Microsoft-Windows-NDIS
165 events across 3 channels
Event ID 10000: Aborting Request Request on Filter LowerIf.
#Event ID 10001: Aborting Request Request on Miniport LowerIf.
#Event ID 10002: Add Device Miniport DeviceName.
#Event ID 10003: Add Device Failed ErrorCode.
#Event ID 10004: Add PnP Device: Add_PnP_Device.
#Event ID 10005: Allocate Adapter Channel Failed ErrorCode.
#Event ID 10006: Initialize Binding - Protocol: IfGuid, Adapter: Adapter, Result: IfIndex.
#Description
Initialize Binding - Protocol: IfGuid, Adapter: Adapter, Result: IfIndex.
Message #
Fields #
| Name | Description |
|---|---|
IfGuid GUID | |
IfIndex UInt32 | |
NetLuid UInt64 | |
ProtocolName UnicodeString | |
Status HexInt32 | NTSTATUS reference |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-NDIS",
"guid": "{CDEAD503-17F5-4A3E-B7AE-DF8CC2902EB9}",
"event_source_name": "",
"event_id": 10006,
"version": 0,
"level": 4,
"task": 4,
"opcode": 0,
"keywords": "0x4000000000000008",
"time_created": "2026-06-02T05:29:07.638+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{E47DFBE0-FE90-4385-8C84-1A825F85A4C2}"
},
"execution": {
"process_id": 13372,
"thread_id": 18092
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"IfGuid": "{E47DFBE0-FE90-4385-8C84-1A825F85A4C2}",
"IfIndex": 16,
"NetLuid": 36873771788795904,
"ProtocolName": "RDMANDK",
"Status": "01000100"
},
"message": "Bind"
}
Event ID 10007: Miniport IfGuid, Calling miniport reset.
#Event ID 10008: Filter IfGuid, Aborting Request Request.
#Description
Filter IfGuid, Aborting Request Request.
Message #
Fields #
| Name | Description |
|---|---|
IfGuid GUID | |
IfIndex UInt32 | |
NetLuid UInt64 | |
Request Pointer | |
Status HexInt32 | NTSTATUS reference |
Location UInt32 |
Event ID 10009: Miniport IfGuid, Successfully canceled wake irp.
#Event ID 10010: Miniport IfGuid, Aborting Request Request.
#Description
Miniport IfGuid, Aborting Request Request.
Message #
Fields #
| Name | Description |
|---|---|
IfGuid GUID | |
IfIndex UInt32 | |
NetLuid UInt64 | |
Request Pointer | |
Status HexInt32 | NTSTATUS reference |
Location UInt32 |
Event ID 10011: Miniport IfGuid, Failed to set the new information on the miniport.
#Event ID 10012: Compartment change notification, compartment CompartmentId.
#Event ID 10013: Interface change notification, interface IfType IfType, NetLuid index NetLuid.
#Event ID 10014: Interface change notification, interface IfType IfType, NetLuid index NetLuid.
#Description
Interface change notification, interface IfType IfType, NetLuid index NetLuid.
Message #
Fields #
| Name | Description |
|---|---|
IfType UInt32 | |
NetLuid UInt64 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-NDIS",
"guid": "{CDEAD503-17F5-4A3E-B7AE-DF8CC2902EB9}",
"event_source_name": "",
"event_id": 10014,
"version": 0,
"level": 4,
"task": 7,
"opcode": 0,
"keywords": "0x4000000000000040",
"time_created": "2026-06-02T05:29:07.633+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{CDEAD503-17F5-4A3E-B7AE-DF8CC2902EB9}"
},
"execution": {
"process_id": 13372,
"thread_id": 18092
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"IfType": 131,
"NetLuid": 3
},
"message": "Interface"
}
Event ID 10015: Network change notification, network NetworkId.
#Event ID 10016: Request Clearing Processing Request Miniport IfGuid.
#Description
Request Clearing Processing Request Miniport IfGuid.
Message #
Fields #
| Name | Description |
|---|---|
IfGuid GUID | |
IfIndex UInt32 | |
IfLuid UInt64 | |
ReferenceContext UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-NDIS",
"guid": "{CDEAD503-17F5-4A3E-B7AE-DF8CC2902EB9}",
"event_source_name": "",
"event_id": 10016,
"version": 0,
"level": 5,
"task": 1,
"opcode": 0,
"keywords": "0x4000000000000001",
"time_created": "2026-06-02T05:29:07.634+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{2A7BD48E-DDC6-4641-9F41-682F29F1D76C}"
},
"execution": {
"process_id": 4,
"thread_id": 12056
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"IfGuid": "{2A7BD48E-DDC6-4641-9F41-682F29F1D76C}",
"IfIndex": 4,
"IfLuid": 1689399632855040,
"ReferenceContext": 65537
},
"message": "Request"
}
Event ID 10017: Protocol ProtocolName is closing Miniport IfGuid.
#Event ID 10018: Completing Request Request to Filter IfGuid.
#Description
Completing Request Request to Filter IfGuid.
Message #
Fields #
| Name | Description |
|---|---|
IfGuid GUID | |
IfIndex UInt32 | |
NetLuid UInt64 | |
Request Pointer | |
Status HexInt32 | NTSTATUS reference |
Location UInt32 |
Event ID 10019: Miniport IfGuid, WaitWakeIrp ReferenceContext.
#Event ID 10020: Miniport IfGuid, activating default port.
#Event ID 10021: Miniport IfGuid, deactivating default port.
#Event ID 10022: Failed to deregister interface IfBlock Context.
#Event ID 10023: DevicePowerStateChange Miniport IfGuid, Going to device state State.
#Event ID 10024: Dispatch PnP Irp Miniport IfGuid, MinorFunction: IrpMinorFunction.
#Event ID 10025: Dispatch WMI Irp Miniport IfGuid, MinorFunction IrpMinorFunction.
#Event ID 10026: Miniport IfGuid, Failed to execute WMI method (Context) on the miniport.
#Event ID 10027: Failed to indicate filter arrival
#Event ID 10028: Miniport MiniportIfGuid, Filter FilterIfGuid changed media type from OriginalMediaType to NewMediaType.
#Description
Miniport MiniportIfGuid, Filter FilterIfGuid changed media type from OriginalMediaType to NewMediaType.
Message #
Fields #
| Name | Description |
|---|---|
MiniportIfGuid GUID | |
MiniportIfIndex UInt32 | |
MiniportNetLuid UInt64 | |
FilterIfGuid GUID | |
FilterIfIndex UInt32 | |
FilterNetLuid UInt64 | |
OriginalMediaType HexInt32 | |
NewMediaType HexInt32 |
Event ID 10029: Filter Registration Failed FilterName - Reason.
#Event ID 10030: Failed to indicate filter removal
#Event ID 10031: Failed to indicate adapter removal
#Event ID 10032: Miniport IfGuid, InitializeAdapter status - Reason (State).
#Event ID 10033: Miniport IfGuid, InitializeAdapter error - Reason (State).
#Event ID 10034: Could not read Bind/Export for DeviceName: ErrorCode.
#Event ID 10035: Miniport State, Not a system state!
#Event ID 10037: IoSetDeviceInterfaceState failed: Miniport IfGuid, Status Error.
#Event ID 10038: IoWMIWriteEvent failed ErrorCode.
#Event ID 10039: DeviceObject Context, IRP_MN_SET_POWER failed!
#Event ID 10040: Keeping the fake handlers on Filter IfGuid, State flags StateFlags.
#Event ID 10041: Keeping the fake handlers on Miniport IfGuid, State flags StateFlags.
#Event ID 10042: Open Context is already getting unbind.
#Event ID 10043: Miniport IfGuid is Action.
#Event ID 10044: Miniport IfGuid - MiniportInitialize handler failed, Status Error.
#Event ID 10045: Miniport IfGuid, Ethernet Address MacAddress.
#Event ID 10046: Miniport IfGuid, DeviceState[State].
#Event ID 10047: Miniport IfGuid, Powering up the Miniport.
#Event ID 10048: Miniport IfGuid, SystemPowerState[SystemState] DevicePowerState[DeviceState].
#Event ID 10049: Miniport IfGuid, SystemState[State].
#Event ID 10050: Failed to restart miniport IfGuid.
#Event ID 10052: Error querying Oid : Status.
#Description
Error querying Oid : Status.
Message #
Fields #
| Name | Description |
|---|---|
IfGuid GUID | |
IfIndex UInt32 | |
NetLuid UInt64 | |
Oid UInt32 | |
Status UInt32 | NTSTATUS reference |
Location UInt32 |
Event ID 10053: Failing open because the miniport is not started, Miniport IfGuid, Open ReferenceContext.
#Event ID 10054: Port Activation Failed Miniport IfGuid Reason.
#Event ID 10055: Miniport IfGuid, Disabling wake-up on the miniport.
#Event ID 10056: Miniport IfGuid, Failed to power the device down.
#Event ID 10057: Miniport IfGuid, failed to power down but we are not able to reinitialize it.
#Event ID 10058: Miniport IfGuid, Halt the miniport.
#Event ID 10059: Miniport IfGuid, System is either entering hibernate or shutting down.
#Event ID 10060: DeviceObject Context, Going to system power state State.
#Event ID 10061: Miniport IfGuid is not started yet.
#Event ID 10062: Miniport IfGuid is being removed.
#Event ID 10063: Miniport IfGuid, MagicPacket and pattern match are not enabled.
#Event ID 10064: Miniport IfGuid, Place legacy or PM disabled device in D3.
#Event ID 10065: Miniport IfGuid, SystemState SystemState, DeviceState DeviceState.
#Event ID 10066: Miniport IfGuid, shutting down.
#Event ID 10067: Miniport IfGuid, Device power wake is not enabled (ReferenceContext).
#Event ID 10068: Miniport IfGuid, Waking up the device.
#Event ID 10069: BIND (Layer) ProtocolName to DeviceName.
#Event ID 10070: UNBIND(Layer) ProtocolName to DeviceName.
#Event ID 10071: Miniport IfGuid, IRP_MN_QUERY_PNP_DEVICE_STATE device failed.
#Event ID 10072: Miniport IfGuid, Bus Driver returned ReferenceContext for QueryPower.
#Event ID 10073: Miniport IfGuid, Bus Driver returned ReferenceContext for QueryPower.
#Event ID 10074: Miniport IfGuid, failed power Oid Oid, Set = Set with error Error.
#Event ID 10075: ndisReferenceProtocolByName failed ErrorCode.
#Event ID 10076: Miniport IfGuid failed to register for interrupts.
#Event ID 10077: DriverObject Context, Miniport Driver should register both a DirectRequest and CancelDirectRequest handler or neither one.
#Event ID 10078: SendPacketCompleteToOpen Open OpenRef, Packet Packet.
#Event ID 10079: ndisSetEnableWakeUp Completed
#Event ID 10080: SetMiniportEthMulticastList Failed Miniport IfGuid, Request Context.
#Event ID 10081: SetMiniportRSSCaps Failed Miniport IfGuid, Request Context, Status Error.
#Event ID 10082: SetOpenEthAddDeleteMulticast Failed, Miniport = IfGuid, Open = Context, Status = Error.
#Event ID 10083: SetOpenEthMulticastList failed - Miniport IfGuid, Open Context.
#Event ID 10084: SetOpenFunctional - Invalid media type
#Event ID 10085: SetOpenGroupAddress - Invalid media type
#Event ID 10086: SetOpenRSSCaps: Miniport IfGuid, Open Context, Status Error.
#Event ID 10087: Miniport IfGuid, Going to system power state State.
#Event ID 10088: Transport Transport failed the PnP event: PnPEvent for Miniport IfGuid with Status Status.
#Description
Transport Transport failed the PnP event: PnPEvent for Miniport IfGuid with Status Status.
Message #
Fields #
| Name | Description |
|---|---|
IfGuid GUID | |
IfIndex UInt32 | |
NetLuid UInt64 | |
Transport UnicodeString | |
PnPEvent HexInt32 | |
Status HexInt32 | NTSTATUS reference |
Event ID 10089: Miniport IfGuid, This version of NDIS does not support Arcnet, FDDI, IP1394, or Token Ring.
#Event ID 10090: ProtocolName, Reason.
#Event ID 10091: Miniport IfGuid, Wake irp was complete due to wake event.
#Event ID 10092: WaitWakeIrpFailed Miniport IfGuid, WAIT_WAKE irp failed or cancelled.
#Event ID 10093: Miniport IfGuid woke up the system.
#Event ID 10094: Error Log Entry : Miniport IfGuid (AdapterName) Error Error.
#Event ID 10095: Aborting Request Request.
#Event ID 10096: Port Deactivation Failed Miniport IfGuid Reason.
#Event ID 10097: Miniport IfGuid, PoRequestPowerIrp for device state returned ReferenceContext.
#Event ID 10098: Miniport IfGuid, failed query power.
#Event ID 10099: DevicePowerOn failed Miniport IfGuid, status Error.
#Event ID 10100: Power policy - Unable to enter requested state
#Event ID 10101: Miniport IfGuid: Oid Oid, Completed by NDIS on behalf of miniport with Status Status: CompleteRequest.
#Description
Miniport IfGuid: Oid Oid, Completed by NDIS on behalf of miniport with Status Status: CompleteRequest.
Message #
Fields #
| Name | Description |
|---|---|
IfGuid GUID | |
IfIndex UInt32 | |
NetLuid UInt64 | |
Request Pointer | |
CompleteRequest Boolean | |
Status HexInt32 | NTSTATUS reference |
Oid UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-NDIS",
"guid": "{CDEAD503-17F5-4A3E-B7AE-DF8CC2902EB9}",
"event_source_name": "",
"event_id": 10101,
"version": 0,
"level": 5,
"task": 1,
"opcode": 0,
"keywords": "0x4000000000000001",
"time_created": "2026-06-02T05:29:07.634+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{2A7BD48E-DDC6-4641-9F41-682F29F1D76C}"
},
"execution": {
"process_id": 4,
"thread_id": 12056
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"CompleteRequest": false,
"IfGuid": "{2A7BD48E-DDC6-4641-9F41-682F29F1D76C}",
"IfIndex": 4,
"NetLuid": 1689399632855040,
"Oid": 131334,
"Request": "0xFFFF878DC8506280",
"Status": "00000000"
},
"message": "Request"
}
Event ID 10102: Completing Request Request to Miniport IfGuid.
#Description
Completing Request Request to Miniport IfGuid.
Message #
Fields #
| Name | Description |
|---|---|
IfGuid GUID | |
IfIndex UInt32 | |
NetLuid UInt64 | |
Request Pointer | |
Status HexInt32 | NTSTATUS reference |
Location UInt32 |
Event ID 10103: Filter IfGuid entering state State.
#Event ID 10104: Miniport IfGuid, NDIS_STATUS_MEDIA_CONNECT, Flags: Flags, PnpFlags PnPFlags, DevicePowerState DevicePowerState.
#Event ID 10105: Miniport IfGuid, NDIS_STATUS_MEDIA_DISCONNECT, Flags: Flags, PnpFlags PnPFlags, DevicePowerState DevicePowerState.
#Event ID 10106: Miniport OperationalStatusFlags, NDIS_STATUS_OPER_STATUS, OperationalStatus: NetLuid, OperationalStatusFlags: OperationalStatus.
#Description
Miniport OperationalStatusFlags, NDIS_STATUS_OPER_STATUS, OperationalStatus: NetLuid, OperationalStatusFlags: OperationalStatus.
Message #
Fields #
| Name | Description |
|---|---|
IfGuid GUID | |
IfIndex UInt32 | |
NetLuid UInt64 | |
OperationalStatus UInt32 | |
OperationalStatusFlags UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-NDIS",
"guid": "{CDEAD503-17F5-4A3E-B7AE-DF8CC2902EB9}",
"event_source_name": "",
"event_id": 10106,
"version": 0,
"level": 4,
"task": 10,
"opcode": 0,
"keywords": "0x4000000000000200",
"time_created": "2026-06-02T05:29:07.646+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{2A7BD48E-DDC6-4641-9F41-682F29F1D76C}"
},
"execution": {
"process_id": 13372,
"thread_id": 18092
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"IfGuid": "{2A7BD48E-DDC6-4641-9F41-682F29F1D76C}",
"IfIndex": 4,
"NetLuid": 1689399632855040,
"OperationalStatus": 1,
"OperationalStatusFlags": 0
},
"message": "Indication"
}
Event ID 10107: Miniport OperationalStatusFlags, NDIS_STATUS_OPER_STATUS, OperationalStatus: NetLuid, OperationalStatusFlags: OperationalStatus.
#Event ID 10108: Miniport IfGuid, NDIS_STATUS_NETWORK_CHANGE, Change Type: ChangeType.
#Event ID 10109: Filter IfGuid, Aborting Request RequestType.
#Description
Filter IfGuid, Aborting Request RequestType.
Message #
Fields #
| Name | Description |
|---|---|
IfGuid GUID | |
IfIndex UInt32 | |
NetLuid UInt64 | |
RequestType UInt32 | |
Status HexInt32 | NTSTATUS reference |
Location UInt32 |
Event ID 10110: Miniport IfGuid, Aborting Request RequestType.
#Description
Miniport IfGuid, Aborting Request RequestType.
Message #
Fields #
| Name | Description |
|---|---|
IfGuid GUID | |
IfIndex UInt32 | |
NetLuid UInt64 | |
RequestType UInt32 | |
Status HexInt32 | NTSTATUS reference |
Location UInt32 |
Event ID 10111: Completing Request RequestType to Filter IfGuid.
#Description
Completing Request RequestType to Filter IfGuid.
Message #
Fields #
| Name | Description |
|---|---|
IfGuid GUID | |
IfIndex UInt32 | |
NetLuid UInt64 | |
RequestType UInt32 | |
Status HexInt32 | NTSTATUS reference |
Location UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-NDIS",
"guid": "{CDEAD503-17F5-4A3E-B7AE-DF8CC2902EB9}",
"event_source_name": "",
"event_id": 10111,
"version": 0,
"level": 5,
"task": 1,
"opcode": 0,
"keywords": "0x4000000000000001",
"time_created": "2026-06-02T05:29:07.634+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{C5883B93-5C46-11F1-9665-806E6F6E6963}"
},
"execution": {
"process_id": 4,
"thread_id": 12056
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"IfGuid": "{C5883B93-5C46-11F1-9665-806E6F6E6963}",
"IfIndex": 17,
"Location": 65537,
"NetLuid": 1688849860263936,
"RequestType": 131334,
"Status": "00000000"
},
"message": "Request"
}
Event ID 10112: Completing Request RequestType to Miniport IfGuid.
#Description
Completing Request RequestType to Miniport IfGuid.
Message #
Fields #
| Name | Description |
|---|---|
IfGuid GUID | |
IfIndex UInt32 | |
NetLuid UInt64 | |
RequestType UInt32 | |
Status HexInt32 | NTSTATUS reference |
Location UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-NDIS",
"guid": "{CDEAD503-17F5-4A3E-B7AE-DF8CC2902EB9}",
"event_source_name": "",
"event_id": 10112,
"version": 0,
"level": 5,
"task": 1,
"opcode": 0,
"keywords": "0x4000000000000001",
"time_created": "2026-06-02T05:29:07.634+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{2A7BD48E-DDC6-4641-9F41-682F29F1D76C}"
},
"execution": {
"process_id": 4,
"thread_id": 12056
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"IfGuid": "{2A7BD48E-DDC6-4641-9F41-682F29F1D76C}",
"IfIndex": 4,
"Location": 65537,
"NetLuid": 1689399632855040,
"RequestType": 131334,
"Status": "00000000"
},
"message": "Request"
}
Event ID 10113: Aborting Request RequestType.
#Event ID 10114: Aborting Request RequestType on Filter LowerIf.
#Event ID 10115: Aborting Request RequestType on Miniport LowerIf.
#Event ID 10200: DPC/OtherDispatchRoutine Start
#Event ID 10201: DPC/OtherDispatchRoutine End
#Event ID 10202: Queued Receive Indication Start
#Event ID 10203: Queued Receive Indication End
#Event ID 10204: Miniport Duration on processor Individual has an RST limit change from CurrentProcessorIndex to NumberOfNetBufferLists NBLs per indication (NumNbls: Cummulative, Duration: NetLuidIndex, Individual:...
#Description
Miniport Duration on processor Individual has an RST limit change from CurrentProcessorIndex to NumberOfNetBufferLists NBLs per indication (NumNbls: Cummulative, Duration: NetLuidIndex, Individual: ProcessingDurationMilliseconds, Cummulative: PreviousLimit).
Message #
Fields #
| Name | Description |
|---|---|
NetLuidIndex UInt32 | |
CurrentProcessorIndex UInt32 | |
NumberOfNetBufferLists UInt32 | |
ProcessingDurationMilliseconds UInt32 | |
PreviousLimit UInt32 | |
NewLimit UInt32 | |
IndividualMeasurement UInt32 | |
CummulativeMeasurement UInt32 |
Event ID 10300: The network adapter is idle and can be suspended now.
#Event ID 10301: The network adapter declined to enter a suspended state.
#Event ID 10302: The network adapter must be resumed.
#Event ID 10303: NIC Active state is acquired.
#Event ID 10304: NIC Active state is released.
#Event ID 10305: The network adapter indicated a wake signal.
#Event ID 10306: Working power state is requested for network adapter.
#Event ID 10307: Working power request is completed for network adapter.
#Description
Working power request is completed for network adapter. Interface Luid: IfLuid Status: Status.
Message #
Fields #
| Name | Description |
|---|---|
IfGuid GUID | |
IfIndex UInt32 | |
IfLuid UInt64 | |
Status UInt32 | NTSTATUS reference |
Event ID 10308: Low power state is requested for network adapter.
#Event ID 10309: Low power request is completed for network adapter.
#Description
Low power request is completed for network adapter. Interface Luid: IfLuid Status: Status.
Message #
Fields #
| Name | Description |
|---|---|
IfGuid GUID | |
IfIndex UInt32 | |
IfLuid UInt64 | |
Status UInt32 | NTSTATUS reference |
Event ID 10310: Wait/Wake IRP is completed for network adapter.
#Event ID 10311: Miniport AdapterName, IfGuid, had event MiniportEventEnum.
#Description
Miniport AdapterName, IfGuid, had event MiniportEventEnum.
Message #
Fields #
| Name | Description |
|---|---|
IfGuid GUID | |
IfIndex UInt32 | |
IfLuid UInt64 | |
AdapterName UnicodeString | |
MiniportEventEnum UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-NDIS",
"guid": "{CDEAD503-17F5-4A3E-B7AE-DF8CC2902EB9}",
"event_source_name": "",
"event_id": 10311,
"version": 0,
"level": 4,
"task": 2,
"opcode": 0,
"keywords": "0x4000000000004016",
"time_created": "2026-06-02T05:29:07.631+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{E47DFBE0-FE90-4385-8C84-1A825F85A4C2}"
},
"execution": {
"process_id": 13372,
"thread_id": 18092
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"AdapterName": "Microsoft Failover Cluster Virtual Adapter",
"IfGuid": "{E47DFBE0-FE90-4385-8C84-1A825F85A4C2}",
"IfIndex": 16,
"IfLuid": 36873771788795904,
"MiniportEventEnum": 53
},
"message": "PnP"
}
Event ID 10312: Filter IfGuid entering state State (FriendlyName: FilterFriendlyName).
#Description
Filter IfGuid entering state State (FriendlyName: FilterFriendlyName).
Message #
Fields #
| Name | Description |
|---|---|
IfGuid GUID | |
State UInt8 | |
Location UInt32 | |
MiniportIfGuid GUID | |
MiniportAdapterName UnicodeString | |
FilterInstanceName UnicodeString | |
FilterFriendlyName UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-NDIS",
"guid": "{CDEAD503-17F5-4A3E-B7AE-DF8CC2902EB9}",
"event_source_name": "",
"event_id": 10312,
"version": 0,
"level": 4,
"task": 9,
"opcode": 0,
"keywords": "0x4000000000000100",
"time_created": "2026-06-02T05:29:07.631+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{C5883B98-5C46-11F1-9665-806E6F6E6963}"
},
"execution": {
"process_id": 13372,
"thread_id": 18092
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"FilterFriendlyName": "Microsoft Failover Cluster Virtual Adapter-WFP 802.3 MAC Layer LightWeight Filter-0000",
"FilterInstanceName": "{E47DFBE0-FE90-4385-8C84-1A825F85A4C2}-{B70D6460-3635-4D42-B866-B8AB1A24454C}-0000",
"IfGuid": "{C5883B98-5C46-11F1-9665-806E6F6E6963}",
"Location": 1,
"MiniportAdapterName": "Microsoft Failover Cluster Virtual Adapter",
"MiniportIfGuid": "{E47DFBE0-FE90-4385-8C84-1A825F85A4C2}",
"State": 5
},
"message": "WorkItem"
}
Event ID 10314: Exiting Connected Standby.
#Event ID 10315: Miniport IfLuid: CS active ActiveTime seconds, PowerTransitionCount power transitions.
#Event ID 10316: Component ComponentId: CS active ActiveTime seconds, Miniport InterfaceLuid.
#Event ID 10317: Miniport AdapterName, IfGuid, had event MiniportEventEnum.
#Event ID 10320: Refcount rundown for miniport NetLuid will follow.
#Event ID 10321: Refcount rundown for miniport NetLuid: component ComponentId has refcount RefcountValue.
#Event ID 10322: Refcount rundown for miniport NetLuid: stop flags StopFlags Rundown complete.
#Event ID 10323: Power transition for Miniport IfLuid in CS (PowerStateFrom to PowerStateTo).
#Description
Power transition for Miniport IfLuid in CS (PowerStateFrom to PowerStateTo). PowerStateFrom traffic (In-Out): Unicast Packets (IfInUnicastPackets-IfOutUnicastPackets), Multicast Packets (IfInMulticastPackets-IfOutMulticastPackets), Broadcast Packets (IfInBroadcastPackets-IfOutBroadcastPackets).
Message #
Fields #
| Name | Description |
|---|---|
IfIndex UInt32 | |
IfLuid UInt64 | |
PowerStateFrom UnicodeString | |
PowerStateTo UnicodeString | |
IfInUnicastPackets UInt64 | |
IfOutUnicastPackets UInt64 | |
IfInMulticastPackets UInt64 | |
IfOutMulticastPackets UInt64 | |
IfInBroadcastPackets UInt64 | |
IfOutBroadcastPackets UInt64 |
Event ID 10324: Miniport PDO information for Sleepstudy
#Event ID 10325: Miniport IfGuid indicated a Wake Packet WakePacketPayload.
#Event ID 10400: The network interface "AdapterName" has begun resetting.
#Description
The network interface "AdapterName" has begun resetting. There will be a momentary disruption in network connectivity while the hardware resets. Reason: ResetReason. This network interface has reset ResetCount time(s) since it was last initialized.
Message #
Fields #
| Name | Description |
|---|---|
IfGuid GUID | |
IfIndex UInt32 | |
IfLuid UInt64 | |
AdapterName UnicodeString | |
ResetReason UInt32 | 4" has begun resetting. There will be a momentary disruption in network connectivity while the hardware resets. Reason. |
ResetCount UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-NDIS",
"guid": "CDEAD503-17F5-4A3E-B7AE-DF8CC2902EB9",
"event_source_name": "",
"event_id": 10400,
"version": 0,
"level": 3,
"task": 0,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2023-11-06T00:53:47.295624+00:00",
"event_record_id": 2138,
"correlation": {
"ActivityID": "3D03B11E-98A0-4304-84E2-CD3AAE8EFE1D"
},
"execution": {
"process_id": 4,
"thread_id": 20768
},
"channel": "System",
"computer": "WinDev2310Eval",
"security": {
"user_id": ""
}
},
"event_data": {
"IfGuid": "3D03B11E-98A0-4304-84E2-CD3AAE8EFE1D",
"IfIndex": 4,
"IfLuid": 1689399649632256,
"AdapterName": "Intel(R) PRO/1000 MT Network Connection #2",
"ResetReason": 1,
"ResetCount": 2
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 10401: Timestamping change notification, interface NetLuid NetLuid.
#Event ID 10402: Miniport IfGuid Capabilities: Flags Flags, SupportedWoLPatterns SupportedWolPatterns, SupportedProtocolOffloads SupportedProtocolOffloads, SupportedWakeUpEvents SupportedWakeUpFlags, SupportedMedia...
#Description
Miniport IfGuid Capabilities: Flags % 2, SupportedWoLPatterns SupportedWolPatterns, SupportedProtocolOffloads SupportedProtocolOffloads, SupportedWakeUpEvents SupportedWakeUpFlags, SupportedMediaWakeUpEvents SupportedMediaWakeUpEvents; PmParameter: IdleCondition Flags, WolPatterns SupportedWolPatterns, ProtocolOffloads SupportedProtocolOffloads, WakeUpFlags SupportedWakeUpFlags, MediaWakeUpEvents SupportedMediaWakeUpEvents
Message #
Fields #
| Name | Description |
|---|---|
IfGuid GUID | |
Flags UInt32 | |
SupportedWolPatterns UInt32 | |
SupportedProtocolOffloads UInt32 | |
SupportedWakeUpFlags UInt32 | |
SupportedMediaWakeUpEvents UInt32 | |
IdleCondition UInt32 | |
WolPatterns UInt32 | |
ProtocolOffloads UInt32 | |
WakeUpFlags UInt32 | |
MediaWakeUpEvents UInt32 |
Event ID 10500: HAL's SupportFlags(value=SupportFlags) indicates DMA hybrid passthrough is not supported on system.
#Event ID 10501: A NDIS object (type=ObjectType, handle=ObjectHandle) registers hybrid SG_DMA_BLOCK on system that doesn't support hybrid DMA (SupportFlags=SupportFlags).
#Event ID 10502: AzDmaV3 version NdisAllocateSharedMemory exceeds threshold: State State, NetworkInterfaceGuid NetworkInterfaceGuid, QueueId QueueId, VPortId VPortId, NumaNode NumaNode, AllocationSize ...
#Description
AzDmaV3 version NdisAllocateSharedMemory exceeds threshold: State , NetworkInterfaceGuid , QueueId , VPortId , NumaNode , AllocationSize , AllocationTimeUs , AllocationTimeThresholdUs.
Message #
Fields #
| Name | Description |
|---|---|
State UInt32 | |
NetworkInterfaceGuid GUID | |
QueueId UInt32 | |
VPortId UInt32 | |
NumaNode UInt32 | |
AllocationSize UInt32 | |
AllocationTime UInt64 | |
AllocationTimeThreshold UInt64 |
Event ID 10503: Enabling Hybrid DMA for miniport stack MiniportStack because of back compat configuration.
#Description
Enabling Hybrid DMA for miniport stack MiniportStack because of back compat configuration. Driver service name DriverServiceName, driver requested OriginalFlags flags, effective flags will be EffectiveFlags.
Message #
Fields #
| Name | Description |
|---|---|
MiniportStack GUID | |
DriverServiceName CountedUtf16String | |
OriginalFlags UInt32 | |
EffectiveFlags UInt32 |
Event ID 10504: Enabled Hybrid DMA for NDIS Generic Object because of back compat configuration.
#Event ID 10505: Failed to enable Hybrid DMA for NDIS Generic Object required by back compat configuration.
#Description
Failed to enable Hybrid DMA for NDIS Generic Object required by back compat configuration. Driver name DriverName, ntStatus Status.
Message #
Fields #
| Name | Description |
|---|---|
DriverName CountedUtf16String | |
Status HexInt32 | NTSTATUS reference |
Event ID 10506: NDIS requested Hybrid DMA, but the DMA_ADAPTER does not have Hybrid Passthrough enabled.
#Event ID 10507: Unable to find parent stack PDO to enable CX-3 NDIS DMA Cache compatibility.
#Event ID 10600: task_010600
#Fields #
| Name | Description |
|---|---|
Name CountedUtf16String | |
MatchingHardwareId UnicodeString | |
CaptureErrors UInt32 | |
DriverService CountedUtf16String | |
DriverDate CountedUtf16String | |
DriverVersion CountedUtf16String | |
InfPath CountedUtf16String | |
InstallTimestamp SYSTEMTIME | |
IfGuid GUID | |
IfIndex UInt32 | |
IfLuid UInt64 | |
Flags UInt32 | |
PnPFlags UInt32 | |
FilterPnPFlags UInt32 | |
AdminStatus UInt32 | |
OperStatus UInt32 | |
OperStatusFlags UInt32 | |
SyncFlags UInt32 | |
WSyncFlags UInt32 | |
InterlockedFlags UInt32 | |
EventLogCount UInt32 | |
EventLog 27 | |
LastEventTimestamp FILETIME | |
FilterListCount UInt32 | |
FilterList 29 | |
ProtocolListCount UInt32 | |
ProtocolList 37 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-NDIS",
"guid": "{CDEAD503-17F5-4A3E-B7AE-DF8CC2902EB9}",
"event_source_name": "",
"event_id": 10600,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": "0x0000000000020000",
"time_created": "2026-06-02T05:58:43.440+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{73315E02-1FED-46EB-BADF-BDE47D827AD3}"
},
"execution": {
"process_id": 12516,
"thread_id": 716
},
"channel": "ETW Trace",
"computer": "DESKTOP-FF3N5XK",
"security": {
"user_id": ""
}
},
"event_data": {
"AdminStatus": 1,
"CaptureErrors": 0,
"DriverDate": "120036002D00320031002D003200300030003600",
"DriverService": "0E004E00640069007300570061006E00",
"DriverVersion": "1800310030002E0030002E00320036003100300030002E003100",
"EventLog": "03001F0000002000020033000B003600",
"EventLogCount": 4,
"FilterList": "2078FD3B5CD61B4C9FEA983A019639EA0000000000000000010000000100000000000000000000000000000059D6F4B5AA7D65458E41BE220ED6054200000000000000000100000001000000000000000000000000000000",
"FilterListCount": 2,
"FilterPnPFlags": 0,
"Flags": 608632832,
"IfGuid": "{73315E02-1FED-46EB-BADF-BDE47D827AD3}",
"IfIndex": 8,
"IfLuid": 1689399683186688,
"InfPath": "16006E006500740072006100730061002E0069006E006600",
"InstallTimestamp": "2026-04-17 22:10:11.682Z",
"InterlockedFlags": 0,
"LastEventTimestamp": "2026-05-27 20:12:49.444Z",
"MatchingHardwareId": "ms_ndiswanbh",
"Name": "3C00570041004E0020004D0069006E00690070006F0072007400200028004E006500740077006F0072006B0020004D006F006E00690074006F0072002900",
"OperStatus": 1,
"OperStatusFlags": 0,
"PnPFlags": 102435,
"ProtocolList": "",
"ProtocolListCount": 0,
"SyncFlags": 0,
"WSyncFlags": 0
},
"message": ""
}
Event ID 10601: task_010601
#Fields #
| Name | Description |
|---|---|
ServiceName CountedUtf16String | |
ImageName CountedUtf16String | |
RegistryPath CountedUtf16String | |
MajorNdisVersion UInt8 | |
MinorNdisVersion UInt8 | |
DriverVersion UInt32 | |
Flags UInt32 | |
CharacteristicsFlags UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-NDIS",
"guid": "{CDEAD503-17F5-4A3E-B7AE-DF8CC2902EB9}",
"event_source_name": "",
"event_id": 10601,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": "0x0000000000020000",
"time_created": "2026-06-02T05:58:43.441+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 12516,
"thread_id": 716
},
"channel": "ETW Trace",
"computer": "DESKTOP-FF3N5XK",
"security": {
"user_id": ""
}
},
"event_data": {
"CharacteristicsFlags": 0,
"DriverVersion": 65537,
"Flags": 0,
"ImageName": "16006E00640069007300770061006E002E00730079007300",
"MajorNdisVersion": 6,
"MinorNdisVersion": 30,
"RegistryPath": "6E005C00520045004700490053005400520059005C004D0041004300480049004E0045005C00530059005300540045004D005C0043006F006E00740072006F006C005300650074003000300031005C00530065007200760069006300650073005C004E00640069007300570061006E00",
"ServiceName": "0E004E00640069007300570061006E00"
},
"message": ""
}
Event ID 10602: task_010602
#Fields #
| Name | Description |
|---|---|
ServiceName CountedUtf16String | |
UniqueName CountedUtf16String | |
FriendlyName CountedUtf16String | |
ImageName CountedUtf16String | |
MajorNdisVersion UInt8 | |
MinorNdisVersion UInt8 | |
MajorDriverVersion UInt8 | |
MinorDriverVersion UInt8 | |
Flags UInt32 | |
CharacteristicsFlags UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-NDIS",
"guid": "{CDEAD503-17F5-4A3E-B7AE-DF8CC2902EB9}",
"event_source_name": "",
"event_id": 10602,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": "0x0000000000020000",
"time_created": "2026-06-02T05:58:43.441+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 12516,
"thread_id": 716
},
"channel": "ETW Trace",
"computer": "DESKTOP-FF3N5XK",
"security": {
"user_id": ""
}
},
"event_data": {
"CharacteristicsFlags": 0,
"Flags": 0,
"FriendlyName": "4E00480079007000650072002D00560020005600690072007400750061006C002000530077006900740063006800200045007800740065006E00730069006F006E002000460069006C00740065007200",
"ImageName": "180076006D007300770069007400630068002E00730079007300",
"MajorDriverVersion": 19,
"MajorNdisVersion": 6,
"MinorDriverVersion": 0,
"MinorNdisVersion": 83,
"ServiceName": "0C0056004D005300560053004600",
"UniqueName": "4C007B00350032003900420038003900380033002D0039003600320035002D0034003900410035002D0038003200380034002D004300450039003400340046004400380045003200340032007D00"
},
"message": ""
}
Event ID 10603: task_010603
#Fields #
| Name | Description |
|---|---|
ServiceName CountedUtf16String | |
ImageName CountedUtf16String | |
MajorNdisVersion UInt8 | |
MinorNdisVersion UInt8 | |
MajorDriverVersion UInt8 | |
MinorDriverVersion UInt8 | |
BindFlags UInt32 | |
Guid GUID |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-NDIS",
"guid": "{CDEAD503-17F5-4A3E-B7AE-DF8CC2902EB9}",
"event_source_name": "",
"event_id": 10603,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": "0x0000000000020000",
"time_created": "2026-06-02T05:58:43.442+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 12516,
"thread_id": 716
},
"channel": "ETW Trace",
"computer": "DESKTOP-FF3N5XK",
"security": {
"user_id": ""
}
},
"event_data": {
"BindFlags": 1,
"Guid": "{00000000-0000-0000-0000-000000000000}",
"ImageName": "16006E00640069007300770061006E002E00730079007300",
"MajorDriverVersion": 0,
"MajorNdisVersion": 5,
"MinorDriverVersion": 0,
"MinorNdisVersion": 0,
"ServiceName": "1A004E00440049005300570041004E004C0045004700410043005900"
},
"message": ""
}
Event ID 60001: Error: Error Location: Location Context: Context.
#Event ID 60002: Warning: Warning Location: Location Context: Context.
#Event ID 60003: Transitioned to State: NextState Context: Context.
#Event ID 60004: Updated Context: Updated_Context Update Reason: Update_Reason.
#Event ID 60101: SourceAddress: SourceAddress SourcePort: SourcePort DestinationAddress: DestinationAddress DestinationPort: DestinationPort Protocol: Protocol ReferenceContext: ReferenceContext.
#Description
SourceAddress: SourceAddress SourcePort: SourcePort DestinationAddress: DestinationAddress DestinationPort: DestinationPort Protocol: Protocol ReferenceContext: ReferenceContext.
Message #
Fields #
| Name | Description |
|---|---|
SourceAddress UInt32 | |
SourcePort UInt32 | |
DestinationAddress UInt32 | |
DestinationPort UInt32 | |
Protocol UInt32 | Known values
|
ReferenceContext UInt32 |
Event ID 60102: SourceAddress: SourceAddress SourcePort: SourcePort DestinationAddress: DestinationAddress DestinationPort: DestinationPort Protocol: Protocol ReferenceContext: ReferenceContext.
#Description
SourceAddress: SourceAddress SourcePort: SourcePort DestinationAddress: DestinationAddress DestinationPort: DestinationPort Protocol: Protocol ReferenceContext: ReferenceContext.
Message #
Fields #
| Name | Description |
|---|---|
SourceAddress Binary | |
SourcePort UInt32 | |
DestinationAddress Binary | |
DestinationPort UInt32 | |
Protocol UInt32 | Known values
|
ReferenceContext UInt32 |
Event ID 60103: Interface Guid: Interface_Guid IfIndex: IfIndex Interface Luid: Interface_Luid ReferenceContext: ReferenceContext.
#Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID {CDEAD503-17F5-4A3E-B7AE-DF8CC2902EB9}
Defined in ndis.sys, the binary that emits these events.
Observed on:
- WS2022-20348.4893, sample captured from a live trace, binary version 10.0.20348.1, captured 2026-06-02
- Win11-26200.6584, sample captured from a live trace, binary version 10.0.26100.3323, captured 2026-06-02
- WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.1, captured 2026-06-02
- Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.3323, captured 2026-06-02