Microsoft-Windows-Ndu
23 events across 1 channel
Event ID 2001: _DebugString.
Description
_DebugString
Message
Fields
| Name | Description |
|---|---|
| _DebugString UnicodeString | |
Example Event
{
  "system": {
    "provider": "Microsoft-Windows-Ndu",
    "guid": "{DF271536-4298-45E1-B0F2-E88F78619C5D}",
    "event_source_name": "",
    "event_id": 2001,
    "version": 0,
    "level": 4,
    "task": 1001,
    "opcode": 0,
    "keywords": "0x0000000000000001",
    "time_created": "2026-06-02T05:59:00.005+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{72529F65-EE0F-0001-46A2-52720FEEDC01}"
    },
    "execution": {
      "process_id": 3824,
      "thread_id": 11304
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "_DebugString": "Found matching service tag in service map"
  },
  "message": "TaskNduDebugTrace"
}
Event ID 2002: _FunctionName Failed with _Status.
Event ID 2003: Interface (Luid:Interface_Luid) added to per-interface list for proc _IfLuid at active index _ProcNum.
Description
Interface (Luid:Interface_Luid) added to per-interface list for proc _IfLuid at active index _ProcNum.
Message
Fields
| Name | Description |
|---|---|
| _IfLuid UInt64 | |
| _ProcNum UInt32 | |
| _ListIndex UInt16 | |
Example Event
{
  "system": {
    "provider": "Microsoft-Windows-Ndu",
    "guid": "{DF271536-4298-45E1-B0F2-E88F78619C5D}",
    "event_source_name": "",
    "event_id": 2003,
    "version": 0,
    "level": 4,
    "task": 1002,
    "opcode": 0,
    "keywords": "0x0000000000000002",
    "time_created": "2026-06-02T05:59:00.247+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{DF271536-4298-45E1-B0F2-E88F78619C5D}"
    },
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "_IfLuid": 1689399632855040,
    "_ListIndex": 0,
    "_ProcNum": 2
  },
  "message": "TaskNduPerInterfaceStats"
}
Event ID 2004: established_ExePath Flow (Id:SvcTag) established.
Description
established_ExePath Flow (Id:SvcTag) established. ExePath: PkgName SvcTag:UserId PkgName:Pid UserId:_Direction Pid: _FlowHandle.
Message
Fields
| Name | Description |
|---|---|
| _Direction UnicodeString | |
| _FlowHandle UInt64 | |
| _ExePath UnicodeString | |
| _SvcTag UInt32 | |
| _PkgName UnicodeString | |
| _UserId SID | |
| _Pid UInt32 | |
Example Event
{
  "system": {
    "provider": "Microsoft-Windows-Ndu",
    "guid": "{DF271536-4298-45E1-B0F2-E88F78619C5D}",
    "event_source_name": "",
    "event_id": 2004,
    "version": 0,
    "level": 4,
    "task": 1003,
    "opcode": 0,
    "keywords": "0x0000000000000004",
    "time_created": "2026-06-02T05:59:07.101+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{DF271536-4298-45E1-B0F2-E88F78619C5D}"
    },
    "execution": {
      "process_id": 9180,
      "thread_id": 3556
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "_Direction": "Inbound",
    "_ExePath": "System",
    "_FlowHandle": 31775,
    "_Pid": 4,
    "_PkgName": "NULL",
    "_SvcTag": 0,
    "_UserId": "NT AUTHORITY\\SYSTEM"
  },
  "message": "TaskNduPerFlowStats"
}
Event ID 2005: Flow Context (Flow Id:Flow_Context_Flow_Id) Refcount_FlowHandle.
Description
Flow Context (Flow Id:Flow_Context_Flow_Id) Refcount_FlowHandle.
Message
Fields
| Name | Description |
|---|---|
| _FlowHandle UInt64 | |
| _RefDeref UnicodeString | |
Example Event
{
  "system": {
    "provider": "Microsoft-Windows-Ndu",
    "guid": "{DF271536-4298-45E1-B0F2-E88F78619C5D}",
    "event_source_name": "",
    "event_id": 2005,
    "version": 0,
    "level": 5,
    "task": 1003,
    "opcode": 0,
    "keywords": "0x0000000000000004",
    "time_created": "2026-06-02T05:59:00.246+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{DF271536-4298-45E1-B0F2-E88F78619C5D}"
    },
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "_FlowHandle": 31717,
    "_RefDeref": "++"
  },
  "message": "TaskNduPerFlowStats"
}
Event ID 2006: Updated Interface Stats IfLuid:Updated_Interface_Stats_IfLuid ProfileId:ProfileId BytesSent:BytesSent BytesRecvd:BytesRecvd.
Description
Updated Interface Stats IfLuid:Updated_Interface_Stats_IfLuid ProfileId:ProfileId BytesSent:BytesSent BytesRecvd:BytesRecvd.
Message
Fields
| Name | Description |
|---|---|
| _IfLuid UInt64 | |
| _ProfileId UInt32 | |
| _BytesSent UInt32 | |
| _BytesRecvd UInt32 | |
Example Event
{
  "system": {
    "provider": "Microsoft-Windows-Ndu",
    "guid": "{DF271536-4298-45E1-B0F2-E88F78619C5D}",
    "event_source_name": "",
    "event_id": 2006,
    "version": 0,
    "level": 5,
    "task": 1002,
    "opcode": 0,
    "keywords": "0x0000000000000002",
    "time_created": "2026-06-02T05:59:00.247+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{DF271536-4298-45E1-B0F2-E88F78619C5D}"
    },
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "_BytesRecvd": 292,
    "_BytesSent": 0,
    "_IfLuid": 1689399632855040,
    "_ProfileId": 0
  },
  "message": "TaskNduPerInterfaceStats"
}
Event ID 2007: Updated Flow Stats (Flow Id:Updated_Flow_Stats_Flow_Id) IfLuid:IfLuid BytesSent:BytesSent BytesRecvd:BytesRecvd.
Description
Updated Flow Stats (Flow Id:Updated_Flow_Stats_Flow_Id) IfLuid:IfLuid BytesSent:BytesSent BytesRecvd:BytesRecvd.
Message
Fields
| Name | Description |
|---|---|
| _IfLuid UInt64 | |
| _FlowHandle UInt64 | |
| _BytesSent UInt32 | |
| _BytesRecvd UInt32 | |
Example Event
{
  "system": {
    "provider": "Microsoft-Windows-Ndu",
    "guid": "{DF271536-4298-45E1-B0F2-E88F78619C5D}",
    "event_source_name": "",
    "event_id": 2007,
    "version": 0,
    "level": 5,
    "task": 1003,
    "opcode": 0,
    "keywords": "0x0000000000000004",
    "time_created": "2026-06-02T05:59:00.247+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{DF271536-4298-45E1-B0F2-E88F78619C5D}"
    },
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "_BytesRecvd": 292,
    "_BytesSent": 0,
    "_FlowHandle": 31717,
    "_IfLuid": 1689399632855040
  },
  "message": "TaskNduPerFlowStats"
}
Event ID 2008: Registration for quota exceeded notification.
Event ID 2009: Unregistered from quota exceeded notification.
Event ID 2010: Registration for byte count limit.
Event ID 2011: Unregistered from byte count limit notification.
Event ID 2012: _DebugString.
Description
_DebugString
Message
Fields
| Name | Description |
|---|---|
| _DebugString UnicodeString | |
Example Event
{
  "system": {
    "provider": "Microsoft-Windows-Ndu",
    "guid": "{DF271536-4298-45E1-B0F2-E88F78619C5D}",
    "event_source_name": "",
    "event_id": 2012,
    "version": 0,
    "level": 5,
    "task": 1001,
    "opcode": 0,
    "keywords": "0x0000000000000001",
    "time_created": "2026-06-02T05:59:00.001+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{72529F65-EE0F-0001-46A2-52720FEEDC01}"
    },
    "execution": {
      "process_id": 3824,
      "thread_id": 11304
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "_DebugString": "==> NduProvQueryStats"
  },
  "message": "TaskNduDebugTrace"
}
Event ID 2013: _DebugString.
Event ID 2014: IfLuid:IfLuid ProfileId:ProfileId BytesSent:BytesSent BytesRecvd:BytesRecvd IsCosted: IsCosted.
Description
IfLuid:IfLuid ProfileId:ProfileId BytesSent:BytesSent BytesRecvd:BytesRecvd IsCosted: IsCosted.
Message
Fields
| Name | Description |
|---|---|
| _IfLuid UInt64 | |
| _ProfileId UInt32 | |
| _BytesSent UInt64 | |
| _BytesRecvd UInt64 | |
| _IsCosted Boolean | |
Example Event
{
  "system": {
    "provider": "Microsoft-Windows-Ndu",
    "guid": "{DF271536-4298-45E1-B0F2-E88F78619C5D}",
    "event_source_name": "",
    "event_id": 2014,
    "version": 0,
    "level": 4,
    "task": 1002,
    "opcode": 0,
    "keywords": "0x0000000000000010",
    "time_created": "2026-06-02T05:59:00.005+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{72529F65-EE0F-0001-46A2-52720FEEDC01}"
    },
    "execution": {
      "process_id": 3824,
      "thread_id": 11304
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "_BytesRecvd": 0,
    "_BytesSent": 315,
    "_IfLuid": 1689399632855040,
    "_IsCosted": false,
    "_ProfileId": 0
  },
  "message": "TaskNduPerInterfaceStats"
}
Event ID 2015: NduPowerDebug
Fields
| Name | Description |
|---|---|
| _IfLuid UInt64 | |
| TimeSinceLast UInt64 | |
| Energy UInt64 | |
| CurrentProc UInt32 | |
| BytesTxRx UInt32 | |
| Pid UInt32 | |
| IfMediaType UInt8 | |
Example Event
{
  "system": {
    "provider": "Microsoft-Windows-Ndu",
    "guid": "{DF271536-4298-45E1-B0F2-E88F78619C5D}",
    "event_source_name": "",
    "event_id": 2015,
    "version": 0,
    "level": 4,
    "task": 1005,
    "opcode": 0,
    "keywords": "0x0000000000000020",
    "time_created": "2026-06-02T05:59:00.247+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{DF271536-4298-45E1-B0F2-E88F78619C5D}"
    },
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "BytesTxRx": 292,
    "CurrentProc": 2,
    "Energy": 61658100,
    "IfMediaType": 1,
    "Pid": 4,
    "TimeSinceLast": 1128,
    "_IfLuid": 1689399632855040
  },
  "message": "TaskNduPowerDebug"
}
Event ID 2016: NduPowerQueueWorkItem
Fields
| Name | Description |
|---|---|
| ProcId UInt32 | |
| Count UInt32 | |
Example Event
{
  "system": {
    "provider": "Microsoft-Windows-Ndu",
    "guid": "{DF271536-4298-45E1-B0F2-E88F78619C5D}",
    "event_source_name": "",
    "event_id": 2016,
    "version": 0,
    "level": 4,
    "task": 1006,
    "opcode": 0,
    "keywords": "0x0000000000000020",
    "time_created": "2026-06-02T05:59:00.247+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{DF271536-4298-45E1-B0F2-E88F78619C5D}"
    },
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Count": 0,
    "ProcId": 2
  },
  "message": "TaskNduPowerQueueWorkItem"
}
Event ID 2017: NduMergeSmbStatsList: Not transferred InterfaceLuid and ProfileId to Smb stats because there is no one-and-only-one file transfer service (SMB) in ...
Description
NduMergeSmbStatsList: Not transferred InterfaceLuid and ProfileId to Smb stats because there is no one-and-only-one file transfer service (SMB) in the system. SystemSMB count:_SystemSmbCount InContainer:_IsContainer.
Message
Fields
| Name | Description |
|---|---|
| _SystemSmbCount UInt64 | |
| _IsContainer Boolean | |
Event ID 2018: ProfileIdTracker::GetProfileIdForInterface: Profile Id not found.
Event ID 2019: NduGetHostSid::UMgrEnumerateSessionUsers could not find SessionId: _SessionId.
Event ID 2020: NduUpdateProcessStatsForContainerOrVmId succeeded: CurrentProcNumber:NduUpdateProcessStatsForContainerOrVmId_succeeded_CurrentProcNumber PartitionId:PartitionId Direction:Direction IfLuid:IfLuid If...
Description
NduUpdateProcessStatsForContainerOrVmId succeeded: CurrentProcNumber:NduUpdateProcessStatsForContainerOrVmId_succeeded_CurrentProcNumber PartitionId:PartitionId Direction:Direction IfLuid:IfLuid IfType:IfType BytesSent:BytesSent BytesRecvd:BytesRecvd.
Message
Fields
| Name | Description |
|---|---|
| CurrentProcNumber UInt32 | |
| PartitionId GUID | |
| Direction UInt8 | Known values |
| IfLuid UInt64 | |
| IfType UInt32 | |
| BytesSent UInt64 | |
| BytesRecvd UInt64 | |
Event ID 2021: OuterProcessId: VirtualIfLuid:IfAlias OuterProcessId:Title IfAlias:VirtualIfLuid.
Event ID 2022: Wake count updated IfLuid:IfLuid Flow Id:FlowHandle (0 means interface) WakeCount:WakeCount.
Event ID 2023
Fields
| Name | Description |
|---|---|
| _ProcNum UInt32 | |
| _ListIndex UInt16 | |
| _ListHead UInt64 | |
| _Entry UInt64 | |
| _EntryFlink UInt64 | |
| _EntryBlink UInt64 | |
| _Flags UInt32 | |
Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID {DF271536-4298-45E1-B0F2-E88F78619C5D}
Defined in ndu.sys, the binary that emits these events.
Observed on:
- Win11-26200.6584, sample captured from a live trace, binary version 10.0.26100.5074, captured 2026-06-02
- Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.5074, captured 2026-06-02