From 7e9d6c6e71c3cf8a2fa7074df3c86e4573f0326d Mon Sep 17 00:00:00 2001
From: Dongbo Wang <dongbow@microsoft.com>
Date: Mon, 20 Apr 2026 16:25:58 -0700
Subject: [PATCH 1/2] Update the ETW manifest file to converge the changes from
 PowerShell repo

---
 .../PowerShell.Core.Instrumentation.man       | 292 +++++++++++-------
 1 file changed, 188 insertions(+), 104 deletions(-)

diff --git a/src/PowerShell.Core.Instrumentation/PowerShell.Core.Instrumentation.man b/src/PowerShell.Core.Instrumentation/PowerShell.Core.Instrumentation.man
index 8019539..b406eb4 100644
--- a/src/PowerShell.Core.Instrumentation/PowerShell.Core.Instrumentation.man
+++ b/src/PowerShell.Core.Instrumentation/PowerShell.Core.Instrumentation.man
@@ -18,17 +18,18 @@
       version="$(build.version)"
       versionScope="nonSxS"
       />
-  <!--Define the instrumentation for Windows PowerShell-->
+  <!--Define the instrumentation for PowerShell-->
   <instrumentation
       xmlns:trace="http://schemas.microsoft.com/win/2004/08/events/trace"
       xmlns:win="http://manifests.microsoft.com/win/2004/08/windows/events"
       xmlns:xs="http://www.w3.org/2001/XMLSchema"
       >
     <events xmlns="http://schemas.microsoft.com/win/2004/08/events">
-      <!--Defines an event provider for PowerShell Core
-          The Guid for this provider should not be changed. If its
-          changed for any reason, then the manifest needs to be
-          first uninstalled and then installed again (using wevtutil)-->
+      <!--Defines an event provider for PowerShell
+          The Guid for this provider should not be changed. If it's
+          changed for any reason, then the old manifest needs to be
+          first uninstalled and then the changed manifest installed
+          (using wevtutil)-->
       <provider
           guid="{f90714a8-5509-434a-bf6d-b1624c8a19a2}"
           messageFileName="PowerShell.Core.Instrumentation.dll"
@@ -97,6 +98,41 @@
               value="0xD003"
               version="1"
               />
+          <!--ExperimentalFeature event-->
+          <event
+              channel="C_OPERATIONAL"
+              level="win:Error"
+              message="$(string.PS_PROVIDER.event.E_O_ExperimentalFeatureInvalidName.message)"
+              opcode="Constructor"
+              symbol="ExperimentalFeatureInvalidName"
+              task="ExperimentalFeature"
+              template="T_ExperimentalFeatureInvalidName"
+              value="0x3001"
+              version="1"
+              />
+          <event
+              channel="C_OPERATIONAL"
+              level="win:Error"
+              message="$(string.PS_PROVIDER.event.E_O_ExperimentalFeatureReadConfigError.message)"
+              opcode="Constructor"
+              symbol="ExperimentalFeatureReadConfigError"
+              task="ExperimentalFeature"
+              template="T_ExperimentalFeatureReadConfigError"
+              value="0x3002"
+              version="1"
+              />
+          <!--Telemetry events-->
+          <event
+              channel="C_OPERATIONAL"
+              level="win:Error"
+              message="$(string.PS_PROVIDER.event.T_TelemetrySettingError.message)"
+              opcode="Exception"
+              symbol="TelemetrySettingError"
+              task="Telemetry"
+              template="T_TelemetrySettingError"
+              value="0x3011"
+              version="1"
+              />
           <!--M3P events-->
           <event
               channel="C_ANALYTIC"
@@ -2185,47 +2221,48 @@
               version="1"
               />
           <event
-                channel="C_ANALYTIC"
-                keywords="AmsiState"
-                level="win:Verbose"
-                message="$(string.PS_PROVIDER.event.E_A_AmsiState.message)"
-                opcode="Method"
-                symbol="AmsiState"
-                task="Amsi"
-                template="T_AmsiState"
-                value="0x4001"
-                version="1"
-              />
-          <event
-                channel="C_ANALYTIC"
-                keywords="WDACQuery"
-                level="win:Verbose"
-                message="$(string.PS_PROVIDER.event.E_A_WDACQuery.message)"
-                opcode="Method"
-                symbol="WDACQuery"
-                task="WDAC"
-                template="T_WDACQuery"
-                value="0x4002"
-                version="1"
-              />
-          <event
-                channel="C_ANALYTIC"
-                keywords="WDACAudit"
-                level="win:Verbose"
-                message = "$(string.PS_PROVIDER.event.E_A_WDACAudit.message)"
-                opcode="Method"
-                symbol="WDACAudit"
-                task="WDACAudit"
-                template="T_WDACAudit"
-                value="0x4003"
-                version="1"
-              />
-          </events>
+              channel="C_ANALYTIC"
+              keywords="AmsiState"
+              level="win:Verbose"
+              message="$(string.PS_PROVIDER.event.E_A_AmsiState.message)"
+              opcode="Method"
+              symbol="AmsiState"
+              task="Amsi"
+              template="T_AmsiState"
+              value="0x4001"
+              version="1"
+              />
+          <event
+              channel="C_ANALYTIC"
+              keywords="WDACQuery"
+              level="win:Verbose"
+              message="$(string.PS_PROVIDER.event.E_A_WDACQuery.message)"
+              opcode="Method"
+              symbol="WDACQuery"
+              task="WDAC"
+              template="T_WDACQuery"
+              value="0x4002"
+              version="1"
+              />
+          <event
+              channel="C_ANALYTIC"
+              keywords="WDACAudit"
+              level="win:Verbose"
+              message = "$(string.PS_PROVIDER.event.E_A_WDACAudit.message)"
+              opcode="Method"
+              symbol="WDACAudit"
+              task="WDACAudit"
+              template="T_WDACAudit"
+              value="0x4003"
+              version="1"
+              />
+        </events>
         <channels>
-          <!--There are two channels defined for Windows PowerShell instrumentation
+          <!--There are three channels defined for PowerShell instrumentation
               event provider
-                1. Operational - for high level diagnositc messages
+                1. Operational - for high level diagnostic messages
                 2. Analytic - for high volume high performance trace messages
+                3. Debug - for high volume high performance trace messages
 		-->
           <channel
               chid="C_OPERATIONAL"
@@ -2247,7 +2284,6 @@
           <channel
               chid="C_ANALYTIC"
               enabled="false"
-              isolation="Application"
               message="$(string.PS_CHANNEL_ANALYTIC.ChannelMessage)"
               name="PowerShellCore/Analytic"
               symbol="C_ANALYTIC"
@@ -2274,7 +2310,6 @@
           <channel
               chid="C_DEBUG"
               enabled="false"
-              isolation="Application"
               message="$(string.PS_CHANNEL_DEBUG.ChannelMessage)"
               name="PowerShellCore/Debug"
               symbol="C_DEBUG"
@@ -2298,27 +2333,6 @@
               <bufferSize>64</bufferSize>
             </publishing>
           </channel>
-          <channel
-              chid="C_ADMIN"
-              enabled="true"
-              isolation="Application"
-              message="$(string.PS_CHANNEL_ADMIN.ChannelMessage)"
-              name="PowerShellCore/Admin"
-              symbol="C_ADMIN"
-              type="Admin"
-              >
-            <logging>
-              <!--this log is not circular, which means user has to
-					  manually clear logs-->
-              <retention>true</retention>
-              <!--max size of the analytic log file is 100 MB.
-					  It's ok to set it to this high a value because
-					  this channel is not enabled by default and the
-					  user will have to turn it on and this is the
-					  maximum size as well-->
-              <maxSize>1048985600</maxSize>
-            </logging>
-          </channel>
         </channels>
         <levels>
           <level
@@ -2425,6 +2439,18 @@
               symbol="T_EXECUTEPIEPLINE"
               value="106"
               />
+          <task
+              message="$(string.PS_PROVIDER.task.T_ExperimentalFeature.message)"
+              name="ExperimentalFeature"
+              symbol="T_EXPERIMENTALFEATURE"
+              value="107"
+              />
+          <task
+              message="$(string.PS_PROVIDER.task.T_Telemetry.message)"
+              name="Telemetry"
+              symbol="T_TELEMETRY"
+              value="108"
+              />
           <task
               message="$(string.PS_PROVIDER.task.T_ScheduledJob.message)"
               name="ScheduledJob"
@@ -2849,7 +2875,7 @@
         </maps>
         <templates>
           <!--
-            see http://msdn.microsoft.com/en-us/library/aa382747(VS.85).aspx
+            see https://msdn.microsoft.com/library/aa382747(VS.85).aspx
             for definitions of different data types
           -->
           <template tid="T_CorrelationEvent">
@@ -4020,6 +4046,44 @@
                 name="InnerException"
                 />
           </template>
+          <template tid="T_ExperimentalFeatureInvalidName">
+            <data
+                inType="win:UnicodeString"
+                name="Name"
+                />
+            <data
+                inType="win:UnicodeString"
+                name="Message"
+                />
+          </template>
+          <template tid="T_ExperimentalFeatureReadConfigError">
+            <data
+                inType="win:UnicodeString"
+                name="Name"
+                />
+            <data
+                inType="win:UnicodeString"
+                name="Message"
+                />
+            <data
+                inType="win:UnicodeString"
+                name="StackTrace"
+                />
+          </template>
+          <template tid="T_TelemetrySettingError">
+            <data
+                inType="win:UnicodeString"
+                name="Name"
+                />
+            <data
+                inType="win:UnicodeString"
+                name="Message"
+                />
+            <data
+                inType="win:UnicodeString"
+                name="StackTrace"
+                />
+          </template>
           <template tid="T_TrackingGuid">
             <data
                 inType="win:GUID"
@@ -4107,36 +4171,36 @@
                 />
           </template>
           <template tid="T_WDACQuery">
-            <data
-                inType="win:UnicodeString"
-                name="QueryName"
-                />
-            <data
-                inType="win:UnicodeString"
-                name="FileName"
-                />
-            <data
-                inType="win:Int32"
-                name="QuerySuccess"
-                />
-            <data
-                inType="win:Int32"
-                name="QuerySResult"
-                />
+              <data
+                  inType="win:UnicodeString"
+                  name="QueryName"
+                  />
+              <data
+                  inType="win:UnicodeString"
+                  name="FileName"
+                  />
+              <data
+                  inType="win:Int32"
+                  name="QuerySuccess"
+                  />
+              <data
+                  inType="win:Int32"
+                  name="QuerySResult"
+                  />
           </template>
           <template tid="T_WDACAudit">
-            <data
-                inType="win:UnicodeString"
-                name="Title"
-                />
-            <data
-                inType="win:UnicodeString"
-                name="Message"
-                />
-            <data
-                inType="win:UnicodeString"
-                name="FullyQualifiedId"
-                />
+              <data
+                  inType="win:UnicodeString"
+                  name="Title"
+                  />
+              <data
+                  inType="win:UnicodeString"
+                  name="Message"
+                  />
+              <data
+                  inType="win:UnicodeString"
+                  name="FullyQualifiedId"
+                  />
           </template>
         </templates>
       </provider>
@@ -4805,7 +4869,7 @@
             />
         <string
             id="PS_PROVIDER.event.E_A_RUNSPACE_WSMANCONNECTIONINFO.message"
-            value="Connection Paramters are %n Connection URI: %1 %n Resource URI: %2 %n User: %3 %n OpenTimeout: %4 %n IdleTimeout: %5 %n CancelTimeout: %6 %n AuthenticationMechanism: %7 %n Thumb Print: %8 %n MaxUriRedirectionCount: %9 %n MaxReceivedDataSizePerCommand: %10 %n MaxReceivedObjectSize: %11"
+            value="Connection Parameters are %n Connection URI: %1 %n Resource URI: %2 %n User: %3 %n OpenTimeout: %4 %n IdleTimeout: %5 %n CancelTimeout: %6 %n AuthenticationMechanism: %7 %n Thumb Print: %8 %n MaxUriRedirectionCount: %9 %n MaxReceivedDataSizePerCommand: %10 %n MaxReceivedObjectSize: %11"
             />
         <string
             id="PS_PROVIDER.event.E_O_RUNSPACE_CONSTRUCTOR.message"
@@ -4977,11 +5041,11 @@
             />
         <string
             id="PS_PROVIDER.event.E_A_SERIALIZER_DEPTH_OVERRIDE.message"
-            value="Serialization depth has been overriden. %n %t Serialized type name: %1 %n %t Original depth: %2 %n %t Overriden depth: %3 %n %t Current depth below top level: %4"
+            value="Serialization depth has been overriden. %n %t Serialized type name: %1 %n %t Original depth: %2 %n %t Overridden depth: %3 %n %t Current depth below top level: %4"
             />
         <string
             id="PS_PROVIDER.event.E_A_SERIALIZER_MODE_OVERRIDE.message"
-            value="Serialization mode has been overriden. %n %t Serialized type name: %1 %n %t Overriden mode: %2"
+            value="Serialization mode has been overriden. %n %t Serialized type name: %1 %n %t Overridden mode: %2"
             />
         <string
             id="PS_PROVIDER.event.E_A_SERIALIZER_SCRIPT_PROPERTY_WITHOUT_RUNSPACE.message"
@@ -5035,7 +5099,7 @@
               id="PS_PROVIDER.event.E_A_AmsiState.message"
               value="AmsiUtil state. %n %t state: %1 %n %t Context: %2"
             />
-        <string
+          <string
             id="PS_PROVIDER.event.E_O_M3PEndpointRegistered.message"
             value="A new PowerShell endpoint was registered. %n %t EndpointName: %1 %n %t EndpointType: %2 %n %t RegisteredBy: %3"
             />
@@ -5571,6 +5635,26 @@
             id="PS_PROVIDER.task.T_ScheduledJob.message"
             value="PowerShell Scheduled Jobs"
             />
+        <string
+            id="PS_PROVIDER.event.E_O_ExperimentalFeatureInvalidName.message"
+            value="Experimental Feature Initialization: Ignore the experimental feature '%1' from the config file. %2"
+            />
+        <string
+            id="PS_PROVIDER.event.E_O_ExperimentalFeatureReadConfigError.message"
+            value="Experimental Feature Initialization: Failed to read the config file.%n Exception: %1 %n Message: %2 %n StackTrace: %3 %n"
+            />
+        <string
+            id="PS_PROVIDER.task.T_ExperimentalFeature.message"
+            value="PowerShell Experimental Features"
+            />
+        <string
+            id="PS_PROVIDER.event.T_TelemetrySettingError.message"
+            value="Failed to retrieve diagnostics and feedback setting from Windows.%n Exception: %1 %n Message: %2 %n StackTrace: %3 %n"
+            />
+        <string
+            id="PS_PROVIDER.task.T_Telemetry.message"
+            value="PowerShell Telemetry"
+            />
         <string
             id="PS_PROVIDER.task.T_NamedPipe.message"
             value="PowerShell Named Pipe IPC"
@@ -5737,23 +5821,23 @@
             />
         <string
             id="PS_PROVIDER.event.E_O_REMOTE_NAMEDPIPE_LISTENER_START.message"
-            value="Windows PowerShell has started an IPC listening thread on process: %1 in AppDomain: %2."
+            value="PowerShell has started an IPC listening thread on process: %1 in AppDomain: %2."
             />
         <string
             id="PS_PROVIDER.event.E_O_REMOTE_NAMEDPIPE_LISTENER_END.message"
-            value="Windows PowerShell has ended an IPC listening thread on process: %1 in AppDomain: %2."
+            value="PowerShell has ended an IPC listening thread on process: %1 in AppDomain: %2."
             />
         <string
             id="PS_PROVIDER.event.E_O_REMOTE_NAMEDPIPE_LISTENER_ERROR.message"
-            value="An error has occurred in Windows PowerShell IPC listening thread on process: %1 in AppDomain: %2.  Error Message: %3."
+            value="An error has occurred in PowerShell IPC listening thread on process: %1 in AppDomain: %2.  Error Message: %3."
             />
         <string
             id="PS_PROVIDER.event.E_O_REMOTE_NAMEDPIPE_CONNECT.message"
-            value="Windows PowerShell IPC connect on process: %1 in AppDomain: %2 for User: %3."
+            value="PowerShell IPC connect on process: %1 in AppDomain: %2 for User: %3."
             />
         <string
             id="PS_PROVIDER.event.E_O_REMOTE_NAMEDPIPE_DISCONNECT.message"
-            value="Windows PowerShell IPC disconnect on process: %1 in AppDomain: %2 for User: %3."
+            value="PowerShell IPC disconnect on process: %1 in AppDomain: %2 for User: %3."
             />
         <string
             id="PS_PROVIDER.event.E_A_WDACQuery.message"

From 3be24c6075041580d8b7894fcd214daae7282074 Mon Sep 17 00:00:00 2001
From: Dongbo Wang <dongbow@microsoft.com>
Date: Wed, 22 Apr 2026 12:25:06 -0700
Subject: [PATCH 2/2] Update the name of the new event message

---
 .../PowerShell.Core.Instrumentation.man                       | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/PowerShell.Core.Instrumentation/PowerShell.Core.Instrumentation.man b/src/PowerShell.Core.Instrumentation/PowerShell.Core.Instrumentation.man
index b406eb4..bb4e153 100644
--- a/src/PowerShell.Core.Instrumentation/PowerShell.Core.Instrumentation.man
+++ b/src/PowerShell.Core.Instrumentation/PowerShell.Core.Instrumentation.man
@@ -125,7 +125,7 @@
           <event
               channel="C_OPERATIONAL"
               level="win:Error"
-              message="$(string.PS_PROVIDER.event.T_TelemetrySettingError.message)"
+              message="$(string.PS_PROVIDER.event.E_O_TelemetrySettingError.message)"
               opcode="Exception"
               symbol="TelemetrySettingError"
               task="Telemetry"
@@ -5648,7 +5648,7 @@
             value="PowerShell Experimental Features"
             />
         <string
-            id="PS_PROVIDER.event.T_TelemetrySettingError.message"
+            id="PS_PROVIDER.event.E_O_TelemetrySettingError.message"
             value="Failed to retrieve diagnostics and feedback setting from Windows.%n Exception: %1 %n Message: %2 %n StackTrace: %3 %n"
             />
         <string