Microsoft-Windows-MiStreamProvider

49 events across 2 channels

Event	Title	Channel	Sample
1000	Provider loaded.	Operational	N
1001	Provider unloaded.	Operational	N
1010	Collect started.	Operational	N
1011	Collect error.	Operational	N
1012	Collect stopped.	Operational	N
1013	Collect pipeline error started.	Operational	N
1014	Collect pipeline error.	Operational	N
1015	Collect pipeline OnComplete started.	Operational	N
1016	Collect pipeline OnComplete stopped.	Operational	N
1017	Collect pipeline OnNext started.	Operational	N
1018	Collect pipeline OnNext stopped.	Operational	N
1019	Collect pipeline release started.	Operational	N
1020	Collect pipeline release stopped.	Operational	N
1030	Push started.	Operational	N
1031	Push error.	Operational	N
1032	Push stopped.	Operational	N
1033	Push pipeline error started.	Operational	N
1034	Push pipeline error.	Operational	N
1035	Push pipeline release started.	Operational	N
1036	Push pipeline release stopped.	Operational	N
1040	Flush started.	Operational	N
1041	Flush error.	Operational	N
1042	Flush stopped.	Operational	N
1050	Flush started.	Operational	N
1051	Flush stopped.	Operational	N
1052	Connection info.	Operational	N
1053	Getting filename for KVP write.	Operational	N
1054	Filename for KVP write: message.	Operational	N
1055	Cleaning up cached files older than result days.	Operational	N
1056	Deleting cached file: message.	Operational	N
1057	Data is being collected locally because the Target URI and/or Certificate …	Operational	N
1060	Creating pipeline from .	Operational	N
1061	Creating pipeline from.	Operational	N
1062	Creating push pipeline started.	Operational	N
1063	Creating push pipeline stopped.	Operational	N
1501	Http client loaded.	Operational	N
1502	Http client unloaded.	Operational	N
1503	Http Session opened.	Debug	N
1504	Failed to enumerate directory to upload.	Debug	N
1505	Failed to read file.	Operational	N
1506	Failed to add headers to HTTP request.	Operational	N
1507	Failed to load certificates.	Operational	N
1508	Failed to send Http request.	Operational	N
1509	Failed to delete file.	Operational	N
1510	Invalid status received from server.	Operational	N
1511	callback status request error.	Operational	N
1512	Failed to write file stream.	Operational	N
1513	Cannot use the client certificate specified.	Operational	N
1514	One or more errors were found in the Secure Sockets Layer (SSL) certificate sent …	Operational	N

Event ID 1000: Provider loaded.

Provider: Microsoft-Windows-MiStreamProvider
Channel: Operational
Task: Lifetime
Opcode: Start

Description

Provider loaded.

Message #

Provider loaded.

Event ID 1001: Provider unloaded.

Provider: Microsoft-Windows-MiStreamProvider
Channel: Operational
Task: Lifetime
Opcode: Stop

Description

Provider unloaded.

Message #

Provider unloaded.

Event ID 1010: Collect started.

Provider: Microsoft-Windows-MiStreamProvider
Channel: Operational
Task: Lifetime
Opcode: Start

Description

Collect started.

Message #

Collect started.

Event ID 1011: Collect error.

Provider: Microsoft-Windows-MiStreamProvider
Channel: Operational
Task: Lifetime

Description

Collect error. Error code: error, Message: message.

Message #

Collect error. Error code: %1, Message: %2

Fields #

Name	Description
`error` UInt32
`message` UnicodeString

Event ID 1012: Collect stopped.

Provider: Microsoft-Windows-MiStreamProvider
Channel: Operational
Task: Lifetime
Opcode: Stop

Description

Collect stopped.

Message #

Collect stopped.

Event ID 1013: Collect pipeline error started.

Provider: Microsoft-Windows-MiStreamProvider
Channel: Operational
Task: Lifetime
Opcode: Start

Description

Collect pipeline error started.

Message #

Collect pipeline error started.

Event ID 1014: Collect pipeline error.

Provider: Microsoft-Windows-MiStreamProvider
Channel: Operational
Task: Lifetime

Description

Collect pipeline error. Error code: error, Message: message.

Message #

Collect pipeline error. Error code: %1, Message: %2

Fields #

Name	Description
`error` UInt32
`message` UnicodeString

Event ID 1015: Collect pipeline OnComplete started.

Provider: Microsoft-Windows-MiStreamProvider
Channel: Operational
Task: Lifetime
Opcode: Start

Description

Collect pipeline OnComplete started.

Message #

Collect pipeline OnComplete started.

Event ID 1016: Collect pipeline OnComplete stopped.

Provider: Microsoft-Windows-MiStreamProvider
Channel: Operational
Task: Lifetime
Opcode: Stop

Description

Collect pipeline OnComplete stopped.

Message #

Collect pipeline OnComplete stopped.

Event ID 1017: Collect pipeline OnNext started.

Provider: Microsoft-Windows-MiStreamProvider
Channel: Operational
Task: Lifetime
Opcode: Start

Description

Collect pipeline OnNext started.

Message #

Collect pipeline OnNext started.

Event ID 1018: Collect pipeline OnNext stopped.

Provider: Microsoft-Windows-MiStreamProvider
Channel: Operational
Task: Lifetime
Opcode: Stop

Description

Collect pipeline OnNext stopped.

Message #

Collect pipeline OnNext stopped.

Event ID 1019: Collect pipeline release started.

Provider: Microsoft-Windows-MiStreamProvider
Channel: Operational
Task: Lifetime
Opcode: Start

Description

Collect pipeline release started.

Message #

Collect pipeline release started.

Event ID 1020: Collect pipeline release stopped.

Provider: Microsoft-Windows-MiStreamProvider
Channel: Operational
Task: Lifetime
Opcode: Stop

Description

Collect pipeline release stopped.

Message #

Collect pipeline release stopped.

Event ID 1030: Push started.

Provider: Microsoft-Windows-MiStreamProvider
Channel: Operational
Task: Lifetime
Opcode: Start

Description

Push started.

Message #

Push started.

Event ID 1031: Push error.

Provider: Microsoft-Windows-MiStreamProvider
Channel: Operational
Task: Lifetime

Description

Push error. Error code: error, Message: message.

Message #

Push error. Error code: %1, Message: %2

Fields #

Name	Description
`error` UInt32
`message` UnicodeString

Event ID 1032: Push stopped.

Provider: Microsoft-Windows-MiStreamProvider
Channel: Operational
Task: Lifetime
Opcode: Stop

Description

Push stopped.

Message #

Push stopped.

Event ID 1033: Push pipeline error started.

Provider: Microsoft-Windows-MiStreamProvider
Channel: Operational
Task: Lifetime
Opcode: Start

Description

Push pipeline error started.

Message #

Push pipeline error started.

Event ID 1034: Push pipeline error.

Provider: Microsoft-Windows-MiStreamProvider
Channel: Operational
Task: Lifetime

Description

Push pipeline error. Error code: error, Message: message.

Message #

Push pipeline error. Error code: %1, Message: %2

Fields #

Name	Description
`error` UInt32
`message` UnicodeString

Event ID 1035: Push pipeline release started.

Provider: Microsoft-Windows-MiStreamProvider
Channel: Operational
Task: Lifetime
Opcode: Start

Description

Push pipeline release started.

Message #

Push pipeline release started.

Event ID 1036: Push pipeline release stopped.

Provider: Microsoft-Windows-MiStreamProvider
Channel: Operational
Task: Lifetime
Opcode: Stop

Description

Push pipeline release stopped.

Message #

Push pipeline release stopped.

Event ID 1040: Flush started.

Provider: Microsoft-Windows-MiStreamProvider
Channel: Operational
Task: Lifetime
Opcode: Start

Description

Flush started.

Message #

Flush started.

Event ID 1041: Flush error.

Provider: Microsoft-Windows-MiStreamProvider
Channel: Operational
Task: Lifetime

Description

Flush error. Error code: error, Message: message.

Message #

Flush error. Error code: %1, Message: %2

Fields #

Name	Description
`error` UInt32
`message` UnicodeString

Event ID 1042: Flush stopped.

Provider: Microsoft-Windows-MiStreamProvider
Channel: Operational
Task: Lifetime
Opcode: Stop

Description

Flush stopped.

Message #

Flush stopped.

Event ID 1050: Flush started.

Provider: Microsoft-Windows-MiStreamProvider
Channel: Operational
Task: Flush
Opcode: Start

Description

Flush started.

Message #

Flush started.

Event ID 1051: Flush stopped.

Provider: Microsoft-Windows-MiStreamProvider
Channel: Operational
Task: Flush
Opcode: Stop

Description

Flush stopped.

Message #

Flush stopped.

Event ID 1052: Connection info.

Provider: Microsoft-Windows-MiStreamProvider
Channel: Operational
Task: Flush

Description

Connection info. Target URI: message.

Message #

Connection info. Target URI: %1

Fields #

Name	Description
`message` UnicodeString

Event ID 1053: Getting filename for KVP write.

Provider: Microsoft-Windows-MiStreamProvider
Channel: Operational
Task: Flush
Opcode: Start

Description

Getting filename for KVP write. Is guest server: result.

Message #

Getting filename for KVP write. Is guest server: %1

Fields #

Name	Description
`result` UInt32

Event ID 1054: Filename for KVP write: message.

Provider: Microsoft-Windows-MiStreamProvider
Channel: Operational
Task: Flush

Description

Filename for KVP write: message.

Message #

Filename for KVP write: %1

Fields #

Name	Description
`message` UnicodeString

Event ID 1055: Cleaning up cached files older than result days.

Provider: Microsoft-Windows-MiStreamProvider
Channel: Operational
Task: Flush

Description

Cleaning up cached files older than result days.

Message #

Cleaning up cached files older than %1 days.

Fields #

Name	Description
`result` UInt32

Event ID 1056: Deleting cached file: message.

Provider: Microsoft-Windows-MiStreamProvider
Channel: Operational
Task: Flush

Description

Deleting cached file: message.

Message #

Deleting cached file: %1

Fields #

Name	Description
`message` UnicodeString

Event ID 1057: Data is being collected locally because the Target URI and/or Certificate Thumbprint is not set.

Provider: Microsoft-Windows-MiStreamProvider
Channel: Operational
Task: Flush

Description

Data is being collected locally because the Target URI and/or Certificate Thumbprint is not set.

Message #

Data is being collected locally because the Target URI and/or Certificate Thumbprint is not set.

Event ID 1060: Creating pipeline from .

Provider: Microsoft-Windows-MiStreamProvider
Channel: Operational
Task: Lifetime

Description

Creating pipeline from .mof started. Filename: message.

Message #

Creating pipeline from .mof started. Filename: %1

Fields #

Name	Description
`message` UnicodeString

Event ID 1061: Creating pipeline from.

Provider: Microsoft-Windows-MiStreamProvider
Channel: Operational
Task: Lifetime

Description

Creating pipeline from .mof stopped.

Message #

Creating pipeline from .mof stopped.

Event ID 1062: Creating push pipeline started.

Provider: Microsoft-Windows-MiStreamProvider
Channel: Operational
Task: Lifetime

Description

Creating push pipeline started.

Message #

Creating push pipeline started.

Event ID 1063: Creating push pipeline stopped.

Provider: Microsoft-Windows-MiStreamProvider
Channel: Operational
Task: Lifetime

Description

Creating push pipeline stopped.

Message #

Creating push pipeline stopped.

Event ID 1501: Http client loaded.

Provider: Microsoft-Windows-MiStreamProvider
Channel: Operational
Task: HttpClient
Opcode: Start

Description

Http client loaded.

Message #

Http client loaded.

Event ID 1502: Http client unloaded.

Provider: Microsoft-Windows-MiStreamProvider
Channel: Operational
Task: HttpClient
Opcode: Start

Description

Http client unloaded.

Message #

Http client unloaded.

Event ID 1503: Http Session opened.

Provider: Microsoft-Windows-MiStreamProvider
Channel: Debug
Task: HttpClient
Opcode: Start

Description

Http Session opened.

Message #

Http Session opened.

Event ID 1504: Failed to enumerate directory to upload.

Provider: Microsoft-Windows-MiStreamProvider
Channel: Debug
Task: HttpClient

Description

Failed to enumerate directory to upload.

Message #

Failed to enumerate directory to upload.

Event ID 1505: Failed to read file.

Provider: Microsoft-Windows-MiStreamProvider
Channel: Operational
Task: HttpClient

Description

Failed to read file. Error: error, File: fileName.

Message #

Failed to read file. Error: %1, File: %2

Fields #

Name	Description
`error` UInt32
`fileName` UnicodeString

Event ID 1506: Failed to add headers to HTTP request.

Provider: Microsoft-Windows-MiStreamProvider
Channel: Operational
Task: HttpClient

Description

Failed to add headers to HTTP request. Error: error.

Message #

Failed to add headers to HTTP request. Error: %1

Fields #

Name	Description
`error` UInt32

Event ID 1507: Failed to load certificates.

Provider: Microsoft-Windows-MiStreamProvider
Channel: Operational
Task: HttpClient

Description

Failed to load certificates. Error: error.

Message #

Failed to load certificates. Error: %1

Fields #

Name	Description
`error` UInt32

Event ID 1508: Failed to send Http request.

Provider: Microsoft-Windows-MiStreamProvider
Channel: Operational
Task: HttpClient

Description

Failed to send Http request. Error: error.

Message #

Failed to send Http request. Error: %1

Fields #

Name	Description
`error` UInt32

Event ID 1509: Failed to delete file.

Provider: Microsoft-Windows-MiStreamProvider
Channel: Operational
Task: HttpClient

Description

Failed to delete file. Error: error, File: fileName.

Message #

Failed to delete file. Error: %1, File: %2

Fields #

Name	Description
`error` UInt32
`fileName` UnicodeString

Event ID 1510: Invalid status received from server.

Provider: Microsoft-Windows-MiStreamProvider
Channel: Operational
Task: HttpClient

Description

Invalid status received from server. Error: error.

Message #

Invalid status received from server. Error: %1

Fields #

Name	Description
`error` UInt32

Event ID 1511: callback status request error.

Provider: Microsoft-Windows-MiStreamProvider
Channel: Operational
Task: HttpClient

Description

callback status request error. Error: error.

Message #

callback status request error. Error: %1

Fields #

Name	Description
`error` UInt32

Event ID 1512: Failed to write file stream.

Provider: Microsoft-Windows-MiStreamProvider
Channel: Operational
Task: HttpClient

Description

Failed to write file stream. Error: error.

Message #

Failed to write file stream. Error: %1

Fields #

Name	Description
`error` UInt32

Event ID 1513: Cannot use the client certificate specified.

Provider: Microsoft-Windows-MiStreamProvider
Channel: Operational
Task: HttpClient

Description

Cannot use the client certificate specified. Error: Certificate expired.

Message #

Cannot use the client certificate specified. Error: Certificate expired.

Event ID 1514: One or more errors were found in the Secure Sockets Layer (SSL) certificate sent by the server.

Provider: Microsoft-Windows-MiStreamProvider
Channel: Operational
Task: HttpClient

Description

One or more errors were found in the Secure Sockets Layer (SSL) certificate sent by the server. The errors are: message.

Message #

One or more errors were found in the Secure Sockets Layer (SSL) certificate sent by the server. The errors are: %1

Fields #

Name	Description
`message` UnicodeString

Provenance

Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.

ETW provider GUID 018c05b7-0e3b-4c5a-9ab2-553ba1489332

Defined in mistreamprov.dll, which carries the event manifest.

Observed on:

WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.1, captured 2026-06-02

Downloads

Microsoft-Windows-MiStreamProvider registered manifest XML (in the WS2022-20348.4893 manifest pack, 1.9 MB) manifest-xml

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)