Microsoft-Windows-NCSI
58 events across 2 channels
Event ID 2001: Corporate connectivity check will be skipped.
#Event ID 2002: Corporate connectivity check is enabled
#Description
Corporate connectivity check is enabled.
Message #
Event ID 2003: Corporate inside/outside location check will be skipped.
#Event ID 2004: Corporate inside/outside location check is enabled
#Description
Corporate inside/outside location check is enabled.
Message #
Event ID 4001: Entered State: Interface_Luid Interface Luid: InterfaceGuid.
#Event ID 4002: Transitioning to State: CurrentOrNextState Interface Luid: IfLuid.
#Event ID 4003: Entered State: Interface_Luid Interface Luid: InterfaceGuid.
#Event ID 4004: Transitioning to State: CurrentOrNextState Interface Luid: IfLuid.
#Event ID 4005: Entered State: Interface_Luid Interface Luid: InterfaceGuid.
#Event ID 4006: Transitioning to State: CurrentOrNextState Interface Luid: IfLuid.
#Event ID 4007: Entered State: Interface_Luid Interface Luid: InterfaceGuid.
#Event ID 4008: Transitioning to State: CurrentOrNextState Interface Luid: IfLuid.
#Event ID 4009: Inside/Outside detection started for interface IfLuid.
#Event ID 4010: Inside/Outside detection finished for interface IfLuid (CorporateLocation).
#Event ID 4011: Windows Firewall Group Policy settings have been updated.
#Description
Windows Firewall Group Policy settings have been updated. Triggering another inside/outside location detection.
Message #
Event ID 4012: Inside/Outside probe failed for interface Host.
#Event ID 4013: Active Internet Probe started on interface InterfaceGuid.
#Event ID 4014: Active Internet Probe finished on interface InterfaceGuid (Succeeded).
#Event ID 4015: Active Internet Probe (DNS) started on interface InterfaceGuid.
#Event ID 4016: Active Internet Probe (DNS) finished on interface InterfaceGuid.
#Event ID 4017: Active Internet Probe (HTTP) started on interface InterfaceGuid.
#Event ID 4018: Active Internet Probe (HTTP) finished on interface InterfaceGuid.
#Event ID 4019: Active Corp Probe started on interface InterfaceGuid.
#Event ID 4020: Active Corp Probe finished on interface InterfaceGuid (Succeeded).
#Event ID 4021: Active Corp Probe (DNS) started on interface InterfaceGuid.
#Event ID 4022: Active Corp Probe (DNS) finished on interface InterfaceGuid.
#Event ID 4023: Active Corp Probe (HTTP) started on interface InterfaceGuid.
#Event ID 4024: Active Corp Probe (HTTP) finished on interface InterfaceGuid.
#Event ID 4026: Proxy Detection stopped (HasProxy=ErrorCode).
#Event ID 4027: Opportunistic Internet flag on interface InterfaceGuid for family Family marked.
#Event ID 4028: Inside/Outside detection is suspect
#Description
Inside/Outside detection is suspect.
Message #
Event ID 4029: Entered suspect state on interface InterfaceGuid (Family: IfLuid Reason: Family).
#Event ID 4030: Suspect state cancelled on interface IfLuid (Family: Family).
#Event ID 4031: Suspect state expired on interface IfLuid (Family: Family).
#Event ID 4032: Entered corporate suspect state on interface IfLuid.
#Event ID 4033: Corporate suspect state cancelled on interface IfLuid.
#Event ID 4034: Corporate suspect state expired on interface IfLuid.
#Event ID 4035: Cancelling hotspot detection scenario for interface InterfaceGuid.
#Event ID 4037: Starting hotspot detection for family Family on interface IfLuid.
#Event ID 4038: Hotspot detected on interface IfLuid (Family: Family).
#Event ID 4039: Hotspot not detected on interface IfLuid (Family: Family).
#Event ID 4040: Interface ConnectedInterfaceGuid (IfLuid) has been connected.
#Event ID 4041: Interface DisconnectedInterfaceGuid (IfLuid) has been disconnected.
#Event ID 4042: Capability change on InterfaceGuid (IfLuid Family: Family Capability: Capability ChangeReason: CapabilityChangeReason).
#Description
Capability change on InterfaceGuid (IfLuid Family: Family Capability: Capability ChangeReason: CapabilityChangeReason).
Message #
Fields #
| Name | Description |
|---|---|
InterfaceGuid GUID | |
IfLuid UInt64 | |
Family UInt32 | 2 Family. |
Capability UInt32 | |
CapabilityChangeReason UInt32 | ChangeReason. |
PreviousCapability UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-NCSI",
"guid": "{314DE49F-CE63-4779-BA2B-D616F6963A88}",
"event_source_name": "",
"event_id": 4042,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387936,
"time_created": "2026-05-29T16:33:35.2696049+00:00",
"event_record_id": 43,
"correlation": {},
"execution": {
"process_id": 1828,
"thread_id": 2016
},
"channel": "Microsoft-Windows-NCSI/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-20"
}
},
"event_data": {
"InterfaceGuid": "{2a7bd48e-ddc6-4641-9f41-682f29f1d76c}",
"IfLuid": "1689399632855040",
"Family": "0",
"Capability": "2",
"CapabilityChangeReason": "8",
"PreviousCapability": "1"
},
"message": "Capability change on {2a7bd48e-ddc6-4641-9f41-682f29f1d76c} (0x6008001000000 Family: V4 Capability: Internet ChangeReason: ActiveDnsProbeSucceeded)"
}
Event ID 4043: Proxied capability change on ProxiedCapability (InterfaceGuid Family: IfLuid ProxiedCapability: Family).
#Event ID 4044: Passive Poll state change.
#Description
Passive Poll state change (ShouldPassivePollRun: ShouldPassivePollRun WasPassivePollRunning: WasPassivePollRunning IsPassivePollAllowed: IsPassivePollAllowed ClientPresent: ClientPresent UserPresent: UserPresent NetworkQuietMode: NetworkQuietMode DeadUserPollCount: DeadUserPollCount DeadNetPollCountV4: DeadNetPollCountV4 DeadNetPollCountV6: DeadNetPollCountV6)
Message #
Fields #
| Name | Description |
|---|---|
ShouldPassivePollRun Boolean | |
WasPassivePollRunning Boolean | |
IsPassivePollAllowed Boolean | |
ClientPresent Boolean | |
UserPresent Boolean | |
NetworkQuietMode Boolean | |
DeadUserPollCount UInt32 | |
DeadNetPollCountV4 UInt32 | |
DeadNetPollCountV6 UInt32 |
Event ID 4045: NetReady update on NetReady (InterfaceGuid Family: IfLuid NetReady: Family).
#Event ID 4046: Corporate connectivity change on HasCorporateConnectivity (InterfaceGuid Family: IfLuid HasCorporateConnectivity: Family).
#Event ID 4047: Default gateway is set on GatewayIP (GatewayMAC Family: KnownProxyless GatewayIP: KnownOppInternet GatewayMAC: InterfaceGuid KnownHotspot: IfLuid KnownOppInternet: Family KnownProxiedOppInternet: I...
#Description
Default gateway is set on GatewayIP (GatewayMAC Family: KnownProxyless GatewayIP: KnownOppInternet GatewayMAC: InterfaceGuid KnownHotspot: IfLuid KnownOppInternet: Family KnownProxiedOppInternet: IpAddressLength).
Message #
Fields #
| Name | Description |
|---|---|
InterfaceGuid GUID | |
IfLuid UInt64 | |
Family UInt32 | |
IpAddressLength UInt32 | |
IpAddress Binary | |
MacAddressLength UInt32 | |
MacAddress Binary | |
KnownHotspot Boolean | GatewayIP. |
KnownOppInternet Boolean | |
KnownProxiedOppInternet Boolean | GatewayMAC. |
Event ID 4048: Next hop to Internet has changed on HasNextHopToInternet (NextHopAddress Family: InterfaceGuid HasNextHopToInternet: IfLuid NextHopAddress: NextHopAddressLength).
#Description
Next hop to Internet has changed on HasNextHopToInternet (NextHopAddress Family: InterfaceGuid HasNextHopToInternet: IfLuid NextHopAddress: NextHopAddressLength).
Message #
Fields #
| Name | Description |
|---|---|
InterfaceGuid GUID | |
IfLuid UInt64 | |
Family UInt32 | |
HasNextHopToInternet Boolean | |
NextHopAddressLength UInt32 | |
NextHopAddress Binary | 2 Family. |
Event ID 4049: Preferred address change on HasPreferredAddress (AddressSuffixOrigins Family: InterfaceGuid HasPreferredAddress: IfLuid AddressSuffixOrigins: Family).
#Description
Preferred address change on HasPreferredAddress (AddressSuffixOrigins Family: InterfaceGuid HasPreferredAddress: IfLuid AddressSuffixOrigins: Family).
Message #
Fields #
| Name | Description |
|---|---|
InterfaceGuid GUID | |
IfLuid UInt64 | |
Family UInt32 | |
HasPreferredAddress Boolean | |
AddressSuffixOrigins UInt32 | 2 Family. |
Event ID 4050: Preferred global address change on HasPreferredGlobalAddress (AddressSuffixOrigins Family: InterfaceGuid HasPreferredGlobalAddress: IfLuid AddressSuffixOrigins: Family).
#Description
Preferred global address change on HasPreferredGlobalAddress (AddressSuffixOrigins Family: InterfaceGuid HasPreferredGlobalAddress: IfLuid AddressSuffixOrigins: Family).
Message #
Fields #
| Name | Description |
|---|---|
InterfaceGuid GUID | |
IfLuid UInt64 | |
Family UInt32 | |
HasPreferredGlobalAddress Boolean | |
AddressSuffixOrigins UInt32 | 2 Family. |
Event ID 4051: Active probe result code on interface InterfaceGuid (IfLuid Family: Family) = ActiveProbeResultCode.
#Event ID 4052: Interface diagnostic for IPv6_address (IPv4_capability): IPv4 address: IPv6_capability, IPv6 address: IPv4_test_used, IPv4 capability: IPv6_test_used, IPv6 capability: InterfaceGuid, IPv4 test used...
#Description
Interface diagnostic for IPv6_address (IPv4_capability): IPv4 address: IPv6_capability, IPv6 address: IPv4_test_used, IPv4 capability: IPv6_test_used, IPv6 capability: InterfaceGuid, IPv4 test used: IfLuid, IPv6 test used: HasPreferredGlobalAddressIPv4.
Message #
Fields #
| Name | Description |
|---|---|
InterfaceGuid GUID | |
IfLuid UInt64 | |
HasPreferredGlobalAddressIPv4 Boolean | |
HasPreferredGlobalAddressIPv6 Boolean | |
InternetCapabilityIPv4 UInt8 | |
InternetCapabilityIPv6 UInt8 | |
InternetTestIPv4 UInt8 | |
InternetTestIPv6 UInt8 |
Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID 314de49f-ce63-4779-ba2b-d616f6963a88
Defined in ncsi.dll, which carries the event manifest.
Observed on:
- WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.1, captured 2026-06-02
- Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.1, captured 2026-06-02