Microsoft-Windows-HttpService

132 events across 3 channels

Event	Title	Channel	Sample
1	Request received (request ID RequestId) on connection (connection ID …	Trace	Y
2	Parsed request (request pointer RequestObj, method HttpVerb) with URI Url.	Trace	Y
3	Delivered request to server application (request pointer RequestObj, request ID …	Trace	Y
4	Server application passed response (request ID RequestId, connection ID …	Trace	N
5	Server application passed the last response (corresponding to request ID …	Trace	N
6	Server application passed entity body for request ID RequestId (connection ID …	Trace	N
7	Server application passed the last entity body for request ID RequestId.	Trace	N
8	Server application passed response (request ID RequestId, connection ID …	Trace	Y
9	Server application passed the last response (corresponding to request ID …	Trace	Y
10	Response ready for send (corresponding to request ID RequestId) with status code …	Trace	N
11	Cached the response (corresponding to request ID RequestId) with status code …	Trace	N
12	Queued last response (corresponding to request ID RequestId) for sending.	Trace	Y
13	Response sent (corresponding to request ID RequestId) with status code …	Trace	N
14	Error occurred while sending the last response (corresponding to request ID …	Trace	N
15	Error Status occurred while sending (corresponding to request ID RequestId).	Trace	N
16	Response (request pointer RequestObj, site ID SiteId, number of bytes BytesSent) …	Trace	N
17	Response (request pointer RequestObj, site ID SiteId, number of bytes BytesSent) …	Trace	N
18	Attempted to reserve URL (Url).	Trace	N
19	Successfully read the IP listen list for IP address IpAddrLength.	Trace	N
20	SSL credentials for IP address and port CertHashLength successfully created.	Trace	N
21	New connection created (local IP address LocalAddr and remote address …	Trace	N
22	Connection ID (ConnectionId) assigned to connection and request (request ID …	Trace	N
23	Client closed the connection (connection pointer ConnectionObj).	Trace	N
24	Connection (connection pointer ConnectionObj) cleanup started due to either the …	Trace	N
25	Successfully added entry (URI Uri) to cache.	Trace	N
26	Failed to add an entry (URI UrlBuffer) to the cache.	Trace	N
27	Flushed entry (URI Uri) from the cache.	Trace	N
28	Attempted to set URL group property: Property.	Trace	N
29	Attempted to set server session property: Property.	Trace	N
30	Attempted to set request queue property: Property.	Trace	N
31	Attempted to add URL (Url) to URL group (UrlGroupId).	Trace	N
32	Removed URL (Url) from URL group (UrlGroupId).	Trace	N
33	Removed all URLs from URL group UrlGroupId.	Trace	N
34	Initiating SSL connection.	Trace	N
35	Initiating SSL handshake.	Trace	N
36	SSL handshake completed with status: Status.	Trace	N
37	Server application is attempting to receive the SSL client certificate, which …	Trace	N
38	Attempt by server application to receive client certificate failed with status: …	Trace	N
39	Raw SSL data is available for processing.	Trace	Y
40	Decrypted SSL data is available for processing.	Trace	Y
41	Passed plaintext data for encryption.	Trace	Y
43	Attempt (on connection ID ConnectionId) to authenticate client completed.	Trace	N
44	Attempted to add entry to the AuthCacheType authentication cache.	Trace	N
45	Entry successfully removed from the authentication cache.	Trace	N
46	Successfully associated QoS flow with connection (connection ID ConnectionId).	Trace	N
47	Failed to configure the Type logging (directory Directory), Status: Status.	Trace	N
48	Successfully configured Type logging (directory Directory).	Trace	N
49	Failed to create Type log file Filename.	Trace	N
50	Successfully created new Type log file Filename.	Trace	N
51	Entry has been written to Type log file.	Trace	N
52	Parsing of request (request ID RequestId) failed due to reason: Reason.	Trace	N
53	HTTP timer Timer expired.	Trace	N
56	Failed to acquire handle for SSL credentials.	Trace	N
57	SSL connection will be disconnected as initiated by the client.	Trace	N
58	SSL connection will be disconnected as initiated by the server application.	Trace	N
59	Attempt to decrypt SSL data failed.	Trace	N
60	Query for SSL connection parameters failed.	Trace	N
61	Cannot find SSL endpoint for inbound connection for local IP address and port …	Trace	N
62	Attempt to perform SSL handshake failed.	Trace	N
63	Attempt to encrypt SSL data failed.	Trace	N
64	Request (request ID RequestId) rejected due to reason: Reason.	Trace	N
65	Server application canceled the processing of its request (request ID …	Trace	N
66	Http.	Trace	N
67	Hot-add information: Current UxNumberOfProcessors: …	Trace	N
68	Initialized QoS flow: FlowHandle FlowHandle, bandwidth Bandwidth, peak bandwidth …	Trace	N
69	Initialized QoS flow: FlowHandle FlowHandle, bandwidth Bandwidth, peak bandwidth …	Trace	N
70	QoS flow initialization failed: bandwidth Bandwidth, peak bandwidth …	Trace	N
71	Setting flow: Connection Connection, FlowHandle FlowHandle.	Trace	N
72	Assign to Configuration QoS Flow: FlowHandle FlowHandle.	Trace	N
73	[re]Setting QoS Flow failed: Connection Connection, FlowHandle FlowHandle, …	Trace	N
74	Response range processing done.	Trace	N
75	Begin building slices.	Trace	N
76	Send cached slices.	Trace	N
77	Cached slices match content.	Trace	N
78	Merge slices to cache.	Trace	N
79	Sending range from flat cache entry.	Trace	N
80	Channel bind ASC parameters: connection ConnectionId, buffers NoBindBuffers, …	Trace	N
81	Service bind check done.	Trace	N
82	Captured channel bind config.	Trace	N
83	Channel bind response config overwrites ReplaceConfigOf.	Trace	N
84	Policy-Based QoS: Connection Connection, FlowHandle FlowHandle.	Trace	N
85	Thread pool extension.	Trace	N
86	Thread ready.	Trace	N
87	Thread pool trim.	Trace	N
88	Thread gone.	Trace	N
89	SNI parsed for connection: ConnectionObj with status: Status.	Trace	N
90	Request RequestId has initated opaque mode.	Trace	N
91	Endpoint auto-generated for EndpointName.	Trace	N
92	Deleted auto-generated endpoint for EndpointName.	Trace	N
93	Inbound connection for IP: IpAddress, SNI: SniHostname.	Trace	N
94	SSL connection with local IP address and port Address rejected due to …	Trace	N
95	Parsing of response (response ID ResponseId) failed due to reason: Reason.	Trace	N
96	SSL handshake failed.	System	N
97	HTTP error response sent.	System	N
98	SSL renegotiate timed out.	System	N
99	HTTP 11 Required.	System	N
100	Version: Version Counts: Counts.	System	N
101	Version: Version Counts: Counts.	System	N
105	QUIC Connection.	Trace	N
106	QUIC Connection Callback.	Trace	N
107	QUIC Stream.	Trace	N
108	QUIC Stream Callback.	Trace	N
109	QUIC Registration Failed.	System	N
110	Correlation ID for request RequestId: CorrelationId.	Trace	Y
111	Create URL group UrlGroupId.	System	Y
112	Attempted to reserve URL Url.	System	Y
113	Attempted to add URL (Url) to URL group (UrlGroupId).	System	Y
114	Removed URL (Url) from URL group (UrlGroupId).	System	Y
115	Removed all URLs from URL group UrlGroupId.	System	N
116	Attempted to set URL group UrlGroupId property Property.	Trace	N
117	Delete URL group UrlGroupId.	System	Y
118	Status Status.	System	N
119	SSL Certificate Settings deleted for endpoint : Endpoint.	System	Y
120	SSL Certificate Settings created by an admin process for endpoint : Endpoint.	System	Y
121	SSL Certificate Settings updated by an admin process for endpoint : Endpoint, …	System	N
122	Set the IP address to the listen only list IpList.	System	N
123	QUIC certificate load failed with status Status and was ignored due to disabled …	System	N
124	Request (request ID RequestId) rejected due to request queue overflow.	Trace	N
125	Connection Connection, Connection Id ConnectionId: Stream Created, StreamId …	Trace	N
126	Connection Connection, Connection Id ConnectionId: Stream Aborted, StreamId …	Trace	N
127	Connection Connection, Connection Id ConnectionId: Send StreamId StreamId, …	Trace	N
128	Connection Connection, Connection Id ConnectionId: Data Indincation, StreamId …	Trace	N
129	Connection Connection, Connection Id ConnectionId: Header Indincation, StreamId …	Trace	N
130	Connection Connection, Connection Id ConnectionId: Go Away, StreamId StreamId, …	Trace	N
131	Http2 fault.	Trace	N
132	Connection Connection, Connection Id ConnectionId: Create.	Trace	N
133	Connection Connection, Connection Id ConnectionId: Detach.	Trace	N
134	task_0	Operational	Y
135	task_0135	Operational	Y
136	task_0136	Operational	Y
137	Query for SSL connection cipher info failed	Operational	N
137	Query for SSL connection cipher info failed.	Trace	N

Event ID 1: Request received (request ID RequestId) on connection (connection ID ConnectionId) from remote address RemoteAddr.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Also via: realtime ETW trace
Level: Informational
Task: HTTPRequestTraceTask
Opcode: RecvReq

Description

Request received (request ID RequestId) on connection (connection ID ConnectionId) from remote address RemoteAddr.

Message #

Request received (request ID %1) on connection (connection ID %2) from remote address %4.

Fields #

Name	Description
`RequestId` UInt64
`ConnectionId` UInt64
`RemoteAddrLength` UInt32
`RemoteAddr` Binary

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-HttpService",
    "guid": "{DD5EF90A-6398-47A4-AD34-4DCECDEF795F}",
    "event_source_name": "",
    "event_id": 1,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 11,
    "keywords": "0x0000000000000102",
    "time_created": "2026-06-02T05:24:39.889+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{877F78A1-F053-0006-6514-818753F0DC01}"
    },
    "execution": {
      "process_id": 4,
      "thread_id": 7864
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ConnectionId": 18230571322465845394,
    "RemoteAddr": "02008900C00002FE0000000000000000",
    "RemoteAddrLength": 16,
    "RequestId": 18230571322734281270
  },
  "message": "HTTP_TASK_REQUEST"
}

Event ID 2: Parsed request (request pointer RequestObj, method HttpVerb) with URI Url.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Also via: realtime ETW trace
Level: Informational
Task: HTTPRequestTraceTask
Opcode: Parse

Description

Parsed request (request pointer RequestObj, method HttpVerb) with URI Url.

Message #

Parsed request (request pointer %1, method %2) with URI %3.

Fields #

Name	Description
`RequestObj` Pointer
`HttpVerb` UInt32
`Url` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-HttpService",
    "guid": "{DD5EF90A-6398-47A4-AD34-4DCECDEF795F}",
    "event_source_name": "",
    "event_id": 2,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 12,
    "keywords": "0x0000000000000002",
    "time_created": "2026-06-02T05:24:39.889+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{40000236-0007-FD00-B63F-84710C7967BB}"
    },
    "execution": {
      "process_id": 4,
      "thread_id": 7864
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "HttpVerb": 6,
    "RequestObj": "0xFFFF878DC1B4B0D0",
    "Url": "http://10.2.10.11:5985/wsman"
  },
  "message": "HTTP_TASK_REQUEST"
}

Event ID 3: Delivered request to server application (request pointer RequestObj, request ID RequestId, site ID SiteId) from request queue RequestQueueName for URI Url with status Status.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Also via: realtime ETW trace
Level: Informational
Task: HTTPRequestTraceTask
Opcode: Deliver

Description

Delivered request to server application (request pointer RequestObj, request ID RequestId, site ID SiteId) from request queue RequestQueueName for URI Url with status Status.

Message #

Delivered request to server application (request pointer %1, request ID %2, site ID %3) from request queue %4 for URI %5 with status %6.

Fields #

Name	Description
`RequestObj` Pointer
`RequestId` UInt64
`SiteId` UInt32
`RequestQueueName` UnicodeString
`Url` UnicodeString
`Status` UInt32	NTSTATUS reference

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-HttpService",
    "guid": "{DD5EF90A-6398-47A4-AD34-4DCECDEF795F}",
    "event_source_name": "",
    "event_id": 3,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 13,
    "keywords": "0x0000000000000102",
    "time_created": "2026-06-02T05:24:39.889+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{40000236-0007-FD00-B63F-84710C7967BB}"
    },
    "execution": {
      "process_id": 4,
      "thread_id": 7864
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "RequestId": 18230571322734281270,
    "RequestObj": "0xFFFF878DC1B4B0D0",
    "RequestQueueName": "<<unnamed>>",
    "SiteId": 0,
    "Status": 0,
    "Url": "http://10.2.10.11:5985/wsman"
  },
  "message": "HTTP_TASK_REQUEST"
}

Event ID 4: Server application passed response (request ID RequestId, connection ID ConnectionId, method Verb, header length HeaderLength, number of entity chunks EntityChunkCount, cache policy CachePolicy) wi...

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPRequestTraceTask
Opcode: RecvResp

Description

Server application passed response (request ID RequestId, connection ID ConnectionId, method Verb, header length HeaderLength, number of entity chunks EntityChunkCount, cache policy CachePolicy) with status code StatusCode.

Message #

Server application passed response (request ID %1, connection ID %2, method %4, header length %5, number of entity chunks %6, cache policy %7) with status code %3.

Fields #

Name	Description
`RequestId` UInt64
`ConnectionId` UInt64
`StatusCode` UInt16	NTSTATUS reference
`Verb` AnsiString
`HeaderLength` UInt32
`EntityChunkCount` UInt16
`CachePolicy` UInt32

Event ID 5: Server application passed the last response (corresponding to request ID RequestId).

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPRequestTraceTask
Opcode: RecvRespLast

Description

Server application passed the last response (corresponding to request ID RequestId).

Message #

Server application passed the last response (corresponding to request ID %1).

Fields #

Name	Description
`RequestId` UInt64

Event ID 6: Server application passed entity body for request ID RequestId (connection ID ConnectionId).

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPRequestTraceTask
Opcode: RecvBody

Description

Server application passed entity body for request ID RequestId (connection ID ConnectionId).

Message #

Server application passed entity body for request ID %1 (connection ID %2).

Fields #

Name	Description
`RequestId` UInt64
`ConnectionId` UInt64

Event ID 7: Server application passed the last entity body for request ID RequestId.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPRequestTraceTask
Opcode: RecvBodyLast

Description

Server application passed the last entity body for request ID RequestId.

Message #

Server application passed the last entity body for request ID %1.

Fields #

Name	Description
`RequestId` UInt64

Event ID 8: Server application passed response (request ID RequestId, connection ID ConnectionId, method Verb, header length HeaderLength, number of entity chunks EntityChunkCount, cache policy CachePolicy) wi...

Provider: Microsoft-Windows-HttpService
Channel: Trace
Also via: realtime ETW trace
Level: Informational
Task: HTTPRequestTraceTask
Opcode: FastResp

Description

Message #

Server application passed response (request ID %1, connection ID %2, method %4, header length %5, number of entity chunks %6, cache policy %7) with status code %3.

Fields #

Name	Description
`RequestId` UInt64
`ConnectionId` UInt64
`StatusCode` UInt16	NTSTATUS reference
`Verb` AnsiString
`HeaderLength` UInt32
`EntityChunkCount` UInt16
`CachePolicy` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-HttpService",
    "guid": "{DD5EF90A-6398-47A4-AD34-4DCECDEF795F}",
    "event_source_name": "",
    "event_id": 8,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 19,
    "keywords": "0x0000000000000006",
    "time_created": "2026-06-02T05:24:39.884+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{40000235-0007-FD00-B63F-84710C7967BB}"
    },
    "execution": {
      "process_id": 4672,
      "thread_id": 16560
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "CachePolicy": 0,
    "ConnectionId": 18230571322465845394,
    "EntityChunkCount": 1,
    "HeaderLength": 0,
    "RequestId": 18230571322734281269,
    "StatusCode": 200,
    "Verb": "POST"
  },
  "message": "HTTP_TASK_REQUEST"
}

Event ID 9: Server application passed the last response (corresponding to request ID RequestId).

Provider: Microsoft-Windows-HttpService
Channel: Trace
Also via: realtime ETW trace
Level: Informational
Task: HTTPRequestTraceTask
Opcode: FastRespLast

Description

Server application passed the last response (corresponding to request ID RequestId).

Message #

Server application passed the last response (corresponding to request ID %1).

Fields #

Name	Description
`RequestId` UInt64

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-HttpService",
    "guid": "{DD5EF90A-6398-47A4-AD34-4DCECDEF795F}",
    "event_source_name": "",
    "event_id": 9,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 18,
    "keywords": "0x0000000000000006",
    "time_created": "2026-06-02T05:24:39.884+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{40000235-0007-FD00-B63F-84710C7967BB}"
    },
    "execution": {
      "process_id": 4672,
      "thread_id": 16560
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "RequestId": 18230571322734281269
  },
  "message": "HTTP_TASK_REQUEST"
}

Event ID 10: Response ready for send (corresponding to request ID RequestId) with status code HttpStatus.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPRequestTraceTask
Opcode: SendComplete

Description

Response ready for send (corresponding to request ID RequestId) with status code HttpStatus.

Message #

Response ready for send (corresponding to request ID %1) with status code %2.

Fields #

Name	Description
`RequestId` UInt64
`HttpStatus` UInt16

Event ID 11: Cached the response (corresponding to request ID RequestId) with status code HttpStatus.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPRequestTraceTask
Opcode: CachedAndSend

Description

Cached the response (corresponding to request ID RequestId) with status code HttpStatus. Response to be sent.

Message #

Cached the response (corresponding to request ID %1) with status code %2. Response to be sent.

Fields #

Name	Description
`RequestId` UInt64
`HttpStatus` UInt16

Event ID 12: Queued last response (corresponding to request ID RequestId) for sending.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Also via: realtime ETW trace
Level: Informational
Task: HTTPRequestTraceTask
Opcode: FastSend

Description

Queued last response (corresponding to request ID RequestId) for sending. Status code is HttpStatus.

Message #

Queued last response (corresponding to request ID %1) for sending. Status code is %2.

Fields #

Name	Description
`RequestId` UInt64
`HttpStatus` UInt16

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-HttpService",
    "guid": "{DD5EF90A-6398-47A4-AD34-4DCECDEF795F}",
    "event_source_name": "",
    "event_id": 12,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 21,
    "keywords": "0x0000000000000006",
    "time_created": "2026-06-02T05:24:39.884+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{40000235-0007-FD00-B63F-84710C7967BB}"
    },
    "execution": {
      "process_id": 4672,
      "thread_id": 16560
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "HttpStatus": 200,
    "RequestId": 18230571322734281269
  },
  "message": "HTTP_TASK_REQUEST"
}

Event ID 13: Response sent (corresponding to request ID RequestId) with status code HttpStatus.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPRequestTraceTask
Opcode: ZeroSend

Description

Response sent (corresponding to request ID RequestId) with status code HttpStatus. If disconnect is required, a TCP FIN has been sent.

Message #

Response sent (corresponding to request ID %1) with status code %2. If disconnect is required, a TCP FIN has been sent.

Fields #

Name	Description
`RequestId` UInt64
`HttpStatus` UInt16

Event ID 14: Error occurred while sending the last response (corresponding to request ID RequestId) with status code HttpStatus.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPRequestTraceTask
Opcode: LastSndError

Description

Error occurred while sending the last response (corresponding to request ID RequestId) with status code HttpStatus. A TCP Reset has been sent.

Message #

Error occurred while sending the last response (corresponding to request ID %1) with status code %2. A TCP Reset has been sent.

Fields #

Name	Description
`RequestId` UInt64
`HttpStatus` UInt16

Event ID 15: Error Status occurred while sending (corresponding to request ID RequestId).

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPRequestTraceTask
Opcode: SndError

Description

Error Status occurred while sending (corresponding to request ID RequestId). A TCP Reset will be sent.

Message #

Error %3 occurred while sending (corresponding to request ID %1). A TCP Reset will be sent.

Fields #

Name	Description
`RequestId` UInt64
`Reason` AnsiString
`Status` UInt32	NTSTATUS reference

Event ID 16: Response (request pointer RequestObj, site ID SiteId, number of bytes BytesSent) queued for sending from the cache.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPRequestTraceTask
Opcode: SrvdFrmCache

Description

Response (request pointer RequestObj, site ID SiteId, number of bytes BytesSent) queued for sending from the cache.

Message #

Response (request pointer %1, site ID %2, number of bytes %3) queued for sending from the cache.

Fields #

Name	Description
`RequestObj` Pointer
`SiteId` UInt32
`BytesSent` UInt32
`RequestId` UInt64
`Encoding` AnsiString

Event ID 17: Response (request pointer RequestObj, site ID SiteId, number of bytes BytesSent) queued for sending with status code 304 (cache not modified).

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPRequestTraceTask
Opcode: CachedNotModified

Description

Response (request pointer RequestObj, site ID SiteId, number of bytes BytesSent) queued for sending with status code 304 (cache not modified).

Message #

Response (request pointer %1, site ID %2, number of bytes %3) queued for sending with status code 304 (cache not modified).

Fields #

Name	Description
`RequestObj` Pointer
`SiteId` UInt32
`BytesSent` UInt32
`RequestId` UInt64
`Encoding` AnsiString

Event ID 18: Attempted to reserve URL (Url).

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPSetupTraceTask
Opcode: ResvUrl

Description

Attempted to reserve URL (Url). Status ReserveStatus.

Message #

Attempted to reserve URL (%1). Status %2.

Fields #

Name	Description
`Url` UnicodeString
`ReserveStatus` UInt32

Event ID 19: Successfully read the IP listen list for IP address IpAddrLength.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPSetupTraceTask
Opcode: ReadIpListEntry

Description

Successfully read the IP listen list for IP address IpAddrLength.

Message #

Successfully read the IP listen list for IP address %1.

Fields #

Name	Description
`IpAddrLength` UInt32
`IpAddress` Binary

Event ID 20: SSL credentials for IP address and port CertHashLength successfully created.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPSetupTraceTask
Opcode: CreatedSslCred

Description

SSL credentials for IP address and port CertHashLength successfully created.

Message #

SSL credentials for IP address and port %3 successfully created.

Fields #

Name	Description
`EndpointConfigObj` Pointer
`Endpoint` UnicodeString
`CertHashLength` UInt32
`CertHash` Binary
`CertStoreName` UnicodeString
`CertCheckMode` UInt32
`RevokeFreshnessTime` UInt32
`RevokeRetrievalTime` UInt32
`Flags` UInt32
`CtlId` UnicodeString
`CtlStoreName` UnicodeString
`CertificateLoadTimems` UInt32

Event ID 21: New connection created (local IP address LocalAddr and remote address RemoteAddr).

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPConnectionTraceTask
Opcode: ConnConnect

Description

New connection created (local IP address LocalAddr and remote address RemoteAddr).

Message #

New connection created (local IP address %3 and remote address %5).

Fields #

Name	Description
`ConnectionObj` Pointer
`LocalAddrLength` UInt32
`LocalAddr` Binary
`RemoteAddrLength` UInt32
`RemoteAddr` Binary

Event ID 22: Connection ID (ConnectionId) assigned to connection and request (request ID RequestId) will be parsed.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPConnectionTraceTask
Opcode: ConnIdAssgn

Description

Connection ID (ConnectionId) assigned to connection and request (request ID RequestId) will be parsed.

Message #

Connection ID (%2) assigned to connection and request (request ID %1) will be parsed.

Fields #

Name	Description
`RequestId` UInt64
`ConnectionId` UInt64
`ConnectionObj` Pointer

Event ID 23: Client closed the connection (connection pointer ConnectionObj).

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPConnectionTraceTask
Opcode: ConnClose

Description

Client closed the connection (connection pointer ConnectionObj). Status of whether closed by TCP Reset: Abortive.

Message #

Client closed the connection (connection pointer %1). Status of whether closed by TCP Reset: %2.

Fields #

Name	Description
`ConnectionObj` Pointer
`Abortive` UInt32

Event ID 24: Connection (connection pointer ConnectionObj) cleanup started due to either the sending of a TCP Reset, receiving of a TCP Reset, or after the mutual exchange...

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPConnectionTraceTask
Opcode: ConnCleanup

Description

Connection (connection pointer ConnectionObj) cleanup started due to either the sending of a TCP Reset, receiving of a TCP Reset, or after the mutual exchange of TCP Fins.

Message #

Connection (connection pointer %1) cleanup started due to either the sending of a TCP Reset, receiving of a TCP Reset, or after the mutual exchange of TCP Fins.

Fields #

Name	Description
`ConnectionObj` Pointer

Event ID 25: Successfully added entry (URI Uri) to cache.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPCacheTraceTask
Opcode: AddedCacheEntry

Description

Successfully added entry (URI Uri) to cache.

Message #

Successfully added entry (URI %1) to cache.

Fields #

Name	Description
`Uri` UnicodeString
`StatusCode` UInt16	NTSTATUS reference
`Verb` AnsiString
`HeaderLength` UInt32
`ContentLength` UInt32
`ExpirationTime` UInt64
`Encoding` AnsiString

Event ID 26: Failed to add an entry (URI UrlBuffer) to the cache.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPCacheTraceTask
Opcode: AddCacheEntryFailed

Description

Failed to add an entry (URI UrlBuffer) to the cache. Status: ErrorStatus.

Message #

Failed to add an entry (URI %1) to the cache. Status: %2.

Fields #

Name	Description
`UrlBuffer` UnicodeString
`ErrorStatus` UInt32
`Encoding` AnsiString

Event ID 27: Flushed entry (URI Uri) from the cache.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPCacheTraceTask
Opcode: FlushedCache

Description

Flushed entry (URI Uri) from the cache.

Message #

Flushed entry (URI %1) from the cache.

Fields #

Name	Description
`Uri` UnicodeString
`StatusCode` UInt16	NTSTATUS reference
`Verb` AnsiString
`HeaderLength` UInt32
`ContentLength` UInt32
`ExpirationTime` UInt64

Event ID 28: Attempted to set URL group property: Property.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPConfigurationPropertyTraceTask
Opcode: ChgUrlGrpProp

Description

Attempted to set URL group property: Property. Status: Status.

Message #

Attempted to set URL group property: %1. Status: %2.

Fields #

Name	Description
`Property` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 29: Attempted to set server session property: Property.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPConfigurationPropertyTraceTask
Opcode: ChgSrvSesProp

Description

Attempted to set server session property: Property. Status: Status.

Message #

Attempted to set server session property: %1. Status: %2.

Fields #

Name	Description
`Property` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 30: Attempted to set request queue property: Property.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPConfigurationPropertyTraceTask
Opcode: ChgReqQueueProp

Description

Attempted to set request queue property: Property. Status: Status.

Message #

Attempted to set request queue property: %1. Status: %2.

Fields #

Name	Description
`Property` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 31: Attempted to add URL (Url) to URL group (UrlGroupId).

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPConfigurationPropertyTraceTask
Opcode: AddUrl

Description

Attempted to add URL (Url) to URL group (UrlGroupId). Status: Status.

Message #

Attempted to add URL (%2) to URL group (%1). Status: %3.

Fields #

Name	Description
`UrlGroupId` UInt64
`Url` UnicodeString
`Status` UInt32	NTSTATUS reference

Event ID 32: Removed URL (Url) from URL group (UrlGroupId).

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPConfigurationPropertyTraceTask
Opcode: RemUrl

Description

Removed URL (Url) from URL group (UrlGroupId).

Message #

Removed URL (%2) from URL group (%1).

Fields #

Name	Description
`UrlGroupId` UInt64
`Url` UnicodeString

Event ID 33: Removed all URLs from URL group UrlGroupId.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPConfigurationPropertyTraceTask
Opcode: RemAllUrls

Description

Removed all URLs from URL group UrlGroupId.

Message #

Removed all URLs from URL group %1.

Fields #

Name	Description
`UrlGroupId` UInt64

Event ID 34: Initiating SSL connection.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPSSLTraceTask
Opcode: SslConnEvent

Description

Initiating SSL connection.

Message #

Initiating SSL connection.

Fields #

Name	Description
`ConnectionObj` Pointer

Event ID 35: Initiating SSL handshake.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPSSLTraceTask
Opcode: SslInitiateHandshake

Description

Initiating SSL handshake.

Message #

Initiating SSL handshake.

Fields #

Name	Description
`ConnectionObj` Pointer

Event ID 36: SSL handshake completed with status: Status.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPSSLTraceTask
Opcode: SslHandshakeComplete

Description

SSL handshake completed with status: Status.

Message #

SSL handshake completed with status: %1.

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference
`ConnectionObj` Pointer

Event ID 37: Server application is attempting to receive the SSL client certificate, which will be provided if available.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPSSLTraceTask
Opcode: SslInititateSslRcvClientCert

Description

Server application is attempting to receive the SSL client certificate, which will be provided if available. If the client certificate is not available, a renegotiation will be initiated.

Message #

Server application is attempting to receive the SSL client certificate, which will be provided if available. If the client certificate is not available, a renegotiation will be initiated.

Fields #

Name	Description
`ConnectionObj` Pointer

Event ID 38: Attempt by server application to receive client certificate failed with status: Status.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPSSLTraceTask
Opcode: SslRcvClientCertFailed

Description

Attempt by server application to receive client certificate failed with status: Status.

Message #

Attempt by server application to receive client certificate failed with status: %1.

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference
`ConnectionObj` Pointer

Event ID 39: Raw SSL data is available for processing.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Also via: realtime ETW trace
Level: Informational
Task: HTTPSSLTraceTask
Opcode: SslRcvdRawData

Description

Raw SSL data is available for processing.

Message #

Raw SSL data is available for processing.

Fields #

Name	Description
`DataLength` UInt32
`ConnectionObj` Pointer

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-HttpService",
    "guid": "{DD5EF90A-6398-47A4-AD34-4DCECDEF795F}",
    "event_source_name": "",
    "event_id": 39,
    "version": 0,
    "level": 4,
    "task": 7,
    "opcode": 45,
    "keywords": "0x0000000000000212",
    "time_created": "2026-06-02T05:52:20.869+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{72529F65-EE0F-0002-2CC6-83720FEEDC01}"
    },
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ConnectionObj": "0xFFFFBD09ED73B010",
    "DataLength": 4874
  },
  "message": "HTTP_TASK_SSL"
}

Event ID 40: Decrypted SSL data is available for processing.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Also via: realtime ETW trace
Level: Informational
Task: HTTPSSLTraceTask
Opcode: SslDlvrdStreamData

Description

Decrypted SSL data is available for processing.

Message #

Decrypted SSL data is available for processing.

Fields #

Name	Description
`DataLength` UInt32
`ConnectionObj` Pointer

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-HttpService",
    "guid": "{DD5EF90A-6398-47A4-AD34-4DCECDEF795F}",
    "event_source_name": "",
    "event_id": 40,
    "version": 0,
    "level": 4,
    "task": 7,
    "opcode": 46,
    "keywords": "0x0000000000000202",
    "time_created": "2026-06-02T05:52:20.869+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{72529F65-EE0F-0002-2CC6-83720FEEDC01}"
    },
    "execution": {
      "process_id": 4,
      "thread_id": 13660
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ConnectionObj": "0xFFFFBD09ED73B010",
    "DataLength": 216
  },
  "message": "HTTP_TASK_SSL"
}

Event ID 41: Passed plaintext data for encryption.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Also via: realtime ETW trace
Level: Informational
Task: HTTPSSLTraceTask
Opcode: SslAcceptStreamData

Description

Passed plaintext data for encryption.

Message #

Passed plaintext data for encryption.

Fields #

Name	Description
`DataLength` UInt32
`ConnectionObj` Pointer

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-HttpService",
    "guid": "{DD5EF90A-6398-47A4-AD34-4DCECDEF795F}",
    "event_source_name": "",
    "event_id": 41,
    "version": 0,
    "level": 4,
    "task": 7,
    "opcode": 47,
    "keywords": "0x0000000000000206",
    "time_created": "2026-06-02T05:52:20.863+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{72529F65-EE0F-0002-2CC6-83720FEEDC01}"
    },
    "execution": {
      "process_id": 2940,
      "thread_id": 14072
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ConnectionObj": "0xFFFFBD09ED73B010",
    "DataLength": 1542
  },
  "message": "HTTP_TASK_SSL"
}

Event ID 43: Attempt (on connection ID ConnectionId) to authenticate client completed.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPAuthenticationTraceTask
Opcode: SspiCall

Description

Attempt (on connection ID ConnectionId) to authenticate client completed. Authentication type AuthType. Security status: SecStatus.

Message #

Attempt (on connection ID %1) to authenticate client completed. Authentication type %2. Security status: %3.

Fields #

Name	Description
`ConnectionId` UInt64
`AuthType` AnsiString
`SecStatus` UInt32
`AuthStatus` UInt32
`ContextAttributes` UInt32

Event ID 44: Attempted to add entry to the AuthCacheType authentication cache.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPAuthenticationTraceTask
Opcode: AuthCacheEntryAdded

Description

Attempted to add entry to the AuthCacheType authentication cache. Status: Status.

Message #

Attempted to add entry to the %2 authentication cache. Status: %4.

Fields #

Name	Description
`ConnectionId` UInt64
`AuthCacheType` AnsiString
`AccessTokenOrHandle` Pointer
`Status` UInt32	NTSTATUS reference

Event ID 45: Entry successfully removed from the authentication cache.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPAuthenticationTraceTask
Opcode: AuthCacheEntryFreed

Description

Entry successfully removed from the authentication cache.

Message #

Entry successfully removed from the authentication cache.

Fields #

Name	Description
`AccessTokenOrHandle` Pointer
`Status` UInt32	NTSTATUS reference

Event ID 46: Successfully associated QoS flow with connection (connection ID ConnectionId).

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPConnectionTraceTask
Opcode: QosFlowSetReset

Description

Successfully associated QoS flow with connection (connection ID ConnectionId). Bandwidth throttled to: Bandwidth Bytes per second.

Message #

Successfully associated QoS flow with connection (connection ID %1). Bandwidth throttled to: %2 Bytes per second.

Fields #

Name	Description
`ConnectionId` UInt64
`Bandwidth` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 47: Failed to configure the Type logging (directory Directory), Status: Status.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPLoggingTraceTask
Opcode: LoggingConfigFailed

Description

Failed to configure the Type logging (directory Directory), Status: Status.

Message #

Failed to configure the %2 logging (directory %4), Status: %1.

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference
`Type` UInt32
`Group` UInt32
`Directory` UnicodeString
`Software` UnicodeString
`SiteId` UInt32

Event ID 48: Successfully configured Type logging (directory Directory).

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPLoggingTraceTask
Opcode: LoggingConfig

Description

Successfully configured Type logging (directory Directory).

Message #

Successfully configured %2 logging (directory %5).

Fields #

Name	Description
`Present` UInt32
`Type` UInt32
`Group` UInt32
`Format` UInt32
`Directory` UnicodeString
`Software` UnicodeString
`SiteId` UInt32

Event ID 49: Failed to create Type log file Filename.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPLoggingTraceTask
Opcode: LogFileCreateFailed

Description

Failed to create Type log file Filename. Status: Status.

Message #

Failed to create %2 log file %5. Status: %1.

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference
`Type` UInt32
`Group` UInt32
`Format` UInt32
`Filename` UnicodeString
`SiteId` UInt32

Event ID 50: Successfully created new Type log file Filename.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPLoggingTraceTask
Opcode: LogFileCreate

Description

Successfully created new Type log file Filename.

Message #

Successfully created new %2 log file %5.

Fields #

Name	Description
`Handle` Pointer
`Type` UInt32
`Group` UInt32
`Format` UInt32
`Filename` UnicodeString
`SiteId` UInt32

Event ID 51: Entry has been written to Type log file.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPLoggingTraceTask
Opcode: LogFileWrite

Description

Entry has been written to Type log file.

Message #

Entry has been written to %3 log file.

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference
`Handle` Pointer
`Type` UInt32
`Group` UInt32
`Format` UInt32
`ResType` AnsiString
`SiteId` UInt32

Event ID 52: Parsing of request (request ID RequestId) failed due to reason: Reason.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPRequestTraceTask
Opcode: ParseRequestFailed

Description

Parsing of request (request ID RequestId) failed due to reason: Reason. Request may not be compliant with HTTP/1.1.

Message #

Parsing of request (request ID %2) failed due to reason: %3. Request may not be compliant with HTTP/1.1.

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference
`RequestId` UInt64
`Reason` AnsiString
`ErrorCode` UInt32
`HintLength` UInt32
`HintData` Binary

Event ID 53: HTTP timer Timer expired.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPTimeoutTraceTask
Opcode: ConnTimedOut

Description

HTTP timer Timer expired. The connection will be reset.

Message #

HTTP timer %3 expired. The connection will be reset.

Fields #

Name	Description
`ConnectionId` UInt64
`ConnectionObj` Pointer
`Timer` AnsiString

Event ID 56: Failed to acquire handle for SSL credentials.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPSSLTraceTask
Opcode: SslEndpointCreationFailed

Description

Failed to acquire handle for SSL credentials. Failure will be event logged. Security status: SecStatus.

Message #

Failed to acquire handle for SSL credentials. Failure will be event logged. Security status: %2.

Fields #

Name	Description
`EndpointConfigObj` Pointer
`SecStatus` UInt32
`Detail` AnsiString

Event ID 57: SSL connection will be disconnected as initiated by the client.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPSSLTraceTask
Opcode: SslDisconnEvent

Description

SSL connection will be disconnected as initiated by the client.

Message #

SSL connection will be disconnected as initiated by the client.

Fields #

Name	Description
`ConnectionObj` Pointer

Event ID 58: SSL connection will be disconnected as initiated by the server application.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPSSLTraceTask
Opcode: SslDisconnReq

Description

SSL connection will be disconnected as initiated by the server application. Status: Status.

Message #

SSL connection will be disconnected as initiated by the server application. Status: %2.

Fields #

Name	Description
`ConnectionObj` Pointer
`Status` UInt32	NTSTATUS reference

Event ID 59: Attempt to decrypt SSL data failed.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPSSLTraceTask
Opcode: SslUnsealMsg

Description

Attempt to decrypt SSL data failed. Security status: SecStatus.

Message #

Attempt to decrypt SSL data failed. Security status: %2.

Fields #

Name	Description
`ConnectionObj` Pointer
`SecStatus` UInt32

Event ID 60: Query for SSL connection parameters failed.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPSSLTraceTask
Opcode: SslQueryConnInfoFailed

Description

Query for SSL connection parameters failed. Security status: SecStatus. Connection will be reset.

Message #

Query for SSL connection parameters failed. Security status: %2. Connection will be reset.

Fields #

Name	Description
`ConnectionObj` Pointer
`SecStatus` UInt32
`Detail` AnsiString

Event ID 61: Cannot find SSL endpoint for inbound connection for local IP address and port Address.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPSSLTraceTask
Opcode: SslEndpointConfigNotFound

Description

Cannot find SSL endpoint for inbound connection for local IP address and port Address.

Message #

Cannot find SSL endpoint for inbound connection for local IP address and port %3.

Fields #

Name	Description
`ConnectionObj` Pointer
`AddressLength` UInt32
`Address` Binary

Event ID 62: Attempt to perform SSL handshake failed.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPSSLTraceTask
Opcode: SslAsc

Description

Attempt to perform SSL handshake failed. Security status: SecStatus.

Message #

Attempt to perform SSL handshake failed. Security status: %2.

Fields #

Name	Description
`ConnectionObj` Pointer
`SecStatus` UInt32

Event ID 63: Attempt to encrypt SSL data failed.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPSSLTraceTask
Opcode: SslSealMsg

Description

Attempt to encrypt SSL data failed. Security status: SecStatus.

Message #

Attempt to encrypt SSL data failed. Security status: %2.

Fields #

Name	Description
`ConnectionObj` Pointer
`SecStatus` UInt32

Event ID 64: Request (request ID RequestId) rejected due to reason: Reason.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPRequestTraceTask
Opcode: RequestRejected

Description

Request (request ID RequestId) rejected due to reason: Reason.

Message #

Request (request ID %1) rejected due to reason: %2.

Fields #

Name	Description
`RequestId` UInt64
`Reason` AnsiString
`RequestQueueName` UnicodeString

Event ID 65: Server application canceled the processing of its request (request ID RequestId).

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPRequestTraceTask
Opcode: RequestCancelled

Description

Server application canceled the processing of its request (request ID RequestId).

Message #

Server application canceled the processing of its request (request ID %1).

Fields #

Name	Description
`RequestId` UInt64
`Reason` AnsiString
`RequestQueueName` UnicodeString

Event ID 66: Http.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPDriverGlobalSettingsTask
Opcode: HotAddProcFailed

Description

Http.sys failed to process CPU hot-add. Processor number: NewProcNumber, reason: ReasonString, status: Status.

Message #

Http.sys failed to process CPU hot-add. Processor number: %1, reason: %2, status: %3.

Fields #

Name	Description
`NewProcNumber` UInt8
`ReasonString` AnsiString
`Status` UInt32	NTSTATUS reference

Event ID 67: Hot-add information: Current UxNumberOfProcessors: Hotadd_information_Current_UxNumberOfProcessors, comment: comment.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPDriverGlobalSettingsTask
Opcode: HotAddProcSucceeded

Description

Hot-add information: Current UxNumberOfProcessors: Hotadd_information_Current_UxNumberOfProcessors, comment: comment.

Message #

Hot-add information: Current UxNumberOfProcessors: %1, comment: %2.

Fields #

Name	Description
`NewProcNumber` UInt8
`Comment` AnsiString

Event ID 68: Initialized QoS flow: FlowHandle FlowHandle, bandwidth Bandwidth, peak bandwidth PeakBandwidth, burst size BurstSize.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPRequestTraceTask
Opcode: UserResponseFlowInit

Description

Initialized QoS flow: FlowHandle FlowHandle, bandwidth Bandwidth, peak bandwidth PeakBandwidth, burst size BurstSize.

Message #

Initialized QoS flow: FlowHandle %1, bandwidth %2, peak bandwidth %3, burst size %4

Fields #

Name	Description
`FlowHandle` Pointer
`Bandwidth` UInt32
`PeakBandwidth` UInt32
`BurstSize` UInt32

Event ID 69: Initialized QoS flow: FlowHandle FlowHandle, bandwidth Bandwidth, peak bandwidth PeakBandwidth, burst size BurstSize.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPRequestTraceTask
Opcode: CachedResponseFlowInit

Description

Initialized QoS flow: FlowHandle FlowHandle, bandwidth Bandwidth, peak bandwidth PeakBandwidth, burst size BurstSize.

Message #

Initialized QoS flow: FlowHandle %1, bandwidth %2, peak bandwidth %3, burst size %4

Fields #

Name	Description
`FlowHandle` Pointer
`Bandwidth` UInt32
`PeakBandwidth` UInt32
`BurstSize` UInt32

Event ID 70: QoS flow initialization failed: bandwidth Bandwidth, peak bandwidth PeakBandwidth, burst size BurstSize, status Status.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPRequestTraceTask
Opcode: FlowInitFailed

Description

QoS flow initialization failed: bandwidth Bandwidth, peak bandwidth PeakBandwidth, burst size BurstSize, status Status.

Message #

QoS flow initialization failed: bandwidth %1, peak bandwidth %2, burst size %3, status %4

Fields #

Name	Description
`Bandwidth` UInt32
`PeakBandwidth` UInt32
`BurstSize` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 71: Setting flow: Connection Connection, FlowHandle FlowHandle.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPConnectionTraceTask
Opcode: SetConnectionFlow

Description

Setting flow: Connection Connection, FlowHandle FlowHandle.

Message #

Setting flow: Connection %1, FlowHandle %2

Fields #

Name	Description
`Connection` Pointer
`FlowHandle` Pointer

Event ID 72: Assign to Configuration QoS Flow: FlowHandle FlowHandle.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPConnectionTraceTask
Opcode: RequestAssociatedToConfigurationFlow

Description

Assign to Configuration QoS Flow: FlowHandle FlowHandle.

Message #

Assign to Configuration QoS Flow: FlowHandle %1

Fields #

Name	Description
`FlowHandle` Pointer

Event ID 73: [re]Setting QoS Flow failed: Connection Connection, FlowHandle FlowHandle, status Status.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPConnectionTraceTask
Opcode: ConnectionFlowFailed

Description

[re]Setting QoS Flow failed: Connection Connection, FlowHandle FlowHandle, status Status.

Message #

[re]Setting QoS Flow failed: Connection %1, FlowHandle %2, status %3

Fields #

Name	Description
`Connection` Pointer
`FlowHandle` Pointer
`Status` UInt32	NTSTATUS reference

Event ID 74: Response range processing done.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPRequestTraceTask
Opcode: ResponseRangeProcessingOK

Description

Response range processing done. Req. RequestId, response content size ContentBytes, ranges NumberOfRanges (Range1Start-Range1End, Range2Start-Range2End,...).

Message #

Response range processing done. Req. %1, response content size %2, ranges %3 (%4-%5, %6-%7,...)

Fields #

Name	Description
`RequestId` UInt64
`ContentBytes` UInt64
`NumberOfRanges` UInt32
`Range1Start` UInt64
`Range1End` UInt64
`Range2Start` UInt64
`Range2End` UInt64

Event ID 75: Begin building slices.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPCacheTraceTask
Opcode: BeginBuildingSlices

Description

Begin building slices. Req. RequestId, slices NumberOfSlices (SliceIndex1,SliceIndex2,...), ranges NumberOfRanges (Range1Start-Range1End, Range2Start-Range2End,...).

Message #

Begin building slices. Req. %1, slices %2 (%3,%4,...), ranges %5 (%6-%7, %8-%9,...)

Fields #

Name	Description
`RequestId` UInt64
`NumberOfSlices` UInt32
`SliceIndex1` UInt32
`SliceIndex2` UInt32
`NumberOfRanges` UInt32
`Range1Start` UInt64
`Range1End` UInt64
`Range2Start` UInt64
`Range2End` UInt64

Event ID 76: Send cached slices.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPCacheTraceTask
Opcode: SendSliceCacheContent

Description

Send cached slices. Req. RequestId, CacheEntry CacheEntryPtr, slices NumberOfSlices (SliceIndex1,SliceIndex2,...), ranges NumberOfRanges (Range1Start-Range1End, Range2Start-Range2End,...).

Message #

Send cached slices. Req. %1, CacheEntry %2, slices %3 (%4,%5,...), ranges %6 (%7-%8, %9-%10,...)

Fields #

Name	Description
`RequestId` UInt64
`CacheEntryPtr` Pointer
`NumberOfSlices` UInt32
`SliceIndex1` UInt32
`SliceIndex2` UInt32
`NumberOfRanges` UInt32
`Range1Start` UInt64
`Range1End` UInt64
`Range2Start` UInt64
`Range2End` UInt64

Event ID 77: Cached slices match content.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPCacheTraceTask
Opcode: CachedSlicesMatchContent

Description

Cached slices match content. Req. RequestId, CacheEntry CacheEntryPtr, slices NumberOfSlices (SliceIndex1,SliceIndex2,...), ranges NumberOfRanges (Range1Start-Range1End, Range2Start-Range2End,...).

Message #

Cached slices match content. Req. %1, CacheEntry %2, slices %3 (%4,%5,...), ranges %6 (%7-%8, %9-%10,...)

Fields #

Name	Description
`RequestId` UInt64
`CacheEntryPtr` Pointer
`NumberOfSlices` UInt32
`SliceIndex1` UInt32
`SliceIndex2` UInt32
`NumberOfRanges` UInt32
`Range1Start` UInt64
`Range1End` UInt64
`Range2Start` UInt64
`Range2End` UInt64

Event ID 78: Merge slices to cache.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPCacheTraceTask
Opcode: MergeSlicesToCache

Description

Merge slices to cache. CacheEntry CacheEntryPtr, slices to merge NofSlicesToMerge, slices to cache NofSlicesInCache.

Message #

Merge slices to cache. CacheEntry %1, slices to merge %2, slices to cache %3

Fields #

Name	Description
`CacheEntryPtr` Pointer
`NofSlicesToMerge` UInt32
`NofSlicesInCache` UInt32

Event ID 79: Sending range from flat cache entry.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPCacheTraceTask
Opcode: FlatCacheRangeSend

Description

Sending range from flat cache entry. CacheEntry CacheEntryPtr, range Range1Start-Range1End.

Message #

Sending range from flat cache entry. CacheEntry %1, range %2-%3

Fields #

Name	Description
`CacheEntryPtr` Pointer
`Range1Start` UInt64
`Range1End` UInt64

Event ID 80: Channel bind ASC parameters: connection ConnectionId, buffers NoBindBuffers, flags SecFlags.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPAuthenticationTraceTask
Opcode: ChannelBindAscParams

Description

Channel bind ASC parameters: connection ConnectionId, buffers NoBindBuffers, flags SecFlags.

Message #

Channel bind ASC parameters: connection %1, buffers %2, flags %3

Fields #

Name	Description
`ConnectionId` UInt64
`NoBindBuffers` UInt32
`SecFlags` UInt32

Event ID 81: Service bind check done.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPAuthenticationTraceTask
Opcode: ServiceBindCheckComplete

Description

Service bind check done. Connection ConnectionId, Context SecContextL-SecContextH, status SecStatus, target Target.

Message #

Service bind check done. Connection %1, Context %2-%3, status %4, target %5

Fields #

Name	Description
`ConnectionId` UInt64
`SecContextL` Pointer
`SecContextH` Pointer
`SecStatus` UInt32
`Target` UnicodeString

Event ID 82: Captured channel bind config.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPAuthenticationTraceTask
Opcode: ChannelBindConfigCapture

Description

Captured channel bind config. Hardening Hardening, flags Flags, service count ServiceNameCount.

Message #

Captured channel bind config. Hardening %1, flags %2, service count %3

Fields #

Name	Description
`Hardening` UInt8
`Flags` UInt32
`ServiceNameCount` UInt32

Event ID 83: Channel bind response config overwrites ReplaceConfigOf.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPAuthenticationTraceTask
Opcode: ChannelBindPerResponseConfig

Description

Channel bind response config overwrites ReplaceConfigOf.

Message #

Channel bind response config overwrites %1

Fields #

Name	Description
`ReplaceConfigOf` AnsiString

Event ID 84: Policy-Based QoS: Connection Connection, FlowHandle FlowHandle.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPConnectionTraceTask
Opcode: UsePolicyBasedQoSFlow

Description

Policy-Based QoS: Connection Connection, FlowHandle FlowHandle.

Message #

Policy-Based QoS: Connection %1, FlowHandle %2

Fields #

Name	Description
`Connection` Pointer
`FlowHandle` Pointer

Event ID 85: Thread pool extension.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPThreadPool
Opcode: ThreadPoolExtension

Description

Thread pool extension. Pool type: Thread_pool_extension_Pool_type, active pools: active_pools.

Message #

Thread pool extension. Pool type: %1, active pools: %2.

Fields #

Name	Description
`PoolType` AnsiString
`ActivePools` UInt16

Event ID 86: Thread ready.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPThreadPool
Opcode: ThreadReady

Description

Thread ready. Pool type: Thread_ready_Pool_type, active pools: active_pools, thread count: thread_count.

Message #

Thread ready. Pool type: %1, active pools: %2, thread count: %3

Fields #

Name	Description
`PoolType` AnsiString
`ActivePools` UInt16
`ThreadCount` UInt8

Event ID 87: Thread pool trim.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPThreadPool
Opcode: ThreadPoolTrim

Description

Thread pool trim. Pool type: Thread_pool_trim_Pool_type, active pools: active_pools.

Message #

Thread pool trim. Pool type: %1, active pools: %2.

Fields #

Name	Description
`PoolType` AnsiString
`ActivePools` UInt16

Event ID 88: Thread gone.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPThreadPool
Opcode: ThreadGone

Description

Thread gone. Pool type: Thread_gone_Pool_type, active pools: active_pools, thread count: thread_count.

Message #

Thread gone. Pool type: %1, active pools: %2, thread count: %3

Fields #

Name	Description
`PoolType` AnsiString
`ActivePools` UInt16
`ThreadCount` UInt8

Event ID 89: SNI parsed for connection: ConnectionObj with status: Status.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPSSLTraceTask
Opcode: SniParsed

Description

SNI parsed for connection: ConnectionObj with status: Status.

Message #

SNI parsed for connection: %1 with status: %2

Fields #

Name	Description
`ConnectionObj` Pointer
`Status` UInt32	NTSTATUS reference
`SniLength` UInt32
`SniHost` Binary
`NormalizedHost` UnicodeString

Event ID 90: Request RequestId has initated opaque mode.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPRequestTraceTask
Opcode: InitiateOpaqueMode

Description

Request RequestId has initated opaque mode.

Message #

Request %1 has initated opaque mode

Fields #

Name	Description
`RequestId` UInt64

Event ID 91: Endpoint auto-generated for EndpointName.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPSSLTraceTask
Opcode: EndpointAutoGenerated

Description

Endpoint auto-generated for EndpointName.

Message #

Endpoint auto-generated for %2

Fields #

Name	Description
`EndpointConfigObj` Pointer
`EndpointName` UnicodeString

Event ID 92: Deleted auto-generated endpoint for EndpointName.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPSSLTraceTask
Opcode: AutoGeneratedEndpointDeleted

Description

Deleted auto-generated endpoint for EndpointName.

Message #

Deleted auto-generated endpoint for %2

Fields #

Name	Description
`EndpointConfigObj` Pointer
`EndpointName` UnicodeString

Event ID 93: Inbound connection for IP: IpAddress, SNI: SniHostname.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPSSLTraceTask
Opcode: SslEndpointConfigFound

Description

Inbound connection for IP: IpAddress, SNI: SniHostname. SSL endpoint found: MatchingEndpointName.

Message #

Inbound connection for IP: %3, SNI: %4. SSL endpoint found: %5

Fields #

Name	Description
`EndpointConfigObj` Pointer
`IpAddrLength` UInt32
`IpAddress` Binary
`SniHostname` UnicodeString
`MatchingEndpointName` UnicodeString
`AutoGeneratedEndpoint` Boolean

Event ID 94: SSL connection with local IP address and port Address rejected due to configuration policy.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPSSLTraceTask
Opcode: SslEndpointConfigRejected

Description

SSL connection with local IP address and port Address rejected due to configuration policy.

Message #

SSL connection with local IP address and port %2 rejected due to configuration policy.

Fields #

Name	Description
`AddressLength` UInt32
`Address` Binary

Event ID 95: Parsing of response (response ID ResponseId) failed due to reason: Reason.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPResponseTraceTask
Opcode: ParseRequestFailed

Description

Parsing of response (response ID ResponseId) failed due to reason: Reason. Request may not be compliant with HTTP/1.1.

Message #

Parsing of response (response ID %2) failed due to reason: %3. Request may not be compliant with HTTP/1.1.

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference
`ResponseId` UInt64
`Reason` AnsiString
`ErrorCode` UInt32
`HintLength` UInt32
`HintData` Binary

Event ID 96: SSL handshake failed.

Provider: Microsoft-Windows-HttpService
Channel: System
Task: HTTPSSLTraceTask
Opcode: SslHandshakeFailure

Description

SSL handshake failed. Local IP: Remote_IP, Remote IP: Thumbprint, SNI: Client_Initiated_Disconnect, Thumbprint: Connection_Status, Client Initiated Disconnect: LocalAddressLength, Abortive Disconnect: LocalAddress, Connection Status: RemoteAddressLength.

Message #

SSL handshake failed. Local IP: %2, Remote IP: %4, SNI: %5, Thumbprint: %7, Client Initiated Disconnect: %8, Abortive Disconnect: %9, Connection Status: %10

Fields #

Name	Description
`LocalAddressLength` UInt32
`LocalAddress` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary
`SniHostname` UnicodeString
`ThumbprintLength` UInt16
`Thumbprint` Binary
`ClientDisconnect` Boolean
`AbortiveDisconnect` Boolean
`Status` UInt32	NTSTATUS reference

Event ID 97: HTTP error response sent.

Provider: Microsoft-Windows-HttpService
Channel: System
Task: HTTPRequestTraceTask
Opcode: HttpErrorResponseSent

Description

HTTP error response sent. Url: Url, Verb: Verb, Status Code: StatusCode, Cache Send: CacheSend, Request Queue: RequestQueue, PID: ProcessId, TID: ThreadId, Image Name: ImageFileName, Working Set(Bytes): WorkingSetSize, Send Status: SendStatus, Thread Count: ThreadCount, Reason Phrase: ReasonPhrase, Error Cause: ErrorCause, Verbosity: Verbosity

Message #

HTTP error response sent. Url: %1, Verb: %2, Status Code: %3, Cache Send: %4, Request Queue: %5, PID: %6, TID: %7, Image Name: %8, Working Set(Bytes): %9, Send Status: %10, Thread Count: %11, Reason Phrase: %12, Error Cause: %13, Verbosity: %14

Fields #

Name	Description
`Url` UnicodeString
`Verb` UInt32
`StatusCode` UInt16	NTSTATUS reference
`CacheSend` Boolean
`RequestQueue` UnicodeString
`ProcessId` UInt32
`ThreadId` UInt32
`ImageFileName` AnsiString
`WorkingSetSize` UInt64
`SendStatus` UInt32
`ThreadCount` UInt32
`ReasonPhrase` AnsiString
`ErrorCause` AnsiString
`Verbosity` UInt32

Event ID 98: SSL renegotiate timed out.

Provider: Microsoft-Windows-HttpService
Channel: System
Task: HTTPSSLTraceTask
Opcode: SslRenegotiateTimedOut

Description

SSL renegotiate timed out. Local IP: Remote_IP, Remote IP: Thumbprint, SNI: Connection_Buffer_Full, Thumbprint: LocalAddress, Connection Buffer Full: RemoteAddressLength.

Message #

SSL renegotiate timed out. Local IP: %2, Remote IP: %4, SNI: %5, Thumbprint: %7, Connection Buffer Full: %8

Fields #

Name	Description
`LocalAddressLength` UInt32
`LocalAddress` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary
`SniHostname` UnicodeString
`ThumbprintLength` UInt16
`Thumbprint` Binary
`ConnectionBufferFull` Boolean

Event ID 99: HTTP 11 Required.

Provider: Microsoft-Windows-HttpService
Channel: System
Task: HTTPRequestTraceTask
Opcode: Http11Required

Description

HTTP 11 Required. Verb: HTTP_11_Required_Verb, Fault Code: Fault_Code.

Message #

HTTP 11 Required. Verb: %1, Fault Code: %2

Fields #

Name	Description
`Verb` UInt32
`FaultCode` UInt32

Event ID 100: Version: Version Counts: Counts.

Provider: Microsoft-Windows-HttpService
Channel: System
Task: HTTPConnectionTraceTask
Opcode: QuicCounts

Description

Version: Version Counts: Counts.

Message #

Version: %1 Counts: %2

Fields #

Name	Description
`Version` UInt32
`CountsLength` UInt32
`Counts` Binary

Event ID 101: Version: Version Counts: Counts.

Provider: Microsoft-Windows-HttpService
Channel: System
Task: HTTPConnectionTraceTask
Opcode: WskCounts

Description

Version: Version Counts: Counts.

Message #

Version: %1 Counts: %2

Fields #

Name	Description
`Version` UInt32
`CountsLength` UInt32
`Counts` Binary

Event ID 105: QUIC Connection.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPConnectionTraceTask
Opcode: QuicConnection

Description

QUIC Connection. QuicConnectionId: QUIC_Connection_QuicConnectionId, Connection: Connection, Local IP: Remote_IP, Remote IP: ErrorCode, SNI: QuicConnectionId, ErrorCode: LocalAddressLength, Status: LocalAddress.

Message #

QUIC Connection. QuicConnectionId: %1, Connection: %2, Local IP: %4, Remote IP: %6, SNI: %8, ErrorCode: %9, Status: %10

Fields #

Name	Description
`QuicConnectionId` UInt64
`Connection` Pointer
`LocalAddressLength` UInt32
`LocalAddress` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary
`SniLength` UInt32
`SniHost` Binary
`ErrorLogCode` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 106: QUIC Connection Callback.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPConnectionTraceTask
Opcode: QuicConnectionCallback

Description

QUIC Connection Callback. Connection: QUIC_Connection_Callback_Connection, Event: Event, EventParam: EventParam.

Message #

QUIC Connection Callback. Connection: %1, Event: %2, EventParam: %3

Fields #

Name	Description
`Connection` Pointer
`Event` UInt8
`EventParam` UInt64

Event ID 107: QUIC Stream.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPConnectionTraceTask
Opcode: QuicStream

Description

QUIC Stream. QuicStreamId: QUIC_Stream_QuicStreamId, Connection: Connection, Stream: Stream.

Message #

QUIC Stream. QuicStreamId: %1, Connection: %2, Stream: %3

Fields #

Name	Description
`QuicStreamId` UInt64
`Connection` Pointer
`Stream` Pointer

Event ID 108: QUIC Stream Callback.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPConnectionTraceTask
Opcode: QuicStreamCallback

Description

QUIC Stream Callback. Stream: QUIC_Stream_Callback_Stream, Connection: Connection, StreamType: StreamType, Event: Event, EventParam: EventParam.

Message #

QUIC Stream Callback. Stream: %1, Connection: %2, StreamType: %3, Event: %4, EventParam: %5

Fields #

Name	Description
`Stream` Pointer
`Connection` Pointer
`StreamType` AnsiString
`Event` UInt8
`EventParam` UInt64

Event ID 109: QUIC Registration Failed.

Provider: Microsoft-Windows-HttpService
Channel: System
Task: HTTPDriverGlobalSettingsTask
Opcode: QuicRegistration

Description

QUIC Registration Failed. Status: QUIC_Registration_Failed_Status.

Message #

QUIC Registration Failed. Status: %1

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Event ID 110: Correlation ID for request RequestId: CorrelationId.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Also via: realtime ETW trace
Level: Informational
Task: HTTPRequestTraceTask
Opcode: ClientCorrelation

Description

Correlation ID for request RequestId: CorrelationId.

Message #

Correlation ID for request %1: %2

Fields #

Name	Description
`RequestId` UInt64
`CorrelationId` GUID

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-HttpService",
    "guid": "{DD5EF90A-6398-47A4-AD34-4DCECDEF795F}",
    "event_source_name": "",
    "event_id": 110,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 120,
    "keywords": "0x0000000000000002",
    "time_created": "2026-06-02T05:52:20.869+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{4000072C-0001-FE00-B63F-84710C7967BB}"
    },
    "execution": {
      "process_id": 4,
      "thread_id": 12180
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "CorrelationId": "{DBC7C805-5E45-11F1-A6BE-010101010000}",
    "RequestId": 18302628891002406700
  },
  "message": "HTTP_TASK_REQUEST"
}

Event ID 111: Create URL group UrlGroupId.

Provider: Microsoft-Windows-HttpService
Channel: System
Level: Informational
Task: HTTPConfigurationPropertyTraceTask
Opcode: CreateUrlGroup

Description

Create URL group UrlGroupId. Status Status. Process Id ProcessId Executable path ExecutablePath, User UserSid.

Message #

Create URL group %1. Status %2. Process Id %3 Executable path %4, User %5

Fields #

Name	Description
`UrlGroupId` UInt64
`Status` UInt32	NTSTATUS reference
`ProcessId` UInt64
`ExecutablePath` UnicodeString
`UserSid` SID

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-HttpService",
    "guid": "DD5EF90A-6398-47A4-AD34-4DCECDEF795F",
    "event_source_name": "",
    "event_id": 111,
    "version": 0,
    "level": 4,
    "task": 5,
    "opcode": 125,
    "keywords": 4611686018427387968,
    "time_created": "2026-03-13T20:06:22.592017+00:00",
    "event_record_id": 2069,
    "correlation": {},
    "execution": {
      "process_id": 4260,
      "thread_id": 4596
    },
    "channel": "System",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "UrlGroupId": 18302628890465533953,
    "Status": 0,
    "ProcessId": 4260,
    "ExecutablePath": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe",
    "UserSid": "S-1-5-18"
  },
  "message": ""
}

Event ID 112: Attempted to reserve URL Url.

Provider: Microsoft-Windows-HttpService
Channel: System
Level: Informational
Task: HTTPSetupTraceTask
Opcode: ResvUrlV2

Description

Attempted to reserve URL Url. Status ReserveStatus. Process Id ProcessId Executable path ExecutablePath, User UserSid.

Message #

Attempted to reserve URL %1. Status %2. Process Id %3 Executable path %4, User %5

Fields #

Name	Description
`Url` UnicodeString
`ReserveStatus` UInt32
`ProcessId` UInt64
`ExecutablePath` UnicodeString
`UserSid` SID

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-HttpService",
    "guid": "{DD5EF90A-6398-47A4-AD34-4DCECDEF795F}",
    "event_source_name": "",
    "event_id": 112,
    "version": 0,
    "level": 4,
    "task": 3,
    "opcode": 121,
    "keywords": 4611686018427387905,
    "time_created": "2026-06-13T13:53:53.8268372+00:00",
    "event_record_id": 2699,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 160
    },
    "channel": "System",
    "computer": "telemetry-W11-d.cell-d.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Url": "http://+:47001/wsman/",
    "ReserveStatus": "0",
    "ProcessId": "4",
    "ExecutablePath": "",
    "UserSid": "S-1-5-18"
  },
  "message": "Attempted to reserve URL http://+:47001/wsman/. Status 0x0. Process Id 0x4 Executable path , User S-1-5-18"
}

Event ID 113: Attempted to add URL (Url) to URL group (UrlGroupId).

Provider: Microsoft-Windows-HttpService
Channel: System
Level: Informational
Task: HTTPConfigurationPropertyTraceTask
Opcode: AddUrl_5_122

Description

Attempted to add URL (Url) to URL group (UrlGroupId). Status: Status. Process Id ProcessId Executable path ExecutablePath, User UserSid.

Message #

Attempted to add URL (%2) to URL group (%1). Status: %3. Process Id %4 Executable path %5, User %6

Fields #

Name	Description
`UrlGroupId` UInt64
`Url` UnicodeString
`Status` UInt32	NTSTATUS reference
`ProcessId` UInt64
`ExecutablePath` UnicodeString
`UserSid` SID

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-HttpService",
    "guid": "DD5EF90A-6398-47A4-AD34-4DCECDEF795F",
    "event_source_name": "",
    "event_id": 113,
    "version": 0,
    "level": 4,
    "task": 5,
    "opcode": 122,
    "keywords": 4611686018427387968,
    "time_created": "2026-03-11T06:29:35.510270+00:00",
    "event_record_id": 2802,
    "correlation": {},
    "execution": {
      "process_id": 1608,
      "thread_id": 1656
    },
    "channel": "System",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-20"
    }
  },
  "event_data": {
    "UrlGroupId": 18302628907645403137,
    "Url": "https://+:5986/wsman/",
    "Status": 0,
    "ProcessId": 1608,
    "ExecutablePath": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe",
    "UserSid": "S-1-5-20"
  },
  "message": ""
}

Event ID 114: Removed URL (Url) from URL group (UrlGroupId).

Provider: Microsoft-Windows-HttpService
Channel: System
Level: Informational
Task: HTTPConfigurationPropertyTraceTask
Opcode: RemUrl_5_123

Description

Removed URL (Url) from URL group (UrlGroupId). Process Id ProcessId Executable path ExecutablePath, User UserSid.

Message #

Removed URL (%2) from URL group (%1). Process Id %3 Executable path %4, User %5

Fields #

Name	Description
`UrlGroupId` UInt64
`Url` UnicodeString
`ProcessId` UInt64
`ExecutablePath` UnicodeString
`UserSid` SID

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-HttpService",
    "guid": "{DD5EF90A-6398-47A4-AD34-4DCECDEF795F}",
    "event_source_name": "",
    "event_id": 114,
    "version": 0,
    "level": 4,
    "task": 5,
    "opcode": 123,
    "keywords": 4611686018427387968,
    "time_created": "2026-06-13T13:53:22.9529441+00:00",
    "event_record_id": 2602,
    "correlation": {},
    "execution": {
      "process_id": 7116,
      "thread_id": 9664
    },
    "channel": "System",
    "computer": "telemetry-W11-d.cell-d.ludus.domain",
    "security": {
      "user_id": "S-1-5-20"
    }
  },
  "event_data": {
    "UrlGroupId": "18302628894760501249",
    "Url": "https://+:5986/wsman/",
    "ProcessId": "7116",
    "ExecutablePath": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe",
    "UserSid": "S-1-5-20"
  },
  "message": "Removed URL (https://+:5986/wsman/) from URL group (0xFE00000220000001). Process Id 0x1BCC Executable path \\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe, User S-1-5-20"
}

Event ID 115: Removed all URLs from URL group UrlGroupId.

Provider: Microsoft-Windows-HttpService
Channel: System
Task: HTTPConfigurationPropertyTraceTask
Opcode: RemAllUrls_5_124

Description

Removed all URLs from URL group UrlGroupId. Process Id ProcessId Executable path ExecutablePath, User UserSid.

Message #

Removed all URLs from URL group %1. Process Id %2 Executable path %3, User %4

Fields #

Name	Description
`UrlGroupId` UInt64
`ProcessId` UInt64
`ExecutablePath` UnicodeString
`UserSid` SID

Event ID 116: Attempted to set URL group UrlGroupId property Property.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPConfigurationPropertyTraceTask
Opcode: ChgUrlGrpProp_5_127

Description

Attempted to set URL group UrlGroupId property Property. Status: Status. Process Id ProcessId Executable path ExecutablePath, User UserSid.

Message #

Attempted to set URL group %1 property %2. Status: %3. Process Id %4 Executable path %5, User %6

Fields #

Name	Description
`UrlGroupId` UInt64
`Property` UInt32
`Status` UInt32	NTSTATUS reference
`ProcessId` UInt64
`ExecutablePath` UnicodeString
`UserSid` SID

Event ID 117: Delete URL group UrlGroupId.

Provider: Microsoft-Windows-HttpService
Channel: System
Level: Informational
Task: HTTPConfigurationPropertyTraceTask
Opcode: DeleteUrlGroup

Description

Delete URL group UrlGroupId. Status Status. Process Id ProcessId Executable path ExecutablePath, User UserSid.

Message #

Delete URL group %1. Status %2. Process Id %3 Executable path %4, User %5

Fields #

Name	Description
`UrlGroupId` UInt64
`Status` UInt32	NTSTATUS reference
`ProcessId` UInt64
`ExecutablePath` UnicodeString
`UserSid` SID

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-HttpService",
    "guid": "DD5EF90A-6398-47A4-AD34-4DCECDEF795F",
    "event_source_name": "",
    "event_id": 117,
    "version": 0,
    "level": 4,
    "task": 5,
    "opcode": 126,
    "keywords": 4611686018427387968,
    "time_created": "2023-10-25T22:56:15.387403+00:00",
    "event_record_id": 1478,
    "correlation": {},
    "execution": {
      "process_id": 3840,
      "thread_id": 3904
    },
    "channel": "System",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "UrlGroupId": 18302628886170566657,
    "Status": 0,
    "ProcessId": 3840,
    "ExecutablePath": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe",
    "UserSid": "S-1-5-19"
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 118: Status Status.

Provider: Microsoft-Windows-HttpService
Channel: System
Task: HTTPConfigurationPropertyTraceTask
Opcode: FlushResponseCache

Description

Status Status. Process Id ProcessId Executable path ExecutablePath, User UserSid.

Message #

Status %1. Process Id %2 Executable path %3, User %4

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference
`ProcessId` UInt64
`ExecutablePath` UnicodeString
`UserSid` SID

Event ID 119: SSL Certificate Settings deleted for endpoint : Endpoint.

Provider: Microsoft-Windows-HttpService
Channel: System
Level: Informational
Task: HTTPSSLTraceTask
Opcode: SslCertSettingsDeleted

Description

SSL Certificate Settings deleted for endpoint : Endpoint. Status Status. Process Id ProcessId Executable path ExecutablePath, User UserSid.

Message #

SSL Certificate Settings deleted for endpoint : %1. Status %2. Process Id %3 Executable path %4, User %5

Fields #

Name	Description
`Endpoint` UnicodeString
`Status` UInt32	NTSTATUS reference
`ProcessId` UInt64
`ExecutablePath` UnicodeString
`UserSid` SID

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-HttpService",
    "guid": "DD5EF90A-6398-47A4-AD34-4DCECDEF795F",
    "event_source_name": "",
    "event_id": 119,
    "version": 0,
    "level": 4,
    "task": 7,
    "opcode": 129,
    "keywords": 4611686018427388416,
    "time_created": "2025-12-31T19:35:47.939697+00:00",
    "event_record_id": 419,
    "correlation": {},
    "execution": {
      "process_id": 7104,
      "thread_id": 5100
    },
    "channel": "System",
    "computer": "WIN11-22H2-X64",
    "security": {
      "user_id": "S-1-5-21-3407486967-1585450050-1838039599-1000"
    }
  },
  "event_data": {
    "Endpoint": "NULL",
    "Status": 3221225524,
    "ProcessId": 7104,
    "ExecutablePath": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe",
    "UserSid": "S-1-5-21-3407486967-1585450050-1838039599-1000"
  },
  "message": ""
}

Event ID 120: SSL Certificate Settings created by an admin process for endpoint : Endpoint.

Provider: Microsoft-Windows-HttpService
Channel: System
Level: Informational
Task: HTTPSSLTraceTask
Opcode: SslCertSettingsCreated

Description

SSL Certificate Settings created by an admin process for endpoint : Endpoint. Status Status. Process Id ProcessId Executable path ExecutablePath, User UserSid.

Message #

SSL Certificate Settings created by an admin process for endpoint : %1. Status %2. Process Id %3 Executable path %4, User %5

Fields #

Name	Description
`Endpoint` UnicodeString
`Status` UInt32	NTSTATUS reference
`ProcessId` UInt64
`ExecutablePath` UnicodeString
`UserSid` SID

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-HttpService",
    "guid": "DD5EF90A-6398-47A4-AD34-4DCECDEF795F",
    "event_source_name": "",
    "event_id": 120,
    "version": 0,
    "level": 4,
    "task": 7,
    "opcode": 130,
    "keywords": 4611686018427388416,
    "time_created": "2025-12-31T19:35:47.964183+00:00",
    "event_record_id": 420,
    "correlation": {},
    "execution": {
      "process_id": 7104,
      "thread_id": 5100
    },
    "channel": "System",
    "computer": "WIN11-22H2-X64",
    "security": {
      "user_id": "S-1-5-21-3407486967-1585450050-1838039599-1000"
    }
  },
  "event_data": {
    "Endpoint": "0.0.0.0:5986",
    "Status": 0,
    "ProcessId": 7104,
    "ExecutablePath": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe",
    "UserSid": "S-1-5-21-3407486967-1585450050-1838039599-1000"
  },
  "message": ""
}

Event ID 121: SSL Certificate Settings updated by an admin process for endpoint : Endpoint, Extended Param Type ExtendedParamType.

Provider: Microsoft-Windows-HttpService
Channel: System
Task: HTTPSSLTraceTask
Opcode: SslCertSettingsUpdeted

Description

SSL Certificate Settings updated by an admin process for endpoint : Endpoint, Extended Param Type ExtendedParamType. Status Status. Process Id ProcessId Executable path ExecutablePath, User UserSid.

Message #

SSL Certificate Settings updated by an admin process for endpoint : %1, Extended Param Type %2. Status %3. Process Id %4 Executable path %5, User %6

Fields #

Name	Description
`Endpoint` UnicodeString
`ExtendedParamType` UInt32
`Status` UInt32	NTSTATUS reference
`ProcessId` UInt64
`ExecutablePath` UnicodeString
`UserSid` SID

Event ID 122: Set the IP address to the listen only list IpList.

Provider: Microsoft-Windows-HttpService
Channel: System
Task: HTTPSetupTraceTask
Opcode: SetIpListenList

Description

Set the IP address to the listen only list IpList. Status Status. Process Id ProcessId Executable path ExecutablePath, User UserSid.

Message #

Set the IP address to the listen only list %1. Status %2. Process Id %3 Executable path %4, User %5

Fields #

Name	Description
`IpList` UnicodeString
`Status` UInt32	NTSTATUS reference
`ProcessId` UInt64
`ExecutablePath` UnicodeString
`UserSid` SID

Event ID 123: QUIC certificate load failed with status Status and was ignored due to disabled TLS 1.

Provider: Microsoft-Windows-HttpService
Channel: System
Task: HTTPSSLTraceTask
Opcode: QuicTls13Disabled

Description

QUIC certificate load failed with status Status and was ignored due to disabled TLS 1.3 (status Tls13Status).

Message #

QUIC certificate load failed with status %1 and was ignored due to disabled TLS 1.3 (status %2).

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference
`Tls13Status` UInt32

Event ID 124: Request (request ID RequestId) rejected due to request queue overflow.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPRequestTraceTask
Opcode: RequestQueueOverflow

Description

Request (request ID RequestId) rejected due to request queue overflow.

Message #

Request (request ID %1) rejected due to request queue overflow

Fields #

Name	Description
`RequestId` UInt64
`RequestQueueName` UnicodeString
`LastPendingReceiveRequest` FILETIME
`LastSucceededReceiveRequest` FILETIME
`LastFailedReceiveRequest` FILETIME

Event ID 125: Connection Connection, Connection Id ConnectionId: Stream Created, StreamId StreamId.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPConnectionTraceTask
Opcode: CreatHttp2Stream

Description

Connection Connection, Connection Id ConnectionId: Stream Created, StreamId StreamId.

Message #

Connection %1, Connection Id %2: Stream Created, StreamId %3

Fields #

Name	Description
`Connection` Pointer
`ConnectionId` UInt64
`StreamId` UInt32

Event ID 126: Connection Connection, Connection Id ConnectionId: Stream Aborted, StreamId StreamId, HRESULT error Error, Reset Code ResetCode.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPConnectionTraceTask
Opcode: AbortHttp2Stream

Description

Connection Connection, Connection Id ConnectionId: Stream Aborted, StreamId StreamId, HRESULT error Error, Reset Code ResetCode.

Message #

Connection %1, Connection Id %2: Stream Aborted, StreamId %3, HRESULT error %4, Reset Code %5

Fields #

Name	Description
`Connection` Pointer
`ConnectionId` UInt64
`StreamId` UInt32
`Error` Int32
`ResetCode` UInt32

Event ID 127: Connection Connection, Connection Id ConnectionId: Send StreamId StreamId, Length Length.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPConnectionTraceTask
Opcode: SendHttp2Stream

Description

Connection Connection, Connection Id ConnectionId: Send StreamId StreamId, Length Length.

Message #

Connection %1, Connection Id %2: Send StreamId %3, Length %4

Fields #

Name	Description
`Connection` Pointer
`ConnectionId` UInt64
`StreamId` UInt32
`Length` UInt64

Event ID 128: Connection Connection, Connection Id ConnectionId: Data Indincation, StreamId StreamId, BytesIndicated BytesIndicated, BytesAccepted BytesAccepted, Status Status.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPConnectionTraceTask
Opcode: Http2DataIndicate

Description

Connection Connection, Connection Id ConnectionId: Data Indincation, StreamId StreamId, BytesIndicated BytesIndicated, BytesAccepted BytesAccepted, Status Status.

Message #

Connection %1, Connection Id %2: Data Indincation, StreamId %3, BytesIndicated %4, BytesAccepted %5, Status %6

Fields #

Name	Description
`Connection` Pointer
`ConnectionId` UInt64
`StreamId` UInt32
`BytesIndicated` UInt32
`BytesAccepted` UInt32
`Status` Int32	NTSTATUS reference

Event ID 129: Connection Connection, Connection Id ConnectionId: Header Indincation, StreamId StreamId, Headers indicated Headers, Status Status.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPConnectionTraceTask
Opcode: Http2HeaderIndicate

Description

Connection Connection, Connection Id ConnectionId: Header Indincation, StreamId StreamId, Headers indicated Headers, Status Status.

Message #

Connection %1, Connection Id %2: Header Indincation, StreamId %3, Headers indicated %4, Status %5

Fields #

Name	Description
`Connection` Pointer
`ConnectionId` UInt64
`StreamId` UInt32
`Headers` UInt32
`Status` Int32	NTSTATUS reference

Event ID 130: Connection Connection, Connection Id ConnectionId: Go Away, StreamId StreamId, ErrorCode ErrorCode, FaultCode FaultCode.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPConnectionTraceTask
Opcode: Http2GoAway

Description

Connection Connection, Connection Id ConnectionId: Go Away, StreamId StreamId, ErrorCode ErrorCode, FaultCode FaultCode.

Message #

Connection %1, Connection Id %2: Go Away, StreamId %3, ErrorCode %4, FaultCode %5

Fields #

Name	Description
`Connection` Pointer
`ConnectionId` UInt64
`StreamId` UInt32
`ErrorCode` UInt32
`FaultCode` UInt32

Event ID 131: Http2 fault.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPConnectionTraceTask
Opcode: Http2Fault

Description

Http2 fault. Connection Connection, Connection Id ConnectionId:, StreamId StreamId, Code FaultCode, Status Status.

Message #

Http2 fault. Connection %1, Connection Id %2:, StreamId %3, Code %4, Status %5

Fields #

Name	Description
`Connection` Pointer
`ConnectionId` UInt64
`StreamId` UInt32
`FaultCode` UInt32
`Status` Int32	NTSTATUS reference

Event ID 132: Connection Connection, Connection Id ConnectionId: Create.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPConnectionTraceTask
Opcode: CreatHttp2Connection

Description

Connection Connection, Connection Id ConnectionId: Create.

Message #

Connection %1, Connection Id %2: Create

Fields #

Name	Description
`Connection` Pointer
`ConnectionId` UInt64

Event ID 133: Connection Connection, Connection Id ConnectionId: Detach.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPConnectionTraceTask
Opcode: CreatHttp2Detach

Description

Connection Connection, Connection Id ConnectionId: Detach.

Message #

Connection %1, Connection Id %2: Detach

Fields #

Name	Description
`Connection` Pointer
`ConnectionId` UInt64

Event ID 134: task_0

Provider: Microsoft-Windows-HttpService
Channel: Operational
Also via: realtime ETW trace
Level: Informational
Opcode: win:Info

Fields #

Name	Description
`RequestId` UInt64
`ReceiveStart` UInt64
`ReceiveHeadersEnd` UInt64
`ResponseStart` UInt64
`ResponseEnd` UInt64
`BufferedSend` Boolean

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-HttpService",
    "guid": "{DD5EF90A-6398-47A4-AD34-4DCECDEF795F}",
    "event_source_name": "",
    "event_id": 134,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": "0x0000000000010000",
    "time_created": "2026-06-02T05:52:20.875+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 2284
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "BufferedSend": false,
    "ReceiveHeadersEnd": 1227505232003,
    "ReceiveStart": 1214802420460,
    "RequestId": 18302628891002406700,
    "ResponseEnd": 1227505280233,
    "ResponseStart": 1227505257772
  },
  "message": ""
}

Event ID 135: task_0135

Provider: Microsoft-Windows-HttpService
Channel: Operational
Also via: realtime ETW trace
Level: Informational
Opcode: win:Info

Fields #

Name	Description
`PerfCounterPeriod` UInt64

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-HttpService",
    "guid": "{DD5EF90A-6398-47A4-AD34-4DCECDEF795F}",
    "event_source_name": "",
    "event_id": 135,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": "0x0000000000010000",
    "time_created": "2026-06-02T05:52:19.190+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 15468,
      "thread_id": 14180
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "PerfCounterPeriod": 10000000
  },
  "message": ""
}

Event ID 136: task_0136

Provider: Microsoft-Windows-HttpService
Channel: Operational
Also via: realtime ETW trace
Level: Informational
Opcode: win:Info

Fields #

Name	Description
`RequestId` UInt64
`StatsType` UInt32
`StatsLength` UInt32
`StatsData` Binary

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-HttpService",
    "guid": "{DD5EF90A-6398-47A4-AD34-4DCECDEF795F}",
    "event_source_name": "",
    "event_id": 136,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": "0x0000000000010000",
    "time_created": "2026-06-02T05:52:20.875+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 2284
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "RequestId": 18302628891002406700,
    "StatsData": "04000000B405000018621300000000000000000021090000A601000000000000801C0400801C0400FFFF0000FFFF000020FC130000000000EAEC3000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000001962130022FC13000000000000000000000000000000000000000000",
    "StatsLength": 152,
    "StatsType": 0
  },
  "message": ""
}

Event ID 137: Query for SSL connection cipher info failed

Provider: Microsoft-Windows-HttpService
Channel: Operational
Task: HTTPSSLTraceTask
Opcode: SslQueryCipherInfoFailed

Description

Query for SSL connection cipher info failed. Security status: . Connection will be reset.

Fields #

Name	Description
`ConnectionObj` Pointer
`SecStatus` UInt32
`Detail` AnsiString

Event ID 137: Query for SSL connection cipher info failed.

Provider: Microsoft-Windows-HttpService
Channel: Trace
Task: HTTPSSLTraceTask
Opcode: SslQueryCipherInfoFailed

Description

Query for SSL connection cipher info failed. Security status: SecStatus. Connection will be reset.

Message #

Query for SSL connection cipher info failed. Security status: %2. Connection will be reset.

Fields #

Name	Description
`ConnectionObj` Pointer
`SecStatus` UInt32
`Detail` AnsiString

Provenance

Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.

ETW provider GUID {DD5EF90A-6398-47A4-AD34-4DCECDEF795F}

Defined in HTTP.SYS, the binary that emits these events.

Observed on:

WS2022-20348.4893, sample captured from a live trace, binary version 10.0.20348.3451, captured 2026-06-02
Win11-26200.6584, sample captured from a live trace, binary version 10.0.26100.4202, captured 2026-06-02
WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.3451, captured 2026-06-02
Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.4202, captured 2026-06-02

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)