Microsoft-Windows-Iphlpsvc

18 events across 2 channels

Event	Title	Channel	Sample
4000	Teredo server has successfully started.	System	N
4001	Teredo server has failed to start with the following error: ErrorCode.	System	N
4002	Teredo server primary or secondary IPv4 address is invalid.	System	N
4003	Configured Teredo server name ServerName is invalid.	System	N
4004	Teredo server initialization has failed with the following error code ErrorCode.	System	N
4005	Teredo server has stopped.	System	N
4100	ISATAP router address IsatapRouter was set with status ErrorCode.	System	N
4200	ProtocolType interface Interface with address Address has been brought up.	System	N
4201	ProtocolType interface Interface is no longer active.	System	N
4202	Unable to update the IP address on Error_Code interface ProtocolType.	System	N
4300	IP-HTTPS server has successfully started using the server URL ServerUrl.	System	N
4301	IP-HTTPS server has stopped.	System	N
4302	IP-HTTPS server has failed to start with the following error: ErrorCode.	System	N
4303	IP-HTTPS client ClientMachineName (TunnelSourceIP) is associated with IP address …	Operational	N
4304	IP-HTTPS client ClientMachineName (TunnelSourceIP) is disassociated from IP …	Operational	N
4400	DNS64: No matching IPv6 prefix found for IPv4 address Translated IPv4 Address, …	Operational	N
4500	DA MULTISITE: Configured DA site SiteName.	Operational	N
4501	DA MULTISITE: Unconfigured DA site SiteName.	Operational	N

Event ID 4000: Teredo server has successfully started.

Provider: Microsoft-Windows-Iphlpsvc
Channel: System

Description

Teredo server has successfully started.

Message #

Teredo server has successfully started.

Event ID 4001: Teredo server has failed to start with the following error: ErrorCode.

Provider: Microsoft-Windows-Iphlpsvc
Channel: System

Description

Teredo server has failed to start with the following error: ErrorCode.

Message #

Teredo server has failed to start with the following error: %1.
Teredo Reason Code: %2.

Fields #

Name	Description
`ErrorCode` UInt32
`TeredoReasonCode` UInt32

Event ID 4002: Teredo server primary or secondary IPv4 address is invalid.

Provider: Microsoft-Windows-Iphlpsvc
Channel: System

Description

Teredo server primary or secondary IPv4 address is invalid. Primary IPv4 address: Interface. Error Code: ErrorCode.

Message #

Teredo server primary or secondary IPv4 address is invalid. Primary IPv4 address: %1. Error Code: %2.

Fields #

Name	Description
`Interface` UnicodeString
`ErrorCode` UInt32

Event ID 4003: Configured Teredo server name ServerName is invalid.

Provider: Microsoft-Windows-Iphlpsvc
Channel: System

Description

Configured Teredo server name ServerName is invalid. Error Code: ErrorCode.

Message #

Configured Teredo server name %1 is invalid. Error Code: %2.

Fields #

Name	Description
`ServerName` UnicodeString
`ErrorCode` UInt32

Event ID 4004: Teredo server initialization has failed with the following error code ErrorCode.

Provider: Microsoft-Windows-Iphlpsvc
Channel: System

Description

Teredo server initialization has failed with the following error code ErrorCode.

Message #

Teredo server initialization has failed with the following error code %1.

Fields #

Name	Description
`ErrorCode` UInt32

Event ID 4005: Teredo server has stopped.

Provider: Microsoft-Windows-Iphlpsvc
Channel: System

Description

Teredo server has stopped.

Message #

Teredo server has stopped.

Event ID 4100: ISATAP router address IsatapRouter was set with status ErrorCode.

Provider: Microsoft-Windows-Iphlpsvc
Channel: System

Description

ISATAP router address IsatapRouter was set with status ErrorCode.

Message #

ISATAP router address %1 was set with status %2.

Fields #

Name	Description	Rules
`IsatapRouter` UnicodeString		2 detection rules
`ErrorCode` UInt32

Detection Rules #

View all rules referencing this event →

Sigma # view in coverage

ISATAP Router Address Was Set source medium: Detects the configuration of a new ISATAP router on a Windows host. While ISATAP is a legitimate Microsoft technology for IPv6 transition, unexpected or unauthorized ISATAP router configurations could indicate a potential IPv6 DNS Takeover attack using tools like mitm6. In such attacks, adversaries advertise themselves as DHCPv6 servers and set malicious ISATAP routers to intercept traffic. This detection should be correlated with network baselines and known legitimate ISATAP deployments in your environment.

Event ID 4200: ProtocolType interface Interface with address Address has been brought up.

Provider: Microsoft-Windows-Iphlpsvc
Channel: System

Description

ProtocolType interface Interface with address Address has been brought up.

Message #

%1 interface %2 with address %3 has been brought up.

Fields #

Name	Description
`ProtocolType` UInt32
`Interface` UnicodeString
`Address` UnicodeString

Event ID 4201: ProtocolType interface Interface is no longer active.

Provider: Microsoft-Windows-Iphlpsvc
Channel: System

Description

ProtocolType interface Interface is no longer active.

Message #

%1 interface %2 is no longer active.

Fields #

Name	Description
`ProtocolType` UInt32
`Interface` UnicodeString

Event ID 4202: Unable to update the IP address on Error_Code interface ProtocolType.

Provider: Microsoft-Windows-Iphlpsvc
Channel: System

Description

Unable to update the IP address on Error_Code interface ProtocolType. Update Type: Interface. Error Code: UpdateType.

Message #

Unable to update the IP address on %1 interface %2. Update Type: %3. Error Code: %4.

Fields #

Name	Description
`ProtocolType` UInt32
`Interface` UnicodeString
`UpdateType` UInt32
`ErrorCode` UInt32

Event ID 4300: IP-HTTPS server has successfully started using the server URL ServerUrl.

Provider: Microsoft-Windows-Iphlpsvc
Channel: System

Description

IP-HTTPS server has successfully started using the server URL ServerUrl.

Message #

IP-HTTPS server has successfully started using the server URL %1.

Fields #

Name	Description
`ServerUrl` UnicodeString

Event ID 4301: IP-HTTPS server has stopped.

Provider: Microsoft-Windows-Iphlpsvc
Channel: System

Description

IP-HTTPS server has stopped.

Message #

IP-HTTPS server has stopped.

Event ID 4302: IP-HTTPS server has failed to start with the following error: ErrorCode.

Provider: Microsoft-Windows-Iphlpsvc
Channel: System

Description

IP-HTTPS server has failed to start with the following error: ErrorCode.

Message #

IP-HTTPS server has failed to start with the following error: %1. 
 IP HTTPS reason code %2.

Fields #

Name	Description
`ErrorCode` UInt32
`IpHTTPSReasonCode` UInt32

Event ID 4303: IP-HTTPS client ClientMachineName (TunnelSourceIP) is associated with IP address RemoteIP.

Provider: Microsoft-Windows-Iphlpsvc
Channel: Operational

Description

IP-HTTPS client ClientMachineName (TunnelSourceIP) is associated with IP address RemoteIP.

Message #

IP-HTTPS client %1 (%2) is associated with IP address %3.

Fields #

Name	Description
`ClientMachineName` UnicodeString
`TunnelSourceIP` UnicodeString
`RemoteIP` UnicodeString

Event ID 4304: IP-HTTPS client ClientMachineName (TunnelSourceIP) is disassociated from IP address RemoteIP.

Provider: Microsoft-Windows-Iphlpsvc
Channel: Operational

Description

IP-HTTPS client ClientMachineName (TunnelSourceIP) is disassociated from IP address RemoteIP.

Message #

IP-HTTPS client %1 (%2) is disassociated from IP address %3.

Fields #

Name	Description
`ClientMachineName` UnicodeString
`TunnelSourceIP` UnicodeString
`RemoteIP` UnicodeString

Event ID 4400: DNS64: No matching IPv6 prefix found for IPv4 address Translated IPv4 Address, received for name QuestionName queried by client ClientIP.

Provider: Microsoft-Windows-Iphlpsvc
Channel: Operational

Description

DNS64: No matching IPv6 prefix found for IPv4 address Translated IPv4 Address, received for name QuestionName queried by client ClientIP.

Message #

DNS64: No matching IPv6 prefix found for IPv4 address %4, received for name %3 queried by client %2.

Fields #

Name	Description
`AddrLength` UInt32
`ClientIP` Binary
`QuestionName` UnicodeString
`TranslatedIPv4Address` UInt32

Event ID 4500: DA MULTISITE: Configured DA site SiteName.

Provider: Microsoft-Windows-Iphlpsvc
Channel: Operational

Description

DA MULTISITE: Configured DA site SiteName.

Message #

DA MULTISITE: Configured DA site %1.

Fields #

Name	Description
`SiteName` UnicodeString

Event ID 4501: DA MULTISITE: Unconfigured DA site SiteName.

Provider: Microsoft-Windows-Iphlpsvc
Channel: Operational

Description

DA MULTISITE: Unconfigured DA site SiteName.

Message #

DA MULTISITE: Unconfigured DA site %1.

Fields #

Name	Description
`SiteName` UnicodeString

Provenance

Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.

ETW provider GUID 66a5c15c-4f8e-4044-bf6e-71d896038977

Defined in iphlpsvc.dll, which carries the event manifest.

Observed on:

WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.1, captured 2026-06-02
Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.4484, captured 2026-06-02

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Microsoft-Windows-Iphlpsvc

Event ID 4000: Teredo server has successfully started.

Description

Message #

Event ID 4001: Teredo server has failed to start with the following error: ErrorCode.

Description

Message #

Fields #

Event ID 4002: Teredo server primary or secondary IPv4 address is invalid.

Description

Message #

Fields #

Event ID 4003: Configured Teredo server name ServerName is invalid.

Description

Message #

Fields #

Event ID 4004: Teredo server initialization has failed with the following error code ErrorCode.

Description

Message #

Fields #

Event ID 4005: Teredo server has stopped.

Description

Message #

Event ID 4100: ISATAP router address IsatapRouter was set with status ErrorCode.

Description

Message #

Fields #

Detection Rules #

Sigma # view in coverage

Event ID 4200: ProtocolType interface Interface with address Address has been brought up.

Description

Message #

Fields #

Event ID 4201: ProtocolType interface Interface is no longer active.

Description

Message #

Fields #

Event ID 4202: Unable to update the IP address on Error_Code interface ProtocolType.

Description

Message #

Fields #

Event ID 4300: IP-HTTPS server has successfully started using the server URL ServerUrl.

Description

Message #

Fields #

Event ID 4301: IP-HTTPS server has stopped.

Description

Message #

Event ID 4302: IP-HTTPS server has failed to start with the following error: ErrorCode.

Description

Message #

Fields #

Event ID 4303: IP-HTTPS client ClientMachineName (TunnelSourceIP) is associated with IP address RemoteIP.

Description

Message #

Fields #

Event ID 4304: IP-HTTPS client ClientMachineName (TunnelSourceIP) is disassociated from IP address RemoteIP.

Description

Message #

Fields #

Event ID 4400: DNS64: No matching IPv6 prefix found for IPv4 address Translated IPv4 Address, received for name QuestionName queried by client ClientIP.

Description

Message #

Fields #

Event ID 4500: DA MULTISITE: Configured DA site SiteName.

Description

Message #

Fields #

Event ID 4501: DA MULTISITE: Unconfigured DA site SiteName.

Description

Message #

Fields #

Provenance

Downloads