Microsoft-Windows-Crypto-NCrypt
26 events across 3 channels
Event ID 1: Cryptographic Operation failed.
#Description
Cryptographic Operation failed.
Message #
Fields #
| Name | Description |
|---|---|
OperationType UInt32 | [Cryptographic Parameters] OperationType. Known values
|
ProviderName UnicodeString | |
KeyName UnicodeString | |
KeyType UnicodeString | Known values
|
AlgorithmName UnicodeString | |
Status HexInt32 | NTSTATUS reference |
ProcessName UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Crypto-NCrypt",
"guid": "E8ED09DC-100C-45E2-9FC8-B53399EC1F70",
"event_source_name": "",
"event_id": 1,
"version": 0,
"level": 2,
"task": 1,
"opcode": 0,
"keywords": 9223372036854775809,
"time_created": "2025-12-31T19:35:46.563871+00:00",
"event_record_id": 23,
"correlation": {
"ActivityID": "8D2E1BCA-7A8C-0001-8674-2E8D8C7ADC01"
},
"execution": {
"process_id": 5364,
"thread_id": 6168
},
"channel": "Microsoft-Windows-Crypto-NCrypt/Operational",
"computer": "WIN11-22H2-X64",
"security": {
"user_id": "S-1-5-21-3407486967-1585450050-1838039599-1000"
}
},
"event_data": {
"OperationType": 17,
"ProviderName": "Microsoft Software Key Storage Provider",
"KeyName": "NULL",
"KeyType": "",
"AlgorithmName": "",
"Status": "0x80090029",
"ProcessName": "powershell.exe"
},
"message": ""
}
Event ID 2: Open Provider operation failed.
#Description
Open Provider operation failed.
Message #
Fields #
| Name | Description |
|---|---|
ProviderName UnicodeString | [Cryptographic Parameters] Provider Name. |
Status HexInt32 | NTSTATUS reference |
ProcessName UnicodeString | [Failure Information] Return Code. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Crypto-NCrypt",
"guid": "{E8ED09DC-100C-45E2-9FC8-B53399EC1F70}",
"event_source_name": "",
"event_id": 2,
"version": 0,
"level": 2,
"task": 2,
"opcode": 0,
"keywords": -9223372036854775807,
"time_created": "2026-05-29T23:38:46.2948620+00:00",
"event_record_id": 30,
"correlation": {},
"execution": {
"process_id": 812,
"thread_id": 524
},
"channel": "Microsoft-Windows-Crypto-NCrypt/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"ProviderName": "Microsoft Platform Crypto Provider",
"Status": "0x80090030",
"ProcessName": "lsass.exe"
},
"message": "Open Provider operation failed.\r\n\r\n Cryptographic Parameters:\r\n \tProvider Name:\tMicrosoft Platform Crypto Provider\r\n Failure Information:\r\n \tReturn Code:\tlsass.exe"
}
Event ID 3: Open Key operation failed.
#Description
Open Key operation failed.
Message #
Fields #
| Name | Description |
|---|---|
ProviderName UnicodeString | [Cryptographic Parameters] Provider Name. |
KeyName UnicodeString | [Cryptographic Parameters] Key Name. |
Status HexInt32 | [Failure Information] Return Code. NTSTATUS reference |
ProcessName UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Crypto-NCrypt",
"guid": "{E8ED09DC-100C-45E2-9FC8-B53399EC1F70}",
"event_source_name": "",
"event_id": 3,
"version": 0,
"level": 2,
"task": 3,
"opcode": 0,
"keywords": -9223372036854775807,
"time_created": "2026-05-28T11:12:54.3298818+00:00",
"event_record_id": 20,
"correlation": {},
"execution": {
"process_id": 356,
"thread_id": 2384
},
"channel": "Microsoft-Windows-Crypto-NCrypt/Operational",
"computer": "telemetry-DC-d.cell-d.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"ProviderName": "Microsoft Software Key Storage Provider",
"KeyName": "Microsoft Connected Devices Platform device certificate",
"Status": "0x80090016",
"ProcessName": "svchost.exe"
},
"message": "Open Key operation failed.\r\n\r\n Cryptographic Parameters:\r\n \tProvider Name:\tMicrosoft Software Key Storage Provider\r\n \tKey Name:\tMicrosoft Connected Devices Platform device certificate\r\n Failure Information:\r\n \tReturn Code:\t0x80090016"
}
Event ID 4: Create Key operation failed.
#Description
Create Key operation failed.
Message #
Fields #
| Name | Description |
|---|---|
ProviderName UnicodeString | [Cryptographic Parameters] Provider Name. |
KeyName UnicodeString | [Cryptographic Parameters] Key Name. |
AlgorithmName UnicodeString | [Cryptographic Parameters] Algorithm Name. |
Flags HexInt32 | [Cryptographic Parameters] Flags. |
Status HexInt32 | [Failure Information] Return Code. NTSTATUS reference |
ProcessName UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Crypto-NCrypt",
"guid": "E8ED09DC-100C-45E2-9FC8-B53399EC1F70",
"event_source_name": "",
"event_id": 4,
"version": 0,
"level": 2,
"task": 4,
"opcode": 0,
"keywords": 9223372036854775809,
"time_created": "2023-11-06T01:47:51.933305+00:00",
"event_record_id": 47,
"correlation": {},
"execution": {
"process_id": 13296,
"thread_id": 8852
},
"channel": "Microsoft-Windows-Crypto-NCrypt/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-21-1992711665-1655669231-58201500-1000"
}
},
"event_data": {
"ProviderName": "Microsoft Software Key Storage Provider",
"KeyName": "ChromeMetricsTestKey",
"AlgorithmName": "ECDSA_P256",
"Flags": "0x20000",
"Status": "0x80090029",
"ProcessName": "chrome.exe"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 5: Protect Key operation failed.
#Description
Protect Key operation failed.
Message #
Fields #
| Name | Description |
|---|---|
ProtectorName UnicodeString | |
ProtectorAttributes UnicodeString | |
Flags HexInt32 | [Protector Attributes] Flags. |
Status HexInt32 | NTSTATUS reference |
ProcessName UnicodeString |
Event ID 6: Unprotect Key operation failed.
#Description
Unprotect Key operation failed.
Message #
Fields #
| Name | Description |
|---|---|
ProtectorName UnicodeString | |
RecipientType UInt32 | |
Flags HexInt32 | [Cryptographic Parameters] Flags. |
Status HexInt32 | NTSTATUS reference |
ProcessName UnicodeString | |
KeyIdLength UInt32 | |
KeyId Binary |
Event ID 7: Protect Secret operation failed.
#Description
Protect Secret operation failed.
Message #
Fields #
| Name | Description |
|---|---|
Flags HexInt32 | [Cryptographic Parameters] Flags. |
Status HexInt32 | NTSTATUS reference |
ProcessName UnicodeString |
Event ID 8: Unprotect Secret operation failed.
#Description
Unprotect Secret operation failed.
Message #
Fields #
| Name | Description |
|---|---|
Flags HexInt32 | [Cryptographic Parameters] Flags. |
Status HexInt32 | NTSTATUS reference |
ProcessName UnicodeString |
Event ID 9: Key write succeeded.
#Description
Key write succeeded.
Message #
Fields #
| Name | Description |
|---|---|
ProviderName UnicodeString | |
KeyModificationType HexInt32 | ModificationType. |
Flags HexInt32 | |
KeyName UnicodeString | |
KeyFileName UnicodeString | |
ProcessName UnicodeString | |
ProcessId HexInt32 | |
ThreadId HexInt32 | ServerThreadId. |
UserId UnicodeString | |
ServiceTag UnicodeString | |
Status HexInt32 | Return Code. NTSTATUS reference |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Crypto-NCrypt",
"guid": "{E8ED09DC-100C-45E2-9FC8-B53399EC1F70}",
"event_source_name": "",
"event_id": 9,
"version": 0,
"level": 5,
"task": 9,
"opcode": 0,
"keywords": -9223372036854775807,
"time_created": "2026-06-13T05:13:11.7061815+00:00",
"event_record_id": 35,
"correlation": {},
"execution": {
"process_id": 852,
"thread_id": 848
},
"channel": "Microsoft-Windows-Crypto-NCrypt/Operational",
"computer": "telemetry-DC-c.cell-c.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"ProviderName": "Microsoft Software Key Storage Provider",
"KeyModificationType": "0x1",
"Flags": "0x0",
"KeyName": "iisCngWasKey",
"KeyFileName": "597367cc37b886d7ee6c493e3befb421_8a99384c-f40f-46dc-9dc2-13adf38045d6",
"ProcessName": "C:\\Windows\\System32\\inetsrv\\iissetup.exe",
"ProcessId": "0x1df4",
"ThreadId": "0x350",
"UserId": "S-1-5-18",
"ServiceTag": "",
"Status": "0x0"
},
"message": "Key write succeeded.\r\n\r\n Provider Name:\tMicrosoft Software Key Storage Provider\r\n ModificationType: \t\t0x1\r\n Flags:\t\t0x0\r\n Key Name:\tiisCngWasKey\r\n Key File Name:\t597367cc37b886d7ee6c493e3befb421_8a99384c-f40f-46dc-9dc2-13adf38045d6\r\n ProcessName:\tC:\\Windows\\System32\\inetsrv\\iissetup.exe\r\n ProcessId:\t0x1DF4\r\n ServerThreadId:\t0x350\r\n UserId:\tS-1-5-18\r\n ServiceTag:\t\r\n Return Code:\t0x0"
}
Event ID 10: Key write failed.
#Description
Key write failed.
Message #
Fields #
| Name | Description |
|---|---|
ProviderName UnicodeString | |
KeyModificationType HexInt32 | |
Flags HexInt32 | |
KeyName UnicodeString | |
KeyFileName UnicodeString | |
ProcessName UnicodeString | |
ProcessId HexInt32 | |
ThreadId HexInt32 | |
UserId UnicodeString | |
ServiceTag UnicodeString | |
Status HexInt32 | NTSTATUS reference |
Event ID 11: Delete key succeeded.
#Description
Delete key succeeded.
Message #
Fields #
| Name | Description |
|---|---|
ProviderName UnicodeString | |
Flags HexInt32 | |
DeletionType HexInt32 | |
KeyName UnicodeString | |
KeyFileName UnicodeString | |
ProcessName UnicodeString | |
ProcessId HexInt32 | |
ThreadId HexInt32 | ServerThreadId. |
UserId UnicodeString | |
ServiceTag UnicodeString | |
Status HexInt32 | Return Code. NTSTATUS reference |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Crypto-NCrypt",
"guid": "E8ED09DC-100C-45E2-9FC8-B53399EC1F70",
"event_source_name": "",
"event_id": 11,
"version": 0,
"level": 5,
"task": 11,
"opcode": 0,
"keywords": 9223372036854775809,
"time_created": "2023-11-05T22:28:56.224021+00:00",
"event_record_id": 29,
"correlation": {},
"execution": {
"process_id": 808,
"thread_id": 856
},
"channel": "Microsoft-Windows-Crypto-NCrypt/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-19"
}
},
"event_data": {
"ProviderName": "Microsoft Software Key Storage Provider",
"Flags": "0x40",
"DeletionType": "0x0",
"KeyName": "Microsoft Connected Devices Platform device certificate",
"KeyFileName": "de7cf8a7901d2ad13e5c67c29e5d1662_31383106-803d-411b-9763-a28cdc0f0c3f",
"ProcessName": "C:\\Windows\\System32\\svchost.exe",
"ProcessId": "0x1528",
"ThreadId": "0x358",
"UserId": "S-1-5-19",
"ServiceTag": "CDPSvc",
"Status": "0x0"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 12: Delete key failed.
#Description
Delete key failed.
Message #
Fields #
| Name | Description |
|---|---|
ProviderName UnicodeString | |
Flags HexInt32 | |
DeletionType HexInt32 | |
KeyName UnicodeString | |
KeyFileName UnicodeString | |
ProcessName UnicodeString | |
ProcessId HexInt32 | |
ThreadId HexInt32 | |
UserId UnicodeString | |
ServiceTag UnicodeString | |
Status HexInt32 | NTSTATUS reference |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Crypto-NCrypt",
"guid": "{E8ED09DC-100C-45E2-9FC8-B53399EC1F70}",
"event_source_name": "",
"event_id": 12,
"version": 0,
"level": 2,
"task": 12,
"opcode": 0,
"keywords": -9223372036854775807,
"time_created": "2026-05-30T04:27:48.7405078+00:00",
"event_record_id": 500,
"correlation": {
"ActivityID": "{B8277B24-BBEE-4F03-8F3C-0302F5FBC0D9}"
},
"execution": {
"process_id": 868,
"thread_id": 8732
},
"channel": "Microsoft-Windows-Crypto-NCrypt/Operational",
"computer": "JD-DC01-2022.ludus.domain",
"security": {
"user_id": "S-1-5-80-3880006512-4290199581-1648723128-3569869737-3631323133"
}
},
"event_data": {
"ProviderName": "Microsoft Software Key Storage Provider",
"Flags": "0x0",
"DeletionType": "0x0",
"KeyName": "Microsoft SQL Server$SQLEXPRESS$FallBackCertCng",
"KeyFileName": "0d1bcf560fac62a46acc682f4472a9ed_8a99384c-f40f-46dc-9dc2-13adf38045d6",
"ProcessName": "C:\\Program Files\\Microsoft SQL Server\\MSSQL16.SQLEXPRESS\\MSSQL\\Binn\\sqlservr.exe",
"ProcessId": "0x2efc",
"ThreadId": "0x221c",
"UserId": "S-1-5-80-3880006512-4290199581-1648723128-3569869737-3631323133",
"ServiceTag": "MSSQL$SQLEXPRESS",
"Status": "0x80090016"
},
"message": "Delete key failed.\r\n\r\n Provider Name:\tMicrosoft Software Key Storage Provider\r\n Flags:\t\t0x0\r\n DeletionType: \t\t0x0\r\n Key Name:\tMicrosoft SQL Server$SQLEXPRESS$FallBackCertCng\r\n Key File Name:\t0d1bcf560fac62a46acc682f4472a9ed_8a99384c-f40f-46dc-9dc2-13adf38045d6\r\n ProcessName:\tC:\\Program Files\\Microsoft SQL Server\\MSSQL16.SQLEXPRESS\\MSSQL\\Binn\\sqlservr.exe\r\n ProcessId:\t0x2EFC\r\n ServerThreadId:\t0x221C\r\n UserId:\tS-1-5-80-3880006512-4290199581-1648723128-3569869737-3631323133\r\n ServiceTag:\tMSSQL$SQLEXPRESS\r\n Return Code:\t0x80090016"
}
Event ID 13: VBS Key Isolation operation failed.
#Description
VBS Key Isolation operation failed.
Message #
Fields #
| Name | Description |
|---|---|
Function AnsiString | |
Info UnicodeString | |
StatusCode HexInt32 | NTSTATUS reference |
StatusString HexInt32 |
Event ID 14: VBS Key Isolation operation failed.
#Description
VBS Key Isolation operation failed.
Message #
Fields #
| Name | Description |
|---|---|
Function AnsiString | |
Info UnicodeString | |
StatusCode HexInt32 | NTSTATUS reference |
StatusString HexInt32 | |
Client UnicodeString | |
FailuresCount Int64 | |
FailuresCountGlobal Int64 | |
SuccessCountGlobal Int64 |
Event ID 15: New client uses VBS Key Isolation.
#Description
New client uses VBS Key Isolation.
Message #
Fields #
| Name | Description |
|---|---|
Client UnicodeString | Name. |
BindingStatusCode HexInt32 | Binding status. |
BindingStatusString Int32 | |
InstanceBindingAttempts Int64 | Client instance binding attempts. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Crypto-NCrypt",
"guid": "E8ED09DC-100C-45E2-9FC8-B53399EC1F70",
"event_source_name": "",
"event_id": 15,
"version": 0,
"level": 4,
"task": 13,
"opcode": 0,
"keywords": 9223372036854775816,
"time_created": "2023-11-06T01:47:51.932692+00:00",
"event_record_id": 46,
"correlation": {
"ActivityID": "E4DB489E-1037-0001-0C49-DBE43710DA01"
},
"execution": {
"process_id": 808,
"thread_id": 15768
},
"channel": "Microsoft-Windows-Crypto-NCrypt/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-21-1992711665-1655669231-58201500-1000"
}
},
"event_data": {
"Client": "chrome.exe",
"BindingStatusCode": "0x80090029",
"BindingStatusString": -2146893783,
"InstanceBindingAttempts": 1,
"ImageBindingAttempts": 2,
"ActiveInstances": 1,
"ActiveInstancesMax": 1,
"InstancesLifetime": 2
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 16: Cert-In-Use Message.
#Event ID 17: Cert-In-Use Failed.
#Event ID 18: Key Guard attestation operation failed.
#Description
Key Guard attestation operation failed.
Message #
Fields #
| Name | Description |
|---|---|
Function AnsiString | |
Info UnicodeString | |
StatusCode HexInt32 | NTSTATUS reference |
StatusString HexInt32 | |
FailuresCountGlobal Int64 | |
SuccessCountGlobal Int64 |
Event ID 19: Key Guard attestation operation failed.
#Description
Key Guard attestation operation failed.
Message #
Fields #
| Name | Description |
|---|---|
Function AnsiString | |
Info UnicodeString | |
StatusCode HexInt32 | NTSTATUS reference |
StatusString HexInt32 |
Event ID 20: VBS Key Isolation is not available.
#Event ID 21: Key write succeeded.
#Description
Key write succeeded.
Message #
Fields #
| Name | Description |
|---|---|
ProviderName UnicodeString | |
KeyModificationType HexInt32 | |
Flags HexInt32 | |
KeyName UnicodeString | |
KeyFileName UnicodeString | |
ProcessName UnicodeString | |
ProcessId HexInt32 | |
ThreadId HexInt32 | |
UserId UnicodeString | |
ServiceTag UnicodeString | |
Status HexInt32 | NTSTATUS reference |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Crypto-NCrypt",
"event_id": 21,
"level": 4,
"task": 16,
"opcode": 0,
"time_created": "2026-05-27T20:02:13.2246525+00:00",
"computer": "DESKTOP-FF3N5XK.ludus.domain",
"channel": "Microsoft-Windows-Crypto-NCrypt"
},
"event_data": {
"ProcessId": "0x2578",
"KeyModificationType": "0x1",
"ServiceTag": "",
"Flags": "0x1",
"ProcessName": "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\148.0.3967.83\\msedgewebview2.exe",
"Status": "0x0",
"KeyFileName": "1e313dfb17707690d41bc1ce552b952a_e124ce79-d815-429f-bde2-b7c05bc3199e",
"UserId": "S-1-5-21-3798294047-1846905762-1150995898-1000",
"ProviderName": "Microsoft Software Key Storage Provider",
"KeyName": "ChromeMetricsTestKey",
"ThreadId": "0x918"
}
}
Event ID 22: Delete key succeeded.
#Description
Delete key succeeded.
Message #
Fields #
| Name | Description |
|---|---|
ProviderName UnicodeString | |
Flags HexInt32 | |
DeletionType HexInt32 | |
KeyName UnicodeString | |
KeyFileName UnicodeString | |
ProcessName UnicodeString | |
ProcessId HexInt32 | |
ThreadId HexInt32 | |
UserId UnicodeString | |
ServiceTag UnicodeString | |
Status HexInt32 | NTSTATUS reference |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Crypto-NCrypt",
"event_id": 22,
"level": 4,
"task": 17,
"opcode": 0,
"time_created": "2026-05-27T20:02:13.2556595+00:00",
"computer": "DESKTOP-FF3N5XK.ludus.domain",
"channel": "Microsoft-Windows-Crypto-NCrypt"
},
"event_data": {
"ProcessId": "0x2578",
"DeletionType": "0x0",
"Status": "0x0",
"Flags": "0x40",
"ProcessName": "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\148.0.3967.83\\msedgewebview2.exe",
"ServiceTag": "",
"KeyFileName": "1e313dfb17707690d41bc1ce552b952a_e124ce79-d815-429f-bde2-b7c05bc3199e",
"UserId": "S-1-5-21-3798294047-1846905762-1150995898-1000",
"ProviderName": "Microsoft Software Key Storage Provider",
"KeyName": "ChromeMetricsTestKey",
"ThreadId": "0x918"
}
}
Event ID 23: Capi1 Container write succeeded.
#Description
Capi1 Container write succeeded.
Message #
Fields #
| Name | Description |
|---|---|
KeyName AnsiString | |
KeyFileName UnicodeString | |
ProcessName UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Crypto-NCrypt",
"event_id": 23,
"level": 4,
"task": 16,
"opcode": 0,
"time_created": "2026-04-18T03:03:29.3327868+00:00",
"computer": "DESKTOP-FF3N5XK.ludus.domain",
"channel": "Microsoft-Windows-Crypto-NCrypt"
},
"event_data": {
"KeyFileName": "f686aace6942fb7f7ceb231212eef4a4_e124ce79-d815-429f-bde2-b7c05bc3199e",
"ProcessName": "svchost.exe",
"KeyName": "TSSecKeySet1"
}
}
Event ID 24: Capi1 Container Delete succeeded.
#Description
Capi1 Container Delete succeeded.
Message #
Fields #
| Name | Description |
|---|---|
KeyName AnsiString | |
KeyFileName UnicodeString | |
ProcessName UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Crypto-NCrypt",
"event_id": 24,
"level": 4,
"task": 17,
"opcode": 0,
"time_created": "2026-04-18T03:03:29.3302190+00:00",
"computer": "DESKTOP-FF3N5XK.ludus.domain",
"channel": "Microsoft-Windows-Crypto-NCrypt"
},
"event_data": {
"KeyFileName": "f686aace6942fb7f7ceb231212eef4a4_e124ce79-d815-429f-bde2-b7c05bc3199e",
"ProcessName": "svchost.exe",
"KeyName": "TSSecKeySet1"
}
}
Event ID 25: VBS Key Isolation status: Status.
#Description
VBS Key Isolation status: Status.
Message #
Fields #
| Name | Description |
|---|---|
Status UnicodeString | NTSTATUS reference |
Event ID 26: VBS Key Protection restart attempted.
#Description
VBS Key Protection restart attempted.
Message #
Fields #
| Name | Description |
|---|---|
LsaIsoLaunchAttempted Int64 | |
Status HexInt32 | NTSTATUS reference |
TotalAttemptedRestarts Int64 | |
TotalSuccessfulRestarts Int64 | |
CanBeEnabled Int64 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Crypto-NCrypt",
"event_id": 26,
"level": 4,
"task": 13,
"opcode": 0,
"time_created": "2026-05-27T16:17:08.8482340+00:00",
"computer": "DESKTOP-FF3N5XK.ludus.domain",
"channel": "Microsoft-Windows-Crypto-NCrypt"
},
"event_data": {
"LsaIsoLaunchAttempted": "0",
"Status": "0xc0000001",
"TotalAttemptedRestarts": "5",
"TotalSuccessfulRestarts": "0",
"CanBeEnabled": "0"
}
}
Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID e8ed09dc-100c-45e2-9fc8-b53399ec1f70
Defined in ncrypt.dll, which carries the event manifest.
Observed on:
- WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.3207, captured 2026-06-02
- Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.1591, captured 2026-06-02