Microsoft-Windows-Network-Connection-Broker
32 events across 1 channel
Event ID 1001: StatusDescription - Status : Status.
Description
StatusDescription - Status : Status
Message
Fields
| Name | Description |
|---|---|
| StatusDescription UnicodeString | |
| Status UInt32 | NTSTATUS reference |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Network-Connection-Broker",
"guid": "{3EB875EB-8F4A-4800-A00B-E484C97D7551}",
"event_source_name": "",
"event_id": 1001,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": "0x0000000000000000",
"time_created": "2026-06-02T05:29:07.763+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 8,
"thread_id": 12396
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"Status": 0,
"StatusDescription": "Kam: processed network change notification"
},
"message": ""
}
Event ID 1002: Reference: Reference -RefCount : RefCount, file: file line: line.
Event ID 1003: Dereference: Dereference -RefCount : RefCount, file: file line: line.
Event ID 1101: Provider registration completed with context Object and status Status.
Description
Provider registration completed with context Object and status Status.
Message
Fields
| Name | Description |
|---|---|
| Object Pointer | |
| Status UInt32 | NTSTATUS reference |
Event ID 1102: Provider deregistration completed with context Object and status Status.
Description
Provider deregistration completed with context Object and status Status.
Message
Fields
| Name | Description |
|---|---|
| Object Pointer | |
| Status UInt32 | NTSTATUS reference |
Event ID 1103: Provider rundown completed with context Object and status Status.
Description
Provider rundown completed with context Object and status Status.
Message
Fields
| Name | Description |
|---|---|
| Object Pointer | |
| Status UInt32 | NTSTATUS reference |
Event ID 1104: Update sample completed for context ContextHandle, provider Provider, value Value, value type ValueType with status Status.
Description
Update sample completed for context ContextHandle, provider Provider, value Value, value type ValueType with status Status.
Message
Fields
| Name | Description |
|---|---|
| ContextHandle Pointer | |
| Provider Pointer | |
| ServiceNlmEpoch UInt64 | |
| ServiceNlmSignature Pointer | |
| ClientNlmEpoch UInt64 | |
| Value UInt32 | |
| ValueType Int32 | |
| ScheduleUpdate Boolean | |
| Status UInt32 | NTSTATUS reference |
Event ID 1105: Network change occured, new value = Value, new value type = ValueType.
Description
Network change occured, new value = Value, new value type = ValueType.
Message
Fields
| Name | Description |
|---|---|
| NlmEpochBefore UInt64 | |
| NlmSignatureBefore Pointer | |
| NlmSignatureStableBefore Boolean | |
| NlmEpochAfter UInt64 | |
| NlmSignatureAfter Pointer | |
| NlmSignatureStableAfter Boolean | |
| Value UInt32 | |
| ValueType Int32 | |
| ScheduleUpdate Boolean | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Network-Connection-Broker",
"guid": "{3EB875EB-8F4A-4800-A00B-E484C97D7551}",
"event_source_name": "",
"event_id": 1105,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": "0x0000000000000000",
"time_created": "2026-06-02T05:29:07.763+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 8,
"thread_id": 8316
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"NlmEpochAfter": 2,
"NlmEpochBefore": 1,
"NlmSignatureAfter": "0x2445AA7E210",
"NlmSignatureBefore": "0x2445AA98550",
"NlmSignatureStableAfter": true,
"NlmSignatureStableBefore": true,
"ScheduleUpdate": true,
"Value": 960,
"ValueType": 1
},
"message": ""
}
Event ID 1106: Collecting provider Provider with request holder RequestHolder for notification.
Description
Collecting provider Provider with request holder RequestHolder for notification.
Message
Fields
| Name | Description |
|---|---|
| Provider Pointer | |
| RequestHolder Pointer | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Network-Connection-Broker",
"guid": "{3EB875EB-8F4A-4800-A00B-E484C97D7551}",
"event_source_name": "",
"event_id": 1106,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": "0x0000000000000000",
"time_created": "2026-06-02T05:29:07.763+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 8,
"thread_id": 8316
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"Provider": "0x2445AA98850",
"RequestHolder": "0x2445AA722F0"
},
"message": ""
}
Event ID 1107: Accepting update request for provider ContextHandle finished with status Status.
Description
Accepting update request for provider ContextHandle finished with status Status.
Message
Fields
| Name | Description |
|---|---|
| ContextHandle Pointer | |
| Provider Pointer | |
| RequestHolder Pointer | |
| UpdateRequested Boolean | |
| CompleteCall Boolean | |
| Status UInt32 | NTSTATUS reference |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Network-Connection-Broker",
"guid": "{3EB875EB-8F4A-4800-A00B-E484C97D7551}",
"event_source_name": "",
"event_id": 1107,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": "0x0000000000000000",
"time_created": "2026-06-02T05:29:07.796+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{8BC7C5F0-6A9E-4327-B8D3-F0B6E97F4665}"
},
"execution": {
"process_id": 8,
"thread_id": 16080
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"CompleteCall": false,
"ContextHandle": "0x2445AA98850",
"Provider": "0x2445AA98850",
"RequestHolder": "0x0",
"Status": 0,
"UpdateRequested": false
},
"message": ""
}
Event ID 1108: Completing update request for provider Provider finished with status Status.
Description
Completing update request for provider Provider finished with status Status.
Message
Fields
| Name | Description |
|---|---|
| Provider Pointer | |
| RequestHolder Pointer | |
| Value UInt32 | |
| ValueType Int32 | |
| NlmEpoch UInt64 | |
| Status UInt32 | NTSTATUS reference |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Network-Connection-Broker",
"guid": "{3EB875EB-8F4A-4800-A00B-E484C97D7551}",
"event_source_name": "",
"event_id": 1108,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": "0x0000000000000000",
"time_created": "2026-06-02T05:29:07.763+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 8,
"thread_id": 8316
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"NlmEpoch": 2,
"Provider": "0x2445AA98850",
"RequestHolder": "0x2445AA722F0",
"Status": 0,
"Value": 960,
"ValueType": 1
},
"message": ""
}
Event ID 1109: Provider Provider created with refcount RefCount.
Event ID 1110: Provider Provider destroyed.
Event ID 1111: Provider Provider referenced, the previous refcount was RefCount.
Description
Provider Provider referenced, the previous refcount was RefCount.
Message
Fields
| Name | Description |
|---|---|
| Provider Pointer | |
| RefCount UInt32 | |
| FileName AnsiString | |
| LineNumber UInt32 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Network-Connection-Broker",
"guid": "{3EB875EB-8F4A-4800-A00B-E484C97D7551}",
"event_source_name": "",
"event_id": 1111,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": "0x0000000000000000",
"time_created": "2026-06-02T05:29:07.763+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 8,
"thread_id": 8316
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"FileName": "onecoreuap\\net\\netio\\iphlpsvc\\kaprovider\\kapisrv\\kapisrv.c",
"LineNumber": 1386,
"Provider": "0x2445AA98850",
"RefCount": 1
},
"message": ""
}
Event ID 1112: Provider Provider dereferenced, the previous refcount was RefCount.
Description
Provider Provider dereferenced, the previous refcount was RefCount.
Message
Fields
| Name | Description |
|---|---|
| Provider Pointer | |
| RefCount UInt32 | |
| FileName AnsiString | |
| LineNumber UInt32 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Network-Connection-Broker",
"guid": "{3EB875EB-8F4A-4800-A00B-E484C97D7551}",
"event_source_name": "",
"event_id": 1112,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": "0x0000000000000000",
"time_created": "2026-06-02T05:29:07.763+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 8,
"thread_id": 8316
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"FileName": "onecoreuap\\net\\netio\\iphlpsvc\\kaprovider\\kapisrv\\kapisrv.c",
"LineNumber": 1352,
"Provider": "0x2445AA98850",
"RefCount": 2
},
"message": ""
}
Event ID 1113: Description updated timer values -.
Description
Description updated timer values -.
Message
Fields
| Name | Description |
|---|---|
| Description UnicodeString | |
| Appprovidedtime UInt32 | |
| Currentkeepalivetime UInt32 | |
| Loweredkeepalivetime UInt32 | |
| WNStestinputtime UInt32 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Network-Connection-Broker",
"guid": "{3EB875EB-8F4A-4800-A00B-E484C97D7551}",
"event_source_name": "",
"event_id": 1113,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": "0x0000000000000001",
"time_created": "2026-06-02T05:29:07.769+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 8,
"thread_id": 16080
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"App provided time": 33,
"Current keepalive time": 16,
"Description": "Kam:KapiUpdateCallback",
"Lowered keepalive time": 4294967295,
"WNS test input time": 16
},
"message": ""
}
Event ID 1114: LogMessage.
Event ID 1115: Reference context: Reference_context -RefCount : RefCount, file: file line: line.
Event ID 1116: Dereference context: Dereference_context -RefCount : RefCount, file: file line: line.
Event ID 1117: CCReset event occurred of type ApplicationRestart for package: PackageName and fired: Fired.
Event ID 2001: Socket Broker: Registered trigger notifications for event id EventId and application name AppName.
Event ID 2002: Socket Broker: De-Registered trigger notifications for event id EventId and application name AppName.
Event ID 2003: Socket Broker: Application AppName is transferring ownership of a socket SocketId with address family AddressFamily, socket type SocketType, protocol Protocol, tcp listener IsTcpListener and eve...
Description
Socket Broker: Application AppName is transferring ownership of a socket SocketId with address family AddressFamily, socket type SocketType, protocol Protocol, tcp listener IsTcpListener and event id EventId.
Message
Fields
| Name | Description |
|---|---|
| EventId GUID | |
| SocketId UnicodeString | |
| AppName UnicodeString | |
| AddressFamily Int32 | |
| SocketType Int32 | |
| Protocol Int32 | Known values |
| IsTcpListener Boolean | |
Event ID 2004: Socket Broker: Application AppName is retrieving socket SocketId for event id EventId.
Event ID 2005: Socket Broker: BICreateEvent is called for event id BrokerEventId and application AppName.
Event ID 2006: Socket Broker: BIEnableEvent is called for event id BrokerEventId, application AppName and call reason CallReason.
Event ID 2007: Socket Broker: BIDisableEvent is called for event id BrokerEventId, application AppName and call reason CallReason.
Event ID 2008: Socket Broker: BIDeleteEvent is called for event id BrokerEventId, application AppName and call reason CallReason.
Event ID 2009: Socket Broker: Notifying background task for event id BrokerEventId, socket id SocketId, socket type SocketType, trigger reason TriggerReason and status Status.
Description
Socket Broker: Notifying background task for event id BrokerEventId, socket id SocketId, socket type SocketType, trigger reason TriggerReason and status Status.
Message
Fields
| Name | Description |
|---|---|
| BrokerEventId GUID | |
| SocketId UnicodeString | |
| SocketType Int32 | |
| TriggerReason Int32 | |
| Status Int32 | NTSTATUS reference |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Network-Connection-Broker",
"guid": "{3EB875EB-8F4A-4800-A00B-E484C97D7551}",
"event_source_name": "",
"event_id": 2009,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": "0x0000000000000000",
"time_created": "2026-06-02T05:29:08.059+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 8,
"thread_id": 16080
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"BrokerEventId": "{00000000-0000-0000-0000-000000000000}",
"SocketId": "NULL",
"SocketType": 0,
"Status": 0,
"TriggerReason": 4
},
"message": ""
}
Event ID 2010: Socket Broker: CreatePushEnabledContext for event id BrokerEventId returned Status.
Description
Socket Broker: CreatePushEnabledContext for event id BrokerEventId returned Status.
Message
Fields
| Name | Description |
|---|---|
| BrokerEventId GUID | |
| Status Int32 | NTSTATUS reference |
Event ID 2011: Socket Broker: RetrieveContext for event id BrokerEventId and socket id SocketId returned Status.
Description
Socket Broker: RetrieveContext for event id BrokerEventId and socket id SocketId returned Status.
Message
Fields
| Name | Description |
|---|---|
| BrokerEventId GUID | |
| SocketId UnicodeString | |
| Status Int32 | NTSTATUS reference |
Event ID 2012: Socket Broker: EnumerateSockets for application name AppName returned status Status with sockets NumSockets.
Description
Socket Broker: EnumerateSockets for application name AppName returned status Status with sockets NumSockets.
Message
Fields
| Name | Description |
|---|---|
| AppName UnicodeString | |
| Status Int32 | NTSTATUS reference |
| NumSockets Int32 | |
Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID {3EB875EB-8F4A-4800-A00B-E484C97D7551}
Defined in ncbservice.dll, which carries the event manifest.
Observed on:
- WS2022-20348.4893, sample captured from a live trace, binary version 10.0.20348.1, captured 2026-06-02
- WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.1, captured 2026-06-02
- Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.1, captured 2026-06-02