Inside Battlefield 6’s Anti‑Cheat

This article explains the structure of Battlefield 6's anti‑cheat system and catalogs the event names. The focus is on what each name represents from a defensive and diagnostics perspective. Nothing here is intended for bypassing or weakening security controls.

  • Detection_*: Integrity or policy violations observed by the driver, service, or in‑game module.
  • TelemetryEventType_*: Context and diagnostics to help the system measure health, timing, configuration, and suspicious but non‑blocking conditions.
  • TelemetryExitEventType_*: Reasons the anti‑cheat stack or game session decided to stop early or abort.

System Overview

  • Kernel driver
    • Verifies executable images (drivers, game modules); checks import tables and relocations; validates dispatch tables (SSDT/IDT/HAL); watches for manual mapping, RWX pages, DKOM, and hidden threads/drivers; surveys CPU protections (DEP/SMEP/KVA/HVCI); samples PT/PMU; observes EPT usage and guarded regions; tracks ETW activity; inspects DMA/USB/PCIe anomalies.
  • User‑mode service (bridge/service process)
    • Coordinates with the driver, mediates IPC with the game, validates signatures and checksums, manages guarded region setup, samples call stacks, uploads telemetry, and enforces startup/shutdown hygiene.
  • In‑game components (bridge)
    • Verifies game code/data boundaries, validates call stacks around executable pages, monitors module ranges, interacts with guard pages, and reacts to integrity alerts from the driver.
  • Backend
    • Distributes deny/allow lists, signature metadata, platform attestation policies, and thresholds; aggregates telemetry for tuning and investigations.

Signal Types

  • Detection_*: Enforcement‑leaning conditions (e.g., tampered kernel structures, unsigned drivers, manual mapping, illegal executable pages, guarded region violations).
  • TelemetryEventType_*: Health, timing, and configuration (e.g., Secure Boot state, PT/PMU setup, image load info, module ranges, USB/PCIe snapshots).
  • TelemetryExitEventType_*: Controlled shutdown reasons (e.g., missing rights, thread creation failure, signature service not reachable, integrity pipeline errors).
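
The prefix taxonomy above, applied to a list of event names as an added example (not code from the game or its anti‑cheat vendor): it buckets names by signal class, tags the sensor named at the start of a condition, and surfaces conditions that appear under both Detection_ and TelemetryEventType_. The sample list is constructed from names in the glossaries on this page, `AntiCheat_Unknown` is a made-up non-matching name, and the function names are assumptions.

```python
import re
from collections import defaultdict

# The three signal classes the article defines, keyed by name prefix.
SIGNAL_CLASSES = {
    "Detection_": "detection",
    "TelemetryEventType_": "telemetry",
    "TelemetryExitEventType_": "exit",
}

# Enum bookkeeping entries the glossary marks as placeholders, not real signals.
PLACEHOLDERS = {"Detection_None", "Detection_Num"}

# Sensor named at the start of a condition (ETW, PMU, PT, NMI, DMA). The token
# must be followed by a capital, so "PT" matches "PTStopPacketFound" but a word
# that merely begins with those letters does not.
_SENSOR = re.compile(r"^(?i:etw|pmu|pt|nmi|dma)(?=[A-Z])")


def classify(name):
    """Return (signal_class, condition, sensor); sensor is None if not named."""
    for prefix, signal_class in SIGNAL_CLASSES.items():
        if name.startswith(prefix) and len(name) > len(prefix):
            condition = name[len(prefix):]
            match = _SENSOR.match(condition)
            sensor = match.group(0).upper() if match else None
            return signal_class, condition, sensor
    raise ValueError(f"not an anti-cheat event name: {name!r}")


def triage(names):
    """Bucket event names and report conditions seen in two signal classes."""
    by_class = defaultdict(set)
    by_sensor = defaultdict(set)
    skipped, unrecognized = [], []
    for name in names:
        if name in PLACEHOLDERS:
            skipped.append(name)
            continue
        try:
            signal_class, condition, sensor = classify(name)
        except ValueError:
            unrecognized.append(name)
            continue
        by_class[signal_class].add(condition)
        if sensor:
            by_sensor[sensor].add(name)
    # The same condition can exist as a Detection_ and as a TelemetryEventType_
    # entry; when both fire in one session they are worth reading together.
    corroborated = sorted(by_class["detection"] & by_class["telemetry"])
    return {
        "by_class": {k: sorted(v) for k, v in by_class.items()},
        "by_sensor": {k: sorted(v) for k, v in by_sensor.items()},
        "corroborated": corroborated,
        "skipped": skipped,
        "unrecognized": unrecognized,
    }


# Constructed sample: names taken from the glossaries, order and mix invented.
SAMPLE = [
    "Detection_DenylistedHv",
    "TelemetryEventType_DenylistedHv",
    "Detection_EtwWriteVm",
    "Detection_PMUTamperedFlags",
    "Detection_PmuMonitoredDriverUnsignedCallerProcess",
    "Detection_PTStopPacketFound",
    "TelemetryEventType_DmaPciBusConfig",
    "TelemetryEventType_BootTime",
    "Detection_None",
    "AntiCheat_Unknown",  # constructed, not a name from this page
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```
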

Detection_* Glossary

  • Detection_ActiveDriverIo: A driver is actively issuing I/O to the game or system in a pattern associated with manipulation.
  • Detection_ActiveManualMappedExecutableCodeInGame: Executable code mapped without the normal loader was found running inside the game.
  • Detection_Alpc: Suspicious ALPC use tied to tampering or privileged broker messaging.
  • Detection_Apc: Unusual APC usage linked to code injection or thread hijack.
  • Detection_AttachedDevice: A driver attached a device object in a suspicious way (e.g., filter‑like hiding).
  • Detection_AttachingApcBlockingSystemThread: An APC attached to a system thread in a way that blocks or abuses its execution.
  • Detection_AttachingSystemThreadFromInterruptFrame: A system thread was attached or initiated from an interrupt frame context (abnormal).
  • Detection_AutoHotKey: AutoHotKey activity detected and tied to sensitive hooks or send‑input usage.
  • Detection_AVHypervisorWithoutVendor: A hypervisor is present but reports no vendor or mismatched vendor identity.
  • Detection_BlockedUntrustedImage: An untrusted image load was prevented.
  • Detection_BootPartitionTampering: Suspicious changes to the boot partition layout or content.
  • Detection_ChangedDisplayAffinity: Display affinity flags were altered in a suspicious context (overlay/obfuscation).
  • Detection_ChangedDynamicOptions: Process mitigation options changed unexpectedly (e.g., ACG/CFG toggles).
  • Detection_ChecksumChangeGameBridge: Game bridge image or data checksum changed during runtime.
  • Detection_ChecksumMismatch: Image checksum mismatch against expected metadata.
  • Detection_ChecksumMismatchRWX: RWX region checksum mismatch (self‑modifying or injected code).
  • Detection_ConfigTamper: Configuration for the anti‑cheat stack appears altered or corrupted.
  • Detection_CreatedUserThreadFromKernel: A user‑mode thread was created by a kernel component in an abnormal path.
  • Detection_CsrssAccess: Suspicious CSRSS access rights or handle patterns.
  • Detection_CsrssFileIdSpoof: CSRSS file identity spoof indicators.
  • Detection_CsrssIntegrity: Integrity violation involving CSRSS structures or handles.
  • Detection_CuteHookIntegrity: Integrity check related to a vendor component “CuteHook” indicates tampering.
  • Detection_CuteHookManuallyMappedPageFaulted: CuteHook detected manual‑mapped pages generating faults.
  • Detection_DPCCallbackViolation: DPC callback used in an unexpected or unsafe manner.
  • Detection_DPCDeactivated: DPC deactivation in a context that suggests sabotage.
  • Detection_DPCDeviceIoControlChange: DeviceIoControl entry point or behavior altered via DPC.
  • Detection_DPCFunctionTableChange: Function table involved in DPC processing modified.
  • Detection_DSE: Code integrity configuration inconsistent with policy (e.g., Driver Signature Enforcement compromised).
  • Detection_DebuggerAttached: Debugger presence where prohibited.
  • Detection_DenylistedDriver: Driver on a deny list was loaded or observed.
  • Detection_DenylistedDriverKernelHashBucketList: Driver found via kernel's hash bucket scanning matches deny list.
  • Detection_DenylistedDriverShortName: Driver short name matches deny list entry.
  • Detection_DenylistedDriverTimedateStamp: PE timestamp matches denylisted driver signature.
  • Detection_DenylistedErasedDriverKernelHashBucketList: Erased/unbacked driver remnants found via hash buckets.
  • Detection_DenylistedHv: Hypervisor identified on deny list.
  • Detection_DenylistedPooltag: Suspicious pool tag use matching denylisted patterns.
  • Detection_DepDisabled: DEP/NX protections disabled or inconsistent.
  • Detection_DevPhysMemMappingProcess: Process mapping \Device\PhysicalMemory in a suspicious pattern.
  • Detection_DevPhysMemUser: User‑mode access to physical memory interfaces detected.
  • Detection_DirectKernelVirtualGameMemoryAllocation: Kernel allocated virtual memory directly in the game without standard APIs.
  • Detection_DiskSerialSpoofer: Disk serial characteristics altered or masked.
  • Detection_DriverCallbacks: Driver callback vectors altered or abused.
  • Detection_DriverChecksumFailure: Driver checksum failed integrity verification.
  • Detection_DriverCodeCaveTamper: Executable padding/code cave in a driver contains injected code.
  • Detection_DriverExecutableSection: A driver contains unexpected executable sections or permissions.
  • Detection_DriverFuncPtrTamper: Driver function pointer mutated to redirect execution.
  • Detection_DriverIATTamper: Driver Import Address Table modified.
  • Detection_DriverImportControlGuardTamper: Import‑related control guard violated or patched.
  • Detection_DriverKdInitTamper: Tamper found in driver initialization path (KdInit or similar).
  • Detection_DriverPeImageMismatch: In‑memory driver image does not match on‑disk PE.
  • Detection_DriverTamperedFunctionOverride: Driver function body replaced or hooked.
  • Detection_DriverTamperedFunctionPadding: Padding bytes of a function altered (trampoline staging).
  • Detection_DriverTamperedFunctionPointerTableEntry: Function pointer table entry modified for redirection.
  • Detection_DriverTamperedRelocation: PE relocations appear patched.
  • Detection_DriverWorkingSetAllocation: Driver performed suspicious working set memory allocations.
  • Detection_DuplicatedSharedMemoryHandle: Shared memory handle duplication used for cross‑process tampering.
  • Detection_DxgkInterfaceExploit: Abuse of DXGK interfaces for stealth or memory access.
  • Detection_DxgkrnlGlobalPagedPoolHooked: dxgkrnl global paged pool data was hooked.
  • Detection_EfiRuntimeServiceDriver: UEFI runtime driver activity inconsistent with policy.
  • Detection_EptHook: EPT‑based page hooking detected.
  • Detection_EtwAllocVm: ETW‑related allocation in VM patterns that suggest tampering.
  • Detection_EtwAllocVmKernel: Kernel allocation associated with ETW misuse.
  • Detection_EtwFrequentCsrssGameAccess: Frequent CSRSS access linked to the game process via ETW.
  • Detection_EtwFrequentLsassGameServiceAccess: LSASS access patterns surfaced via ETW from the game service.
  • Detection_EtwHiddenDpc: DPC observed only through ETW traces (hidden elsewhere).
  • Detection_EtwKernelApc: Kernel APC activity illuminated by ETW as suspicious.
  • Detection_EtwManuallyMappedIpi: IPI activity sourced from manually mapped code.
  • Detection_EtwMapView: MZ/section map activity flagged via ETW.
  • Detection_EtwMapViewKernel: Kernel map view activity consistent with injection.
  • Detection_EtwProcessSuspend: Suspicious process suspend detected with ETW correlation.
  • Detection_EtwProtectVm: Page protection changes correlated in ETW.
  • Detection_EtwProtectVmKernel: Kernel‑initiated protect changes correlated in ETW.
  • Detection_EtwReadVm: Read process memory patterns logged by ETW.
  • Detection_EtwThreadContext: Thread context manipulation via ETW observations.
  • Detection_EtwThreadContextKernel: Kernel context changes on threads via ETW.
  • Detection_EtwThreadSuspend: Thread suspension patterns via ETW.
  • Detection_EtwUserApc: User APC events suggest injection.
  • Detection_EtwWriteVm: Write process memory activity via ETW tracing.
  • Detection_ExceptionHandlerHook: VEH/SEH callbacks modified.
  • Detection_ExecutableCodeDetected: Executable code where no mapped image should exist.
  • Detection_ExecutableSegmentCallstackUnexpectedInstr: Executable segment contains unexpected instruction patterns when validating call stack context.
  • Detection_ExecutableSegmentCallstackUnexpectedJmpInstr: Unexpected JMP patterns near call stack transitions.
  • Detection_ExecutableSegmentCallstackViolation: Call stack validation failed for an executable region.
  • Detection_ExecutableSegmentCallstackWrongImportInstr: Import‑driven call sequences do not match expected instruction forms.
  • Detection_ExecutableSharedUserPage: Shared user page marked executable.
  • Detection_ExecutableSmallblockPage: Small executable allocations indicative of shellcode.
  • Detection_ExecutableThemidaCodeDetected: Themida‑packed code in a forbidden region.
  • Detection_ExecutableUserCodeInKernel: User code pointers executed in kernel context.
  • Detection_ExecutableVmProtect3CodeDetected: VMProtect v3 traits in protected regions.
  • Detection_ExecutableVmProtectCodeDetected: VMProtect traits observed.
  • Detection_ExpiredDriver: Driver signature expired.
  • Detection_ExposedKernelMemory: Kernel memory unintentionally exposed to user space.
  • Detection_FakeLsassProcess: A process masquerading as LSASS.
  • Detection_FaultHook: Page fault interception used as a hook method.
  • Detection_FoundGameRDataMismatch: Read‑only data section of the game differs from expected.
  • Detection_FoundInstrumentationCallback: Instrumentation callback installed in an unexpected way.
  • Detection_FoundKernelHandleFromDiscardableSection: Kernel handle created from code running in a discardable section.
  • Detection_FoundKernelHandleFromManuallyMappedDriver: Kernel handle created by a manually mapped driver.
  • Detection_FoundKernelHandleNonBackedImage: Kernel handle created by an unbacked image.
  • Detection_FunctionTableTamper: Function table modified (system or driver).
  • Detection_GDITamperedDrawingProcess: GDI drawing process modified to overlay or intercept.
  • Detection_GameBridgeCodeCaveAddr: Code cave location within the game bridge identified.
  • Detection_GameBridgeValuesChanged: Runtime changes to bridge control values.
  • Detection_GameFileIdSpoof: File ID for the game executable or DLL spoofed.
  • Detection_GameModuleChecksumMismatch: Game module checksum mismatch.
  • Detection_GameModuleChecksumMismatchFothk: Checksum mismatch tied to a specific hook family (FoTHk).
  • Detection_GameModuleChecksumMismatchRwx: Checksum mismatch in a RWX region of a game module.
  • Detection_GameModuleMismatchC3: Mismatch detected around C3/RET patterns (patched returns).
  • Detection_GamePageTableIntegrityFailure: Page table entries for the game process fail integrity checks.
  • Detection_GamePageTableTampering: Game process page tables modified outside policy.
  • Detection_GameProcessIdTamper: Game process PID spoofed or altered.
  • Detection_GameThreadSpoofing: Thread identity or start address spoofed within the game.
  • Detection_GuardedRegionContextSwitchEventDetected: Context switch evidence indicating guarded region interference.
  • Detection_GuardedRegionHighNmiCount: Elevated NMI rate where guarded regions are in play.
  • Detection_GuardedRegionNoInitialAllowlistThreadCount: Missing expected allowlist baseline in guarded regions.
  • Detection_GuardedRegionNoSwaps: Guarded region never swapped when swaps are expected.
  • Detection_GuardedRegionUnused: Guarded region was created but not used as expected.
  • Detection_GuardedRegionViolation: Access violation within or against a guarded region.
  • Detection_HalDispatchTableExploit: HAL dispatch table altered.
  • Detection_HalPrivateDispatchTableExploit: HAL private dispatch table altered.
  • Detection_HandleElevation: Process or handle elevated to privileges not granted by policy.
  • Detection_HandleRetainAccessExploit: Retained handle access exploited to bypass restrictions.
  • Detection_HardwareBreakpoints: Hardware breakpoints active in suspect contexts.
  • Detection_HiddenMemory: Memory not discoverable via standard enumeration.
  • Detection_HiddenProcess: Process hidden via DKOM or similar.
  • Detection_HiddenSystemThread: System thread hidden or unlisted.
  • Detection_HiddenUnlinkedSystemThread: System thread detached from standard lists.
  • Detection_HidingFileFilter: File filter driver used to hide files.
  • Detection_HookedDriver: Driver entry points or vectors hooked.
  • Detection_HookedFunctionTable: Hooked function table discovered.
  • Detection_HwBp: Hardware breakpoint usage associated with tampering.
  • Detection_HwidMonitorEdidMismatch: Display EDID mismatch relative to prior hardware ID state.
  • Detection_HyperVIsNotHyperV: Claimed Hyper‑V presence contradicts hardware state.
  • Detection_HypercallExploit: Hypercall misuse patterns observed.
  • Detection_Hyperion: Vendor module “Hyperion” reported anomalous behavior.
  • Detection_IATHook: Import Address Table hook found.
  • Detection_IATInjection: IAT used to inject/redirect calls.
  • Detection_Idt: Interrupt Descriptor Table modified.
  • Detection_ImageCallbacksDisabled: Image load callbacks disabled or tampered.
  • Detection_InfinityHookDetectedManuallyMappedGroupMaskModification: Group mask modification via manually mapped InfinityHook‑like code.
  • Detection_InfinityHookInactive: Expected InfinityHook guard component inactive or bypassed.
  • Detection_InterruptServiceRoutine: ISR replaced or altered.
  • Detection_InvalidTpmStartMethod: TPM start method inconsistent with expected flow.
  • Detection_IrpHook: IRP major function table hook.
  • Detection_KernelCallbackTableHook: Kernel callback table tampered.
  • Detection_KernelDebugger: Kernel debugging detected.
  • Detection_KernelDebuggerEx: Extended kernel debugging state present.
  • Detection_KernelDebuggerMeasureBootLog: Measured boot data indicates debugging during boot.
  • Detection_KernelExceptionHandlerHook: Kernel exception handler altered.
  • Detection_KernelFileHook: File system hooks in kernel paths.
  • Detection_KernelSharedGameProcessMemory: Kernel mapped shared memory into the game unexpectedly.
  • Detection_KernelTrap: Trap handling modified.
  • Detection_LocalSocket: Local socket channel used to control injected code or overlay.
  • Detection_ManualMappedAttachingSystemThread: System thread attachment originating from manually mapped code.
  • Detection_ManualMappedExecutableCodeInGame: Manual‑mapped executable code detected in the game.
  • Detection_ManualMappedNonRegularSystemThreadActive: Non‑standard system thread from manual mapping is running.
  • Detection_ManualMappedSystemThreadJmpRcx: JMP RCX style trampoline in a manually mapped system thread.
  • Detection_ManualMappedSystemThreadRuntime: Runtime activity from manually mapped system thread.
  • Detection_ManualMappedThread: Manually mapped thread present.
  • Detection_ManualThreadSyscall: Manual thread invoking syscalls outside normal loader context.
  • Detection_ManuallyMappedFilesystemDriver: File system driver loaded via manual map.
  • Detection_ManuallyMappedKernelExceptionHandler: Kernel exception handler installed from manual map.
  • Detection_ManuallyMappedRegistryAccess: Registry callbacks set up by a manual map.
  • Detection_ManuallyMappedSymLinkCallback: Symlink callback installed by a manual map.
  • Detection_MinifilterDisabled: Minifilter unexpectedly disabled.
  • Detection_MinifilterPingFailure: Health ping to minifilter failed.
  • Detection_MismatchingBootApplicationDigest: Boot application digest mismatch.
  • Detection_MissingLoadedDriverFile: Loaded driver has no corresponding file on disk.
  • Detection_Msr: MSR manipulation inconsistent with policy.
  • Detection_MultipleMouseDriver: Multiple mouse class drivers present in a suspicious configuration.
  • Detection_NasaMapper: Reference to a known mapper technique or driver nickname (“NasaMapper”).
  • Detection_NmiHiddenThread: Hidden thread discovered during NMI scan.
  • Detection_NmiInitKdbgCode: KD initialization code surfaced during NMI.
  • Detection_NmiManuallyMappedCode: Manual map discovered via NMI context walk.
  • Detection_NoRuntimePatchguard: PatchGuard not active when expected.
  • Detection_NonListedGameModule: Game module not present in allow list.
  • Detection_None: Placeholder.
  • Detection_Num: Enumeration count placeholder.
  • Detection_ObCallbackRemoved: Object callbacks removed or unregistered unexpectedly.
  • Detection_ObPingMismatch: Object manager ping check reported mismatch.
  • Detection_ObPingThreadKill: Thread killed during object manager ping activity.
  • Detection_ObPingThreadSuspension: Thread suspension during object manager ping.
  • Detection_ObjectReferenceFromCodeCave: Object referenced from code cave address.
  • Detection_ObjectReferenceFromDiscardableSection: Object referenced from a discardable section.
  • Detection_ObjectReferenceFromIllegalSection: Object referenced from illegal section.
  • Detection_ObjectReferenceFromInterruptFrame: Object reference initiated from interrupt frame.
  • Detection_ObjectReferenceFromManuallyMappedDriver: Object reference traced to manually mapped driver.
  • Detection_ObjectReferenceNonBackedImage: Object reference from non‑backed image.
  • Detection_OverlayIPCHijack: Overlay IPC channel hijacked.
  • Detection_OverlayWindow: Overlay window found linked to tampering.
  • Detection_PMUAttachingSystemThread: PMU trace aligns with system thread attachment behavior.
  • Detection_PMUAttachingUserThread: PMU trace aligns with user thread attachment.
  • Detection_PMUEptHypervisorPresent: PMU/EPT patterns indicate a hypervisor present.
  • Detection_PMUGameSystemProcessPage: PMU event references game/system page boundary activity.
  • Detection_PMUManuallyMappedGameProcessPage: PMU shows manual‑mapped page access in the game.
  • Detection_PMUManuallyMappedSystemProcessPage: PMU shows manual‑mapped page in a system process.
  • Detection_PMUManuallyMappedUserProcessPage: PMU shows manual‑mapped page in a user process.
  • Detection_PMUTamperedFlags: PMU flags altered.
  • Detection_PPLRemoval: Protected Process Light attributes removed or downgraded.
  • Detection_PTManualMappedAttachingThread: PT shows attaching thread from manual map.
  • Detection_PTManuallyMappedGamePage: PT reveals manual‑mapped page in the game.
  • Detection_PTManuallyMappedKernelPage: PT reveals manual‑mapped kernel page.
  • Detection_PTManuallyMappedUserProcessPage: PT reveals manual‑mapped page in user process.
  • Detection_PTStopPacketFound: PT stop packet indicates trace interference.
  • Detection_PTTamperedFlags: Processor Trace flags manipulated.
  • Detection_PidChanged: PID flip or spoof observed.
  • Detection_PmuMmapIospaceDriverUnsignedCallerProcess: PMU shows IO space mapping by a driver on behalf of an unsigned caller process.
  • Detection_PmuMonitoredDriverUnsignedCallerProcess: PMU shows monitored driver activity for an unsigned caller process.
  • Detection_Probe: Probe event marked as a detection (rare, likely internal testing).
  • Detection_ProcessHandleRights: Process handle rights exceed policy.
  • Detection_ProtectedProcessIntegrity: Protected process integrity violation.
  • Detection_RegisteredKernelCallbackViolation: Registered callback fails integrity or provenance checks.
  • Detection_RevokedDriver: Driver certificate revoked.
  • Detection_RuntimeUnsignedDriver: Unsigned driver loaded during runtime.
  • Detection_SeCiCallbacksExploit: Security/CI callbacks altered or bypassed.
  • Detection_SelfRuntimeDriverChecksumMismatch: Self‑integrity check of the anti‑cheat driver failed.
  • Detection_SelfRuntimeDriverChecksumMismatchGriffin: Same as above, Griffin variant.
  • Detection_SelfRuntimeDriverChecksumMismatchInit: Self‑integrity failed during init path.
  • Detection_SetWindowsHookEx: System‑wide hook chain used in a suspicious fashion.
  • Detection_SharedMemory: Shared memory used to control or spy on the game.
  • Detection_Shim: Application compatibility shim abused for injection.
  • Detection_SignChangedGameDll: Authenticode signature of a game DLL changed or invalid.
  • Detection_SignatureFunctionSetBypass: Anti‑cheat signature function set tampered to bypass validation.
  • Detection_SignatureRegistryBypass: Registry‑based bypass of signature checks.
  • Detection_SmepDisabled: SMEP disabled or not enforced.
  • Detection_Ssdt: SSDT altered.
  • Detection_SteamOverlayTmpUnsigned: Temporary Steam overlay binary unsigned.
  • Detection_SteamOverlayUnsigned: Steam overlay state unsigned.
  • Detection_SteamUnsigned: Steam client or module unsigned in this context.
  • Detection_SwapContextHookHalChanged: swapcontext/HAL path changed.
  • Detection_SysFirmwareTables: System firmware table anomalies.
  • Detection_SystemLoadedGameImage: The game image was loaded by a system process unexpectedly.
  • Detection_SystemThreadDKOM: System thread hidden via DKOM.
  • Detection_SystemThreadStartAddress: Suspicious system thread start address.
  • Detection_SystemThreadStartAddressCodecave: System thread started inside a code cave.
  • Detection_SystemThreadStartAddressDetour: Start address detoured.
  • Detection_SystemThreadStartAddressDiscardableSection: Start address in a discardable section.
  • Detection_SystemThreadStartAddressIllegalSection: Start address in an illegal section.
  • Detection_SystemThreadWithInterruptFrame: System thread linked to interrupt frame activity.
  • Detection_TamperedDeviceFlags: Device object flags manipulated.
  • Detection_TestsigningOn: Test signing mode is on.
  • Detection_TestsigningOnMeasureBootLog: Measured boot log shows test signing.
  • Detection_Theia: Vendor module “Theia” reports anomaly.
  • Detection_TheiaExit: Theia indicates early exit due to anomaly.
  • Detection_ThreadHandleRights: Thread handle rights exceed policy.
  • Detection_ThreadPreviousMode: Thread previous mode inconsistent (user/kernel).
  • Detection_TianoCoreEfiApplication: TianoCore EFI application present unexpectedly.
  • Detection_TlsCallbackExploit: TLS callbacks abused for payload.
  • Detection_TpmHwidMismatch: TPM hardware identity mismatch across sessions.
  • Detection_UniversalSerialBusAnomaly: USB topology or device behavior anomaly.
  • Detection_UnknownHv: Unknown hypervisor present.
  • Detection_UnknownHvActiveSpoofing: Active spoofing by a hypervisor suspected.
  • Detection_UnknownHvLikelyEdr: Unknown hypervisor resembles EDR/monitor tooling.
  • Detection_UnknownStackGadget: Return‑oriented gadget path unknown or suspicious.
  • Detection_UnlinkedDriver: Driver object present without module linkage.
  • Detection_UnloadedDenylistedDriver: Unloaded driver traces match deny list.
  • Detection_UnloadedExpiredDriver: Unloaded driver traces show expired signing.
  • Detection_UnloadedRevokedDriver: Unloaded driver traces show revoked signing.
  • Detection_UnloadedUnsignedDriver: Unloaded driver traces show unsigned state.
  • Detection_UnsignedBootModule: Boot module unsigned.
  • Detection_UnsignedDriver: Unsigned driver loaded.
  • Detection_UnsignedLoadedGameModule: Unsigned module loaded into the game.
  • Detection_UnsignedMicrosoftSystemProcess: A Microsoft‑labelled system process was reported with an unsigned image.
  • Detection_UnsignedProcessRegistryCalls: Registry calls from unsigned process flagged in sensitive contexts.
  • Detection_UnsignedProtectedProcess: Protected process without valid signing attributes.
  • Detection_UntrustedGameServiceImageLoad: Game service attempted to load untrusted image.
  • Detection_UntrustedImageLoad: Untrusted image load detected.
  • Detection_UnusedGuardedRegionBlocks: Guarded region blocks never allocated/used as expected.
  • Detection_UserApc: User‑mode APC patterns tied to injection.
  • Detection_UserDebugger: User‑mode debugger detected.
  • Detection_UserInputBitblt: BitBlt used by a process to synthesize or overlay input.
  • Detection_VirtualMappingManualCode: Virtual mapping created to host manual shellcode.
  • Detection_WerFaultUnsigned: Windows Error Reporting component unsigned in this context.
  • Detection_WppHook: WPP tracing path hooked.
  • Detection_WriteProtDisabled: Write protection disabled on CR0 or equivalent.

TelemetryEventType_* Glossary

  • TelemetryEventType_ACGDisabled: Arbitrary Code Guard disabled.
  • TelemetryEventType_ACGFailure: ACG enforcement failed during a check.
  • TelemetryEventType_AbnormalBootPartitionFileSize: Boot partition file size differs from expected norms.
  • TelemetryEventType_ActiveKernelFileIoEtw: Kernel file I/O events active via ETW.
  • TelemetryEventType_AdvancedHvStats: Aggregated stats about hypervisor activity.
  • TelemetryEventType_AllowedChildProcessCreation: A child process creation was allowed and logged.
  • TelemetryEventType_AllowedLauncherValidationFailure: Launcher validation failed but was allowed under policy.
  • TelemetryEventType_AllowedManuallyMappedGameModule: Manual‑mapped module seen but allowed (monitoring mode).
  • TelemetryEventType_AllowedUnsignedImageLoad: Unsigned image load observed but allowed (monitoring).
  • TelemetryEventType_AntivirusProduct: Antivirus product inventory data.
  • TelemetryEventType_AppCertDetection: AppCert DLL injection path observed.
  • TelemetryEventType_AppInitDetection: AppInit_DLLs mechanism observed.
  • TelemetryEventType_AppliedDynamicOptions: Process mitigation options applied dynamically.
  • TelemetryEventType_BackendOptionsTimeout: Backend options retrieval timed out.
  • TelemetryEventType_BgContextNotInitialized: Background context not initialized yet.
  • TelemetryEventType_BitBltProcess: Process using BitBlt for drawing.
  • TelemetryEventType_BlockedChildProcessCreation: Attempted child process creation blocked.
  • TelemetryEventType_BlockedDenylistedDriver: Denylisted driver blocked from loading.
  • TelemetryEventType_BlockedExpiredDriver: Expired driver prevented from loading.
  • TelemetryEventType_BlockedGameModuleWithRwx: Module with RWX blocked in the game.
  • TelemetryEventType_BlockedKernelFileGetFileIdFailed: Block due to inability to get kernel file ID.
  • TelemetryEventType_BlockedKernelFileInitAllowlistedDriver: Kernel file initialization blocked despite allowlist mismatch.
  • TelemetryEventType_BlockedKernelFileInitFailure: Kernel file init failure triggered a block.
  • TelemetryEventType_BlockedKernelFileLoad: Kernel file load blocked.
  • TelemetryEventType_BlockedKernelFileLoadFailed: Load attempt failed after block.
  • TelemetryEventType_BlockedKernelNonExecutableSectionSync: Non‑executable section sync blocked in kernel.
  • TelemetryEventType_BlockedKernelSectionSync: Section synchronization blocked in kernel.
  • TelemetryEventType_BlockedLegacyFolderFileLoadAttempt: Attempt to load from legacy folder blocked.
  • TelemetryEventType_BlockedManuallyMappedGameModule: Manual‑mapped module blocked in the game.
  • TelemetryEventType_BlockedRevokedDriver: Revoked driver blocked.
  • TelemetryEventType_BlockedSignedImageLoad: Signed image blocked due to policy (e.g., mismatched signer).
  • TelemetryEventType_BlockedSystemDllLoad: Replacement or redirected system DLL load blocked.
  • TelemetryEventType_BlockedVirtualMemoryAllocationFromKernelSpace: Kernel‑initiated allocation into user process blocked.
  • TelemetryEventType_BootParsing: Boot log parsing underway.
  • TelemetryEventType_BootPartitionDst: Boot partition destination mapping log.
  • TelemetryEventType_BootPartitionTampering: Boot partition tampering suspicion recorded.
  • TelemetryEventType_BootTime: Boot timing snapshot.
  • TelemetryEventType_BoundsCallback: Callback bounds validation report.
  • TelemetryEventType_CFGDisabled: Control Flow Guard disabled.
  • TelemetryEventType_CSMType: Compatibility Support Module configuration reported.
  • TelemetryEventType_Casper: Vendor‑named telemetry bucket for related checks.
  • TelemetryEventType_CheckGameProcessFailed: Game process check failed.
  • TelemetryEventType_CiProtectedLicenseEnabled: CI‑protected license mode enabled.
  • TelemetryEventType_CircularKernelContextLoggerFailedDisabling: Fetched state shows the Circular Kernel Context Logger (CKCL) could not be disabled.
  • TelemetryEventType_CloudGaming: Running in a cloud gaming environment reported.
  • TelemetryEventType_CpuIdInfo: CPUID vector info.
  • TelemetryEventType_CpuInfo: CPU model/features inventory.
  • TelemetryEventType_CsrsssPathKernelMismatch: CSRSS path mismatch observed in kernel.
  • TelemetryEventType_CsrsssPathMismatch: CSRSS path mismatch recorded.
  • TelemetryEventType_CuteHookSetup: CuteHook component setup state.
  • TelemetryEventType_CustomKernelSigningEnabled: Custom signing setting detected.
  • TelemetryEventType_DCIDebuggingEnabled: Device context/driver debugging enabled.
  • TelemetryEventType_DelayedGameStart: Game start delayed; timings recorded.
  • TelemetryEventType_DelayedGameVerificationException: Delay during verification due to exception.
  • TelemetryEventType_DenylistedHv: Denylisted hypervisor seen.
  • TelemetryEventType_DevPhysHighPtrCnt: High pointer count to physical memory ranges.
  • TelemetryEventType_DevPhysMemHandle: Handle to \Device\PhysicalMemory recorded.
  • TelemetryEventType_DevPhysMemMapping: Mapping of physical memory noted.
  • TelemetryEventType_DevPhysUserRef: User‑mode references to physical memory.
  • TelemetryEventType_DeviceIoControlNotAtFunctionBoundary: DeviceIoControl handler entry not aligned at function start (patch/hook suspicion).
  • TelemetryEventType_DeviceMissingFunctionTable: Device object missing function table.
  • TelemetryEventType_DmaDeviceAllowlisted: DMA device on allow list.
  • TelemetryEventType_DmaDeviceWithIncompatibleLinkStatus: DMA device link training/status mismatch.
  • TelemetryEventType_DmaDeviceWithInterruptsButNoDpcs: Device raising interrupts without DPCs.
  • TelemetryEventType_DmaDisabledDevice: DMA disabled for a device.
  • TelemetryEventType_DmaFailedToDisableDevice: Attempt to disable DMA failed.
  • TelemetryEventType_DmaIllegalBridgeDevice: Illegal bridge path in PCIe tree.
  • TelemetryEventType_DmaInvalidPciConfig: Invalid PCI configuration values.
  • TelemetryEventType_DmaPacketSimViolation: DMA packet simulator reported violation.
  • TelemetryEventType_DmaPciBusConfig: PCI bus config snapshot for DMA.
  • TelemetryEventType_DmaReenabledRootPort: Root port DMA re‑enabled log.
  • TelemetryEventType_DmaRootPortNoDevices: Root port shows no children unexpectedly.
  • TelemetryEventType_DmaUnmatchedPdo: PDO did not match expectations in DMA audit.
  • TelemetryEventType_DnsDenyListedEntry: DNS entry from deny list contacted.
  • TelemetryEventType_DriverCertValidationFailed: Driver cert chain validation failed.
  • TelemetryEventType_DriverChecksumDpcSuspension: DPC suspension occurred during checksum operations.
  • TelemetryEventType_DriverFileNotFound: Driver file path not present.
  • TelemetryEventType_DriverIatHooked: Driver IAT hooking recorded.
  • TelemetryEventType_DriverIntegrityProcessingFailure: Integrity manager processing failed on a driver.
  • TelemetryEventType_DriverLoadSeImageVerificationCallbackIntegrityFailure: SeImageVerification callback integrity failure.
  • TelemetryEventType_DriverMismatch: Driver image mismatch recorded.
  • TelemetryEventType_DriverNoIntegrityRanges: Driver lacked declared integrity ranges.
  • TelemetryEventType_DriverNotUnloaded: Driver did not unload when expected.
  • TelemetryEventType_DriverRequestError: Driver request returned error.
  • TelemetryEventType_DriverShutdownError: Driver failed to shut down cleanly.
  • TelemetryEventType_DriverShutdownTimeout: Driver shutdown timed out.
  • TelemetryEventType_DriverStopServiceError: Service stop for driver failed.
  • TelemetryEventType_DriverTamperedFunctionPointerTableEntry: Function pointer table entry change recorded (telemetry).
  • TelemetryEventType_DriverWithDevicePhysicalMemory: Driver exposes physical memory device interface.
  • TelemetryEventType_DriverWithVirtualMemoryImport: Driver imports VM mapping APIs for user targeting.
  • TelemetryEventType_DynamicRelocationParsingError: Error parsing dynamic relocations.
  • TelemetryEventType_EarlyGameExecutableRange: Early executable range in game process recorded.
  • TelemetryEventType_EfiAddressProcessorTrace: EFI address examined via PT.
  • TelemetryEventType_EfiDriverExploit: EFI driver exploit signs noted.
  • TelemetryEventType_EfiVars: EFI variables snapshot.
  • TelemetryEventType_ElevatedLauncherHandleFound: Elevated handle from launcher recorded.
  • TelemetryEventType_EptCheckException: EPT check generated exception; logged.
  • TelemetryEventType_EptRdtscDiscrepancy: RDTSC drift under EPT observed.
  • TelemetryEventType_EtwKernelLoggerFailed: Kernel logger setup failed.
  • TelemetryEventType_EtwNotEnabled: ETW providers not enabled as expected.
  • TelemetryEventType_EtwNotWaiting: ETW sessions not in waiting state when expected.
  • TelemetryEventType_EtwTraceStopError: Error stopping ETW trace.
  • TelemetryEventType_EtwTraceTimeoutError: ETW trace stop timed out.
  • TelemetryEventType_EtwUnknownId: Unknown ETW event ID encountered.
  • TelemetryEventType_EventLogException: Exception reading Windows event logs.
  • TelemetryEventType_EventLogNoBootEventFound: No boot event in event log.
  • TelemetryEventType_EventLogNonExistingDriver: Event log references a missing driver.
  • TelemetryEventType_ExecutableCodeDetected: Executable code detected in a sensitive area.
  • TelemetryEventType_ExecutableKernelCode: Executable code region inside kernel cataloged.
  • TelemetryEventType_ExecutableKernelCodeDetectedWithPdbPath: Kernel executable region tied to a PDB path.
  • TelemetryEventType_ExecutableKernelPeHeader: Executable kernel PE header region recorded.
  • TelemetryEventType_ExecutableKernelRegion: Generic executable region in kernel logged.
  • TelemetryEventType_ExecutableUserPageInKernel: User page executable pointer executed in kernel context.
  • TelemetryEventType_ExistingGuardedRegionHalHook: Existing guarded region overlapped with HAL hook.
  • TelemetryEventType_ExistingInterruptHandler: Pre‑existing ISR recorded.
  • TelemetryEventType_Exit: Clean exit path logged.
  • TelemetryEventType_ExitDetection: Exit triggered by a Detection_* path.
  • TelemetryEventType_ExitError: Exit with error condition.
  • TelemetryEventType_ExitWarning: Exit with warning condition.
  • TelemetryEventType_ExtendedLsassAccess: LSASS access extended beyond normal ranges.
  • TelemetryEventType_ExtendedSvchostAccess: svchost access observed beyond what is typical.
  • TelemetryEventType_FailedInstructionvalidationForExecutableGameAllocation: Instruction validation failed on game allocation.
  • TelemetryEventType_FileConversionMismatch: File conversion process mismatch.
  • TelemetryEventType_FileIdTimeout: Timeout getting File ID.
  • TelemetryEventType_FirmwareType: Firmware boot type snapshot (UEFI/legacy).
  • TelemetryEventType_ForegroundWindow: Foreground window info sampled.
  • TelemetryEventType_FoundInstrumentationCallback: Instrumentation callback presence recorded.
  • TelemetryEventType_FoundVadClobbering: VAD clobbering behavior observed.
  • TelemetryEventType_GDIDrawingModule: GDI drawing module info.
  • TelemetryEventType_GameAckSinceServiceRunning: Game acknowledged service link since start.
  • TelemetryEventType_GameAllowlistFileRename: Game file rename linked to allowlist.
  • TelemetryEventType_GameApc: APC events in game process logged.
  • TelemetryEventType_GameBridgeCloseWithConnectionFailed: Bridge close occurred after connection failure.
  • TelemetryEventType_GameBridgeConnectionTimeSinceStart: Time to establish bridge connection.
  • TelemetryEventType_GameBridgeModuleRangeTimeSinceStart: Time to enumerate bridge module ranges.
  • TelemetryEventType_GameBridgeTimeout: Bridge operation timed out.
  • TelemetryEventType_GameBridgeVirtualAlloc: VirtualAlloc events from bridge module.
  • TelemetryEventType_GameDataFileChecksum: Checksum of game data file recorded.
  • TelemetryEventType_GameDeviceHandle: Device handle opened by game recorded.
  • TelemetryEventType_GameEptInvalidData: EPT invalidation data from game context.
  • TelemetryEventType_GameExceptionCallstack: Game exception call stack captured.
  • TelemetryEventType_GameExit: Game exit observed.
  • TelemetryEventType_GameExitForReactivateFlow: Exit used to reactivate flow.
  • TelemetryEventType_GameLauncherValidationFailed: Launcher validation failed.
  • TelemetryEventType_GameModuleChecksumMismatch: Game module checksum mismatch recorded.
  • TelemetryEventType_GameModuleInformation: Module info snapshot for game.
  • TelemetryEventType_GameModuleRange: Address ranges for game modules recorded.
  • TelemetryEventType_GameModuleWithRwx: RWX module in game recorded.
  • TelemetryEventType_GamePageTableCopyFailure: Copy of game page tables failed.
  • TelemetryEventType_GamePath: Game path logged.
  • TelemetryEventType_GameProcessTerminationFailed: Termination of game process failed.
  • TelemetryEventType_GameProfilingActive: Profiling mode active for game.
  • TelemetryEventType_GameServiceApc: APC related to game service recorded.
  • TelemetryEventType_GameServiceArgs: Game service start arguments logged.
  • TelemetryEventType_GameServiceBridgeDuplicationFailed: Handle or section duplication failed.
  • TelemetryEventType_GameServiceBridgeExited: Game service bridge exited.
  • TelemetryEventType_GameServiceKernelApc: Kernel APC related to game service.
  • TelemetryEventType_GameServiceStatus: Status snapshot for game service.
  • TelemetryEventType_GameServiceVehHandler: VEH handler tied to game service observed.
  • TelemetryEventType_GameTextSegmentChecksum: Text segment checksum measured.
  • TelemetryEventType_GameThreadThresholdExceeded: Thread count or activity threshold exceeded.
  • TelemetryEventType_GameVehHandler: VEH handler present in game.
  • TelemetryEventType_GameVerificationException: Exception raised during game verification.
  • TelemetryEventType_GeneralException: Unhandled exception caught and logged.
  • TelemetryEventType_GpiOpsAccess: Graphics pipeline interface access logged.
  • TelemetryEventType_GpuHwid: GPU hardware identity data.
  • TelemetryEventType_GpuInfo: GPU model and driver info.
  • TelemetryEventType_GuardedRegionAllocationFailure: Guarded region allocation failed.
  • TelemetryEventType_GuardedRegionHighExceptionCount: High exception frequency around guarded regions.
  • TelemetryEventType_GuardedRegionInitialAllowlistThreadCount: Initial allowlist thread count recorded.
  • TelemetryEventType_GuardedRegionInitialAllowlistThreadCountFailure: Failed to acquire initial allowlist thread count.
  • TelemetryEventType_GuardedRegionInitialReport: Initial guarded region report.
  • TelemetryEventType_GuardedRegionReplacementStop: Guarded region replacement stopped.
  • TelemetryEventType_GuardedRegionStats: Statistics for guarded region usage.
  • TelemetryEventType_GuardedRegionSwapCount: Swap count recorded for guarded regions.
  • TelemetryEventType_GuardedRegionVbsSwitchFailure: VBS switch failed.
  • TelemetryEventType_GuardedRegionVbsSwitchSuccess: VBS switch succeeded.
  • TelemetryEventType_GuardedRegionsPml4Fallback: PML4 fallback used.
  • TelemetryEventType_GuardedRegionsSetupResult: Setup results for guarded regions.
  • TelemetryEventType_HalModuleMismatch: HAL module mismatch recorded.
  • TelemetryEventType_HalPrivateDispatchTableEntry: HAL private dispatch table entry snapshot.
  • TelemetryEventType_HalPrivateDispatchTableVersion: HAL private dispatch table version logged.
  • TelemetryEventType_HandleClosedFailed: Failure to close handle recorded.
  • TelemetryEventType_HandleElevationByMicrosoftProcess: Handle elevation performed by a Microsoft‑signed process.
  • TelemetryEventType_HandleToSystemProcessFound: Handle to a system process found in a sensitive context.
  • TelemetryEventType_HighMemoryUsage: High memory footprint recorded.
  • TelemetryEventType_HookUndoFailed: Undoing a hook failed.
  • TelemetryEventType_HookUndoStatistics: Summary of hook undo attempts.
  • TelemetryEventType_HvType: Hypervisor type classification.
  • TelemetryEventType_HvciEnabled: HVCI enabled state reported.
  • TelemetryEventType_HwidDiskSerials: Disk serial info collected for identity.
  • TelemetryEventType_HwidMonitorEdid: Monitor EDID recorded.
  • TelemetryEventType_HwidMonitorEdidMismatch: EDID mismatch noted.
  • TelemetryEventType_HwidTheia: Hardware ID info linked to Theia.
  • TelemetryEventType_HwidTpm: TPM identity captured.
  • TelemetryEventType_HwidTpmFailure: TPM query failed.
  • TelemetryEventType_HwidUefiVars: UEFI variables tied to HWID.
  • TelemetryEventType_HyperVContainer: Hyper‑V container detected.
  • TelemetryEventType_HyperVContainerFailure: Hyper‑V container operation failed.
  • TelemetryEventType_HyperVMissingGuestKbService: Hyper‑V guest lacks keyboard service.
  • TelemetryEventType_HyperVMissingGuestObjectDevice: Hyper‑V guest lacks expected object device.
  • TelemetryEventType_HypervisorDetectionData: Hypervisor fingerprints and timing.
  • TelemetryEventType_HypervisorDriverVendor: Vendor mapping for hypervisor driver.
  • TelemetryEventType_ImageListOverflow: Image list reached capacity.
  • TelemetryEventType_ImageLoadPathConversionError: Path conversion failed for an image load.
  • TelemetryEventType_ImageLoadSignatureFailure: Signature validation failed on image load.
  • TelemetryEventType_InfinityHookDetectedGroupMaskModification: Group mask changed through InfinityHook path.
  • TelemetryEventType_InfinityHookDpcIpiSetupFailure: IPI/DPC setup for InfinityHook failed.
  • TelemetryEventType_InfinityHookFailedGroupMaskBlockHandshake: Group mask handshake block attempt failed.
  • TelemetryEventType_InfinityHookFaultProcessingState: Fault processing state for InfinityHook captured.
  • TelemetryEventType_InfinityHookFixupFailure: Fixup for InfinityHook failed.
  • TelemetryEventType_InfinityHookFixupSuccess: Fixup for InfinityHook succeeded.
  • TelemetryEventType_InfinityHookIgnoreSyscallAddressMismatchForKnownDriver: Ignored syscall address mismatch for known driver (compatibility quirk).
  • TelemetryEventType_InfinityHookInactive: InfinityHook not active when expected.
  • TelemetryEventType_InfinityHookSetupResult: Outcome of InfinityHook setup.
  • TelemetryEventType_InfinityHookWriteToGameMemoryByDriver: Driver wrote to game memory via InfinityHook.
  • TelemetryEventType_Init: Initialization event.
  • TelemetryEventType_InitialExecutableNonImageRange: Executable non‑image region seen early in process life.
  • TelemetryEventType_InterestingProcessAlpc: ALPC activity in an interesting process.
  • TelemetryEventType_InterestingProcessHighRegistryCount: High registry activity in an interesting process.
  • TelemetryEventType_InvalidAddressInstructionValidation: Invalid instruction address during validation.
  • TelemetryEventType_InvalidDriverChecksum: Invalid checksum for a driver (telemetry channel).
  • TelemetryEventType_InvalidExecutableMemoryGameCallstack: Invalid call stack for an executable allocation in the game.
  • TelemetryEventType_InvalidSystemThreadStartAddress: Invalid system thread start address observed.
  • TelemetryEventType_KVAShadowingDisabled: KVA shadowing disabled.
  • TelemetryEventType_KernelAddressNotFound: Kernel address symbol not resolved.
  • TelemetryEventType_KernelDebuggingDpcEnabled: Debugging DPCs enabled.
  • TelemetryEventType_KernelDumpParseFailure: Failed to parse kernel dump.
  • TelemetryEventType_KernelDumpProcessingFailure: Error processing kernel dump.
  • TelemetryEventType_KernelEptInvalidData: EPT invalid data in kernel context.
  • TelemetryEventType_KernelHandleAccess: Kernel‑level handle access recorded.
  • TelemetryEventType_KernelHandleElevation: Kernel‑level handle elevation noted.
  • TelemetryEventType_KernelHandleElevationByMicrosoftProcess: Elevation performed by Microsoft process (logged for context).
  • TelemetryEventType_KernelInitiatedNonSectionSync: Non‑section synchronization initiated in kernel.
  • TelemetryEventType_KernelObjectReference: Kernel object reference count/path snapshot.
  • TelemetryEventType_KernelPdbResult: Kernel PDB symbol resolution status.
  • TelemetryEventType_KernelPingFailure: Ping from user‑mode to kernel failed.
  • TelemetryEventType_KernelTrap: Trap event in kernel captured.
  • TelemetryEventType_KernelWorkingSetAllocation: Kernel‑allocated working set memory logged.
  • TelemetryEventType_KillswitchExit: Exit caused by killswitch policy.
  • TelemetryEventType_LargePageDriver: Driver using large pages cataloged.
  • TelemetryEventType_LauncherChildProcess: Child process spawned by launcher.
  • TelemetryEventType_LauncherKernel32DllFallback: Fallback to kernel32 path logic for launcher.
  • TelemetryEventType_LauncherPath: Launcher path logged.
  • TelemetryEventType_LauncherRunsElevated: Launcher runs with elevation.
  • TelemetryEventType_LauncherTerminationFailed: Launcher termination failed.
  • TelemetryEventType_LoadDriverImageError: Load driver image error logged.
  • TelemetryEventType_Log: General log event.
  • TelemetryEventType_MachineName: Machine name snapshot.
  • TelemetryEventType_ManualMappedThreadUnverified: Manual‑mapped thread observed but unverified.
  • TelemetryEventType_ManualThreadSyscallUnverified: Manual thread making syscalls unverified.
  • TelemetryEventType_MappedMdlMapping: MDL mapping observed.
  • TelemetryEventType_MeasuredBootLogError: Measured boot log read error.
  • TelemetryEventType_MismatchingVirtualAllocAddress: VirtualAlloc address differs from expected pattern.
  • TelemetryEventType_ModifiedGameDataFile: Modified game data file recorded.
  • TelemetryEventType_ModuleInfo: Module info snapshot outside the game.
  • TelemetryEventType_MotherboardInfo: Motherboard model/version snapshot.
  • TelemetryEventType_MultipleMouseDriver: Multiple mouse drivers present; compatibility record.
  • TelemetryEventType_MultipleRwxAddressInstruction: Multiple RWX instruction sites observed.
  • TelemetryEventType_NMICallback: NMI callback invoked.
  • TelemetryEventType_NetworkStats: Network statistics snapshot.
  • TelemetryEventType_NoAttachingManuallyMappedSystemThread: Attaching manual‑mapped system thread not observed (expected baseline absent).
  • TelemetryEventType_NmiAllowlistedHypervisor: Known‑good hypervisor under NMI scan.
  • TelemetryEventType_NmiBsodPreventionSetupFailed: NMI BSOD prevention setup failed.
  • TelemetryEventType_NmiEfi: NMI scanning EFI space.
  • TelemetryEventType_NmiError: NMI error recorded.
  • TelemetryEventType_NmiHardwareFailure: Hardware failure during NMI routine.
  • TelemetryEventType_NonAllowlistedSignedImageLoadGame: Signed image loaded in game but not allowlisted.
  • TelemetryEventType_NonAllowlistedSignedImageLoadGameService: Same condition in game service.
  • TelemetryEventType_NonCommonDriverDpc: Driver DPC from an uncommon signer/vendor.
  • TelemetryEventType_NonCommonDriverIpi: IPI from a non‑common driver.
  • TelemetryEventType_NonCommonDriverSigner: Driver signer not in typical set.
  • TelemetryEventType_NonCommonFilesystemDriverSigner: Filesystem driver signer uncommon.
  • TelemetryEventType_NonCommonGameDll: Game DLL not among common set.
  • TelemetryEventType_NonCommonGameServiceDll: Uncommon DLL in game service.
  • TelemetryEventType_NonCommonVendorProxyDll: Uncommon vendor proxy DLL.
  • TelemetryEventType_NonEaSignedLocalFolderImageLoad: Signed image from local folder not EA‑signed.
  • TelemetryEventType_NonIntegerActiveDriverIoProcess: Non‑integer PID or unexpected process reported for active driver I/O (parsing guard).
  • TelemetryEventType_NonMainThreadRwxAddressInstruction: RWX instruction observed on a non‑main thread.
  • TelemetryEventType_NonPeFileExecutableImageLoad: Executable mapping without a PE header.
  • TelemetryEventType_NonSystemDirectoryUnloadedDriverPiDdbEntry: Unloaded driver entry from non‑system directory.
  • TelemetryEventType_ObCallbackVerificationHandler: OB callback verification handler telemetry.
  • TelemetryEventType_ObPingThreadSuspension: Thread suspension during OB ping.
  • TelemetryEventType_OoaTimeout: Out‑of‑allowance timeout (internal budgeting).
  • TelemetryEventType_OverlayThreadError: Error in overlay worker thread.
  • TelemetryEventType_PMUAttachingUserThread: PMU indicates attaching user thread.
  • TelemetryEventType_PMUEfiUserProcessPage: PMU shows EFI‑related user process page accessed.
  • TelemetryEventType_PMUManuallyMappedProcessPage: PMU indicates manual‑mapped page in process.
  • TelemetryEventType_PMUManuallyMappedSystemPage: PMU indicates manual‑mapped page in system process.
  • TelemetryEventType_PMUSignedProcessMmCopyMemoryDriverUserProcessCaller: PMU shows MmCopyMemory path used by signed process on behalf of user caller.
  • TelemetryEventType_PMUSignedProcessMmapIospaceDriverUserProcessCaller: PMU shows IO space mapping by signed process on behalf of user caller.
  • TelemetryEventType_PMUSignedProcessMonitoredDriverUserProcessCaller: PMU shows monitored driver acting for user process caller.
  • TelemetryEventType_PTResult: Processor Trace summary result.
  • TelemetryEventType_PTSmallPacketDeltaFound: PT packet delta suggests tampering or gaps.
  • TelemetryEventType_PageGuardDetected: Page guard present.
  • TelemetryEventType_PageGuardFailure: Page guard operation failed.
  • TelemetryEventType_PatchGuardCheck: PatchGuard check status.
  • TelemetryEventType_PciTreeScanResult: PCI tree scan exported.
  • TelemetryEventType_PcieHwid: PCIe hardware identity dump.
  • TelemetryEventType_PerfGlobalGroupMaskChanged: Perf group mask changed.
  • TelemetryEventType_PiDbdException: Exception during PiDDB interactions.
  • TelemetryEventType_PmuEfiPage: PMU data related to EFI page.
  • TelemetryEventType_PmuSetupFailure: PMU setup failure.
  • TelemetryEventType_PotentialSmallblockAllocation: Small executable block allocation identified.
  • TelemetryEventType_Probe: Probe telemetry beacon.
  • TelemetryEventType_ProcessCreationFailed: Process creation failed.
  • TelemetryEventType_ProcessList: Process list snapshot.
  • TelemetryEventType_ProcessTerminationFailed: Process termination failed.
  • TelemetryEventType_ProtectedProcessIntegrity: Protected process integrity info.
  • TelemetryEventType_PsAltSystemCallHandler: Alternate system call handler present.
  • TelemetryEventType_RamGB: RAM size in GB recorded.
  • TelemetryEventType_ReadStartOpCodeFailure: Failed reading start opcode of a function.
  • TelemetryEventType_ReducedAccess: Reduced access mode engaged.
  • TelemetryEventType_RegistrySystemCertificates: System cert store snapshot.
  • TelemetryEventType_RemoteSession: Running under Remote Desktop or similar.
  • TelemetryEventType_RequiresElevation: Operation requires elevation.
  • TelemetryEventType_ReusedManualMappedExecutableCodeInGame: Previously seen manual‑mapped code reused in game process.
  • TelemetryEventType_RuntimePatchGuardManuallyMappedDpc: Manual‑mapped DPC observed during PatchGuard runtime window.
  • TelemetryEventType_RuntimePatchGuardNonCanonicalDpc: Non‑canonical DPC during PatchGuard.
  • TelemetryEventType_RuntimePatchGuardResult: Result from PatchGuard runtime checks.
  • TelemetryEventType_RuntimePatchGuardSuspension: PatchGuard appears suspended.
  • TelemetryEventType_RuntimeUnsignedImageSystemLoad: Unsigned image loaded by system during runtime (monitoring).
  • TelemetryEventType_RwxGameModuleLoadAttempt: Attempt to load RWX game module.
  • TelemetryEventType_ScreenshotDiagnostic: Screenshot diagnostic info.
  • TelemetryEventType_ScreenshotError: Screenshot capture error.
  • TelemetryEventType_ScreenshotMetaData: Metadata around screenshot.
  • TelemetryEventType_Sdev: Secure Device framework event.
  • TelemetryEventType_SecondaryExit: Secondary exit recorded (hypervisor context).
  • TelemetryEventType_SecureBootCapableReportingAsIncapable: Device capable of Secure Boot reports incapable.
  • TelemetryEventType_SecureBootEnabled: Secure Boot state reported as enabled.
  • TelemetryEventType_SecureBootIncapableMotherboard: Board reports Secure Boot incapable.
  • TelemetryEventType_SectionMapping: Section mapping events captured.
  • TelemetryEventType_SecurityInformation: Security configuration snapshot.
  • TelemetryEventType_ServiceProcessHandleRights: Handle rights for service process.
  • TelemetryEventType_ServiceReadyMs: Time to service ready in milliseconds.
  • TelemetryEventType_Sha1Failure: SHA‑1 validation failure.
  • TelemetryEventType_SharedMemoryRegion: Shared memory region info.
  • TelemetryEventType_SharedMemoryUserFailure: User‑space shared memory failure.
  • TelemetryEventType_SharedNamedPipe: Shared named pipe used.
  • TelemetryEventType_SignChangedGameServiceDll: Signature change noticed on game service DLL.
  • TelemetryEventType_SignatureError: Generic signature error.
  • TelemetryEventType_SignatureVerificationError: Signature verification failed.
  • TelemetryEventType_SignedNoSignerGameProcess: Signed but signer unknown for game process module.
  • TelemetryEventType_SkyfallDpcMissing: Skyfall (vendor module) DPC missing.
  • TelemetryEventType_SlowDriverManagerInitCall: Driver manager init call took a long time.
  • TelemetryEventType_SlowServiceInitFuncMs: Service init function slow.
  • TelemetryEventType_SlowServiceResponseToDriver: Service response to driver slow.
  • TelemetryEventType_SlowSignatureQuery: Signature query slow.
  • TelemetryEventType_SmepDisabled: SMEP disabled recorded as telemetry.
  • TelemetryEventType_SpawnElevationFailure: Elevation attempt failed on spawn.
  • TelemetryEventType_SpawnElevationWinLogon: Elevation routed through WinLogon.
  • TelemetryEventType_SpectreImportOptimization: Import optimization for Spectre mitigations noted.
  • TelemetryEventType_SpectreMitigationDisabled: Spectre mitigations disabled.
  • TelemetryEventType_SpectreRetpolineOptimization: Retpoline present as mitigation/optimization.
  • TelemetryEventType_StamplessDriverPiDdbEntry: Driver entry without timestamp in PiDDB.
  • TelemetryEventType_StartGameKillswitched: Game start halted by killswitch policy.
  • TelemetryEventType_StartupTelemetry: Initial telemetry set.
  • TelemetryEventType_SuspiciousNmiError: Suspicious NMI error condition.
  • TelemetryEventType_SuspiciousPmuFailure: Suspicious PMU setup failure.
  • TelemetryEventType_SysFirmwareTables: System firmware tables snapshot.
  • TelemetryEventType_SyscallInitializationResult: Syscall initialization status.
  • TelemetryEventType_SystemModuleThreadError: Error around a system module thread.
  • TelemetryEventType_SystemModuleThreadTimedOut: System module thread timed out.
  • TelemetryEventType_SystemModuleWithRwx: System module with RWX pages recorded.
  • TelemetryEventType_SystemThreadImportMismatch: Import mismatch for system thread owner.
  • TelemetryEventType_SystemThreadNonIntegrityRangeMismatch: Non‑integrity range mismatch for system thread code.
  • TelemetryEventType_SystemThreadStartAddressDetour: System thread start address appears detoured.
  • TelemetryEventType_SystemThreadTraceBrokenKernelStack: Trace shows broken kernel stack.
  • TelemetryEventType_TPM: TPM info snapshot.
  • TelemetryEventType_ThreadCreationError: Thread creation error.
  • TelemetryEventType_ThreadPreviousMode: Thread previous‑mode log (user/kernel).
  • TelemetryEventType_ThreatIntelInactive: Threat intel feed inactive.
  • TelemetryEventType_TimedoutAsyncSignatureQuery: Async signature query timed out.
  • TelemetryEventType_TlsCallbackChecksumInitFailure: TLS callback checksum init failed.
  • TelemetryEventType_TlsCallbackChecksumVerifyFailure: TLS callback checksum verify failed.
  • TelemetryEventType_TooManyHandlesHeld: Excess handles held by a process.
  • TelemetryEventType_TrackHookFailed: Tracking a hook failed.
  • TelemetryEventType_TrackHookStatistics: Statistics on tracked hooks.
  • TelemetryEventType_UnauthorizedGuardedRegionAccess: Unauthorized access to guarded region (telemetry path).
  • TelemetryEventType_UnbackedHashBucketDriverEntry: Hash bucket entry for driver lacks backing file.
  • TelemetryEventType_UnexpectedEfiBootApplication: EFI application loaded unexpectedly at boot.
  • TelemetryEventType_UnexpectedGameExitCode: Unexpected game exit code logged.
  • TelemetryEventType_UnexpectedRwxAddressInstruction: Unexpected instruction in RWX region.
  • TelemetryEventType_UniversalSerialBusResult: USB result summary.
  • TelemetryEventType_UniversalSerialBusTopologyStatistics: USB topology stats.
  • TelemetryEventType_UnknownHv: Unknown hypervisor reported.
  • TelemetryEventType_UnknownIntelProcessor: Processor model unknown to catalog.
  • TelemetryEventType_UnlinkedDriverNoFileFound: Unlinked driver with no backing file.
  • TelemetryEventType_UnlinkedThread: Unlinked thread snapshot.
  • TelemetryEventType_UnloadedDriverOutsideSystemDir: Unloaded driver recorded from outside system directory.
  • TelemetryEventType_UnloadedGameModule: Game module unloaded.
  • TelemetryEventType_UnlockFailedForGameExecutable: Unlocking the game executable failed.
  • TelemetryEventType_UnmatchedDriverPiDdbEntry: Driver PiDDB entry unmatched to loaded modules.
  • TelemetryEventType_UnresolvedMeasuredBootModule: Measured boot module unresolved.
  • TelemetryEventType_UnsignedGameProcess: Game process loaded unsigned code.
  • TelemetryEventType_UntrustedImageLoad: Untrusted image load noted.
  • TelemetryEventType_UploadError: Upload to backend failed.
  • TelemetryEventType_UploadStats: Upload stats summary.
  • TelemetryEventType_UserInputProcess: Process tied to input hooks.
  • TelemetryEventType_UserKernelImageFailure: Failure when handling user/kernel image boundaries.
  • TelemetryEventType_UserSpaceKernelImageFailure: User‑space routine failed for kernel image operations.
  • TelemetryEventType_UuidNotSet: UUID not set.
  • TelemetryEventType_UuidTamper: UUID shows tampering.
  • TelemetryEventType_UuidUpdateFailure: UUID update failed.
  • TelemetryEventType_UuidUpdated: UUID updated.
  • TelemetryEventType_ValidExecutableMemoryInUnloadedModuleRange: Executable memory persists in range of an unloaded module.
  • TelemetryEventType_VerifierModuleLoaded: Driver Verifier module loaded.
  • TelemetryEventType_VerifySignatureIntegrityFailure: Signature integrity verification failed.
  • TelemetryEventType_Version: Version info snapshot.
  • TelemetryEventType_VmWareLowScore: VMware heuristics score low (likely false positive mitigation).
  • TelemetryEventType_VulnerableDriverBlocklistDisabled: Vulnerable driver blocklist not active.
  • TelemetryEventType_WerfaultEnforcedExit: WER enforced an exit.
  • TelemetryEventType_WindowEnumerationFailure: Failed to enumerate windows.
  • TelemetryEventType_WindowsBuild: Windows build information.
  • TelemetryEventType_WorkingSetReduced: Working set trimmed.
  • TelemetryEventType_ZipExtractionError: Error extracting a zip package.

TelemetryExitEventType_* Glossary

  • TelemetryExitEventType_AdministratorRightsRequired: Exit because elevation not present.
  • TelemetryExitEventType_AllowlistGamebridgeInjectionIdError: Allowlist mismatch for game bridge injection identity.
  • TelemetryExitEventType_AllowlistKernel32FileIdError: kernel32 allowlist file ID error.
  • TelemetryExitEventType_AllowlistMaxLoadAllowListCountExceeded: Exceeded max allowlist load count.
  • TelemetryExitEventType_AllowlistNtDllFileIdError: ntdll allowlist file ID error.
  • TelemetryExitEventType_AllowlistSystemDirectoryError: System directory allowlist error.
  • TelemetryExitEventType_AllowlistWindowsDirectoryError: Windows directory allowlist error.
  • TelemetryExitEventType_AppCertDetection: AppCert injection policy violation triggered exit.
  • TelemetryExitEventType_AppInitDetection: AppInit policy violation triggered exit.
  • TelemetryExitEventType_BadwareFound: Known unwanted software detected; exit enforced.
  • TelemetryExitEventType_BridgeServiceReaderThreadCreationFailure: Failed to create bridge reader thread.
  • TelemetryExitEventType_CException: C‑style exception caused exit.
  • TelemetryExitEventType_CommunicationInterfaceMissing: Communication interface not present.
  • TelemetryExitEventType_CppException: C++ exception caused exit.
  • TelemetryExitEventType_CreateGameBridgeFailure: Could not create game bridge.
  • TelemetryExitEventType_Detection: Exit due to Detection_* event.
  • TelemetryExitEventType_DetectionHandlerExitEventCreationFailure: Failed to create exit event for detection handler.
  • TelemetryExitEventType_DetectionHandlerItemEventCreationFailure: Failed to create item event for detection handler.
  • TelemetryExitEventType_DetectionHandlerThreadCreationFailure: Failed to create detection handler thread.
  • TelemetryExitEventType_DpcFailed: DPC operation failed and exit followed.
  • TelemetryExitEventType_DriverConfigChecksumError: Driver config checksum error at startup.
  • TelemetryExitEventType_DriverConfigureFailure: Driver configuration failed.
  • TelemetryExitEventType_DriverExitForced: Driver forced the exit.
  • TelemetryExitEventType_DriverFile: Driver file condition triggered exit.
  • TelemetryExitEventType_DriverFileAccessDenied: Access denied to driver file.
  • TelemetryExitEventType_DriverHandleError: Error with driver handle.
  • TelemetryExitEventType_DriverIoEventCreationFailure: Failed to create driver I/O event.
  • TelemetryExitEventType_DriverPath: Driver path problem caused exit.
  • TelemetryExitEventType_DriverResponseError: Driver returned error to service.
  • TelemetryExitEventType_DriverServiceLoopDecryptionError: Decryption failed in service loop.
  • TelemetryExitEventType_DriverServiceLoopDriverRequestAllocationFailure: Allocation failed for driver request in service loop.
  • TelemetryExitEventType_DriverServiceLoopInvalidSize: Invalid size read/written in service loop.
  • TelemetryExitEventType_DriverServiceLoopOverlappedResultError: Overlapped I/O result error in service loop.
  • TelemetryExitEventType_DriverServiceLoopReadFileEventFailure: ReadFile event creation failed in service loop.
  • TelemetryExitEventType_DriverServiceLoopWriteCompletionEventFailure: Write completion event creation failed in service loop.
  • TelemetryExitEventType_DriverServiceLoopZeroSizedReads: Zero‑sized reads detected in service loop.
  • TelemetryExitEventType_DriverServiceThreadCreationFailure: Service thread creation failed.
  • TelemetryExitEventType_DriverStillRunning: Driver still running when it should stop.
  • TelemetryExitEventType_DriverVerifierActive: Driver Verifier active; exit enforced for safety.
  • TelemetryExitEventType_ErrorDiskFull: Disk full error at startup.
  • TelemetryExitEventType_FilterAlreadyRunning: Required filter already running; conflict.
  • TelemetryExitEventType_GameBridgeException: Exception inside game bridge.
  • TelemetryExitEventType_GameEventCreationFailure: Failed creating game event handle.
  • TelemetryExitEventType_GameExeParseError: Error parsing game executable.
  • TelemetryExitEventType_GameExePathResolveError: Could not resolve game executable path.
  • TelemetryExitEventType_GameExitEventCreationFailure: Failed to create game exit event.
  • TelemetryExitEventType_GameIntegritySignatureQuery: Integrity query for game signature failed decisively.
  • TelemetryExitEventType_GameIntegrityThreadCreationFailure: Integrity thread creation failed.
  • TelemetryExitEventType_GameIntegrityThreadEventCreationFailure: Integrity thread event creation failed.
  • TelemetryExitEventType_GameIntegrityThreadItemEventCreationFailure: Integrity thread item event creation failed.
  • TelemetryExitEventType_GameLauncherValidationFailed: Launcher validation failure triggered exit.
  • TelemetryExitEventType_GameNotSigned: Game binary unsigned; exit path.
  • TelemetryExitEventType_GameNotSignedByEA: Game not signed by publisher; exit.
  • TelemetryExitEventType_GameProcessFileIdError: File ID error for game process.
  • TelemetryExitEventType_GameProcessFileIdErrorAntivirus: Antivirus interference caused File ID error.
  • TelemetryExitEventType_GameProcessHandleError: Handle error for game process.
  • TelemetryExitEventType_GameProcessIdMismatch: Game PID mismatch.
  • TelemetryExitEventType_GameProcessLaunchFailed: Game process launch failed.
  • TelemetryExitEventType_GameProcessPIDError: Generic game process PID error.
  • TelemetryExitEventType_GameProcessWaitFailure: Wait on game process failed.
  • TelemetryExitEventType_GameServiceBridgeRuntimeError: Runtime error in service bridge.
  • TelemetryExitEventType_GameServiceBridgeThreadItemEventCreationFailure: Failed to create thread item event in bridge.
  • TelemetryExitEventType_GameVerificationExitEventCreationFailure: Verification exit event creation failed.
  • TelemetryExitEventType_GameVerificationHandler: Game verification handler signaled exit.
  • TelemetryExitEventType_GameVerificationObThreadCreationFailure: Verification OB thread creation failed.
  • TelemetryExitEventType_GameVerificationStartEventCreationFailure: Verification start event creation failed.
  • TelemetryExitEventType_GetOverlappedResultErrorPending: GetOverlappedResult returned pending error in a fatal path.
  • TelemetryExitEventType_HandleAccessCheckInitFailure: Failed to init handle access checker.
  • TelemetryExitEventType_HandleAccessLoopThreadCreationFailure: Handle access loop thread could not be created.
  • TelemetryExitEventType_HandleCheckThreadError: Error inside handle check thread.
  • TelemetryExitEventType_HeartbeatInterfaceMissing: Heartbeat interface not available.
  • TelemetryExitEventType_IncompatibleSoftware: Software conflict detected.
  • TelemetryExitEventType_InitSystemCallsFailure: Failed to initialize system calls.
  • TelemetryExitEventType_InitSystemHandleTypesFailure: Failed to init system handle types.
  • TelemetryExitEventType_InitialDriverChecksumMismatch: Initial checksum mismatch for anti‑cheat driver.
  • TelemetryExitEventType_InitialSignatureverificationFailure: Initial signature verification failed.
  • TelemetryExitEventType_InjectionGameBridgeFailure: Injection of game bridge failed.
  • TelemetryExitEventType_InsufficientSystemResources: System resources insufficient.
  • TelemetryExitEventType_IntegrityManagerAsyncExitEventCreationFailure: Async integrity manager exit event creation failed.
  • TelemetryExitEventType_IntegrityManagerAsyncSignatureQueryThreadCreationFailure: Async signature query thread creation failed.
  • TelemetryExitEventType_IntegrityManagerAsyncStartEventCreationFailure: Async integrity manager start event creation failed.
  • TelemetryExitEventType_InvalidComArgs: Invalid COM arguments supplied.
  • TelemetryExitEventType_KernelManagerAsyncExecutableCodeThreadCreationFailure: Async executable code thread in kernel manager failed to create.
  • TelemetryExitEventType_KernelManagerAsyncProcessorTraceThreadCreationFailure: Async Processor Trace (PT) thread in kernel manager failed to create.
  • TelemetryExitEventType_KernelManagerEventCreationFailure: Kernel manager event creation failed.
  • TelemetryExitEventType_KernelManagerSystemThreadStartAddressesEventCreationFailure: Failed to create event for system thread start addresses.
  • TelemetryExitEventType_KernelManagerThreadExitEventCreationFailure: Thread exit event creation failed.
  • TelemetryExitEventType_KernelModuleLoadFailure: Kernel module load failed.
  • TelemetryExitEventType_LauncherExitedPrematurely: Launcher exited too early.
  • TelemetryExitEventType_LoadGameBridgeDataFailure: Could not load game bridge data.
  • TelemetryExitEventType_LogInterfaceMissing: Logging interface missing.
  • TelemetryExitEventType_ManuallyMappedImportHook: Manual‑mapped import hook detected; exit enforced.
  • TelemetryExitEventType_MissingKernelAddress: Required kernel address not resolved.
  • TelemetryExitEventType_ModifiedGameDataFile: Game data modified; exit enforced.
  • TelemetryExitEventType_None: Placeholder.
  • TelemetryExitEventType_Num: Enumeration placeholder.
  • TelemetryExitEventType_NxDisable: NX/DEP disabled; exit enforced.
  • TelemetryExitEventType_ObCallbackVerificationHandler: OB callback verification failure led to exit.
  • TelemetryExitEventType_PowerChanged: Power state changed during sensitive window; exit triggered.
  • TelemetryExitEventType_PrepareGameBridgeDataFailure: Preparation of game bridge data failed.
  • TelemetryExitEventType_PrivilegeFailure: Privilege request failed at startup.
  • TelemetryExitEventType_RegistryFixupError: Registry fixup step failed.
  • TelemetryExitEventType_RuntimeDriverChecksumMismatch: Runtime checksum mismatch of anti‑cheat driver.
  • TelemetryExitEventType_SecureBootRequired: Secure Boot required but not present.
  • TelemetryExitEventType_ServerRule: Server‑driven rule enforced exit.
  • TelemetryExitEventType_ServerRuleIncompatibleDriverArgs: Driver args conflict with server rules.
  • TelemetryExitEventType_ServerRuleIncompatibleSoftwareArgs: Software args conflict with server rules.
  • TelemetryExitEventType_SharedMemoryInitFailed: Shared memory initialization failed.
  • TelemetryExitEventType_SharedMemoryMalFunction: Shared memory malfunction.
  • TelemetryExitEventType_SignatureSystemDirectoryError: Signature error for system directory content.
  • TelemetryExitEventType_SystemModuleThreadError: System module thread error caused exit.
  • TelemetryExitEventType_SystemServiceCallbackFailedAfterGameCreation: System service callback failure after game start.
  • TelemetryExitEventType_SystemTimeBehind: System time behind acceptable range.
  • TelemetryExitEventType_TelemetryInterfaceMissing: Telemetry interface missing.
  • TelemetryExitEventType_ThreadEventCreationFailureDriver: Driver thread event creation failed.
  • TelemetryExitEventType_TimeoutGameProcessDetection: Timeout waiting for game detection.
  • TelemetryExitEventType_UnableToLoadFilter: Filter could not be loaded.
  • TelemetryExitEventType_UnhandledDriverEvent: Unhandled event from driver.
  • TelemetryExitEventType_UnsupportedClientVersion: Client version unsupported.
  • TelemetryExitEventType_UnsupportedWindowsVersion: Windows version unsupported.
  • TelemetryExitEventType_UpdateThreadProcErrorGameProcess: Update thread error within game process.
  • TelemetryExitEventType_VirtualMachine: VM detected and policy forbids start.
  • TelemetryExitEventType_WindowsSafeMode: Windows Safe Mode not allowed for play.
  • TelemetryExitEventType_WorkerThreadCreationFailure: Failed to create a worker thread.

Internal Routine Notation

  • performSignatureBypassDetection: Internal routine name indicating the system is checking for tampering aimed at bypassing signature verification.

Practical Notes for Players and Tool Developers

  • Keep Windows, GPU drivers, chipset drivers, and storage drivers current and signed.
  • Disable test signing and detach debuggers before play.
  • Use supported overlays from major platforms and keep them current. Avoid global keyboard/mouse hooks and macro drivers.
  • Avoid virtualization or firmware mods while playing. Ensure Secure Boot, TPM, and measured boot are consistent.
  • If an exit event occurs, look for missing elevation, unsupported OS, signature errors, or launch‑sequence thread creation failures.