Closed (himselfv closed this issue 5 years ago)
After much digging, turns out these things are so-called WNF State Names:
https://blog.quarkslab.com/playing-with-the-windows-notification-facility-wnf.html
WNF is an undocumented low-level system-wide facility to deliver per-system/per-user/per-session simple (int64 + optional data) event notifications to subscribers.
WNF State Names have a few flags in the lower bits, but otherwise are self-declared, like HRESULTs or GUIDs. Only, in contrast to GUIDs, State Names are only 8 bytes, so there's a chance of collisions. Currently the facility is internal, so the list is probably curated.
Various DLLs throughout the system define State Names, and thankfully there seems to be a way to extract these definitions from PDBs, sometimes even along with descriptions. I'm using a list compiled by http://redplait.blogspot.com/2017/08/wnf-ids-from-perfntcdll.html
The list is not exhaustive. Once the guys behind the first link release their scanner tool, I might update it with everything extracted from everywhere.
Mostly done, though would be good to update the list after quarkslab releases their automatic grabbing tool.
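An added example (not code from this issue or from the tool it concerns): a decoder for the flag fields packed into the low bits of a 64-bit WNF State Name. The field layout and the XOR key are the ones documented in the linked Quarkslab write-up and in the phnt `ntwnf.h` header; the sample name at the bottom is constructed, not a real system name.

```python
from dataclasses import dataclass

# Published State Names are the internal value XORed with this key (phnt: WNF_STATE_KEY).
WNF_STATE_KEY = 0x41C64E6DA3BC0074

LIFETIMES = {0: "WellKnown", 1: "Permanent", 2: "Persistent", 3: "Temporary"}
SCOPES = {0: "System", 1: "Session", 2: "User", 3: "Process",
          4: "Machine", 5: "PhysicalMachine"}


@dataclass(frozen=True)
class WnfStateName:
    version: int         # 4 bits  (bits 0-3)
    lifetime: int        # 2 bits  (bits 4-5)
    data_scope: int      # 4 bits  (bits 6-9)
    permanent_data: int  # 1 bit   (bit 10)
    unique: int          # 53 bits (bits 11-63): the sequence number


def decode_state_name(name: int) -> WnfStateName:
    """Strip the XOR key and unpack the bit fields of a WNF State Name."""
    if not 0 <= name < 1 << 64:
        raise ValueError("WNF State Names are 64-bit values")
    internal = name ^ WNF_STATE_KEY
    return WnfStateName(
        version=internal & 0xF,
        lifetime=(internal >> 4) & 0x3,
        data_scope=(internal >> 6) & 0xF,
        permanent_data=(internal >> 10) & 0x1,
        unique=internal >> 11,
    )


def encode_state_name(f: WnfStateName) -> int:
    """Inverse of decode_state_name; handy for building test vectors."""
    internal = ((f.version & 0xF) | ((f.lifetime & 0x3) << 4)
                | ((f.data_scope & 0xF) << 6) | ((f.permanent_data & 1) << 10)
                | ((f.unique & ((1 << 53) - 1)) << 11))
    return internal ^ WNF_STATE_KEY


def describe(name: int) -> str:
    """Human-readable summary, e.g. for a 'GUID-like value' lookup tool."""
    f = decode_state_name(name)
    return (f"0x{name:016X}: v{f.version} {LIFETIMES[f.lifetime]} "
            f"scope={SCOPES.get(f.data_scope, f'unknown({f.data_scope})')} "
            f"permanent_data={f.permanent_data} unique={f.unique:#x}")


if __name__ == "__main__":
    # Constructed sample: well-known, system-scope name with sequence number 0x1234.
    print(describe(encode_state_name(WnfStateName(1, 0, 0, 0, 0x1234))))
```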
Original report by me.
For now we only support plain-text GUIDs; maybe there are lists of possible options? (System-wide, or sources for building a custom list.)