Full Boot: Begin Root Container <--> Boot Main Path Children: Boot-PreSessionInit-Phase Boot-SessionInit-Phase Boot-Winlogon-Phase Boot-ExplorerInit Post Boot Being Boot Main Path Container <--> Boot-PreSessionInit-Phase Children: Boot-PnP-BootStart-Phase Boot-PnP-SystemStart-Phase <--> Boot-PnP-DevicesStarting Event-Based Start with provider=9c205a39-1250-487d-abd7-e831c6290539, id=216, and version=0 Event-Based Stop with provider=9c205a39-1250-487d-abd7-e831c6290539, id=218, and version=0 Additionally, only match start to stop if the DriverNames are the same. <--> Boot-PnP-DevicesEnum Event-Based Start with provider=9c205a39-1250-487d-abd7-e831c6290539, id=220, and version=0 Event-Based Stop with provider=9c205a39-1250-487d-abd7-e831c6290539, id=222, and version=0 Additionally, only match start to stop if the DriverNames are the same. <--> Boot-PnP-BootStart-Phase Event-Based Start with provider=9c205a39-1250-487d-abd7-e831c6290539, id=200, and version=0 Event-Based Stop with provider=9c205a39-1250-487d-abd7-e831c6290539, id=201, and version=0 Additionally, only match start to stop if the PIDs are the same. <--> Boot-PnP-SystemStart-Phase Event-Based Start with provider=9c205a39-1250-487d-abd7-e831c6290539, id=202, and version=0 Event-Based Stop with provider=9c205a39-1250-487d-abd7-e831c6290539, id=203, and version=0 Additionally, only match start to stop if the PIDs are the same. <--> End Boot-PreSessionInit-Phase <--> Boot-SessionInit-Phase Event-Based Start with provider=43e63da5-41d1-4fbf-aded-1bbed98fdd1d, id=7, and version=0 Event-Based Stop with provider=dbe9b383-7cf3-4331-91cc-a3cb16a3b538, id=101, and version=0 Children: Boot-SessionInit-Session <--> Boot-SessionInit-Session Event-Based Start with provider=43e63da5-41d1-4fbf-aded-1bbed98fdd1d, id=1, version=0, and Flags=1056 Event-Based Stop with provider=43e63da5-41d1-4fbf-aded-1bbed98fdd1d, id=1, version=0, and Flags-2080 <--> End Boot-SessionInit-Phase <--> Boot-Winlogon-Session Region-Based Start based off the stop of region: FA473B22-58C7-4774-9EEE-C21B55F3A919 (Boot-SessionInit-Phase) Region-Based Stop based off the start of region: 75218788-563C-485e-BE8B-84E50583A009 (Boot-ExplorerInit) <--> Update PerUser System Parameters: Event-Based Start with provider=dbe9b383-7cf3-4331-91cc-a3cb16a3b538, id=3, and version=0 Event-Based Stop with provider=dbe9b383-7cf3-4331-91cc-a3cb16a3b538, id=4, and version=0 Additionally, only match start to stop if the PIDs are the same. Instance based off payload field called "Flags". <--> Connect to Subscriber for Logon Event-Based Start with provider=dbe9b383-7cf3-4331-91cc-a3cb16a3b538, id=809, and version=0 Event-Based Stop with provider=dbe9b383-7cf3-4331-91cc-a3cb16a3b538, id=810, and version=0 Additionally, only match start to stop if the PIDs are the same. Additionally, only match to a parent if the parent shares this same PID. Instance based off payload field called "SubscriberName" in the start event. <--> End CreateSession <--> Request Credentials: Event-Based Start with provider=dbe9b383-7cf3-4331-91cc-a3cb16a3b538, id=203, and version=0 Event-Based Stop with provider=dbe9b383-7cf3-4331-91cc-a3cb16a3b538, id=204, and version=0 Additionally, only match start to stop if the PIDs are the same. <--> Authenticate User: Event-Based Start with provider=dbe9b383-7cf3-4331-91cc-a3cb16a3b538, id=1, and version=0 Event-Based Stop with provider=dbe9b383-7cf3-4331-91cc-a3cb16a3b538, id=2, and version=0 Additionally, only match start to stop if the PIDs are the same. <--> Prepare Themes: Event-Based Start with provider=dbe9b383-7cf3-4331-91cc-a3cb16a3b538, id=11, and version=0 Event-Based Stop with provider=dbe9b383-7cf3-4331-91cc-a3cb16a3b538, id=12, and version=0 Additionally, only match start to stop if the PIDs are the same. <--> Logon Event-Based Start with provider=dbe9b383-7cf3-4331-91cc-a3cb16a3b538, id=801, version=0, and Event=2 Event-Based Stop with provider=dbe9b383-7cf3-4331-91cc-a3cb16a3b538, id=802, version=0, and Event=2 Additionally, only match start to stop if the PIDs are the same. <--> Logon Event-Based Start with provider=dbe9b383-7cf3-4331-91cc-a3cb16a3b538, id=801, version=0, and Event=2 Event-Based Stop with provider=dbe9b383-7cf3-4331-91cc-a3cb16a3b538, id=802, version=0, and Event=2 Additionally, only match start to stop if the PIDs are the same. Instance based off payload field called "SubscriberName" in the start event. Children: Connect to Subscriber for Logon Call Subscriber for Logon Pended Notification for Logon Begin Logon <--> Connect to Subscriber for Logon Event-Based Start with provider=dbe9b383-7cf3-4331-91cc-a3cb16a3b538, id=809, and version=0 Event-Based Stop with provider=dbe9b383-7cf3-4331-91cc-a3cb16a3b538, id=810, and version=0 Additionally, only match start to stop if the PIDs are the same. Additionally, only match to a parent if the parent shares this same PID. Instance based off payload field called "SubscriberName" in the start event. <--> Call Subscriber for Logon Event-Based Start with provider=dbe9b383-7cf3-4331-91cc-a3cb16a3b538, id=811, version=0, and Event=2 Event-Based Stop with provider=dbe9b383-7cf3-4331-91cc-a3cb16a3b538, id=812, version=0, and Event=2 Additionally, only match start to stop if the PIDs are the same. Additionally, only match to a parent if the parent shares this same PID. Instance based off payload field called "SubscriberName" in the start event. <--> Pended Notification for Logon Event-Based Start with provider=dbe9b383-7cf3-4331-91cc-a3cb16a3b538, id=807, version=0, and Event=2 Event-Based Stop with provider=dbe9b383-7cf3-4331-91cc-a3cb16a3b538, id=812, version=0, and Event=2 Additionally, only match start to stop if the field "SubscriberName" is the same. Additionally, only match to a parent if the parent shares this same "SubscriberName" field. Instance based off payload field called "Message" in the start event. <--> End Subscribers for Logon <--> End Logon <--> Notify Themes: Event-Based Start with provider=dbe9b383-7cf3-4331-91cc-a3cb16a3b538, id=13, and version=0 Event-Based Stop with provider=dbe9b383-7cf3-4331-91cc-a3cb16a3b538, id=14, and version=0 Additionally, only match start to stop if the PIDs are the same. <--> Notify DWM: Event-Based Start with provider=dbe9b383-7cf3-4331-91cc-a3cb16a3b538, id=67, and version=0 Event-Based Stop with provider=dbe9b383-7cf3-4331-91cc-a3cb16a3b538, id=68, and version=0 Additionally, only match start to stop if the PIDs are the same. <--> End Notify Themes <--> Check License: Event-Based Start with provider=dbe9b383-7cf3-4331-91cc-a3cb16a3b538, id=5, and version=0 Event-Based Stop with provider=dbe9b383-7cf3-4331-91cc-a3cb16a3b538, id=6, and version=0 Additionally, only match start to stop if the PIDs are the same. <--> Restore Network Connections Event-Based Start with provider=dbe9b383-7cf3-4331-91cc-a3cb16a3b538, id=7, and version=0 Event-Based Stop with provider=dbe9b383-7cf3-4331-91cc-a3cb16a3b538, id=8, and version=0 Additionally, only match start to stop if the PIDs are the same. <--> Start Shell: Event-Based Start with provider=dbe9b383-7cf3-4331-91cc-a3cb16a3b538, id=801, version=0, and Event=12 Event-Based Stop with provider=dbe9b383-7cf3-4331-91cc-a3cb16a3b538, id=802, version=0, and Event=12 Additionally, only match start to stop if the PIDs are the same. Children: Subscribers for Start Shell Begin Start Shell <--> Subscribers for Start Shell: Event-Based Start with provider=dbe9b383-7cf3-4331-91cc-a3cb16a3b538, id=805, version=0, and Event=12 Event-Based Stop with provider=dbe9b383-7cf3-4331-91cc-a3cb16a3b538, id=806, version=0, and Event=12 Instance based off payload field called "SubscriberName" in the start event. Children: Connect to Subscriber for Start Shell Call Subscriber for Start Shell Pended Notification for Start Shell Begin Subscribers for Start Shell <--> Connect to Subscriber for Start Shell Event-Based Start with provider=dbe9b383-7cf3-4331-91cc-a3cb16a3b538, id=809, and version=0 Event-Based Stop with provider=dbe9b383-7cf3-4331-91cc-a3cb16a3b538, id=810, and version=0 Additionally, only match start to stop if the PIDs are the same. Additionally, only match to a parent if the parent shares this same PID. Instance based off payload field called "SubscriberName" in the start event. <--> Call Subscriber for Start Shell Event-Based Start with provider=dbe9b383-7cf3-4331-91cc-a3cb16a3b538, id=811, version=0, and Event=12 Event-Based Stop with provider=dbe9b383-7cf3-4331-91cc-a3cb16a3b538, id=812, version=0, and Event=12 Additionally, only match start to stop if the PIDs are the same. Additionally, only match to a parent if the parent shares this same PID. Instance based off payload field called "SubscriberName" in the start event. <--> Pended Notification for Start Shell Event-Based Start with provider=dbe9b383-7cf3-4331-91cc-a3cb16a3b538, id=809, version=0, and Event=12 Event-Based Stop with provider=dbe9b383-7cf3-4331-91cc-a3cb16a3b538, id=810, version=0, and Event=12 Additionally, only match start to stop if the field "SubscriberName" is the same. Additionally, only match to a parent if the parent shares this same "SubscriberName" field. Instance based off payload field called "Message" in the start event. <--> End Subscribers for Start Shell <--> End Start Shell <--> End Boot Winlogon Phase <--> Boot-ExplorerInit Event-Based Start with provider=30336ed4-e327-447c-9de0-51b652c86108, id=27230, version=0, and Flags=1056 Event-Based Stop with provider=30336ed4-e327-447c-9de0-51b652c86108, id=27231, version=0, and Flags-2080 <--> Create Explorer Process: Event-Based Start with provider=dbe9b383-7cf3-4331-91cc-a3cb16a3b538, id=10, and version=0 Event-Based Stop with provider=30336ed4-e327-447c-9de0-51b652c86108, id=9601, and version=0 <--> Init Explorer: Event-Based Start with provider=0336ed4-e327-447c-9de0-51b652c86108, id=9601, and version=0 Event-Based Stop with provider=30336ed4-e327-447c-9de0-51b652c86108, id=62170, version=0, and TaskName="AllLogonTasks" <--> Process RunOnce: Event-Based Start with provider=0336ed4-e327-447c-9de0-51b652c86108, id=9601, and version=0 Event-Based Stop with provider=30336ed4-e327-447c-9de0-51b652c86108, id=62170, version=0, and TaskName="AllLogonTasks" <--> Create Desktop: Event-Based Start with provider=30336ed4-e327-447c-9de0-51b652c86108, id=9611, and version=0 Event-Based Stop with provider=30336ed4-e327-447c-9de0-51b652c86108, id=9612, and version=0 Additionally, only match start to stop if the PIDs are the same. <--> Create Tray: Event-Based Start with provider=30336ed4-e327-447c-9de0-51b652c86108, id=9603, and version=0 Event-Based Stop with provider=30336ed4-e327-447c-9de0-51b652c86108, id=9604, and version=0 Additionally, only match start to stop if the PIDs are the same. <--> Launcher Show: Event-Based Start with provider=315a8872-923e-4ea2-9889-33cd4754bf64, id=2365, and version=0 Event-Based Stop with provider=315a8872-923e-4ea2-9889-33cd4754bf64, id=2366, and version=0 Additionally, only match start to stop if the PIDs are the same. <--> Startup Step: Event-Based Start with provider=30336ed4-e327-447c-9de0-51b652c86108, id=9648, and version=0 Event-Based Stop with provider=30336ed4-e327-447c-9de0-51b652c86108, id=9649, and version=0 Additionally, only match start to stop if the PIDs are the same. <--> Startup ParallelStep: Event-Based Start with provider=30336ed4-e327-447c-9de0-51b652c86108, id=9652, and version=0 Event-Based Stop with provider=30336ed4-e327-447c-9de0-51b652c86108, id=9653, and version=0 Additionally, only match start to stop if the PIDs are the same. <--> LogonPerformance TaskRunTime: Event-Based Start with provider=30336ed4-e327-447c-9de0-51b652c86108, id=62170, version=0, and TaskName!="AllLogonTasks" Event-Based Stop with provider=30336ed4-e327-447c-9de0-51b652c86108, id=62171, version=0, and TaskName!="AllLogonTasks" <--> End Boot Main Path <--> Console Session Disconnect Event-Based Start with provider=dbe9b383-7cf3-4331-91cc-a3cb16a3b538, id=801 version=0, and Event=8 Event-Based Stop with provider=dbe9b383-7cf3-4331-91cc-a3cb16a3b538, id=802 version=0, and Event=8 Additionally, only match start to stop if the PIDs are the same. <-->