3�oDataK�NameMode
A��?�oData'K�Name
ObjectType
A��?�oData'K�Name
ObjectName
A��A�oData)K�NameProcessName
A��[�oDataCK�NameObjectCreatorProcessName
A��?�oData'K�Name
AccessMask
A��=�oData%K�Name	TokenType
A��O�oData7K�NameImpersonationLevel
A��=�oData%K�Name	SessionId
A��C�oData+K�NameLowBoxNumber
	A��K�oData3K�NameTokenGroupsCount
A��OZ�ComplexData)K�NameTokenGroups
�A��M�oData5K�NameTokenPackageCount
A��QZ�ComplexData+K�NameTokenPackage

�A��S�oData;K�NameTokenCapabilityCount
A��[Z�ComplexData5K�NameTokenCapabilities
�A��S�oData;K�NameTokenTrustLevelCount
A��WZ�ComplexData1K�NameTokenTrustLevel
�A��_�oDataGK�NameSecurityDescriptorRevision
A��]�oDataEK�NameSecurityDescriptorControl
A��Y�oDataAK�NameSecurityDescriptorOwner
A��Y�oDataAK�NameSecurityDescriptorGroup
A��C�oData+K�NameDaclRevision
A��C�oData+K�NameDaclAceCount
A��GZ�ComplexData!K�NameDaclAce
�A��C�oData+K�NameSaclRevision
A��C�oData+K�NameSaclAceCount
A��GZ�ComplexData!K�NameSaclAce
�<SLShS�S�S�S�ST8TPTpT
�T�T�T�T,UTU!�U�U�UVPV�V�V"�V�V�V&W,WPWhW�W�W�W�WX X<XHX\XtX�XModeObjectTypeObjectNameProcessName8ObjectCreatorProcessNameAccessMaskTokenType,ImpersonationLevelSessionId LowBoxNumber(TokenGroupsCountTokenGroups(TokenPackageCount TokenPackage0TokenCapabilityCount(TokenCapabilities0TokenTrustLevelCount$TokenTrustLevel<SecurityDescriptorRevision8SecurityDescriptorControl4SecurityDescriptorOwner4SecurityDescriptorGroup DaclRevision DaclAceCountDaclAce SaclRevision SaclAceCountSaclAce$GroupAttributesGroupSidPackageSid0CapabilityAttributes CapabilitySid TrustLevelSidAceTypeAceFlagsAccessMaskSidAceTypeAceFlagsAccessMaskSidTEMP��]�(�J�S��1�Ol����D�	EventDataA��?�oData'K�Name
ActionName
A��A�oData)K�NameProcessName
A��A�oData)K�NameAccountName
A��E�oData-K�Name
AuthorityName
A��9�oData!K�NameTokenId
A��K�oData3K�NameAuthenticationId
A��=�oData%K�Name	TokenType
A��O�oData7K�NameImpersonationLevel
A��?�oData'K�Name
TokenFlags
A��Y�oDataAK�NameSidValuesReferenceCount
		A��G�oData/K�NameSidValuesCount
A��KZ�ComplexData%K�Name	SidValues
�A��e�oDataMK�NameSharedSidValuesReferenceCount
	A��S�oData;K�NameSharedSidValuesCount

A��WZ�ComplexData1K�NameSharedSidValues
��^_0_L_l_�_�_�_�_		`<`
``		x`�`
�`aaActionNameProcessNameAccountName AuthorityNameTokenId(AuthenticationIdTokenType,ImpersonationLevelTokenFlags4SidValuesReferenceCount$SidValuesCountSidValues@SharedSidValuesReferenceCount0SharedSidValuesCount$SharedSidValuesSidSidTEMP�dba8vXZ-�.��U5��D�	EventDataA��Q�oData9K�NameTransitionStartTime
A��A�oData)K�NameCurrentTime
A��K�oData3K�NameSoftRestartCount
�b�b�b,TransitionStartTimeCurrentTime(SoftRestartCountTEMP|�d� ��6�\��)������^D�	EventDataA��Q�oData9K�NameTransitionStartTime
A��A�oData)K�NameCurrentTime
A��K�oData3K�NameSoftRestartCount
A��K�oData3K�NameBugcheckRecovery

�d e<e

de,TransitionStartTimeCurrentTime(SoftRestartCount(BugcheckRecoveryTEMPh3�>ʬ�]qX?�o��PD�	EventDataA��E�oData-K�Name
MmPhase0Start

A��C�oData+K�NameMmPhase0Stop

A��A�oData)K�NamePhase1Start

A��M�oData5K�NameKsrExtensionStart

A��K�oData3K�NameKsrExtensionStop

A��S�oData;K�NameStartProcessorsStart

A��Q�oData9K�NameStartProcessorsStop



�h

�h

�h

�h

 i

Hi

xi MmPhase0Start MmPhase0StopPhase1Start(KsrExtensionStart(KsrExtensionStop0StartProcessorsStart,StartProcessorsStopTEMPH		�l.]�7�<P���G����D�	EventDataA��E�oData-K�Name
MmPhase0Start

A��C�oData+K�NameMmPhase0Stop

A��A�oData)K�NamePhase1Start

A��M�oData5K�NameKsrExtensionStart

A��K�oData3K�NameKsrExtensionStop

A��S�oData;K�NameStartProcessorsStart

A��Q�oData9K�NameStartProcessorsStop

A��Q�oData9K�NameAutoLoggerInitStart

A��O�oData7K�NameAutoLoggerInitStop



�m

�m

�m

�m

n

8n

hn

�n

�n MmPhase0Start MmPhase0StopPhase1Start(KsrExtensionStart(KsrExtensionStop0StartProcessorsStart,StartProcessorsStop,AutoLoggerInitStart,AutoLoggerInitStopTEMP�

ts�����Sx1�?D����RD�	EventDataA��E�oData-K�Name
MmPhase0Start

A��C�oData+K�NameMmPhase0Stop

A��A�oData)K�NamePhase1Start

A��M�oData5K�NameKsrExtensionStart

A��K�oData3K�NameKsrExtensionStop

A��S�oData;K�NameStartProcessorsStart

A��Q�oData9K�NameStartProcessorsStop

A��Q�oData9K�NameAutoLoggerInitStart

A��O�oData7K�NameAutoLoggerInitStop

A��E�oData-K�Name
MmPhase1Start
	
A��C�oData+K�NameMmPhase1Stop

A��Y�oDataAK�NameHalPhase0StartCycleTime

A��W�oData?K�NameHalPhase0StopCycleTime



xt

�t

�t

�t

�t

$u

Tu

�u

�u

�u

�u

v

Lv MmPhase0Start MmPhase0StopPhase1Start(KsrExtensionStart(KsrExtensionStop0StartProcessorsStart,StartProcessorsStop,AutoLoggerInitStart,AutoLoggerInitStop MmPhase1Start MmPhase1Stop4HalPhase0StartCycleTime4HalPhase0StopCycleTimeTEMP�D{c	�3�s]ѽ�6����D�	EventDataA��E�oData-K�Name
MmPhase0Start

A��C�oData+K�NameMmPhase0Stop

A��A�oData)K�NamePhase1Start

A��M�oData5K�NameKsrExtensionStart

A��K�oData3K�NameKsrExtensionStop

A��S�oData;K�NameStartProcessorsStart

A��Q�oData9K�NameStartProcessorsStop

A��Q�oData9K�NameAutoLoggerInitStart

A��O�oData7K�NameAutoLoggerInitStop

A��E�oData-K�Name
MmPhase1Start
	
A��C�oData+K�NameMmPhase1Stop

A��Y�oDataAK�NameHalPhase0StartCycleTime

A��W�oData?K�NameHalPhase0StopCycleTime

A��7�oDataK�NameMmMark

�

\|

||

�|

�|

�|

}

8}

d}

�}

�}

�}

�}

0~

d~ MmPhase0Start MmPhase0StopPhase1Start(KsrExtensionStart(KsrExtensionStop0StartProcessorsStart,StartProcessorsStop,AutoLoggerInitStart,AutoLoggerInitStop MmPhase1Start MmPhase1Stop4HalPhase0StartCycleTime4HalPhase0StopCycleTimeMmMarkTEMP �pE�mm��R
f��<�����.D�	EventDataA��C�oData+K�NameUpdateReason
A��?�oData'K�Name
EnabledNew

A��;�oData#K�NameCountNew
A��;�oData#K�NameCountOld
�",�

L�h��� UpdateReasonEnabledNewCountNewCountOldTEMP�4�Ds;��^P�#�@ݕ3��fD�	EventDataA��E�oData-K�Name
FailureResult
#H� FailureResultTEMP 8�U{x��]��ۡ�|�F���D�	EventDataA��9�oData!K�NameNewBias
A��9�oData!K�NameOldBias
`�t�NewBiasOldBiasTEMP		��y��%�P���|����XD�	EventDataA��G�oData/K�NameVsmCleanupTime

A��7�oDataK�NameMark#0

A��7�oDataK�NameMark#1

A��7�oDataK�NameMark#2

A��7�oDataK�NameMark#3

A��7�oDataK�NameMark#4

A��7�oDataK�NameMark#5

A��7�oDataK�NameMark#6

A��7�oDataK�NameMark#7



ȅ

�

�

�

(�

<�

P�

d�

x�$VsmCleanupTimeMark#0Mark#1Mark#2Mark#3Mark#4Mark#5Mark#6Mark#7TEMP�

x���4Ǒ2"Pw%tv�m����D�	EventDataA��G�oData/K�NameVsmCleanupTime

A��7�oDataK�NameMark#0

A��7�oDataK�NameMark#1

A��7�oDataK�NameMark#2

A��7�oDataK�NameMark#3

A��7�oDataK�NameMark#4

A��7�oDataK�NameMark#5

A��7�oDataK�NameMark#6

A��7�oDataK�NameMark#7

A��Y�oDataAK�NameVsmCleanupTimeFrequency
	


@�

d�

x�

��

��

��

Ȋ

܊

�

�$VsmCleanupTimeMark#0Mark#1Mark#2Mark#3Mark#4Mark#5Mark#6Mark#74VsmCleanupTimeFrequencyTEMP����5���X��4_+���D�	EventDataA��?�oData'K�Name
ExitReason
A��A�oData)K�NameCurrentBias
A��M�oData5K�NameCurrentTimeZoneID
A��[�oDataCK�NameTimeZoneInfoCacheUpdated
A��C�oData+K�NameFirstRefresh
x�����؍�ExitReasonCurrentBias(CurrentTimeZoneID8TimeZoneInfoCacheUpdated FirstRefreshTEMP<�<_Z��U#CbG஥����D�	EventDataA��A�oData)K�NameProcessName
A��?�oData'K�Name
PackageSid
4�P�ProcessNamePackageSidPRVAX��Microsoft-Windows-Kernel-GeneralOPCO01܏win:InfoLEVL�P$�P<�PX�win:Errorwin:Warning(win:InformationalTASKP����ܑ���������������4�����`������������������	���� �
����L�����p�������SystemStartSystemStop SoftBootInfo,BootPerformanceData(SystemTimeChange0LeapSecondDataUpdate<LeapSecondDataParseFailure,TimeZoneBiasChange,VsmPerformanceData$ReorganizeHive<TimeZoneInformationRefresh$BootSystemTimeKEYW�,� ����h�@����������������$�<KERNEL_GENERAL_KEYWORD_TIMELKERNEL_GENERAL_SECURITY_ACCESSCHECKLKERNEL_GENERAL_TOKEN_SID_MANAGEMENT$BootPerformance<KERNEL_GENERAL_TOKEN_QUERYEVNT<��X$Џ�@�t"��x%Џ���D�t"���&Џ���H�t"��h)Џ���L�t"��-Џ���P�t"�7Џ�t"�7Џ�t"�7Џ�t"�`7�t"�09�t"�;Џ�t"��PBЏ���T�t"
��
�EЏ���X�t" �����F�\�
��=Џ���t"� @Џ�t"@�����X�`����$aЏ�Đd�t"��cЏ�Đh�t"������eЏ��l�������iЏ��p�������nЏ��t�������vЏ��x��x~Џ��|�t"���Џ�4���t"�h�Џ�P���t"	�������Џ�l���	�������Џ�l����8�Џ�����t"��2Џ�����t"�0�Џ���t"ܓܓܓܓܓ�����������ܓܓܓ��ܓܓ�WEVT��	�h�(�
�	�	�	L�CHANt�����XMicrosoft-Windows-Kernel-Process/AnalyticMAPS�|���BMAPԜ�BMAP<������ ProcessFlags4SecurityMitigationsMapTTBL�kTEMP��
�q���=[�u�����T��|D�	EventDataA��=�oData%K�Name	ProcessID
A��?�oData'K�Name
CreateTime
A��I�oData1K�NameParentProcessID
A��=�oData%K�Name	SessionID
A��=�oData%K�Name	ImageName
H�`�|�����ProcessIDCreateTime$ParentProcessIDSessionIDImageNameTEMP����a#�m6Z�&M�lk���D�	EventDataA��=�oData%K�Name	ProcessID
A��?�oData'K�Name
CreateTime
A��I�oData1K�NameParentProcessID
A��=�oData%K�Name	SessionID
A��5�oDataK�NameFlags
A��=�oData%K�Name	ImageName
4�L�h���|�����ProcessIDCreateTime$ParentProcessIDSessionIDFlagsImageNameTEMP$

��	�	�<RW�@�\:<����D�	EventDataA��=�oData%K�Name	ProcessID
A��?�oData'K�Name
CreateTime
A��I�oData1K�NameParentProcessID
A��=�oData%K�Name	SessionID
A��5�oDataK�NameFlags
A��=�oData%K�Name	ImageName
A��E�oData-K�Name
ImageChecksum
A��E�oData-K�Name
TimeDateStamp
A��I�oData1K�NamePackageFullName
A��S�oData;K�NamePackageRelativeAppId
	Ħܦ���|�4�D�\�|�����ProcessIDCreateTime$ParentProcessIDSessionIDFlagsImageName ImageChecksum TimeDateStamp$PackageFullName0PackageRelativeAppIdTEMPX��}�T#]�Q\c^r����D�	EventDataA��=�oData%K�Name	ProcessID
A��U�oData=K�NameProcessSequenceNumber

A��?�oData'K�Name
CreateTime
A��I�oData1K�NameParentProcessID
A��a�oDataIK�NameParentProcessSequenceNumber

A��=�oData%K�Name	SessionID
A��5�oDataK�NameFlags
A��]�oDataEK�NameProcessTokenElevationType
A��W�oData?K�NameProcessTokenIsElevated
A��G�oData/K�NameMandatoryLabel
	A��=�oData%K�Name	ImageName
A��E�oData-K�Name
ImageChecksum
A��E�oData-K�Name
TimeDateStamp
A��I�oData1K�NamePackageFullName

A��S�oData;K�NamePackageRelativeAppId
 �

8�h���

���|����D�x�����ԯ��ProcessID0ProcessSequenceNumberCreateTime$ParentProcessID<ParentProcessSequenceNumberSessionIDFlags8ProcessTokenElevationType4ProcessTokenIsElevated$MandatoryLabelImageName ImageChecksum TimeDateStamp$PackageFullName0PackageRelativeAppIdTEMP����6�:AcR�q��"����&D�	EventDataA��=�oData%K�Name	ProcessID
A��U�oData=K�NameProcessSequenceNumber

A��?�oData'K�Name
CreateTime
A��I�oData1K�NameParentProcessID
A��a�oDataIK�NameParentProcessSequenceNumber

A��=�oData%K�Name	SessionID
A��5�oDataK�NameFlags
A��]�oDataEK�NameProcessTokenElevationType
A��W�oData?K�NameProcessTokenIsElevated
A��G�oData/K�NameMandatoryLabel
	A��=�oData%K�Name	ImageName
A��E�oData-K�Name
ImageChecksum
A��E�oData-K�Name
TimeDateStamp
A��I�oData1K�NamePackageFullName

A��S�oData;K�NamePackageRelativeAppId
A��Q�oData9K�NameSecurityMitigations
�

��,�H�

l���|���з�<�`�x�����ܸ���ProcessID0ProcessSequenceNumberCreateTime$ParentProcessID<ParentProcessSequenceNumberSessionIDFlags8ProcessTokenElevationType4ProcessTokenIsElevated$MandatoryLabelImageName ImageChecksum TimeDateStamp$PackageFullName0PackageRelativeAppId,SecurityMitigationsTEMP�		�(�G���X�P�@;����D�	EventDataA��=�oData%K�Name	ProcessID
A��?�oData'K�Name
CreateTime
A��;�oData#K�NameExitTime
A��;�oData#K�NameExitCode
A��O�oData7K�NameTokenElevationType
A��A�oData)K�NameHandleCount
A��C�oData+K�NameCommitCharge

A��?�oData'K�Name
CommitPeak

A��=�oData%K�Name	ImageName
��Լ�� �L�

h�

����ProcessIDCreateTimeExitTimeExitCode,TokenElevationTypeHandleCount CommitChargeCommitPeakImageNameTEMP���E��ZY�Aty����D�	EventDataA��=�oData%K�Name	ProcessID
A��?�oData'K�Name
CreateTime
A��;�oData#K�NameExitTime
A��;�oData#K�NameExitCode
A��O�oData7K�NameTokenElevationType
A��A�oData)K�NameHandleCount
A��C�oData+K�NameCommitCharge

A��?�oData'K�Name
CommitPeak

A��E�oData-K�Name
CPUCycleCount

A��O�oData7K�NameReadOperationCount
	A��Q�oData9K�NameWriteOperationCount
A��U�oData=K�NameReadTransferKiloBytes
A��W�oData?K�NameWriteTransferKiloBytes
A��G�oData/K�NameHardFaultCount

A��=�oData%K�Name	ImageName
��������H�

d�

��

�������H�|���ProcessIDCreateTimeExitTimeExitCode,TokenElevationTypeHandleCount CommitChargeCommitPeak CPUCycleCount,ReadOperationCount,WriteOperationCount0ReadTransferKiloBytes4WriteTransferKiloBytes$HardFaultCountImageNameTEMP����Uk ݂Z5g'��י����D�	EventDataA��=�oData%K�Name	ProcessID
A��U�oData=K�NameProcessSequenceNumber

A��?�oData'K�Name
CreateTime
A��;�oData#K�NameExitTime
A��;�oData#K�NameExitCode
A��O�oData7K�NameTokenElevationType
A��A�oData)K�NameHandleCount
A��C�oData+K�NameCommitCharge

A��?�oData'K�Name
CommitPeak

A��E�oData-K�Name
CPUCycleCount
	
A��O�oData7K�NameReadOperationCount
A��Q�oData9K�NameWriteOperationCount
A��U�oData=K�NameReadTransferKiloBytes
A��W�oData?K�NameWriteTransferKiloBytes

A��G�oData/K�NameHardFaultCount
A��=�oData%K�Name	ImageName
$�

<�l���������

�

 �

<�\��������<�ProcessID0ProcessSequenceNumberCreateTimeExitTimeExitCode,TokenElevationTypeHandleCount CommitChargeCommitPeak CPUCycleCount,ReadOperationCount,WriteOperationCount0ReadTransferKiloBytes4WriteTransferKiloBytes$HardFaultCountImageNameTEMPx		 ��nUh�2X�l"�&�����D�	EventDataA��=�oData%K�Name	ProcessID
A��;�oData#K�NameThreadID
A��=�oData%K�Name	StackBase
A��?�oData'K�Name
StackLimit
A��E�oData-K�Name
UserStackBase
A��G�oData/K�NameUserStackLimit
A��=�oData%K�Name	StartAddr
A��G�oData/K�NameWin32StartAddr
A��9�oData!K�NameTebBase
������8�X�|�����ProcessIDThreadIDStackBaseStackLimit UserStackBase$UserStackLimitStartAddr$Win32StartAddrTebBaseTEMP�

��Q���]���1�T���D�	EventDataA��=�oData%K�Name	ProcessID
A��;�oData#K�NameThreadID
A��=�oData%K�Name	StackBase
A��?�oData'K�Name
StackLimit
A��E�oData-K�Name
UserStackBase
A��G�oData/K�NameUserStackLimit
A��=�oData%K�Name	StartAddr
A��G�oData/K�NameWin32StartAddr
A��9�oData!K�NameTebBase
A��E�oData-K�Name
SubProcessTag
	���������0�T�l�����ProcessIDThreadIDStackBaseStackLimit UserStackBase$UserStackLimitStartAddr$Win32StartAddrTebBase SubProcessTagTEMPh ���*my_\ǻ�.���&D�	EventDataA��=�oData%K�Name	ProcessID
A��;�oData#K�NameThreadID
A��=�oData%K�Name	StackBase
A��?�oData'K�Name
StackLimit
A��E�oData-K�Name
UserStackBase
A��G�oData/K�NameUserStackLimit
A��=�oData%K�Name	StartAddr
A��G�oData/K�NameWin32StartAddr
A��9�oData!K�NameTebBase
A��E�oData-K�Name
SubProcessTag
	A��=�oData%K�Name	CycleTime

���,�D�`�����������
�ProcessIDThreadIDStackBaseStackLimit UserStackBase$UserStackLimitStartAddr$Win32StartAddrTebBase SubProcessTagCycleTimeTEMP�l���|hGH}V�Ȋ`�j�%��
D�	EventDataA��=�oData%K�Name	ImageBase
A��=�oData%K�Name	ImageSize
A��=�oData%K�Name	ProcessID
A��E�oData-K�Name
ImageCheckSum
A��E�oData-K�Name
TimeDateStamp
A��A�oData)K�NameDefaultBase
A��=�oData%K�Name	ImageName
���(�@�`�����ImageBaseImageSizeProcessID ImageCheckSum TimeDateStampDefaultBaseImageNameTEMP�����|hGH}V�Ȋ`�j�%��
D�	EventDataA��=�oData%K�Name	ImageBase
A��=�oData%K�Name	ImageSize
A��=�oData%K�Name	ProcessID
A��E�oData-K�Name
ImageCheckSum
A��E�oData-K�Name
TimeDateStamp
A��A�oData)K�NameDefaultBase
A��=�oData%K�Name	ImageName
�����������$�ImageBaseImageSizeProcessID ImageCheckSum TimeDateStampDefaultBaseImageNameTEMP����UU�?��M���0D�	EventDataA��=�oData%K�Name	ProcessID
A��;�oData#K�NameThreadID
A��A�oData)K�NameOldPriority
A��A�oData)K�NameNewPriority
��� �<�ProcessIDThreadIDOldPriorityNewPriorityTEMP���2�>!��xX�6�f��P��jD�	EventDataA��I�oData1K�NameFrozenProcessID
�$FrozenProcessIDTEMPL�Env�z��_�����%�����D�	EventDataA��I�oData1K�NameFrozenProcessID
A��?�oData'K�Name
CreateTime
<�`�$FrozenProcessIDCreateTimeTEMP����7ά��Y���`�������D�	EventDataA��C�oData+K�NameContainer ID
A��7�oDataK�NameJob ID
A��?�oData'K�Name
StatusCode
����� Container IDJob IDStatusCodeTEMP�L�.�n]�y�]b�A��"�h���D�	EventDataA��7�oDataK�NameJob ID
A��M�oData5K�NameDiskIoAttribution
A��?�oData'K�Name
StatusCode
������Job ID(DiskIoAttributionStatusCodeTEMP��w묌
�U��	o	&���D�	EventDataA��7�oDataK�NameJob ID
A��E�oData-K�Name
IoRateControl
A��A�oData)K�NameControlType
A��;�oData#K�NameRateType
A��?�oData'K�Name
RateAmount
A��?�oData'K�Name
StatusCode
H�\�|�������Job ID IoRateControlControlTypeRateTypeRateAmountStatusCodeTEMP�����Z�ePSG�(/7�'���D�	EventDataA��7�oDataK�NameJob ID
A��E�oData-K�Name
IoRateControl
A��9�oData!K�NameMaxIops

A��C�oData+K�NameMaxBandwidth

A��G�oData/K�NameMaxTimePercent

A��I�oData1K�NameReservationIops

A��S�oData;K�NameReservationBandwidth

A��W�oData?K�NameReservationTimePercent

A��Y�oDataAK�NameCriticalReservationIops

A��c�oDataKK�NameCriticalReservationBandwidth
	
A��g�oDataOK�NameCriticalReservationTimePercent

A��C�oData+K�NameControlFlags
A��?�oData'K�Name
VolumeName
A��?�oData'K�Name
StatusCode

����

��

�

0�

T�

x�

��

�

�

P������Job ID IoRateControlMaxIops MaxBandwidth$MaxTimePercent$ReservationIops0ReservationBandwidth4ReservationTimePercent4CriticalReservationIops@CriticalReservationBandwidthDCriticalReservationTimePercent ControlFlagsVolumeNameStatusCodeTEMP�	���̶�:�S�S�[����D�	EventDataA��7�oDataK�NameJob ID
A��E�oData-K�Name
IoRateControl
A��9�oData!K�NameMaxIops

A��C�oData+K�NameMaxBandwidth

A��G�oData/K�NameMaxTimePercent

A��I�oData1K�NameReservationIops

A��S�oData;K�NameReservationBandwidth

A��W�oData?K�NameReservationTimePercent

A��Y�oDataAK�NameCriticalReservationIops

A��c�oDataKK�NameCriticalReservationBandwidth
	
A��g�oDataOK�NameCriticalReservationTimePercent

A��A�oData)K�NameSoftMaxIops

A��K�oData3K�NameSoftMaxBandwidth

A��O�oData7K�NameSoftMaxTimePercent


A��C�oData+K�NameControlFlags
A��?�oData'K�Name
VolumeName
A��?�oData'K�Name
StatusCode
���

,�

@�

`�

��

��

�

�

@�

��

�

�

4TpJob ID IoRateControlMaxIops MaxBandwidth$MaxTimePercent$ReservationIops0ReservationBandwidth4ReservationTimePercent4CriticalReservationIops@CriticalReservationBandwidthDCriticalReservationTimePercentSoftMaxIops(SoftMaxBandwidth,SoftMaxTimePercent ControlFlagsVolumeNameStatusCodeTEMP���_P5Z��<���L���D�	EventDataA��Y�oDataAK�NameOldWorkOnBehalfThreadID
A��Y�oDataAK�NameNewWorkOnBehalfThreadID
��4OldWorkOnBehalfThreadID4NewWorkOnBehalfThreadIDTEMP�@F@mQ�)�Vنo���D�	EventDataA��C�oData+K�NameContainer ID
A��7�oDataK�NameJob ID
A��5�oDataK�NameState
|�� Container IDJob IDStateTEMP���.���U�x`ߑ�ׂ���D�	EventDataA��C�oData+K�NameContainer ID
A��7�oDataK�NameJob ID
A��A�oData)K�NameMonitorName
<P Container IDJob IDMonitorNameTEMP�h���[a�BZ����(D�	EventDataA��C�oData+K�NameContainer ID
A��7�oDataK�NameJob ID
A��7�oDataK�NameStatus
A��A�oData)K�NameMonitorName
8L` Container IDJob IDStatusMonitorNameTEMP8X!��03\���|��#���D�	EventDataA��A�oData)K�NameProcessName
A��=�oData%K�Name	ProcessID
��ProcessNameProcessIDPRVAX�Microsoft-Windows-Kernel-ProcessOPCOx1<	2T	2l	win:Infowin:Startwin:StopLEVL@P�	(win:InformationalTASK���������<����X����t��������������������	����

����H
����p

�����
�����
�����
�����
��������<����t�������������� ProcessStartProcessStopThreadStartThreadStopImageLoadImageUnload0CpuBasePriorityChange(CpuPriorityChange,PagePriorityChange(IoPriorityChange ProcessFreezeJobStart JobTerminate$ProcessRundown,PsDiskIoAttribution$PsIoRateControl8ThreadWorkOnBehalfUpdate8JobServerSiloStateChange,ProcessInPrivateSet8ServerSiloCreateCallback<ServerSiloTerminateCallbackKEYWl���� ����@@����t���������������,����p��������� ����<@�����8WINEVENT_KEYWORD_PROCESS4WINEVENT_KEYWORD_THREAD4WINEVENT_KEYWORD_IMAGE@WINEVENT_KEYWORD_CPU_PRIORITYDWINEVENT_KEYWORD_OTHER_PRIORITYDWINEVENT_KEYWORD_PROCESS_FREEZE0WINEVENT_KEYWORD_JOBhWINEVENT_KEYWORD_ENABLE_PROCESS_TRACING_CALLBACKS4WINEVENT_KEYWORD_JOB_IODWINEVENT_KEYWORD_WORK_ON_BEHALF8WINEVENT_KEYWORD_JOB_SILOEVNT�+��4�$	�	�	����П$	�	�	����̢$	�	�	�����$	�	�	����H�$	�	�	����8�0	�	�	������0	�	�	������0	�	�	�� ��T�$	�	
�� ����$	�	
�� ��T�0	�	$
� ����0	�	$
�@��,�	�	@
�@����	�	\
����<�	�	x
����<�	�	�
�		�	�<�	�	�
�

�
�<�	�	�
���X�$	�	�
 ���0�$	�	�
$���X�0	�	�
(���0�0	�	�
,�

�
�|�$	�	0���|�0	�	 4���̢	�	<8����	�	<<���H�	�	<@�����	�	D�����$�$	�	XH������$�0	�	XL��������$	�	tP��������$	�	tT�������$	�	tX��������0	�	t\��������0	�	t`�������0	�	td� ������	�	�h�@�����,	�	�l�@������$	�	�p�@�����l0	�	�t�@������$	�	x�@������0	�	|������|	�	���XXXXXXXXhhhhxx����������XXX���������������XWEVT�F���
(L�L|T�T�V�YCHAN�����\����\Microsoft-Windows-Kernel-Registry/Analytic`Microsoft-Windows-Kernel-Registry/PerformanceTTBLl/TEMP�4��zw�_Q
f��i�N���D�	EventDataA��?�oData'K�Name
BaseObject
A��=�oData%K�Name	KeyObject
A��7�oDataK�NameStatus
A��A�oData)K�NameDisposition
A��;�oData#K�NameBaseName
A��C�oData+K�NameRelativeName
,H`t��BaseObjectKeyObjectStatusDispositionBaseName RelativeNameTEMP�� ����u�Y[`q��BsK���D�	EventDataA��=�oData%K�Name	KeyObject
A��7�oDataK�NameStatus
A��9�oData!K�NameKeyName
!,!@!KeyObjectStatusKeyNameTEMPx�#C���^ζUGr������D�	EventDataA��=�oData%K�Name	KeyObject
A��7�oDataK�NameStatus
A��=�oData%K�Name	InfoClass
A��;�oData#K�NameDataSize
A��9�oData!K�NameKeyName
A��K�oData3K�NameCapturedDataSize
A��C�oData+K�NameCapturedData
$,$@$X$p$�$�$KeyObjectStatusInfoClassDataSizeKeyName(CapturedDataSize CapturedDataTEMP�(�U���yZ[A��u����D�	EventDataA��=�oData%K�Name	KeyObject
A��7�oDataK�NameStatus
A��3�oDataK�NameType
A��;�oData#K�NameDataSize
A��9�oData!K�NameKeyName
A��=�oData%K�Name	ValueName
A��K�oData3K�NameCapturedDataSize
A��C�oData+K�NameCapturedData
A��K�oData3K�NamePreviousDataType
A��K�oData3K�NamePreviousDataSize
	A��[�oDataCK�NamePreviousDataCapturedSize
A��C�oData+K�NamePreviousData
x)�)�)�)�)�)�) *@*h*�*
�*KeyObjectStatusTypeDataSizeKeyNameValueName(CapturedDataSize CapturedData(PreviousDataType(PreviousDataSize8PreviousDataCapturedSize PreviousDataTEMP�<,5|��
U'VO��C���� D�	EventDataA��=�oData%K�Name	KeyObject
A��7�oDataK�NameStatus
A��9�oData!K�NameKeyName
A��=�oData%K�Name	ValueName
�,�,�,�,KeyObjectStatusKeyNameValueNameTEMP�\/�Y܄$[�F�@L����BD�	EventDataA��=�oData%K�Name	KeyObject
A��7�oDataK�NameStatus
A��=�oData%K�Name	InfoClass
A��;�oData#K�NameDataSize
A��9�oData!K�NameKeyName
A��=�oData%K�Name	ValueName
A��K�oData3K�NameCapturedDataSize
A��C�oData+K�NameCapturedData
�/0(0@0X0l0�0�0KeyObjectStatusInfoClassDataSizeKeyNameValueName(CapturedDataSize CapturedDataTEMP�<3�f�C��V��`����%��:D�	EventDataA��=�oData%K�Name	KeyObject
A��7�oDataK�NameStatus
A��5�oDataK�NameIndex
A��=�oData%K�Name	InfoClass
A��;�oData#K�NameDataSize
A��9�oData!K�NameKeyName
A��K�oData3K�NameCapturedDataSize
A��C�oData+K�NameCapturedData
�3�34404H4\4�4KeyObjectStatusIndexInfoClassDataSizeKeyName(CapturedDataSize CapturedDataTEMPp<6B!��Q>�Ƅ����dD�	EventDataA��=�oData%K�Name	KeyObject
A��7�oDataK�NameStatus
A��?�oData'K�Name
EntryCount
A��;�oData#K�NameDataSize
A��9�oData!K�NameKeyName
�6�6�6�67KeyObjectStatusEntryCountDataSizeKeyNameTEMPxH9C���^ζUGr������D�	EventDataA��=�oData%K�Name	KeyObject
A��7�oDataK�NameStatus
A��=�oData%K�Name	InfoClass
A��;�oData#K�NameDataSize
A��9�oData!K�NameKeyName
A��K�oData3K�NameCapturedDataSize
A��C�oData+K�NameCapturedData
�9�9::0:D:l:KeyObjectStatusInfoClassDataSizeKeyName(CapturedDataSize CapturedDataTEMP<h;Zv��NɋP�};�ɖ���D�	EventDataA��C�oData+K�NameHiveFilePath
A��;�oData#K�NameFileSize
�;�; HiveFilePathFileSizeTEMP\�<%{�1�Uϫ+F�����D�	EventDataA��G�oData/K�NameTotalEntrySize
A��G�oData/K�NameBytesRecovered
�<=$TotalEntrySize$BytesRecoveredTEMP��=9�̡^`U�@��w ���`D�	EventDataA��?�oData'K�Name
StatusCode
�=StatusCodeTEMPT�>/���mT6#W�|4����D�	EventDataA��C�oData+K�NameHiveFilePath
A��G�oData/K�NameHiveMountPoint
�>? HiveFilePath$HiveMountPointTEMP��?9�̡^`U�@��w ���`D�	EventDataA��?�oData'K�Name
StatusCode
�?StatusCodeTEMP�,Aݯ��I^vo��X���D�	EventDataA��C�oData+K�NameHiveFilePath
A��G�oData/K�NameHiveMountPoint
A��?�oData'K�Name
FlushFlags
hA�A�A HiveFilePath$HiveMountPointFlushFlagsTEMP�dBi����T;�qW��w��fD�	EventDataA��E�oData-K�Name
BytesGathered
xB BytesGatheredTEMP�4Ci����T;�qW��w��fD�	EventDataA��E�oData-K�Name
BytesGathered
HC BytesGatheredTEMPLLD˦i��=I_��Nm�;���D�	EventDataA��C�oData+K�NameWritesIssued
A��C�oData+K�NameBytesWritten
tD�D WritesIssued BytesWrittenTEMPL�E˦i��=I_��Nm�;���D�	EventDataA��C�oData+K�NameWritesIssued
A��C�oData+K�NameBytesWritten
�E�E WritesIssued BytesWrittenTEMP��F9�̡^`U�@��w ���`D�	EventDataA��?�oData'K�Name
StatusCode
�FStatusCodeTEMP$�GV��U�V6Q�D��Y7{���D�	EventDataA��?�oData'K�Name
SourceFile
A��5�oDataK�NameFlags
�G�GSourceFileFlagsTEMP�|H9�̡^`U�@��w ���`D�	EventDataA��?�oData'K�Name
StatusCode
�HStatusCodeTEMP$|IV��U�V6Q�D��Y7{���D�	EventDataA��?�oData'K�Name
SourceFile
A��5�oDataK�NameFlags
�I�ISourceFileFlagsTEMP�dJ9�̡^`U�@��w ���`D�	EventDataA��?�oData'K�Name
StatusCode
xJStatusCodeTEMP�0K��*K�tS
f�g<����fD�	EventDataA��E�oData-K�Name
SourceKeyPath
DK SourceKeyPathTEMP��K9�̡^`U�@��w ���`D�	EventDataA��?�oData'K�Name
StatusCode
LStatusCodePRVAX<LMicrosoft-Windows-Kernel-RegistryOPCO�!2N20N
����HN
�����N
�����N
����(O����\O�����O�����O����(P����\P�����P�����P
���� Q����dQ�����Q����R����TR �����R!�����R"�����R#�����R$����S%����S&����@S'����`S(�����S)�����S*�����S+����T,����T-����0T.����XTwin:Startwin:StopHRegPerfOpHiveMountBaseFileMountedPRegPerfOpHiveFlushBecameActiveFlusherHRegPerfOpShutdownRundownComplete4RegPerfOpSaveFileCopiedHRegPerfOpHiveMountLogEntryAppliedHRegPerfOpHiveFlushGatheredLogData<RegPerfOpShutdownFlushStart4RegPerfOpSaveTreeCopiedPRegPerfOpHiveFlushGatheredPrimaryData<RegPerfOpShutdownFlushStop8RegPerfOpSaveFileWrittenDRegPerfOpHiveFlushWroteLogFileLRegPerfOpHiveFlushWrotePrimaryFileTRegPerfOpHiveFlushBoostedActiveFlusherPRegPerfOpHiveFlushStartWaitForActivePRegPerfOpHiveFlushFinishWaitForActiveCreateKeyOpenKeyDeleteKeyQueryKeySetValueKey$DeleteValueKey QueryValueKey EnumerateKey(EnumerateValueKey0QueryMultipleValueKey(SetInformationKeyFlushKeyCloseKey(QuerySecurityKey$SetSecurityKeyLEVL@P�T(win:InformationalTASKs�Us�Us�UsVsHVstVs�V0RegPerfTaskHiveMount0RegPerfTaskHiveUnload0RegPerfTaskHiveFlush,RegPerfTaskShutdown,RegPerfTaskHiveLoad4RegPerfTaskHiveRestore,RegPerfTaskHiveSaveKEYW������W�����W����X����4X ����\X@�����X������X�����X�����X����Y����,Y����LY ����dY@����xY������YCloseKey(QuerySecurityKey$SetSecurityKey(EnumerateValueKey0QueryMultipleValueKey(SetInformationKeyFlushKeySetValueKey$DeleteValueKey QueryValueKey EnumerateKeyCreateKeyOpenKeyDeleteKeyQueryKeyEVNT�- ������dM�T(b�! ������pM�T,b�"@������|M�T0b�#������T!�M�T4b�$������$�M�T8b�%������*�M�T<b�&������,�M�T@b�'������0�M�TDb�	(������0�M�THb�
) ������4�M�TLb�*@�����7�M�TPb�+��������M�TTb�
,�������M�TXb�-������N�T\b�.������N�T`b�@�����L�T�T�
@�����:�L�T�T�@�����;�L�T�T�@����$=�L�T�T�@�����=�L�T�T�@����<?�L�T�T�@����@�L�TU�
@�����L�TU�@�����A�L�TU�@�����BM�TU�
@����hC(M�TU�@����hC4M�TU�@����@M�TU�@����LM�TU�@����XM�TU�@����F�L�TU� @�����L�TU�!@�����L�TU�"@�����L�TU�#@����M�TU�$@�����L�TU�%@�����F�L�T8U�&@�����G�L�T8U�'@�����H�L�TTU�(@�����I�L�TTU�)@�����J�L�TpU�*
@�����L�TpU�+@�����L�TpU�,@����M�TpU�-@����dK�L�TpU��W�W�W�WPW`WpW�WW W0W@W�V�VWWEVT,	��b(c
�i8jDj�j�j�jCHANt�b�XMicrosoft-Windows-Kernel-PRM/OperationalTTBL�TEMP�Xd>a��⣩Ptd�⩴/����D�	EventDataA��?�oData'K�Name
ModuleGuid
A��E�oData-K�Name
ModuleVersion

A��;�oData#K�NameNtStatus

�d
�d
�dModuleGuid ModuleVersionNtStatusTEMP��fZ8s{y�[&��r�����D�	EventDataA��A�oData)K�NameHandlerGuid
A��?�oData'K�Name
ModuleGuid
A��E�oData-K�Name
ModuleVersion

A��I�oData1K�NameInterfaceStatus

A��E�oData-K�Name
HandlerStatus

g,g
Hg
hg
�gHandlerGuidModuleGuid ModuleVersion$InterfaceStatus HandlerStatusTEMP< i�s�uwsZ�p������>D�	EventDataA��A�oData)K�NameHandlerGuid
A��?�oData'K�Name
ModuleGuid
A��E�oData-K�Name
ModuleVersion

A��C�oData+K�NameDurationInUs

pi�i
�i
�iHandlerGuidModuleGuid ModuleVersion DurationInUsPRVAP�iMicrosoft-Windows-Kernel-PrmOPCOLEVLdPhjP�jwin:Error(win:InformationalTASKKEYWEVNT���\j�b��4cPj�b���dPj�b���gPj�bWEVT���	�k\ltn
3X3d3�3�=�>CHANtl����XMicrosoft-Windows-Kernel-Acpi/DiagnosticMAPSLm�l|l�l�lVMAP$�m��VMAP$n��VMAP$Tn��VMAPd�m
��	�
���
���	�VMAPhm�����<MapAcpiFanStatusChangeSpeed,MapAcpiOverrideTypeHMapActiveCoolingDevicePowerState<MapAmlMethodInvocationState MapResetTypeTTBL��&TEMPL(q}9/��`XuN�y����tD�	EventDataA��C�oData+K�NameResourceFlag
A��A�oData)K�NameGeneralFlag
A��K�oData3K�NameTypeSpecificFlag
A��A�oData)K�NameGranularity

A��?�oData'K�Name
AddressMin

A��?�oData'K�Name
AddressMax

A��O�oData7K�NameAddressTranslation

A��E�oData-K�Name
AddressLength

�q�qr
,r
Hr
dr
�r
�r ResourceFlagGeneralFlag(TypeSpecificFlagGranularityAddressMinAddressMax,AddressTranslation AddressLengthTEMP\�s�K���;T]��cAl쪙���D�	EventDataA��A�oData)K�NameGpeRegister
A��O�oData7K�NameUnexpectedEventMap
�s�sGpeRegister,UnexpectedEventMapTEMP�xxÈ�m��_:����Rt���D�	EventDataA��i�oDataQK�NameThermalZoneDeviceInstanceLength
A��]�oDataEK�NameThermalZoneDeviceInstance
A��3�oDataK�Name_TMP
A��3�oDataK�Name_PSV
A��3�oDataK�Name_AC0
A��3�oDataK�Name_AC1
A��3�oDataK�Name_AC2
A��3�oDataK�Name_AC3
A��3�oDataK�Name_AC4
A��3�oDataK�Name_AC5
	A��3�oDataK�Name_AC6
A��3�oDataK�Name_AC7
A��3�oDataK�Name_AC8
A��3�oDataK�Name_AC9

A��3�oDataK�Name_HOT
A��3�oDataK�Name_CRT
�y�y4zDzTzdztz�z�z�z�z�z�z�z�z{DThermalZoneDeviceInstanceLength8ThermalZoneDeviceInstance_TMP_PSV_AC0_AC1_AC2_AC3_AC4_AC5_AC6_AC7_AC8_AC9_HOT_CRTTEMPH<~�~���\K�+I���S���D�	EventDataA��i�oDataQK�NameThermalZoneDeviceInstanceLength
A��]�oDataEK�NameThermalZoneDeviceInstance
A��O�oData7K�NameActiveCoolingLevel
A��[�oDataCK�NameActiveCoolingDeviceIndex
A��Y�oDataAK�NameFanDeviceInstanceLength
A��M�oData5K�NameFanDeviceInstance
A��K�oData3K�NamePowerStateLength
A��?�oData'K�Name
PowerState
�~ X����@�DThermalZoneDeviceInstanceLength8ThermalZoneDeviceInstance,ActiveCoolingLevel8ActiveCoolingDeviceIndex4FanDeviceInstanceLength(FanDeviceInstance(PowerStateLengthPowerStateTEMP�0�n�V^�_V?��{Lv���D�	EventDataA��i�oDataQK�NameThermalZoneDeviceInstanceLength
A��]�oDataEK�NameThermalZoneDeviceInstance
A��O�oData7K�NameActiveCoolingLevel
A��[�oDataCK�NameActiveCoolingDeviceIndex
A��Y�oDataAK�NameFanDeviceInstanceLength
A��M�oData5K�NameFanDeviceInstance
A��?�oData'K�Name
PowerState
���8�d���Є|l��DThermalZoneDeviceInstanceLength8ThermalZoneDeviceInstance,ActiveCoolingLevel8ActiveCoolingDeviceIndex4FanDeviceInstanceLength(FanDeviceInstancePowerStateTEMP�P���]}�[���q�M��D�	EventDataA��S�oData;K�NameDeviceInstanceLength
A��G�oData/K�NameDeviceInstance
A��?�oData'K�Name
PowerState
����|l�0DeviceInstanceLength$DeviceInstancePowerStateTEMP�4���۸�̫S����m`���D�	EventDataA��S�oData;K�NameDeviceInstanceLength
A��G�oData/K�NameDeviceInstance
A��;�oData#K�NameThrottle
p���Ĉ0DeviceInstanceLength$DeviceInstanceThrottleTEMPX\�A*7���U�
G9P����JD�	EventDataA��S�oData;K�NameDeviceInstanceLength
A��G�oData/K�NameDeviceInstance
A��?�oData'K�Name
PowerState
A��;�oData#K�NameThrottle
��܊|l��0DeviceInstanceLength$DeviceInstancePowerStateThrottleTEMP@����j�焴Y�E��3rZ��6D�	EventDataA��i�oDataQK�NameThermalZoneDeviceInstanceLength
A��]�oDataEK�NameThermalZoneDeviceInstance
A��A�oData)K�NameTemperature
܌ �X�DThermalZoneDeviceInstanceLength8ThermalZoneDeviceInstanceTemperatureTEMPt��]��S���X�;@��ZD�	EventDataA��Q�oData9K�NameAmlMethodNameLength
A��E�oData-K�Name
AmlMethodName
A��G�oData/K�NameAmlMethodState
A��G�oData/K�NameAmlElapsedTime

T����l��

ď,AmlMethodNameLength AmlMethodName$AmlMethodState$AmlElapsedTimeTEMP� ���k�_�]�6����D�	EventDataA��Q�oData9K�NameAmlMethodNameLength
A��E�oData-K�Name
AmlMethodName
A��=�oData%K�Name	Frequency

\���

��,AmlMethodNameLength AmlMethodNameFrequencyTEMP,,p����q"^�8�Iy,���zD�	EventDataA��]�oDataEK�NameThermalZoneBiosNameLength
A��Q�oData9K�NameThermalZoneBiosName
A��3�oDataK�Name_TMP
A��3�oDataK�Name_PSV
A��3�oDataK�Name_TC1
A��3�oDataK�Name_TC2
A��3�oDataK�Name_TSP
A��3�oDataK�Name_AC0
A��3�oDataK�Name_AC1
A��3�oDataK�Name_AC2
	A��3�oDataK�Name_AC3
A��3�oDataK�Name_AC4
A��3�oDataK�Name_AC5
A��3�oDataK�Name_AC6

A��3�oDataK�Name_AC7
A��3�oDataK�Name_AC8
A��3�oDataK�Name_AC9
A��3�oDataK�Name_HOT
A��3�oDataK�Name_CRT
A��3�oDataK�Name_NTT
A��=�oData%K�Name	_PSLCount
A��A�oData)K�Name_PSLEntries
�A��=�oData%K�Name	_TZDCount
A��A�oData)K�Name_TZDEntries
�A��=�oData%K�Name	_AL0Count
A��A�oData)K�Name_AL0Entries
�A��=�oData%K�Name	_AL1Count
A��A�oData)K�Name_AL1Entries
�A��=�oData%K�Name	_AL2Count
A��A�oData)K�Name_AL2Entries
�A��=�oData%K�Name	_AL3Count
A��A�oData)K�Name_AL3Entries
�A��=�oData%K�Name	_AL4Count
 A��A�oData)K�Name_AL4Entries
!�A��=�oData%K�Name	_AL5Count
"A��A�oData)K�Name_AL5Entries
#�A��=�oData%K�Name	_AL6Count
$A��A�oData)K�Name_AL6Entries
%�A��=�oData%K�Name	_AL7Count
&A��A�oData)K�Name_AL7Entries
'�A��=�oData%K�Name	_AL8Count
(A��A�oData)K�Name_AL8Entries
)�A��=�oData%K�Name	_AL9Count
*A��A�oData)K�Name_AL9Entries
+���D�T�d�t���������ġԡ����$�4�D�T�d�|�����̢���4�L�h����� ��У"��$�8�&P�l�(����*��8ThermalZoneBiosNameLength,ThermalZoneBiosName_TMP_PSV_TC1_TC2_TSP_AC0_AC1_AC2_AC3_AC4_AC5_AC6_AC7_AC8_AC9_HOT_CRT_NTT_PSLCount_PSLEntries_TZDCount_TZDEntries_AL0Count_AL0Entries_AL1Count_AL1Entries_AL2Count_AL2Entries_AL3Count_AL3Entries_AL4Count_AL4Entries_AL5Count_AL5Entries_AL6Count_AL6Entries_AL7Count_AL7Entries_AL8Count_AL8Entries_AL9Count_AL9EntriesTEMP�--԰~����kU�RQ��ow����D�	EventDataA��]�oDataEK�NameThermalZoneBiosNameLength
A��Q�oData9K�NameThermalZoneBiosName
A��3�oDataK�Name_TMP
A��3�oDataK�Name_PSV
A��3�oDataK�Name_TC1
A��3�oDataK�Name_TC2
A��3�oDataK�Name_TSP
A��3�oDataK�Name_AC0
A��3�oDataK�Name_AC1
A��3�oDataK�Name_AC2
	A��3�oDataK�Name_AC3
A��3�oDataK�Name_AC4
A��3�oDataK�Name_AC5
A��3�oDataK�Name_AC6

A��3�oDataK�Name_AC7
A��3�oDataK�Name_AC8
A��3�oDataK�Name_AC9
A��3�oDataK�Name_HOT
A��3�oDataK�Name_CRT
A��3�oDataK�Name_NTT
A��=�oData%K�Name	_PSLCount
A��A�oData)K�Name_PSLEntries
�A��=�oData%K�Name	_TZDCount
A��A�oData)K�Name_TZDEntries
�A��=�oData%K�Name	_AL0Count
A��A�oData)K�Name_AL0Entries
�A��=�oData%K�Name	_AL1Count
A��A�oData)K�Name_AL1Entries
�A��=�oData%K�Name	_AL2Count
A��A�oData)K�Name_AL2Entries
�A��=�oData%K�Name	_AL3Count
A��A�oData)K�Name_AL3Entries
�A��=�oData%K�Name	_AL4Count
 A��A�oData)K�Name_AL4Entries
!�A��=�oData%K�Name	_AL5Count
"A��A�oData)K�Name_AL5Entries
#�A��=�oData%K�Name	_AL6Count
$A��A�oData)K�Name_AL6Entries
%�A��=�oData%K�Name	_AL7Count
&A��A�oData)K�Name_AL7Entries
'�A��=�oData%K�Name	_AL8Count
(A��A�oData)K�Name_AL8Entries
)�A��=�oData%K�Name	_AL9Count
*A��A�oData)K�Name_AL9Entries
+�A��I�oData1K�NameMinimumThrottle
,X�����̴ܴ�����,�<�L�\�l�|���������̵ܵ��(�D�\�x�����Ķ���� ,�H�"`�|�$����&ȷ�(���*0�L�8ThermalZoneBiosNameLength,ThermalZoneBiosName_TMP_PSV_TC1_TC2_TSP_AC0_AC1_AC2_AC3_AC4_AC5_AC6_AC7_AC8_AC9_HOT_CRT_NTT_PSLCount_PSLEntries_TZDCount_TZDEntries_AL0Count_AL0Entries_AL1Count_AL1Entries_AL2Count_AL2Entries_AL3Count_AL3Entries_AL4Count_AL4Entries_AL5Count_AL5Entries_AL6Count_AL6Entries_AL7Count_AL7Entries_AL8Count_AL8Entries_AL9Count_AL9Entries$MinimumThrottleTEMP�00@����p`�~S�㔿�,�����D�	EventDataA��]�oDataEK�NameThermalZoneBiosNameLength
A��Q�oData9K�NameThermalZoneBiosName
A��3�oDataK�Name_TMP
A��3�oDataK�Name_PSV
A��3�oDataK�Name_TC1
A��3�oDataK�Name_TC2
A��3�oDataK�Name_TSP
A��3�oDataK�Name_AC0
A��3�oDataK�Name_AC1
A��3�oDataK�Name_AC2
	A��3�oDataK�Name_AC3
A��3�oDataK�Name_AC4
A��3�oDataK�Name_AC5
A��3�oDataK�Name_AC6

A��3�oDataK�Name_AC7
A��3�oDataK�Name_AC8
A��3�oDataK�Name_AC9
A��3�oDataK�Name_HOT
A��3�oDataK�Name_CRT
A��3�oDataK�Name_NTT
A��=�oData%K�Name	_PSLCount
A��A�oData)K�Name_PSLEntries
�A��=�oData%K�Name	_TZDCount
A��A�oData)K�Name_TZDEntries
�A��=�oData%K�Name	_AL0Count
A��A�oData)K�Name_AL0Entries
�A��=�oData%K�Name	_AL1Count
A��A�oData)K�Name_AL1Entries
�A��=�oData%K�Name	_AL2Count
A��A�oData)K�Name_AL2Entries
�A��=�oData%K�Name	_AL3Count
A��A�oData)K�Name_AL3Entries
�A��=�oData%K�Name	_AL4Count
 A��A�oData)K�Name_AL4Entries
!�A��=�oData%K�Name	_AL5Count
"A��A�oData)K�Name_AL5Entries
#�A��=�oData%K�Name	_AL6Count
$A��A�oData)K�Name_AL6Entries
%�A��=�oData%K�Name	_AL7Count
&A��A�oData)K�Name_AL7Entries
'�A��=�oData%K�Name	_AL8Count
(A��A�oData)K�Name_AL8Entries
)�A��=�oData%K�Name	_AL9Count
*A��A�oData)K�Name_AL9Entries
+�A��I�oData1K�NameMinimumThrottle
,A��3�oDataK�Name_CR3
-A��3�oDataK�Name_TFP
.A��U�oData=K�NameOverThrottleThreshold
/�8�d�t�������������������$�4�D�T�d�t������������ �8�T�l������� ����"�$�$<�X�&p���(����*�����(�8�8ThermalZoneBiosNameLength,ThermalZoneBiosName_TMP_PSV_TC1_TC2_TSP_AC0_AC1_AC2_AC3_AC4_AC5_AC6_AC7_AC8_AC9_HOT_CRT_NTT_PSLCount_PSLEntries_TZDCount_TZDEntries_AL0Count_AL0Entries_AL1Count_AL1Entries_AL2Count_AL2Entries_AL3Count_AL3Entries_AL4Count_AL4Entries_AL5Count_AL5Entries_AL6Count_AL6Entries_AL7Count_AL7Entries_AL8Count_AL8Entries_AL9Count_AL9Entries$MinimumThrottle_CR3_TFP0OverThrottleThresholdTEMP22�� ���;;Rwi��Q���6
D�	EventDataA��]�oDataEK�NameThermalZoneBiosNameLength
A��Q�oData9K�NameThermalZoneBiosName
A��3�oDataK�Name_TMP
A��3�oDataK�Name_PSV
A��3�oDataK�Name_TC1
A��3�oDataK�Name_TC2
A��3�oDataK�Name_TSP
A��3�oDataK�Name_AC0
A��3�oDataK�Name_AC1
A��3�oDataK�Name_AC2
	A��3�oDataK�Name_AC3
A��3�oDataK�Name_AC4
A��3�oDataK�Name_AC5
A��3�oDataK�Name_AC6

A��3�oDataK�Name_AC7
A��3�oDataK�Name_AC8
A��3�oDataK�Name_AC9
A��3�oDataK�Name_HOT
A��3�oDataK�Name_CRT
A��3�oDataK�Name_NTT
A��=�oData%K�Name	_PSLCount
A��A�oData)K�Name_PSLEntries
�A��=�oData%K�Name	_TZDCount
A��A�oData)K�Name_TZDEntries
�A��=�oData%K�Name	_AL0Count
A��A�oData)K�Name_AL0Entries
�A��=�oData%K�Name	_AL1Count
A��A�oData)K�Name_AL1Entries
�A��=�oData%K�Name	_AL2Count
A��A�oData)K�Name_AL2Entries
�A��=�oData%K�Name	_AL3Count
A��A�oData)K�Name_AL3Entries
�A��=�oData%K�Name	_AL4Count
 A��A�oData)K�Name_AL4Entries
!�A��=�oData%K�Name	_AL5Count
"A��A�oData)K�Name_AL5Entries
#�A��=�oData%K�Name	_AL6Count
$A��A�oData)K�Name_AL6Entries
%�A��=�oData%K�Name	_AL7Count
&A��A�oData)K�Name_AL7Entries
'�A��=�oData%K�Name	_AL8Count
(A��A�oData)K�Name_AL8Entries
)�A��=�oData%K�Name	_AL9Count
*A��A�oData)K�Name_AL9Entries
+�A��I�oData1K�NameMinimumThrottle
,A��3�oDataK�Name_CR3
-A��3�oDataK�Name_TFP
.A��U�oData=K�NameOverThrottleThreshold
/A��M�oData5K�NameDescriptionLength
0A��A�oData)K�NameDescription
1���� �0�@�P�`�p������������������� �0�@�X�t������������(�D�\�x� ����"����$���&,�H�(`�|�*����������$�0L�8ThermalZoneBiosNameLength,ThermalZoneBiosName_TMP_PSV_TC1_TC2_TSP_AC0_AC1_AC2_AC3_AC4_AC5_AC6_AC7_AC8_AC9_HOT_CRT_NTT_PSLCount_PSLEntries_TZDCount_TZDEntries_AL0Count_AL0Entries_AL1Count_AL1Entries_AL2Count_AL2Entries_AL3Count_AL3Entries_AL4Count_AL4Entries_AL5Count_AL5Entries_AL6Count_AL6Entries_AL7Count_AL7Entries_AL8Count_AL8Entries_AL9Count_AL9Entries$MinimumThrottle_CR3_TFP0OverThrottleThreshold(DescriptionLengthDescriptionTEMP\33�bH׮�5S��E$�7"��p
D�	EventDataA��]�oDataEK�NameThermalZoneBiosNameLength
A��Q�oData9K�NameThermalZoneBiosName
A��3�oDataK�Name_TMP
A��3�oDataK�Name_PSV
A��3�oDataK�Name_TC1
A��3�oDataK�Name_TC2
A��3�oDataK�Name_TSP
A��3�oDataK�Name_AC0
A��3�oDataK�Name_AC1
A��3�oDataK�Name_AC2
	A��3�oDataK�Name_AC3
A��3�oDataK�Name_AC4
A��3�oDataK�Name_AC5
A��3�oDataK�Name_AC6

A��3�oDataK�Name_AC7
A��3�oDataK�Name_AC8
A��3�oDataK�Name_AC9
A��3�oDataK�Name_HOT
A��3�oDataK�Name_CRT
A��3�oDataK�Name_NTT
A��=�oData%K�Name	_PSLCount
A��A�oData)K�Name_PSLEntries
�A��=�oData%K�Name	_TZDCount
A��A�oData)K�Name_TZDEntries
�A��=�oData%K�Name	_AL0Count
A��A�oData)K�Name_AL0Entries
�A��=�oData%K�Name	_AL1Count
A��A�oData)K�Name_AL1Entries
�A��=�oData%K�Name	_AL2Count
A��A�oData)K�Name_AL2Entries
�A��=�oData%K�Name	_AL3Count
A��A�oData)K�Name_AL3Entries
�A��=�oData%K�Name	_AL4Count
 A��A�oData)K�Name_AL4Entries
!�A��=�oData%K�Name	_AL5Count
"A��A�oData)K�Name_AL5Entries
#�A��=�oData%K�Name	_AL6Count
$A��A�oData)K�Name_AL6Entries
%�A��=�oData%K�Name	_AL7Count
&A��A�oData)K�Name_AL7Entries
'�A��=�oData%K�Name	_AL8Count
(A��A�oData)K�Name_AL8Entries
)�A��=�oData%K�Name	_AL9Count
*A��A�oData)K�Name_AL9Entries
+�A��I�oData1K�NameMinimumThrottle
,A��3�oDataK�Name_CR3
-A��3�oDataK�Name_TFP
.A��U�oData=K�NameOverThrottleThreshold
/A��M�oData5K�NameDescriptionLength
0A��A�oData)K�NameDescription
1A��3�oDataK�Name_TZP
2�@�l�|����������������,�<�L�\�l�|����������(�@�\�t������ ���"�,�$D�`�&x���(���*��� �0�@�p�0����8ThermalZoneBiosNameLength,ThermalZoneBiosName_TMP_PSV_TC1_TC2_TSP_AC0_AC1_AC2_AC3_AC4_AC5_AC6_AC7_AC8_AC9_HOT_CRT_NTT_PSLCount_PSLEntries_TZDCount_TZDEntries_AL0Count_AL0Entries_AL1Count_AL1Entries_AL2Count_AL2Entries_AL3Count_AL3Entries_AL4Count_AL4Entries_AL5Count_AL5Entries_AL6Count_AL6Entries_AL7Count_AL7Entries_AL8Count_AL8Entries_AL9Count_AL9Entries$MinimumThrottle_CR3_TFP0OverThrottleThreshold(DescriptionLengthDescription_TZPTEMP�����N��2]���7y�L����D�	EventDataA��M�oData5K�NameFanBiosNameLength
A��A�oData)K�NameFanBiosName
A��C�oData+K�NameFstSupported

A��?�oData'K�Name
PowerState
A��9�oData!K�NameControl
��

(�|lH�d�(FanBiosNameLengthFanBiosName FstSupportedPowerStateControlTEMPp�'��jKY���m����D�	EventDataA��M�oData5K�NameFanBiosNameLength
A��A�oData)K�NameFanBiosName
A��C�oData+K�NameFstSupported

A��?�oData'K�Name
PowerState
A��9�oData!K�NameControl
A��5�oDataK�NameSpeed
��

,�|lL�h�Lm|�(FanBiosNameLengthFanBiosName FstSupportedPowerStateControlSpeedTEMP��v��'_�֓
3�>���D�	EventDataA��M�oData5K�NameFanBiosNameLength
A��A�oData)K�NameFanBiosName
A��?�oData'K�Name
PowerState
� |l<(FanBiosNameLengthFanBiosNamePowerStateTEMP�����
�(�Z��Ӗ���z���D�	EventDataA��M�oData5K�NameFanBiosNameLength
A��A�oData)K�NameFanBiosName
A��9�oData!K�NameControl
��(FanBiosNameLengthFanBiosNameControlTEMP �ko%�
�P�sƻ7D���2D�	EventDataA��M�oData5K�NameFanBiosNameLength
A��A�oData)K�NameFanBiosName
A��9�oData!K�NameControl
A��5�oDataK�NameSpeed
��Lm((FanBiosNameLengthFanBiosNameControlSpeedTEMP`H�-F)徤^Y(K�P��C���D�	EventDataA��i�oDataQK�NameThermalZoneDeviceInstanceLength
A��]�oDataEK�NameThermalZoneDeviceInstance
A��S�oData;K�NameDeviceInstanceLength
A��G�oData/K�NameDeviceInstance
A��?�oData'K�Name
PowerState
��(X|l|DThermalZoneDeviceInstanceLength8ThermalZoneDeviceInstance0DeviceInstanceLength$DeviceInstancePowerStateTEMPl�
7i�u�p]^H���)���D�	EventDataA��i�oDataQK�NameThermalZoneDeviceInstanceLength
A��]�oDataEK�NameThermalZoneDeviceInstance
A��S�oData;K�NameDeviceInstanceLength
A��G�oData/K�NameDeviceInstance
A��E�oData-K�Name
ThrottleLimit
X���DThermalZoneDeviceInstanceLength8ThermalZoneDeviceInstance0DeviceInstanceLength$DeviceInstance ThrottleLimitTEMP`�
ro�窯Q�Z�ٍ����PD�	EventDataA��S�oData;K�NameDeviceBiosNameLength
A��G�oData/K�NameDeviceBiosName
A��I�oData1K�NameDeviceResetType
A��7�oDataK�NameStatus
�
�l,P0DeviceBiosNameLength$DeviceBiosName$DeviceResetTypeStatusTEMP�]�	V�DW�gguF��lD�	EventDataA��K�oData3K�NameAcpiOverrideType
�l(AcpiOverrideTypeTEMP|H!6�;xv0R��F��*����D�	EventDataA��5�oDataK�NameScope
A��7�oDataK�NameObject
A��7�oDataK�NameStatus
���ScopeObjectStatusTEMP�XJ.�K�4T���F����hD�	EventDataA��_�oDataGK�NameButtonDeviceInstanceLength
A��S�oData;K�NameButtonDeviceInstance
A��C�oData+K�NameCapabilities
A��=�oData%K�Name	EventMask
��4<ButtonDeviceInstanceLength0ButtonDeviceInstance CapabilitiesEventMaskTEMPl�
����(U�:Z�����VD�	EventDataA��_�oDataGK�NameButtonDeviceInstanceLength
A��S�oData;K�NameButtonDeviceInstance
A��=�oData%K�Name	EventMask
A��1�oDataK�NameIrp

(d�
�<ButtonDeviceInstanceLength0ButtonDeviceInstanceEventMaskIrpTEMP����f�P�É�M���D�	EventDataA��S�oData;K�NameType34SupportEnabled
A��?�oData'K�Name
SubspaceId
A��3�oDataK�NameType
A��5�oDataK�NameState
A��O�oData7K�NameInterruptSupported
A��G�oData/K�NameInterruptFlags
A��3�oDataK�NameGSIV
A��G�oData/K�NameNominalLatency
A��[�oDataCK�NameAdvertisedNominalLatency
A��U�oData=K�NameMaxPeriodicAccessRate
	A��[�oDataCK�NameMinRequestTurnaroundTime
A��A�oData)K�NameInitFailure
A��C�oData+K�NameEjectFailure
A��G�oData/K�NameWDTimeoutCount

A��M�oData5K�NameWDTimerAttributes
A��a�oDataIK�NameSharedRegionPhysicalAddress

A��O�oData7K�NameSharedRegionLength
A��E�oData-K�Name
RegisterCount
A��KZ�ComplexData%K�Name	Registers
�D`p����<l��� 
, h � � 
� � !,!D!
`!
t!
�!0Type34SupportEnabledSubspaceIdTypeState,InterruptSupported$InterruptFlagsGSIV$NominalLatency8AdvertisedNominalLatency0MaxPeriodicAccessRate8MinRequestTurnaroundTimeInitFailure EjectFailure$WDTimeoutCount(WDTimerAttributes<SharedRegionPhysicalAddress,SharedRegionLength RegisterCountRegisters$PhysicalAddress$AddressSpaceIdBitWidthBitOffsetAccessSizeAddress PreserveMask$UpdateCheckMaskTEMP�X#���7|�~ZG�����<��jD�	EventDataA��?�oData'K�Name
SubspaceId
A��3�oDataK�NameType
A��7�oDataK�NameResult
A��C�oData+K�NameEjectFailure
A��A�oData)K�NameInitFailure
�#�#�#�#$SubspaceIdTypeResult EjectFailureInitFailureTEMP��%v���V,�@ɚ����lD�	EventDataA��?�oData'K�Name
SubspaceId
A��=�oData%K�Name	PrevState
A��;�oData#K�NameNewState
A��A�oData)K�NameSyncAcquire
A��7�oDataK�NameResult
<&X&p&�&�&SubspaceIdPrevStateNewStateSyncAcquireResultTEMP(�Ĕg�O[ے5��5�:��$D�	EventDataA��?�oData'K�Name
SubspaceId
A��=�oData%K�Name	PrevState
A��;�oData#K�NameNewState
A��7�oDataK�NameResult
`(|(�(�(SubspaceIdPrevStateNewStateResultTEMP��*g&���mmV0���>�r���D�	EventDataA��?�oData'K�Name
SubspaceId
A��9�oData!K�NameCommand
A��=�oData%K�Name	PrevState
A��;�oData#K�NameNewState
A��E�oData-K�Name
DelayTimeInUs

A��7�oDataK�NameResult
+8+L+d+

|+�+SubspaceIdCommandPrevStateNewState DelayTimeInUsResultTEMP`�-�
M��ZY]�Zx������D�	EventDataA��?�oData'K�Name
SubspaceId
A��9�oData!K�NameCommand
A��M�oData5K�NameCommandInProgress
A��=�oData%K�Name	PrevState
A��;�oData#K�NameNewState
A��5�oDataK�NameError

A��7�oDataK�NameResult
d.�.�.�.�.

�.�.SubspaceIdCommand(CommandInProgressPrevStateNewStateErrorResultTEMPl0���CDt_�@�kIFȵ���D�	EventDataA��?�oData'K�Name
SubspaceId
A��Y�oDataAK�NameAccumulatedFailureCount
,0H0SubspaceId4AccumulatedFailureCountTEMP�1�����Vű7��f-��TD�	EventDataA��3�oDataK�NameGSIV
1GSIVTEMP��1$*��Qq�����XD�	EventDataA��7�oDataK�NameStatus
�1StatusTEMP,�2ҎM���Q�z��O�F���D�	EventDataA��;�oData#K�NamePromoted
A��=�oData%K�Name	NextState
�2�2PromotedNextStatePRVAP3Microsoft-Windows-Kernel-AcpiOPCOLEVL�P�3P�3P�3win:Errorwin:Warning(win:InformationalTASK�	"d�����7e�����7f����8g����<8h����l8i�����8j�����8k�����8l����$9m����T9n����|9o�����9p�����9q�����9r����:s����H:t�����:u�����:v����;w����$;x����D;y����\;z�����;{�����;|�����;}����<~����0<����\<������<������<������<�����=�����4=�����d=,ResourceTranslation(GpeEventHandling4TemperatureNotification0TripPointNotification8ActiveCoolingDevicePower$AmlMethodTrace,DeviceActiveCooling0DevicePassiveCooling0DeviceCoolingRundown(TemperatureChange,ThermalZoneRundownFanRundown,FanPowerStateChange$FanStatusChange4ActiveCoolingConstraintDActiveCoolingConstraintRundown8PassiveCoolingConstraintDPassiveCoolingConstraintRundownDeviceReset AcpiOverrideAMLIError(FrequentAmlMethod,ButtonNotification,ButtonIrpCompletion,PccSubspaceRundown(PccEjectSubspace,PccAcquireSubspace,PccReleaseSubspace(PccExecuteCommand,PccCommandComplete(PccCommandTimeout0PccPlatformInterrupt0S4DsmEvaluationFailed,MsStateNotificationKEYWh����>����0>����P>����h> �����>@�����>������>$acpi:Diagnostic acpi:Thermalacpi:PCC0ms:ReservedKeyword40 ms:Telemetryms:Measures$ms:CriticalDataEVNTt)d���n�3�3�F�ke���r�34�F�kf��(t�344�F�kg��(t�3P4�F�kh��{�3l4�F�kh��\��3l4�F�ki ��t��3�4�F�kj����3�4�F�k	k�	����3�4�F�k
l�
�܈�3�4�F�km�����4��3�4�F�kn��������35�F�kn�����Ԥ�35�F�kn�����p��35�F�kn�����h��35�F�kn�����h��35�F�k
o�������305�F�k
o�����x��305G�kp��������3L5G�kq�����X�3h5G�kq������3h5G�kr�����8�3�5G�ks�����8�3�5G�kt�������3�5G�ku�������3�5G�kv ���3�5 G�kw ��d�36(G�kx��@p3,60G�ky���|3H64G�kz����3d68G�k{��L�3�6<G�k|�������3�6@G�k}������!�3�6DG�k~�����8$�3�6HG�k������&�3�6LG�k�������(�37PG�k�������+�3(7TG�k ������/�3D7XG�k!������|0�3`7\G�k"��"�(1�3|7`G�k#�������1�3�7dG�k�=�=�=�=�=�=�=�=�=�=�=�=�=�=�=�=�=�=�=�=�=�=�=�=�=�=�=�=�=�=�=�=�=�=�=�=�=�=�=�=�=�=�=�=�=WEVT$��G�H
�V�V(W�W�W ZCHAN�G	�H����lH����ApplicationXMicrosoft-Windows-User-Loader/OperationalTMicrosoft-Windows-User-Loader/AnalyticTTBL�

TEMP�\I�<z�#aSl3�z�R���\D�	EventDataA��;�oData#K�NameFileName
pIFileNameTEMP�JT��̫�[��L?��ZD�	EventDataA��9�oData!K�NameDllName
,JDllNameTEMP�LKSη��C�Rd���7!C%���D�	EventDataA��]�oDataEK�NameProcessFileNamePathLength
A��Q�oData9K�NameProcessFileNamePath
tK�K8ProcessFileNamePathLength,ProcessFileNamePathTEMP�M
n��f�S��}�<���D�	EventDataA��E�oData-K�Name
FailureReason
A��E�oData-K�Name
ImportDllName
A��C�oData+K�NameExportModule
DMdM�M FailureReason ImportDllName ExportModuleTEMP��N��E�Q������BA���]EventXML+�xmlnsUser-Loader��&.�
FailureReason
��&�
ImportDllName
��,1ProcessImagePath
�NO(O FailureReason ImportDllName(ProcessImagePathTEMPL,P~�"��@\n٦��A���]EventXML+�xmlnsUser-Loader��,1ProcessImagePath
��&��
CurDirDllPath
TP|P(ProcessImagePath CurDirDllPathTEMP��Q½s��)�[�C�s�۴A���]EventXML+�xmlnsUser-Loader��,1ProcessImagePath
��&��
CurDirDllPath
��$��FoundDllPath
�QR(R(ProcessImagePath CurDirDllPath FoundDllPathTEMP��S(/E��TRO�^�]L���D�	EventDataA��E�oData-K�Name
FailureReason
A��E�oData-K�Name
ImportDllName
A��K�oData3K�NameProcessImagePath
�S�S�S FailureReason ImportDllName(ProcessImagePathTEMP��T�<z�#aSl3�z�R���\D�	EventDataA��;�oData#K�NameFileName
�TFileNameTEMP�Vϙ���G\���{�ɼ>���D�	EventDataA��=�oData%K�Name	ProcessId
A��U�oData=K�NameSuspendProcessRequest
A��9�oData!K�NameDLLName
LVdV�VProcessId0SuspendProcessRequestDLLNamePRVAP�VMicrosoft-Windows-User-LoaderOPCO01Wwin:InfoLEVL�UdWP�WP�WP�W win:Criticalwin:Errorwin:Warning(win:InformationalTASKKEYW4XX �X@�X�<Y	|Y
�YLUSER_LOADER_KEYWORD_DEPRECATED_DLLPUSER_LOADER_FATAL_CALLBACK_EXCEPTIONHUSER_LOADER_KEYWORD_LOAD_FAILURE@USER_LOADER_LAUNCH_16BIT_APPTUSER_LOADER_KEYWORD_COMPONENT_ON_DEMANDPUSER_LOADER_KEYWORD_LOAD_FATAL_ERROREVNTp ��HWXWp\�G  �@JWXWt\�G@ 
HRWXWx\�G� �$TWXW|\�G ��TWXW�\�G ��HWLW�\�G ��HWLW�\�G 
�KWXW�G	 	��HW4W�\�G
	�
�MWXW�G	��PWLW�G	�POW@W�G�WXX(X8XHXHXHXWEVTt��\
`]�]�]8^|^�^CHAN��\����lMicrosoft-Windows-Kernel-BootDiagnostics/DiagnosticPRVAht]Microsoft-Windows-Kernel-BootDiagnosticsOPCO02�]win:StartLEVL@P^(win:InformationalTASKD�����`^SystemBootKEYWD1�^(win:ResponseTimeEVNTD��������]^D^_�\�^WEVT�5����T_�_
��P�Ȏ����CHAN|p_����`Microsoft-Windows-Kernel-Prefetch/DiagnosticTTBL(.
TEMPhda	{]�̝�S�V��..Ϫ��RD�	EventDataA��O�oData7K�NameScenarioNameLength
A��C�oData+K�NameScenarioName
A��G�oData/K�NameScenarioHashId
A��C�oData+K�NameScenarioType
�a�ab$b,ScenarioNameLength ScenarioName$ScenarioHashId ScenarioTypeTEMP��d��0�nd^ᥦ�\�-y��6D�	EventDataA��O�oData7K�NameScenarioNameLength
A��C�oData+K�NameScenarioName
A��G�oData/K�NameScenarioHashId
A��C�oData+K�NameScenarioType
A��E�oData-K�Name
PrefetchPhase
A��C�oData+K�NamePrefetchType
A��G�oData/K�NameIsTricklePhase
<ehe�e�e�e�ef,ScenarioNameLength ScenarioName$ScenarioHashId ScenarioType PrefetchPhase PrefetchType$IsTricklePhaseTEMP��h;�
/�T�'�6z�f���>D�	EventDataA��O�oData7K�NameScenarioNameLength
A��C�oData+K�NameScenarioName
A��G�oData/K�NameScenarioHashId
A��C�oData+K�NameScenarioType
A��M�oData5K�NamePrefetchPhaseMask
A��C�oData+K�NamePrefetchType
A��G�oData/K�NameIsTricklePhase
0i\i|i�i�i�ij,ScenarioNameLength ScenarioName$ScenarioHashId ScenarioType(PrefetchPhaseMask PrefetchType$IsTricklePhaseTEMP		8m��Q�NoY���A����D�	EventDataA��O�oData7K�NameScenarioNameLength
A��C�oData+K�NameScenarioName
A��G�oData/K�NameScenarioHashId
A��C�oData+K�NameScenarioType
A��E�oData-K�Name
PrefetchPhase
A��C�oData+K�NamePrefetchType
A��G�oData/K�NameIsTricklePhase
A��O�oData7K�NameNumPagesPrefetched

A��C�oData+K�NameNumReadLists
�mn8n\n|n�n�n

�no,ScenarioNameLength ScenarioName$ScenarioHashId ScenarioType PrefetchPhase PrefetchType$IsTricklePhase,NumPagesPrefetched NumReadListsTEMP		@r��|Xo�^{�k�1�l���D�	EventDataA��O�oData7K�NameScenarioNameLength
A��C�oData+K�NameScenarioName
A��G�oData/K�NameScenarioHashId
A��C�oData+K�NameScenarioType
A��M�oData5K�NamePrefetchPhaseMask
A��C�oData+K�NamePrefetchType
A��G�oData/K�NameIsTricklePhase
A��O�oData7K�NameNumPagesPrefetched

A��C�oData+K�NameNumReadLists
�r s@sds�s�s�s

�st,ScenarioNameLength ScenarioName$ScenarioHashId ScenarioType(PrefetchPhaseMask PrefetchType$IsTricklePhase,NumPagesPrefetched NumReadListsTEMP�v��<޲5�U�K���v����D�	EventDataA��O�oData7K�NameScenarioNameLength
A��C�oData+K�NameScenarioName
A��G�oData/K�NameScenarioHashId
A��C�oData+K�NameScenarioType
A��E�oData-K�Name
PrefetchPhase
tv�v�v�vw,ScenarioNameLength ScenarioName$ScenarioHashId ScenarioType PrefetchPhaseTEMP�y*�B�eh9[�������D�	EventDataA��O�oData7K�NameScenarioNameLength
A��C�oData+K�NameScenarioName
A��G�oData/K�NameScenarioHashId
A��C�oData+K�NameScenarioType
A��M�oData5K�NamePrefetchPhaseMask
dy�y�y�y�y,ScenarioNameLength ScenarioName$ScenarioHashId ScenarioType(PrefetchPhaseMaskTEMPh�{	{]�̝�S�V��..Ϫ��RD�	EventDataA��O�oData7K�NameScenarioNameLength
A��C�oData+K�NameScenarioName
A��G�oData/K�NameScenarioHashId
A��C�oData+K�NameScenarioType
�{ |@|d|,ScenarioNameLength ScenarioName$ScenarioHashId ScenarioTypeTEMP�P~�.d�2ˮV��O��`���D�	EventDataA��O�oData7K�NameScenarioNameLength
A��C�oData+K�NameScenarioName
A��G�oData/K�NameScenarioHashId
A��C�oData+K�NameScenarioType
A��=�oData%K�Name	EndReason
�~�~$D,ScenarioNameLength ScenarioName$ScenarioHashId ScenarioTypeEndReasonTEMP���������\Ic�ܑ(���0D�	EventDataA��O�oData7K�NameScenarioNameLength
A��C�oData+K�NameScenarioName
A��G�oData/K�NameScenarioHashId
A��C�oData+K�NameScenarioType
A��A�oData)K�NameActionFlags
A��A�oData)K�NameTraceReason
A��G�oData/K�NamePrefetchReason
L�x�����܂���,ScenarioNameLength ScenarioName$ScenarioHashId ScenarioTypeActionFlagsTraceReason$PrefetchReasonTEMP�		D��Y�	U��Z����������D�	EventDataA��O�oData7K�NameScenarioNameLength
A��C�oData+K�NameScenarioName
A��G�oData/K�NameScenarioHashId
A��C�oData+K�NameScenarioType
A��A�oData)K�NameActionFlags
A��A�oData)K�NameTraceReason
A��G�oData/K�NamePrefetchReason
A��A�oData)K�NameNumLaunches
A��W�oData?K�NameTimeSinceLastLaunchInS
��$�D�h���������,ScenarioNameLength ScenarioName$ScenarioHashId ScenarioTypeActionFlagsTraceReason$PrefetchReasonNumLaunches4TimeSinceLastLaunchInSTEMP��Z
G,�GQ��W93�����D�	EventDataA��O�oData7K�NameScenarioNameLength
A��C�oData+K�NameScenarioName
A��G�oData/K�NameScenarioHashId
A��C�oData+K�NameScenarioType
A��G�oData/K�NameWorkItemsCount
l�����܊��,ScenarioNameLength ScenarioName$ScenarioHashId ScenarioType$WorkItemsCountTEMP��ޞoد=�QI���������D�	EventDataA��O�oData7K�NameScenarioNameLength
A��C�oData+K�NameScenarioName
A��G�oData/K�NameScenarioHashId
A��C�oData+K�NameScenarioType
A��=�oData%K�Name	NumPhases
P�|������,ScenarioNameLength ScenarioName$ScenarioHashId ScenarioTypeNumPhasesPRVAX�Microsoft-Windows-Kernel-PrefetchOPCOx1��2��2��win:Infowin:Startwin:StopLEVL@P�(win:InformationalTASK�����؏���������(�����D�����\�	������
������(PrefetchSections(PrefetchMetadataOpenVolumesEndTrace(ScenarioDecision GetReadListsAsyncWorkerKEYWD ����ܐ(BasicInformationEVNT� �����Dbh�Ԏ�x�`_ �����0fh�Ԏ�|�`_ �����,jt�Ԏ���`_ �����,ot�Ԏ���`_ �����<th�Ԏ0���`_ �����$wh�Ԏ0���`_ �����<tt�Ԏ0���`_ �����$wt�Ԏ0���`_ �����zh�ԎL���`_ �����zt�ԎL���`_ ������|\�Ԏh���`_ �����\\�Ԏ����`_ �����8�\�Ԏ����`_		 �����4�h�Ԏ����`_
	 ������_t�Ԏ����`_
 ����� �h�Ԏ����`_
 ������_t�Ԏ����`_

 ������_\�Ԏ����`_̐̐̐̐̐̐̐̐̐̐̐̐̐̐̐̐̐̐WEVT ��t�
Е��L�����CHANd,��HMicrosoft-Windows-UAC/OperationalTTBL\TEMPPЕ)5�H7^A����d����D�	EventDataPRVA@�Microsoft-Windows-UACOPCOLEVL0P4�win:ErrorTASKH����t� CreateProcessKEYWEVNT@����(�X��WEVT�	0�ԗ
�����ԙ�(�CHAN�L��Microsoft-Windows-Security-LessPrivilegedAppContainer/OperationalTTBLDTEMP8���/c���UX�q��r�Y���D�	EventDataA��A�oData)K�NameFailureTime
A��=�oData%K�Name	StackHash
��FailureTimeStackHashPRVA�,�Microsoft-Windows-Security-LessPrivilegedAppContainerOPCOLEVL0P��win:ErrorTASKH������ AccessFailureKEYWEVNT@�
����<�WEVT�����
ԛ�D������CHAN`Ԛ����DMicrosoft-Windows-COM/AnalyticTTBL�TEMP����w�Nm\"l):��N��VD�	EventDataA��5�oDataK�NameCLSID
ěCLSIDPRVA@�Microsoft-Windows-COMOPCO01,�win:InfoLEVL@P\�(win:InformationalTASKKEYWL��0COM_CLASSNOTREG_ERROREVNTD��$� �P� �Ě��WEVT��t���
��$�0�������CHAN8��	�ApplicationTTBLTEMPH̞���+X�^pĕ�A����8Path��xmlnsDhttp://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0��&Q
AttemptedPath
� AttemptedPathTEMP�L���'��Ty�)ҔpӍA����PathAndGuid��xmlnsDhttp://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0��&Q
AttemptedPath
��"��SrpRuleGuid
t��� AttemptedPathSrpRuleGuidTEMP$��j�/A\0&b��SA��@%�PathGuidAndRule��xmlnsDhttp://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0��&Q
AttemptedPath
��"��SrpRuleGuid
����RulePath
`����� AttemptedPathSrpRuleGuidRulePathPRVApȢMicrosoft-Windows-SoftwareRestrictionPoliciesOPCOLEVLhPT�Pp�win:Warning(win:InformationalTASKKEYWEVNT02	�2	�H���a	�a	��<���b	�b	��<���c	�c	��<���d	�d	�<���r	�r	�<���WEVTp�0���
t���Զ`���CHANP|��ĥ���D��HMicrosoft-Windows-MUI/Operational<Microsoft-Windows-MUI/AdminDMicrosoft-Windows-MUI/Analytic<Microsoft-Windows-MUI/DebugTTBL�TEMP��$*��Qq�����XD�	EventDataA��7�oDataK�NameStatus
,�StatusTEMP�Ч�<z�#aSl3�z�R���\D�	EventDataA��;�oData#K�NameFileName
�FileNameTEMP��;o��s\fj������D�	EventDataA��;�oData#K�NameFileName
A��3�oDataK�NameType
A��C�oData+K�NameFunctionName
L�d�t�FileNameType FunctionNameTEMP�$��<z�#aSl3�z�R���\D�	EventDataA��;�oData#K�NameFileName
8�FileNameTEMP$���*z�8�WM
sWR�	���2D�	EventDataA��5�oDataK�NameFlags
A��A�oData)K�NameNewLanguage
A��C�oData+K�NamePrevLanguage
A��C�oData+K�NameExtendedFlag
��4�T�FlagsNewLanguage PrevLanguage ExtendedFlagTEMP��� �ُ_�<�vw����D�	EventDataA��;�oData#K�NameFileName
A��C�oData+K�NameFunctionName
A��A�oData)K�NameReturnValue
ԭ��FileName FunctionNameReturnValueTEMP���)�Y�?��T0��U�����^D�	EventDataA��=�oData%K�Name	Parameter
ЮParameterTEMPP8�)5�H7^A����d����D�	EventDataTEMPP��)5�H7^A����d����D�	EventDataTEMP��4�=��|NP5��pk7��TD�	EventDataA��3�oDataK�NameName
$�NameTEMP�\��f��dY��x(������D�	EventDataA��E�oData-K�Name
NewCacheIndex
A��G�oData/K�NameLiveCacheIndex
A��7�oDataK�NameConfig
����ܱ NewCacheIndex$LiveCacheIndexConfigTEMP���?~�v|�Uj��]�4���^D�	EventDataA��=�oData%K�Name	ErrorCode
��ErrorCodeTEMP�aM?��iVτ������"D�	EventDataA��;�oData#K�NameFileName
A��;�oData#K�NameAffinity
A��;�oData#K�NameSequence
A��;�oData#K�NamePriority
X�p�����FileNameAffinitySequencePriorityTEMP�H��<z�#aSl3�z�R���\D�	EventDataA��;�oData#K�NameFileName
\�FileNamePRVA@��Microsoft-Windows-MUIOPCO :�:0�  :T�!!:t�"":��##:��$$:ĶInitialize$InvokeCallback DisableCache$UpdateManifestBuildCacheEntryExitLEVL�P�P�P8�win:Errorwin:Warning(win:InformationalTASK�z��zԷ0NotifyLanguageChange RescacheBuildKEYWEVNTP������̵�l�<��@��@�̵�l�L��@����̵�l�L��@����̵�l�L��@����̵�l�L�����������<�����������<�� ����ص���<�����������<��!@�������L��!��������<��"��������<��"��������<�����������<�����P�����l�<�����t�̵��l�<�����(�������<��!���������l��" ���������\��" ���������\��"���4������<��# ����������\��$ ���������\��# ����������\��$ ���������\��!���������l�����8�������<��" �������\�WEVT,����
4����l�����CHAN�̽����(�����\Microsoft-Windows-Kernel-AppCompat/GeneraldMicrosoft-Windows-Kernel-AppCompat/PerformanceTTBL�TEMP�0�c��snGa_�!(�y���bD�	EventDataA��S�oData;K�NameExecutablePathLength
A��G�oData/K�NameExecutablePath
A��O�oData7K�NameRegistryPathLength
A��C�oData+K�NameRegistryPath
������0ExecutablePathLength$ExecutablePath,RegistryPathLength RegistryPathTEMP���9�̡^`U�@��w ���`D�	EventDataA��?�oData'K�Name
StatusCode
�StatusCodeTEMPPd�j��F<U�Z����8���JD�	EventDataA��E�oData-K�Name
KeyNameLength
A��9�oData!K�NameKeyName
A��Q�oData9K�NameParentKeyNameLength
A��E�oData-K�Name
ParentKeyName
������� KeyNameLengthKeyName,ParentKeyNameLength ParentKeyNamePRVA\H�Microsoft-Windows-Kernel-AppCompatOPCOx1��2��2��win:Infowin:Startwin:StopLEVLdP,�PD�win:Error(win:InformationalTASK,����X�����|����������������������������@�����d�$CompatCacheInit(CompatCacheQuery$CompatCdbQuery$CompatMapQuirks(CompatCacheUpdate,CompatUserModeQuery$CompatSdbQuery4CompatCacheQueryProcessKEYWH������,RegWrpAccessDeniedEVNTt�6���� �P���@������ �x���@���� ��� �x���@������ �����@���� ��� �����@������ �����@���� ��� �����@������ �����	@���� ��� �����
@������ �����@���� ��� �����@������ ����
@���� ��� ����@������ � ���@���� ��� � ���@������ �<���@���� ��� �<�����	������WEVT,-��
����L�� �TTBL$TEMP��\�Ξ�S�CL�93���� D�	EventDataA��Y�oDataAK�NamecchAppPathIncludingNull
A��_�oDataGK�NameApplicationImageHeaderHash
A��9�oData!K�NameAppPath
8�l���4cchAppPathIncludingNull<ApplicationImageHeaderHashAppPathTEMP|��}�풚T�Xh���������D�	EventDataA��A�oData)K�NameFeatureGuid
A��_�oDataGK�NameApplicationImageHeaderHash
����FeatureGuid<ApplicationImageHeaderHashTEMP4����H�^�m#��!���:D�	EventDataA��A�oData)K�NameFeatureGuid
A��C�oData+K�NameCallerIdType
A��C�oData+K�NamecchImagePath
A��=�oData%K�Name	ImagePath
���4�T�FeatureGuid CallerIdType cchImagePathImagePathTEMP�,�x�a8p�RX1��z�`���D�	EventDataA��i�oDataQK�NamecchParentImagePathIncludingNull
A��A�oData)K�NameFeatureGuid
A��c�oDataKK�NameParentProcessImageHeaderHash
A��I�oData1K�NameParentImagePath
|������DcchParentImagePathIncludingNullFeatureGuid@ParentProcessImageHeaderHash$ParentImagePathTEMP		T�U��[W_���y��x���D�	EventDataA��5�oDataK�NameFlags
A��[�oDataCK�NamecchIdStringIncludingNull
A��Y�oDataAK�NamecchDllPathIncludingNull
A��;�oData#K�NameCategory
A��I�oData1K�NameManifestVersion
A��E�oData-K�Name
DllHeaderHash
A��_�oDataGK�NameApplicationImageHeaderHash
A��;�oData#K�NameIdString
A��9�oData!K�NameDllPath
��P����������4�Flags8cchIdStringIncludingNull4cchDllPathIncludingNullCategory$ManifestVersion DllHeaderHash<ApplicationImageHeaderHashIdStringDllPathTEMPxp�]ng��P\��\堟����D�	EventDataA��5�oDataK�NameFlags
A��[�oDataCK�NamecchIdStringIncludingNull
A��;�oData#K�NameCategory
A��I�oData1K�NameManifestVersion
A��_�oDataGK�NameApplicationImageHeaderHash
A��;�oData#K�NameIdString
����0�H�l���Flags8cchIdStringIncludingNullCategory$ManifestVersion<ApplicationImageHeaderHashIdStringPRVA@��Microsoft-Windows-AITOPCOLEVL@P$�(win:InformationalTASK����������8�����d�������������������������AitFeature,AitParentAitFeatureAitAppInfo,AitSystemUsageByDll,AitSystemUsageByExe AitProcessEndKitFeatureKEYWEVNT`�������X�����l��t��������������@��������H���������������8���WEVTx0��
��T�`�������TTBL�TEMP�����{��U+0"�����vD�	EventDataA��U�oData=K�NameAeLookupServieTrigger
��0AeLookupServieTriggerPRVA���Microsoft-Windows-ApplicationExperience-LookupServiceTriggerOPCOLEVL@Px�(win:InformationalTASKKEYWEVNT@������l�WEVT�.H���
������`�l�x�CHANd������������H�����hMicrosoft-Windows-Kernel-ApphelpCache/Operational\Microsoft-Windows-Kernel-ApphelpCache/DebugdMicrosoft-Windows-Kernel-ApphelpCache/AnalyticTTBL�TEMP�\�_�Yn5�]�S�#����pD�	EventDataA��O�oData7K�NameOperationalMessage
p�,OperationalMessageTEMP�4�nШ)�\�����{���bD�	EventDataA��A�oData)K�NameInfoMessage
H�InfoMessageTEMP���$&��_��XB�8'�;���dD�	EventDataA��C�oData+K�NameDebugMessage
� DebugMessageTEMPT��G'L46߬U��|�8����LD�	EventDataA��9�oData!K�NameMatches

A��A�oData)K�NameCheckerName
A��E�oData-K�Name
AttributeName
A��W�oData?K�NameAttributeExpectedValue


��0�P�MatchesCheckerName AttributeName4AttributeExpectedValueTEMPT��B���S%�N���*���LD�	EventDataA��9�oData!K�NameMatches

A��A�oData)K�NameCheckerName
A��E�oData-K�Name
AttributeName
A��W�oData?K�NameAttributeExpectedValue


T�h�����MatchesCheckerName AttributeName4AttributeExpectedValueTEMPTX�N�T3��*T}�O�(�U���LD�	EventDataA��9�oData!K�NameMatches

A��A�oData)K�NameCheckerName
A��E�oData-K�Name
AttributeName
A��W�oData?K�NameAttributeExpectedValue


��������MatchesCheckerName AttributeName4AttributeExpectedValueTEMPT��^T����Q
1����M���LD�	EventDataA��9�oData!K�NameMatches

A��A�oData)K�NameCheckerName
A��E�oData-K�Name
AttributeName
A��W�oData?K�NameAttributeExpectedValue



���,�

L�MatchesCheckerName AttributeName4AttributeExpectedValuePRVAp��Microsoft-Windows-ApplicationExperience-CacheOPCOLEVLdP �P8�win:Error(win:InformationalTASKKEYWEVNT`�3���T� 4���t�@5d��d�@40��d�@4���d�@4���d�	@4,��d�WEVT�
/ �
�H�T�������TTBL�
TEMPxH�No��X�Z-YT��i����D�	EventDataA��K�oData3K�NameSwitchBranchGuid
A��W�oData?K�NameSwitchBranchNameLength
A��K�oData3K�NameSwitchBranchName
A��e�oDataMK�NameSwitchBranchDescriptionLength
A��Y�oDataAK�NameSwitchBranchDescription
����0�p�(SwitchBranchGuid4SwitchBranchNameLength(SwitchBranchName@SwitchBranchDescriptionLength4SwitchBranchDescriptionTEMP���O���P�.��>$��D�	EventDataA��S�oData;K�NameSwitchBranchImplGuid
A��_�oDataGK�NameSwitchBranchImplNameLength
A��S�oData;K�NameSwitchBranchImplName
A��m�oDataUK�Name!SwitchBranchImplDescriptionLength
A��a�oDataIK�NameSwitchBranchImplDescription
L�|����0�0SwitchBranchImplGuid<SwitchBranchImplNameLength0SwitchBranchImplNameHSwitchBranchImplDescriptionLength<SwitchBranchImplDescriptionTEMPt���=�t�\U�����ZD�	EventDataA��M�oData5K�NameTargetContextGuid
A��M�oData5K�NameTargetContextType
A��K�oData3K�NameModuleNameLength
A��?�oData'K�Name
ModuleName
L�t����(TargetContextGuid(TargetContextType(ModuleNameLengthModuleNameTEMP���mUl���S��G4�1���tD�	EventDataA��S�oData;K�NameContextUpdateCounter



��0ContextUpdateCounterPRVA|�Microsoft-Windows-ApplicationExperience-SwitchBackOPCOLEVL@Pl�(win:InformationalTASK���������(�����@�����h�AeSbCallAeSbImpl(AeSbContextUpdate0AeSbContextReadRetryKEYWEVNT�����,�`���������`�������l�`�������`��WEVT`'��<
��!�!�"H#CHANt�����XMicrosoft-Windows-Kernel-Network/AnalyticTTBLtTEMP(

�l\FX_TR4Ԅ/"\��zD�	EventDataA��1�oDataK�NamePID
A��3�oDataK�Namesize
A��5�oDataK�Namedaddr
A��5�oDataK�Namesaddr
A��5�oDataK�Namedport
A��5�oDataK�Namesport
A��;�oData#K�Namestartime
A��9�oData!K�Nameendtime
A��7�oDataK�Nameseqnum
A��7�oDataK�Nameconnid
	�����4H\PIDsizedaddrsaddrdportsportstartimeendtimeseqnumconnidTEMPP�ؕ�`�]O QjYDz����D�	EventDataA��1�oDataK�NamePID
A��3�oDataK�Namesize
A��5�oDataK�Namedaddr
A��5�oDataK�Namesaddr
A��5�oDataK�Namedport
A��5�oDataK�Namesport
A��7�oDataK�Nameseqnum
A��7�oDataK�Nameconnid
<HXhx���PIDsizedaddrsaddrdportsportseqnumconnidTEMP(�A�r���S����K������D�	EventDataA��1�oDataK�NamePID
A��3�oDataK�Namesize
A��5�oDataK�Namedaddr
A��5�oDataK�Namesaddr
A��5�oDataK�Namedport
A��5�oDataK�Namesport
A��1�oDataK�Namemss
A��9�oData!K�Namesackopt
A��5�oDataK�Nametsopt
A��5�oDataK�Namewsopt
	A��7�oDataK�Namercvwin
A��A�oData)K�Namercvwinscale
A��A�oData)K�Namesndwinscale
A��7�oDataK�Nameseqnum

A��7�oDataK�Nameconnid
�
�
�
$4@Tdt����PIDsizedaddrsaddrdportsportmsssackopttsoptwsoptrcvwinrcvwinscalesndwinscaleseqnumconnidTEMP(�(n�n3��^���2�P���D�	EventDataA��5�oDataK�NameProto
A��A�oData)K�NameFailureCode
��ProtoFailureCodeTEMP(

�{i^�Ӻ.\���F����zD�	EventDataA��1�oDataK�NamePID
A��3�oDataK�Namesize
A��5�oDataK�Namedaddr
A��5�oDataK�Namesaddr
A��5�oDataK�Namedport
A��5�oDataK�Namesport
A��;�oData#K�Namestartime
A��9�oData!K�Nameendtime
A��7�oDataK�Nameseqnum
A��7�oDataK�Nameconnid
	��������$PIDsizedaddrsaddrdportsportstartimeendtimeseqnumconnidTEMPPd5[� 7�WIh�C4����D�	EventDataA��1�oDataK�NamePID
A��3�oDataK�Namesize
A��5�oDataK�Namedaddr
A��5�oDataK�Namesaddr
A��5�oDataK�Namedport
A��5�oDataK�Namesport
A��7�oDataK�Nameseqnum
A��7�oDataK�Nameconnid
 0@P`tPIDsizedaddrsaddrdportsportseqnumconnidTEMP(t����OQ�s��W����D�	EventDataA��1�oDataK�NamePID
A��3�oDataK�Namesize
A��5�oDataK�Namedaddr
A��5�oDataK�Namesaddr
A��5�oDataK�Namedport
A��5�oDataK�Namesport
A��1�oDataK�Namemss
A��9�oData!K�Namesackopt
A��5�oDataK�Nametsopt
A��5�oDataK�Namewsopt
	A��7�oDataK�Namercvwin
A��A�oData)K�Namercvwinscale
A��A�oData)K�Namesndwinscale
A��7�oDataK�Nameseqnum

A��7�oDataK�Nameconnid
�������,<Pl��PIDsizedaddrsaddrdportsportmsssackopttsoptwsoptrcvwinrcvwinscalesndwinscaleseqnumconnidPRVAX�Microsoft-Windows-Kernel-NetworkOPCO�
�����
�\�����, �p �� *�� +�,!1l!<KERNEL_NETWORK_OPCODE_SEND<KERNEL_NETWORK_OPCODE_RECV@KERNEL_NETWORK_OPCODE_CONNECTHKERNEL_NETWORK_OPCODE_DISCONNECTHKERNEL_NETWORK_OPCODE_RETRANSMIT@KERNEL_NETWORK_OPCODE_ACCEPTDKERNEL_NETWORK_OPCODE_RECONNECT<KERNEL_NETWORK_OPCODE_FAIL@KERNEL_NETWORK_OPCODE_TCPCOPY@KERNEL_NETWORK_OPCODE_SENDUDP@KERNEL_NETWORK_OPCODE_RECVUDP@KERNEL_NETWORK_OPCODE_FAILUDPLEVL@P�!(win:InformationalTASK�
����0"����h"8KERNEL_NETWORK_TASK_TCPIP8KERNEL_NETWORK_TASK_UDPIPKEYW������" ����#<KERNEL_NETWORK_KEYWORD_IPV4<KERNEL_NETWORK_KEYWORD_IPV6EVNT�


�H�!�!x'�
�p �!�!|'�
��,�!�!�'�

�p8�!�!�'�
�pD�!�!�'�
��P�!�!�'�
�p\�!�!�'�
0��h�!�!�'�
�	pt�!�!�'�

 �
�!�!�'�
 �8 �!�!�'�
 ��,�!�!�'�
 �88�!�!�'�
 �8D�!�!�'�
 ��P�!�!�'� 
 �8\�!�!�'�"
 �8t�!�!�'�**�
p��!"�'�++�p��!"�'�110����!"�'�:* �8��!"�'�;+ �8��!"�'��"�"�"�"�"�"�"�"�"�"�"�"�"�"�"�"�"�"�"�"�"�"�"�"WEVT�X((�(
$/t/�/�/�/�/CHANpD(����TMicrosoft-Windows-Kernel-Disk/AnalyticTTBL�TEMP,<+�ѵ�ggZ�� *B��bD�	EventDataA��?�oData'K�Name
DiskNumber
A��;�oData#K�NameIrpFlags
A��C�oData+K�NameTransferSize
A��;�oData#K�NameReserved
A��?�oData'K�Name
ByteOffset

A��?�oData'K�Name
FileObject
A��I�oData1K�NameIORequestPacket
A��Q�oData9K�NameHighResResponseTime

�+�+,0,

H,d,�,

�,DiskNumberIrpFlags TransferSizeReservedByteOffsetFileObject$IORequestPacket,HighResResponseTimeTEMPTP.(u��&,&V�O��2���JD�	EventDataA��?�oData'K�Name
DiskNumber
A��;�oData#K�NameIrpFlags
A��Q�oData9K�NameHighResResponseTime

A��I�oData1K�NameIORequestPacket
�.�.

�./DiskNumberIrpFlags,HighResResponseTime$IORequestPacketPRVAP8/Microsoft-Windows-Kernel-DiskOPCOLEVL@P�/(win:InformationalTASKKEYWEVNT�
�Y�(�/4(�Z�(�/4(�[�,�/4(WEVT�]�	�0�1P2
�x�x�|d}��CHAN��0�X1�\Microsoft-Windows-Kernel-EventTracing/AdmindMicrosoft-Windows-Kernel-EventTracing/AnalyticMAPS��1VMAPd02
��������	�
� StopReasonMapTTBLDFTEMP�3
�9G�U�d��A�v��0D�	EventDataA��A�oData)K�NameSessionName
A��;�oData#K�NameFileName
A��=�oData%K�Name	ErrorCode
A��A�oData)K�NameLoggingMode
4,4D4\4SessionNameFileNameErrorCodeLoggingModeTEMPL\5	�,%W��[v�t�
�����D�	EventDataA��A�oData)K�NameSessionName
A��G�oData/K�NameMaximumAllowed
�5�5SessionName$MaximumAllowedTEMP��6�e9�rU>w���!؁���D�	EventDataA��A�oData)K�NameSessionName
A��A�oData)K�NameSessionGuid
A��E�oData-K�Name
DesiredAccess
,7H7d7SessionNameSessionGuid DesiredAccessTEMPhx8]�hюJS���Ӝ�����D�	EventDataA��A�oData)K�NameSessionName
A��U�oData=K�NameMemoryPartitionHandle
�8�8SessionName0MemoryPartitionHandleTEMP��:i[%�_�[Vw'�֦Z���|D�	EventDataA��A�oData)K�NameSessionName
A��;�oData#K�NameFileName
A��=�oData%K�Name	ErrorCode
A��A�oData)K�NameLoggingMode
A��E�oData-K�Name
FailureReason
;;4;L;�1h;SessionNameFileNameErrorCodeLoggingMode FailureReasonTEMP�4=�A\�X+�P2�Z;f���xD�	EventDataA��A�oData)K�NameSessionName
A��;�oData#K�NameFileName
A��=�oData%K�Name	ErrorCode
A��A�oData)K�NameLoggingMode
A��A�oData)K�NameMaxFileSize

�=�=�=�=

>SessionNameFileNameErrorCodeLoggingModeMaxFileSizeTEMP�@?���d��TY��|������D�	EventDataA��A�oData)K�NameSessionName
A��=�oData%K�Name	ErrorCode
A��A�oData)K�NameLoggingMode
|?�?�?SessionNameErrorCodeLoggingModeTEMPD�@�X�f��Z�pI�n���D�	EventDataA��C�oData+K�NameProviderName
A��A�oData)K�NameSessionName
�@�@ ProviderNameSessionNameTEMP��A ����Y�{?C����dD�	EventDataA��C�oData+K�NameProviderName
�A ProviderNameTEMP,HC�#�|��VS��?����8D�	EventDataA��A�oData)K�NameSessionGuid
A��?�oData'K�Name
LoggerMode
A��A�oData)K�NameSessionName
A��A�oData)K�NameLogFileName
�C�C�C�CSessionGuidLoggerModeSessionNameLogFileNameTEMP��D� �!@�T�TQ�/�Z��jD�	EventDataA��I�oData1K�NameLoggerSlotsUsed



�D$LoggerSlotsUsedTEMP\

(H?����a
]�>��;��Q��D�	EventDataA��A�oData)K�NameSessionGuid
A��?�oData'K�Name
LoggerMode
A��A�oData)K�NameSessionName
A��A�oData)K�NameLogFileName
A��G�oData/K�NameMinimumBuffers
A��G�oData/K�NameMaximumBuffers
A��?�oData'K�Name
BufferSize
A��K�oData3K�NamePeakBuffersCount
A��Q�oData9K�NameCurrentBuffersCount
A��G�oData/K�NameFlushThreshold
	�HI(IDI`I�I�I�I�IJSessionGuidLoggerModeSessionNameLogFileName$MinimumBuffers$MaximumBuffersBufferSize(PeakBuffersCount,CurrentBuffersCount$FlushThresholdTEMPP�N�$���[�㟿�Q��:D�	EventDataA��A�oData)K�NameSessionGuid
A��?�oData'K�Name
LoggerMode
A��A�oData)K�NameSessionName
A��A�oData)K�NameLogFileName
A��G�oData/K�NameMinimumBuffers
A��G�oData/K�NameMaximumBuffers
A��?�oData'K�Name
BufferSize
A��K�oData3K�NamePeakBuffersCount
A��Q�oData9K�NameCurrentBuffersCount
A��G�oData/K�NameFlushThreshold
	A��?�oData'K�Name
EventsLost
A��A�oData)K�NameBuffersLost
A��Q�oData9K�NameRealTimeBuffersLost
A��;�oData#K�NameLoggerId

�O�O�OP4PXP|P�P�P�PQ,QHQtQSessionGuidLoggerModeSessionNameLogFileName$MinimumBuffers$MaximumBuffersBufferSize(PeakBuffersCount,CurrentBuffersCount$FlushThresholdEventsLostBuffersLost,RealTimeBuffersLostLoggerIdTEMP��R
.��tX�W���G
��D�	EventDataA��A�oData)K�NameSessionName
A��I�oData1K�NameSecurityDescOld
A��I�oData1K�NameSecurityDescNew
SS@SSessionName$SecurityDescOld$SecurityDescNewTEMP�T˥����Y�P_��y���.D�	EventDataA��?�oData'K�Name
ProviderId
A��?�oData'K�Name
StatusCode
A��9�oData!K�NameEventId
A��A�oData)K�NameSessionName
U4UPUdUProviderIdStatusCodeEventIdSessionNameTEMP$�V�G��.�TZ;7T���>��2D�	EventDataA��?�oData'K�Name
ProviderId
A��?�oData'K�Name
StatusCode
A��=�oData%K�Name	EventName
A��A�oData)K�NameSessionName
8WTW#pW�WProviderIdStatusCodeEventNameSessionNameTEMP4Y�y$h��W6�a�+gQ(��<D�	EventDataA��A�oData)K�NameMessageGuid
A��E�oData-K�Name
MessageNumber
A��?�oData'K�Name
StatusCode
A��A�oData)K�NameSessionName
dY�Y�Y�YMessageGuid MessageNumberStatusCodeSessionNameTEMP��Z!��n^a�KӾr����D�	EventDataA��7�oDataK�NameHookId
A��?�oData'K�Name
StatusCode
A��A�oData)K�NameSessionName
0[D[`[HookIdStatusCodeSessionNameTEMP<�]9�'H�*bR�J�����D�	EventDataA��C�oData+K�NameProviderName
A��A�oData)K�NameSessionName
A��I�oData1K�NameMatchAnyKeyword

A��I�oData1K�NameMatchAllKeyword

A��G�oData/K�NameEnableProperty
A��5�oDataK�NameLevel
^ ^
<^
`^�^�^ ProviderNameSessionName$MatchAnyKeyword$MatchAllKeyword$EnablePropertyLevelTEMP�l`�茴��\��i������D�	EventDataA��;�oData#K�NameFileName
A��?�oData'K�Name
BufferSize
A��K�oData3K�NameBuffersPersisted
A��G�oData/K�NameBuffersWritten
A��7�oDataK�NameStatus
�`�`a,aPaFileNameBufferSize(BuffersPersisted$BuffersWrittenStatusTEMP$`c�`�Z�S��.�ۊ���D�	EventDataA��;�oData#K�NameFileName
A��?�oData'K�Name
BufferSize
A��K�oData3K�NameBuffersPersisted
A��G�oData/K�NameBuffersWritten
A��7�oDataK�NameStatus
A��A�oData)K�NameBuffersLost
�c�cd4dXdldFileNameBufferSize(BuffersPersisted$BuffersWrittenStatusBuffersLostTEMP\tew�,V�
tZ�$@6�������D�	EventDataA��C�oData+K�NameProviderGuid
A��M�oData5K�NameProviderGroupGuid
�e�e ProviderGuid(ProviderGroupGuidTEMP<�f�o���U}2jYn��:���D�	EventDataA��C�oData+K�NameProviderGuid
A��=�oData%K�Name	ErrorCode
�fg ProviderGuidErrorCodeTEMPiC��6R�SСC��Qa����D�	EventDataA��C�oData+K�NameProviderGUID
A��=�oData%K�Name	GroupGUID
A��5�oDataK�NameFlags
A��?�oData'K�Name
EnableMask
A��I�oData1K�NameGroupEnableMask
A��=�oData%K�Name	ProcessId
�i�i�i�i�ij ProviderGUIDGroupGUIDFlagsEnableMask$GroupEnableMaskProcessIdTEMPp\l׺��}YEA��C����D�	EventDataA��3�oDataK�NameGUID
A��5�oDataK�NameIndex
A��;�oData#K�NameLoggerId
A��I�oData1K�NameMatchAnyKeyword

A��I�oData1K�NameMatchAllKeyword

A��5�oDataK�NameLevel
A��G�oData/K�NameEnableProperty
�l�lm
 m
DmhmxmGUIDIndexLoggerId$MatchAnyKeyword$MatchAllKeywordLevel$EnablePropertyTEMP��n1��WPZ���لb���D�	EventDataA��3�oDataK�NameGUID
A��A�oData)K�NameFilterFlags
A��O�oData7K�NameLastEnableLoggerId
oo,oGUIDFilterFlags,LastEnableLoggerIdTEMP�p_�If�TP�������.D�	EventDataA��C�oData+K�NameProviderGuid
A��A�oData)K�NameSessionName
A��=�oData%K�Name	ProcessId
A��7�oDataK�NameStatus
q,qHq`q ProviderGuidSessionNameProcessIdStatusTEMP�r_�If�TP�������.D�	EventDataA��C�oData+K�NameProviderGuid
A��A�oData)K�NameSessionName
A��=�oData%K�Name	ProcessId
A��7�oDataK�NameStatus
(sHsds|s ProviderGuidSessionNameProcessIdStatusTEMP�u�-��l��S��n̘%0,���D�	EventDataA��3�oDataK�NameGUID
A��;�oData#K�NameLoggerId
A��I�oData1K�NameMatchAnyKeyword

A��I�oData1K�NameMatchAllKeyword

A��5�oDataK�NameLevel
A��G�oData/K�NameEnableProperty
�uv
$v
Hvlv|vGUIDLoggerId$MatchAnyKeyword$MatchAllKeywordLevel$EnablePropertyTEMP��wM�v_G&�_V.���6L��D�	EventDataA��A�oData)K�NameSessionName
A��O�oData7K�NameRequestedGroupMask
�A��O�oData7K�NamePermittedGroupMask
� x<xhxSessionName,RequestedGroupMask,PermittedGroupMaskPRVA`�xMicrosoft-Windows-Kernel-EventTracingOPCO�1�y2�y2�y
�z�Hz�|z��z��z��z�{�L{�t{��{��{U|VH|Qx|win:Infowin:Startwin:Stop4ETW_OPCODE_WRITE_BUFFER4ETW_OPCODE_FILE_SWITCH(ETW_OPCODE_START$ETW_OPCODE_STOP(ETW_OPCODE_FLUSH,ETW_OPCODE_REGISTER0ETW_OPCODE_UNREGISTER(ETW_OPCODE_ENABLE,ETW_OPCODE_DISABLE0ETW_OPCODE_CONFIGUREHETW_OPCODE_USER_MODE_STACK_TRACE0ETW_OPCODE_SET_TRAITS0ETW_OPCODE_GROUP_JOIN8ETW_OPCODE_CAPTURE_STATELEVL�P�|P}P }[H}win:Errorwin:Warning(win:Informationalwin:VerboseTASK���~��~��8�d���������	T�
\L�]��^��(ETW_TASK_LOGGING(ETW_TASK_SESSION(ETW_TASK_PROVIDER,ETW_TASK_GUID_ENTRY0ETW_TASK_GROUP_ENTRY0ETW_TASK_STACK_TRACE,ETW_TASK_LOST_EVENT,SavePersistedLogger0ETW_TASK_ENABLE_INFO4ETW_TASK_LOST_TLG_EVENT4ETW_TASK_LOST_WPP_EVENT<ETW_TASK_LOST_SYSTEM_EVENTKEYW �|� ���@�؁����������D�����|������������,ETW_KEYWORD_SESSION0ETW_KEYWORD_PROVIDER4ETW_KEYWORD_LOST_EVENT8ETW_KEYWORD_SOFT_RESTART8ETW_KEYWORD_CAPTURE_STATE8ETW_KEYWORD_REGISTRATION4ETW_KEYWORD_ENABLEMENT(ETW_KEYWORD_GROUPEVNT�
4
��\2$y�|p}��0
��>$y�|p}��0��\2<y�|�}��0��\2Hy�|�}��0���8Hy�|�}��0
���;$y�|p}��0��\20y�|p}���0 @�A`y�|�}���0	 @�Aly�|�}��0
@��A<y�|�}��0
@��D<y�|�}��0@��AHy�|�}��0@��DHy�|�}��0@�<JHy�|�}��0@��A�y�|�} ��0
@��ATy�|�}$��0 @��?xy�|�}(��0 @�|[xy�|�}0��0 @��?�y�|�}8��0@��A�y�|�}@��0��y�|�}@����dSy�|~D������Dy�|�}H�����<Jy�|�}L������y�|4~T�������^y�|4~X������day�|4~\�����^y�|4~`��0���day�|4~d��0 �����my�|�}h�	�����my�|�}p�	 ����,jy�|P~x� ���� gy�|�}�� 
�R�e�y�|�}���0 
@S�d�y�|�}���0 @�Xoy�|�}���0
@�����Uy�|l~�� 0� �tqy�|�}���0!@�����Wy�|�~��"@�����Yy�|�~��#@����Dy�|�}���0( @�|[xy�|�}���0) @��?�y�|�}ȍ�0* @P�s�y�|�}Ѝ�0+@H�A<y�|�}؍�0,@Ix4<y�|�}܍�0-@Jx4<y�|�}��0.@K�5<y�|�}��0/@L�7<y�|�}��00@M\2y�|�}��01@N\2<y�|�}��02@O�vxy�|�}��0���������������L��L����������������\��\��\��������<�,�,�,�,�,��<�<�l��<��<��L�l��L�l��L����������\��\��<�����������������WEVT �	P�L���
�������D���CHAN���������������SystemTMicrosoft-Windows-Kernel-Boot/AnalyticXMicrosoft-Windows-Kernel-Boot/OperationalMAPS8

��t������@�`�$����VMAP�\���������	�d
�e�f�g
�h�i�BMAP|d�
������ �@��	�
��� 
�VMAP$К���� � � � � � � � �0�0�0�0�0�0 �0!�0"�P#�@$�@%�@&�@'�@(�@)�@*�@+�@,� @-� @.� @/� @0� @1� @2� @3� @4� @5�	 @6�
 @7� @8� @9�
 @:� @;� @<� @=� @>� @?� @@� @A� @B� @C� @D� @E� @F� @G� @H� @I� @J� @K�0@$�0@L�0@M�0@N�0@O�0@P�0@Q�0@R�0@S�	0@T�
0@U�0@V�0@W�
0@X�0@Y�0@Z�0@[�0@\�0@]�0@^�0@_�0@`�0@a�0@b�0@c�0@d�0@e�0@f�0@g�0@h�0@i�0@j� 0@k�!0@l�"0@m�#0@n�$0@o�%0@p�&0@q�'0@r�(0@s�)0@t�*0@u�+0@v�,0@w�-0@x�.0@y�/0@z�00@{�10@|�20@}�30@~�40@�50@��60@��70@��80@��90@��:0@��;0@��<0@��=0@��>0@��?0@��@0@��A0@��B0@��C0@��D0@��E0@��F0@��G0@��H0@��I0@��J0@��P0@��Q0@��R0@��S0@��T0@��U0@��V0@��W0@��X0@��Y0@��@@��@@��@@��@@��@@��@@��@@��@@��P@��P@��P@��P@��P@��P@��P@��P@��P@��	P@��
P@��P@��P@��
P@��P@��P@��P@��`@��`@��`@��`@��`@��`@��`@��`@��	`@��
`@��`@��`@��
`@��`@��`@��`@��`@��`@��`@��`@��`@��`@��`@��`@��`@��`@��`@��`@��`@��`@��`@�� `@��!`@��"`@��#`@��$`@��%`@��&`@��'`@��(`@��)`@��*`@��+`@��,`@��-`@��.`@��/`@��0`@��3`@��4`@��5`@��6`@��7`@��8`@��9`@��:`@��VMAP�D�0������������������	��
������
�������������	�
���
���� �!�"�#�$�%�&�'�(�)�*�+�,�-�/�0 �VMAP4��!�"�#�$�VMAPt��%�&�'�(�)�*�+�,�-�	.�
/�0�VMAP<��1�2�3�4�5�VMAP<�6�7�8�9�:�VMAP<ܛ;�<�=�>�?�VMAP4$�@�A�B�C�,BootDiagMessageMap(DebuggerStatusMap8DmaProtectedRangeProperty4EnableDisableReasonMap0PlutonLoadFailureMapPpamInfoMap,SbatUpdateStatusMap<SecureBootBcdMitigationMap TxtStatusMap VsmPolicyMapTTBL$�TEMP`X���Ǎ��Y<��������D�	EventDataA��9�oData!K�NameSqmType
A��G�oData/K�NameSqmSessionGuid
A��5�oDataK�NameSqmID
A��O�oData7K�NameSqmStreamRowLength
A��QZ�ComplexData+K�NameSqmStreamRow
����0�@�l�����̟SqmType$SqmSessionGuidSqmID,SqmStreamRowLength SqmStreamRow SqmTypeEntry SqmDWORDEntry$SqmStringEntryTEMP��*�d�Ÿ[�|5�NR����D�	EventDataA��5�oDataK�NameWidth
A��7�oDataK�NameHeight
A��C�oData+K�NameBitsPerPixel
@�P�d�WidthHeight BitsPerPixelTEMP��A�g���[k#l�'t���`D�	EventDataA��?�oData'K�Name
BytesPerMs
,�BytesPerMsTEMP���
1Ē�BW[�n��Ts��,D�	EventDataA��;�oData#K�NameDeviceID
A��;�oData#K�NameFileName
A��=�oData%K�Name	BytesRead

A��C�oData+K�NameBytesWritten

���

(�

@�DeviceIDFileNameBytesRead BytesWrittenTEMP�p��چ�ЛV���k+�[b���D�	EventDataA��;�oData#K�NameDeviceID
A��;�oData#K�NameFileName
A��7�oDataK�NameStatus
��ĥܥDeviceIDFileNameStatusTEMP��j���_��������D�	EventDataA��I�oData1K�NameApplicationGuid
A��=�oData%K�Name	BytesRead

A��C�oData+K�NameBytesWritten

X�

|�

��$ApplicationGuidBytesRead BytesWrittenTEMP��f��
�Rۓ����F���,D�	EventDataA��=�oData%K�Name	ImageName
A��?�oData'K�Name
ImageFlags
A��7�oDataK�NameReason
A��C�oData+K�NameErrorIgnored
d�|�����ImageNameImageFlagsReason ErrorIgnoredTEMP�d��4�~MQ9�TsK,^.��bD�	EventDataA��A�oData)K�NameBootmgrTime



x�BootmgrTimeTEMP�(���H�Q��b����^D�	EventDataA��=�oData%K�Name	ImageName
<�ImageNameTEMP��R��6Am�Z�������bD�	EventDataA��A�oData)K�NameDriveNumber
�DriveNumberTEMPX̮�@a�]�0gډ�����zD�	EventDataA��A�oData)K�NameFwStartPage

A��A�oData)K�NameFwPageCount

A��C�oData+K�NameFwMemoryType
A��O�oData7K�NameFwMemoryAttributes
A��A�oData)K�NameBlStartPage

A��A�oData)K�NameBlPageCount

A��C�oData+K�NameBlMemoryType
A��O�oData7K�NameBlMemoryAttributes

l�
����į
�
�(�H�FwStartPageFwPageCount FwMemoryType,FwMemoryAttributesBlStartPageBlPageCount BlMemoryType,BlMemoryAttributesTEMP���"�jfg$\���L�����hD�	EventDataA��G�oData/K�NamePreBootMgrTime



$�$PreBootMgrTimeTEMP�`��&6�ؕ]�nZ�H����D�	EventDataA��K�oData3K�NameUefiVariableName
A��3�oDataK�NameSize
A��7�oDataK�NameStatus
��ĲԲ(UefiVariableNameSizeStatusTEMP@ȳ7":���Q:��b��M���D�	EventDataA��I�oData1K�NameApplicationGuid
A��9�oData!K�NameElement
��$ApplicationGuidElementTEMP���$*��Qq�����XD�	EventDataA��7�oDataK�NameStatus
ȴStatusTEMP�h�$*��Qq�����XD�	EventDataA��7�oDataK�NameStatus
|�StatusTEMPLt�I��Q�H�\�p�Ԧ����D�	EventDataA��E�oData-K�Name
FailureStatus

A��C�oData+K�NameFailureMsgId


��
�� FailureStatus FailureMsgIdTEMPD���UaJ˅W�����������D�	EventDataA��E�oData-K�Name
FailureStatus
A��?�oData'K�Name
FailureMsg
�� FailureStatusFailureMsgTEMPPp�)5�H7^A����d����D�	EventDataTEMP���H�tjI�Q��Bn�a���`D�	EventDataA��?�oData'K�Name
EntryCount
�EntryCountTEMP�ȹ���X��4`����`D�	EventDataA��?�oData'K�Name
ToolsCount
ܹToolsCountTEMP\��;���W�Q[\4�����D�	EventDataA��K�oData3K�NameLastShutdownGood

A��C�oData+K�NameLastBootGood



�

4�(LastShutdownGood LastBootGoodTEMP`ؼg����+�[d��f���ND�	EventDataA��K�oData3K�NameLastShutdownGood

A��C�oData+K�NameLastBootGood

A��?�oData'K�Name
LastBootId
A��K�oData3K�NameBootStatusPolicy


(�

P�p���(LastShutdownGood LastBootGoodLastBootId(BootStatusPolicyTEMP�P�
r�y��Wyþ���T��hD�	EventDataA��G�oData/K�NameOptionSelected
d�$OptionSelectedTEMPPؾ)5�H7^A����d����D�	EventDataTEMPP(�)5�H7^A����d����D�	EventDataTEMPPx�)5�H7^A����d����D�	EventDataTEMP��S�/y^�����q0��hD�	EventDataA��G�oData/K�NameBootMenuPolicy
(�$BootMenuPolicyTEMPP��)5�H7^A����d����D�	EventDataTEMP�,�w��-g0�^���"	���\D�	EventDataA��;�oData#K�NameBootType
@�BootTypeTEMP40���	;H�^Fߟ�U�����D�	EventDataA��;�oData#K�NameBootType
A��A�oData)K�NameLoadOptions
X�p�BootTypeLoadOptionsTEMP,��v5Y�0�EX��5f0�q����D�	EventDataA��E�oData-K�Name
ResetEndStart

A��K�oData3K�NameLoadOSImageStart

A��M�oData5K�NameStartOSImageStart

A��U�oData=K�NameExitBootServicesEntry

A��S�oData;K�NameExitBootServicesExit



��

�

0�

X�

�� ResetEndStart(LoadOSImageStart(StartOSImageStart0ExitBootServicesEntry0ExitBootServicesExitTEMP�D�$*��Qq�����XD�	EventDataA��7�oDataK�NameStatus
X�StatusTEMP����{��b(]�O]9�����xD�	EventDataA��W�oData?K�NameBitlockerUserInputTime



,�4BitlockerUserInputTimeTEMPHD��m�[ MkV,Bc�t���D�	EventDataA��=�oData%K�Name	ImageName
A��I�oData1K�NameImageLoadStatus
l���ImageName$ImageLoadStatusTEMPX���bIU�2Z"��M���D�	EventDataA��A�oData)K�NamePeImageName
A��M�oData5K�NamePeImageLoadStatus
����PeImageName(PeImageLoadStatusTEMP����QI��-R�d�(P��rD�	EventDataA��Q�oData9K�NameUpdateCapsuleStatus
��,UpdateCapsuleStatusTEMP� �J�M�9��T2�`0cX���D�	EventDataA��A�oData)K�NameDeviceFlags
A��=�oData%K�Name	PcrBitmap
A��U�oData=K�NameUpdateSupportedStatus
\�x���DeviceFlagsPcrBitmap0UpdateSupportedStatusTEMPH���m�[ MkV,Bc�t���D�	EventDataA��=�oData%K�Name	ImageName
A��I�oData1K�NameImageLoadStatus
����ImageName$ImageLoadStatusTEMPH���m�[ MkV,Bc�t���D�	EventDataA��=�oData%K�Name	ImageName
A��I�oData1K�NameImageLoadStatus
�,�ImageName$ImageLoadStatusTEMPD0��#|�'$\-]���H���D�	EventDataA��=�oData%K�Name	ImageName
A��G�oData/K�NameSiPolicyStatus
X�p�ImageName$SiPolicyStatusTEMPDt��T&��{Z�pu�t�����D�	EventDataA��;�oData#K�NameHiveName
A��G�oData/K�NameHiveLoadStatus
����HiveName$HiveLoadStatusTEMP�d�$*��Qq�����XD�	EventDataA��7�oDataK�NameStatus
x�StatusTEMP��$*��Qq�����XD�	EventDataA��7�oDataK�NameStatus
,�StatusTEMP�L�X���S#�H9����D�	EventDataA��3�oDataK�NamePath
A��?�oData'K�Name
FailedPath
A��7�oDataK�NameStatus
������PathFailedPathStatusTEMPx��dC��6lZ'H_�?Z�����D�	EventDataA��3�oDataK�NamePath
A��7�oDataK�NameImport
A��7�oDataK�NameStatus
��,�PathImportStatusTEMP����ǋzp�P�N?�����tD�	EventDataA��K�oData3K�NameCachedCopyStatus
A��Q�oData9K�NameIdkGenerationStatus
A��I�oData1K�NameMeasuringStatus
A��Y�oDataAK�NameSealingAndCachingStatus
8�`�����(CachedCopyStatus,IdkGenerationStatus$MeasuringStatus4SealingAndCachingStatusTEMP�

��8>$3@T��d��Jo���D�	EventDataA��M�oData5K�NameIsFasrCertPresent
A��i�oDataQK�NameValidateFasrCertSignatureStatus
A��_�oDataGK�NameBootmgrAuthorityEventCount
A��_�oDataGK�NameVerifiedMicrosoftAuthority
A��a�oDataIK�NameValidateFasrPcrValuesStatus
A��K�oData3K�NamePcrMismatchIndex
A��C�oData+K�NameFasrCertSize
A��[�oDataCK�NameFasrCertWithoutSignature
A��M�oData5K�NameFasrSignatureSize
A��E�oData-K�Name
FasrSignature
	������8�t�������0�X�(IsFasrCertPresentDValidateFasrCertSignatureStatus<BootmgrAuthorityEventCount<VerifiedMicrosoftAuthority<ValidateFasrPcrValuesStatus(PcrMismatchIndex FasrCertSize8FasrCertWithoutSignature(FasrSignatureSize FasrSignatureTEMPD��*--�c�
_-tn��y���D�	EventDataA��K�oData3K�NameCachedCopyStatus
A��]�oDataEK�NameUnsealingCachedCopyStatus
A��_�oDataGK�NameKeyGenerationAndSaveStatus
A��E�oData-K�Name
SealingStatus
A��?�oData'K�Name
TpmPcrMask
A��e�oDataMK�NameProtectorAssistedUnsealStatus
A��e�oDataMK�NameProtectorAssistedResealStatus
A��]�oDataEK�NameProtectorSealUpdateStatus
A��O�oData7K�NameTpmCounterOpStatus
A��W�oData?K�NameTpmCounterCreateStatus
	A��S�oData;K�NameBackupSealedBlobUsed

������8�X�t�����,�X�

��(CachedCopyStatus8UnsealingCachedCopyStatus<KeyGenerationAndSaveStatus SealingStatusTpmPcrMask@ProtectorAssistedUnsealStatus@ProtectorAssistedResealStatus8ProtectorSealUpdateStatus,TpmCounterOpStatus4TpmCounterCreateStatus0BackupSealedBlobUsedTEMPT��/�kb.�R$+��\T����D�	EventDataA��K�oData3K�NameCachedCopyStatus
A��Y�oDataAK�NamePrimaryBlobUnsealStatus
A��W�oData?K�NameBackupBlobUnsealStatus
A��c�oDataKK�NamePca2023ProtectorUnsealStatus
A��e�oDataMK�NameBackupBlobValidityCheckStatus
A��S�oData;K�NameBackupBlobStillValid

A��q�oDataYK�Name#Pca2023ProtectorValidityCheckStatus
A��_�oDataGK�NamePca2023ProtectorStillValid

A��Y�oDataAK�NamePrimaryBlobResealStatus
A��W�oData?K�NameBackupBlobResealStatus
	A��c�oDataKK�NamePca2023ProtectorResealStatus
A��_�oDataGK�NameKeyGenerationAndSaveStatus
A��E�oData-K�Name
SealingStatus
A��?�oData'K�Name
TpmPcrMask

A��O�oData7K�NameTpmCounterOpStatus
A��W�oData?K�NameTpmCounterCreateStatus
A��S�oData;K�NameBackupSealedBlobUsed

A��{�oDatacK�Name(Pca2023ProtectorCleanupPostUpgradeStatus
@�h������

P���

���<�p������(�T�

����(CachedCopyStatus4PrimaryBlobUnsealStatus4BackupBlobUnsealStatus@Pca2023ProtectorUnsealStatus@BackupBlobValidityCheckStatus0BackupBlobStillValidLPca2023ProtectorValidityCheckStatus<Pca2023ProtectorStillValid4PrimaryBlobResealStatus4BackupBlobResealStatus@Pca2023ProtectorResealStatus<KeyGenerationAndSaveStatus SealingStatusTpmPcrMask,TpmCounterOpStatus4TpmCounterCreateStatus0BackupSealedBlobUsedXPca2023ProtectorCleanupPostUpgradeStatusTEMP4,,�D����wQ|��o�����D�	EventDataA��K�oData3K�NameCachedCopyStatus
A��Y�oDataAK�NamePrimaryBlobUnsealStatus
A��W�oData?K�NameBackupBlobUnsealStatus
A��c�oDataKK�NamePca2023ProtectorUnsealStatus
A��e�oDataMK�NameBackupBlobValidityCheckStatus
A��S�oData;K�NameBackupBlobStillValid

A��q�oDataYK�Name#Pca2023ProtectorValidityCheckStatus
A��_�oDataGK�NamePca2023ProtectorStillValid

A��Y�oDataAK�NamePrimaryBlobResealStatus
A��W�oData?K�NameBackupBlobResealStatus
	A��c�oDataKK�NamePca2023ProtectorResealStatus
A��_�oDataGK�NameKeyGenerationAndSaveStatus
A��E�oData-K�Name
SealingStatus
A��?�oData'K�Name
TpmPcrMask

A��O�oData7K�NameTpmCounterOpStatus
A��W�oData?K�NameTpmCounterCreateStatus
A��S�oData;K�NameBackupSealedBlobUsed

A��{�oDatacK�Name(Pca2023ProtectorCleanupPostUpgradeStatus
A��G�oData/K�NameNeedToRollLkey
A��U�oData=K�NameCreationStateVerified
A��K�oData3K�NameV2ProtectorsUsed
A��[�oDataCK�NameLegacyUefiVarQueryStatus
A��_�oDataGK�NameLegacyUefiVarCleanupStatus
A��k�oDataSK�Name VbsRollbackDataProtectionEnabled
A��k�oDataSK�Name VbsRollbackDataProtectionOptedIn
A��}�oDataeK�Name)VbsRollbackDataProtectionTpmCounterStatus
A��K�oData3K�NameFirstWriteToDisk
A��G�oData/K�NameWritePkgToUefi
A��S�oData;K�NameLatchedProtectorUsed
A��M�oData5K�NameLatchTheUnlatched
A��Q�oData9K�NameUnsupportedRollback
A��Y�oDataAK�NameUpgradedVbsPolicyExists
A��]�oDataEK�NameTpmCounterIncrementStatus
 A��Q�oData9K�NameActivePolicyVersion
!
A��S�oData;K�NameLatchedPolicyVersion
"
A��W�oData?K�NameUnlatchedPolicyVersion
#
A��k�oDataSK�Name LatchedPrimaryBlobResealStatusV2
$A��i�oDataQK�NameLatchedBackupBlobResealStatusV2
%A��u�oData]K�Name%LatchedPca2023ProtectorResealStatusV2
&A����oDatauK�Name1LatchedPca2023ProtectorCleanupPostUpgradeStatusV2
'A��o�oDataWK�Name"UnlatchedPrimaryBlobResealStatusV2
(A��m�oDataUK�Name!UnlatchedBackupBlobResealStatusV2
)A��y�oDataaK�Name'UnlatchedPca2023ProtectorResealStatusV2
*A����oDatayK�Name3UnlatchedPca2023ProtectorCleanupPostUpgradeStatusV2
+8`��	

H	x	

�	
4
h
�
�
 L

��

,
\��
�
@
�

�


,
\
�
��



H

x��8��<��(CachedCopyStatus4PrimaryBlobUnsealStatus4BackupBlobUnsealStatus@Pca2023ProtectorUnsealStatus@BackupBlobValidityCheckStatus0BackupBlobStillValidLPca2023ProtectorValidityCheckStatus<Pca2023ProtectorStillValid4PrimaryBlobResealStatus4BackupBlobResealStatus@Pca2023ProtectorResealStatus<KeyGenerationAndSaveStatus SealingStatusTpmPcrMask,TpmCounterOpStatus4TpmCounterCreateStatus0BackupSealedBlobUsedXPca2023ProtectorCleanupPostUpgradeStatus$NeedToRollLkey0CreationStateVerified(V2ProtectorsUsed8LegacyUefiVarQueryStatus<LegacyUefiVarCleanupStatusHVbsRollbackDataProtectionEnabledHVbsRollbackDataProtectionOptedInXVbsRollbackDataProtectionTpmCounterStatus(FirstWriteToDisk$WritePkgToUefi0LatchedProtectorUsed(LatchTheUnlatched,UnsupportedRollback4UpgradedVbsPolicyExists8TpmCounterIncrementStatus,ActivePolicyVersion0LatchedPolicyVersion4UnlatchedPolicyVersionHLatchedPrimaryBlobResealStatusV2DLatchedBackupBlobResealStatusV2PLatchedPca2023ProtectorResealStatusV2hLatchedPca2023ProtectorCleanupPostUpgradeStatusV2LUnlatchedPrimaryBlobResealStatusV2HUnlatchedBackupBlobResealStatusV2TUnlatchedPca2023ProtectorResealStatusV2lUnlatchedPca2023ProtectorCleanupPostUpgradeStatusV2TEMP�  ���4��Q�m�]j�x��"
D�	EventDataA��7�oDataK�NameStatus
A��?�oData'K�Name
OsDeviceId
A��?�oData'K�Name
SystemRoot
A��A�oData)K�NamePcrSealMask
A��M�oData5K�NameLatchTheUnlatched
A��k�oDataSK�Name UpgradedAntirollbackPolicyExists
A��K�oData3K�NameEncryptionStatus
A��Y�oDataAK�NameKeyPkgIdTpmCounterValue

A��]�oDataEK�NameEncryptedLKeyArrayPkgSize
A��W�oData?K�NameEncryptedLKeyPkgPdGuid
	A��]�oDataEK�NameUnlatchedUnsealPolicySize
A��[�oDataCK�NameUnlatchedProtectorExists
A��Y�oDataAK�NameLatchedUnsealPolicySize
A��W�oData?K�NameLatchedProtectorExists

A��c�oDataKK�NameLatchedUnsealPolicy->Version
A��o�oDataWK�Name"LatchedUnsealPolicy->VarDataOffset
A��o�oDataWK�Name"LatchedUnsealPolicy->StructureSize
A��o�oDataWK�Name"LatchedUnsealPolicy->PolicyVersion

A��u�oData]K�Name%LatchedUnsealPolicy->PolicyHashLength
A��i�oDataQK�NameLatchedUnsealPolicy->WinloadSVN
A��m�oDataUK�Name!LatchedUnsealPolicy->WinresumeSVN
A��i�oDataQK�NameLatchedUnsealPolicy->BootmgrSVN
A��g�oDataOK�NameLatchedUnsealPolicy->LKeyPkgId

A��g�oDataOK�NameUnlatchedUnsealPolicy->Version
A��s�oData[K�Name$UnlatchedUnsealPolicy->VarDataOffset
A��s�oData[K�Name$UnlatchedUnsealPolicy->StructureSize
A��s�oData[K�Name$UnlatchedUnsealPolicy->PolicyVersion

A��y�oDataaK�Name'UnlatchedUnsealPolicy->PolicyHashLength
A��m�oDataUK�Name!UnlatchedUnsealPolicy->WinloadSVN
A��q�oDataYK�Name#UnlatchedUnsealPolicy->WinresumeSVN
A��m�oDataUK�Name!UnlatchedUnsealPolicy->BootmgrSVN
A��k�oDataSK�Name UnlatchedUnsealPolicy->LKeyPkgId

"0"L"h"
�"
�"�"

#P#�#�#
�#,$
`$�$�$ %

l%�%&L&�&

�&'`'�'

(P(�(�(8)

�)StatusOsDeviceIdSystemRootPcrSealMask(LatchTheUnlatchedHUpgradedAntirollbackPolicyExists(EncryptionStatus4KeyPkgIdTpmCounterValue8EncryptedLKeyArrayPkgSize4EncryptedLKeyPkgPdGuid8UnlatchedUnsealPolicySize8UnlatchedProtectorExists4LatchedUnsealPolicySize4LatchedProtectorExists@LatchedUnsealPolicy->VersionLLatchedUnsealPolicy->VarDataOffsetLLatchedUnsealPolicy->StructureSizeLLatchedUnsealPolicy->PolicyVersionPLatchedUnsealPolicy->PolicyHashLengthDLatchedUnsealPolicy->WinloadSVNHLatchedUnsealPolicy->WinresumeSVNDLatchedUnsealPolicy->BootmgrSVNDLatchedUnsealPolicy->LKeyPkgIdDUnlatchedUnsealPolicy->VersionPUnlatchedUnsealPolicy->VarDataOffsetPUnlatchedUnsealPolicy->StructureSizePUnlatchedUnsealPolicy->PolicyVersionTUnlatchedUnsealPolicy->PolicyHashLengthHUnlatchedUnsealPolicy->WinloadSVNLUnlatchedUnsealPolicy->WinresumeSVNHUnlatchedUnsealPolicy->BootmgrSVNHUnlatchedUnsealPolicy->LKeyPkgIdTEMP�/==�D\��1�X��ט��G
���D�	EventDataA��7�oDataK�NameStatus
A��?�oData'K�Name
OsDeviceId
A��?�oData'K�Name
SystemRoot
A��G�oData/K�NameVsmLKeyRelPath
A��_�oDataGK�NameLatchedUnsealPolicyRelPath
A��c�oDataKK�NameUnlatchedUnsealPolicyRelPath
A��q�oDataYK�Name#LatchedPrimaryProtectorVariableName
A��u�oData]K�Name%LatchedSecondaryProtectorVariableName
A��u�oData]K�Name%UnlatchedPrimaryProtectorVariableName
A��y�oDataaK�Name'UnlatchedSecondaryProtectorVariableName
	A��]�oDataEK�NameLatchedProtectorUsedLocal
A��W�oData?K�NameLatchTheUnlatchedLocal
A��[�oDataCK�NameUnsupportedRollbackLocal
A��u�oData]K�Name%UpgradedAntirollbackPolicyExistsLocal

A��i�oDataQK�NamePkgWasCorruptOrUnavailableLocal
A��_�oDataGK�NameCreationStateVerifiedLocal
A��w�oData_K�Name&PrimaryProtectorTargetPcrSealMaskLocal
A��W�oData?K�NameLatchedProtectorExists
A��[�oDataCK�NameUnlatchedProtectorExists
A��Y�oDataAK�NameKeyPkgIdTpmCounterValue

A��Q�oData9K�NameActivePolicyVersion

A��U�oData=K�NameUseUnlatchedProtector
A��c�oDataKK�NameNeedToResealPrimaryProtector
A��g�oDataOK�NameNeedToResealSecondaryProtector
A��c�oDataKK�NameNeedToResealPca2023Protector
A��q�oDataYK�Name#pSubStatus->PrimaryBlobUnsealStatus
A��o�oDataWK�Name"pSubStatus->BackupBlobUnsealStatus
A��{�oDatacK�Name(pSubStatus->Pca2023ProtectorUnsealStatus
A��}�oDataeK�Name)pSubStatus->BackupBlobValidityCheckStatus
A��k�oDataSK�Name pSubStatus->BackupBlobStillValid

A����oDataqK�Name/pSubStatus->Pca2023ProtectorValidityCheckStatus
A��w�oData_K�Name&pSubStatus->Pca2023ProtectorStillValid

A��q�oDataYK�Name#pSubStatus->PrimaryBlobResealStatus
 A��o�oDataWK�Name"pSubStatus->BackupBlobResealStatus
!A��{�oDatacK�Name(pSubStatus->Pca2023ProtectorResealStatus
"A��c�oDataKK�NamepSubStatus->V2ProtectorsUsed
#A��s�oData[K�Name$pSubStatus->LegacyUefiVarQueryStatus
$A��w�oData_K�Name&pSubStatus->LegacyUefiVarCleanupStatus
%A��i�oDataQK�NamepSubStatus->ActivePolicyVersion
&
A��k�oDataSK�Name pSubStatus->LatchedPolicyVersion
'
A��o�oDataWK�Name"pSubStatus->UnlatchedPolicyVersion
(
A��[�oDataCK�NameLatchedUnsealPolicyValid
)A��c�oDataKK�NameLatchedUnsealPolicy->Version
*A��o�oDataWK�Name"LatchedUnsealPolicy->VarDataOffset
+A��o�oDataWK�Name"LatchedUnsealPolicy->StructureSize
,A��o�oDataWK�Name"LatchedUnsealPolicy->PolicyVersion
-
A��u�oData]K�Name%LatchedUnsealPolicy->PolicyHashLength
.A��i�oDataQK�NameLatchedUnsealPolicy->WinloadSVN
/A��m�oDataUK�Name!LatchedUnsealPolicy->WinresumeSVN
0A��i�oDataQK�NameLatchedUnsealPolicy->BootmgrSVN
1A��g�oDataOK�NameLatchedUnsealPolicy->LKeyPkgId
2
A��_�oDataGK�NameUnlatchedUnsealPolicyValid
3A��g�oDataOK�NameUnlatchedUnsealPolicy->Version
4A��s�oData[K�Name$UnlatchedUnsealPolicy->VarDataOffset
5A��s�oData[K�Name$UnlatchedUnsealPolicy->StructureSize
6A��s�oData[K�Name$UnlatchedUnsealPolicy->PolicyVersion
7
A��y�oDataaK�Name'UnlatchedUnsealPolicy->PolicyHashLength
8A��m�oDataUK�Name!UnlatchedUnsealPolicy->WinloadSVN
9A��q�oDataYK�Name#UnlatchedUnsealPolicy->WinresumeSVN
:A��m�oDataUK�Name!UnlatchedUnsealPolicy->BootmgrSVN
;A��k�oDataSK�Name UnlatchedUnsealPolicy->LKeyPkgId
<
\IpI�I�I�IJHJ�J�J4K
�K
�K
�K
,L
|L
�L�L
PM
�M

�M

�M
N
LN
�N
�NO\O�OP

XP�P

QXQ�Q�Q
HR�R�R

,S

pS

�S
T<T|T�T

U`U�U�U<V

�V
�VWDW�W

�W4X�X�XY

dYStatusOsDeviceIdSystemRoot$VsmLKeyRelPath<LatchedUnsealPolicyRelPath@UnlatchedUnsealPolicyRelPathLLatchedPrimaryProtectorVariableNamePLatchedSecondaryProtectorVariableNamePUnlatchedPrimaryProtectorVariableNameTUnlatchedSecondaryProtectorVariableName8LatchedProtectorUsedLocal4LatchTheUnlatchedLocal8UnsupportedRollbackLocalPUpgradedAntirollbackPolicyExistsLocalDPkgWasCorruptOrUnavailableLocal<CreationStateVerifiedLocalTPrimaryProtectorTargetPcrSealMaskLocal4LatchedProtectorExists8UnlatchedProtectorExists4KeyPkgIdTpmCounterValue,ActivePolicyVersion0UseUnlatchedProtector@NeedToResealPrimaryProtectorDNeedToResealSecondaryProtector@NeedToResealPca2023ProtectorLpSubStatus->PrimaryBlobUnsealStatusLpSubStatus->BackupBlobUnsealStatusXpSubStatus->Pca2023ProtectorUnsealStatusXpSubStatus->BackupBlobValidityCheckStatusHpSubStatus->BackupBlobStillValiddpSubStatus->Pca2023ProtectorValidityCheckStatusTpSubStatus->Pca2023ProtectorStillValidLpSubStatus->PrimaryBlobResealStatusLpSubStatus->BackupBlobResealStatusXpSubStatus->Pca2023ProtectorResealStatus@pSubStatus->V2ProtectorsUsedPpSubStatus->LegacyUefiVarQueryStatusTpSubStatus->LegacyUefiVarCleanupStatusDpSubStatus->ActivePolicyVersionHpSubStatus->LatchedPolicyVersionLpSubStatus->UnlatchedPolicyVersion8LatchedUnsealPolicyValid@LatchedUnsealPolicy->VersionLLatchedUnsealPolicy->VarDataOffsetLLatchedUnsealPolicy->StructureSizeLLatchedUnsealPolicy->PolicyVersionPLatchedUnsealPolicy->PolicyHashLengthDLatchedUnsealPolicy->WinloadSVNHLatchedUnsealPolicy->WinresumeSVNDLatchedUnsealPolicy->BootmgrSVNDLatchedUnsealPolicy->LKeyPkgId<UnlatchedUnsealPolicyValidDUnlatchedUnsealPolicy->VersionPUnlatchedUnsealPolicy->VarDataOffsetPUnlatchedUnsealPolicy->StructureSizePUnlatchedUnsealPolicy->PolicyVersionTUnlatchedUnsealPolicy->PolicyHashLengthHUnlatchedUnsealPolicy->WinloadSVNLUnlatchedUnsealPolicy->WinresumeSVNHUnlatchedUnsealPolicy->BootmgrSVNHUnlatchedUnsealPolicy->LKeyPkgIdTEMP$$$�h϶؍�<^�!dT�+2���D�	EventDataA��7�oDataK�NameStatus
A��U�oData=K�NamePrimarySealedBlobName
A��g�oDataOK�NameSecondaryProtectorVariableName
A��[�oDataCK�NameBlobFromUefiVariableSize
A��Q�oData9K�NameUefiContentIsSealed
A��K�oData3K�NameUnsealedBlobSize
A��I�oData1K�NamePcr7SealingUsed
A��Q�oData9K�NamePkgTpmSealMaskLocal
A��Y�oDataAK�NamePkgTpmCreationMaskLocal
A��O�oData7K�NameNeedToResealKeyPkg
	A��O�oData7K�NameNeedToResealBackup
A��c�oDataKK�NameNeedToResealPca2023Protector
A��M�oData5K�NamePlaintextBlobSize
A��Y�oDataAK�NamePlaintextIsLegacyFormat

A��M�oData5K�NameUefiBlobIsCorrupt
A��;�oData#K�NameNewKeyID
A��_�oDataGK�NameVerifiedMicrosoftAuthority
A��U�oData=K�NameContainsAuthorityData
A��_�oDataGK�NameBootmgrAuthorityEventCount
A��=�oData%K�Name	Authority
A��q�oDataYK�Name#pSubStatus->PrimaryBlobUnsealStatus
A��o�oDataWK�Name"pSubStatus->BackupBlobUnsealStatus
A��{�oDatacK�Name(pSubStatus->Pca2023ProtectorUnsealStatus
A��}�oDataeK�Name)pSubStatus->BackupBlobValidityCheckStatus
A��k�oDataSK�Name pSubStatus->BackupBlobStillValid

A����oDataqK�Name/pSubStatus->Pca2023ProtectorValidityCheckStatus
A��w�oData_K�Name&pSubStatus->Pca2023ProtectorStillValid

A��q�oDataYK�Name#pSubStatus->PrimaryBlobResealStatus
A��o�oDataWK�Name"pSubStatus->BackupBlobResealStatus
A��{�oDatacK�Name(pSubStatus->Pca2023ProtectorResealStatus
A��c�oDataKK�NamepSubStatus->V2ProtectorsUsed
A��s�oData[K�Name$pSubStatus->LegacyUefiVarQueryStatus
A��w�oData_K�Name&pSubStatus->LegacyUefiVarCleanupStatus
 A��i�oDataQK�NamepSubStatus->ActivePolicyVersion
!
A��k�oDataSK�Name pSubStatus->LatchedPolicyVersion
"
A��o�oDataWK�Name"pSubStatus->UnlatchedPolicyVersion
#
Pkdk�k�k
l<l
dl�l�l
�l
m
@m�m
�m
�mn
n
Xn�n�n�n(oto�o

$plp

�p$qpq�q
rTr�r

�r

<s

�sStatus0PrimarySealedBlobNameDSecondaryProtectorVariableName8BlobFromUefiVariableSize,UefiContentIsSealed(UnsealedBlobSize$Pcr7SealingUsed,PkgTpmSealMaskLocal4PkgTpmCreationMaskLocal,NeedToResealKeyPkg,NeedToResealBackup@NeedToResealPca2023Protector(PlaintextBlobSize4PlaintextIsLegacyFormat(UefiBlobIsCorruptNewKeyID<VerifiedMicrosoftAuthority0ContainsAuthorityData<BootmgrAuthorityEventCountAuthorityLpSubStatus->PrimaryBlobUnsealStatusLpSubStatus->BackupBlobUnsealStatusXpSubStatus->Pca2023ProtectorUnsealStatusXpSubStatus->BackupBlobValidityCheckStatusHpSubStatus->BackupBlobStillValiddpSubStatus->Pca2023ProtectorValidityCheckStatusTpSubStatus->Pca2023ProtectorStillValidLpSubStatus->PrimaryBlobResealStatusLpSubStatus->BackupBlobResealStatusXpSubStatus->Pca2023ProtectorResealStatus@pSubStatus->V2ProtectorsUsedPpSubStatus->LegacyUefiVarQueryStatusTpSubStatus->LegacyUefiVarCleanupStatusDpSubStatus->ActivePolicyVersionHpSubStatus->LatchedPolicyVersionLpSubStatus->UnlatchedPolicyVersionTEMP�((���~�a�T�P�\c����D�	EventDataA��7�oDataK�NameStatus
A��g�oDataOK�NameSecondaryProtectorVariableName
A��c�oDataKK�NameNeedToResealPrimaryProtector
A��g�oDataOK�NameNeedToResealSecondaryProtector
A��c�oDataKK�NameNeedToResealPca2023Protector
A��e�oDataMK�NameSealedBackupEncryptionKeySize
A��g�oDataOK�NameSealedPca2023EncryptionKeySize
A��M�oData5K�NameUefiBlobIsCorrupt
A��I�oData1K�NamePcr7SealingUsed
A��_�oDataGK�NameCreationStateVerifiedLocal
	A��_�oDataGK�NameVerifiedMicrosoftAuthority
A��U�oData=K�NameContainsAuthorityData
A��_�oDataGK�NameBootmgrAuthorityEventCount
A��w�oData_K�Name&PrimaryProtectorTargetPcrSealMaskLocal

A��=�oData%K�Name	Authority
A��q�oDataYK�Name#pSubStatus->PrimaryBlobUnsealStatus
A��o�oDataWK�Name"pSubStatus->BackupBlobUnsealStatus
A��{�oDatacK�Name(pSubStatus->Pca2023ProtectorUnsealStatus
A��}�oDataeK�Name)pSubStatus->BackupBlobValidityCheckStatus
A��k�oDataSK�Name pSubStatus->BackupBlobStillValid

A����oDataqK�Name/pSubStatus->Pca2023ProtectorValidityCheckStatus
A��w�oData_K�Name&pSubStatus->Pca2023ProtectorStillValid

A��q�oDataYK�Name#pSubStatus->PrimaryBlobResealStatus
A��o�oDataWK�Name"pSubStatus->BackupBlobResealStatus
A��{�oDatacK�Name(pSubStatus->Pca2023ProtectorResealStatus
A��c�oDataKK�NamepSubStatus->V2ProtectorsUsed
A��s�oData[K�Name$pSubStatus->LegacyUefiVarQueryStatus
A��w�oData_K�Name&pSubStatus->LegacyUefiVarCleanupStatus
A��i�oDataQK�NamepSubStatus->ActivePolicyVersion

A��k�oDataSK�Name pSubStatus->LatchedPolicyVersion

A��o�oDataWK�Name"pSubStatus->UnlatchedPolicyVersion

A��g�oDataOK�NameValidatedUnsealPolicy->Version
A��s�oData[K�Name$ValidatedUnsealPolicy->VarDataOffset
 A��s�oData[K�Name$ValidatedUnsealPolicy->StructureSize
!A��s�oData[K�Name$ValidatedUnsealPolicy->PolicyVersion
"
A��y�oDataaK�Name'ValidatedUnsealPolicy->PolicyHashLength
#A��m�oDataUK�Name!ValidatedUnsealPolicy->WinloadSVN
$A��q�oDataYK�Name#ValidatedUnsealPolicy->WinresumeSVN
%A��m�oDataUK�Name!ValidatedUnsealPolicy->BootmgrSVN
&A��k�oDataSK�Name ValidatedUnsealPolicy->LKeyPkgId
'
Ȉ܈
 �
`�
���$�
h�
��
��
�
,�\�����P����

L���

��L����
<�|�̏

 �

d�

����<���

ܑ,���Ȓ�

\�StatusDSecondaryProtectorVariableName@NeedToResealPrimaryProtectorDNeedToResealSecondaryProtector@NeedToResealPca2023Protector@SealedBackupEncryptionKeySizeDSealedPca2023EncryptionKeySize(UefiBlobIsCorrupt$Pcr7SealingUsed<CreationStateVerifiedLocal<VerifiedMicrosoftAuthority0ContainsAuthorityData<BootmgrAuthorityEventCountTPrimaryProtectorTargetPcrSealMaskLocalAuthorityLpSubStatus->PrimaryBlobUnsealStatusLpSubStatus->BackupBlobUnsealStatusXpSubStatus->Pca2023ProtectorUnsealStatusXpSubStatus->BackupBlobValidityCheckStatusHpSubStatus->BackupBlobStillValiddpSubStatus->Pca2023ProtectorValidityCheckStatusTpSubStatus->Pca2023ProtectorStillValidLpSubStatus->PrimaryBlobResealStatusLpSubStatus->BackupBlobResealStatusXpSubStatus->Pca2023ProtectorResealStatus@pSubStatus->V2ProtectorsUsedPpSubStatus->LegacyUefiVarQueryStatusTpSubStatus->LegacyUefiVarCleanupStatusDpSubStatus->ActivePolicyVersionHpSubStatus->LatchedPolicyVersionLpSubStatus->UnlatchedPolicyVersionDValidatedUnsealPolicy->VersionPValidatedUnsealPolicy->VarDataOffsetPValidatedUnsealPolicy->StructureSizePValidatedUnsealPolicy->PolicyVersionTValidatedUnsealPolicy->PolicyHashLengthHValidatedUnsealPolicy->WinloadSVNLValidatedUnsealPolicy->WinresumeSVNHValidatedUnsealPolicy->BootmgrSVNHValidatedUnsealPolicy->LKeyPkgIdTEMP����H��aIP��]����B
D�	EventDataA��_�oDataGK�NameLegacyMainBlobVariableName
A��s�oData[K�Name$LegacySecondaryProtectorVariableName
A��i�oDataQK�NamePkgWasCorruptOrUnavailableLocal
A��O�oData7K�NameKeysAreLegacyLocal
A��_�oDataGK�NameCreationStateVerifiedLocal
A��w�oData_K�Name&PrimaryProtectorTargetPcrSealMaskLocal
A��q�oDataYK�Name#pSubStatus->PrimaryBlobUnsealStatus
A��o�oDataWK�Name"pSubStatus->BackupBlobUnsealStatus
A��{�oDatacK�Name(pSubStatus->Pca2023ProtectorUnsealStatus
A��}�oDataeK�Name)pSubStatus->BackupBlobValidityCheckStatus
	A��k�oDataSK�Name pSubStatus->BackupBlobStillValid

A����oDataqK�Name/pSubStatus->Pca2023ProtectorValidityCheckStatus
A��w�oData_K�Name&pSubStatus->Pca2023ProtectorStillValid

A��q�oDataYK�Name#pSubStatus->PrimaryBlobResealStatus

A��o�oDataWK�Name"pSubStatus->BackupBlobResealStatus
A��{�oDatacK�Name(pSubStatus->Pca2023ProtectorResealStatus
A��c�oDataKK�NamepSubStatus->V2ProtectorsUsed
A��s�oData[K�Name$pSubStatus->LegacyUefiVarQueryStatus
A��w�oData_K�Name&pSubStatus->LegacyUefiVarCleanupStatus
A��i�oDataQK�NamepSubStatus->ActivePolicyVersion

A��k�oDataSK�Name pSubStatus->LatchedPolicyVersion

A��o�oDataWK�Name"pSubStatus->UnlatchedPolicyVersion

ԟ�
`�
��
Р�`�����P�

���

T����@�
��ؤ(�

|�

��

�<LegacyMainBlobVariableNamePLegacySecondaryProtectorVariableNameDPkgWasCorruptOrUnavailableLocal,KeysAreLegacyLocal<CreationStateVerifiedLocalTPrimaryProtectorTargetPcrSealMaskLocalLpSubStatus->PrimaryBlobUnsealStatusLpSubStatus->BackupBlobUnsealStatusXpSubStatus->Pca2023ProtectorUnsealStatusXpSubStatus->BackupBlobValidityCheckStatusHpSubStatus->BackupBlobStillValiddpSubStatus->Pca2023ProtectorValidityCheckStatusTpSubStatus->Pca2023ProtectorStillValidLpSubStatus->PrimaryBlobResealStatusLpSubStatus->BackupBlobResealStatusXpSubStatus->Pca2023ProtectorResealStatus@pSubStatus->V2ProtectorsUsedPpSubStatus->LegacyUefiVarQueryStatusTpSubStatus->LegacyUefiVarCleanupStatusDpSubStatus->ActivePolicyVersionHpSubStatus->LatchedPolicyVersionLpSubStatus->UnlatchedPolicyVersionTEMP''D�qr�&X�xB)������D�	EventDataA��7�oDataK�NameStatus
A��?�oData'K�Name
OsDeviceId
A��G�oData/K�NameOsDataDeviceId
A��?�oData'K�Name
SystemRoot
A��G�oData/K�NameVsmLKeyRelPath
A��_�oDataGK�NameLatchedUnsealPolicyRelPath
A��c�oDataKK�NameUnlatchedUnsealPolicyRelPath
A��q�oDataYK�Name#LatchedPrimaryProtectorVariableName
A��u�oData]K�Name%LatchedSecondaryProtectorVariableName
A��u�oData]K�Name%UnlatchedPrimaryProtectorVariableName
	A��y�oDataaK�Name'UnlatchedSecondaryProtectorVariableName
A��_�oDataGK�NameLegacyMainBlobVariableName
A��s�oData[K�Name$LegacySecondaryProtectorVariableName
A��]�oDataEK�NameLatchedProtectorUsedLocal

A��W�oData?K�NameLatchTheUnlatchedLocal
A��[�oDataCK�NameUnsupportedRollbackLocal
A��u�oData]K�Name%UpgradedAntirollbackPolicyExistsLocal
A��U�oData=K�NameFirstWriteToDiskLocal
A��Q�oData9K�NameWritePkgToUefiLocal
A��i�oDataQK�NamePkgWasCorruptOrUnavailableLocal
A��O�oData7K�NameKeysAreLegacyLocal
A��_�oDataGK�NameCreationStateVerifiedLocal
A��w�oData_K�Name&PrimaryProtectorTargetPcrSealMaskLocal
A��q�oDataYK�Name#pSubStatus->PrimaryBlobUnsealStatus
A��o�oDataWK�Name"pSubStatus->BackupBlobUnsealStatus
A��{�oDatacK�Name(pSubStatus->Pca2023ProtectorUnsealStatus
A��}�oDataeK�Name)pSubStatus->BackupBlobValidityCheckStatus
A��k�oDataSK�Name pSubStatus->BackupBlobStillValid

A����oDataqK�Name/pSubStatus->Pca2023ProtectorValidityCheckStatus
A��w�oData_K�Name&pSubStatus->Pca2023ProtectorStillValid

A��q�oDataYK�Name#pSubStatus->PrimaryBlobResealStatus
A��o�oDataWK�Name"pSubStatus->BackupBlobResealStatus
A��{�oDatacK�Name(pSubStatus->Pca2023ProtectorResealStatus
 A��c�oDataKK�NamepSubStatus->V2ProtectorsUsed
!A��s�oData[K�Name$pSubStatus->LegacyUefiVarQueryStatus
"A��w�oData_K�Name&pSubStatus->LegacyUefiVarCleanupStatus
#A��i�oDataQK�NamepSubStatus->ActivePolicyVersion
$
A��k�oDataSK�Name pSubStatus->LatchedPolicyVersion
%
A��o�oDataWK�Name"pSubStatus->UnlatchedPolicyVersion
&
P�d�������� �`�����L���ܼ
,�
d�
��
н
 �
P�
|�
��
�(�|�ȿ�l�

��

p���\�
����D�

��

��

$�StatusOsDeviceId$OsDataDeviceIdSystemRoot$VsmLKeyRelPath<LatchedUnsealPolicyRelPath@UnlatchedUnsealPolicyRelPathLLatchedPrimaryProtectorVariableNamePLatchedSecondaryProtectorVariableNamePUnlatchedPrimaryProtectorVariableNameTUnlatchedSecondaryProtectorVariableName<LegacyMainBlobVariableNamePLegacySecondaryProtectorVariableName8LatchedProtectorUsedLocal4LatchTheUnlatchedLocal8UnsupportedRollbackLocalPUpgradedAntirollbackPolicyExistsLocal0FirstWriteToDiskLocal,WritePkgToUefiLocalDPkgWasCorruptOrUnavailableLocal,KeysAreLegacyLocal<CreationStateVerifiedLocalTPrimaryProtectorTargetPcrSealMaskLocalLpSubStatus->PrimaryBlobUnsealStatusLpSubStatus->BackupBlobUnsealStatusXpSubStatus->Pca2023ProtectorUnsealStatusXpSubStatus->BackupBlobValidityCheckStatusHpSubStatus->BackupBlobStillValiddpSubStatus->Pca2023ProtectorValidityCheckStatusTpSubStatus->Pca2023ProtectorStillValidLpSubStatus->PrimaryBlobResealStatusLpSubStatus->BackupBlobResealStatusXpSubStatus->Pca2023ProtectorResealStatus@pSubStatus->V2ProtectorsUsedPpSubStatus->LegacyUefiVarQueryStatusTpSubStatus->LegacyUefiVarCleanupStatusDpSubStatus->ActivePolicyVersionHpSubStatus->LatchedPolicyVersionLpSubStatus->UnlatchedPolicyVersionTEMP�
��z����VX���6mc���D�	EventDataA��7�oDataK�NameStatus
A��9�oData!K�NamePcrMask
A��O�oData7K�NameUnsealPolicyPdGuid
A��i�oDataQK�NameSealingProtectorFixedBufferSize
A��g�oDataOK�NameSealingProtectorUsedBufferSize
A��W�oData?K�NameSealedSecretBufferSize
A��Q�oData9K�NamePcrInfoArrayElCount
A��U�oData=K�NameUnsealPolicy->Version
A��a�oDataIK�NameUnsealPolicy->VarDataOffset
A��a�oDataIK�NameUnsealPolicy->StructureSize
	A��a�oDataIK�NameUnsealPolicy->PolicyVersion

A��g�oDataOK�NameUnsealPolicy->PolicyHashLength
A��[�oDataCK�NameUnsealPolicy->WinloadSVN
A��_�oDataGK�NameUnsealPolicy->WinresumeSVN

A��[�oDataCK�NameUnsealPolicy->BootmgrSVN
A��Y�oDataAK�NameUnsealPolicy->LKeyPkgId

����H������0�`���

���X�����

�StatusPcrMask,UnsealPolicyPdGuidDSealingProtectorFixedBufferSizeDSealingProtectorUsedBufferSize4SealedSecretBufferSize,PcrInfoArrayElCount0UnsealPolicy->Version<UnsealPolicy->VarDataOffset<UnsealPolicy->StructureSize<UnsealPolicy->PolicyVersionDUnsealPolicy->PolicyHashLength8UnsealPolicy->WinloadSVN<UnsealPolicy->WinresumeSVN8UnsealPolicy->BootmgrSVN4UnsealPolicy->LKeyPkgIdTEMP����
w��W\R��}Su�0��xD�	EventDataA��7�oDataK�NameStatus
A��E�oData-K�Name
ProtectorName
A��Y�oDataAK�NameSealedEncryptionKeySize
A��m�oDataUK�Name!ProtectorBlobFromUefiVariableSize
4�H�h���Status ProtectorName4SealedEncryptionKeySizeHProtectorBlobFromUefiVariableSizeTEMP<�i�����[��y�i��r��$D�	EventDataA��5�oDataK�NamealgID
A��C�oData+K�NamedigestLength
A��;�oData#K�NamePcrIndex
A��;�oData#K�NamePcrValue
��������algID digestLengthPcrIndexPcrValueTEMP���>ӎ�uoX���T��J���fD�	EventDataA��K�oData3K�NameCachedCopyStatus
A��Q�oData9K�NameKeyGenerationStatus
A��M�oData5K�NameSealAndSaveStatus
A��G�oData/K�NameUEFIKeysStatus
���,�T�(CachedCopyStatus,KeyGenerationStatus(SealAndSaveStatus$UEFIKeysStatusTEMP�������3_S4Z�!;�+��0D�	EventDataA��K�oData3K�NameCachedCopyStatus
A��Q�oData9K�NameKeyGenerationStatus
A��M�oData5K�NameSealAndSaveStatus
A��G�oData/K�NameUEFIKeysStatus
A��[�oDataCK�NameUnLatchedCiPolicyVersion

A��W�oData?K�NameLatchedCiPolicyVersion

A��i�oDataQK�NameLatchedAntiRollbackCounterValue

A��W�oData?K�NameCurrentCiPolicyVersion

A��i�oDataQK�NameCurrentAntiRollbackCounterValue

A��c�oDataKK�NameMinimumUnsealCiPolicyVersion
	
A��[�oDataCK�NameAuthorizationIsDelegated

�����4�

X�

��

��

�

<�

��

��(CachedCopyStatus,KeyGenerationStatus(SealAndSaveStatus$UEFIKeysStatus8UnLatchedCiPolicyVersion4LatchedCiPolicyVersionDLatchedAntiRollbackCounterValue4CurrentCiPolicyVersionDCurrentAntiRollbackCounterValue@MinimumUnsealCiPolicyVersion8AuthorizationIsDelegatedTEMP����*��T�X��Y�Y��\��xD�	EventDataA��W�oData?K�NameRetrieveDriverListTime



��4RetrieveDriverListTimeTEMPh$��L%�<:R��K�˴��D�	EventDataA��[�oDataCK�NameTpmSrkProvisioningStatus
A��W�oData?K�NameTpmSrkPolicyReadStatus
A��Y�oDataAK�NameTpmSrkSymKeyPolicyValue
A��W�oData?K�NameTpmSrkSymKeyCapability
A��M�oData5K�NameTpmSrkAesBitsUsed
A��[�oDataCK�NameTpmSrkAsymKeyPolicyValue
A��Y�oDataAK�NameTpmSrkAsymKeyCapability
A��M�oData5K�NameTpmSrkRsaBitsUsed
����0�d�������,�8TpmSrkProvisioningStatus4TpmSrkPolicyReadStatus4TpmSrkSymKeyPolicyValue4TpmSrkSymKeyCapability(TpmSrkAesBitsUsed8TpmSrkAsymKeyPolicyValue4TpmSrkAsymKeyCapability(TpmSrkRsaBitsUsedTEMP`��$�F�m�[�sY�����D�	EventDataA��W�oData?K�NameTpmSrkProvisioningTime

A��W�oData?K�NameTpmSrkPolicyReadStatus
A��Y�oDataAK�NameTpmSrkSymKeyPolicyValue
A��W�oData?K�NameTpmSrkSymKeyCapability
A��M�oData5K�NameTpmSrkAesBitsUsed
A��[�oDataCK�NameTpmSrkAsymKeyPolicyValue
A��Y�oDataAK�NameTpmSrkAsymKeyCapability
A��M�oData5K�NameTpmSrkRsaBitsUsed


(�\������� �X���4TpmSrkProvisioningTime4TpmSrkPolicyReadStatus4TpmSrkSymKeyPolicyValue4TpmSrkSymKeyCapability(TpmSrkAesBitsUsed8TpmSrkAsymKeyPolicyValue4TpmSrkAsymKeyCapability(TpmSrkRsaBitsUsedTEMPl�.A�a�M�T��q�`����D�	EventDataA��c�oDataKK�NameTpmBindingProvisioningStatus
��@TpmBindingProvisioningStatusTEMP�`��Ea3�[���>B:���jD�	EventDataA��I�oData1K�NameLoadDriversTime



t�$LoadDriversTimeTEMP,l�.�=����W$ V^ϻп���D�	EventDataA��3�oDataK�NamePath
A��C�oData+K�NameLoadHiveTime

��

��Path LoadHiveTimeTEMP����Z�\�J�Z�d$���D�	EventDataA��U�oData=K�NameApplicationIdentifier
A��Q�oData9K�NameApplicationLoadTime

��

 �0ApplicationIdentifier,ApplicationLoadTimeTEMP�X�L���/!~U1&�ݟ�)���D�	EventDataA��U�oData=K�NameApplicationIdentifier
A��[�oDataCK�NameApplicationExecutionTime

��

��0ApplicationIdentifier8ApplicationExecutionTimeTEMP$���,�L&�SY���������D�	EventDataA��7�oDataK�NameStatus
A��;�oData#K�NameFileName
����StatusFileNameTEMP4��x_T��U�]�x����D�	EventDataA��7�oDataK�NameStatus
A��C�oData+K�NameFailurePoint
��� �Status FailurePointTEMP���$*��Qq�����XD�	EventDataA��7�oDataK�NameStatus
��StatusTEMP������a��R���>�������D�	EventDataA��7�oDataK�NameStatus
A��1�oDataK�NameTag
����StatusTagTEMP����5	0�&U��H�v�%��pD�	EventDataA��O�oData7K�NameReserveDescriptors
��,ReserveDescriptorsTEMP����~��]ͽ'�1����D�	EventDataA��E�oData-K�Name
ApplicationId
A��;�oData#K�NameRunCount
A��=�oData%K�Name	PageCount

@�`�

x� ApplicationIdRunCountPageCountTEMP\�s�Z�j��_��jz(�V(���D�	EventDataA��7�oDataK�NameStatus
A��9�oData!K�NameBlockId

��
��StatusBlockIdTEMP�T��'v~�rPx�zx^X
V��rD�	EventDataA��Q�oData9K�NameFreePersistentPages



h�,FreePersistentPagesTEMPDt���*�P��
7`:o���D�	EventDataA��7�oDataK�NameStatus
A��K�oData3K�NameOutstandingCount

��

��Status(OutstandingCountTEMP4H��/�L�
P\�z���d���:D�	EventDataA��7�oDataK�NameStatus
A��K�oData3K�NameOutstandingCount

A��M�oData5K�NameApplicationsCount
A��5�oDataK�NameAppId
���

�����Status(OutstandingCount(ApplicationsCountAppIdTEMPh�� ��N��YB�B���
���D�	EventDataA��E�oData-K�Name
ApplicationId
A��Q�oData9K�NameFreePersistentPages

(�

H� ApplicationId,FreePersistentPagesTEMP�����*?�S�Y��z\����D�	EventDataA��E�oData-K�Name
ApplicationId
A��9�oData!K�NameBlockId

A��Q�oData9K�NameFreePersistentPages

�
�

� ApplicationIdBlockId,FreePersistentPagesTEMP�\��/��yTQ��lC\V���D�	EventDataA��E�oData-K�Name
ApplicationId
A��9�oData!K�NameBlockId

A��5�oDataK�NameFlags
�

�� ApplicationIdBlockIdFlagsTEMP��݆��@:[%�ŉD��Y���D�	EventDataA��7�oDataK�NameStatus
A��A�oData)K�NameRunsClaimed
A��=�oData%K�Name	PageCount

0D

`StatusRunsClaimedPageCountTEMP� �'v~�rPx�zx^X
V��rD�	EventDataA��Q�oData9K�NameFreePersistentPages



4,FreePersistentPagesTEMP8<7!�~�Z�]��I)���D�	EventDataA��E�oData-K�Name
ApplicationId
A��9�oData!K�NameBlockId

d

� ApplicationIdBlockIdTEMP���r�e~SV��C.`J����D�	EventDataA��3�oDataK�NameType
A��5�oDataK�NameFlags
A��?�oData'K�Name
BufferSize
��TypeFlagsBufferSizeTEMP$�s4y�[�X���8���D�	EventDataA��;�oData#K�NameDiagCode
A��7�oDataK�NameStatus
��,DiagCodeStatusTEMP�T�E�{�wHX�}u�;G�����D�	EventDataA��7�oDataK�NameStatus
A��;�oData#K�NameDataSize
A��?�oData'K�Name
BufferSize
���StatusDataSizeBufferSizeTEMP�	BRuu��T;CB��w����D�	EventDataA��5�oDataK�NamePhase
A��7�oDataK�NameStatus
�	�	PhaseStatusTEMP�7C�{��S5�o/Q9����D�	EventDataA��7�oDataK�NameStatus
A��Q�oData9K�NameEnableDisableReason
A��=�oData%K�Name	VsmPolicy
P��d��Status,EnableDisableReasonVsmPolicyTEMP��
����ݺB[���C~7���D�	EventDataA��?�oData'K�Name
LowAddress

A��A�oData)K�NameHighAddress

A��=�oData%K�Name	SkipBytes

A��?�oData'K�Name
TotalBytes

A��=�oData%K�Name	CacheType
A��5�oDataK�NameFlags


$
@

Xt�LowAddressHighAddressSkipBytesTotalBytesCacheTypeFlagsTEMP�$�s/��T1X��D>��RD�	EventDataA��1�oDataK�NameMdl
8MdlTEMP�������L�X+I%��n�v��XD�	EventDataA��7�oDataK�NameSecure



�SecureTEMP��
+t�]��K~p���lD�	EventDataA��K�oData3K�NameSoftRestartCount
�(SoftRestartCountTEMPD�i%�O댘\@2���\����D�	EventDataA��K�oData3K�NameSoftRestartCount
A��7�oDataK�NameSecure

�

(SoftRestartCountSecureTEMP�dc��U�@M�Ƒ���D�	EventDataA��G�oData/K�NameSequenceNumber
A��I�oData1K�NameDescriptorCount
A��YZ�ComplexData3K�NameMemoryDescriptor
��8
`

x��$SequenceNumber$DescriptorCount(MemoryDescriptorBasePagePageCountMemoryTypeReservedTEMP�d����Uߔ�镢���jD�	EventDataA��I�oData1K�NameDescriptorCount
x$DescriptorCountTEMP�w���0b�Y�G�N��}V���D�	EventDataA��7�oDataK�NameStatus
A��=�oData%K�Name	PageCount

A��?�oData'K�Name
MemoryType
A��?�oData'K�Name
Attributes
A��?�oData'K�Name
LowAddress

A��A�oData)K�NameHighAddress



,H
d
�StatusPageCountMemoryTypeAttributesLowAddressHighAddressTEMP��5��?U�N><�E����BD�	EventDataA��7�oDataK�NameStatus
A��=�oData%K�Name	PageCount

A��?�oData'K�Name
MemoryType
A��?�oData'K�Name
Attributes
A��?�oData'K�Name
LowAddress

A��A�oData)K�NameHighAddress

A��=�oData%K�Name	Alignment
A��A�oData)K�NameProximityId
�

���

4PhStatusPageCountMemoryTypeAttributesLowAddressHighAddressAlignmentProximityIdTEMP���/��TR��w���^D�	EventDataA��=�oData%K�Name	StartTime
,StartTimeTEMPP�)5�H7^A����d����D�	EventDataTEMPP�)5�H7^A����d����D�	EventDataTEMP��6��t�X�S.�NW����D�	EventDataA��?�oData'K�Name
RangeCount

A��=�oData%K�Name	PageCount

A��Y�oDataAK�NameMarkedAsBadRegularPages

A��Y�oDataAK�NameMarkedAsBadIoSpacePages

A��I�oData1K�NameMarkErrorsCount



0 

L 

d 

� 

� RangeCountPageCount4MarkedAsBadRegularPages4MarkedAsBadIoSpacePages$MarkErrorsCountTEMP`#8�^�Q2I�w+�*���D�	EventDataA��?�oData'K�Name
Identifier
A��A�oData)K�NamePartitionId
A��Q�oData9K�NameAllocatedBlockCount

A��M�oData5K�NameAllocatedRunCount

A��O�oData7K�NameAllocatedPageCount

A��7�oDataK�NameStatus
�#�#

�#

�#

$<$IdentifierPartitionId,AllocatedBlockCount(AllocatedRunCount,AllocatedPageCountStatusTEMP<,%w)ϻ�6^lV���Aw����D�	EventDataA��?�oData'K�Name
Identifier
A��A�oData)K�NamePartitionId
T%p%IdentifierPartitionIdTEMP��'�hl��N�Y&���hQO
���D�	EventDataA��?�oData'K�Name
Identifier
A��O�oData7K�NamePartitionPageCount

A��Q�oData9K�NameAllocatedBlockCount

A��M�oData5K�NameAllocatedRunCount

A��O�oData7K�NameAllocatedPageCount

A��7�oDataK�NameStatus
0(

L(

x(

�(

�(�(Identifier,PartitionPageCount,AllocatedBlockCount(AllocatedRunCount,AllocatedPageCountStatusTEMP�4*��޺�Vx�BDX|���D�	EventDataA��?�oData'K�Name
Identifier
A��O�oData7K�NamePartitionPageCount

A��7�oDataK�NameStatus
p*

�*�*Identifier,PartitionPageCountStatusTEMPl�/R�;��RP˭���ث]���D�	EventDataA��?�oData'K�Name
Identifier
A��7�oDataK�NameStatus
A��?�oData'K�Name
NameLength
A��E�oData-K�Name
PartitoinName
A��K�oData3K�NameMemoryRangeCount
A��G�oData/K�NameMemorPageCount

A��M�oData5K�NameIoSpaceRangeCount
A��K�oData3K�NameIoSpacePageCount

A��]�oDataEK�NameAllocatedMemoryBlockCount

A��Y�oDataAK�NameAllocatedMemoryRunCount
	
A��[�oDataCK�NameAllocatedMemoryPageCount

A��_�oDataGK�NameAllocatedIoSpaceBlockCount

A��[�oDataCK�NameAllocatedIoSpaceRunCount

A��]�oDataEK�NameAllocatedIoSpacePageCount


�0�01,1L1

t1�1

�1

�1

 2

T2

�2

�2

3IdentifierStatusNameLength PartitoinName(MemoryRangeCount$MemorPageCount(IoSpaceRangeCount(IoSpacePageCount8AllocatedMemoryBlockCount4AllocatedMemoryRunCount8AllocatedMemoryPageCount<AllocatedIoSpaceBlockCount8AllocatedIoSpaceRunCount8AllocatedIoSpacePageCountTEMP,4d�i�dl�YUY�O�S����D�	EventDataA��?�oData'K�Name
Identifier
A��7�oDataK�NameStatus
44P4IdentifierStatusTEMP��4��*)�R�#����.��`D�	EventDataA��?�oData'K�Name
Identifier
5IdentifierTEMP $7��o�L)�^*�v��w�����D�	EventDataA��?�oData'K�Name
Identifier
A��;�oData#K�NameRunCount
A��=�oData%K�Name	PageCount

A��7�oDataK�NameStatus
A��Q�oData9K�NamePartitionNameLength
A��E�oData-K�Name
PartitionName
�7�7

�7�7�7(8IdentifierRunCountPageCountStatus,PartitionNameLength PartitionNameTEMP8�:�1�"�S�XQ�ڥ6��jD�	EventDataA��?�oData'K�Name
Identifier
A��;�oData#K�NameRunCount
A��=�oData%K�Name	PageCount

A��I�oData1K�NameIoSpaceRunCount
A��K�oData3K�NameIoSpacePageCount

A��7�oDataK�NameStatus
A��Q�oData9K�NamePartitionNameLength
A��E�oData-K�Name
PartitionName
�;�;

�;�;

�; <4<`<IdentifierRunCountPageCount$IoSpaceRunCount(IoSpacePageCountStatus,PartitionNameLength PartitionNameTEMP��=09Q���S�����K&����D�	EventDataA��7�oDataK�NameStatus
A��?�oData'K�Name
ActualSize
A��C�oData+K�NameExpectedSize
�=�=>StatusActualSize ExpectedSizeTEMP|?]�ÊľP�^��/v��� D�	EventDataA��7�oDataK�NameStatus
A��?�oData'K�Name
ActualSize
A��C�oData+K�NameExpectedSize
A��1�oDataK�NameVtl
�?�?�?@StatusActualSize ExpectedSizeVtlTEMP�DA�D RUW8Sҍ�Ƶ����D�	EventDataA��A�oData)K�NamePartitionId
A��;�oData#K�NameRunCount
A��=�oData%K�Name	PageCount

�A�A

�APartitionIdRunCountPageCountTEMP$4C�"��}f_�R��lhH��4D�	EventDataA��A�oData)K�NamePartitionId
A��;�oData#K�NameRunCount
A��=�oData%K�Name	PageCount

A��E�oData-K�Name
IoSpaceMemory

�C�C

�C

�CPartitionIdRunCountPageCount IoSpaceMemoryTEMP��EWt�ȒIOZ���u�_N��xD�	EventDataA��A�oData)K�NamePartitionId
A��;�oData#K�NameRunCount

A��=�oData%K�Name	PageCount

A��E�oData-K�Name
IoSpaceMemory

A��=�oData%K�Name	Allocated

F

F

4F

LF

lFPartitionIdRunCountPageCount IoSpaceMemoryAllocatedTEMP,XG�{cZ(�uZ,K�37J2���D�	EventDataA��;�oData#K�NameBasePage

A��=�oData%K�Name	PageCount


�G

�GBasePagePageCountTEMP��H���HZ>�^�3Gjk�X���D�	EventDataA��A�oData)K�NameCommandCode
A��C�oData+K�NameResponseCode
A��S�oData;K�NameResponseMilliseconds

(IDI

dICommandCode ResponseCode0ResponseMillisecondsTEMP��K;��{�R�^�
r%ʫ���*D�	EventDataA��A�oData)K�NameCommandCode
A��C�oData+K�NameResponseCode
A��S�oData;K�NameResponseMilliseconds

A��A�oData)K�NameCommandSize
A��A�oData)K�NameCommandData
A��C�oData+K�NameResponseSize
A��C�oData+K�NameResponseData
�L�L

�L�LM$MDMCommandCode ResponseCode0ResponseMillisecondsCommandSizeCommandData ResponseSize ResponseDataTEMP��N
��.�m�Z��z;l���D�	EventDataA��A�oData)K�NameCommandCode
A��=�oData%K�Name	ErrorCode
A��S�oData;K�NameResponseMilliseconds

�N�N

OCommandCodeErrorCode0ResponseMillisecondsTEMP��P�ecv�U�U���'*l}���D�	EventDataA��A�oData)K�NameCommandCode
A��=�oData%K�Name	ErrorCode
A��S�oData;K�NameResponseMilliseconds

A��A�oData)K�NameCommandSize
A��A�oData)K�NameCommandData
`Q|Q

�Q�Q�QCommandCodeErrorCode0ResponseMillisecondsCommandSizeCommandDataTEMP��RVC��SR�s�ġ����pD�	EventDataA��O�oData7K�NameFveGlobalDataFlags
�R,FveGlobalDataFlagsTEMP DT_�2Y�?B�8��.D�	EventDataA��?�oData'K�Name
VendorGuid
A��C�oData+K�NameVariableName
A��?�oData'K�Name
Attributes
A��7�oDataK�NameStatus
�T�T�T�TVendorGuid VariableNameAttributesStatusTEMP��U�~�w
�^�ڴl�����dD�	EventDataA��C�oData+K�NameTxtErrorCode
�U TxtErrorCodeTEMP�Vt�0w�@Wf�#t�cg���D�	EventDataA��3�oDataK�NameBase

A��3�oDataK�NameSize


�V
�VBaseSizeTEMP�pW�Mp�dnT!+���3���dD�	EventDataA��C�oData+K�NameBiosDataSize



�W BiosDataSizeTEMPt�Xn�p�;�WN=���"���D�	EventDataA��O�oData7K�NameAcmMinMleHeaderVer
A��K�oData3K�NameMleHeaderVersion
�X�X,AcmMinMleHeaderVer(MleHeaderVersionTEMP��Z U�)%�KQ�����"����D�	EventDataA��?�oData'K�Name
PmrLowBase

A��?�oData'K�Name
PmrLowSize

A��A�oData)K�NamePmrHighBase

A��A�oData)K�NamePmrHighSize

A��Q�oData9K�NameFirmwareProvidedAcm



@[

\[

x[

�[

�[PmrLowBasePmrLowSizePmrHighBasePmrHighSize,FirmwareProvidedAcmTEMP0]�]�)A�_s`C�Af�� D�	EventDataA��M�oData5K�NameGetCapabilityTime

A��K�oData3K�NameGetResourcesTime

A��Y�oDataAK�NameResourcesValidationTime



l]

�]

�](GetCapabilityTime(GetResourcesTime4ResourcesValidationTimeTEMP��^�Gg�`6XRN�r��HJ��^D�	EventDataA��=�oData%K�Name	TxtStatus
���^TxtStatusTEMP��_ݞ���s\k�rT�O���D�	EventDataA��5�oDataK�NamePhase
A��?�oData'K�Name
StatusCode
A��K�oData3K�NameEnvironmentState
` `<`PhaseStatusCode(EnvironmentStateTEMP�$b���05R���c'K3����D�	EventDataA��=�oData%K�Name	InitState
A��?�oData'K�Name
StatusCode
A��G�oData/K�NameFailureAddress

A��K�oData3K�NameReferenceAddress

A��?�oData'K�Name
ReasonCode
�b�b
�b
�bcInitStateStatusCode$FailureAddress(ReferenceAddressReasonCodeTEMP0�d��KknT׉�&�:���6D�	EventDataA��C�oData+K�NameSvnCounterId
A��?�oData'K�Name
StatusCode
A��;�oData#K�NameSvnValue
A��C�oData+K�NamePrevSvnValue
�dee4e SvnCounterIdStatusCodeSvnValue PrevSvnValueTEMP<0f�X�@EJ�Q8A�%�)2����D�	EventDataA��;�oData#K�NameSvnValue
A��C�oData+K�NamePrevSvnValue
XfpfSvnValue PrevSvnValueTEMP�(g��	͓^����؟����bD�	EventDataA��A�oData)K�NameSinitTimeMs



<gSinitTimeMsTEMP40h9s��B�V݇���0,���D�	EventDataA��?�oData'K�Name
StatusCode
A��;�oData#K�NamePosition
XhthStatusCodePositionTEMP��ip�5�g�\3�����W���D�	EventDataA��?�oData'K�Name
AcmDateDay
A��C�oData+K�NameAcmDateMonth
A��A�oData)K�NameAcmDateYear
�ij,jAcmDateDay AcmDateMonthAcmDateYearTEMP��j�<��m�]l���8�����rD�	EventDataA��Q�oData9K�NameAcmInfoTableVersion
k,AcmInfoTableVersionTEMP��k�Gg�`6XRN�r��HJ��^D�	EventDataA��=�oData%K�Name	TxtStatus
���kTxtStatusTEMP�mA���!_��	��XY���D�	EventDataA��=�oData%K�Name	TxtStatus
A��;�oData#K�NameInstance

A��7�oDataK�NameStatus

��@m

Xm

pmTxtStatusInstanceStatusTEMP�n	�`a��R~\�rY���`D�	EventDataA��?�oData'K�Name
PpamStatus
@�,nPpamStatusTEMP�o7�@��ir\��hZc�a��.D�	EventDataA��=�oData%K�Name	TxtStatus
A��A�oData)K�NamePolicyLevel
A��=�oData%K�Name	Argument1

A��=�oData%K�Name	Argument2

���op

0p

HpTxtStatusPolicyLevelArgument1Argument2TEMPr^p%`�$^U��l�T�?���D�	EventDataA��5�oDataK�NamePhase
A��7�oDataK�NameStatus
A��5�oDataK�NameTries
A��Q�oData9K�NameRemainingNodesCount
A��UZ�ComplexData/K�NameRemainingNodes
��r�r�r�rs(sDsPhaseStatusTries,RemainingNodesCount$RemainingNodesNodeNumber$RemainingRangesTEMP<DtYTɁ���T����H���D�	EventDataA��K�oData3K�NameAllocatedRegions
A��5�oDataK�NameTries
lt�t(AllocatedRegionsTriesTEMP$tu�-��Dz[*��$������D�	EventDataA��?�oData'K�Name
PathLength
A��3�oDataK�NamePath
�u�uPathLengthPathTEMP�`v[�C4VZ��ss�	���bD�	EventDataA��A�oData)K�NameTryComplete



tvTryCompleteTEMP��w�[��b��Q�,]��U�����D�	EventDataA��;�oData#K�NameFunction
A��7�oDataK�NameStatus
A��?�oData'K�Name
Checkpoint
�w�wxFunctionStatusCheckpointTEMP<y�H-"��m^�&��O�����D�	EventDataA��G�oData/K�NameDebuggerStatus
A��7�oDataK�NameStatus
t�,yPy$DebuggerStatusStatusTEMPP�y)5�H7^A����d����D�	EventDataTEMP|z�.p�U��[t��MJ�����D�	EventDataA��9�oData!K�NameKeyType
A��3�oDataK�NameCode
�z�zKeyTypeCodeTEMPL�{���<Q���<�����D�	EventDataA��E�oData-K�Name
DisableReason
A��C�oData+K�NameTcgLogStatus
�{�{ DisableReason TcgLogStatusTEMP4�|x_T��U�]�x����D�	EventDataA��7�oDataK�NameStatus
A��C�oData+K�NameFailurePoint
}(}Status FailurePointTEMP��}�i{�0W'D�d�����dD�	EventDataA��C�oData+K�NameMirrorStatus
�} MirrorStatusTEMP��~��X4��rXr�.;�a���lD�	EventDataA��K�oData3K�NameMirrorPercentage
�~(MirrorPercentageTEMPd��M�L3�$\�G��̚����D�	EventDataA��I�oData1K�NameEfiTimeZoneBias
A��K�oData3K�NameEfiDaylightFlags
�,�$EfiTimeZoneBias(EfiDaylightFlagsTEMP����jt�t΀V�D(	z����D�	EventDataA��I�oData1K�NameEfiTimeZoneBias
A��K�oData3K�NameEfiDaylightFlags
A��9�oData!K�NameEfiTime
����$EfiTimeZoneBias(EfiDaylightFlagsEfiTimeTEMP����Ig���R������>D�	EventDataA��5�oDataK�NamePages

A��?�oData'K�Name
MemoryType
A��?�oData'K�Name
Attributes
A��=�oData%K�Name	Alignment
A��7�oDataK�NameStatus
A��C�oData+K�NameRangeMinimum

A��C�oData+K�NameRangeMaximum

A��?�oData'K�Name
RangeFlags


4�D�`�|���

��

ȅ�PagesMemoryTypeAttributesAlignmentStatus RangeMinimum RangeMaximumRangeFlagsTEMP����~f{��U�/��HXۂ��hD�	EventDataA��G�oData/K�NameIsolationLevel
��$IsolationLevelTEMP�l���*)�R�#����.��`D�	EventDataA��?�oData'K�Name
Identifier
��IdentifierTEMP,p�d�i�dl�YUY�O�S����D�	EventDataA��?�oData'K�Name
Identifier
A��7�oDataK�NameStatus
����IdentifierStatusTEMP4��w�E���S��
������D�	EventDataA��7�oDataK�NameStatus
A��E�oData-K�Name
FailureReason
ȉ�܉Status FailureReasonTEMPȊ��Uo7z�]#�͠H���D�	EventDataA��7�oDataK�NameSource
A��7�oDataK�NameStatus
��SourceStatusTEMP���������S�U���&��hD�	EventDataA��G�oData/K�NameAmdSlErrorCode
ȋ$AmdSlErrorCodeTEMP�����qk�P%Y�i0���c���D�	EventDataA��7�oDataK�NameModule
A��;�oData#K�NameFunction
A��7�oDataK�NameStatus
4�H�`�ModuleFunctionStatusTEMPЎ!o'\KuZTf�lN�	@��(D�	EventDataA��=�oData%K�Name	PageCount

A��7�oDataK�NameStatus
A��?�oData'K�Name
MemoryType
A��?�oData'K�Name
Attributes


 �8�L�h�PageCountStatusMemoryTypeAttributesTEMPDd�$ɿ��[�NA�6z����D�	EventDataA��K�oData3K�NameInformationClass
A��7�oDataK�NameStatus
����(InformationClassStatusTEMPH@��J��;:Ri_0�5��BD�	EventDataA��C�oData+K�NameFailurePoint
A��7�oDataK�NameStatus
A��O�oData7K�NameHotPatchPathLength
A��C�oData+K�NameHotPatchPath
����Ē� FailurePointStatus,HotPatchPathLength HotPatchPathTEMP,�0W����]}���a@.���D�	EventDataA��?�oData'K�Name
ModulePath
A��7�oDataK�NameStatus
�(�ModulePathStatusTEMPt4��q�t܂_��ј�����D�	EventDataA��K�oData3K�NameHostDumpFileName
A��O�oData7K�NameTargetDumpFileName
\���(HostDumpFileName,TargetDumpFileNameTEMPx�����>{K^��#�!x����D�	EventDataA��U�oData=K�NameApplicationIdentifier
A��I�oData1K�NameEventsLostCount
Ԗ�0ApplicationIdentifier$EventsLostCountTEMP�8�,˜qz�X��򟏙���D�	EventDataA��;�oData#K�NameFunction
A��5�oDataK�NamePoint
A��;�oData#K�NameNTStatus
t�����FunctionPointNTStatusTEMP4��~�����\�����m����D�	EventDataA��=�oData%K�Name	BcdOption
A��?�oData'K�Name
BcdElement
$���̙BcdOptionBcdElementTEMP�x��Py��TU��R�RM���ZD�	EventDataA��9�oData!K�NameVersion
��VersionTEMP�p�=���h�X.��nO� ���D�	EventDataA��E�oData-K�Name
RangeAltitude
A��E�oData-K�Name
RangeEndpoint
A��9�oData!K�NameAddress

A��G�oData/K�NameAlignedAddress

A��S�oData;K�NameOverlappedMemoryType
��Ԝ���
�
(�L� RangeAltitude RangeEndpointAddress$AlignedAddress0OverlappedMemoryTypeTEMP(�W��,�FTTϞ*,H�H��4D�	EventDataA��7�oDataK�NameStatus
A��C�oData+K�NameFailurePoint
A��K�oData3K�NameUpdateStatusEnum
A��9�oData!K�NameFwLevel
4�H�`�h���Status FailurePoint(UpdateStatusEnumFwLevelTEMPH�n� ��{U�H��;��BD�	EventDataA��K�oData3K�NameLoadedBootAppSvn
A��O�oData7K�NameEnforcedBootAppSvn
A��7�oDataK�NameStatus
A��;�oData#K�NameFileName
l�����ԡ(LoadedBootAppSvn,EnforcedBootAppSvnStatusFileNameTEMP�|�>c'�޽XS떂7�r���\D�	EventDataA��;�oData#K�NameNTStatus
��NTStatusPRVAP��Microsoft-Windows-Kernel-BootOPCO�?1��2�2(�����@�H����p�L������N������O����ئX�����Y�����_����(�`����`�c����x�d������f������n����ܧq�����}����<�~����d�������H������L����ܨN�����X����0�Y����P�`����x�c������d������q����ԩ}�����
����,�L
����<�N
����l�Y
������q
������L����ܪN�����q����,�L����\�q������L������q����ЫL�����q����$�L����\�q������L������L������L���� �L����H�L����p�L������L����ȭL�����L����(�L����D�L����d�L������L������L ����ܮL!�����L"����,�L%����T�win:Infowin:Startwin:Stop0InitializationFailure$GetEfiVariable(TxtLaunchPreparedInitStatusOpenFailureBdEnabledAllocation8ListInitializationFailureKdEnabledTpmInit NotSupported0BlMmAllocationFailure0HotPatchApplyFailure0GetDriverListFailure(SbatUpdateSuccess$BootAppRevoked0MeasurementsDisabled$SetEfiVariable(PreviousTxtError,EnterInsecureState BdInitFailure(AllocationFailure KdInitFailure(PlutonLoadFailureEnabled0BuildImagePathFailure(SbatUpdateFailureVeto0InvalidTxtSinitRange DrtmSvnCheck(EnumerateFailure(LoadModuleFailure,InvalidTxtHeapRange$BootmgrSvnCheck0EarlyDumpNotSupported$MleLoadFailure(EarlyDumpDisabled(MissingRsdpTable8QueryEarlyDumpInitFailureNoSinitAcm8QueryDumpFileNameFailure4ComputePmrRangesFailure0DumpFileNameMismatch<InvalidTxtHeapBiosDataSize$MleHeaderTooOld(SinitPerformance(PrepareLcpFailure4TxtRejectedFirmwareAcm$TxtInformation(DrtmNotSupported8DrtmDriversNotSupportVbsPpamFailure SmmLevelCheck SmmIsolation,TxtSmmIsolationPerf,PreviousAmdSlError(TprSetupRequested(PpamManifestInfo(AcmInfoTableInfo8DmaProtectedRangeAdjustedLEVL�P��PԯP�win:Errorwin:Warning(win:InformationalTASK,!x����D�����l�����������������ܽ����������,�����X�	������
����������������
����<�����\���������������������������X�����t��������������������������������T��������������������������� � ����H�!����l�"������#������$������%�����&����0�'����d�(������)������*�����+����$�,����P�-����|�.������/������0�����1����<�2����p�3������4������5������6�����7����4�8����`�9������:������;������<�����=����,�>����\�?������@������A������B�����C����<�D����h�E������F������G������H������I���� �J����T�K����x�L������M������N������O�����P�����Q����D�R����|�S������T������U�����V����<�W����X�X����|�Y������Z������[������\����4�]����p�^������_������`������a�����b����\�c������d������e������f�����g����,�h����\�i������j������k������l�����m����X�n������o������p������q������r����$�s����H�t����h�u������}������~������������(InitializeLibrary PrepareTarget4RebuildKernelMemoryMapFatalError PersistMemory0ClaimPersistedMemory,FreePersistedMemory,CleanupPageDatabaseCancelBoot@AttachPersistentPageDatabase,MemoryBlockRundown0BuildKernelMemoryMap GetMemoryMap<AllocatePhysicalPagesForMdl(ExecuteTransition0DisconnectHypervisor(MemoryMapRundown@PhysicalPageAllocationFailureBootManagerPreBoot(FirmwareBootDataLoadDriversLoadHive8BootApplicationExecution8WaitForPartitionsRestored4MemoryPartitionRestore4PersistMemoryPartition$RegisterLoader$SiPolicyFailureBootTotalIo(DirtyBootShutdown$BootMenuPolicyBootType8MemoryPartitionsRestored$QueryStatistics,ConnectSecureLoader$BootFileAccess4RetrieveDriverListTime8FreePersistedMemoryBlock,PrepareNotification8PartitionInitialAddMemory$ImageHashCheck,ImageIntegrityCheck,BootPolicyMigration,RemoveEnclavePages0EnumerateEnclavePages0GetFirmwareBootDevice4NormalizeBootOptionList4CreateLibraryParameters CreateDevices8SoftRestartHostCapability,CancelNotificationBootDiag(ImageLoadFailure,FirmwareResolution(BootEnvResolution(BootmgrEntryCount UserInputTime8VsmIdkProvisioningStatus$BootAppLoadTime0PrepareTargetFailure,VsmPolicyEnablement@InitializeMeasurementContext$KsrMeasurement$TpmMeasurement,CloseMeasurementLog,CommitPendingEventsCapTpmPcr,TpmCommandResponse$TpmSubmitError(TpmBitLockerUsage(EfiVariableAccess4GetFirmwareInformation$VerifyBootEntry(InvalidNfitTable$MeasuredLaunch,EFICapsuleCreationBootSIFileOpen(VsmPolicyFailure8VsmLKeyProvisioningStatus4SecureBootVariableUsage4MiniFilterStartFailure(FileModification0RegistryModificationSoftReboot$RegisterFilter BootDebugger IoSpaceMemory(FinalizeMemoryMapPRegisterHvloaderPersistenceInterface<LoadHvloaderForPersistence0VsmBootNoSecretsMode0BootMenuTimerCanceled$BadMemoryPages$KernelDebuggerDMemoryPartitionFreeUnusedMemory<MemoryPartitionRestoreStatsBootTpm$MemoryMirroring4EfiTimeZoneInformation(MemoryAllocation0FinalizeNotification(PersistBcdFailure8UnpersistMemoryPartition,BindImportsFailure0SlabAllocationFailure@QuerySystemInformationFailure0BootmgrBltDisplayMenuHotPatch0GetPerformanceOptions$SnapshotPolicy0LoadEarlyDumpSupport$BootEventsLost BootBcdLoaded0SecureBootMitigations4QueryMemdiskInformationSbatUpdate(BootAppRevocation4ApiSetSchemaCompositionKEYW�
���� �����<�����h������������� ������@���������(�����L� ����|�@�������������4��SoftRestart,MemoryPreservation,MemoryBlockRundown$PhysicalMemory(MemoryMapRundown(MemoryPartitions EfiVariables$LOG_TO_BOOTSTAT0ms:ReservedKeyword40 ms:Telemetryms:Measures$ms:CriticalDatawin:SQMEVNT(97@�����l�8@����(�l�@�����l�%@�H����l� @����P��	l�+(@���������	l� @�̩����	l�*(@���������	l�	 @�T����	l�
 �
����	\�@�t���8�l�R@�H����l�
 @�����	l�@�(���l�@�ܴ��l������\��ܶ���	\�� ���\�9�p���D�\��4���\������l�\��T���l�\������\������\��ؾ��\��(���\� �x�����\��L����	\�!�������\�!�X�����\����������	�����\��ܶ��
\������T�\�@�����l� :� l���`�\�!(@!�`���
l�"(@"�����
l�#( #����
|�$@$�����l�%(@%�����
l�&6( &�����$
|�'  '�����,
|�(  (�����0
|�)  )�����4
|�*( *�@���8
|�+ +�����@
|�, ,�@���D
|�-; -�@���|�|�.&@�����0�l�/@�����p�l�0@�������l�1 1�P���4�|�2Q 2�x����|�2Q 2������|�2Q 2�����|�3Q 3�x����|�3Q 3������|�3Q 3�����|�4<@�������l�5@�L�����l�6@�����l�7=@������l�8@�@���H
l�9 9�����|�: :�T���|�; ;�����|�<K <����<�|�=L@����Y@���X�L
l�>L >�U���X�P
|�?
L@�����Ux���X�T
l�@L@�����U����X�X
l�AL@����@�̤��X�\
l�BL@����@����X�`
l�CL@����@�����X�d
l�DL@�����V,���X�h
l�EL@�����W8���X�l
l�FL@����@����X�p
l�GO����`�X�����HL@����@�P���X�t
l�IL I��]\���X�|�JQ J������|�JQ J�x����|�KQ K������|�KQ K�x����|�LX����d�����MX����(x�����N`����(x0�����O`����������PQ P������|�Q Q���|�R5 R�(���Եx
|�SQ S��)���|�TQ T�D���|�UQ U��Y���|�VQ V��s���|�WQ W������|�XQ X�T����|�YQ Y�p����|�ZQ Z�8����|�[Q [������|�\%L@���������X�l�d�������$�|
d����D���$��
e����@����$��
f�������@��
f��������@��
f��������@��
g����@����@��
h��������\��
i����@����\��
j������������
k������������
l����@����x��
m�����������
n����@������
o��������̰�
p����@����̰�
q����D�������
r�����������
s	�sx�����
\�t	�t@������
\�u
������� ��
v
����@���� ��
w����`���<��
x�������X��
y����@����X��
z
��������t��
{
����@���t��
|PH�|���ȸ�
\�~	����������	�����������������������������ȱ������������������ ����������$�	 ���������(|��	 ���������0|���������Ĳ8��������Ĳ<� ��������@|�� �������H|������P$����P������%����X�����)����`������*����h� ��83����p|������d4�����x�����(5�����������H8������� ���<�����|�� ��(>�����|��"����@��������#�������ܳ��#����@����ܳ��$ ��@�������|��'����t����L���'����@����L���(�������h���(����@����h���(���������h���) ����(@�������) �����A�������) �����C�������) ����@��������>���	��ж\��, ��@����ش|��, ��@����ش|�����	��\��5����Ե��5 ����Ե�|��-�����F������4����@��������4����@��������/ ����@����,��|��0 ����@����H��|��1 ����@����d��|�� ����@����$��|��2 ����@�������|��3 ����@�������|��. ����@������|��? ����@�����|��? ����|(����|��@ ��@�����|��A ��@����$�|��B ��@����@�|��C ����@����\�|��D ����@����x�|��D ����@����x�|�� ����@����$� |��H@�����R4����$�H@�����R����(�I ����@�����,|��J ����@���� �0|��W ��@������4|��
Y ����@�����Ĺ8|��_ ����@�|���l�<|��?�����z����@�h ��@���h�D|��u ��@����ԼH|��E@���G�����l��E@���I�����l��F ��dM�����L|��F ��8O�����P|��G@���Q���̷l��M�������t�T�M����@����t�X�N@���^L�����l��N ��d`�����\|��
N ��$c������|��L ���fD���X�|��S ����@�����`|��T@���t���8�dl��U@���t���T�hl��V���u���p�l\��V��@����p�p\��V�����p�t\��V��@����p�x\��V���v��p�|\��L ���hh���X�|��L ��0kt���X�|��L������X�\��L���k����X�\��Y ����`p$���Ĺ|��Y ����hsp���Ĺ|��] ��dy���4�|��Z����������Z����������Z����@�������[����@��������\����@�������^ ���y���P��|��a����D�������a������������a������������b����� �������c ��Xg����ܺ�|��L ��Hn����X�|��d ��H}������|��e����~����\��e��T�����\��f@���� �����0�l��g�������L���g����@����L���g���������L���L�������X�\��d ��~H�����|��L@�����[����X�l��i����؆�������i�������������c��Ȉ<���ܺ\��L ��������X��|��L �������X��|��j �����������|��k ����t������|��l ��������ػ�|��m ������|��n ��Ȑ������|��o����@���,���p����@���H�����\�q ��T���d�|�
q ������d�|�q ����d�|�q �����d�|�
( ���l���h�|�
g ���l���L�|�q �ؤ��d�|�q �@����d�|�	q 	�@����d�|�
q 
�<� ���d�|�q �@�ģ��d�|�r ��������|�
5 R�(���Ե�|�s ������|� L �ȥ��X��|�!L��mԥ��X�\�t �������|�N�Te������
\�"L �Hj���X�|�t ������|�t ������|�#}  #�|�У���
|�$}  $�|�`����
|�'~( '���ܣ���
|�8� 8����(�
|��������������������������������������������������������������������������������������P�P�P�P�P�P�P�P�P�`�`�P�`�P�`�P�`�`�`�`�`�P�P�P�`�P�`�p�P�P�P�P�����P���P���P�P�������P���P���P�P�P�`�P�`�P�`�P�`�P�`�P�`�P�`�P�`�P�`�P�`�P�P�P�`�P�P�P�`�`�P�P�P�������������`�P�P�P�P�P�P�P�P�P�P�P�P�P�P�P�P�P�P�����P�P�P�P�P�P�P�P�����P�P���P�P�P�P�P�P�P�P�`�P�P�P�P�P���P�`�P�`�P�`�P�`���P�P�P�P�`�P�`�����P�P���P�P�����������������WEVT�; h
�

�6H7x7�7�<�?CHANp�
����TMicrosoft-Windows-Kernel-File/AnalyticTTBL )TEMP����[�xdS�2iY���
��D�	EventDataA��1�oDataK�NameIrp
A��;�oData#K�NameThreadId
A��?�oData'K�Name
FileObject
A��E�oData-K�Name
CreateOptions
A��K�oData3K�NameCreateAttributes
A��A�oData)K�NameShareAccess
A��;�oData#K�NameFileName
����0LIrpThreadIdFileObject CreateOptions(CreateAttributesShareAccessFileNameTEMP8x>���_Ql%x�t%����D�	EventDataA��?�oData'K�Name
ByteOffset

A��1�oDataK�NameIrp
A��;�oData#K�NameThreadId
A��?�oData'K�Name
FileObject
A��9�oData!K�NameFileKey
A��7�oDataK�NameIOSize
A��9�oData!K�NameIOFlags

 ,D`t�ByteOffsetIrpThreadIdFileObjectFileKeyIOSizeIOFlagsTEMP��a��RR!Y�-�%���D�	EventDataA��1�oDataK�NameIrp
A��;�oData#K�NameThreadId
A��?�oData'K�Name
FileObject
A��9�oData!K�NameFileKey
A��K�oData3K�NameExtraInformation
A��=�oData%K�Name	InfoClass
�8LtIrpThreadIdFileObjectFileKey(ExtraInformationInfoClassTEMP`�����RXZ��t�K�Ł���D�	EventDataA��1�oDataK�NameIrp
A��;�oData#K�NameThreadId
A��?�oData'K�Name
FileObject
A��9�oData!K�NameFileKey
A��K�oData3K�NameExtraInformation
A��=�oData%K�Name	InfoClass
A��;�oData#K�NameFilePath
@Ld����IrpThreadIdFileObjectFileKey(ExtraInformationInfoClassFilePathTEMP�D9�k���R�BC�K&���"D�	EventDataA��1�oDataK�NameIrp
A��;�oData#K�NameThreadId
A��?�oData'K�Name
FileObject
A��9�oData!K�NameFileKey
A��7�oDataK�NameLength
A��=�oData%K�Name	InfoClass
A��=�oData%K�Name	FileIndex
A��;�oData#K�NameFileName
��$8Ld|IrpThreadIdFileObjectFileKeyLengthInfoClassFileIndexFileNameTEMP��[��ҟ�hQou����D�	EventDataA��1�oDataK�NameIrp
A��;�oData#K�NameThreadId
A��?�oData'K�Name
FileObject
A��9�oData!K�NameFileKey
4 @ X t IrpThreadIdFileObjectFileKeyTEMP��"�ԋR�W�!ssx��D�	EventDataA��1�oDataK�NameIrp
A��?�oData'K�Name
FileObject
A��I�oData1K�NameIssuingThreadId
A��E�oData-K�Name
CreateOptions
A��K�oData3K�NameCreateAttributes
A��A�oData)K�NameShareAccess
A��;�oData#K�NameFileName
X#d#�#�#�#�#$IrpFileObject$IssuingThreadId CreateOptions(CreateAttributesShareAccessFileNameTEMP��&ު��N[�^�kљ9و���2D�	EventDataA��?�oData'K�Name
ByteOffset

A��1�oDataK�NameIrp
A��?�oData'K�Name
FileObject
A��9�oData!K�NameFileKey
A��I�oData1K�NameIssuingThreadId
A��7�oDataK�NameIOSize
A��9�oData!K�NameIOFlags
A��?�oData'K�Name
ExtraFlags

('D'P'l'�'�'�'�'ByteOffsetIrpFileObjectFileKey$IssuingThreadIdIOSizeIOFlagsExtraFlagsTEMP�)�ty��:[�PW�<����D�	EventDataA��1�oDataK�NameIrp
A��?�oData'K�Name
FileObject
A��9�oData!K�NameFileKey
A��K�oData3K�NameExtraInformation
A��I�oData1K�NameIssuingThreadId
A��=�oData%K�Name	InfoClass
T*`*|*�*�*�*IrpFileObjectFileKey(ExtraInformation$IssuingThreadIdInfoClassTEMPx(-�Z�Q��	U�K�n?�,��D�	EventDataA��1�oDataK�NameIrp
A��?�oData'K�Name
FileObject
A��9�oData!K�NameFileKey
A��K�oData3K�NameExtraInformation
A��I�oData1K�NameIssuingThreadId
A��=�oData%K�Name	InfoClass
A��;�oData#K�NameFilePath
�-�-�-�-.<.T.IrpFileObjectFileKey(ExtraInformation$IssuingThreadIdInfoClassFilePathTEMP��0t�욷�X_������0D�	EventDataA��1�oDataK�NameIrp
A��?�oData'K�Name
FileObject
A��9�oData!K�NameFileKey
A��I�oData1K�NameIssuingThreadId
A��7�oDataK�NameLength
A��=�oData%K�Name	InfoClass
A��=�oData%K�Name	FileIndex
A��;�oData#K�NameFileName
p1|1�1�1�1�1�12IrpFileObjectFileKey$IssuingThreadIdLengthInfoClassFileIndexFileNameTEMP�3��]�@L,Xӑ�2��\��(D�	EventDataA��1�oDataK�NameIrp
A��?�oData'K�Name
FileObject
A��9�oData!K�NameFileKey
A��I�oData1K�NameIssuingThreadId
�3�344IrpFileObjectFileKey$IssuingThreadIdTEMP�P5��-�IT�S��BD����D�	EventDataA��1�oDataK�NameIrp
A��K�oData3K�NameExtraInformation
A��7�oDataK�NameStatus
�5�5�5Irp(ExtraInformationStatusTEMP$�6��`Ӓ��],��Ӛ����D�	EventDataA��9�oData!K�NameFileKey
A��;�oData#K�NameFileName
�6�6FileKeyFileNamePRVAP7Microsoft-Windows-Kernel-FileOPCO01`7win:InfoLEVL@P�7(win:InformationalTASK$
�����:�����:�����:
�����:�����:�����:����;����;����4;����L;����`;����t;�����;�����;�����;�����;�����;����<����,<����H<����\<����|< �����<!�����<"�����<NameCreateNameDeleteCreateCleanupCloseReadWrite$SetInformationSetDeleteRenameDirEnumFlush(QueryInformationFSCTL OperationEndDirNotifyDeletePathRenamePathSetLinkPathSetLink CreateNewFileSetSecurity QuerySecuritySetEAQueryEAKEYW�	����x= �����=@�����=�����0>����l>�����>�����>���� ?����t?@KERNEL_FILE_KEYWORD_FILENAME<KERNEL_FILE_KEYWORD_FILEIO<KERNEL_FILE_KEYWORD_OP_END<KERNEL_FILE_KEYWORD_CREATE8KERNEL_FILE_KEYWORD_READ8KERNEL_FILE_KEYWORD_WRITEDKERNEL_FILE_KEYWORD_DELETE_PATHTKERNEL_FILE_KEYWORD_RENAME_SETLINK_PATHLKERNEL_FILE_KEYWORD_CREATE_NEW_FILEEVNT�+

������5T7�7�7�Gt
������5T7�7�7�Gt
�������
T7�7�7�Gt
������� T7�7�7�Gt


 ������T7�78�Gt


 �����,2T7�78�Gt
 ������T7�748Ht
 �����,2T7�748Ht
 �����dT7�7P8Ht
 ����� $T7�7P8Ht
 �����dT7�7l8Ht
 ����� $T7�7l8 Ht
 ������T7�7�8(Ht
 ������'T7�7�8,Ht
 ������T7�7�80Ht
 ������'T7�7�84Ht
 ������T7�7�88Ht
 ������'T7�7�8<Ht
 ������T7�7�8@Ht
 �����l.T7�7�8DHt
 ������T7�7�8HHt
 �����,2T7�7�8LHt
 ������T7�79PHt
 ������'T7�79THt
 ������T7�709XHt
 ������'T7�709\Ht
`�����84T7�7L9`Ht
 ������T7�7h9hHt
 �����l.T7�7h9lHt
������T7�7�9pHt
������*T7�7�9tHt
������T7�7�9xHt
������*T7�7�9|Ht
������T7�7�9�Ht
������*T7�7�9�Ht
 ������T7�7�8�Ht
 ������'T7�7�8�Ht
������
T7�7�9�Ht
������ T7�7�9�Ht
 ������'T7�7:�Ht
   ������'T7�7,:�Ht
!! ������'T7�7H:�Ht
"" ������'T7�7d:�Ht
�<�<�<=�<=�<�<�<�<�<(=�<(=�<8=�<8=�<�<�<�<�<�<�<�<�<�<�<�<�<�<�<=�<�<H=H=X=X=X=X=�<�<h=h=�<�<�<�<WEVTp��H�I
|L�L�LxMN8NCHAN�$I�lI�HMicrosoft-Windows-PCI/DiagnosticHMicrosoft-Windows-PCI/OperationalTTBL�TEMP��K������Vy&g"������D�	EventDataA��;�oData#K�NameCategory
A��1�oDataK�NameRid
A��=�oData%K�Name	Secondary
A��A�oData)K�NamePreciseTime

A��1�oDataK�NameQpc

A��9�oData!K�NameMessage
LL(L
@L
\LhLCategoryRidSecondaryPreciseTimeQpcMessagePRVA@�LMicrosoft-Windows-PCIOPCO01�Lwin:InfoLEVL�PMP4MPPMwin:Errorwin:Warning(win:InformationalTASK���M
�����M Task_PCI_Log(AspmErrataRundownKEYW0 NPciDiagEVNT�@��IM�MOI@��IM�MOI@��I�L�MOI

@�����LM�MOINNNNWEVT�-�	pOXP Q
s\s�stxyCHAN��O�����O�\Microsoft-Windows-Kernel-StoreMgr/Analytic`Microsoft-Windows-Kernel-StoreMgr/OperationalMAPS��PlPVMAP$�P��VMAP$�P��4CacheTerminationMsgMap8StoreMgrCorruptPageMsgMapTTBL�!TEMP|�Rw��49�-T��O[T!����lD�	EventDataA��9�oData!K�NameDataKey
A��9�oData!K�NameDataMgr
A��A�oData)K�NameStoreOffset
A��G�oData/K�NameCompressedSize
A��5�oDataK�NameFlags
0SDSXStS�SDataKeyDataMgrStoreOffset$CompressedSizeFlagsTEMP��T��` �U�E3�C�����D�	EventDataA��9�oData!K�NameDataKey
A��9�oData!K�NameDataMgr
A��A�oData)K�NameStoreOffset
�TU$UDataKeyDataMgrStoreOffsetTEMPp
�[�\�6$^x2~�c]
��D�	EventDataA��;�oData#K�NameStoreKey
A��C�oData+K�NameStoreFileKey
A��A�oData)K�NameUserDataMgr
A��A�oData)K�NameMetadataMgr
A��?�oData'K�Name
RegionSize
A��A�oData)K�NameRegionCount
A��=�oData%K�Name	BlockSize
A��?�oData'K�Name
SectorSize
A��O�oData7K�NameEncryptionStrength
A��=�oData%K�Name	StoreType
	A��9�oData!K�NameStoreId
A��C�oData+K�NameBlocksStored
A��C�oData+K�NameRegionsInUse
A��G�oData/K�NameTotalSpaceUsed

A��5�oDataK�NameFlags
A��I�oData1K�NameMetaRegionCount
A��K�oData3K�NameMetaRegionsInUse
A��S�oData;K�NameMetaRegionsSpaceUsed
A��=�oData%K�Name	StoreTime
A��G�oData/K�NameOwnerProcessId
A��A�oData)K�NamePartitionId
4]L]l]�]�]�]�]�]^<^T^h^�^�^�^�^_(_X_p_�_StoreKey StoreFileKeyUserDataMgrMetadataMgrRegionSizeRegionCountBlockSizeSectorSize,EncryptionStrengthStoreTypeStoreId BlocksStored RegionsInUse$TotalSpaceUsedFlags$MetaRegionCount(MetaRegionsInUse0MetaRegionsSpaceUsedStoreTime$OwnerProcessIdPartitionIdTEMP�@`�4�d*�cS�Ս&w)�t��\D�	EventDataA��;�oData#K�NameStoreKey
T`StoreKeyTEMP��b����_Ql6��a� ��D�	EventDataA��9�oData!K�NameDataMgr
A��G�oData/K�NameVirtualAddress
A��I�oData1K�NamePhysicalAddress

A��3�oDataK�NameSize
A��?�oData'K�Name
FileBacked
A��G�oData/K�NameCorruptionType
A��5�oDataK�NameFlags
0cDc
hc�clP�c�c�cDataMgr$VirtualAddress$PhysicalAddressSizeFileBacked$CorruptionTypeFlagsTEMP��e���v�z]���	8XIG��rD�	EventDataA��9�oData!K�NameDataMgr
A��A�oData)K�NameRegionIndex
A��7�oDataK�NameStatus
A��=�oData%K�Name	SpaceUsed
A��G�oData/K�NameLastAccessTime
�ef(f<fTfDataMgrRegionIndexStatusSpaceUsed$LastAccessTimeTEMP@�g�B��ZR�-))��>D�	EventDataA��?�oData'K�Name
FailReason
A��?�oData'K�Name
FailStatus
A��K�oData3K�NameObjectPathLength
A��?�oData'K�Name
ObjectPath
<hXhth�hFailReasonFailStatus(ObjectPathLengthObjectPathTEMP|iKz�?�pY�ޔaB@�d���D�	EventDataA��3�oDataK�NameSize
A��3�oDataK�NameData
�i�iSizeDataTEMPx�j��(߀09S���	6����D�	EventDataA��;�oData#K�NameStoreKey
A��3�oDataK�NameSize
A��3�oDataK�NameData
kk,kStoreKeySizeDataTEMPlR0qTBV��) ���D�	EventDataA��;�oData#K�NameStoreKey
A��5�oDataK�NameParam
0lHlStoreKeyParamTEMPLhn�Y�q�U���������D�	EventDataA��7�oDataK�NameReason
A��?�oData'K�Name
FailStatus
A��K�oData3K�NameDeviceDescLength
A��M�oData5K�NameDeviceDescription
A��K�oData3K�NameObjectPathLength
A��?�oData'K�Name
ObjectPath
�P�n�no8o`o�oReasonFailStatus(DeviceDescLength(DeviceDescription(ObjectPathLengthObjectPathTEMP`lq��Ǎ��Y<��������D�	EventDataA��9�oData!K�NameSqmType
A��G�oData/K�NameSqmSessionGuid
A��5�oDataK�NameSqmID
A��O�oData7K�NameSqmStreamRowLength
A��QZ�ComplexData+K�NameSqmStreamRow
�r rDrTr�r�r�r�rSqmType$SqmSessionGuidSqmID,SqmStreamRowLength SqmStreamRow SqmTypeEntry SqmDWORDEntry$SqmStringEntryPRVAXsMicrosoft-Windows-Kernel-StoreMgrOPCOx1�s2�s2�swin:Infowin:Startwin:StopLEVL@P�s(win:InformationalTASK�����u����v����0v����Lv����hv�����v�����v�����v	�����v
����w����4w����Tw
����pw�����w�����w�����w�����wStoreAddStoreRemoveStoreCreateStoreDelete StoreRundown$StoreCorruption(StorePageRundownRegionEvictRegionWrite(UnpersistFailure StoreIoStatsGlobalStatsStoreEmpty RegionRelease RegionCompact RegionRundown(CacheTerminationKEYW�����px@�����x������x�����x4�xStoreOpsStoreDiag0StoreContentsRundown StoreSummarywin:SQMEVNT������,Qhs�s t�||O������Shs�s<t�||O�����@Uhs�sXt�||O������_hs�stt�||O�����@Uhs�s�t�||OP@�l`hs�s�t�|�O������,Qhs�s�t�||O������chs�s�t�||O		������chs�su�||O

P@�xfhs�su�|�O������ihs�s8u�||O������hhs�sTu�||O

�����<khs�spu�||O������chs�s�u�||O������cts�s�u�||O������c�s�s�u�||O�������chs�s�u�||OP@�Xlhs�s�u�|�O�����o�s�| x xPxPxPx x0x@x x x x0x x x x x x x@x x0x`xWEVT�����H}
���D�P���TTBLPTEMPD�~�͟�,�Vo�9��{���BD�	EventDataA��9�oData!K�NameSqmType
A��G�oData/K�NameSqmSessionGuid
A��5�oDataK�NameSqmID
A��W�oData?K�NameSqmDWORDDatapointValue
0TdSqmType$SqmSessionGuidSqmID4SqmDWORDDatapointValuePRVA`�Microsoft-Windows-Kernel-LicensingSqmOPCOLEVL@P�(win:InformationalTASKKEYW04l�win:SQMEVNTD����T}���\�WEVT|F�������
4����@����CHANt0�����XMicrosoft-Windows-Kernel-Memory/AnalyticTTBL�;TEMP�

(�!5
.)]���Z�����^D�	EventDataA��G�oData/K�NamePriorityLevels
A��E�oData-K�Name
ZeroPageCount
A��E�oData-K�Name
FreePageCount
A��M�oData5K�NameModifiedPageCount
A��[�oDataCK�NameModifiedNoWritePageCount
A��C�oData+K�NameBadPageCount
A��M�oData5K�NameStandbyPageCounts
�A��S�oData;K�NameRepurposedPageCounts
�A��]�oDataEK�NameModifiedPageCountPageFile
A��O�oData7K�NamePagedPoolPageCount
	A��U�oData=K�NameNonPagedPoolPageCount
A��C�oData+K�NameMdlPageCount
A��I�oData1K�NameCommitPageCount
,�P�p�������8�h���̈���$PriorityLevels ZeroPageCount FreePageCount(ModifiedPageCount8ModifiedNoWritePageCount BadPageCount(StandbyPageCounts0RepurposedPageCounts8ModifiedPageCountPageFile,PagedPoolPageCount0NonPagedPoolPageCount MdlPageCount$CommitPageCountTEMPp$�R���n.R����H����D�	EventDataA��5�oDataK�NameCount
A��QZ�ComplexData+K�NameWSCommitInfo
��������$�H�t�Count WSCommitInfoProcessID,WorkingSetPageCount$CommitPageCount,VirtualSizeInPages<PrivateWorkingSetPageCountTEMP$
��R���n.R����H����D�	EventDataA��5�oDataK�NameCount
A��QZ�ComplexData+K�NameWSCommitInfo
�\�l�����Ѝ� �\�����Count WSCommitInfoProcessID,WorkingSetPageCount$CommitPageCount,VirtualSizeInPages<PrivateWorkingSetPageCount,StoreSizePageCount$StoredPageCount(CommitDebtInPagesTEMPd��R���n.R����H����D�	EventDataA��5�oDataK�NameCount
A��QZ�ComplexData+K�NameWSCommitInfo
���	��Đܐ�,�X�������Count WSCommitInfoProcessID,WorkingSetPageCount$CommitPageCount,VirtualSizeInPages<PrivateWorkingSetPageCount,StoreSizePageCount$StoredPageCount(CommitDebtInPages,SharedCommitInPagesTEMP�(���?"~�[&
�S�%�\���D�	EventDataA��5�oDataK�NameCount
A��_Z�ComplexData9K�NameSessionWSCommitInfo
���ē��4�X���Count,SessionWSCommitInfoSessionId,WorkingSetPageCount$CommitPageCount,PagedPoolPageCount<PrivateWorkingSetPageCountTEMP<
����?"~�[&
�S�%�\���D�	EventDataA��5�oDataK�NameCount
A��_Z�ComplexData9K�NameSessionWSCommitInfo
�x�����̖���H�����ԗCount,SessionWSCommitInfoSessionId,WorkingSetPageCount$CommitPageCount,PagedPoolPageCount<PrivateWorkingSetPageCount,StoreSizePageCount$StoredPageCount(CommitDebtInPagesTEMP|���?"~�[&
�S�%�\���D�	EventDataA��5�oDataK�NameCount
A��_Z�ComplexData9K�NameSessionWSCommitInfo
�ș	ؙ��H�l���Ԛ�$�L�Count,SessionWSCommitInfoSessionId,WorkingSetPageCount$CommitPageCount,PagedPoolPageCount<PrivateWorkingSetPageCount,StoreSizePageCount$StoredPageCount(CommitDebtInPages,SharedCommitInPagesTEMP���)m���N_}݉�T3n��^D�	EventDataA��=�oData%K�Name	ProcessId
 �ProcessIdTEMP ��de�^��<3�����D�	EventDataA��=�oData%K�Name	ProcessId
A��5�oDataK�NameFlags
0�H�ProcessIdFlagsTEMP�x��tMO%�XRVw�*�����D�	EventDataA��=�oData%K�Name	ProcessId
A��7�oDataK�NameStatus
A��G�oData/K�NamePagesProcessed
��̞�ProcessIdStatus$PagesProcessedTEMP�@����USg�\zY�4.��D�	EventDataA��=�oData%K�Name	ProcessId
A��7�oDataK�NameStatus
A��G�oData/K�NamePagesProcessed
A��_�oDataGK�NameWriteCombinePagesProcessed
A��W�oData?K�NameUncachedPagesProcessed
A��Q�oData9K�NameCleanPagesProcessed
��С��D�x�ProcessIdStatus$PagesProcessed<WriteCombinePagesProcessed4UncachedPagesProcessed,CleanPagesProcessedTEMP$t��V]���])&�l�Q|{���D�	EventDataA��=�oData%K�Name	ProcessId
A��7�oDataK�NameStatus
����ProcessIdStatusTEMP�X�bP���P���J&� ���ZD�	EventDataA��9�oData!K�NameAcgFlag
l�AcgFlagTEMP8 ������Z�v��N˝���jD�	EventDataA��W�oData?K�NameDurationInMicroseconds

A��?�oData'K�Name
TotalBytes

A��?�oData'K�Name
LowAddress

A��A�oData)K�NameHighAddress

A��=�oData%K�Name	SkipBytes

A��S�oData;K�NameMemoryDescriptorList
A��=�oData%K�Name	IdealNode
A��5�oDataK�NameFlags


��

�
�
,�
H�`�����4DurationInMicrosecondsTotalBytesLowAddressHighAddressSkipBytes0MemoryDescriptorListIdealNodeFlagsTEMPd

��s��cR��5���Ͻ��D�	EventDataA��W�oData?K�NameDurationInMicroseconds

A��?�oData'K�Name
TotalBytes

A��?�oData'K�Name
LowAddress

A��A�oData)K�NameHighAddress

A��;�oData#K�NameBoundary

A��I�oData1K�NamePhysicalAddress

A��E�oData-K�Name
MappedAddress
A��M�oData5K�NameAllocatedFromPool

A��G�oData/K�NameProtectionMask
A��E�oData-K�Name
PreferredNode
	

̬

�
�
8�
T�
l���

��ح��4DurationInMicrosecondsTotalBytesLowAddressHighAddressBoundary$PhysicalAddress MappedAddress(AllocatedFromPool$ProtectionMask PreferredNodeTEMP<��eر��4Q��˭A�Am��2D�	EventDataA��W�oData?K�NameDurationInMicroseconds

A��?�oData'K�Name
TotalBytes

A��?�oData'K�Name
LowAddress

A��A�oData)K�NameHighAddress

A��;�oData#K�NameBoundary

A��I�oData1K�NamePhysicalAddress

A��E�oData-K�Name
MappedAddress
A��G�oData/K�NameProtectionMask
A��E�oData-K�Name
PreferredNode
A��A�oData)K�NamePartitionId
	A��1�oDataK�NameTag
A��5�oDataK�NameFlags
A��M�oData5K�NameAllocatedFromPool

A��W�oData?K�NameAllocatedFromExtension




��

г
�
�
$�
<�`�����Ĵ��

��

$�4DurationInMicrosecondsTotalBytesLowAddressHighAddressBoundary$PhysicalAddress MappedAddress$ProtectionMask PreferredNodePartitionIdTagFlags(AllocatedFromPool4AllocatedFromExtensionTEMP
���깗x��S���њ���D�	EventDataA��A�oData)K�NamePartitionId
A��5�oDataK�NameCount
A��UZ�ComplexData/K�NameMemoryNodeInfo
�����
��ܷ���H�t���̸��$�L�PartitionIdCount$MemoryNodeInfoNodeNumber$TotalPageCount,SmallFreePageCount,SmallZeroPageCount,MediumFreePageCount,MediumZeroPageCount,LargeFreePageCount,LargeZeroPageCount(HugeFreePageCount(HugeZeroPageCountTEMP����깗x��S���њ���D�	EventDataA��A�oData)K�NamePartitionId
A��5�oDataK�NameCount
A��UZ�ComplexData/K�NameMemoryNodeInfo
�0�L�\��������PartitionIdCount$MemoryNodeInfoNodeNumber$TotalPageCount(HugeFreePageCount(HugeZeroPageCountTEMP$�-��0_��1������D�	EventDataA��A�oData)K�NameBaseAddress
A��3�oDataK�NameSize
�$�BaseAddressSizePRVATH�Microsoft-Windows-Kernel-MemoryOPCOx1��2н2�win:Infowin:Startwin:StopLEVL@P�(win:InformationalTASK�����������������������Կ����������$�����0�����P�	����t�
������������MemInfoMemInfoWS(MemInfoSessionWS(WorkingSetOutSwap(WorkingSetInSwapAcg MdlAllocation$ContAllocationMemInfoNode,MemInfoHugeIoSpaceContFreeKEYW� ����@�@����|������������������,�����t�<KERNEL_MEM_KEYWORD_MEMINFO@KERNEL_MEM_KEYWORD_MEMINFO_EX<KERNEL_MEM_KEYWORD_WS_SWAP4KERNEL_MEM_KEYWORD_ACGHKERNEL_MEM_KEYWORD_PHYSICAL_ALLOCDKERNEL_MEM_KEYWORD_MEMINFO_NODEEVNT� ����������L��� �@�����@����h��� �@����������h��� �@�����Ԏ���h��� �@�����8�������� �@�������������� �@������������� �������x������� �������8������� �������X������� �������������� �������x������� �������8������� ��������������� ������ȣ���ؾ � �	�������������$� �
�����������(� ������������,� �����������0� �	�����X����,�4� �

�����t����H�8� ����������d�<� ����������������� � � �0�0� �WEVT�6�	������
����������CHAN\������,��������XMicrosoft-Windows-Kernel-ShimEngine/DebugdMicrosoft-Windows-Kernel-ShimEngine/OperationaldMicrosoft-Windows-Kernel-ShimEngine/DiagnosticMAPS�,��VMAP$����VMAP$P���LKSE:DeviceFlagApplied.FlagSourceMapLKSE:DriverShimApplied.ShimSourceMapTTBL�,TEMP4��Z~�B ;�\�Y�q�h:���D�	EventDataA��9�oData!K�NameEventId
A��C�oData+K�NameDebugMessage
���EventId DebugMessageTEMP(���%oM���]�@/Hxɫ��4D�	EventDataA��?�oData'K�Name
DriverName
A��?�oData'K�Name
ShimSource
A��=�oData%K�Name	ShimCount
A��C�oData+K�NameAppliedGuids
������0�DriverNameShimSourceShimCount AppliedGuidsTEMP��-
U&O�SA����4��*D�	EventDataA��?�oData'K�Name
DeviceName
A��A�oData)K�NameDeviceClass
A��?�oData'K�Name
FlagSource
A��5�oDataK�NameFlags

��,�8�

T�DeviceNameDeviceClassFlagSourceFlagsTEMP�$��N��_���ք������D�	EventDataA��?�oData'K�Name
DriverName
A��?�oData'K�Name
DriverBase
A��?�oData'K�Name
DriverSize
A��I�oData1K�NameDriverTimeStamp
A��G�oData/K�NameDriverCheckSum
���������DriverNameDriverBaseDriverSize$DriverTimeStamp$DriverCheckSumTEMPD�ef2�_�Ǎ;�vB���D�	EventDataA��C�oData+K�NameDriverObject
A��?�oData'K�Name
DriverBase
,�L� DriverObjectDriverBaseTEMPd��O]S��Rx�������D�	EventDataA��?�oData'K�Name
DriverBase
A��?�oData'K�Name
DriverSize
A��C�oData+K�NameDriverObject
A��1�oDataK�NamePdo
A��7�oDataK�NameStatus
A��A�oData)K�NameServiceName
A��?�oData'K�Name
HardwareId
�8�T�t�������DriverBaseDriverSize DriverObjectPdoStatusServiceNameHardwareIdTEMP0D��<au2Pۜ�]i���DD�	EventDataA��9�oData!K�NameAddress
A��7�oDataK�NameCaller
A��3�oDataK�NameType
A��3�oDataK�NameSize
A��1�oDataK�NameTag
����������AddressCallerTypeSizeTagTEMPt�e�5��J]Y���9����D�	EventDataA��9�oData!K�NameAddress
A��7�oDataK�NameCaller
A��1�oDataK�NameTag
<�P�d�AddressCallerTagTEMP|x���k,H�lZ.�7u1�n:���D�	EventDataA��C�oData+K�NameDriverObject
A��1�oDataK�NameFdo
A��1�oDataK�NameIrp
������ DriverObjectFdoIrpTEMP����h؂iAQ��՜����D�	EventDataA��C�oData+K�NameDriverObject
A��1�oDataK�NameFdo
A��?�oData'K�Name
DeviceType
A��U�oData=K�NameDeviceCharacteristics
A��=�oData%K�Name	Exclusive
A��7�oDataK�NameStatus
X�x��������� DriverObjectFdoDeviceType0DeviceCharacteristicsExclusiveStatusTEMPT�����ܐ�_���R����VD�	EventDataA��C�oData+K�NameDriverObject
A��1�oDataK�NameFdo
A��1�oDataK�NameIrp
A��=�oData%K�Name	MajorCode
A��7�oDataK�NameStatus
����$�<� DriverObjectFdoIrpMajorCodeStatusTEMPT��w����RĚ�pȧ'��VD�	EventDataA��C�oData+K�NameDriverObject
A��1�oDataK�NameFdo
A��1�oDataK�NameIrp
A��=�oData%K�Name	MinorCode
A��7�oDataK�NameStatus
@�`�l�x��� DriverObjectFdoIrpMinorCodeStatusTEMP����b6wm+^��>��.���D�	EventDataA��C�oData+K�NameDriverObject
A��1�oDataK�NameFdo
A��1�oDataK�NameIrp
A��7�oDataK�NameStatus
<�\�h�t� DriverObjectFdoIrpStatusTEMP����b6wm+^��>��.���D�	EventDataA��C�oData+K�NameDriverObject
A��1�oDataK�NameFdo
A��1�oDataK�NameIrp
A��7�oDataK�NameStatus
 �@�L�X� DriverObjectFdoIrpStatusTEMP8����g��cQ胉� �o8���D�	EventDataA��C�oData+K�NameDriverObject
A��1�oDataK�NameFdo
A��1�oDataK�NameIrp
A��=�oData%K�Name	MinorCode
A��=�oData%K�Name	PowerType
A��?�oData'K�Name
PowerState
A��7�oDataK�NameStatus
�,�8�D�\�t��� DriverObjectFdoIrpMinorCodePowerTypePowerStateStatusTEMP8����g��cQ胉� �o8���D�	EventDataA��C�oData+K�NameDriverObject
A��1�oDataK�NameFdo
A��1�oDataK�NameIrp
A��=�oData%K�Name	MinorCode
A��=�oData%K�Name	PowerType
A��?�oData'K�Name
PowerState
A��7�oDataK�NameStatus
D�d�p�|������� DriverObjectFdoIrpMinorCodePowerTypePowerStateStatusTEMP���b}}����_�G��&Sv����D�	EventDataA��C�oData+K�NameDriverObject
A��1�oDataK�NameFdo
A��1�oDataK�NameIrp
A��=�oData%K�Name	MinorCode
A��?�oData'K�Name
PowerState
A��7�oDataK�NameStatus
$�D�P�\�t��� DriverObjectFdoIrpMinorCodePowerStateStatusTEMP����b6wm+^��>��.���D�	EventDataA��C�oData+K�NameDriverObject
A��1�oDataK�NameFdo
A��1�oDataK�NameIrp
A��7�oDataK�NameStatus
<�\�h�t� DriverObjectFdoIrpStatusTEMP�H��N��_���ք������D�	EventDataA��?�oData'K�Name
DriverName
A��?�oData'K�Name
DriverBase
A��?�oData'K�Name
DriverSize
A��I�oData1K�NameDriverTimeStamp
A��G�oData/K�NameDriverCheckSum
�������$�DriverNameDriverBaseDriverSize$DriverTimeStamp$DriverCheckSumTEMPD(�ef2�_�Ǎ;�vB���D�	EventDataA��C�oData+K�NameDriverObject
A��?�oData'K�Name
DriverBase
P�p� DriverObjectDriverBasePRVA\��Microsoft-Windows-Kernel-ShimEngineOPCO01�win:InfoLEVL�PH�P`�[��win:Error(win:Informationalwin:VerboseTASKKEYW�����<�����d���������������������������,� ����P�(ShimEngineEvents,ShimEngineMessages,DriverScopeGeneral$DriverScopePnp(DriverScopePower$DriverScopeIrps$DriverScopePool4SkipDriverUnloadGeneralEVNTD�������$����������0���@�(��0���@�P��0��� @������<����� @����H�<�����
 ����d�<����� ����$�<����� ����h�<�����
 ������<����� ������<����� ����p�<����� ������<����� ������<����� ����P�<����� ������<����� ������<����� ����l�<����� ������<����� ������<���� ������<����,�,��������������������WEVTl�
���������PRVA� �Microsoft-Windows-Kernel-Licensing-StartServiceTriggerOPCOLEVL@P��(win:InformationalTASKKEYWEVNT@������WEVTX������
��P����CHANx������\Microsoft-Windows-Kernel-IoTrace/DiagnosticPRVAXMicrosoft-Windows-Kernel-IoTraceOPCO01hwin:InfoLEVLhP�[�(win:Informationalwin:VerboseTASK�����H����l�����$UserInitiatedIoKernelIo,ActivityIdTransferKEYWEVNT������\���������\��������\��������\�,��WEVTp���
`N�NO�OXVXCHAN�<	�X����������d����Application\Microsoft-Windows-AppModel-Runtime/AnalyticXMicrosoft-Windows-AppModel-Runtime/AdminXMicrosoft-Windows-AppModel-Runtime/DebugdMicrosoft-Windows-AppModel-Runtime/DiagnosticsTTBL�I)TEMPH���U�%T�d<�
�����D�	EventDataA��=�oData%K�Name	ErrorCode
A��I�oData1K�NamePackageFullName
��ErrorCode$PackageFullNameTEMPtD'$�vS�^a�[.�������D�	EventDataA��=�oData%K�Name	ProcessID
A��?�oData'K�Name
CreateTime
A��I�oData1K�NameParentProcessID
A��I�oData1K�NamePackageFullName
A��=�oData%K�Name	ImageName
A��c�oDataKK�NamePackageRelativeApplicationId
���	8	P	ProcessIDCreateTime$ParentProcessID$PackageFullNameImageName@PackageRelativeApplicationIdTEMP��
zsS��&]����%Ǚ���D�	EventDataA��I�oData1K�NamePackageFullName
A��=�oData%K�Name	ErrorCode
A��C�oData+K�NameErrorMessage
�
4$PackageFullNameErrorCode ErrorMessageTEMP��}��s!t
^�p�v�W���D�	EventDataA��I�oData1K�NamePackageFullName
A��=�oData%K�Name	ErrorCode
A��C�oData+K�NameFailedBinary
���$PackageFullNameErrorCode FailedBinaryTEMP��
?~�v|�Uj��]�4���^D�	EventDataA��=�oData%K�Name	ErrorCode
�
ErrorCodeTEMP@������wZۉML-e�����D�	EventDataA��;�oData#K�NameFileName
A��=�oData%K�Name	ErrorCode
A��3�oDataK�NameSize

A��7�oDataK�NameOffset
A��?�oData'K�Name
HeaderAddr
A��9�oData!K�NameSection
A��=�oData%K�Name	ProcessId
|�

����FileNameErrorCodeSizeOffsetHeaderAddrSectionProcessIdTEMP���2Ol�T�>��6�����D�	EventDataA��;�oData#K�NameFileName
A��=�oData%K�Name	ErrorCode
A��3�oDataK�NameSize

A��?�oData'K�Name
HeaderAddr
A��9�oData!K�NameSection
A��=�oData%K�Name	ProcessId
h�

����FileNameErrorCodeSizeHeaderAddrSectionProcessIdTEMP���/Q}�Q����B����D�	EventDataA��;�oData#K�NameFileName
A��=�oData%K�Name	ErrorCode
A��3�oDataK�NameSize

A��?�oData'K�Name
HeaderAddr
A��W�oData?K�NameApplicationUserModelId
A��=�oData%K�Name	ProcessId
`x

����FileNameErrorCodeSizeHeaderAddr4ApplicationUserModelIdProcessIdTEMPp�&�8#}�NX[V��PpK���dD�	EventDataA��;�oData#K�NameFileName
A��=�oData%K�Name	ErrorCode
A��3�oDataK�NameSize

A��?�oData'K�Name
HeaderAddr
A��=�oData%K�Name	ProcessId


4D`FileNameErrorCodeSizeHeaderAddrProcessIdTEMP��R�n#�V�!�qT����D�	EventDataA��;�oData#K�NameFileName
A��=�oData%K�Name	ErrorCode
A��=�oData%K�Name	ProcessId
���FileNameErrorCodeProcessIdTEMP<����DI�]���jzXK���D�	EventDataA��;�oData#K�NameFileName
A��E�oData-K�Name
ExceptionCode
0FileName ExceptionCodeTEMP��B��
��;V ,��1~���D�	EventDataA��;�oData#K�NameFileName
A��=�oData%K�Name	ErrorCode
A��3�oDataK�NameType
A��=�oData%K�Name	ProcessId
�$4FileNameErrorCodeTypeProcessIdTEMPH0�uSQk�Xޱt!֝6A���D�	EventDataA��I�oData1K�NamePackageFullName
A��=�oData%K�Name	ErrorCode
X|$PackageFullNameErrorCodeTEMP� }4j�n��]l���=�0��$D�	EventDataA��I�oData1K�NamePackageFullName
A��1�oDataK�NameKey
A��7�oDataK�NameSubkey
A��=�oData%K�Name	ErrorCode
<!`!l!�!$PackageFullNameKeySubkeyErrorCodeTEMP�"}4j�n��]l���=�0��$D�	EventDataA��I�oData1K�NamePackageFullName
A��1�oDataK�NameKey
A��7�oDataK�NameSubkey
A��=�oData%K�Name	ErrorCode
@#d#p#�#$PackageFullNameKeySubkeyErrorCodeTEMP�$}4j�n��]l���=�0��$D�	EventDataA��I�oData1K�NamePackageFullName
A��1�oDataK�NameKey
A��7�oDataK�NameSubkey
A��=�oData%K�Name	ErrorCode
D%h%t%�%$PackageFullNameKeySubkeyErrorCodeTEMPP�&	�p\k��&�����D�	EventDataA��M�oData5K�NamePackageFamilyName
A��=�oData%K�Name	ErrorCode
�&�&(PackageFamilyNameErrorCodeTEMP(�'�c��+U���w�6p����D�	EventDataA��=�oData%K�Name	ErrorCode
A��9�oData!K�NameContext
�'(ErrorCodeContextTEMP(�(�c��+U���w�6p����D�	EventDataA��=�oData%K�Name	ErrorCode
A��9�oData!K�NameContext
),)ErrorCodeContextTEMP��)?~�v|�Uj��]�4���^D�	EventDataA��=�oData%K�Name	ErrorCode
�)ErrorCodeTEMP��*�&؍1�
U)��;߸C��lD�	EventDataA��K�oData3K�NameAppContainerName
�*(AppContainerNameTEMP�|+t+=D{��Q
��m����jD�	EventDataA��I�oData1K�NamePackageFullName
�+$PackageFullNameTEMPH�, ����2B[&�Ŧ�]$���D�	EventDataA��=�oData%K�Name	ErrorCode
A��I�oData1K�NamePackageFullName
�,�,ErrorCode$PackageFullNameTEMP,�-�ˀf��S �t�:sV����D�	EventDataA��=�oData%K�Name	ErrorCode
A��;�oData#K�NameResource
�-.ErrorCodeResourceTEMP,�.�ˀf��S �t�:sV����D�	EventDataA��=�oData%K�Name	ErrorCode
A��;�oData#K�NameResource
$/</ErrorCodeResourceTEMPH80 ����2B[&�Ŧ�]$���D�	EventDataA��=�oData%K�Name	ErrorCode
A��I�oData1K�NamePackageFullName
`0x0ErrorCode$PackageFullNameTEMP��1ر`n���[m��,l��.���D�	EventDataA��=�oData%K�Name	ErrorCode
A��I�oData1K�NamePackageFullName
A��3�oDataK�NameUser
�1202ErrorCode$PackageFullNameUserTEMPH�3uBԘ|Xl��%�{�Z��FD�	EventDataA��=�oData%K�Name	ErrorCode
A��I�oData1K�NamePackageFullName
A��E�oData-K�Name
DesiredStatus
A��E�oData-K�Name
CurrentStatus
4$4H4h4ErrorCode$PackageFullName DesiredStatus CurrentStatusTEMP��5�~��uB�YĴ��z�E��D�	EventDataA��I�oData1K�NamePackageFullName
A��E�oData-K�Name
DesiredStatus
A��E�oData-K�Name
CurrentStatus
�5 6@6$PackageFullName DesiredStatus CurrentStatusTEMP�8B{4�\�Y8����|D�	EventDataA��=�oData%K�Name	ErrorCode
A��I�oData1K�NamePackageFullName
A��3�oDataK�NameUser
A��E�oData-K�Name
StatusToClear
A��A�oData)K�NameStatusToSet
t8�8�8�8�8ErrorCode$PackageFullNameUser StatusToClearStatusToSetTEMP,h:S3�%=�P�˪FA��8D�	EventDataA��I�oData1K�NamePackageFullName
A��3�oDataK�NameUser
A��E�oData-K�Name
StatusToClear
A��A�oData)K�NameStatusToSet
�:�:�:;$PackageFullNameUser StatusToClearStatusToSetTEMP(�;�c��+U���w�6p����D�	EventDataA��=�oData%K�Name	ErrorCode
A��9�oData!K�NameContext
$<<<ErrorCodeContextTEMP�>ü��V�]6�D����zD�	EventDataA��=�oData%K�Name	ProcessID
A��A�oData)K�NamePackageName
A��=�oData%K�Name	ImageName
A��I�oData1K�NameApplicationName
A��9�oData!K�NameMessage
d>|>�>�>�>ProcessIDPackageNameImageName$ApplicationNameMessageTEMP��@��6���RSX�����zD�	EventDataA��A�oData)K�NamePackageName
A��=�oData%K�Name	ImageName
A��I�oData1K�NameApplicationName
A��=�oData%K�Name	ErrorCode
A��9�oData!K�NameMessage
�@A0ATAlAPackageNameImageName$ApplicationNameErrorCodeMessageTEMP��B�n#Ύ��X��sk�	�����D�	EventDataA��A�oData)K�NamePackageName
A��E�oData-K�Name
ContainerName
A��A�oData)K�NameContainerId
�BC$CPackageName ContainerNameContainerIdTEMP�dDC|3*C�uVo���.}+���D�	EventDataA��=�oData%K�Name	ProcessID
A��A�oData)K�NamePackageName
A��A�oData)K�NameContainerId
�D�D�DProcessIDPackageNameContainerIdTEMP XFz`y�-'1T��x¤�r���2D�	EventDataA��=�oData%K�Name	ErrorCode
A��=�oData%K�Name	ProcessID
A��A�oData)K�NamePackageName
A��A�oData)K�NameContainerId
�F�F�F�FErrorCodeProcessIDPackageNameContainerIdTEMP�8H�vgz!XX_�HT
"I���D�	EventDataA��=�oData%K�Name	ErrorCode
A��A�oData)K�NamePackageName
A��E�oData-K�Name
ContainerName
tH�H�HErrorCodePackageName ContainerNameTEMP@�I�O�L�W�ּY=���D�	EventDataA��A�oData)K�NamePackageName
A��A�oData)K�NameContainerId
�I�IPackageNameContainerIdTEMP��K�Cg�6hT���v#��E��lD�	EventDataA��]�oDataEK�NameCleanupContainerErrorCode
A��W�oData?K�NameMakeTemporaryErrorCode
A��A�oData)K�NamePackageName
A��A�oData)K�NameContainerId
�K0LdL�L8CleanupContainerErrorCode4MakeTemporaryErrorCodePackageNameContainerIdTEMP��M����V�?d�qz����D�	EventDataA��I�oData1K�NamePackageFullName
A��E�oData-K�Name
ApplicationId
A��;�oData#K�NamePsmFlags

N(N
HN$PackageFullName ApplicationIdPsmFlagsPRVA\tNMicrosoft-Windows-AppModel-RuntimeOPCOT2�N2�Nwin:Startwin:StopLEVL�ULOPlOP�OP�O win:Criticalwin:Errorwin:Warning(win:InformationalTASK������Q�����Q����DR�����R�����R����Sd����\Se�����Sf�����Sg���� Th����hTi�����T������T�����$U�����TU������U������U�����V0AppModelProcessStartHAppIntegrityDependencyGraphCheck<AppIntegrityProcessCreationHAppIntegrityInAppValidatePackageLAppModelDynamicPropertiesReadFailedHAppModelDynamicPropertiesInvalidDRestrictedAppContainerCreationDRestrictedAppContainerDeletion<RestrictedAppContainerOpenHRestrictedAppContainerEnumeration@RestrictedAppContainerLaunchLRestrictedAppContainerTerminateAll0AppContainerCreation0AppContainerDeletion,AppContainerUpdate@FirewallAppContainerCreation@FirewallAppContainerDeletionXRestrictedAppContainerUpdateCapabilitiesKEYW��V�VWDW����tW �����W@�����W������WProcess AppContainer,DesktopAppXProcess0DesktopAppXContainer0ms:ReservedKeyword40 ms:Telemetryms:Measures$ms:CriticalDataEVNT��@�@Oxp�@ ��	(O|p@ ��	(O�p@ ��	(O�p@ ��	(O�p@ ��	(O�p ��	(O�p �T(O�p		�	T(O�p� �T4O�p �
4O�p ��
(O�p �(O�p ��
(O�p ��
(O�p �x(O�p �(O�p@ ��	(O�p@ ��&(O�p ��&(O�p ��&(O�p ��&(O�p ��&(O�p ��&(O�p ��&(O�p ��&(O�p ��&(O�p ��&(Oq �@)(Oq   ��&(Oq! !�@)(Oq" "�@)(Oq# #�@)(Oq$ $�@)(Oq% %�@)(Oq& &�@)(O q' '�*@O$q( (�*@O(q) )�*@O,q* *�*@O0q+ +��(O4q, ,�(O8q- -��&(O<q. .�@)(O@q/ /�@)(ODq0 0��&(OHq1 1��&(OLq2 2��&(OPq3 3��&(OTq4 4��&(OXq5 5��*@O\q6 6��*(O`q7 7��*(Odq8 8��*@Ohq9 9��+(Olq: :��+(Opq; ;��+(Otq< <��*(Oxq=@ =��	(O|q> >��+(O�q? ?��,(O�q@ @�(.(O�qA A�T/(O�qB B��0(O�qC C�@2@O�qD D��4@O�qE E�`6@O�qF F��8@O�qG G�(;(O�qHH�@O�qI I��	(O�qJ J�P(O�qK K�L(O�qL L��(O�qM M��!(O�qN N��#(O�qO  O��%O�qP  P��%(O�qQ Q��(O�qe�e�*�N@O$Q�q,f�f��&�N@O$Q�q,g�g�*�N@O@Q�q,h�h��&�N@O@Q�q,i�i�*�N@O\Q�q,j�j��&�N@O\Q�q,k�k�*�N@OxQ�q,l�l�(�N@OxQ�q,m�m�*�N@O�Q�q,n�n�(�N@O�Qr,odo�*�N@O|Pr,pdp�(�N@O|Pr,qeq�*�N@O�Pr,rer�(�N@O�Pr,sfs�*�N@O�Pr,tft�(�N@O�Pr,ugu�*�N@O�Pr,vgv�(�N@O�P r,whw�*�N@O�P$r,xhx�(�N@O�P(r,yiy�*�N@OQ,r,ziz�(�N@OQ0r,{{��*�N@O�O4r,||��+�N@O�O8r,}}��*�N@OP<r,~~��+�N@OP@r,��*�N@O(PDr,����+�N@O(PHr,����*�N@OxQLr,����*�N@O�QPr,����(�N@O�QTr,� ��P<@OXr� ���>(O\r� ���>(O`r� ���>(Odr� ���>(Ohr� ���>(Olr� ���>(Opr� ���>(Otr� ���>(Oxr� ���A@O|r� ��@C@O�r� ���D(O�r� ��G(O�r� ��G(O�r� ��G(O�r� ��G(O�r� ���H@O�r� ��J@O�r� ���L@O�r� ���>(O�rdVdV�VdV�VdV�VdV�VdV�VdVdVdVdVdVdVdVdVdVdVdVdV�VtV�VtVtVtVtVtVtVtVtVtVtVtVtVtVtVtVtVtVtVtVtVtVdVdVdVdVdVdVdVdVdVdVdVdVdVdVdVdVdVdVdV�VdVdVdVdVdVdVdVdVdVdVdVdVdVdVdVdVdVdV�VdV�VdVtVtVtVtVtVtVtVtVtVtVtVtVtVtVtVtVtVtVtVtVtVtVdVdVdVdVdVdVtVtVtV�V�V�V�V�V�V�V�V�V�V�V�V�V�V�V�V�V�V�V�VWEVT?��rt
�~�~P�d���CHAN4s	�Ps��s�ApplicationTMicrosoft-Windows-AppModel-State/Debug\Microsoft-Windows-AppModel-State/DiagnosticTTBL�
TEMP��t!��5�"0W�
P�څ���rD�	EventDataA��Q�oData9K�NameInformationalString
�t,InformationalStringTEMP(�uv��(8\�$������D�	EventDataA��A�oData)K�NameErrorString
A��5�oDataK�NameError
�uvErrorStringErrorTEMP�<w����br�RiM1$U�����D�	EventDataA��C�oData+K�NameFolderString
A��E�oData-K�Name
PackageString
A��5�oDataK�NameError
xw�w�w FolderString PackageStringErrorTEMP��xp���p[&Xp�� T�����D�	EventDataA��E�oData-K�Name
PackageString
A��9�oData!K�NameUserSid
A��5�oDataK�NameError
y<yPy PackageStringUserSidErrorTEMP��zv��k�T�l/�;c���D�	EventDataA��=�oData%K�Name	Operation
A��E�oData-K�Name
PackageFamily
A��G�oData/K�NameOperationError
�z�z{Operation PackageFamily$OperationErrorTEMP\�|hyVb��X\x�5y�f/��ND�	EventDataA��=�oData%K�Name	Operation
A��E�oData-K�Name
PackageFamily
A��G�oData/K�NameOperationError
A��O�oData7K�NameRepairTriggerError
�|}0}T}Operation PackageFamily$OperationError,RepairTriggerErrorTEMP$P~�mQ�5�Qj�8!~��C���D�	EventDataA��?�oData'K�Name
FolderPath
A��5�oDataK�NameError
x~�~FolderPathErrorPRVAX�~Microsoft-Windows-AppModel-StateOPCOT2 28win:Startwin:StopLEVL�P�P�P�win:Errorwin:Warning(win:InformationalTASK�+���������������(�����p�����ą���������h�������d�����e����\�f����Їg����H�h������i����L�j����؉k����l�l������m������n�����o������p����0�q����čr����\�s�����t������u�����v������w����<�x����Бy����`�z�����{������|�����}������~���� ������������<������Ȗ�����T������������8��������������HAppModel.Task.State.WriteSettingDAppModel.Task.State.ReadSettingHAppModel.Task.State.DeleteSettingTAppModel.Task.State.WriteSettingInAtomPAppModel.Task.State.ReadSettingInAtomTAppModel.Task.State.DeleteSettingInAtomDAppModel.Task.State.CommitAtomDAppModel.Task.State.LoadAppHivelAppModel.Task.StateWinRT.AppDataFactory_ActivationtAppModel.Task.StateWinRT.ApplicationDataServer_LifespanxAppModel.Task.StateWinRT.ApplicationDataServer_GetVersionxAppModel.Task.StateWinRT.ApplicationDataServer_SetVersion�AppModel.Task.StateWinRT.ApplicationDataServer_RoamingStorageQuota�AppModel.Task.StateWinRT.ApplicationDataServer_RoamingStorageUsage�AppModel.Task.StateWinRT.ApplicationDataServer_ActivateContainerServer�AppModel.Task.StateWinRT.ApplicationDataServer_ActivateFileItemServer�AppModel.Task.StateWinRT.ApplicationDataContainerServer_Lifespan�AppModel.Task.StateWinRT.ApplicationDataContainerServer_GetValues�AppModel.Task.StateWinRT.ApplicationDataContainerServer_GetContainers�AppModel.Task.StateWinRT.ApplicationDataContainerServer_CreateContainer�AppModel.Task.StateWinRT.ApplicationDataContainerServer_DeleteContainer�AppModel.Task.StateWinRT.ApplicationDataContainerSettingsServer_Lifespan�AppModel.Task.StateWinRT.ApplicationDataContainerSettingsServer_Lookup�AppModel.Task.StateWinRT.ApplicationDataContainerSettingsServer_Size�AppModel.Task.StateWinRT.ApplicationDataContainerSettingsServer_HasKey�AppModel.Task.StateWinRT.ApplicationDataContainerSettingsServer_GetView�AppModel.Task.StateWinRT.ApplicationDataContainerSettingsServer_Insert�AppModel.Task.StateWinRT.ApplicationDataContainerSettingsServer_Remove�AppModel.Task.StateWinRT.ApplicationDataContainerSettingsServer_Clear�AppModel.Task.StateWinRT.ApplicationDataContainerSettingsServer_First�AppModel.Task.StateWinRT.ApplicationDataCompositeValueServer_Lifespan�AppModel.Task.StateWinRT.ApplicationDataCompositeValueServer_Lookup�AppModel.Task.StateWinRT.ApplicationDataCompositeValueServer_Size�AppModel.Task.StateWinRT.ApplicationDataCompositeValueServer_HasKey�AppModel.Task.StateWinRT.ApplicationDataCompositeValueServer_GetView�AppModel.Task.StateWinRT.ApplicationDataCompositeValueServer_Insert�AppModel.Task.StateWinRT.ApplicationDataCompositeValueServer_Remove�AppModel.Task.StateWinRT.ApplicationDataCompositeValueServer_Clear�AppModel.Task.StateWinRT.ApplicationDataCompositeValueServer_FirstXAppModel.Task.StateWinRT.RoamingRpcSignalhAppModel.Task.StateWinRT.DataChangedEventDispatchPAppModel.Task.StateWinRT.TempCleanuptAppModel.Task.StateWinRT.ApplicationDataServer_ForUserKEYWT���$�@�\� l�1��Structured(UnstructuredResetOutOfMemoryApiSetErrorWinRT$DataStoreError(win:ResponseTimeEVNTl@��tt�s@��tt�s@�\�s@��t\�s @��t\�s@�ts@�ts@��t\s	@	�\s
	�
�t\s	��t\s	��t\s
	�
v\s@��wts@��wts@��wts@��wts@�tts@��t\s	�`yhs	�${hs	��}hs	�`yhs	�${hs2 ����t��$s3 ����t�$�$s< ����t�,�$s= ����t�4�$sF ����t �<�$sG ����t �D�$sP ����t<�L�$sQ ����t<�T�$sZ ����tX�\�$s[ ����tX�d�$sd ����tt�l�$se ����tt�t�$sn ����t��|�$so ����t����$sx ����t����$sy ����t����$s�d ����tȀ��$s�d ����tȀ��$s�e ����t���$s�e ����t���$s�f ����t���$s�f ����t�į$s�g ����t�̯$s�g ����t�ԯ$s�h ����t8�ܯ$s�h ����t8��$s�j ����tp��$s�j ����tp��$s�k ����t����$s�k ����t���$s�l ����t���$s�l ����t���$s�m ����tā�$s�m ����tā$�$s�n ����t�,�$s�n ����t�4�$so ����t��<�$so ����t��D�$sp ����t�L�$sp ����t�T�$sq ����t4�\�$sq ����t4�d�$s"r ����tP�l�$s#r ����tP�t�$s,s ����tl�|�$s-s ����tl���$s6t ����t����$s7t ����t����$s@u ����t����$sAu ����t����$sJv ����t����$sKv ����t����$sTw ����t܂��$sUw ����t܂İ$s^x ����t��̰$s_x ����t��԰$shy ����t�ܰ$siy ����t��$srz ����t0��$ssz ����t0��$s|{ ����tL���$s}{ ����tL��$s�| ����th��$s�| ����th��$s�} ����t���$s�} ����t��$�$s�~ ����t��,�$s�~ ����t��4�$s� ����t��<�$s� ����t��D�$s�� ����t؃L�$s�� ����t؃T�$s�� ����t�\�$s�� ����t�d�$s�� ����t�l�$s�� ����t�t�$s�� ����t,�|�$s�� ����t,���$s�� ����tH���$s�� ����tH���$s�� ����td���$s�� ����td���$s�� ����t����$s�� ����t����$s����������p�Йp�Йp�Йp�Йp�Йp�Йp�Йp�Йp�Йp�Йp�Йp�Йp�Йp�Йp�Йp�Й��Й��Й��Й��Й��Й��Й��Й��Й��Й��Й��Й��Й��Й��Й��Й��Й��Й��Й��Й��Й��Й��Й��Й��Й��Й��Й��Й��Й��Й��Й��Й��Й��Й��Й��Й��Й��Й��Й��Й��Й��Й��Й��Й��Й��Й��Й��Й��Й��Й��Й��Й��Й��Й��Й��Й��Й��Й��Й��Й��Й��Й��Й��Й��Й��Й��Й��Й��ЙWEVTl�
������̲ز�PRVA��Microsoft-Windows-Kernel-WSService-StartServiceTriggerOPCOLEVL@P��(win:InformationalTASKKEYWEVNT@������WEVT��	�����
4���������(�CHAN������TMicrosoft-Windows-Kernel-IO/OperationalSystemMAPS�$�VMAP4X�����@IoMgrDmpEncryptionFailureMapTTBL�TEMP�е�~�b?P��\�X^����D�	EventDataA��?�oData'K�Name
VolumeGuid
A��K�oData3K�NameVolumeNameLength
A��?�oData'K�Name
VolumeName
�(�P�VolumeGuid(VolumeNameLengthVolumeNameTEMP(Է3n�d���TX�¶?�,���4D�	EventDataA��?�oData'K�Name
VolumeGuid
A��K�oData3K�NameVolumeNameLength
A��?�oData'K�Name
VolumeName
A��5�oDataK�NameError
$�@�h���VolumeGuid(VolumeNameLengthVolumeNameErrorTEMPT|�A���Ug���f����D�	EventDataA��K�oData3K�NameFilterNameLength
A��?�oData'K�Name
FilterName
��̹(FilterNameLengthFilterNameTEMPXh��E���]�y��9щw��JD�	EventDataA��K�oData3K�NameFilterNameLength
A��?�oData'K�Name
FilterName
A��K�oData3K�NameVolumeNameLength
A��?�oData'K�Name
VolumeName
�����$�(FilterNameLengthFilterName(VolumeNameLengthVolumeNameTEMP��n��	Y�ώ)@b.����D�	EventDataA��a�oDataIK�NameDumpEncryptionFailureReason
$��<DumpEncryptionFailureReasonTEMP�Խc;8��Y}8[�ȗ#���VD�	EventDataA��5�oDataK�NamePhase
�PhaseTEMP���$*��Qq�����XD�	EventDataA��7�oDataK�NameStatus
��StatusTEMP������h6'^^���5*JmB���D�	EventDataA��?�oData'K�Name
NameLength
A��3�oDataK�NameName
A��7�oDataK�NameStatus
�� �NameLengthNameStatusPRVALH�Microsoft-Windows-Kernel-IOOPCOx1��2�2�win:Infowin:Startwin:StopLEVL�P(�P@�P\�win:Errorwin:Warning(win:InformationalTASK��������������H�����l�VolumeMount,LoadBootHotPatches$WheaInitialize,CrashDumpInitializeKEYW������������������ VolumeMountsHotPatchBootPerfEVNT�����������������������������l�����������@���������@��������@�@�������@���������@���������������������������������H���������������������������������������������������������WEVT�cL	T�<���
���t�CHAN���M��\Microsoft-Windows-Kernel-LiveDump/Analytic`Microsoft-Windows-Kernel-LiveDump/OperationalMAPS�L�VMAPD������		,Io:Livedump.CalloutTTBL�LTEMPT��NI!���]=`Qٵ������D�	EventDataA��C�oData+K�NameControlFlags

A��I�oData1K�NameAddPagesControl



��

�� ControlFlags$AddPagesControlTEMP 

��`�<8[�Z7~+�'7�����D�	EventDataA��;�oData#K�NameNTStatus
A��C�oData+K�NameBugcheckCode
A��O�oData7K�NameBugCheckParameter1
A��O�oData7K�NameBugCheckParameter2
A��O�oData7K�NameBugCheckParameter3
A��O�oData7K�NameBugCheckParameter4
A��U�oData=K�NameAbortIfMemoryPressure
A��W�oData?K�NameDumpCaptureDuration_ms

A��E�oData-K�Name
SelectiveDump
A��g�oDataOK�NameDynamicLowMemoryThresholdBytes
	
A��g�oDataOK�NameAvailablePhysicalMemoryInBytes

A��_�oDataGK�NameTotalPhysicalMemoryInBytes

A��G�oData/K�NameIOSpaceEnabled

��� �L�x�����

�4�

T�

��

��

�NTStatus BugcheckCode,BugCheckParameter1,BugCheckParameter2,BugCheckParameter3,BugCheckParameter40AbortIfMemoryPressure4DumpCaptureDuration_ms SelectiveDumpDDynamicLowMemoryThresholdBytesDAvailablePhysicalMemoryInBytes<TotalPhysicalMemoryInBytes$IOSpaceEnabledTEMPX@�E���*S\=Pu�����D�	EventDataA��q�oDataYK�Name#NtEstimatedRequiredPrimaryDataBytes

A��a�oDataIK�NameNtEstimatedPrimaryDataBytes

A��a�oDataIK�NameHvEstimatedPrimaryDataBytes

A��e�oDataMK�NameHvEstimatedSecondaryDataBytes



��

��

�

T�LNtEstimatedRequiredPrimaryDataBytes<NtEstimatedPrimaryDataBytes<HvEstimatedPrimaryDataBytes@HvEstimatedSecondaryDataBytesTEMP�����aʞ_�Y��r�Ҁ���D�	EventDataA��q�oDataYK�Name#NtEstimatedRequiredPrimaryDataBytes

A��a�oDataIK�NameNtEstimatedPrimaryDataBytes

A��a�oDataIK�NameHvEstimatedPrimaryDataBytes

A��e�oDataMK�NameHvEstimatedSecondaryDataBytes

A��a�oDataIK�NameSkEstimatedPrimaryDataBytes

A��a�oDataIK�NameMemoryEstimationDuration_ms

A��]�oDataEK�NameSystemQuiescedDuration_ms

A��e�oDataMK�NameEndMirroringPhasesDuration_ms

A��i�oDataQK�NameMirrorPhysicalMemoryDuration_ms

A��i�oDataQK�NameMirrorPhysicalMemorySizeInBytes
	
A��q�oDataYK�Name#HvlCalculateLiveDumpSizeDuration_ms



l�

��

��

0�

p�

��

��

 �

`�

��

��LNtEstimatedRequiredPrimaryDataBytes<NtEstimatedPrimaryDataBytes<HvEstimatedPrimaryDataBytes@HvEstimatedSecondaryDataBytes<SkEstimatedPrimaryDataBytes<MemoryEstimationDuration_ms8SystemQuiescedDuration_ms@EndMirroringPhasesDuration_msDMirrorPhysicalMemoryDuration_msDMirrorPhysicalMemorySizeInBytesLHvlCalculateLiveDumpSizeDuration_msTEMP��e����[�$`����� D�	EventDataA��O�oData7K�NameNtPrimaryDataBytes

A��O�oData7K�NameHvPrimaryDataBytes

A��S�oData;K�NameHvSecondaryDataBytes



��

��

�,NtPrimaryDataBytes,HvPrimaryDataBytes0HvSecondaryDataBytesTEMP$T�L����[�^暔��:����D�	EventDataA��O�oData7K�NameNtPrimaryDataBytes

A��O�oData7K�NameHvPrimaryDataBytes

A��S�oData;K�NameHvSecondaryDataBytes

A��O�oData7K�NameSkPrimaryDataBytes

A��g�oDataOK�NameAllocateDumpBuffersDuration_ms

A��i�oDataQK�NameAllocateExtraBuffersDuration_ms

A��y�oDataaK�Name'HvlPrepareLivedumpDescriptorDuration_ms



��

�

8�

h�

��

��

�,NtPrimaryDataBytes,HvPrimaryDataBytes0HvSecondaryDataBytes,SkPrimaryDataBytesDAllocateDumpBuffersDuration_msDAllocateExtraBuffersDuration_msTHvlPrepareLivedumpDescriptorDuration_msTEMPl��_M3���+Yٺ_�Õ)m���D�	EventDataA��;�oData#K�NameNTStatus
A��?�oData'K�Name
TotalBytes

A��A�oData)K�NameHeaderBytes

A��K�oData3K�NamePrimaryDataBytes

A��O�oData7K�NameSecondaryDataBytes

A��S�oData;K�NameDumpWriteDuration_ms

�

 �

<�

X�

��

��NTStatusTotalBytesHeaderBytes(PrimaryDataBytes,SecondaryDataBytes0DumpWriteDuration_msTEMP����8 Q��C�Y�]���pD�	EventDataA��O�oData7K�NameCallbackIdentifier
��,CallbackIdentifierTEMPT��B|�SUY҂K$���+���D�	EventDataA��O�oData7K�NameCallbackIdentifier
A��;�oData#K�NameNTStatus
����,CallbackIdentifierNTStatusTEMPh

`�ٮ:��&�\xmT˱�����D�	EventDataA��O�oData7K�NameEstimatedPageCount

A��O�oData7K�NameAllocatedPageCount

A��w�oData_K�Name&VMMemoryPartitionIOSpaceAllocatedPages

A��i�oDataQK�NameVMMemoryPartitionAllocatedPages

A��s�oData[K�Name$SystemPartitionIOSpaceAllocatedPages

A��e�oDataMK�NameSystemPartitionAllocatedPages

A��M�oData5K�NameLimitDumpFileSize
A��[�oDataCK�NameDumpFileSizeLimitInBytes

A��[�oDataCK�NameDumpFileSizeLimitReached
A��_�oDataGK�NameAbortWhileBufferAllocation
	

(�

T�

��

��

�

h���

���@�,EstimatedPageCount,AllocatedPageCountTVMMemoryPartitionIOSpaceAllocatedPagesDVMMemoryPartitionAllocatedPagesPSystemPartitionIOSpaceAllocatedPages@SystemPartitionAllocatedPages(LimitDumpFileSize8DumpFileSizeLimitInBytes8DumpFileSizeLimitReached<AbortWhileBufferAllocationTEMP��>c'�޽XS떂7�r���\D�	EventDataA��;�oData#K�NameNTStatus
 �NTStatusTEMP���>c'�޽XS떂7�r���\D�	EventDataA��;�oData#K�NameNTStatus
��NTStatusTEMP���>c'�޽XS떂7�r���\D�	EventDataA��;�oData#K�NameNTStatus
��NTStatusTEMP�H��RT���C^�Q5�q���bD�	EventDataA��A�oData)K�NameDuration_ms



\�Duration_msTEMP8�Q=Ȋ��YO)�TMa���D�	EventDataA��i�oDataQK�NameMarkRequiredDumpDataDuration_ms



L�DMarkRequiredDumpDataDuration_msTEMPP�Ѧ��YX�-O�p����D�	EventDataA��k�oDataSK�Name MarkImportantDumpDataDuration_ms



d�HMarkImportantDumpDataDuration_msTEMP��*E�I��S}�A��Y~���D�	EventDataA��k�oDataSK�Name PopulateBitmapForDumpDuration_ms

A��s�oData[K�Name$RemoveSystemCacheFromDumpDuration_ms



�

X�HPopulateBitmapForDumpDuration_msPRemoveSystemCacheFromDumpDuration_msTEMP�@��RT���C^�Q5�q���bD�	EventDataA��A�oData)K�NameDuration_ms



T�Duration_msTEMP T�g�C����P��=�`��4���D�	EventDataA��M�oData5K�NameCorralDuration_ms

A��c�oDataKK�NameDisableInterruptsDuration_ms

A��g�oDataOK�NameSaveSupervisorStateDuration_ms

A��c�oDataKK�NameSuspendClockTimerDuration_ms



��

�

�

P�(CorralDuration_ms@DisableInterruptsDuration_msDSaveSupervisorStateDuration_ms@SuspendClockTimerDuration_msTEMP(|��Q��VˡW�k؄'T8S���D�	EventDataA��Q�oData9K�NameUncorralDuration_ms

A��a�oDataIK�NameEnableInterruptsDuration_ms

A��m�oDataUK�Name!RestoreSupervisorStateDuration_ms

A��a�oDataIK�NameResumeClockTimerDuration_ms



�

��

4�

|�,UncorralDuration_ms<EnableInterruptsDuration_msHRestoreSupervisorStateDuration_ms<ResumeClockTimerDuration_msTEMP|��[+b
_]�#xК�C��D�	EventDataA��[�oDataCK�NameMemoryCaptureDuration_ms

A��]�oDataEK�NameSystemQuiescedDuration_ms

A��e�oDataMK�NameEndMirroringPhasesDuration_ms

A��i�oDataQK�NameMirrorPhysicalMemoryDuration_ms

A��i�oDataQK�NameMirrorPhysicalMemorySizeInBytes

A��e�oDataMK�NameHvlCollectLivedumpDuration_ms

A��c�oDataKK�NameDumpDataBufferingDuration_ms



|

�

�

,

p

�

�8MemoryCaptureDuration_ms8SystemQuiescedDuration_ms@EndMirroringPhasesDuration_msDMirrorPhysicalMemoryDuration_msDMirrorPhysicalMemorySizeInBytes@HvlCollectLivedumpDuration_ms@DumpDataBufferingDuration_msTEMPL�Rt��S��t�������D�	EventDataA��;�oData#K�NameNTStatus
A��K�oData3K�NameMirrorInProgress

@

XNTStatus(MirrorInProgressTEMP��.���\�x�XZ_CN��fD�	EventDataA��E�oData-K�Name
OperationType
0 OperationTypeTEMP4(�2ig�8�\���'���d���D�	EventDataA��A�oData)K�NamePolicyValue
A��;�oData#K�NameNTStatus
PlPolicyValueNTStatusTEMP�	���HS�ga=F�,���bD�	EventDataA��A�oData)K�NamePolicyValue
0	PolicyValueTEMP$
�T5�
��\��F*�A����D�	EventDataA��9�oData!K�NameCallout
A��;�oData#K�NameIncluded

L�D


X
CalloutIncludedTEMP�>c'�޽XS떂7�r���\D�	EventDataA��;�oData#K�NameNTStatus
NTStatusTEMPl	�2	��([�P�Rޠ���lD�	EventDataA��[�oDataCK�NameLiveDumpEventDescription
A��G�oData/K�NameParameter1Name
A��I�oData1K�NameParameter1Value

A��G�oData/K�NameParameter2Name
A��I�oData1K�NameParameter2Value

A��G�oData/K�NameParameter3Name
A��I�oData1K�NameParameter3Value

A��G�oData/K�NameParameter4Name
A��I�oData1K�NameParameter4Value

A��G�oData/K�NameParameter5Name
	A��I�oData1K�NameParameter5Value

A��G�oData/K�NameParameter6Name
A��I�oData1K�NameParameter6Value

A��G�oData/K�NameParameter7Name

A��I�oData1K�NameParameter7Value

A��G�oData/K�NameParameter8Name
A��I�oData1K�NameParameter8Value

 X

|�

��

0

Tx

��

�

,P

t8LiveDumpEventDescription$Parameter1Name$Parameter1Value$Parameter2Name$Parameter2Value$Parameter3Name$Parameter3Value$Parameter4Name$Parameter4Value$Parameter5Name$Parameter5Value$Parameter6Name$Parameter6Value$Parameter7Name$Parameter7Value$Parameter8Name$Parameter8ValuePRVAX�Microsoft-Windows-Kernel-LiveDumpOPCO�1d
c|d�e�
f�gh8idj�k�l�mv8w`}�������8�h�� ��!��"� #�X$��%��&�'�T(��win:InfoAPIStartAPIEnd8WriteDumpDataToFileStart4WriteDumpDataToFileEnd$MirroringStart,MirroringPhase0End,MirroringPhase1End,SystemQuiesceStart(SystemQuiesceEnd,PageBufferingStart(PageBufferingEnd(BufferEstimation(BufferAllocationRemovePages4CaptureProcessorContext0MarkRequiredDumpData0MarkImportantDumpData0PopulateBitmapForDump8GenerateIptSecondaryData(CorralProcessors,UncorralProcessors,CaptureMemoryPages8MmDuplicateMemoryFailureDLiveDumpPolicyOperationFailure<LiveDumpPolicyValueChangedDLiveDumpDisabledOnBootByPolicy8DisableIOSpaceUtilization4LiveDumpFeatureCalloutLHvlPrepareLivedumpDescriptorFailureLEVL@P�(win:InformationalTASK`N�OP@Q�R��48LIVEDUMP_TASK_CAPTURE_API@LIVEDUMP_TASK_SIZING_WORKFLOWPLIVEDUMP_TASK_CAPTURE_PAGES_WORKFLOWPLIVEDUMP_TASK_WRITE_DEFERRED_DATA_APITLIVEDUMP_TASK_DISCARD_DEFERRED_DATA_API@LIVEDUMP_TASK_LIVEDUMP_POLICYKEYWEVNTP<
�_��� `�@`�� p�@a � p�
@bp�,� p��~�� `�@�,��<p�e@S8�<p�f�TD�<`�g�UP�<`�h@V\�<p�i@Wh�<p�j@t<���<p�j@�����<p�k@u4���<p�k@�L���<p�l�x��<`�m�y��<`�n�z����<`�o�{����<`�p�|����<`�q@����<p�r@�|���<p�s@�8���<p�t@�����<p�u������<`�v��x���<`�w������<`�x������<`�y��p���<`�z ������<`�{"@�4�<p�|&@�@�<p�}'@�L	L�<p�~(@�p
X�<p���X8�X`���YD�X`���ZP�X`��@[\�Xp��@\h�Xp��@]t�Xp��@^��Xp��������X`����x���X`��������X`��������X`��������X`����p���X`�� ������X`��!@����Xp��"@�4�Xp��'@�L	L�Xp��
�n�t`��@o��tp��@p �tp��
@qp�,�tp��
�r��`��@s���p�#@����p�$@�P(��p�%@��4��p�WEVT*
9�9�9�9::TTBL	TEMP��*I��,c_����v�N��`D�	EventDataA��?�oData'K�Name
ReturnCode
�*ReturnCodeTEMPd�+�y�i,UTu�j������D�	EventDataA��S�oData;K�NameNotifyRoutineAddress
A��?�oData'K�Name
ReturnCode
,0,0NotifyRoutineAddressReturnCodeTEMPL0-=�R�ӛT9����F���D�	EventDataA��I�oData1K�NameTargetProcessId
A��?�oData'K�Name
ReturnCode
X-|-$TargetProcessIdReturnCodeTEMP�</ݠ�g�U��B�}�����pD�	EventDataA��I�oData1K�NameTargetProcessId
A��?�oData'K�Name
ReturnCode
A��U�oData=K�NameTargetProcessStartKey

A��]�oDataEK�NameTargetProcessCreationTime
�/�/

�/�/$TargetProcessIdReturnCode0TargetProcessStartKey8TargetProcessCreationTimeTEMP�d12�l�l9Q+Y�%�6����D�	EventDataA��I�oData1K�NameTargetProcessId
A��E�oData-K�Name
DesiredAccess
A��?�oData'K�Name
ReturnCode
�1�1�1$TargetProcessId DesiredAccessReturnCodeTEMPT�3��v"�\�[�R=����JD�	EventDataA��I�oData1K�NameTargetProcessId
A��G�oData/K�NameTargetThreatId
A��E�oData-K�Name
DesiredAccess
A��?�oData'K�Name
ReturnCode
�3�3484$TargetProcessId$TargetThreatId DesiredAccessReturnCodeTEMP<05�(�FG�\�\9����I���D�	EventDataA��?�oData'K�Name
DriverName
A��?�oData'K�Name
ReturnCode
X5t5DriverNameReturnCodeTEMP<l6�(�FG�\�\9����I���D�	EventDataA��?�oData'K�Name
DriverName
A��?�oData'K�Name
ReturnCode
�6�6DriverNameReturnCodeTEMPPH8NV���]ۏ�WD�{��HD�	EventDataA��G�oData/K�NameLinkSourceName
A��G�oData/K�NameLinkTargetName
A��E�oData-K�Name
DesiredAccess
A��?�oData'K�Name
ReturnCode
�8�8�89$LinkSourceName$LinkTargetName DesiredAccessReturnCodePRVAh09Microsoft-Windows-Kernel-Audit-API-CallsOPCO01�9win:InfoLEVL@P�9(win:InformationalTASKKEYWEVNT�	�����*�9�9����L,�9�9�����-�9�9�����6�9�9����$*�9�9����40�9�9����2�9�9����T4�9�9�����5�9�9WEVT0x <|<
�=>D>x>�>�>CHAN\L<	�h<�ApplicationSystemTTBLLTEMP@h=-�v6R�^l/{/!�I���D�	EventDataA��5�oDataK�NameCVEID
A��M�oData5K�NameAdditionalDetails
�=�=CVEID(AdditionalDetailsPRVAL�=Microsoft-Windows-Audit-CVEOPCO01,>win:InfoLEVL4P\>win:WarningTASKKEYWEVNTp	��< >P>,<@�< >P><<WEVT�H?
@l@x@�@�@�@TTBL�TEMP��??~�v|�Uj��]�4���^D�	EventDataA��=�oData%K�Name	ErrorCode
�?ErrorCodePRVAX(@Microsoft-Windows-User-DiagnosticOPCOLEVL4P�@win:WarningTASKKEYWEVNT@����T?�@WEVTh@PA
xE�E�E�E�EFTTBL(TEMP�C�]@Zl�_k�3�8�2����D�	EventDataA��S�oData;K�NameHeapSnapshotInstance
A��S�oData;K�NameHeapSnapshotSequence
A��U�oData=K�NameHeapSnapshotBufferLen
A��O�oData7K�NameHeapSnapshotBuffer
`C�C�C�C0HeapSnapshotInstance0HeapSnapshotSequence0HeapSnapshotBufferLen,HeapSnapshotBufferTEMP\E�@�
D�WP�+��;����D�	EventDataA��S�oData;K�NameHeapSnapshotInstance
A��=�oData%K�Name	TotalData
0E`E0HeapSnapshotInstanceTotalDataPRVAT�EMicrosoft-Windows-Heap-SnapshotOPCOLEVLTASKKEYWEVNTpd����\A�����DWEVT@�l	�F�G(J
�����\�����CHAN��Fm\GnhMicrosoft-Windows-Security-Mitigations/KernelModedMicrosoft-Windows-Security-Mitigations/UserModeMAPSh`H<HH�GVMAP4�I����VMAP,�I���VMAP$I��VMAP|H��ControlProtectionKernelModeReturnMismatchNonenforcementReasonMap�ControlProtectionUserModeReturnMismatchNonenforcementReasonMap@RedirectionTrustPolicyTypeMap`SetContextIpValidationFailureContinueTypeMapTTBLl�TEMP��N!�^��[��I���`���tD�	EventDataA��M�oData5K�NameProcessPathLength
A��A�oData)K�NameProcessPath
A��[�oDataCK�NameProcessCommandLineLength
A��O�oData7K�NameProcessCommandLine
A��K�oData3K�NameCallingProcessId
A��[�oDataCK�NameCallingProcessCreateTime
A��W�oData?K�NameCallingProcessStartKey

A��c�oDataKK�NameCallingProcessSignatureLevel
A��q�oDataYK�Name#CallingProcessSectionSignatureLevel
A��[�oDataCK�NameCallingProcessProtection
	A��I�oData1K�NameCallingThreadId
A��Y�oDataAK�NameCallingThreadCreateTime
�O�OPHPtP�P

�PQHQ�Q�Q�Q(ProcessPathLengthProcessPath8ProcessCommandLineLength,ProcessCommandLine(CallingProcessId8CallingProcessCreateTime4CallingProcessStartKey@CallingProcessSignatureLevelLCallingProcessSectionSignatureLevel8CallingProcessProtection$CallingThreadId4CallingThreadCreateTimeTEMPh
4X�2�4��oQlW�����D�	EventDataA��M�oData5K�NameProcessPathLength
A��A�oData)K�NameProcessPath
A��[�oDataCK�NameProcessCommandLineLength
A��O�oData7K�NameProcessCommandLine
A��K�oData3K�NameCallingProcessId
A��[�oDataCK�NameCallingProcessCreateTime
A��W�oData?K�NameCallingProcessStartKey

A��c�oDataKK�NameCallingProcessSignatureLevel
A��q�oDataYK�Name#CallingProcessSectionSignatureLevel
A��[�oDataCK�NameCallingProcessProtection
	A��I�oData1K�NameCallingThreadId
A��Y�oDataAK�NameCallingThreadCreateTime
A��[�oDataCK�NameChildImagePathNameLength
A��O�oData7K�NameChildImagePathName

A��W�oData?K�NameChildCommandLineLength
A��K�oData3K�NameChildCommandLine
tY�Y�Y�YZDZ

|Z�Z�Z<[t[�[�[\0\d\(ProcessPathLengthProcessPath8ProcessCommandLineLength,ProcessCommandLine(CallingProcessId8CallingProcessCreateTime4CallingProcessStartKey@CallingProcessSignatureLevelLCallingProcessSectionSignatureLevel8CallingProcessProtection$CallingThreadId4CallingThreadCreateTime8ChildImagePathNameLength,ChildImagePathName4ChildCommandLineLength(ChildCommandLineTEMP4pa��O�	��X�s���Ɏ����D�	EventDataA��M�oData5K�NameProcessPathLength
A��A�oData)K�NameProcessPath
A��[�oDataCK�NameProcessCommandLineLength
A��O�oData7K�NameProcessCommandLine
A��=�oData%K�Name	ProcessId
A��M�oData5K�NameProcessCreateTime
A��I�oData1K�NameProcessStartKey

A��U�oData=K�NameProcessSignatureLevel
A��c�oDataKK�NameProcessSectionSignatureLevel
A��M�oData5K�NameProcessProtection
	A��G�oData/K�NameTargetThreadId
A��W�oData?K�NameTargetThreadCreateTime
A��I�oData1K�NameImageNameLength
A��=�oData%K�Name	ImageName

�b�b�bc0cHc

pc�c�cd,dPd�d�d(ProcessPathLengthProcessPath8ProcessCommandLineLength,ProcessCommandLineProcessId(ProcessCreateTime$ProcessStartKey0ProcessSignatureLevel@ProcessSectionSignatureLevel(ProcessProtection$TargetThreadId4TargetThreadCreateTime$ImageNameLengthImageNameTEMP`	Pjkh�
��U�P�	Q���\D�	EventDataA��M�oData5K�NameProcessPathLength
A��A�oData)K�NameProcessPath
A��[�oDataCK�NameProcessCommandLineLength
A��O�oData7K�NameProcessCommandLine
A��=�oData%K�Name	ProcessId
A��M�oData5K�NameProcessCreateTime
A��I�oData1K�NameProcessStartKey

A��U�oData=K�NameProcessSignatureLevel
A��c�oDataKK�NameProcessSectionSignatureLevel
A��M�oData5K�NameProcessProtection
	A��G�oData/K�NameTargetThreadId
A��W�oData?K�NameTargetThreadCreateTime
A��W�oData?K�NameRequiredSignatureLevel
A��G�oData/K�NameSignatureLevel

A��I�oData1K�NameImageNameLength
A��=�oData%K�Name	ImageName
�k�k�kl8lPl

xl�l�lm4mXm�m�m�mn(ProcessPathLengthProcessPath8ProcessCommandLineLength,ProcessCommandLineProcessId(ProcessCreateTime$ProcessStartKey0ProcessSignatureLevel@ProcessSectionSignatureLevel(ProcessProtection$TargetThreadId4TargetThreadCreateTime4RequiredSignatureLevel$SignatureLevel$ImageNameLengthImageNameTEMP�q�H@9�^
��M|6����D�	EventDataA��9�oData!K�NameSubcode
A��A�oData)K�NameProcessPath
A��=�oData%K�Name	ProcessId
A��G�oData/K�NameModuleFullPath
A��?�oData'K�Name
ModuleBase
A��E�oData-K�Name
ModuleAddress
A��?�oData'K�Name
MemAddress
A��M�oData5K�NameMemModuleFullPath
A��E�oData-K�Name
MemModuleBase
A��9�oData!K�NameAPIName
	A��K�oData3K�NameProcessStartTime
A��;�oData#K�NameThreadId
�r�r�rs0sLsls�s�s�s�stSubcodeProcessPathProcessId$ModuleFullPathModuleBase ModuleAddressMemAddress(MemModuleFullPath MemModuleBaseAPIName(ProcessStartTimeThreadIdTEMP@�w&R��Tv)b�s�E���D�	EventDataA��9�oData!K�NameSubcode
A��A�oData)K�NameProcessPath
A��=�oData%K�Name	ProcessId
A��=�oData%K�Name	HookedAPI
A��E�oData-K�Name
ReturnAddress
A��E�oData-K�Name
CalledAddress
A��E�oData-K�Name
TargetAddress
A��C�oData+K�NameStackAddress
A��C�oData+K�NameFrameAddress
A��a�oDataIK�NameReturnAddressModuleFullPath
	A��K�oData3K�NameProcessStartTime
A��;�oData#K�NameThreadId
�x�xy0yHyhy�y�y�y�y$zLzSubcodeProcessPathProcessIdHookedAPI ReturnAddress CalledAddress TargetAddress StackAddress FrameAddress<ReturnAddressModuleFullPath(ProcessStartTimeThreadIdTEMP��T�.�߸S���Л����D�	EventDataA��M�oData5K�NameProcessPathLength
A��A�oData)K�NameProcessPath
A��[�oDataCK�NameProcessCommandLineLength
A��O�oData7K�NameProcessCommandLine
A��=�oData%K�Name	ProcessId
A��M�oData5K�NameProcessCreateTime
A��I�oData1K�NameProcessStartKey

A��U�oData=K�NameProcessSignatureLevel
A��c�oDataKK�NameProcessSectionSignatureLevel
A��M�oData5K�NameProcessProtection
	A��[�oDataCK�NameControlPcImageNameLength
A��O�oData7K�NameControlPcImageName
A��_�oDataGK�NameRspContentsImageNameLength
A��S�oData;K�NameRspContentsImageName

����܀�@�X�

����ԁ�<�
t���܂(ProcessPathLengthProcessPath8ProcessCommandLineLength,ProcessCommandLineProcessId(ProcessCreateTime$ProcessStartKey0ProcessSignatureLevel@ProcessSectionSignatureLevel(ProcessProtection8ControlPcImageNameLength,ControlPcImageName<RspContentsImageNameLength0RspContentsImageNameTEMP 	p��TA*�WVԳ������.D�	EventDataA��M�oData5K�NameProcessPathLength
A��A�oData)K�NameProcessPath
A��[�oDataCK�NameProcessCommandLineLength
A��O�oData7K�NameProcessCommandLine
A��=�oData%K�Name	ProcessId
A��M�oData5K�NameProcessCreateTime
A��I�oData1K�NameProcessStartKey

A��U�oData=K�NameProcessSignatureLevel
A��c�oDataKK�NameProcessSectionSignatureLevel
A��M�oData5K�NameProcessProtection
	A��[�oDataCK�NameControlPcImageNameLength
A��O�oData7K�NameControlPcImageName
A��_�oDataGK�NameRspContentsImageNameLength
A��S�oData;K�NameRspContentsImageName

A��?�oData'K�Name
StrictMode

��ĉ��D�\�

����؊�@�
x����

�(ProcessPathLengthProcessPath8ProcessCommandLineLength,ProcessCommandLineProcessId(ProcessCreateTime$ProcessStartKey0ProcessSignatureLevel@ProcessSectionSignatureLevel(ProcessProtection8ControlPcImageNameLength,ControlPcImageName<RspContentsImageNameLength0RspContentsImageNameStrictModeTEMP�
D�)��ҵS�̶T��oz���D�	EventDataA��M�oData5K�NameProcessPathLength
A��A�oData)K�NameProcessPath
A��[�oDataCK�NameProcessCommandLineLength
A��O�oData7K�NameProcessCommandLine
A��=�oData%K�Name	ProcessId
A��M�oData5K�NameProcessCreateTime
A��I�oData1K�NameProcessStartKey

A��U�oData=K�NameProcessSignatureLevel
A��c�oDataKK�NameProcessSectionSignatureLevel
A��M�oData5K�NameProcessProtection
	A��[�oDataCK�NameControlPcImageNameLength
A��O�oData7K�NameControlPcImageName
A��_�oDataGK�NameRspContentsImageNameLength
A��S�oData;K�NameRspContentsImageName

A��?�oData'K�Name
StrictMode

A��Y�oDataAK�NameUserCetAppcompatOptions
A��S�oData;K�NameNonenforcementReason
A��K�oData3K�NameControlPcAddress
A��I�oData1K�NameControlPcOffset
A��O�oData7K�NameControlPcCetCompat

A��O�oData7K�NameRspContentsAddress
A��M�oData5K�NameRspContentsOffset
A��S�oData;K�NameRspContentsCetCompat

�8�T�����Ж

���L�����
��T�

����<HԘ�,�

P�|���

Й(ProcessPathLengthProcessPath8ProcessCommandLineLength,ProcessCommandLineProcessId(ProcessCreateTime$ProcessStartKey0ProcessSignatureLevel@ProcessSectionSignatureLevel(ProcessProtection8ControlPcImageNameLength,ControlPcImageName<RspContentsImageNameLength0RspContentsImageNameStrictMode4UserCetAppcompatOptions0NonenforcementReason(ControlPcAddress$ControlPcOffset,ControlPcCetCompat,RspContentsAddress(RspContentsOffset0RspContentsCetCompatTEMP

���2�q��\*n�kj8׃��pD�	EventDataA��M�oData5K�NameProcessPathLength
A��A�oData)K�NameProcessPath
A��[�oDataCK�NameProcessCommandLineLength
A��O�oData7K�NameProcessCommandLine
A��=�oData%K�Name	ProcessId
A��M�oData5K�NameProcessCreateTime
A��I�oData1K�NameProcessStartKey

A��U�oData=K�NameProcessSignatureLevel
A��c�oDataKK�NameProcessSectionSignatureLevel
A��M�oData5K�NameProcessProtection
	l�������,�

T�x����(ProcessPathLengthProcessPath8ProcessCommandLineLength,ProcessCommandLineProcessId(ProcessCreateTime$ProcessStartKey0ProcessSignatureLevel@ProcessSectionSignatureLevel(ProcessProtectionTEMP<��Ai�ui�S�xH�n^���D�	EventDataA��M�oData5K�NameProcessPathLength
A��A�oData)K�NameProcessPath
A��[�oDataCK�NameProcessCommandLineLength
A��O�oData7K�NameProcessCommandLine
A��=�oData%K�Name	ProcessId
A��M�oData5K�NameProcessCreateTime
A��I�oData1K�NameProcessStartKey

A��U�oData=K�NameProcessSignatureLevel
A��c�oDataKK�NameProcessSectionSignatureLevel
A��M�oData5K�NameProcessProtection
	A��Y�oDataAK�NameTargetIpImageNameLength
A��M�oData5K�NameTargetIpImageName
A��?�oData'K�Name
StrictMode

A��C�oData+K�NameContinueType

�8�T�����Ц

���L�����
�

��G,�(ProcessPathLengthProcessPath8ProcessCommandLineLength,ProcessCommandLineProcessId(ProcessCreateTime$ProcessStartKey0ProcessSignatureLevel@ProcessSectionSignatureLevel(ProcessProtection4TargetIpImageNameLength(TargetIpImageNameStrictMode ContinueTypeTEMP0	�����W��Q��~�0���<D�	EventDataA��M�oData5K�NameProcessPathLength
A��A�oData)K�NameProcessPath
A��[�oDataCK�NameProcessCommandLineLength
A��O�oData7K�NameProcessCommandLine
A��=�oData%K�Name	ProcessId
A��M�oData5K�NameProcessCreateTime
A��I�oData1K�NameProcessStartKey

A��U�oData=K�NameProcessSignatureLevel
A��c�oDataKK�NameProcessSectionSignatureLevel
A��M�oData5K�NameProcessProtection
	A��U�oData=K�NameMappedImageNameLength
A��I�oData1K�NameMappedImageName
A��]�oDataEK�NameImageCetShadowStacksReady

A��i�oDataQK�NameImageEHContinuationTablePresent


A��E�oData-K�Name
NonEhcontMode

��,�d�����

Я�$�d���
��

�

�

\�(ProcessPathLengthProcessPath8ProcessCommandLineLength,ProcessCommandLineProcessId(ProcessCreateTime$ProcessStartKey0ProcessSignatureLevel@ProcessSectionSignatureLevel(ProcessProtection0MappedImageNameLength$MappedImageName8ImageCetShadowStacksReadyDImageEHContinuationTablePresent NonEhcontModeTEMP..<����kgW�Q�(�
ozS���
D�	EventDataA��M�oData5K�NameProcessPathLength
A��A�oData)K�NameProcessPath
A��[�oDataCK�NameProcessCommandLineLength
A��O�oData7K�NameProcessCommandLine
A��=�oData%K�Name	ProcessId
A��M�oData5K�NameProcessCreateTime
A��I�oData1K�NameProcessStartKey

A��U�oData=K�NameProcessSignatureLevel
A��c�oDataKK�NameProcessSectionSignatureLevel
A��M�oData5K�NameProcessProtection
	A��I�oData1K�NameRedirectionType
A��Q�oData9K�NameOperationPathLength
A��E�oData-K�Name
OperationPath
A��E�oData-K�Name
Impersonating


A��9�oData!K�NameModule1
A��E�oData-K�Name
Module1Offset

A��9�oData!K�NameModule2
A��E�oData-K�Name
Module2Offset

A��9�oData!K�NameModule3
A��E�oData-K�Name
Module3Offset

A��9�oData!K�NameModule4
A��E�oData-K�Name
Module4Offset

A��9�oData!K�NameModule5
A��E�oData-K�Name
Module5Offset

A��9�oData!K�NameModule6
A��E�oData-K�Name
Module6Offset

A��9�oData!K�NameModule7
A��E�oData-K�Name
Module7Offset

A��9�oData!K�NameModule8
A��E�oData-K�Name
Module8Offset

A��9�oData!K�NameModule9
A��E�oData-K�Name
Module9Offset

A��;�oData#K�NameModule10
 A��G�oData/K�NameModule10Offset
!
A��;�oData#K�NameModule11
"A��G�oData/K�NameModule11Offset
#
A��;�oData#K�NameModule12
$A��G�oData/K�NameModule12Offset
%
A��;�oData#K�NameModule13
&A��G�oData/K�NameModule13Offset
'
A��;�oData#K�NameModule14
(A��G�oData/K�NameModule14Offset
)
A��;�oData#K�NameModule15
*A��G�oData/K�NameModule15Offset
+
A��;�oData#K�NameModule16
,A��G�oData/K�NameModule16Offset
-
�����P�|���

�����P�Hx�����

���

�<�

P�p�

����

����

���

 �@�

T�t�

����

����

���

0�T�

l���

����

���

 �D�

\�(ProcessPathLengthProcessPath8ProcessCommandLineLength,ProcessCommandLineProcessId(ProcessCreateTime$ProcessStartKey0ProcessSignatureLevel@ProcessSectionSignatureLevel(ProcessProtection$RedirectionType,OperationPathLength OperationPath ImpersonatingModule1 Module1OffsetModule2 Module2OffsetModule3 Module3OffsetModule4 Module4OffsetModule5 Module5OffsetModule6 Module6OffsetModule7 Module7OffsetModule8 Module8OffsetModule9 Module9OffsetModule10$Module10OffsetModule11$Module11OffsetModule12$Module12OffsetModule13$Module13OffsetModule14$Module14OffsetModule15$Module15OffsetModule16$Module16OffsetTEMP

D��hb|oSU?Gޗr�Ke���D�	EventDataA��[�oDataCK�NameControlPcImageNameLength
A��O�oData7K�NameControlPcImageName
A��_�oDataGK�NameRspContentsImageNameLength
A��S�oData;K�NameRspContentsImageName
A��S�oData;K�NameNonenforcementReason
A��K�oData3K�NameControlPcAddress
A��I�oData1K�NameControlPcOffset
A��O�oData7K�NameControlPcCetCompat

A��O�oData7K�NameRspContentsAddress
A��M�oData5K�NameRspContentsOffset
	A��S�oData;K�NameRspContentsCetCompat

A��[�oDataCK�NameShadowStackOverflowReset

A��=�oData%K�Name	ErrorCode
H�������`H�H�p�

������

�

D�|�8ControlPcImageNameLength,ControlPcImageName<RspContentsImageNameLength0RspContentsImageName0NonenforcementReason(ControlPcAddress$ControlPcOffset,ControlPcCetCompat,RspContentsAddress(RspContentsOffset0RspContentsCetCompat8ShadowStackOverflowResetErrorCodePRVAd��Microsoft-Windows-Security-MitigationsOPCOLEVLXP(�P@�win:Errorwin:WarningTASKX	����`�����������4����������������l�����������<�	������
����������H�������
����������l�����������T�����������H�`KERNEL_MITIGATION_TASK_PROHIBIT_DYNAMIC_CODEtKERNEL_MITIGATION_TASK_PROHIBIT_CHILD_PROCESS_CREATIONhKERNEL_MITIGATION_TASK_PROHIBIT_REMOTE_IMAGE_MAPdKERNEL_MITIGATION_TASK_PROHIBIT_LOWIL_IMAGE_MAPlKERNEL_MITIGATION_TASK_PROHIBIT_WIN32K_SYSTEM_CALLStKERNEL_MITIGATION_TASK_PROHIBIT_NON_MICROSOFT_BINARIES\USER_MITIGATION_TASK_EXPORT_ADDRESS_FILTERdUSER_MITIGATION_TASK_EXPORT_ADDRESS_FILTER_PLUS\USER_MITIGATION_TASK_IMPORT_ADDRESS_FILTERLUSER_MITIGATION_TASK_ROP_STACKPIVOTPUSER_MITIGATION_TASK_ROP_CALLERCHECKHUSER_MITIGATION_TASK_ROP_SIMEXEC�KERNEL_MITIGATION_TASK_CONTROL_PROTECTION_USER_MODE_RETURN_MISMATCH�KERNEL_MITIGATION_TASK_USER_CET_SET_CONTEXT_IP_VALIDATION_FAILURE`KERNEL_MITIGATION_TASK_BLOCK_NON_CET_BINARIESdKERNEL_MITIGATION_TASK_REDIRECTION_TRUST_POLICY�KERNEL_MITIGATION_TASK_CONTROL_PROTECTION_KERNEL_MODE_RETURN_MISMATCHlKERNEL_MITIGATION_TASK_PROHIBIT_FSCTL_SYSTEM_CALLSKEYWEVNT�*�o4Jh��F�p4J�h��F�q$R���F�r$R����F�s�\���F�t�\����F�u4J���F�v4J����F	�w4J���F
�x4J����F�y�d���F�z�d����F
@{ n��F@| n���F@{ n,��F@| n�,��F	@} nH��F	@~ n�H��F
@$td��F
@�$t�d��F@$t���F@�$t����F@$t���F@�$t����F
��dz����F
�������F
��,�����F
��dz����F
�������F
��,�����F�������F�������F�������F�������F��L�����F��L�����F��|����F ��|����F!�����(��F"�����(��F#��4JD��F$��4J�D��FWEVTx����
��	�	�	P�	4�	��	CHAN������dMicrosoft-Windows-Threat-Intelligence/AnalyticTTBL$�TEMP����@���%NX�{�{z����D�	EventDataA��K�oData3K�NameCallingProcessId
A��[�oDataCK�NameCallingProcessCreateTime
A��W�oData?K�NameCallingProcessStartKey

A��c�oDataKK�NameCallingProcessSignatureLevel
A��q�oDataYK�Name#CallingProcessSectionSignatureLevel
A��[�oDataCK�NameCallingProcessProtection
A��I�oData1K�NameCallingThreadId
A��Y�oDataAK�NameCallingThreadCreateTime
A��I�oData1K�NameTargetProcessId
A��Y�oDataAK�NameTargetProcessCreateTime
	A��U�oData=K�NameTargetProcessStartKey

A��a�oDataIK�NameTargetProcessSignatureLevel
A��o�oDataWK�Name"TargetProcessSectionSignatureLevel
A��Y�oDataAK�NameTargetProcessProtection

A��M�oData5K�NameOriginalProcessId
A��]�oDataEK�NameOriginalProcessCreateTime
A��Y�oDataAK�NameOriginalProcessStartKey

A��e�oDataMK�NameOriginalProcessSignatureLevel
A��s�oData[K�Name$OriginalProcessSectionSignatureLevel
A��]�oDataEK�NameOriginalProcessProtection
A��A�oData)K�NameBaseAddress
A��?�oData'K�Name
RegionSize
A��G�oData/K�NameAllocationType
A��G�oData/K�NameProtectionMask
����

��,�l������H�l�

�����X�����

�� �`������ �D�(CallingProcessId8CallingProcessCreateTime4CallingProcessStartKey@CallingProcessSignatureLevelLCallingProcessSectionSignatureLevel8CallingProcessProtection$CallingThreadId4CallingThreadCreateTime$TargetProcessId4TargetProcessCreateTime0TargetProcessStartKey<TargetProcessSignatureLevelLTargetProcessSectionSignatureLevel4TargetProcessProtection(OriginalProcessId8OriginalProcessCreateTime4OriginalProcessStartKey@OriginalProcessSignatureLevelPOriginalProcessSectionSignatureLevel8OriginalProcessProtectionBaseAddressRegionSize$AllocationType$ProtectionMaskTEMP����vPɡ$BS�-�Ա����D�	EventDataA��K�oData3K�NameCallingProcessId
A��[�oDataCK�NameCallingProcessCreateTime
A��W�oData?K�NameCallingProcessStartKey

A��c�oDataKK�NameCallingProcessSignatureLevel
A��q�oDataYK�Name#CallingProcessSectionSignatureLevel
A��[�oDataCK�NameCallingProcessProtection
A��I�oData1K�NameCallingThreadId
A��Y�oDataAK�NameCallingThreadCreateTime
A��I�oData1K�NameTargetProcessId
A��Y�oDataAK�NameTargetProcessCreateTime
	A��U�oData=K�NameTargetProcessStartKey

A��a�oDataIK�NameTargetProcessSignatureLevel
A��o�oDataWK�Name"TargetProcessSectionSignatureLevel
A��Y�oDataAK�NameTargetProcessProtection

A��M�oData5K�NameOriginalProcessId
A��]�oDataEK�NameOriginalProcessCreateTime
A��Y�oDataAK�NameOriginalProcessStartKey

A��e�oDataMK�NameOriginalProcessSignatureLevel
A��s�oData[K�Name$OriginalProcessSectionSignatureLevel
A��]�oDataEK�NameOriginalProcessProtection
A��A�oData)K�NameBaseAddress
A��?�oData'K�Name
RegionSize
A��G�oData/K�NameProtectionMask
A��O�oData7K�NameLastProtectionMask
|���

��P������,	P	

�	�	�	<	p	�	

�		D	�	�	�		(	(CallingProcessId8CallingProcessCreateTime4CallingProcessStartKey@CallingProcessSignatureLevelLCallingProcessSectionSignatureLevel8CallingProcessProtection$CallingThreadId4CallingThreadCreateTime$TargetProcessId4TargetProcessCreateTime0TargetProcessStartKey<TargetProcessSignatureLevelLTargetProcessSectionSignatureLevel4TargetProcessProtection(OriginalProcessId8OriginalProcessCreateTime4OriginalProcessStartKey@OriginalProcessSignatureLevelPOriginalProcessSectionSignatureLevel8OriginalProcessProtectionBaseAddressRegionSize$ProtectionMask,LastProtectionMaskTEMP��	fqХq'�\��
M���@D�	EventDataA��K�oData3K�NameCallingProcessId
A��[�oDataCK�NameCallingProcessCreateTime
A��W�oData?K�NameCallingProcessStartKey

A��c�oDataKK�NameCallingProcessSignatureLevel
A��q�oDataYK�Name#CallingProcessSectionSignatureLevel
A��[�oDataCK�NameCallingProcessProtection
A��I�oData1K�NameCallingThreadId
A��Y�oDataAK�NameCallingThreadCreateTime
A��I�oData1K�NameTargetProcessId
A��Y�oDataAK�NameTargetProcessCreateTime
	A��U�oData=K�NameTargetProcessStartKey

A��a�oDataIK�NameTargetProcessSignatureLevel
A��o�oDataWK�Name"TargetProcessSectionSignatureLevel
A��Y�oDataAK�NameTargetProcessProtection

A��M�oData5K�NameOriginalProcessId
A��]�oDataEK�NameOriginalProcessCreateTime
A��Y�oDataAK�NameOriginalProcessStartKey

A��e�oDataMK�NameOriginalProcessSignatureLevel
A��s�oData[K�Name$OriginalProcessSectionSignatureLevel
A��]�oDataEK�NameOriginalProcessProtection
A��A�oData)K�NameBaseAddress
A��?�oData'K�Name
RegionSize
A��G�oData/K�NameProtectionMask
A��O�oData7K�NameLastProtectionMask
A��K�oData3K�NameVaVadQueryResult
A��Q�oData9K�NameVaVadAllocationBase
A��W�oData?K�NameVaVadAllocationProtect
A��I�oData1K�NameVaVadRegionType
A��I�oData1K�NameVaVadRegionSize
A��I�oData1K�NameVaVadCommitSize
A��C�oData+K�NameVaVadMmfName
4	\	

�	�		T	�	�	�		

<	l	�	�	(	P	

�	�	�	L	�	�	�	�		4	`	�	�	�		(CallingProcessId8CallingProcessCreateTime4CallingProcessStartKey@CallingProcessSignatureLevelLCallingProcessSectionSignatureLevel8CallingProcessProtection$CallingThreadId4CallingThreadCreateTime$TargetProcessId4TargetProcessCreateTime0TargetProcessStartKey<TargetProcessSignatureLevelLTargetProcessSectionSignatureLevel4TargetProcessProtection(OriginalProcessId8OriginalProcessCreateTime4OriginalProcessStartKey@OriginalProcessSignatureLevelPOriginalProcessSectionSignatureLevel8OriginalProcessProtectionBaseAddressRegionSize$ProtectionMask,LastProtectionMask(VaVadQueryResult,VaVadAllocationBase4VaVadAllocationProtect$VaVadRegionType$VaVadRegionSize$VaVadCommitSize VaVadMmfNameTEMP�!!0#	���G�Y��L�Z_����D�	EventDataA��K�oData3K�NameCallingProcessId
A��[�oDataCK�NameCallingProcessCreateTime
A��W�oData?K�NameCallingProcessStartKey

A��c�oDataKK�NameCallingProcessSignatureLevel
A��q�oDataYK�Name#CallingProcessSectionSignatureLevel
A��[�oDataCK�NameCallingProcessProtection
A��I�oData1K�NameCallingThreadId
A��Y�oDataAK�NameCallingThreadCreateTime
A��I�oData1K�NameTargetProcessId
A��Y�oDataAK�NameTargetProcessCreateTime
	A��U�oData=K�NameTargetProcessStartKey

A��a�oDataIK�NameTargetProcessSignatureLevel
A��o�oDataWK�Name"TargetProcessSectionSignatureLevel
A��Y�oDataAK�NameTargetProcessProtection

A��M�oData5K�NameOriginalProcessId
A��]�oDataEK�NameOriginalProcessCreateTime
A��Y�oDataAK�NameOriginalProcessStartKey

A��e�oDataMK�NameOriginalProcessSignatureLevel
A��s�oData[K�Name$OriginalProcessSectionSignatureLevel
A��]�oDataEK�NameOriginalProcessProtection
A��A�oData)K�NameBaseAddress
A��?�oData'K�Name
RegionSize

A��G�oData/K�NameProtectionMask
A��O�oData7K�NameLastProtectionMask
A��K�oData3K�NameVaVadQueryResult
A��Q�oData9K�NameVaVadAllocationBase
A��W�oData?K�NameVaVadAllocationProtect
A��I�oData1K�NameVaVadRegionType
A��I�oData1K�NameVaVadRegionSize
A��I�oData1K�NameVaVadCommitSize
A��C�oData+K�NameVaVadMmfName
A��E�oData-K�Name
TargetAddress
A��G�oData/K�NameFullRegionSize
 
�%	�%	

$&	X&	�&	�&	'	@'	t'	�'	

�'	�'	8(	�(	�(	�(	

)	L)	�)	�)	*	
0*	L*	p*	�*	�*	�*	$+	H+	l+	�+	�+	
�+	(CallingProcessId8CallingProcessCreateTime4CallingProcessStartKey@CallingProcessSignatureLevelLCallingProcessSectionSignatureLevel8CallingProcessProtection$CallingThreadId4CallingThreadCreateTime$TargetProcessId4TargetProcessCreateTime0TargetProcessStartKey<TargetProcessSignatureLevelLTargetProcessSectionSignatureLevel4TargetProcessProtection(OriginalProcessId8OriginalProcessCreateTime4OriginalProcessStartKey@OriginalProcessSignatureLevelPOriginalProcessSectionSignatureLevel8OriginalProcessProtectionBaseAddressRegionSize$ProtectionMask,LastProtectionMask(VaVadQueryResult,VaVadAllocationBase4VaVadAllocationProtect$VaVadRegionType$VaVadRegionSize$VaVadCommitSize VaVadMmfName TargetAddress$FullRegionSizeTEMP��2	��Wf�U�
%�X|����D�	EventDataA��K�oData3K�NameCallingProcessId
A��[�oDataCK�NameCallingProcessCreateTime
A��W�oData?K�NameCallingProcessStartKey

A��c�oDataKK�NameCallingProcessSignatureLevel
A��q�oDataYK�Name#CallingProcessSectionSignatureLevel
A��[�oDataCK�NameCallingProcessProtection
A��I�oData1K�NameCallingThreadId
A��Y�oDataAK�NameCallingThreadCreateTime
A��I�oData1K�NameTargetProcessId
A��Y�oDataAK�NameTargetProcessCreateTime
	A��U�oData=K�NameTargetProcessStartKey

A��a�oDataIK�NameTargetProcessSignatureLevel
A��o�oDataWK�Name"TargetProcessSectionSignatureLevel
A��Y�oDataAK�NameTargetProcessProtection

A��A�oData)K�NameBaseAddress
A��;�oData#K�NameViewSize
A��G�oData/K�NameAllocationType
A��G�oData/K�NameProtectionMask
 4	H4	

�4	�4	�4	@5	x5	�5	�5	�5	

(6	X6	�6	�6	7	07	H7	l7	(CallingProcessId8CallingProcessCreateTime4CallingProcessStartKey@CallingProcessSignatureLevelLCallingProcessSectionSignatureLevel8CallingProcessProtection$CallingThreadId4CallingThreadCreateTime$TargetProcessId4TargetProcessCreateTime0TargetProcessStartKey<TargetProcessSignatureLevelLTargetProcessSectionSignatureLevel4TargetProcessProtectionBaseAddressViewSize$AllocationType$ProtectionMaskTEMP�**�G	���AoXU�]�:�3���D�	EventDataA��K�oData3K�NameCallingProcessId
A��[�oDataCK�NameCallingProcessCreateTime
A��W�oData?K�NameCallingProcessStartKey

A��c�oDataKK�NameCallingProcessSignatureLevel
A��q�oDataYK�Name#CallingProcessSectionSignatureLevel
A��[�oDataCK�NameCallingProcessProtection
A��I�oData1K�NameCallingThreadId
A��Y�oDataAK�NameCallingThreadCreateTime
A��I�oData1K�NameTargetProcessId
A��Y�oDataAK�NameTargetProcessCreateTime
	A��U�oData=K�NameTargetProcessStartKey

A��a�oDataIK�NameTargetProcessSignatureLevel
A��o�oDataWK�Name"TargetProcessSectionSignatureLevel
A��Y�oDataAK�NameTargetProcessProtection

A��G�oData/K�NameTargetThreadId
A��W�oData?K�NameTargetThreadCreateTime
A��M�oData5K�NameOriginalProcessId
A��]�oDataEK�NameOriginalProcessCreateTime
A��Y�oDataAK�NameOriginalProcessStartKey

A��e�oDataMK�NameOriginalProcessSignatureLevel
A��s�oData[K�Name$OriginalProcessSectionSignatureLevel
A��]�oDataEK�NameOriginalProcessProtection
A��U�oData=K�NameTargetThreadAlertable
A��?�oData'K�Name
ApcRoutine
A��C�oData+K�NameApcArgument1
A��C�oData+K�NameApcArgument2
A��C�oData+K�NameApcArgument3
A��E�oData-K�Name
RealEventTime
A��[�oDataCK�NameApcRoutineVadQueryResult
A��a�oDataIK�NameApcRoutineVadAllocationBase
A��g�oDataOK�NameApcRoutineVadAllocationProtect
A��Y�oDataAK�NameApcRoutineVadRegionType
A��Y�oDataAK�NameApcRoutineVadRegionSize
 A��Y�oDataAK�NameApcRoutineVadCommitSize
!A��S�oData;K�NameApcRoutineVadMmfName
"A��_�oDataGK�NameApcArgument1VadQueryResult
#A��e�oDataMK�NameApcArgument1VadAllocationBase
$A��k�oDataSK�Name ApcArgument1VadAllocationProtect
%A��]�oDataEK�NameApcArgument1VadRegionType
&A��]�oDataEK�NameApcArgument1VadRegionSize
'A��]�oDataEK�NameApcArgument1VadCommitSize
(A��W�oData?K�NameApcArgument1VadMmfName
)�J	�J	

0K	dK	�K	�K	(L	LL	�L	�L	

�L	M	DM	�M	�M	�M	N	DN	

|N	�N	�N	@O	xO	�O	�O	�O	P	$P	DP	|P	�P	�P	0Q	dQ	�Q	�Q	R	DR	�R	�R	�R	4S	(CallingProcessId8CallingProcessCreateTime4CallingProcessStartKey@CallingProcessSignatureLevelLCallingProcessSectionSignatureLevel8CallingProcessProtection$CallingThreadId4CallingThreadCreateTime$TargetProcessId4TargetProcessCreateTime0TargetProcessStartKey<TargetProcessSignatureLevelLTargetProcessSectionSignatureLevel4TargetProcessProtection$TargetThreadId4TargetThreadCreateTime(OriginalProcessId8OriginalProcessCreateTime4OriginalProcessStartKey@OriginalProcessSignatureLevelPOriginalProcessSectionSignatureLevel8OriginalProcessProtection0TargetThreadAlertableApcRoutine ApcArgument1 ApcArgument2 ApcArgument3 RealEventTime8ApcRoutineVadQueryResult<ApcRoutineVadAllocationBaseDApcRoutineVadAllocationProtect4ApcRoutineVadRegionType4ApcRoutineVadRegionSize4ApcRoutineVadCommitSize0ApcRoutineVadMmfName<ApcArgument1VadQueryResult@ApcArgument1VadAllocationBaseHApcArgument1VadAllocationProtect8ApcArgument1VadRegionType8ApcArgument1VadRegionSize8ApcArgument1VadCommitSize4ApcArgument1VadMmfNameTEMPx&&|_		�a�' �TH�SUZ'����D�	EventDataA��K�oData3K�NameCallingProcessId
A��[�oDataCK�NameCallingProcessCreateTime
A��W�oData?K�NameCallingProcessStartKey

A��c�oDataKK�NameCallingProcessSignatureLevel
A��q�oDataYK�Name#CallingProcessSectionSignatureLevel
A��[�oDataCK�NameCallingProcessProtection
A��I�oData1K�NameCallingThreadId
A��Y�oDataAK�NameCallingThreadCreateTime
A��I�oData1K�NameTargetProcessId
A��Y�oDataAK�NameTargetProcessCreateTime
	A��U�oData=K�NameTargetProcessStartKey

A��a�oDataIK�NameTargetProcessSignatureLevel
A��o�oDataWK�Name"TargetProcessSectionSignatureLevel
A��Y�oDataAK�NameTargetProcessProtection

A��G�oData/K�NameTargetThreadId
A��W�oData?K�NameTargetThreadCreateTime
A��C�oData+K�NameContextFlags
A��A�oData)K�NameContextMask
A��/�oDataK�NamePc
A��/�oDataK�NameSp
A��/�oDataK�NameLr
A��/�oDataK�NameFp
A��3�oDataK�NameReg0
A��3�oDataK�NameReg1
A��3�oDataK�NameReg2
A��3�oDataK�NameReg3
A��3�oDataK�NameReg4
A��3�oDataK�NameReg5
A��3�oDataK�NameReg6
A��3�oDataK�NameReg7
A��E�oData-K�Name
RealEventTime
A��K�oData3K�NamePcVadQueryResult
A��Q�oData9K�NamePcVadAllocationBase
 A��W�oData?K�NamePcVadAllocationProtect
!A��I�oData1K�NamePcVadRegionType
"A��I�oData1K�NamePcVadRegionSize
#A��I�oData1K�NamePcVadCommitSize
$A��C�oData+K�NamePcVadMmfName
%tb	�b	

�b	c	Hc	�c	�c	�c	$d	Hd	

|d	�d	�d	4e	he	�e	�e	�e	�e	f	f	 f	,f	<f	Lf	\f	lf	|f	�f	�f	�f	�f	�f	 g	Tg	xg	�g	�g	(CallingProcessId8CallingProcessCreateTime4CallingProcessStartKey@CallingProcessSignatureLevelLCallingProcessSectionSignatureLevel8CallingProcessProtection$CallingThreadId4CallingThreadCreateTime$TargetProcessId4TargetProcessCreateTime0TargetProcessStartKey<TargetProcessSignatureLevelLTargetProcessSectionSignatureLevel4TargetProcessProtection$TargetThreadId4TargetThreadCreateTime ContextFlagsContextMaskPcSpLrFpReg0Reg1Reg2Reg3Reg4Reg5Reg6Reg7 RealEventTime(PcVadQueryResult,PcVadAllocationBase4PcVadAllocationProtect$PcVadRegionType$PcVadRegionSize$PcVadCommitSize PcVadMmfNameTEMP$`n	Rӹ���Z8&1�dYJ��JD�	EventDataA��I�oData1K�NameOperationStatus
A��K�oData3K�NameCallingProcessId
A��[�oDataCK�NameCallingProcessCreateTime
A��W�oData?K�NameCallingProcessStartKey

A��c�oDataKK�NameCallingProcessSignatureLevel
A��q�oDataYK�Name#CallingProcessSectionSignatureLevel
A��[�oDataCK�NameCallingProcessProtection
A��I�oData1K�NameCallingThreadId
A��Y�oDataAK�NameCallingThreadCreateTime
A��I�oData1K�NameTargetProcessId
	A��Y�oDataAK�NameTargetProcessCreateTime
A��U�oData=K�NameTargetProcessStartKey

A��a�oDataIK�NameTargetProcessSignatureLevel
A��o�oDataWK�Name"TargetProcessSectionSignatureLevel

A��Y�oDataAK�NameTargetProcessProtection
A��A�oData)K�NameBaseAddress
A��A�oData)K�NameBytesCopied
�o	�o	p	

8p	lp	�p	�p	0q	Tq	�q	�q	

�q	r	Lr	�r	�r	�r	$OperationStatus(CallingProcessId8CallingProcessCreateTime4CallingProcessStartKey@CallingProcessSignatureLevelLCallingProcessSectionSignatureLevel8CallingProcessProtection$CallingThreadId4CallingThreadCreateTime$TargetProcessId4TargetProcessCreateTime0TargetProcessStartKey<TargetProcessSignatureLevelLTargetProcessSectionSignatureLevel4TargetProcessProtectionBaseAddressBytesCopiedTEMP�{	�L��%\`}y$v[y���D�	EventDataA��I�oData1K�NameOperationStatus
A��K�oData3K�NameCallingProcessId
A��[�oDataCK�NameCallingProcessCreateTime
A��W�oData?K�NameCallingProcessStartKey

A��c�oDataKK�NameCallingProcessSignatureLevel
A��q�oDataYK�Name#CallingProcessSectionSignatureLevel
A��[�oDataCK�NameCallingProcessProtection
A��I�oData1K�NameCallingThreadId
A��Y�oDataAK�NameCallingThreadCreateTime
A��I�oData1K�NameTargetProcessId
	A��Y�oDataAK�NameTargetProcessCreateTime
A��U�oData=K�NameTargetProcessStartKey

A��a�oDataIK�NameTargetProcessSignatureLevel
A��o�oDataWK�Name"TargetProcessSectionSignatureLevel

A��Y�oDataAK�NameTargetProcessProtection
A��A�oData)K�NameBaseAddress
A��A�oData)K�NameBytesCopied
A��K�oData3K�NameVaVadQueryResult
A��Q�oData9K�NameVaVadAllocationBase
A��W�oData?K�NameVaVadAllocationProtect
A��I�oData1K�NameVaVadRegionType
A��I�oData1K�NameVaVadRegionSize
A��I�oData1K�NameVaVadCommitSize
A��C�oData+K�NameVaVadMmfName
�}	�}	�}	

(~	\~	�~	�~	 	D	x	�	

�	�	<�	��	��	؀	�	�	H�	|�	��	ā	�	$OperationStatus(CallingProcessId8CallingProcessCreateTime4CallingProcessStartKey@CallingProcessSignatureLevelLCallingProcessSectionSignatureLevel8CallingProcessProtection$CallingThreadId4CallingThreadCreateTime$TargetProcessId4TargetProcessCreateTime0TargetProcessStartKey<TargetProcessSignatureLevelLTargetProcessSectionSignatureLevel4TargetProcessProtectionBaseAddressBytesCopied(VaVadQueryResult,VaVadAllocationBase4VaVadAllocationProtect$VaVadRegionType$VaVadRegionSize$VaVadCommitSize VaVadMmfNameTEMP`��	�&�-.�+U���~	��fD�	EventDataA��I�oData1K�NameOperationStatus
A��K�oData3K�NameCallingProcessId
A��[�oDataCK�NameCallingProcessCreateTime
A��W�oData?K�NameCallingProcessStartKey

A��c�oDataKK�NameCallingProcessSignatureLevel
A��q�oDataYK�Name#CallingProcessSectionSignatureLevel
A��[�oDataCK�NameCallingProcessProtection
A��I�oData1K�NameCallingThreadId
A��Y�oDataAK�NameCallingThreadCreateTime
A��I�oData1K�NameTargetProcessId
	A��Y�oDataAK�NameTargetProcessCreateTime
A��U�oData=K�NameTargetProcessStartKey

A��a�oDataIK�NameTargetProcessSignatureLevel
A��o�oDataWK�Name"TargetProcessSectionSignatureLevel

A��Y�oDataAK�NameTargetProcessProtection
A��G�oData/K�NameTargetThreadId
A��W�oData?K�NameTargetThreadCreateTime
��	�	D�	

|�	��	�	<�	t�	��	̋	�	

$�	T�	��	܌	�	4�	$OperationStatus(CallingProcessId8CallingProcessCreateTime4CallingProcessStartKey@CallingProcessSignatureLevelLCallingProcessSectionSignatureLevel8CallingProcessProtection$CallingThreadId4CallingThreadCreateTime$TargetProcessId4TargetProcessCreateTime0TargetProcessStartKey<TargetProcessSignatureLevelLTargetProcessSectionSignatureLevel4TargetProcessProtection$TargetThreadId4TargetThreadCreateTimeTEMP4
X�	Ɯڙs�T��9��O���D�	EventDataA��I�oData1K�NameOperationStatus
A��K�oData3K�NameCallingProcessId
A��[�oDataCK�NameCallingProcessCreateTime
A��W�oData?K�NameCallingProcessStartKey

A��c�oDataKK�NameCallingProcessSignatureLevel
A��q�oDataYK�Name#CallingProcessSectionSignatureLevel
A��[�oDataCK�NameCallingProcessProtection
A��I�oData1K�NameCallingThreadId
A��Y�oDataAK�NameCallingThreadCreateTime
A��I�oData1K�NameTargetProcessId
	A��Y�oDataAK�NameTargetProcessCreateTime
A��U�oData=K�NameTargetProcessStartKey

A��a�oDataIK�NameTargetProcessSignatureLevel
A��o�oDataWK�Name"TargetProcessSectionSignatureLevel

A��Y�oDataAK�NameTargetProcessProtection
��	��	Д	

�	<�	|�	ȕ	�	$�	X�	|�	

��	�	�	h�	$OperationStatus(CallingProcessId8CallingProcessCreateTime4CallingProcessStartKey@CallingProcessSignatureLevelLCallingProcessSectionSignatureLevel8CallingProcessProtection$CallingThreadId4CallingThreadCreateTime$TargetProcessId4TargetProcessCreateTime0TargetProcessStartKey<TargetProcessSignatureLevelLTargetProcessSectionSignatureLevel4TargetProcessProtectionTEMP�ܘ	��:*ޠ3W����W��
D�	EventDataA��K�oData3K�NameDriverNameLength
A��?�oData'K�Name
DriverName
A��Q�oData9K�NameCodeIntegrityOption
�	@�	\�	(DriverNameLengthDriverName,CodeIntegrityOptionTEMPTp�	0f���S*Y>Б�����D�	EventDataA��K�oData3K�NameDriverNameLength
A��?�oData'K�Name
DriverName
��	��	(DriverNameLengthDriverNameTEMPX\�	��Ey{BP�xaW�^���JD�	EventDataA��K�oData3K�NameDriverNameLength
A��?�oData'K�Name
DriverName
A��K�oData3K�NameDeviceNameLength
A��?�oData'K�Name
DeviceName
��	Ԝ	�	�	(DriverNameLengthDriverName(DeviceNameLengthDeviceNameTEMP�$*T�	f{�F�?WÿF�m�^���
D�	EventDataA��K�oData3K�NameCallingProcessId
A��[�oDataCK�NameCallingProcessCreateTime
A��W�oData?K�NameCallingProcessStartKey

A��c�oDataKK�NameCallingProcessSignatureLevel
A��q�oDataYK�Name#CallingProcessSectionSignatureLevel
A��[�oDataCK�NameCallingProcessProtection
A��I�oData1K�NameCallingThreadId
A��Y�oDataAK�NameCallingThreadCreateTime
A��[�oDataCK�NamePreviousTokenQueryResult
A��M�oData5K�NamePreviousTokenType
	A��W�oData?K�NamePreviousTokenElevation
A��_�oDataGK�NamePreviousTokenElevationType
A��i�oDataQK�NamePreviousTokenImpersonationLevel
A��M�oData5K�NamePreviousTokenUser

A��c�oDataKK�NamePreviousTokenTrustLevelCount
A��gZ�ComplexDataAK�NamePreviousTokenTrustLevel
�A��a�oDataIK�NamePreviousTokenIntegrityLevel
A��W�oData?K�NamePreviousTokenSessionId
A��]�oDataEK�NamePreviousTokenLowBoxNumber
A��e�oDataMK�NamePreviousTokenAuthenticationId
A��[�oDataCK�NamePreviousTokenGroupsCount
A��_Z�ComplexData9K�NamePreviousTokenGroups
�A��Y�oDataAK�NameCurrentTokenQueryResult
A��K�oData3K�NameCurrentTokenType
A��U�oData=K�NameCurrentTokenElevation
A��]�oDataEK�NameCurrentTokenElevationType
A��g�oDataOK�NameCurrentTokenImpersonationLevel
A��K�oData3K�NameCurrentTokenUser
A��a�oDataIK�NameCurrentTokenTrustLevelCount
A��eZ�ComplexData?K�NameCurrentTokenTrustLevel
�A��_�oDataGK�NameCurrentTokenIntegrityLevel
A��U�oData=K�NameCurrentTokenSessionId
A��[�oDataCK�NameCurrentTokenLowBoxNumber
 A��c�oDataKK�NameCurrentTokenAuthenticationId
!A��Y�oDataAK�NameCurrentTokenGroupsCount
"A��]Z�ComplexData7K�NameCurrentTokenGroups
#���	Į	

��	0�	p�	��	�	�	L�	��	��	�	�	`�	��	$ȱ	��	8�	l�	��	�	%�	H�	|�	��	Գ	�	P�	x�	'��	�	$�	T�	��	̵	("�	,�	L�	p�	��	��	̶	(CallingProcessId8CallingProcessCreateTime4CallingProcessStartKey@CallingProcessSignatureLevelLCallingProcessSectionSignatureLevel8CallingProcessProtection$CallingThreadId4CallingThreadCreateTime8PreviousTokenQueryResult(PreviousTokenType4PreviousTokenElevation<PreviousTokenElevationTypeDPreviousTokenImpersonationLevel(PreviousTokenUser@PreviousTokenTrustLevelCount4PreviousTokenTrustLevel<PreviousTokenIntegrityLevel4PreviousTokenSessionId8PreviousTokenLowBoxNumber@PreviousTokenAuthenticationId8PreviousTokenGroupsCount,PreviousTokenGroups4CurrentTokenQueryResult(CurrentTokenType0CurrentTokenElevation8CurrentTokenElevationTypeDCurrentTokenImpersonationLevel(CurrentTokenUser<CurrentTokenTrustLevelCount4CurrentTokenTrustLevel<CurrentTokenIntegrityLevel0CurrentTokenSessionId8CurrentTokenLowBoxNumber@CurrentTokenAuthenticationId4CurrentTokenGroupsCount,CurrentTokenGroups TrustLevelSid$GroupAttributesGroupSid TrustLevelSid$GroupAttributesGroupSidTEMP�8�	�_r�p�}XN^U�&��� D�	EventDataA��K�oData3K�NameCallingProcessId
A��[�oDataCK�NameCallingProcessCreateTime
A��W�oData?K�NameCallingProcessStartKey

A��c�oDataKK�NameCallingProcessSignatureLevel
A��q�oDataYK�Name#CallingProcessSectionSignatureLevel
A��[�oDataCK�NameCallingProcessProtection
A��I�oData1K�NameCallingThreadId
A��Y�oDataAK�NameCallingThreadCreateTime
غ	�	

8�	l�	��	��	0�	T�	(CallingProcessId8CallingProcessCreateTime4CallingProcessStartKey@CallingProcessSignatureLevelLCallingProcessSectionSignatureLevel8CallingProcessProtection$CallingThreadId4CallingThreadCreateTimeTEMP��	�»c��ZN�j��z����D�	EventDataA��K�oData3K�NameCallingProcessId
A��[�oDataCK�NameCallingProcessCreateTime
A��W�oData?K�NameCallingProcessStartKey

A��c�oDataKK�NameCallingProcessSignatureLevel
A��q�oDataYK�Name#CallingProcessSectionSignatureLevel
A��[�oDataCK�NameCallingProcessProtection
A��I�oData1K�NameCallingThreadId
A��Y�oDataAK�NameCallingThreadCreateTime
A��=�oData%K�Name	SessionId
A��A�oData)K�NameSyscallEnum
	A��K�oData3K�NameIsSandboxedToken

��	��	

��	,�	l�	��	��	�	H�	`�	

|�	(CallingProcessId8CallingProcessCreateTime4CallingProcessStartKey@CallingProcessSignatureLevelLCallingProcessSectionSignatureLevel8CallingProcessProtection$CallingThreadId4CallingThreadCreateTimeSessionIdSyscallEnum(IsSandboxedTokenPRVA`��	Microsoft-Windows-Threat-IntelligenceOPCOLEVL@P(�	(win:InformationalTASK�������	����$�	����h�	������	������	����H�	������	������		����$�	
������	������	����$�	
������	������	@KERNEL_THREATINT_TASK_ALLOCVMDKERNEL_THREATINT_TASK_PROTECTVM@KERNEL_THREATINT_TASK_MAPVIEWLKERNEL_THREATINT_TASK_QUEUEUSERAPCTKERNEL_THREATINT_TASK_SETTHREADCONTEXT@KERNEL_THREATINT_TASK_READVM@KERNEL_THREATINT_TASK_WRITEVM\KERNEL_THREATINT_TASK_SUSPENDRESUME_THREAD\KERNEL_THREATINT_TASK_SUSPENDRESUME_PROCESSLKERNEL_THREATINT_TASK_DRIVER_DEVICEXKERNEL_THREATINT_PROCESS_IMPERSONATION_UP`KERNEL_THREATINT_PROCESS_IMPERSONATION_REVERTTKERNEL_THREATINT_PROCESS_SYSCALL_USAGE\KERNEL_THREATINT_PROCESS_IMPERSONATION_DOWNKEYW�+������	����D�	������	�����	����x�	 ������	@����D�	�������	�����	����d�	������	����(�	������	 ������	@����t�	�������	����`�	������	�����	����X�	������	 �����	@����T�	�������	�����	����T�	������	������	����h�	 ������	@����`�	�������	�����	����l�	������	����<�	������	 ����,�	@������	������	������	������	����P�	TKERNEL_THREATINT_KEYWORD_ALLOCVM_LOCALpKERNEL_THREATINT_KEYWORD_ALLOCVM_LOCAL_KERNEL_CALLERTKERNEL_THREATINT_KEYWORD_ALLOCVM_REMOTEpKERNEL_THREATINT_KEYWORD_ALLOCVM_REMOTE_KERNEL_CALLERXKERNEL_THREATINT_KEYWORD_PROTECTVM_LOCALtKERNEL_THREATINT_KEYWORD_PROTECTVM_LOCAL_KERNEL_CALLERXKERNEL_THREATINT_KEYWORD_PROTECTVM_REMOTEtKERNEL_THREATINT_KEYWORD_PROTECTVM_REMOTE_KERNEL_CALLERTKERNEL_THREATINT_KEYWORD_MAPVIEW_LOCALpKERNEL_THREATINT_KEYWORD_MAPVIEW_LOCAL_KERNEL_CALLERTKERNEL_THREATINT_KEYWORD_MAPVIEW_REMOTEpKERNEL_THREATINT_KEYWORD_MAPVIEW_REMOTE_KERNEL_CALLER`KERNEL_THREATINT_KEYWORD_QUEUEUSERAPC_REMOTE|KERNEL_THREATINT_KEYWORD_QUEUEUSERAPC_REMOTE_KERNEL_CALLERhKERNEL_THREATINT_KEYWORD_SETTHREADCONTEXT_REMOTE�KERNEL_THREATINT_KEYWORD_SETTHREADCONTEXT_REMOTE_KERNEL_CALLERPKERNEL_THREATINT_KEYWORD_READVM_LOCALTKERNEL_THREATINT_KEYWORD_READVM_REMOTETKERNEL_THREATINT_KEYWORD_WRITEVM_LOCALTKERNEL_THREATINT_KEYWORD_WRITEVM_REMOTETKERNEL_THREATINT_KEYWORD_SUSPEND_THREADTKERNEL_THREATINT_KEYWORD_RESUME_THREADXKERNEL_THREATINT_KEYWORD_SUSPEND_PROCESSTKERNEL_THREATINT_KEYWORD_RESUME_PROCESSTKERNEL_THREATINT_KEYWORD_FREEZE_PROCESSPKERNEL_THREATINT_KEYWORD_THAW_PROCESSTKERNEL_THREATINT_KEYWORD_CONTEXT_PARSEpKERNEL_THREATINT_KEYWORD_EXECUTION_ADDRESS_VAD_PROBExKERNEL_THREATINT_KEYWORD_EXECUTION_ADDRESS_MMF_NAME_PROBE�KERNEL_THREATINT_KEYWORD_READWRITEVM_NO_SIGNATURE_RESTRICTIONTKERNEL_THREATINT_KEYWORD_DRIVER_EVENTSTKERNEL_THREATINT_KEYWORD_DEVICE_EVENTSdKERNEL_THREATINT_KEYWORD_READVM_REMOTE_FILL_VADhKERNEL_THREATINT_KEYWORD_WRITEVM_REMOTE_FILL_VADhKERNEL_THREATINT_KEYWORD_PROTECTVM_LOCAL_FILL_VAD�KERNEL_THREATINT_KEYWORD_PROTECTVM_LOCAL_KERNEL_CALLER_FILL_VADlKERNEL_THREATINT_KEYWORD_PROTECTVM_REMOTE_FILL_VAD�KERNEL_THREATINT_KEYWORD_PROTECTVM_REMOTE_KERNEL_CALLER_FILL_VADhKERNEL_THREATINT_KEYWORD_PROCESS_IMPERSONATION_UPpKERNEL_THREATINT_KEYWORD_PROCESS_IMPERSONATION_REVERTdKERNEL_THREATINT_KEYWORD_PROCESS_SYSCALL_USAGE`KERNEL_THREATINT_KEYWORD_QUEUEUSERAPC_AT_DPClKERNEL_THREATINT_KEYWORD_PROCESS_IMPERSONATION_DOWNEVNTh	.��������	\�	p�	�@�����h��	x�	t�	�@�����T	�	x�	x�	�@����� 	�	x�	|�	�������+	�	��	��	�������7	�	��	��	�@�����hS	�	��	��	���������	\�	��	������h��	x�	��	������T	�	x�	��	������ 	�	x�	��	�������+	�	��	��	�������g	�	��	��	������s	�	��	��	�������g	�	�	��	������s	�	�	��	�
������g	�	��	��	�
�����s	�	��	��	�������g	�	�	��	������s	�	�	��	�������	�	 �	��	� ������	�	 �	��	�	@�����h�	�	<�	��	�	������h�	�	<�	��	�	�����h�	�	<�	��	�	�����h�	�	<�	��	���������	\�	��	�������h��	x�	��	�������T	�	x�	��	������� 	�	x�	��	�������+	�	��	��	� ������7	�	��	��	�������hS	�	��	��	���������	\�	��	� �����h��	x�	��	� �����T	�	x�	��	� ����� 	�	x�	�	�������+	�	��	�	�
@�������	�	X�	�	�
@�������	�	X�	�	�
������ܚ	�	X�	�	� 
������ܚ	�	X�	�	�!@�����4�	�	t�	�	�"�������	�	��	�	�#
�������	�	��	 �	�$�����4�	�	��	$�	�`�	��	��	��	��	�	 �	@�	��	��	��	��	@�	@�	`�	`�	P�	P�	p�	p�	��	��	��	��	��	��	p�	��	��	��	��	�	0�	P�	��	��	��	��	 �	 �	0�	0�	��	��	��	��	WEVT�4x�	��	
`�	��	�	p�	x�	��	CHANt��	5XMicrosoft-Windows-Kernel-Dump/OperationalTTBLtTEMP���	�.���\�x�XZ_CN��fD�	EventDataA��E�oData-K�Name
OperationType
��	 OperationTypeTEMP4��	�2ig�8�\���'���d���D�	EventDataA��A�oData)K�NamePolicyValue
A��;�oData#K�NameNTStatus
��	��	PolicyValueNTStatusTEMP���	���HS�ga=F�,���bD�	EventDataA��A�oData)K�NamePolicyValue
��	PolicyValueTEMP�T�	>c'�޽XS떂7�r���\D�	EventDataA��;�oData#K�NameNTStatus
h�	NTStatusTEMP�$�	ga���D�Sᚻ�\�P���nD�	EventDataA��M�oData5K�NameForceDumpDisabled
8�	(ForceDumpDisabledPRVAPt�	Microsoft-Windows-Kernel-DumpOPCOX:L�	;��	
<��	D�	ED�	F|�	G��	H�	IH�	K��	M��	O��	DCrashDumpPolicyOperationFailure<CrashDumpPolicyValueChangedDCrashDumpDisabledOnBootByPolicy4CrashDumpDisableFailed8CrashDumpInitializeFailed8CrashDumpLoadDriverFailedTCrashDumpDumpStackInitializationFailed@CrashDumpFreeDumpStackFailed@CrashDumpLoadDumpStackFailed(CrashDumpDisabled0CrashDumpReconfigured(ForceDumpDisabledLEVLhP,�	PH�	win:Warning(win:InformationalTASK6��	=�	PH�	<DUMP_TASK_CRASHDUMP_POLICY<DUMP_TASK_CRASHDUMP_CONFIG0DUMP_TASK_DUMP_CONFIGKEYWEVNTP�7��	��	 �	|�	��	�8��	��	 �	|�	��	
�9��	��	 �	|�	��	�>��	��	�	��	��	�?��	��	�	��	��	�@��	��	�	��	��	�A��	�	�	��	��	�B��	�	�	��	��		�C��	�	�	��	��	
�J(�	 �	��	��	�L��	4�	 �	��	��	�N��	@�	 �	��	��	WEVTl�	0�	��	0�	
@
�
�
�
�
0
CHAN�L�	�lMicrosoft-Windows-Kernel-CPU-Starvation/OperationalMAPSx��	VMAP$��	��DDpcProfilingStackBeginReasonMapTTBL
TEMP���	dWA�gM[QB'/��K?k��D�	EventDataA��E�oData-K�Name
DpcRoutineKey
A��;�oData#K�NameThreadID
A��=�oData%K�Name	CpuNumber
A��=�oData%K�Name	TickCount
A��K�oData3K�NameSoftTimeoutTicks
A��K�oData3K�NameModuleNameLength
A��?�oData'K�Name
ModuleName
�	8�	P�	h�	��	��	�	 DpcRoutineKeyThreadIDCpuNumberTickCount(SoftTimeoutTicks(ModuleNameLengthModuleNameTEMP|��	
��BAE^��0�	�M���^D�	EventDataA��;�oData#K�NameThreadID
A��=�oData%K�Name	CpuNumber
A��Q�oData9K�NameCumulativeTickCount
A��_�oDataGK�NameCumulativeSoftTimeoutTicks
�	�	�	,�	ThreadIDCpuNumber,CumulativeTickCount<CumulativeSoftTimeoutTicksTEMP<D�	��s��PZ'ϗH*�����D�	EventDataA��M�oData5K�NameDpcSequenceNumber
A��3�oDataK�NameTick
l�	��	(DpcSequenceNumberTickTEMP�x�	5������Q��[�5c����D�	EventDataA��M�oData5K�NameDpcSequenceNumber
A��G�oData/K�NameThresholdTicks
A��I�oData1K�NameSingleTickCount
A��Q�oData9K�NameCumulativeTickCount
A��5�oDataK�NameCause
�	�	(�	L�	��	x�	(DpcSequenceNumber$ThresholdTicks$SingleTickCount,CumulativeTickCountCauseTEMP�D
^��� �YKF&�6S���D�	EventDataA��;�oData#K�NameThreadID
A��=�oData%K�Name	CpuNumber
A��M�oData5K�NameDpcSequenceNumber
A��G�oData/K�NameThresholdTicks
A��?�oData'K�Name
Cumulative
�
�
�

$
ThreadIDCpuNumber(DpcSequenceNumber$ThresholdTicksCumulativePRVAdT
Microsoft-Windows-Kernel-CPU-StarvationOPCO��
�

�H
�|
0SingleDpcSoftTimeout8CumulativeDpcSoftTimeout4DpcProfilingStackBegin(DpcProfilingStackLEVL4P�
win:WarningTASK��
�l
PCPU_STARVATION_TASK_DPC_SOFT_TIMEOUTTCPU_STARVATION_TASK_DPC_PROFILING_STACKKEYWp�����
����
$DpcSoftTimeout DpcProfilingEVNT��<�	�
�
�
0
<�	���	�
�
�
4
<�	
����	�
�

8
<�	
����	�
�

<
<�	�h�	�
�

@
�
�
�
�
�
WEVT�	`	�


p
�
�
�
(
 
CHAN��
a	dMicrosoft-Windows-Kernel-CPU-Partition/AnalyticTTBL\TEMP��
f�[+�\��5R�]����^D�	EventDataA��S�oData;K�NameKernelAffinitization

A��;�oData#K�NameThreadID
A��?�oData'K�Name
GroupCount
A��[Z�ComplexData5K�NameRequestedAffinity
�

,	
\	
t	
�	
�	
�	
0KernelAffinitizationThreadIDGroupCount(RequestedAffinityGroupMaskTEMP��

�����p�Xor���s���D�	EventDataA��W�oData?K�NameDeferredRoutineAddress
A��[�oDataCK�NameRequestedProcessorNumber

D
4DeferredRoutineAddress8RequestedProcessorNumberTEMP�(
J�V���P���kbU��xD�	EventDataA��W�oData?K�NameDeferredRoutineAddress
<
4DeferredRoutineAddressPRVAd�
Microsoft-Windows-Kernel-CPU-PartitionOPCO�f	
g	,

h	`
(AffinityViolation4DpcSchedulingViolation,GenericDpcViolationLEVL4P�
win:WarningTASKhb	�
@CPU_PARTITION_TASK_VIOLATIONKEYW�����d
�����
�����
@CpuPartitionAffinityViolation8CpuPartitionDpcViolationDCpuPartitionGenericDpcViolationEVNT��c	 
�
�
�
�
�
�d	�	
�
�
�
�
�

�e	|
�
�
�
�
�
4
D
T
WEVTl(

�

�
( 
4 
t 
�!
�!
CHAN�H
)
�
*
XMicrosoft-Windows-DriverProxy/PerformanceXMicrosoft-Windows-DriverProxy/OperationalTTBL�TEMP��
;^����[�ƳJ�#)���D�	EventDataA��K�oData3K�NameDriverNameLength
A��7�oDataK�NameDriver
A����oData�K�Name:AvgServiceLockAcquisitionTimeInLastLogPeriodInMicroSeconds

A����oDataiK�Name+AvgServiceLockAcquisitionTimeInMicroSeconds

A��U�oData=K�NameTotalAcquisitionCount
A��W�oData?K�NameFailedAcquisitionCount
D
l


�


�
X
�
(DriverNameLengthDriver|AvgServiceLockAcquisitionTimeInLastLogPeriodInMicroSeconds\AvgServiceLockAcquisitionTimeInMicroSeconds0TotalAcquisitionCount4FailedAcquisitionCountTEMPp		�
�u)�T#�S�nR�����D�	EventDataA��K�oData3K�NameDriverNameLength
A��7�oDataK�NameDriver
A��M�oData5K�NameLastServiceStatus
A��U�oData=K�NameLastServiceFinalPhase
A����oDatauK�Name1LastServiceLockAcquisitionTimeTotalInMicroSeconds

A����oData�K�Name;LastServiceLockAcquisitionTimePreProcessPhaseInMicroSeconds

A����oData�K�Name?LastServiceLockAcquisitionTimeAcquireRundownPhaseInMicroSeconds

A����oData�K�Name8LastServiceLockAcquisitionTimeStalledPhaseInMicroSeconds

A����oData�K�Name<LastServiceLockAcquisitionTimePostProcessPhaseInMicroSeconds

8
`
t
�


�


4


�


4


�
(DriverNameLengthDriver(LastServiceStatus0LastServiceFinalPhasehLastServiceLockAcquisitionTimeTotalInMicroSeconds|LastServiceLockAcquisitionTimePreProcessPhaseInMicroSeconds�LastServiceLockAcquisitionTimeAcquireRundownPhaseInMicroSecondsxLastServiceLockAcquisitionTimeStalledPhaseInMicroSeconds�LastServiceLockAcquisitionTimePostProcessPhaseInMicroSecondsTEMP�L
�Ɯbm%\�������D�	EventDataA��K�oData3K�NameDriverNameLength
A��7�oDataK�NameDriver
A��9�oData!K�NameMessage
�
�
�
(DriverNameLengthDriverMessagePRVAP�
Microsoft-Windows-DriverProxyOPCOLEVL@PL 
(win:InformationalTASK+
� 
,
!
-
X!
DTask_DriverProxy_Serviceability@Task_DriverProxy_Performance0Task_DriverProxy_LogKEYWEVNT��.

@ 
� 
(
@/
�
@ 
� 
8
@0
,
@ 
� 
8
���7��]�.�*B�{�g:�PO .�ĀV9m	?��*����WEVT_TEMPLATEMUIMUIen-US�%0�%q	*�H��
��%b0�%^10
	`�He0\
+�7�N0L0
+�70	���010
	`�He )�(P�@�X��lF��I֢��]L�ߍ1�'4�$��
�0��0��3�ݪ��D��0
	*�H��
0��10	UUS10U
Washington10URedmond10U
Microsoft Corporation1.0,U%Microsoft Windows Production PCA 20110
250619181144Z
260617181144Z0p10	UUS10U
Washington10URedmond10U
Microsoft Corporation10UMicrosoft Windows0�"0
	*�H��
�0�
��ʻt9�)C@۸H�������^'�bD�]��0��
��d{��Q���lR��K�$�BR/��N�Y�����jv�-E(t�N:L�|�%P�<�S����v�y�V܇�V�o�t�.�NԚCh��[m��Sǡ�a.l�M�'hGvP��h�L�}j�N�3'�.�+㩱Cގc�ʭ�\�O�n����h��|goVcO�:$���*n�1H:2JoT��`�Y8!����=k���98�b5T���H��H؄��v0�r0U%0
+�7
+0U�9Z��Ы���^9!��0EU>0<�:0810UMicrosoft Corporation10U
229879+5053260U#0��)9�ėx͐��O��|U�S0WUP0N0L�J�H�Fhttp://www.microsoft.com/pkiops/crl/MicWinProPCA2011_2011-10-19.crl%200a+U0S0Q+0�Ehttp://www.microsoft.com/pkiops/certs/MicWinProPCA2011_2011-10-19.crt0U�00
	*�H��
��hz�x�iXǳq�	L]�IY����Xq��P���I�
gV~q_�R5�ٳ�);�	��#� o.J�@�$��3o�8NnMe�bʍ	�� @����BVFLt��1���M3�4E�p�b*��q	��]�Fe��]�}��n�sb��H,zȭ+�i���+Q"�V�t}���?¥����rl��^��N�M�&sc��n�`�ԓ�l���9B�U�K�������s?�~����s�zw+a0��0���
avV0
	*�H��
0��10	UUS10U
Washington10URedmond10U
Microsoft Corporation1200U)Microsoft Root Certificate Authority 20100
111019184142Z
261019185142Z0��10	UUS10U
Washington10URedmond10U
Microsoft Corporation1.0,U%Microsoft Windows Production PCA 20110�"0
	*�H��
�0�
�����.	����i�!�i33��T����� ��ҋ�8����-|by��J?5 p���k�6u�1ݍp��7�tF�([�`#,��G�g�Q'�r��ɹ;S5|���'�����#	o�F��n�<A�ˣ?]jM�i%(\6��C
��������['�'x0�[*	k"�S`,�hS��I�a��h	sD]}�T+�y��5]l+\μ�#�on�&�6�O�'��2;A�,���w�TN�\�e�C���mw�Z$�H��C0�?0	+�70U�)9�ėx͐��O��|U�S0	+�7
SubCA0U�0U�0�0U#0��Vˏ�\bh�=��[�Κ�0VUO0M0K�I�G�Ehttp://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl0Z+N0L0J+0�>http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt0
	*�H��
��|qQ�y�n��9>�<Rn+?s��h�H�4M��&�1F�ay�8.Ek��(�����	��L
6fj���������@26v�Zƿ���Ӭ�h�b��TlP0X��|���N���|�sW�R!s4Z�V��	����~�����?�rS��c��=1e�������=����BА�_T���G�o�sNA�@�_�*��s�!(���s9_>�\`����	���Q�fG���=�*hw��Lb{��Ǻz�4Kbz����J7�-�W|�=ܸZ��ĳ�:��n�i!7ށ�ugӓW^)9��-���Es[���z��FX�^���g�l5��?$�5�
u�V��x,��Ј���ߺ~,c��#!�xl�X6+�̤��-����@�E�Ί\k>��p*
j�_G��c
2��6*pZ�BYqKW�~���!<��Ź���E��� ����ŕ�]b֠c �uw}=�E�����W�o3��w�bY~1�0�0��0��10	UUS10U
Washington10URedmond10U
Microsoft Corporation1.0,U%Microsoft Windows Production PCA 20113�ݪ��D��0
	`�He���0	*�H��
	1
+�70/	*�H��
	1" �KT�O�mE���̑�[�ψ�R�s��<
֝0Z
+�71L0J�$�"Microsoft Windows�"� http://www.microsoft.com/windows0
	*�H��
��"�(�H83f����YCU��Ae*y;I<�^�圕������s*S�G�rt�L?�h�û<�ɔvV97in��̪'DJ�&��E�Aa3�ﱜ����S�Z�!��Η���z�6b
�jh�[9s��\�]˕Y�o
KҲi��MX<.X/2wF�e_"+Q�vv����B��E�U���E�Тk7Jb>��8/�8��&)�0��C�n�'vo�zC�.޶=��Ss���=����6X�R���0��
+�71��0�|	*�H��
��m0�i10
	`�He0�R*�H��
	��A�=0�9
+�Y
010
	`�He l���ߞ]�1;�u��MJ�����IR��a��h���be20250926020509.823Z0��Ѥ��0��10	UUS10U
Washington10URedmond10U
Microsoft Corporation1%0#UMicrosoft America Operations1'0%UnShield TSS ESN:8900-05E0-D9471%0#UMicrosoft Time-Stamp Service���0� 0��3,�(}� uc0
	*�H��
0|10	UUS10U
Washington10URedmond10U
Microsoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100
250130194303Z
260422194303Z0��10	UUS10U
Washington10URedmond10U
Microsoft Corporation1%0#UMicrosoft America Operations1'0%UnShield TSS ESN:8900-05E0-D9471%0#UMicrosoft Time-Stamp Service0�"0
	*�H��
�0�
�����F���ޣ���X��7��.X�EC����衄@3�ښ�q�L'A��]��N���
��W��堫e�@��}����^���z+9dA j	��Z�u
�^�m]�=�cq��Z��z�~x��)�qc���1�as���9a-���*i|!u�5
[�����>"�c�3x�m@`�I�ӫbB\t<t�M���֩/PƲ���dϱ:��| �0���E:�D$Ψi�@�ڧ���= y���9�쯀�r����~p�E\ӓ��d��u�Nx������AY
C,ᅑ�O}� �w����"س��rQ�,�_��]��}�3�}N�
Ney lVty��xa��L�,��&�������[�܁vn~�"l�$�n�h�4����-�F��z���V3C��?G,Y�#�>v��F��:>&ϑRe��L]�wws�`+o"G��F���;��֍�gǖ1�>0�|z��5Oq.
�3�`�;�����D��R���I0�E0U�qDiR�>�D��A��\��0U#0���]^b]����e�S5�r0_UX0V0T�R�P�Nhttp://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl0l+`0^0\+0�Phttp://www.microsoft.com/pkiops/certs/Microsoft%20Time-Stamp%20PCA%202010(1).crt0U�00U%�0
+0U��0
	*�H��
�uན/�9r�d��hw�f{�E����ENcNE���=5n|@�XJM7-�}�X��C��<��J�t3�h2�ݍc�Y�At���fb���ᑝF}��7bid4��i�{����*;�b}�l�A��0��m�������k.5�˔	/�o-ИJD��/�P/�:�y(�F��*�s˳�x��Z@=�/8Bɋ���
q�p����yF���{'��5�%~�{�G'Zİ>^.BG.�� �~\)C�T�WM�~��~O��G��e��Q�g��c?�*��IŸ�^�l$rq�䪅��w�J��j��C��U��M���`�n�sЪ(�_��i���o�A����� ���x
r8}��,�!�8��+�ti�V�X�*��
�v�L��|��cN+aR(*L�$�JF:�K׏��L�PZ�6����R\3o�^ĪW'���L���`�
j�#ag1�9Z����OG�9���]�m.���ɪ�z�����a5�s��_�2��#�0�q0�Y�3��k��I�0
	*�H��
0��10	UUS10U
Washington10URedmond10U
Microsoft Corporation1200U)Microsoft Root Certificate Authority 20100
210930182225Z
300930183225Z0|10	UUS10U
Washington10URedmond10U
Microsoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100�"0
	*�H��
�0�
���L�r!y���$y�Ղ��ҩlNu��5W�lJ�⽹>`3�\O�f��SqZ�~JZ��6g�F#���w2��`}jR�D���Fk��v��P�D�q\Q17�
8n����&S|9azĪ�ri����6�5&dژ;�{3��[~��R���b%�j�]�S���VM�ݼ��㑏�9,Q��pi
�6-p�1�5(�㴇$��ɏ~�T��U�mh;�F��z)7���E�Fn�2��0\O,�b�͹⍈䖬J��q�[g`���=� �s}A�Fu��_4���� }~�ٞE߶r/�}_��۪~6�6L�+n�Q���s�M7t�4���G��|?Lۯ^����s=CN�39L��Bh.�QF�ѽjZas�g�^�(v�3rק ��
�co�6d�[���!]_0t���عP��a�65�G������k�\RQ]�%��Pzl�r�Rą��<�7�?x�E���^ڏ�riƮ{��>j�.����0��0	+�70#	+�7*�R�dĚ���<F5)��/�0U��]^b]����e�S5�r0\U U0S0Q+�7L�}0A0?+3http://www.microsoft.com/pkiops/Docs/Repository.htm0U%0
+0	+�7
SubCA0U�0U�0�0U#0��Vˏ�\bh�=��[�Κ�0VUO0M0K�I�G�Ehttp://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl0Z+N0L0J+0�>http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt0
	*�H��
��U}�*��,g1$[�rK��o�\�>NGdx���=13�9��q6?�dl|�u9m�1��lѡ�"��fg:SMݘ��x�6.���V����i�	�{�jo�)�n�?Hu��m��m#T�xSu$W�ݟ�=��h�e��V����(U'�$�@���]='�@�8���)�ü�T�B�������j�BRu�6��as.,k{n?,	x鑲�[�I�t�쑀�=�J>f;O���2ٖ����t��Lro�u0�4�z�P�
X�@<�Tm�ctH,�NG-�q�d�$�smʎ	��WITd�s�[D�Z�k
��(�g($�8K�n�!TkjEG����^O���Lv�WT	�iD~|�als�
��Af=i��AI~~���;����>�1Q������{��p���(��6ںL���
�4�$5g+�
�挙��"��'B=%��tt[jў>�~�13}���{�8pDѐ�ȫ:�:b�pcSM��m��qj�U3X��pf�M0�50����Ѥ��0��10	UUS10U
Washington10URedmond10U
Microsoft Corporation1%0#UMicrosoft America Operations1'0%UnShield TSS ESN:8900-05E0-D9471%0#UMicrosoft Time-Stamp Service�#
0+J�v?eb�9�B��
��V���0���~0|10	UUS10U
Washington10URedmond10U
Microsoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100
	*�H��
�80"20250925215206Z20250926215206Z0t0:
+�Y
1,0*0
�80�0L0
쁉�06
+�Y
1(0&0
+�Y
�
0� �
0��0
	*�H��
��)��aޗ��ޓ�Y��-cSo����FT~�3����^�ОZP5�H��E���іE�KP�#;���5��Z~&�,P�-�p�\d,4C)h�Y??�	�2,�.
���L�{}#�aŶB������-,{d��G�dC����"��/�F�2o��C�P+�݆�y���W�;��g��O���A��ʕ�떯�ꥅ�6��Z�:��$�%s&��p7G�����.����fn��lX����2Vݹ1�
0�	0��0|10	UUS10U
Washington10URedmond10U
Microsoft Corporation1&0$UMicrosoft Time-Stamp PCA 20103,�(}� uc0
	`�He��J0	*�H��
	1
*�H��
	0/	*�H��
	1" xzbC�LH@;)�?��ߩ�_�ɮg��c��0��*�H��
	/1��0��0��0�� ts%�遐���lhl����?G�5tʓ�O�0��0���~0|10	UUS10U
Washington10URedmond10U
Microsoft Corporation1&0$UMicrosoft Time-Stamp PCA 20103,�(}� uc0" Ê����%��< 5�](�s:�4.@O��0
	*�H��
�N*Z��((��Ģ��A%Kr�VMњzj/.���Yj���u��P���&˸�O|��a�.l�ݴ)V�Ct"�X�Cjy���u�-{ӎ���+�0ZW����%Nª+�C��ʞ��o�g�A��CG��W��g1,%5�,��h�#Y��$)\��l ����8�L�ū�?����}��U���p���no��Q
I�	����UK% ߱j<�V�p��Y~�G,*�v4L���� �kv��]l
�
D�����C1�8���(M�X_�,�q�1[&��fZ��]�Ι�1p��Le�y��Q:Џt�l�V�����
4o��?d��P����ӄ�Ք/��W�t8��YH@[�lx�Lr��_1kD�f��jx
�<�H�GDL=���U���(�ʿ�j�=��K~�ؤ�3�����߀H�`�)_��Ƶ��
O��s�P,��eܾ��>�tᔲ�ȫGl�պ���376��-�,iB�Lgu�&�l
Anon7 - 2021