Microsoft-Windows-NetworkProfile
18 events across 2 channels
Event ID 4001: Entered State: CurrentOrNextState Interface Guid: InterfaceGuid.
#Description
Entered State: CurrentOrNextState Interface Guid: InterfaceGuid.
Message #
Fields #
| Name | Description |
|---|---|
InterfaceGuid GUID | |
CurrentOrNextState UInt8 | Entered State. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-NetworkProfile",
"guid": "FBCFAC3F-8459-419F-8E48-1F0B49CDB85E",
"event_source_name": "",
"event_id": 4001,
"version": 0,
"level": 4,
"task": 1,
"opcode": 1,
"keywords": 4611721202799476736,
"time_created": "2023-11-06T06:25:40.457207+00:00",
"event_record_id": 102,
"correlation": {
"ActivityID": "F590C418-1079-0000-E6C4-90F57910DA01"
},
"execution": {
"process_id": 1696,
"thread_id": 2248
},
"channel": "Microsoft-Windows-NetworkProfile/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-20"
}
},
"event_data": {
"InterfaceGuid": "8E4162AD-6500-4899-BA95-24051405E207",
"CurrentOrNextState": 0
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4002: Transitioning to State: CurrentOrNextState Interface Guid: InterfaceGuid.
#Description
Transitioning to State: CurrentOrNextState Interface Guid: InterfaceGuid.
Message #
Fields #
| Name | Description |
|---|---|
InterfaceGuid GUID | |
CurrentOrNextState UInt8 | Transitioning to State. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-NetworkProfile",
"guid": "{FBCFAC3F-8459-419F-8E48-1F0B49CDB85E}",
"event_source_name": "",
"event_id": 4002,
"version": 0,
"level": 4,
"task": 1,
"opcode": 2,
"keywords": 4612002677776187392,
"time_created": "2026-05-29T16:32:54.5133303+00:00",
"event_record_id": 103,
"correlation": {},
"execution": {
"process_id": 1244,
"thread_id": 2136
},
"channel": "Microsoft-Windows-NetworkProfile/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-19"
}
},
"event_data": {
"InterfaceGuid": "{2a7bd48e-ddc6-4641-9f41-682f29f1d76c}",
"CurrentOrNextState": "1"
},
"message": "Transitioning to State: Identified Network Interface Guid: {2a7bd48e-ddc6-4641-9f41-682f29f1d76c}"
}
Event ID 4003: Transitioning to State: CurrentOrNextState Interface Guid: InterfaceGuid.
#Description
Transitioning to State: CurrentOrNextState Interface Guid: InterfaceGuid.
Message #
Fields #
| Name | Description |
|---|---|
InterfaceGuid GUID | |
CurrentOrNextState UInt8 | Transitioning to State. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-NetworkProfile",
"guid": "FBCFAC3F-8459-419F-8E48-1F0B49CDB85E",
"event_source_name": "",
"event_id": 4003,
"version": 0,
"level": 4,
"task": 1,
"opcode": 2,
"keywords": 4612002677776187392,
"time_created": "2023-10-26T04:21:55.694878+00:00",
"event_record_id": 8,
"correlation": {
"ActivityID": "DE03B784-07C3-0000-2AB9-03DEC307DA01"
},
"execution": {
"process_id": 1664,
"thread_id": 2128
},
"channel": "Microsoft-Windows-NetworkProfile/Operational",
"computer": "WinDevEval",
"security": {
"user_id": "S-1-5-20"
}
},
"event_data": {
"InterfaceGuid": "8E4162AD-6500-4899-BA95-24051405E207",
"CurrentOrNextState": 2
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4004: Network State Change Fired.
#Description
Network State Change Fired.
Message #
Fields #
| Name | Description |
|---|---|
NewInternetConnectionProfile Boolean | |
ConnectionCostChanged Boolean | |
DomainConnectivityLevelChanged Boolean | |
NetworkConnectivityLevelChanged Boolean | |
HostNameChanged Boolean | |
WwanRegistrationStateChanged Boolean | |
TetheringOperationalStateChanged Boolean | |
TetheringClientCountChanged Boolean |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-NetworkProfile",
"guid": "{FBCFAC3F-8459-419F-8E48-1F0B49CDB85E}",
"event_source_name": "",
"event_id": 4004,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2026-05-29T16:33:36.5901267+00:00",
"event_record_id": 108,
"correlation": {},
"execution": {
"process_id": 1244,
"thread_id": 2172
},
"channel": "Microsoft-Windows-NetworkProfile/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-19"
}
},
"event_data": {
"NewInternetConnectionProfile": "false",
"ConnectionCostChanged": "false",
"DomainConnectivityLevelChanged": "false",
"NetworkConnectivityLevelChanged": "true",
"HostNameChanged": "false",
"WwanRegistrationStateChanged": "false",
"TetheringOperationalStateChanged": "false",
"TetheringClientCountChanged": "false"
},
"message": "Network State Change Fired\r\n\tNew Internet Connection Profile: false\r\n\tConnection Cost Changed: false\r\n\tDomain Connectivity Level Changed: false\r\n\tNetwork Connectivity Level Changed: true\r\n\tHost Name Changed: false\r\n\tWwan Registration State Changed: false\r\n\tTethering Operational State Changed: false\r\n\tTethering Client Count Changed: false"
}
Event ID 10000: Network Connected.
#Description
Network Connected.
Message #
Fields #
| Name | Description |
|---|---|
Name UnicodeString | |
Description UnicodeString | Desc. |
Guid GUID | |
Type UInt32 | |
State UInt32 | |
Category UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-NetworkProfile",
"guid": "{FBCFAC3F-8459-419F-8E48-1F0B49CDB85E}",
"event_source_name": "",
"event_id": 10000,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611721202799476768,
"time_created": "2026-05-29T16:32:54.5143895+00:00",
"event_record_id": 105,
"correlation": {},
"execution": {
"process_id": 1244,
"thread_id": 2136
},
"channel": "Microsoft-Windows-NetworkProfile/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-19"
}
},
"event_data": {
"Name": "Network 2",
"Description": "Network",
"Guid": "{6f06ea84-07ca-400e-95d9-4ccb6a203bb7}",
"Type": "0",
"State": "1",
"Category": "0"
},
"message": "Network Connected\r\n\tName: Network 2\r\n\tDesc: Network\r\n\tType: Unmanaged\r\n\tState: Connected\r\n\tCategory: Public\r\n"
}
Event ID 10001: Network Disconnected.
#Description
Network Disconnected.
Message #
Fields #
| Name | Description |
|---|---|
Name UnicodeString | |
Description UnicodeString | Desc. |
Guid GUID | |
Type UInt32 | |
State UInt32 | |
Category UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-NetworkProfile",
"guid": "{FBCFAC3F-8459-419F-8E48-1F0B49CDB85E}",
"event_source_name": "",
"event_id": 10001,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611721202799476768,
"time_created": "2026-06-13T05:12:16.7004369+00:00",
"event_record_id": 112,
"correlation": {},
"execution": {
"process_id": 2008,
"thread_id": 2380
},
"channel": "Microsoft-Windows-NetworkProfile/Operational",
"computer": "telemetry-DC-c.cell-c.ludus.domain",
"security": {
"user_id": "S-1-5-19"
}
},
"event_data": {
"Name": "Network 2",
"Description": "Network",
"Guid": "{daf5f7e9-db68-49bc-95f6-959c385fdd77}",
"Type": "0",
"State": "2",
"Category": "0"
},
"message": "Network Disconnected\r\n\tName: Network 2\r\n\tDesc: Network\r\n\tType: Unmanaged\r\n\tState: Disconnected\r\n\tCategory: Public\r\n"
}
Event ID 10002: Network Category Changed.
#Description
Network Category Changed.
Message #
Fields #
| Name | Description |
|---|---|
Name UnicodeString | |
Description UnicodeString | Desc. |
Guid GUID | |
Type UInt32 | |
State UInt32 | |
Category UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-NetworkProfile",
"guid": "FBCFAC3F-8459-419F-8E48-1F0B49CDB85E",
"event_source_name": "",
"event_id": 10002,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611721202799476768,
"time_created": "2023-10-25T21:24:15.431361+00:00",
"event_record_id": 15,
"correlation": {
"ActivityID": "DE03B784-07C3-0001-12DB-03DEC307DA01"
},
"execution": {
"process_id": 1664,
"thread_id": 1716
},
"channel": "Microsoft-Windows-NetworkProfile/Operational",
"computer": "WinDevEval",
"security": {
"user_id": "S-1-5-20"
}
},
"event_data": {
"Name": "Unidentified network",
"Description": "Unidentified network",
"Guid": "D96782F8-AD48-42CC-BA6F-1DE099772EC0",
"Type": 0,
"State": 5,
"Category": 1
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 10003: Posting Network Connected Event Type: Posting_Network_Connected_Event_Type.
#Event ID 10004: Posted Network Connected Event Type: Posted_Network_Connected_Event_Type.
#Event ID 10005: Posting Network Profile Event Type: Posting_Network_Profile_Event_Type.
#Event ID 10006: Posted Network Profile Event Type: Posted_Network_Profile_Event_Type.
#Event ID 10007: Posting Network Disconnected Event Type: Posting_Network_Disconnected_Event_Type.
#Event ID 10008: Posted Network Disconnected Event Type: Posted_Network_Disconnected_Event_Type.
#Event ID 20001: NLM service initialization failed (error=ErrorCode).
#Event ID 20002: NSI Set Category Result.
#Description
NSI Set Category Result.
Message #
Fields #
| Name | Description |
|---|---|
ProfileGuid GUID | |
InterfaceGuid GUID | |
Category UInt32 | Network Category. |
ErrorCodev4 Int32 | IPv4 Error Code. |
ErrorCodev6 Int32 | IPv6 Error Code. |
Context UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-NetworkProfile",
"guid": "{FBCFAC3F-8459-419F-8E48-1F0B49CDB85E}",
"event_source_name": "",
"event_id": 20002,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387936,
"time_created": "2026-05-29T16:32:55.8401330+00:00",
"event_record_id": 106,
"correlation": {},
"execution": {
"process_id": 1244,
"thread_id": 2880
},
"channel": "Microsoft-Windows-NetworkProfile/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-19"
}
},
"event_data": {
"ProfileGuid": "{6f06ea84-07ca-400e-95d9-4ccb6a203bb7}",
"InterfaceGuid": "{2a7bd48e-ddc6-4641-9f41-682f29f1d76c}",
"Category": "0",
"ErrorCodev4": "0",
"ErrorCodev6": "1168",
"Context": "3986"
},
"message": "NSI Set Category Result\r\n\tProfile GUID: {6f06ea84-07ca-400e-95d9-4ccb6a203bb7}\r\n\tInterface GUID: {2a7bd48e-ddc6-4641-9f41-682f29f1d76c}\r\n\tNetwork Category: Public\r\n\tIPv4 Error Code: 0\r\n\tIPv6 Error Code: 1168\r\n\tContext: 3986\r\n"
}
Event ID 20005: Url Url is of incorrect format.
#Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID fbcfac3f-8459-419f-8e48-1f0b49cdb85e
Defined in netprofmsvc.dll, which carries the event manifest.
Observed on:
- WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.1, captured 2026-06-02
- Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.1, captured 2026-06-02