Full Shutdown Begin Root Container <--> Logoff Request To User Feedback: Event-Based Start with provider=dbe9b383-7cf3-4331-91cc-a3cb16a3b538, id=6101, and version=0 Event-Based Stop with provider=dbe9b383-7cf3-4331-91cc-a3cb16a3b538, id=6102, version=0 Additionally, will only match start event to stop event when the PID is the same. <--> User Session Shutdown: Event-Based Start with provider=206f6dea-d3c5-4d10-bc72-989f03c8b84b, id=1, and version=0 Event-Based Stop with provider=206f6dea-d3c5-4d10-bc72-989f03c8b84b, id=2, version=0 Additionally, will only match start event to stop event when the PID is the same. <--> Shutdown Processes: Event-Based Start with provider=e8316a2d-0d94-4f52-85dd-1e15b66c5891, id=1, and version=0 Event-Based Stop with provider=e8316a2d-0d94-4f52-85dd-1e15b66c5891, id=2, version=0 Additionally, will only match start event to stop event when the PID is the same. Children: Shutdown Process Begin Shutdown Processes Container <--> Shutdown Process Event-Based Start with provider=9d55b53d-449b-4824-a637-24f9d69aa02f, id=12009, and version=1 Event-Based Stop with provider=9d55b53d-449b-4824-a637-24f9d69aa02f, id=12010, and version=1 Additionally, only match start to stop if the field "ProcessId" is the same. Instance based off payload field called "ProcessId" In the start event. This field is of type PID and will have a proces name associated with it as well as ID. <--> End Shutdown Processess <--> Winlogon Shutdown Children: Winlogon Notify Execute Begin Winlogon Shutdown Container <--> Winlogon End Shell Event-Based Start with provider=dbe9b383-7cf3-4331-91cc-a3cb16a3b538, id=801, and version=0 Event-Based Stop with provider=dbe9b383-7cf3-4331-91cc-a3cb16a3b538, id=802, and version=0 Additionally, only match start to stop if the PIDs are the same and start event field is 13. Children: Notify Subscriber Begin Winlogon End Shell <--> Notify Subscriber Event-Based Start with provider=dbe9b383-7cf3-4331-91cc-a3cb16a3b538, id=805, and version=0 Event-Based Stop with provider=dbe9b383-7cf3-4331-91cc-a3cb16a3b538, id=806, and version=0 Additionally, only match start to stop if the PIDs are the same. Instance based off payload field called "SubscriberName" in the start event. Children: Connect to Subscriber Call to Subscriber Notify Subscriber <--> Connect to Subscriber Event-Based Start with provider=dbe9b383-7cf3-4331-91cc-a3cb16a3b538, id=809, and version=0 Event-Based Stop with provider=dbe9b383-7cf3-4331-91cc-a3cb16a3b538, id=810, and version=0 Additionally, only match start to stop if the PIDs are the same. Instance based off payload field called "SubscriberName" in the start event. <--> Connect to Subscriber Event-Based Start with provider=dbe9b383-7cf3-4331-91cc-a3cb16a3b538, id=811, and version=0 Event-Based Stop with provider=dbe9b383-7cf3-4331-91cc-a3cb16a3b538, id=812, and version=0 Additionally, only match start to stop if the PIDs are the same. Instance based off payload field called "SubscriberName" in the start event. <--> End Notify Subscriber <--> End Winlogon Notify Execute <--> Winlogon Logoff Event-Based Start with provider=dbe9b383-7cf3-4331-91cc-a3cb16a3b538, id=801, and version=0 Event-Based Stop with provider=dbe9b383-7cf3-4331-91cc-a3cb16a3b538, id=802, and version=0 Additionally, only match start to stop if the PIDs are the same and start event field is 3. Children: Notify Subscriber Begin Winlogon Logoff <--> Notify Subscriber Event-Based Start with provider=dbe9b383-7cf3-4331-91cc-a3cb16a3b538, id=805, and version=0 Event-Based Stop with provider=dbe9b383-7cf3-4331-91cc-a3cb16a3b538, id=806, and version=0 Additionally, only match start to stop if the PIDs are the same. Instance based off payload field called "SubscriberName" in the start event. Children: Connect to Subscriber Call to Subscriber Notify Subscriber <--> Connect to Subscriber Event-Based Start with provider=dbe9b383-7cf3-4331-91cc-a3cb16a3b538, id=809, and version=0 Event-Based Stop with provider=dbe9b383-7cf3-4331-91cc-a3cb16a3b538, id=810, and version=0 Additionally, only match start to stop if the PIDs are the same. Instance based off payload field called "SubscriberName" in the start event. <--> Connect to Subscriber Event-Based Start with provider=dbe9b383-7cf3-4331-91cc-a3cb16a3b538, id=811, and version=0 Event-Based Stop with provider=dbe9b383-7cf3-4331-91cc-a3cb16a3b538, id=812, and version=0 Additionally, only match start to stop if the PIDs are the same. Instance based off payload field called "SubscriberName" in the start event. <--> End Notify Subscriber <--> End Winlogon Notify Execute <--> Winlogon Terminate Session Event-Based Start with provider=dbe9b383-7cf3-4331-91cc-a3cb16a3b538, id=801, and version=0 Event-Based Stop with provider=dbe9b383-7cf3-4331-91cc-a3cb16a3b538, id=802, and version=0 Additionally, only match start to stop if the PIDs are the same and start event field is 1. Children: Notify Subscriber Begin Winlogon Notify Execute <--> Notify Subscriber Event-Based Start with provider=dbe9b383-7cf3-4331-91cc-a3cb16a3b538, id=805, and version=0 Event-Based Stop with provider=dbe9b383-7cf3-4331-91cc-a3cb16a3b538, id=806, and version=0 Additionally, only match start to stop if the PIDs are the same. Instance based off payload field called "SubscriberName" in the start event. Children: Connect to Subscriber Call to Subscriber Notify Subscriber <--> Connect to Subscriber Event-Based Start with provider=dbe9b383-7cf3-4331-91cc-a3cb16a3b538, id=809, and version=0 Event-Based Stop with provider=dbe9b383-7cf3-4331-91cc-a3cb16a3b538, id=810, and version=0 Additionally, only match start to stop if the PIDs are the same. Instance based off payload field called "SubscriberName" in the start event. <--> Connect to Subscriber Event-Based Start with provider=dbe9b383-7cf3-4331-91cc-a3cb16a3b538, id=811, and version=0 Event-Based Stop with provider=dbe9b383-7cf3-4331-91cc-a3cb16a3b538, id=812, and version=0 Additionally, only match start to stop if the PIDs are the same. Instance based off payload field called "SubscriberName" in the start event. <--> End Notify Subscriber <--> End Winlogon Notify Execute <--> End Winlogon Shutdown <--> Pre-Shutdown Notification Event-Based Start with provider=206f6dea-d3c5-4d10-bc72-989f03c8b84b, id=3, and version=0 Event-Based Stop with provider=206f6dea-d3c5-4d10-bc72-989f03c8b84b, id=4, and version=0 Additionally, only match start to stop if the PIDs are the same. <--> System Session Shutdown Event-Based Start with provider=206f6dea-d3c5-4d10-bc72-989f03c8b84b, id=9, and version=0 Event-Based Stop with provider=206f6dea-d3c5-4d10-bc72-989f03c8b84b, id=10, and version=0 Additionally, only match start to stop if the PIDs are the same. <--> Shutdown Services Children: Shutdown Service Begin Shutdown Services Container <--> Shutdown Service Event-Based Start with provider=0063715b-eeda-4007-9429-ad526f62696e, id=105, version=0, CurrentState=4, and ExecutionPhase=3 Event-Based Stop with provider=0063715b-eeda-4007-9429-ad526f62696e, id=105, version=0, and CurrentState=1 Additionally, only match start to stop if the field "ServiceName" is the same. Instance based off payload field called "ServiceName" in the start event. <--> End Shutdown Services <--> UNSUPPORTED REGION: In future versions, this will contain the following region: Post On/Off Region-Based Start based off the stop of region: d8d639a0-cf4c-45fb-976a-000000000200 (System Session Shutdown) Trace-Based Stop Additionally, only match start to stop if the PIDs are the same. Children: NT Shutdown System Pre-Sleep Callbacks Flush Storage Volumes Shutdown Devices Zero Page File IO Shutdown System CM Shutdown System Instead, this region is being made a container. <--> NT Shutdown System Event-Based Start with provider=206f6dea-d3c5-4d10-bc72-989f03c8b84b, id=8, and version=0 Event-Based Stop with provider=206f6dea-d3c5-4d10-bc72-989f03c8b84b, id=51, and version=0 <--> PreSleep Callbacks Event-Based Start with provider=331c3b3a-2005-44c2-ac5e-77220c37d6b4, id=68, and version=0 Event-Based Stop with provider=331c3b3a-2005-44c2-ac5e-77220c37d6b4, id=69, and version=0 <--> Flush Storage Volumes Event-Based Start with provider=331c3b3a-2005-44c2-ac5e-77220c37d6b4, id=45, and version=0 Event-Based Stop with provider=331c3b3a-2005-44c2-ac5e-77220c37d6b4, id=46, and version=0 Additionally, only match start to stop if the PIDs are the same. <--> Shutdown Device Event-Based Start with provider=331c3b3a-2005-44c2-ac5e-77220c37d6b4, id=46, and version=0 Event-Based Stop with provider=331c3b3a-2005-44c2-ac5e-77220c37d6b4, id=49, and version=0 <--> Zero Page File Event-Based Start with provider=331c3b3a-2005-44c2-ac5e-77220c37d6b4, id=49, and version=0 Event-Based Stop with provider=331c3b3a-2005-44c2-ac5e-77220c37d6b4, id=50, and version=0 Additionally, only match start to stop if the PIDs are the same. <--> IO Shutdown System Event-Based Start with provider=331c3b3a-2005-44c2-ac5e-77220c37d6b4, id=51, and version=0 Event-Based Stop with provider=331c3b3a-2005-44c2-ac5e-77220c37d6b4, id=52, and version=0 Additionally, only match start to stop if the PIDs are the same. <--> CM Shutdown System Event-Based Start with provider=331c3b3a-2005-44c2-ac5e-77220c37d6b4, id=55, and version=0 Event-Based Stop with provider=331c3b3a-2005-44c2-ac5e-77220c37d6b4, id=56, and version=0 Additionally, only match start to stop if the PIDs are the same. <--> End Shutdown System <-->