Alexandre-4667 avatar image
0 Votes"
Alexandre-4667 asked XiaoweiHe-MSFT edited

ETL TMF/PDB for SRCore.dll to read recovery restore logs


tl;dr: could you publish the ETL TMF/PDB for SRCore.dll 10.0.19041.1 providers, in particular:
- 18db3c95-39dd-3d64-f822-09d100573aae
- 57f88c3d-a6e5-34d7-e6ea-ccb24957812b
- 6159a5aa-b80b-3284-78fc-75a5764023f2
- 67e84b4f-3f04-34d4-988a-7ad6287ab131
- b3482fbf-3745-304e-2165-81fada0d61ef
- cc45e2ee-b286-35d0-28dd-9a198372ce40
- d6e22362-450a-3c6f-e771-15cf9b896f66
- eba92022-09b4-3524-ad44-9d8a9ed4208e
- ffc6638d-365a-308d-b0a8-cae5423b7cb1

Long story, the other day I was trying to clean my system from old unused (and left overs from dirty apps) system drivers (to clean, try to gain some stability (especially for explorer.exe), get some speed when opening a toolbar folder on the start menu (explorer.exe again)), then I misinstalled SPDT (just disabled the service instead of using the uninstaller) and my system refused to boot anymore.

I could have fixed it easily running autoruns (or regedit) again to renable the service, but with this new almost forced microsoft account linking I had to find my online account password, which I changed and I couldn't get on the moment (turn out, the requested one was the old one as I did not gave Windows the new one yet), so I went with the startup repair option by cusiosity, hoping it would tell me something useful. Instead it ran a system restore without even asking me (reverting some of the cleaning I already did, hopefully I writed them down), which is not good behavior if you ask me.

After that the system was able to boot but I want to know what changed, especially since 2-3 files I downloaded disappeared (they where in by browser's history but I wasn't able to find them, even with Everything). By digging on the internet I found 2 tracks:
C:\Windows\System32\Logfiles\Srt\SrtTrail.txt: not helpful, only indicating a system restore was preformed
C:\Windows\Logs\SystemRestore\restore.0.etl: this one looks interesting, but opening it in eventvwr shows nothing since it can't find the providers associated to the GUIDs.

After trying several tools I found online (Microsoft Message Analyser being the easiest and most useful, except you've removed the releases and I had to dig to find it), I was able to read some of the payloads, especially one about my Downloads folder, but I don't have the message associated to the guid+code, hence this request.

Microsoft-Windows-System-Restore (HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\Microsoft-Windows-System-Restore) / SrEvents.dll only gives the 126cdb97-d346-4894-8a34-658da5eea1b6 provider, which is not useful here (PerfView.exe userCommand DumpRegisteredManifest "Microsoft-Windows-System-Restore" for the detail).

If someone is willing to exchange more:
- Why some of them seems to be secret?
- Couldn't the recovery present it's results and ask before starting a potentially harmful operation?
- Is it normal the restore deleted files from my Download folder ?
- I listed 6 Microsoft forums / communities, is this the good one to ask this? :)

Thank you,

· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.


Thanks for your post!

After some research, it seems there's no publishment of the ETL TMF/PDB for SRCore.dll 10.0.19041.1 providers. The information may be deep level. And analysis of log is beyond our forum support level and due to forum security policy. So, I would suggest you open a case with MS for better help.

Below is the link to open a case with MS:

Best Regards,

0 Votes 0 ·

0 Answers