Microsoft-Windows-IIS-Configuration

104 events across 5 channels

Event	Title	Channel	Sample
3	A cache node for 'ConfigPath' has been added to cache.	Debug	N
3	A cache node for 'ConfigPath' has been added to cache	Operational	N
7	Configuration cache is handling change notification for 'ConfigPath'.	Analytic	N
7	Configuration cache is handling change notification for 'ConfigPath'	Operational	N
8	Configuration cache is polling for changes at 'ConfigPath'.	Analytic	N
8	Configuration cache is polling for changes at 'ConfigPath'	Operational	N
9	Configuration cache is discarding all config files whose configuration path is …	Debug	N
9	Configuration cache is discarding all config files whose configuration path is …	Operational	N
10	An error has occurred: Message.	Administrative	Y
10	An error has occurred:	Operational	N
12	Unable to find schema for config section 'SectionPath'.	Administrative	Y
12	Unable to find schema for config section 'SectionPath'	Operational	Y
13	Parsing config file 'PhysicalPath'.	Analytic	N
13	Parsing config file 'PhysicalPath'	Operational	N
14	MACHINE/WEBROOT/APPHOST configuration redirection has been enabled.	Analytic	N
14	MACHINE/WEBROOT/APPHOST configuration redirection has been enabled	Operational	N
15	Attempting to open file or directory 'lpFileName'.	Debug	N
15	Attempting to open file or directory 'lpFileName'	Operational	N
16	An impersonation token with handle 'TokenHandle' for the credentials of …	Debug	N
16	An impersonation token with handle 'TokenHandle' for the credentials of …	Operational	N
17	File change notification monitor that watches for changes in 'Directory' has …	Debug	N
17	File change notification monitor that watches for changes in 'Directory' has …	Operational	N
18	File change notification monitor that watches for changes in 'Directory' has …	Debug	N
18	File change notification monitor that watches for changes in 'Directory' has …	Operational	N
19	File change notification monitor that watches for changes in 'Directory' …	Debug	N
19	File change notification monitor that watches for changes in 'Directory' …	Operational	N
20	File change notification monitor that watches for changes in 'Directory' is …	Analytic	N
20	File change notification monitor that watches for changes in 'Directory' is …	Operational	N
21	File change notification monitor that watches for changes in 'Directory' has …	Debug	N
21	File change notification monitor that watches for changes in 'Directory' has …	Operational	N
23	A change listener of type 'TargetType' is being informed about a configuration …	Debug	N
23	A change listener of type 'TargetType' is being informed about a configuration …	Operational	N
24	During schema file enumeration, the file 'PhysicalPath' was detected in the …	Analytic	N
24	During schema file enumeration, the file 'PhysicalPath' was detected in the …	Operational	N
25	The virtual path 'ConfigPath' has been mapped to the physical path …	Analytic	N
25	The virtual path 'ConfigPath' has been mapped to the physical path …	Operational	N
27	The 'MetadataName' metadata of a configuration system object was set to 'Value'.	Analytic	N
27	The 'MetadataName' metadata of a configuration system object was set to 'Value'	Operational	N
28	Thread is impersonating an access token belonging to handle …	Debug	N
28	Thread is impersonating an access token belonging to handle …	Operational	N
29	Changes to 'Configuration' at 'ConfigPath' have successfully been committed.	Operational	Y
29	Changes to 'Configuration' at 'ConfigPath' have successfully been committed	Operational	Y
30	Failed to commit changes to 'Configuration' at 'ConfigPath'.	Administrative	N
30	Failed to commit changes to 'Configuration' at 'ConfigPath'	Operational	N
33	Unable to locate IIS_Schema.	Administrative	N
33	Unable to locate IIS_Schema	Operational	N
36	Handle 'hSourceHandle' duplicated to 'hTargetHandle'.	Debug	N
36	Handle 'hSourceHandle' duplicated to 'hTargetHandle'	Operational	N
37	Unable to locate a site with SiteName 'SiteName'.	Analytic	N
37	Unable to locate a site with SiteName 'SiteName'	Operational	N
38	Unable to locate a site with SiteId 'Id'.	Analytic	N
38	Unable to locate a site with SiteId 'Id'	Operational	N
39	The SiteId 'Id' has been assigned to more than one site.	Administrative	N
39	The SiteId 'Id' has been assigned to more than one site	Operational	N
40	The SiteName 'SiteName' has been assigned to more than one site.	Administrative	N
40	The SiteName 'SiteName' has been assigned to more than one site	Operational	N
41	Failed to instantiate 'ProgId' when attempting to populate dynamic configuration …	Administrative	N
41	Failed to instantiate 'ProgId' when attempting to populate dynamic configuration …	Operational	N
42	Failed to initialize the 'ProviderName' encryption provider in 'PhysicalPath'.	Administrative	N
42	Failed to initialize the 'ProviderName' encryption provider in 'PhysicalPath'	Operational	N
43	Failed to encrypt attribute 'ProviderType'.	Administrative	N
43	Failed to encrypt attribute 'ProviderType'	Operational	N
44	Failed to decrypt attribute 'ProviderType'.	Administrative	N
44	Failed to decrypt attribute 'ProviderType'	Operational	N
45	Unable to map 'ConfigPath' to the subpath of any known virtual directory.	Analytic	N
45	Unable to map 'ConfigPath' to the subpath of any known virtual directory	Operational	N
46	Virtual directory mapping from 'RelativeVirtualPath' to 'PhysicalPath' created.	Analytic	N
46	Virtual directory mapping from 'RelativeVirtualPath' to 'PhysicalPath' created	Operational	N
47	The location of the configuration file whose config path is 'ConfigPath' was …	Analytic	N
47	The location of the configuration file whose config path is 'ConfigPath' was …	Operational	N
49	Config/child source file for configuration 'ConfigSourceFilePath' specified in …	Analytic	N
49	Config/child source file for configuration 'ConfigSourceFilePath' specified in …	Operational	N
50	Changes have successfully been committed to 'ConfigPath'.	Operational	Y
50	Changes have successfully been committed to 'ConfigPath'	Operational	Y
51	Failed to commit changes to 'PhysicalPath' because file on the disk has been …	Administrative	N
51	Failed to commit changes to 'PhysicalPath' because file on the disk has been …	Operational	N
52	Checking whether file 'PhysicalPath' has changed on the disk returned …	Analytic	N
52	Checking whether file 'PhysicalPath' has changed on the disk returned …	Operational	N
53	Unable to create a path mapping for the virtual directory, /system.	Administrative	N
53	Unable to create a path mapping for the virtual directory, /system	Operational	N
54	A commit operation has been initiated.	Analytic	N
54	A commit operation has been initiated	Operational	N
55	A commit operation has completed.	Analytic	N
55	A commit operation has completed	Operational	N
56	A kernel transaction for a commit operation has been created.	Debug	N
56	A kernel transaction for a commit operation has been created	Operational	N
57	Failed to create a kernel transaction for the commit operation.	Analytic	N
57	Failed to create a kernel transaction for the commit operation	Operational	N
58	Changes have successfully been committed with a kernel transaction.	Debug	N
58	Changes have successfully been committed with a kernel transaction	Operational	N
59	Failed to commit the changes with a kernel transaction.	Analytic	N
59	Failed to commit the changes with a kernel transaction	Operational	N
60	A file write operation in a commit operation has been initiated.	Debug	N
60	A file write operation in a commit operation has been initiated	Operational	N
61	The contents of the file 'PhysicalPath' could not be erased.	Debug	N
61	The contents of the file 'PhysicalPath' could not be erased	Operational	N
62	The contents of the file 'PhysicalPath' have successfully been erased.	Debug	N
62	The contents of the file 'PhysicalPath' have successfully been erased	Operational	N
63	The new contents of the file 'PhysicalPath' could not be written to.	Debug	N
63	The new contents of the file 'PhysicalPath' could not be written to	Operational	N
64	A file write operation in a commit operation has completed.	Debug	N
64	A file write operation in a commit operation has completed	Operational	N
65	A change listener of type 'TargetType' has been informed about a configuration …	Debug	N
65	A change listener of type 'TargetType' has been informed about a configuration …	Operational	N

Event ID 3: A cache node for 'ConfigPath' has been added to cache.

Provider: Microsoft-Windows-IIS-Configuration
Channel: Debug

Description

A cache node for 'ConfigPath' has been added to cache.

Message #

A cache node for '%3' has been added to cache.

Fields #

Name	Description
`Address` Pointer
`ConfigCacheAddress` Pointer
`ConfigPath` UnicodeString
`FileChangeNotificationMonitorAddress` Pointer
`ConfigFileAddress` Pointer
`PhysicalPath` UnicodeString

Event ID 3: A cache node for 'ConfigPath' has been added to cache

Provider: Microsoft-Windows-IIS-Configuration
Channel: Operational

Description

A cache node for 'ConfigPath' has been added to cache.

Fields #

Name	Description
`Address` Pointer
`ConfigCacheAddress` Pointer
`ConfigPath` UnicodeString
`FileChangeNotificationMonitorAddress` Pointer
`ConfigFileAddress` Pointer
`PhysicalPath` UnicodeString

Event ID 7: Configuration cache is handling change notification for 'ConfigPath'.

Provider: Microsoft-Windows-IIS-Configuration
Channel: Analytic

Description

Configuration cache is handling change notification for 'ConfigPath'.

Message #

Configuration cache is handling change notification for '%1'.

Fields #

Name	Description
`ConfigPath` UnicodeString

Event ID 7: Configuration cache is handling change notification for 'ConfigPath'

Provider: Microsoft-Windows-IIS-Configuration
Channel: Operational

Description

Configuration cache is handling change notification for 'ConfigPath'.

Fields #

Name	Description
`ConfigPath` UnicodeString

Event ID 8: Configuration cache is polling for changes at 'ConfigPath'.

Provider: Microsoft-Windows-IIS-Configuration
Channel: Analytic

Description

Configuration cache is polling for changes at 'ConfigPath'.

Message #

Configuration cache is polling for changes at '%1'.

Fields #

Name	Description
`ConfigPath` UnicodeString

Event ID 8: Configuration cache is polling for changes at 'ConfigPath'

Provider: Microsoft-Windows-IIS-Configuration
Channel: Operational

Description

Configuration cache is polling for changes at 'ConfigPath'.

Fields #

Name	Description
`ConfigPath` UnicodeString

Event ID 9: Configuration cache is discarding all config files whose configuration path is equal to or a subpath of 'ConfigPath'.

Provider: Microsoft-Windows-IIS-Configuration
Channel: Debug

Description

Configuration cache is discarding all config files whose configuration path is equal to or a subpath of 'ConfigPath'.

Message #

Configuration cache is discarding all config files whose configuration path is equal to or a subpath of '%1'.

Fields #

Name	Description
`ConfigPath` UnicodeString

Event ID 9: Configuration cache is discarding all config files whose configuration path is equal to or a subpath of 'ConfigPath'

Provider: Microsoft-Windows-IIS-Configuration
Channel: Operational

Description

Configuration cache is discarding all config files whose configuration path is equal to or a subpath of 'ConfigPath'.

Fields #

Name	Description
`ConfigPath` UnicodeString

Event ID 10: An error has occurred: Message.

Provider: Microsoft-Windows-IIS-Configuration
Channel: Administrative
Level: Error

Description

An error has occurred: Message.

Message #

An error has occurred: %4

Fields #

Name	Description
`HRESULT` HexInt32
`PhysicalPath` UnicodeString
`Type` UInt32
`Message` UnicodeString
`LineNumber` UInt32
`PreviousLine` UnicodeString
`ErrorLine` UnicodeString
`NextLine` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-IIS-Configuration",
    "guid": "DC0B8E51-4863-407A-BC3C-1B479B2978AC",
    "event_source_name": "",
    "event_id": 10,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T20:16:52.684481+00:00",
    "event_record_id": 1197,
    "correlation": {},
    "execution": {
      "process_id": 8424,
      "thread_id": 2136
    },
    "channel": "Microsoft-IIS-Configuration/Administrative",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "HRESULT": "0x800700b7",
    "PhysicalPath": "",
    "Type": 3,
    "Message": "Cannot add duplicate collection entry of type 'add' with unique key attribute 'name' set to 'SecurityCertificate'\r\n",
    "LineNumber": 0,
    "PreviousLine": "",
    "ErrorLine": "",
    "NextLine": ""
  },
  "message": ""
}

Event ID 10: An error has occurred:

Provider: Microsoft-Windows-IIS-Configuration
Channel: Operational

Description

An error has occurred.

Fields #

Name	Description
`HRESULT` HexInt32
`PhysicalPath` UnicodeString
`Type` UInt32
`Message` UnicodeString
`LineNumber` UInt32
`PreviousLine` UnicodeString
`ErrorLine` UnicodeString
`NextLine` UnicodeString

Event ID 12: Unable to find schema for config section 'SectionPath'.

Provider: Microsoft-Windows-IIS-Configuration
Channel: Administrative
Level: Warning

Description

Unable to find schema for config section 'SectionPath'. This section will be ignored.

Message #

Unable to find schema for config section '%4'. This section will be ignored.

Fields #

Name	Description
`PhysicalPath` UnicodeString
`FileConfigPath` UnicodeString
`EffectiveLocationPath` UnicodeString
`SectionPath` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-IIS-Configuration",
    "guid": "DC0B8E51-4863-407A-BC3C-1B479B2978AC",
    "event_source_name": "",
    "event_id": 12,
    "version": 0,
    "level": 3,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T20:00:13.509827+00:00",
    "event_record_id": 1,
    "correlation": {},
    "execution": {
      "process_id": 8484,
      "thread_id": 8704
    },
    "channel": "Microsoft-IIS-Configuration/Administrative",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "PhysicalPath": "\\\\?\\C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\CONFIG\\machine.config",
    "FileConfigPath": "MACHINE",
    "EffectiveLocationPath": "",
    "SectionPath": "system.serviceModel/extensions"
  },
  "message": ""
}

Event ID 12: Unable to find schema for config section 'SectionPath'

Provider: Microsoft-Windows-IIS-Configuration
Channel: Operational

Description

Unable to find schema for config section 'SectionPath'. This section will be ignored.

Fields #

Name	Description
`PhysicalPath` UnicodeString
`FileConfigPath` UnicodeString
`EffectiveLocationPath` UnicodeString
`SectionPath` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-IIS-Configuration",
    "event_id": 12,
    "level": "Warning",
    "task": null,
    "opcode": "Info",
    "time_created": "2026-05-25T00:18:28.9958981+00:00",
    "computer": "JD-DC01-2022.ludus.domain",
    "channel": "Microsoft-IIS-Configuration/Administrative"
  },
  "event_data": {
    "EffectiveLocationPath": null,
    "SectionPath": "system.xaml.hosting/httpHandlers",
    "PhysicalPath": "\\\\?\\C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\CONFIG\\web.config",
    "FileConfigPath": "MACHINE/WEBROOT"
  }
}

Event ID 13: Parsing config file 'PhysicalPath'.

Provider: Microsoft-Windows-IIS-Configuration
Channel: Analytic

Description

Parsing config file 'PhysicalPath'.

Message #

Parsing config file '%2'.

Fields #

Name	Description
`ConfigFileObjectAddress` Pointer
`PhysicalPath` UnicodeString
`ConfigPath` UnicodeString
`CryptoImpersonationToken` Pointer
`FileImpersonationToken` Pointer
`LastModifiedTime` FILETIME
`FileSize` UInt64

Event ID 13: Parsing config file 'PhysicalPath'

Provider: Microsoft-Windows-IIS-Configuration
Channel: Operational

Description

Parsing config file 'PhysicalPath'.

Fields #

Name	Description
`ConfigFileObjectAddress` Pointer
`PhysicalPath` UnicodeString
`ConfigPath` UnicodeString
`CryptoImpersonationToken` Pointer
`FileImpersonationToken` Pointer
`LastModifiedTime` FILETIME
`FileSize` UInt64

Event ID 14: MACHINE/WEBROOT/APPHOST configuration redirection has been enabled.

Provider: Microsoft-Windows-IIS-Configuration
Channel: Analytic

Description

MACHINE/WEBROOT/APPHOST configuration redirection has been enabled. The redirected physical path is 'RedirectionPath'.

Message #

MACHINE/WEBROOT/APPHOST configuration redirection has been enabled. The redirected physical path is '%1'.

Fields #

Name	Description
`RedirectionPath` UnicodeString
`Username` UnicodeString
`Password` UnicodeString

Event ID 14: MACHINE/WEBROOT/APPHOST configuration redirection has been enabled

Provider: Microsoft-Windows-IIS-Configuration
Channel: Operational

Description

MACHINE/WEBROOT/APPHOST configuration redirection has been enabled. The redirected physical path is 'RedirectionPath'.

Fields #

Name	Description
`RedirectionPath` UnicodeString
`Username` UnicodeString
`Password` UnicodeString

Event ID 15: Attempting to open file or directory 'lpFileName'.

Provider: Microsoft-Windows-IIS-Configuration
Channel: Debug

Description

Attempting to open file or directory 'lpFileName'.

Message #

Attempting to open file or directory '%2'.

Fields #

Name	Description
`CallSite` UnicodeString
`lpFileName` UnicodeString
`dwDesiredAccess` HexInt32
`dwShareMode` HexInt32
`dwCreationDisposition` HexInt32
`dwFlagsAndAttributes` HexInt32
`IsTransacted` Boolean
`Handle` Pointer
`GetLastError` HexInt32

Event ID 15: Attempting to open file or directory 'lpFileName'

Provider: Microsoft-Windows-IIS-Configuration
Channel: Operational

Description

Attempting to open file or directory 'lpFileName'.

Fields #

Name	Description
`CallSite` UnicodeString
`lpFileName` UnicodeString
`dwDesiredAccess` HexInt32
`dwShareMode` HexInt32
`dwCreationDisposition` HexInt32
`dwFlagsAndAttributes` HexInt32
`IsTransacted` Boolean
`Handle` Pointer
`GetLastError` HexInt32

Event ID 16: An impersonation token with handle 'TokenHandle' for the credentials of 'Domain\User' has been created.

Provider: Microsoft-Windows-IIS-Configuration
Channel: Debug

Description

An impersonation token with handle 'TokenHandle' for the credentials of 'Domain\User' has been created.

Message #

An impersonation token with handle '%4' for the credentials of '%1\%2' has been created.

Fields #

Name	Description
`Domain` UnicodeString
`User` UnicodeString
`Password` UnicodeString
`TokenHandle` Pointer

Event ID 16: An impersonation token with handle 'TokenHandle' for the credentials of 'Domain\User' has been created

Provider: Microsoft-Windows-IIS-Configuration
Channel: Operational

Description

An impersonation token with handle 'TokenHandle' for the credentials of 'Domain\User' has been created.

Fields #

Name	Description
`Domain` UnicodeString
`User` UnicodeString
`Password` UnicodeString
`TokenHandle` Pointer

Event ID 17: File change notification monitor that watches for changes in 'Directory' has been created.

Provider: Microsoft-Windows-IIS-Configuration
Channel: Debug

Description

File change notification monitor that watches for changes in 'Directory' has been created.

Message #

File change notification monitor that watches for changes in '%3' has been created.

Fields #

Name	Description
`Address` Pointer
`ConfigPath` UnicodeString
`Directory` UnicodeString
`File` UnicodeString
`WatchSubPaths` Boolean
`IsPollingMonitor` Boolean
`IsSchemaFileMonitor` Boolean

Event ID 17: File change notification monitor that watches for changes in 'Directory' has been created

Provider: Microsoft-Windows-IIS-Configuration
Channel: Operational

Description

File change notification monitor that watches for changes in 'Directory' has been created.

Fields #

Name	Description
`Address` Pointer
`ConfigPath` UnicodeString
`Directory` UnicodeString
`File` UnicodeString
`WatchSubPaths` Boolean
`IsPollingMonitor` Boolean
`IsSchemaFileMonitor` Boolean

Event ID 18: File change notification monitor that watches for changes in 'Directory' has blocked waiting for file changes.

Provider: Microsoft-Windows-IIS-Configuration
Channel: Debug

Description

File change notification monitor that watches for changes in 'Directory' has blocked waiting for file changes.

Message #

File change notification monitor that watches for changes in '%3' has blocked waiting for file changes.

Fields #

Name	Description
`Address` Pointer
`ConfigPath` UnicodeString
`Directory` UnicodeString
`File` UnicodeString
`WatchSubPaths` Boolean
`IsPollingMonitor` Boolean
`IsSchemaFileMonitor` Boolean

Event ID 18: File change notification monitor that watches for changes in 'Directory' has blocked waiting for file changes

Provider: Microsoft-Windows-IIS-Configuration
Channel: Operational

Description

File change notification monitor that watches for changes in 'Directory' has blocked waiting for file changes.

Fields #

Name	Description
`Address` Pointer
`ConfigPath` UnicodeString
`Directory` UnicodeString
`File` UnicodeString
`WatchSubPaths` Boolean
`IsPollingMonitor` Boolean
`IsSchemaFileMonitor` Boolean

Event ID 19: File change notification monitor that watches for changes in 'Directory' received a change notification.

Provider: Microsoft-Windows-IIS-Configuration
Channel: Debug

Description

File change notification monitor that watches for changes in 'Directory' received a change notification.

Message #

File change notification monitor that watches for changes in '%3' received a change notification.

Fields #

Name	Description
`Address` Pointer
`ConfigPath` UnicodeString
`Directory` UnicodeString
`File` UnicodeString
`WatchSubPaths` Boolean
`IsPollingMonitor` Boolean
`IsSchemaFileMonitor` Boolean

Event ID 19: File change notification monitor that watches for changes in 'Directory' received a change notification

Provider: Microsoft-Windows-IIS-Configuration
Channel: Operational

Description

File change notification monitor that watches for changes in 'Directory' received a change notification.

Fields #

Name	Description
`Address` Pointer
`ConfigPath` UnicodeString
`Directory` UnicodeString
`File` UnicodeString
`WatchSubPaths` Boolean
`IsPollingMonitor` Boolean
`IsSchemaFileMonitor` Boolean

Event ID 20: File change notification monitor that watches for changes in 'Directory' is processing notified changes.

Provider: Microsoft-Windows-IIS-Configuration
Channel: Analytic

Description

File change notification monitor that watches for changes in 'Directory' is processing notified changes.

Message #

File change notification monitor that watches for changes in '%3' is processing notified changes.

Fields #

Name	Description
`Address` Pointer
`ConfigPath` UnicodeString
`Directory` UnicodeString
`File` UnicodeString
`WatchSubPaths` Boolean
`IsPollingMonitor` Boolean
`IsSchemaFileMonitor` Boolean

Event ID 20: File change notification monitor that watches for changes in 'Directory' is processing notified changes

Provider: Microsoft-Windows-IIS-Configuration
Channel: Operational

Description

File change notification monitor that watches for changes in 'Directory' is processing notified changes.

Fields #

Name	Description
`Address` Pointer
`ConfigPath` UnicodeString
`Directory` UnicodeString
`File` UnicodeString
`WatchSubPaths` Boolean
`IsPollingMonitor` Boolean
`IsSchemaFileMonitor` Boolean

Event ID 21: File change notification monitor that watches for changes in 'Directory' has been destroyed.

Provider: Microsoft-Windows-IIS-Configuration
Channel: Debug

Description

File change notification monitor that watches for changes in 'Directory' has been destroyed.

Message #

File change notification monitor that watches for changes in '%3' has been destroyed.

Fields #

Name	Description
`Address` Pointer
`ConfigPath` UnicodeString
`Directory` UnicodeString
`File` UnicodeString
`WatchSubPaths` Boolean
`IsPollingMonitor` Boolean
`IsSchemaFileMonitor` Boolean

Event ID 21: File change notification monitor that watches for changes in 'Directory' has been destroyed

Provider: Microsoft-Windows-IIS-Configuration
Channel: Operational

Description

File change notification monitor that watches for changes in 'Directory' has been destroyed.

Fields #

Name	Description
`Address` Pointer
`ConfigPath` UnicodeString
`Directory` UnicodeString
`File` UnicodeString
`WatchSubPaths` Boolean
`IsPollingMonitor` Boolean
`IsSchemaFileMonitor` Boolean

Event ID 23: A change listener of type 'TargetType' is being informed about a configuration change at 'ConfigPath'.

Provider: Microsoft-Windows-IIS-Configuration
Channel: Debug

Description

A change listener of type 'TargetType' is being informed about a configuration change at 'ConfigPath'.

Message #

A change listener of type '%2' is being informed about a configuration change at '%3'.

Fields #

Name	Description
`TargetAddress` Pointer
`TargetType` UInt32
`ConfigPath` UnicodeString
`IsGranular` Boolean
`IsApplicationSpecific` Boolean
`IsLocationTag` Boolean

Event ID 23: A change listener of type 'TargetType' is being informed about a configuration change at 'ConfigPath'

Provider: Microsoft-Windows-IIS-Configuration
Channel: Operational

Description

A change listener of type 'TargetType' is being informed about a configuration change at 'ConfigPath'.

Fields #

Name	Description
`TargetAddress` Pointer
`TargetType` UInt32
`ConfigPath` UnicodeString
`IsGranular` Boolean
`IsApplicationSpecific` Boolean
`IsLocationTag` Boolean

Event ID 24: During schema file enumeration, the file 'PhysicalPath' was detected in the schema directory.

Provider: Microsoft-Windows-IIS-Configuration
Channel: Analytic

Description

During schema file enumeration, the file 'PhysicalPath' was detected in the schema directory.

Message #

During schema file enumeration, the file '%1' was detected in the schema directory.

Fields #

Name	Description
`PhysicalPath` UnicodeString
`LastModifiedTime` FILETIME
`FileSize` UInt64

Event ID 24: During schema file enumeration, the file 'PhysicalPath' was detected in the schema directory

Provider: Microsoft-Windows-IIS-Configuration
Channel: Operational

Description

During schema file enumeration, the file 'PhysicalPath' was detected in the schema directory.

Fields #

Name	Description
`PhysicalPath` UnicodeString
`LastModifiedTime` FILETIME
`FileSize` UInt64

Event ID 25: The virtual path 'ConfigPath' has been mapped to the physical path 'PhysicalPath'.

Provider: Microsoft-Windows-IIS-Configuration
Channel: Analytic

Description

The virtual path 'ConfigPath' has been mapped to the physical path 'PhysicalPath'.

Message #

The virtual path '%1' has been mapped to the physical path '%2'.

Fields #

Name	Description
`ConfigPath` UnicodeString
`PhysicalPath` UnicodeString

Event ID 25: The virtual path 'ConfigPath' has been mapped to the physical path 'PhysicalPath'

Provider: Microsoft-Windows-IIS-Configuration
Channel: Operational

Description

The virtual path 'ConfigPath' has been mapped to the physical path 'PhysicalPath'.

Fields #

Name	Description
`ConfigPath` UnicodeString
`PhysicalPath` UnicodeString

Event ID 27: The 'MetadataName' metadata of a configuration system object was set to 'Value'.

Provider: Microsoft-Windows-IIS-Configuration
Channel: Analytic

Description

The 'MetadataName' metadata of a configuration system object was set to 'Value'.

Message #

The '%6' metadata of a configuration system object was set to '%7'.

Fields #

Name	Description
`FileConfigPath` UnicodeString
`EffectiveLocationPath` UnicodeString
`CallSite` UnicodeString
`Address` Pointer
`TargetName` UnicodeString
`MetadataName` UnicodeString
`Value` UnicodeString

Event ID 27: The 'MetadataName' metadata of a configuration system object was set to 'Value'

Provider: Microsoft-Windows-IIS-Configuration
Channel: Operational

Description

The 'MetadataName' metadata of a configuration system object was set to 'Value'.

Fields #

Name	Description
`FileConfigPath` UnicodeString
`EffectiveLocationPath` UnicodeString
`CallSite` UnicodeString
`Address` Pointer
`TargetName` UnicodeString
`MetadataName` UnicodeString
`Value` UnicodeString

Event ID 28: Thread is impersonating an access token belonging to handle 'ImpersonationTokenHandle'.

Provider: Microsoft-Windows-IIS-Configuration
Channel: Debug

Description

Thread is impersonating an access token belonging to handle 'ImpersonationTokenHandle'.

Message #

Thread is impersonating an access token belonging to handle '%2'.

Fields #

Name	Description
`OriginalImpersonationTokenHandle` Pointer
`ImpersonationTokenHandle` Pointer

Event ID 28: Thread is impersonating an access token belonging to handle 'ImpersonationTokenHandle'

Provider: Microsoft-Windows-IIS-Configuration
Channel: Operational

Description

Thread is impersonating an access token belonging to handle 'ImpersonationTokenHandle'.

Fields #

Name	Description
`OriginalImpersonationTokenHandle` Pointer
`ImpersonationTokenHandle` Pointer

Event ID 29: Changes to 'Configuration' at 'ConfigPath' have successfully been committed.

Provider: Microsoft-Windows-IIS-Configuration
Channel: Operational
Level: Verbose

Description

Changes to 'Configuration' at 'ConfigPath' have successfully been committed.

Message #

Changes to '%4' at '%2' have successfully been committed.

Fields #

Name	Description	Rules
`PhysicalPath` UnicodeString
`ConfigPath` UnicodeString
`EffectiveLocationPath` UnicodeString
`Configuration` UnicodeString		4 detection rules
`EditOperationType` UInt32
`OldValue` UnicodeString		1 detection rule
`NewValue` UnicodeString		15 detection rules

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-IIS-Configuration",
    "guid": "DC0B8E51-4863-407A-BC3C-1B479B2978AC",
    "event_source_name": "",
    "event_id": 29,
    "version": 0,
    "level": 5,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018427387904,
    "time_created": "2026-03-13T20:06:38.758372+00:00",
    "event_record_id": 2219,
    "correlation": {},
    "execution": {
      "process_id": 2732,
      "thread_id": 1444
    },
    "channel": "Microsoft-IIS-Configuration/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "PhysicalPath": "\\\\?\\C:\\Windows\\system32\\inetsrv\\config\\applicationHost.config",
    "ConfigPath": "MACHINE/WEBROOT/APPHOST",
    "EffectiveLocationPath": "",
    "Configuration": "/system.webServer/handlers/add[@name=\"HttpRemotingHandlerFactory-rem-Integrated-4.0\"]/@type",
    "EditOperationType": 1,
    "OldValue": "",
    "NewValue": "System.Runtime.Remoting.Channels.Http.HttpRemotingHandlerFactory, System.Runtime.Remoting, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
  },
  "message": ""
}

Detection Rules #

View all rules referencing this event →

Sigma # view in coverage

ETW Logging/Processing Option Disabled On IIS Server source medium: Detects changes to of the IIS server configuration in order to disable/remove the ETW logging/processing option.
HTTP Logging Disabled On IIS Server source high: Detects changes to of the IIS server configuration in order to disable HTTP logging for successful requests.
New Module Module Added To IIS Server source medium: Detects the addition of a new module to an IIS server.

Show 1 more (4 total)

Previously Installed IIS Module Was Removed source low: Detects the removal of a previously installed IIS module.

Event ID 29: Changes to 'Configuration' at 'ConfigPath' have successfully been committed

Provider: Microsoft-Windows-IIS-Configuration
Channel: Operational

Description

Changes to 'Configuration' at 'ConfigPath' have successfully been committed.

Fields #

Name	Description	Rules
`PhysicalPath` UnicodeString
`ConfigPath` UnicodeString
`EffectiveLocationPath` UnicodeString
`Configuration` UnicodeString		4 detection rules
`EditOperationType` UInt32
`OldValue` UnicodeString		1 detection rule
`NewValue` UnicodeString		15 detection rules

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-IIS-Configuration",
    "event_id": 29,
    "level": "Verbose",
    "task": null,
    "opcode": "Info",
    "time_created": "2026-03-17T19:25:10.4723631+00:00",
    "computer": "JD-DC01-2022.ludus.domain",
    "channel": "Microsoft-IIS-Configuration/Operational"
  },
  "event_data": {
    "PhysicalPath": "\\\\?\\C:\\Windows\\system32\\inetsrv\\config\\applicationHost.config",
    "EditOperationType": "1",
    "EffectiveLocationPath": null,
    "Configuration": "/system.webServer/staticContent/mimeMap[@fileExtension=\".wim\"]/@mimeType",
    "ConfigPath": "MACHINE/WEBROOT/APPHOST",
    "OldValue": null,
    "NewValue": "application/x-ms-wim"
  }
}

Detection Rules #

View all rules referencing this event →

Sigma # view in coverage

ETW Logging/Processing Option Disabled On IIS Server source medium: Detects changes to of the IIS server configuration in order to disable/remove the ETW logging/processing option.
HTTP Logging Disabled On IIS Server source high: Detects changes to of the IIS server configuration in order to disable HTTP logging for successful requests.
New Module Module Added To IIS Server source medium: Detects the addition of a new module to an IIS server.

Show 1 more (4 total)

Previously Installed IIS Module Was Removed source low: Detects the removal of a previously installed IIS module.

Event ID 30: Failed to commit changes to 'Configuration' at 'ConfigPath'.

Provider: Microsoft-Windows-IIS-Configuration
Channel: Administrative

Description

Failed to commit changes to 'Configuration' at 'ConfigPath'.

Message #

Failed to commit changes to '%4' at '%2'.

Fields #

Name	Description
`PhysicalPath` UnicodeString
`ConfigPath` UnicodeString
`EffectiveLocationPath` UnicodeString
`Configuration` UnicodeString
`EditOperationType` UInt32
`OldValue` UnicodeString
`NewValue` UnicodeString

Event ID 30: Failed to commit changes to 'Configuration' at 'ConfigPath'

Provider: Microsoft-Windows-IIS-Configuration
Channel: Operational

Description

Failed to commit changes to 'Configuration' at 'ConfigPath'.

Fields #

Name	Description
`PhysicalPath` UnicodeString
`ConfigPath` UnicodeString
`EffectiveLocationPath` UnicodeString
`Configuration` UnicodeString
`EditOperationType` UInt32
`OldValue` UnicodeString
`NewValue` UnicodeString

Event ID 33: Unable to locate IIS_Schema.

Provider: Microsoft-Windows-IIS-Configuration
Channel: Administrative

Description

Unable to locate IIS_Schema.xml in 'PhysicalPath'.

Message #

Unable to locate IIS_Schema.xml in '%1'.

Fields #

Name	Description
`PhysicalPath` UnicodeString

Event ID 33: Unable to locate IIS_Schema

Provider: Microsoft-Windows-IIS-Configuration
Channel: Operational

Description

Unable to locate IIS_Schema.xml in 'PhysicalPath'.

Fields #

Name	Description
`PhysicalPath` UnicodeString

Event ID 36: Handle 'hSourceHandle' duplicated to 'hTargetHandle'.

Provider: Microsoft-Windows-IIS-Configuration
Channel: Debug

Description

Handle 'hSourceHandle' duplicated to 'hTargetHandle'.

Message #

Handle '%2' duplicated to '%3'

Fields #

Name	Description
`CallSite` UnicodeString
`hSourceHandle` Pointer
`hTargetHandle` Pointer

Event ID 36: Handle 'hSourceHandle' duplicated to 'hTargetHandle'

Provider: Microsoft-Windows-IIS-Configuration
Channel: Operational

Description

Handle 'hSourceHandle' duplicated to 'hTargetHandle'.

Fields #

Name	Description
`CallSite` UnicodeString
`hSourceHandle` Pointer
`hTargetHandle` Pointer

Event ID 37: Unable to locate a site with SiteName 'SiteName'.

Provider: Microsoft-Windows-IIS-Configuration
Channel: Analytic

Description

Unable to locate a site with SiteName 'SiteName'.

Message #

Unable to locate a site with SiteName '%1'.

Fields #

Name	Description
`SiteName` UnicodeString

Event ID 37: Unable to locate a site with SiteName 'SiteName'

Provider: Microsoft-Windows-IIS-Configuration
Channel: Operational

Description

Unable to locate a site with SiteName 'SiteName'.

Fields #

Name	Description
`SiteName` UnicodeString

Event ID 38: Unable to locate a site with SiteId 'Id'.

Provider: Microsoft-Windows-IIS-Configuration
Channel: Analytic

Description

Unable to locate a site with SiteId 'Id'.

Message #

Unable to locate a site with SiteId '%1'.

Fields #

Name	Description
`Id` UInt32

Event ID 38: Unable to locate a site with SiteId 'Id'

Provider: Microsoft-Windows-IIS-Configuration
Channel: Operational

Description

Unable to locate a site with SiteId 'Id'.

Fields #

Name	Description
`Id` UInt32

Event ID 39: The SiteId 'Id' has been assigned to more than one site.

Provider: Microsoft-Windows-IIS-Configuration
Channel: Administrative

Description

The SiteId 'Id' has been assigned to more than one site. Please change your configuration such that each site is assigned a unique SiteId.

Message #

The SiteId '%1' has been assigned to more than one site. Please change your configuration such that each site is assigned a unique SiteId.

Fields #

Name	Description
`Id` UInt32

Event ID 39: The SiteId 'Id' has been assigned to more than one site

Provider: Microsoft-Windows-IIS-Configuration
Channel: Operational

Description

The SiteId 'Id' has been assigned to more than one site. Please change your configuration such that each site is assigned a unique SiteId.

Fields #

Name	Description
`Id` UInt32

Event ID 40: The SiteName 'SiteName' has been assigned to more than one site.

Provider: Microsoft-Windows-IIS-Configuration
Channel: Administrative

Description

The SiteName 'SiteName' has been assigned to more than one site. Please change your configuration such that each site is assigned a unique SiteName.

Message #

The SiteName '%1' has been assigned to more than one site. Please change your configuration such that each site is assigned a unique SiteName.

Fields #

Name	Description
`SiteName` UnicodeString

Event ID 40: The SiteName 'SiteName' has been assigned to more than one site

Provider: Microsoft-Windows-IIS-Configuration
Channel: Operational

Description

The SiteName 'SiteName' has been assigned to more than one site. Please change your configuration such that each site is assigned a unique SiteName.

Fields #

Name	Description
`SiteName` UnicodeString

Event ID 41: Failed to instantiate 'ProgId' when attempting to populate dynamic configuration for 'Configuration'.

Provider: Microsoft-Windows-IIS-Configuration
Channel: Administrative

Description

Failed to instantiate 'ProgId' when attempting to populate dynamic configuration for 'Configuration'. This COM component may not be registered.

Message #

Failed to instantiate '%3' when attempting to populate dynamic configuration for '%1'. This COM component may not be registered.

Fields #

Name	Description
`Configuration` UnicodeString
`CLSID` GUID
`ProgId` UnicodeString
`HRESULT` HexInt32

Event ID 41: Failed to instantiate 'ProgId' when attempting to populate dynamic configuration for 'Configuration'

Provider: Microsoft-Windows-IIS-Configuration
Channel: Operational

Description

Failed to instantiate 'ProgId' when attempting to populate dynamic configuration for 'Configuration'. This COM component may not be registered.

Fields #

Name	Description
`Configuration` UnicodeString
`CLSID` GUID
`ProgId` UnicodeString
`HRESULT` HexInt32

Event ID 42: Failed to initialize the 'ProviderName' encryption provider in 'PhysicalPath'.

Provider: Microsoft-Windows-IIS-Configuration
Channel: Administrative

Description

Failed to initialize the 'ProviderName' encryption provider in 'PhysicalPath'. Please check your configuration.

Message #

Failed to initialize the '%3' encryption provider in '%1'. Please check your configuration.

Fields #

Name	Description
`PhysicalPath` UnicodeString
`FileConfigPath` UnicodeString
`ProviderName` UnicodeString
`ProviderType` UnicodeString
`Blob` UnicodeString
`ErrorType` UInt32
`HRESULT` HexInt32

Event ID 42: Failed to initialize the 'ProviderName' encryption provider in 'PhysicalPath'

Provider: Microsoft-Windows-IIS-Configuration
Channel: Operational

Description

Failed to initialize the 'ProviderName' encryption provider in 'PhysicalPath'. Please check your configuration.

Fields #

Name	Description
`PhysicalPath` UnicodeString
`FileConfigPath` UnicodeString
`ProviderName` UnicodeString
`ProviderType` UnicodeString
`Blob` UnicodeString
`ErrorType` UInt32
`HRESULT` HexInt32

Event ID 43: Failed to encrypt attribute 'ProviderType'.

Provider: Microsoft-Windows-IIS-Configuration
Channel: Administrative

Description

Failed to encrypt attribute 'ProviderType'.

Message #

Failed to encrypt attribute '%4'.

Fields #

Name	Description
`PhysicalPath` UnicodeString
`FileConfigPath` UnicodeString
`ProviderName` UnicodeString
`ProviderType` UnicodeString
`Blob` UnicodeString
`ErrorType` UInt32
`HRESULT` HexInt32

Event ID 43: Failed to encrypt attribute 'ProviderType'

Provider: Microsoft-Windows-IIS-Configuration
Channel: Operational

Description

Failed to encrypt attribute 'ProviderType'.

Fields #

Name	Description
`PhysicalPath` UnicodeString
`FileConfigPath` UnicodeString
`ProviderName` UnicodeString
`ProviderType` UnicodeString
`Blob` UnicodeString
`ErrorType` UInt32
`HRESULT` HexInt32

Event ID 44: Failed to decrypt attribute 'ProviderType'.

Provider: Microsoft-Windows-IIS-Configuration
Channel: Administrative

Description

Failed to decrypt attribute 'ProviderType'.

Message #

Failed to decrypt attribute '%4'.

Fields #

Name	Description
`PhysicalPath` UnicodeString
`FileConfigPath` UnicodeString
`ProviderName` UnicodeString
`ProviderType` UnicodeString
`Blob` UnicodeString
`ErrorType` UInt32
`HRESULT` HexInt32

Event ID 44: Failed to decrypt attribute 'ProviderType'

Provider: Microsoft-Windows-IIS-Configuration
Channel: Operational

Description

Failed to decrypt attribute 'ProviderType'.

Fields #

Name	Description
`PhysicalPath` UnicodeString
`FileConfigPath` UnicodeString
`ProviderName` UnicodeString
`ProviderType` UnicodeString
`Blob` UnicodeString
`ErrorType` UInt32
`HRESULT` HexInt32

Event ID 45: Unable to map 'ConfigPath' to the subpath of any known virtual directory.

Provider: Microsoft-Windows-IIS-Configuration
Channel: Analytic

Description

Unable to map 'ConfigPath' to the subpath of any known virtual directory.

Message #

Unable to map '%1' to the subpath of any known virtual directory.

Fields #

Name	Description
`ConfigPath` UnicodeString

Event ID 45: Unable to map 'ConfigPath' to the subpath of any known virtual directory

Provider: Microsoft-Windows-IIS-Configuration
Channel: Operational

Description

Unable to map 'ConfigPath' to the subpath of any known virtual directory.

Fields #

Name	Description
`ConfigPath` UnicodeString

Event ID 46: Virtual directory mapping from 'RelativeVirtualPath' to 'PhysicalPath' created.

Provider: Microsoft-Windows-IIS-Configuration
Channel: Analytic

Description

Virtual directory mapping from 'RelativeVirtualPath' to 'PhysicalPath' created.

Message #

Virtual directory mapping from '%4' to '%5' created.

Fields #

Name	Description
`SiteName` UnicodeString
`ApplicationPath` UnicodeString
`VirtualDirectoryPath` UnicodeString
`RelativeVirtualPath` UnicodeString
`PhysicalPath` UnicodeString

Event ID 46: Virtual directory mapping from 'RelativeVirtualPath' to 'PhysicalPath' created

Provider: Microsoft-Windows-IIS-Configuration
Channel: Operational

Description

Virtual directory mapping from 'RelativeVirtualPath' to 'PhysicalPath' created.

Fields #

Name	Description
`SiteName` UnicodeString
`ApplicationPath` UnicodeString
`VirtualDirectoryPath` UnicodeString
`RelativeVirtualPath` UnicodeString
`PhysicalPath` UnicodeString

Event ID 47: The location of the configuration file whose config path is 'ConfigPath' was mapped to 'Directory'.

Provider: Microsoft-Windows-IIS-Configuration
Channel: Analytic

Description

The location of the configuration file whose config path is 'ConfigPath' was mapped to 'Directory'.

Message #

The location of the configuration file whose config path is '%1' was mapped to '%2'.

Fields #

Name	Description
`ConfigPath` UnicodeString
`Directory` UnicodeString
`Filename` UnicodeString
`ImpersonationToken` Pointer
`IsCustomMapping` Boolean

Event ID 47: The location of the configuration file whose config path is 'ConfigPath' was mapped to 'Directory'

Provider: Microsoft-Windows-IIS-Configuration
Channel: Operational

Description

The location of the configuration file whose config path is 'ConfigPath' was mapped to 'Directory'.

Fields #

Name	Description
`ConfigPath` UnicodeString
`Directory` UnicodeString
`Filename` UnicodeString
`ImpersonationToken` Pointer
`IsCustomMapping` Boolean

Event ID 49: Config/child source file for configuration 'ConfigSourceFilePath' specified in 'PhysicalPath' is being loaded.

Provider: Microsoft-Windows-IIS-Configuration
Channel: Analytic

Description

Config/child source file for configuration 'ConfigSourceFilePath' specified in 'PhysicalPath' is being loaded.

Message #

Config/child source file for configuration '%6' specified in '%2' is being loaded.

Fields #

Name	Description
`CallSite` UnicodeString
`PhysicalPath` UnicodeString
`FileConfigPath` UnicodeString
`EffectiveLocationPath` UnicodeString
`ConfigurationElementName` UnicodeString
`ConfigSourceFilePath` UnicodeString
`LastModifiedTime` FILETIME

Event ID 49: Config/child source file for configuration 'ConfigSourceFilePath' specified in 'PhysicalPath' is being loaded

Provider: Microsoft-Windows-IIS-Configuration
Channel: Operational

Description

Config/child source file for configuration 'ConfigSourceFilePath' specified in 'PhysicalPath' is being loaded.

Fields #

Name	Description
`CallSite` UnicodeString
`PhysicalPath` UnicodeString
`FileConfigPath` UnicodeString
`EffectiveLocationPath` UnicodeString
`ConfigurationElementName` UnicodeString
`ConfigSourceFilePath` UnicodeString
`LastModifiedTime` FILETIME

Event ID 50: Changes have successfully been committed to 'ConfigPath'.

Provider: Microsoft-Windows-IIS-Configuration
Channel: Operational
Level: Informational

Description

Changes have successfully been committed to 'ConfigPath'.

Message #

Changes have successfully been committed to '%1'.

Fields #

Name	Description
`ConfigPath` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-IIS-Configuration",
    "guid": "DC0B8E51-4863-407A-BC3C-1B479B2978AC",
    "event_source_name": "",
    "event_id": 50,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018427387904,
    "time_created": "2026-03-13T20:06:38.758521+00:00",
    "event_record_id": 2281,
    "correlation": {},
    "execution": {
      "process_id": 2732,
      "thread_id": 1444
    },
    "channel": "Microsoft-IIS-Configuration/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "ConfigPath": "MACHINE/WEBROOT/APPHOST"
  },
  "message": ""
}

Event ID 50: Changes have successfully been committed to 'ConfigPath'

Provider: Microsoft-Windows-IIS-Configuration
Channel: Operational

Description

Changes have successfully been committed to 'ConfigPath'.

Fields #

Name	Description
`ConfigPath` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-IIS-Configuration",
    "event_id": 50,
    "level": "Information",
    "task": null,
    "opcode": "Info",
    "time_created": "2026-03-17T19:25:10.4723748+00:00",
    "computer": "JD-DC01-2022.ludus.domain",
    "channel": "Microsoft-IIS-Configuration/Operational"
  },
  "event_data": {
    "ConfigPath": "MACHINE/WEBROOT/APPHOST"
  }
}

Event ID 51: Failed to commit changes to 'PhysicalPath' because file on the disk has been changed.

Provider: Microsoft-Windows-IIS-Configuration
Channel: Administrative

Description

Failed to commit changes to 'PhysicalPath' because file on the disk has been changed.

Message #

Failed to commit changes to '%2' because file on the disk has been changed.

Fields #

Name	Description
`ConfigPath` UnicodeString
`PhysicalPath` UnicodeString
`FileExistsInMemory` Boolean
`FileLastModifiedTimeInMemory` FILETIME
`FileSizeInMemory` UInt64
`FileExistsOnDisk` Boolean
`FileLastModifiedTimeOnDisk` FILETIME
`FileSizeOnDisk` UInt64
`IsInMemoryViewOfFileRecent` Boolean

Event ID 51: Failed to commit changes to 'PhysicalPath' because file on the disk has been changed

Provider: Microsoft-Windows-IIS-Configuration
Channel: Operational

Description

Failed to commit changes to 'PhysicalPath' because file on the disk has been changed.

Fields #

Name	Description
`ConfigPath` UnicodeString
`PhysicalPath` UnicodeString
`FileExistsInMemory` Boolean
`FileLastModifiedTimeInMemory` FILETIME
`FileSizeInMemory` UInt64
`FileExistsOnDisk` Boolean
`FileLastModifiedTimeOnDisk` FILETIME
`FileSizeOnDisk` UInt64
`IsInMemoryViewOfFileRecent` Boolean

Event ID 52: Checking whether file 'PhysicalPath' has changed on the disk returned 'IsInMemoryViewOfFileRecent'.

Provider: Microsoft-Windows-IIS-Configuration
Channel: Analytic

Description

Checking whether file 'PhysicalPath' has changed on the disk returned 'IsInMemoryViewOfFileRecent'.

Message #

Checking whether file '%2' has changed on the disk returned '%9'.

Fields #

Name	Description
`ConfigPath` UnicodeString
`PhysicalPath` UnicodeString
`FileExistsInMemory` Boolean
`FileLastModifiedTimeInMemory` FILETIME
`FileSizeInMemory` UInt64
`FileExistsOnDisk` Boolean
`FileLastModifiedTimeOnDisk` FILETIME
`FileSizeOnDisk` UInt64
`IsInMemoryViewOfFileRecent` Boolean

Event ID 52: Checking whether file 'PhysicalPath' has changed on the disk returned 'IsInMemoryViewOfFileRecent'

Provider: Microsoft-Windows-IIS-Configuration
Channel: Operational

Description

Checking whether file 'PhysicalPath' has changed on the disk returned 'IsInMemoryViewOfFileRecent'.

Fields #

Name	Description
`ConfigPath` UnicodeString
`PhysicalPath` UnicodeString
`FileExistsInMemory` Boolean
`FileLastModifiedTimeInMemory` FILETIME
`FileSizeInMemory` UInt64
`FileExistsOnDisk` Boolean
`FileLastModifiedTimeOnDisk` FILETIME
`FileSizeOnDisk` UInt64
`IsInMemoryViewOfFileRecent` Boolean

Event ID 53: Unable to create a path mapping for the virtual directory, /system.

Provider: Microsoft-Windows-IIS-Configuration
Channel: Administrative

Description

Unable to create a path mapping for the virtual directory, /system.applicationHost/sites/site[@name='SiteName']/application[@path='ApplicationPath']/virtualDirectory[@path='VirtualDirectoryPath'] because the mapping with the relative virtual path, 'PhysicalPath' was already created for another virtual directory.

Message #

Unable to create a path mapping for the virtual directory, /system.applicationHost/sites/site[@name='%1']/application[@path='%2']/virtualDirectory[@path='%3'] because the mapping with the relative virtual path, '%5' was already created for another virtual directory.

Fields #

Name	Description
`SiteName` UnicodeString
`ApplicationPath` UnicodeString
`VirtualDirectoryPath` UnicodeString
`RelativeVirtualPath` UnicodeString
`PhysicalPath` UnicodeString

Event ID 53: Unable to create a path mapping for the virtual directory, /system

Provider: Microsoft-Windows-IIS-Configuration
Channel: Operational

Fields #

Name	Description
`SiteName` UnicodeString
`ApplicationPath` UnicodeString
`VirtualDirectoryPath` UnicodeString
`RelativeVirtualPath` UnicodeString
`PhysicalPath` UnicodeString

Event ID 54: A commit operation has been initiated.

Provider: Microsoft-Windows-IIS-Configuration
Channel: Analytic

Description

A commit operation has been initiated.

Message #

A commit operation has been initiated.

Event ID 54: A commit operation has been initiated

Provider: Microsoft-Windows-IIS-Configuration
Channel: Operational

Description

A commit operation has been initiated.

Event ID 55: A commit operation has completed.

Provider: Microsoft-Windows-IIS-Configuration
Channel: Analytic

Description

A commit operation has completed. The status code is: 'HRESULT'.

Message #

A commit operation has completed. The status code is: '%1'.

Fields #

Name	Description
`HRESULT` HexInt32

Event ID 55: A commit operation has completed

Provider: Microsoft-Windows-IIS-Configuration
Channel: Operational

Description

A commit operation has completed. The status code is: 'HRESULT'.

Fields #

Name	Description
`HRESULT` HexInt32

Event ID 56: A kernel transaction for a commit operation has been created.

Provider: Microsoft-Windows-IIS-Configuration
Channel: Debug

Description

A kernel transaction for a commit operation has been created.

Message #

A kernel transaction for a commit operation has been created.

Fields #

Name	Description
`Handle` Pointer
`HRESULT` HexInt32

Event ID 56: A kernel transaction for a commit operation has been created

Provider: Microsoft-Windows-IIS-Configuration
Channel: Operational

Description

A kernel transaction for a commit operation has been created.

Fields #

Name	Description
`Handle` Pointer
`HRESULT` HexInt32

Event ID 57: Failed to create a kernel transaction for the commit operation.

Provider: Microsoft-Windows-IIS-Configuration
Channel: Analytic

Description

Failed to create a kernel transaction for the commit operation. The commit operation will proceed without a kernel transaction.

Message #

Failed to create a kernel transaction for the commit operation. The commit operation will proceed without a kernel transaction.

Fields #

Name	Description
`HRESULT` HexInt32

Event ID 57: Failed to create a kernel transaction for the commit operation

Provider: Microsoft-Windows-IIS-Configuration
Channel: Operational

Description

Failed to create a kernel transaction for the commit operation. The commit operation will proceed without a kernel transaction.

Fields #

Name	Description
`HRESULT` HexInt32

Event ID 58: Changes have successfully been committed with a kernel transaction.

Provider: Microsoft-Windows-IIS-Configuration
Channel: Debug

Description

Changes have successfully been committed with a kernel transaction.

Message #

Changes have successfully been committed with a kernel transaction.

Fields #

Name	Description
`Handle` Pointer
`HRESULT` HexInt32

Event ID 58: Changes have successfully been committed with a kernel transaction

Provider: Microsoft-Windows-IIS-Configuration
Channel: Operational

Description

Changes have successfully been committed with a kernel transaction.

Fields #

Name	Description
`Handle` Pointer
`HRESULT` HexInt32

Event ID 59: Failed to commit the changes with a kernel transaction.

Provider: Microsoft-Windows-IIS-Configuration
Channel: Analytic

Description

Failed to commit the changes with a kernel transaction. The changes will be reverted.

Message #

Failed to commit the changes with a kernel transaction. The changes will be reverted.

Fields #

Name	Description
`Handle` Pointer
`HRESULT` HexInt32

Event ID 59: Failed to commit the changes with a kernel transaction

Provider: Microsoft-Windows-IIS-Configuration
Channel: Operational

Description

Failed to commit the changes with a kernel transaction. The changes will be reverted.

Fields #

Name	Description
`Handle` Pointer
`HRESULT` HexInt32

Event ID 60: A file write operation in a commit operation has been initiated.

Provider: Microsoft-Windows-IIS-Configuration
Channel: Debug

Description

A file write operation in a commit operation has been initiated.

Message #

A file write operation in a commit operation has been initiated.

Event ID 60: A file write operation in a commit operation has been initiated

Provider: Microsoft-Windows-IIS-Configuration
Channel: Operational

Description

A file write operation in a commit operation has been initiated.

Event ID 61: The contents of the file 'PhysicalPath' could not be erased.

Provider: Microsoft-Windows-IIS-Configuration
Channel: Debug

Description

The contents of the file 'PhysicalPath' could not be erased. The operation will be tried 'RemainingRetryCount' more time(s).

Message #

The contents of the file '%2' could not be erased. The operation will be tried '%4' more time(s).

Fields #

Name	Description
`Handle` Pointer
`PhysicalPath` UnicodeString
`ConfigPath` UnicodeString
`RemainingRetryCount` UInt32
`HRESULT` HexInt32

Event ID 61: The contents of the file 'PhysicalPath' could not be erased

Provider: Microsoft-Windows-IIS-Configuration
Channel: Operational

Description

The contents of the file 'PhysicalPath' could not be erased. The operation will be tried 'RemainingRetryCount' more time(s).

Fields #

Name	Description
`Handle` Pointer
`PhysicalPath` UnicodeString
`ConfigPath` UnicodeString
`RemainingRetryCount` UInt32
`HRESULT` HexInt32

Event ID 62: The contents of the file 'PhysicalPath' have successfully been erased.

Provider: Microsoft-Windows-IIS-Configuration
Channel: Debug

Description

The contents of the file 'PhysicalPath' have successfully been erased. The size of the file is now zero.

Message #

The contents of the file '%2' have successfully been erased. The size of the file is now zero.

Fields #

Name	Description
`Handle` Pointer
`PhysicalPath` UnicodeString
`ConfigPath` UnicodeString
`HRESULT` HexInt32

Event ID 62: The contents of the file 'PhysicalPath' have successfully been erased

Provider: Microsoft-Windows-IIS-Configuration
Channel: Operational

Description

The contents of the file 'PhysicalPath' have successfully been erased. The size of the file is now zero.

Fields #

Name	Description
`Handle` Pointer
`PhysicalPath` UnicodeString
`ConfigPath` UnicodeString
`HRESULT` HexInt32

Event ID 63: The new contents of the file 'PhysicalPath' could not be written to.

Provider: Microsoft-Windows-IIS-Configuration
Channel: Debug

Description

The new contents of the file 'PhysicalPath' could not be written to.

Message #

The new contents of the file '%2' could not be written to.

Fields #

Name	Description
`Handle` Pointer
`PhysicalPath` UnicodeString
`ConfigPath` UnicodeString
`SizeInBytes` HexInt32
`HRESULT` HexInt32

Event ID 63: The new contents of the file 'PhysicalPath' could not be written to

Provider: Microsoft-Windows-IIS-Configuration
Channel: Operational

Description

The new contents of the file 'PhysicalPath' could not be written to.

Fields #

Name	Description
`Handle` Pointer
`PhysicalPath` UnicodeString
`ConfigPath` UnicodeString
`SizeInBytes` HexInt32
`HRESULT` HexInt32

Event ID 64: A file write operation in a commit operation has completed.

Provider: Microsoft-Windows-IIS-Configuration
Channel: Debug

Description

A file write operation in a commit operation has completed. The status code is: 'HRESULT'.

Message #

A file write operation in a commit operation has completed. The status code is: '%1'.

Fields #

Name	Description
`HRESULT` HexInt32

Event ID 64: A file write operation in a commit operation has completed

Provider: Microsoft-Windows-IIS-Configuration
Channel: Operational

Description

A file write operation in a commit operation has completed. The status code is: 'HRESULT'.

Fields #

Name	Description
`HRESULT` HexInt32

Event ID 65: A change listener of type 'TargetType' has been informed about a configuration change at 'ConfigPath'.

Provider: Microsoft-Windows-IIS-Configuration
Channel: Debug

Description

A change listener of type 'TargetType' has been informed about a configuration change at 'ConfigPath'.

Message #

A change listener of type '%2' has been informed about a configuration change at '%3'.

Fields #

Name	Description
`TargetAddress` Pointer
`TargetType` UInt32
`ConfigPath` UnicodeString
`IsGranular` Boolean
`IsApplicationSpecific` Boolean
`IsLocationTag` Boolean

Event ID 65: A change listener of type 'TargetType' has been informed about a configuration change at 'ConfigPath'

Provider: Microsoft-Windows-IIS-Configuration
Channel: Operational

Description

A change listener of type 'TargetType' has been informed about a configuration change at 'ConfigPath'.

Fields #

Name	Description
`TargetAddress` Pointer
`TargetType` UInt32
`ConfigPath` UnicodeString
`IsGranular` Boolean
`IsApplicationSpecific` Boolean
`IsLocationTag` Boolean

Provenance

Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.

ETW provider GUID dc0b8e51-4863-407a-bc3c-1b479b2978ac

Defined in iisres.dll, which carries the event manifest.

Observed on:

WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.1, captured 2026-06-02

Downloads

Microsoft-Windows-IIS-Configuration registered manifest XML (in the WS2022-20348.4893 manifest pack, 1.9 MB) manifest-xml

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)