Microsoft-Windows-NlaSvc

52 events across 2 channels

Event	Title	Channel	Sample
4001	Entered State: Entered_State Interface Guid: Interface_Guid.	Diagnostic	N
4002	Transitioning to State: CurrentOrNextState Interface Guid: InterfaceGuid.	Diagnostic	N
4101	Received WMI Media Connect Notification for 'AdapterName' InterfaceGuid.	Diagnostic	N
4102	Received WMI Media Disconnect Notification for 'AdapterName' InterfaceGuid.	Diagnostic	N
4103	Route change has occurred for interface InterfaceGuid (MibNotificationType).	Diagnostic	N
4104	Address change has occurred for interface InterfaceGuid (MibNotificationType).	Diagnostic	N
4105	Quarantine state has changed	Diagnostic	N
4106	Received DHCP notification	Diagnostic	N
4201	Start link resolver	Diagnostic	N
4202	Stop link resolver	Diagnostic	N
4203	Start gateway resolution on interface InterfaceGuid for GatewayIpAddress.	Diagnostic	N
4204	Stop gateway resolution on interface NlnsState for MAC.	Diagnostic	N
4205	Gateway resolution failed on interface InterfaceGuid for GatewayIpAddress with …	Operational	Y
4251	Plug-in data indicated from PluginName for entity EntityName (IndicatedRowCount …	Diagnostic	N
4261	DHCP has stabilized for InterfaceGuid (NlaState).	Diagnostic	N
4301	Start Intranet resolver	Diagnostic	N
4302	Stop Intranet resolver	Diagnostic	N
4311	Start DsGetDcName(DnsSuffix,Flags) for DnsSuffix.	Diagnostic	N
4312	Stop DsGetDcName(DnsSuffix,Flags) for DnsSuffix returned error ErrorCode …	Diagnostic	N
4313	DsGetDcName(DnsSuffix,Flags) for DnsSuffix failed with error ErrorCode.	Diagnostic	N
4321	Start DsGetDcName(Flags) for DS info.	Diagnostic	N
4322	Stop DsGetDcName(Flags) for DS info returned error ErrorCode …	Diagnostic	N
4323	DsGetDcName(Flags) for DS info failed with error ErrorCode.	Diagnostic	N
4331	Start DsGetDcName(Flags) for root domain GUID.	Diagnostic	N
4332	Stop DsGetDcName(Flags) for root domain GUID returned error ErrorCode …	Diagnostic	N
4333	DsGetDcName(Flags) for root domain GUID failed with error ErrorCode.	Operational	N
4341	Start LDAP authentication on interface Interface Name (Addresses) (Try Count …	Diagnostic	N
4342	Stop LDAP authentication on interface Interface Name (Addresses).	Diagnostic	N
4343	LDAP authentication on interface Interface Name (Addresses) failed with error …	Operational	Y
4351	Start ldap_connect(Addresses) for DC=DcName (Try Number of Try Count tries).	Diagnostic	N
4352	Stop ldap_connect(Addresses) for DC=DcName (Try Number of Try Count tries).	Diagnostic	N
4353	ldap_connect(Addresses) for DC=DcName (Try Number of Try Count tries) failed …	Diagnostic	N
4354	Start ldap_bind(Addresses) for DC=DcName (Try Number of Try Count tries).	Diagnostic	N
4355	Stop ldap_bind(Addresses) for DC=DcName (Try Number of Try Count tries).	Diagnostic	N
4356	ldap_bind(Addresses) for DC=DcName (Try Number of Try Count tries) failed with …	Diagnostic	N
4401	Inserting identifying signature for interface InterfaceGuid.	Diagnostic	N
4402	Inserting identified signature for interface InterfaceGuid.	Diagnostic	N
4403	Removing identified signature for interface InterfaceGuid.	Diagnostic	N
4404	Inserting identified signature for interface InterfaceGuid.	Diagnostic	N
4405	Inserting identified signature for interface InterfaceGuid.	Diagnostic	N
4407	Adding interface 'AdapterName' InterfaceGuid.	Diagnostic	N
4408	Removing interface 'AdapterName' InterfaceGuid.	Diagnostic	N
4409	Adding interface 'AdapterName' InterfaceGuid.	Diagnostic	N
4410	Inserting identified signature for interface InterfaceGuid.	Diagnostic	N
4411	Inserting identified signature for interface InterfaceGuid.	Diagnostic	N
4451	Network on Reason is unlikely to be authentication-capable; authentication will …	Diagnostic	N
5001	Dhcp	Diagnostic	N
5002	Inserting identified signature for interface InterfaceGuid.	Diagnostic	N
6101	Perftrack cancel event for interface 'AdapterName' InterfaceGuid.	Diagnostic	N
6102	Perftrack cancel event for interface 'AdapterName' InterfaceGuid.	Diagnostic	N
6103	Perftrack cancel event for interface 'AdapterName' InterfaceGuid.	Diagnostic	N
6104	Perftrack cancel event for interface 'AdapterName' InterfaceGuid.	Diagnostic	N

Event ID 4001: Entered State: Entered_State Interface Guid: Interface_Guid.

Provider: Microsoft-Windows-NlaSvc
Channel: Diagnostic
Task: WaitforIdentification
Opcode: Start

Description

Entered State: Entered_State Interface Guid: Interface_Guid.

Message #

Entered State: %2 Interface Guid: %1

Fields #

Name	Description
`InterfaceGuid` GUID
`CurrentOrNextState` UInt8

Event ID 4002: Transitioning to State: CurrentOrNextState Interface Guid: InterfaceGuid.

Provider: Microsoft-Windows-NlaSvc
Channel: Diagnostic
Task: WaitforIdentification
Opcode: Stop

Description

Transitioning to State: CurrentOrNextState Interface Guid: InterfaceGuid.

Message #

Transitioning to State: %2 Interface Guid: %1

Fields #

Name	Description
`InterfaceGuid` GUID
`CurrentOrNextState` UInt8

Event ID 4101: Received WMI Media Connect Notification for 'AdapterName' InterfaceGuid.

Provider: Microsoft-Windows-NlaSvc
Channel: Diagnostic
Task: Trigger
Opcode: MediaConnect

Description

Received WMI Media Connect Notification for 'AdapterName' InterfaceGuid.

Message #

Received WMI Media Connect Notification for '%2' %1

Fields #

Name	Description
`InterfaceGuid` GUID
`AdapterName` UnicodeString

Event ID 4102: Received WMI Media Disconnect Notification for 'AdapterName' InterfaceGuid.

Provider: Microsoft-Windows-NlaSvc
Channel: Diagnostic
Task: Trigger
Opcode: MediaDisconnect

Description

Received WMI Media Disconnect Notification for 'AdapterName' InterfaceGuid.

Message #

Received WMI Media Disconnect Notification for '%2' %1

Fields #

Name	Description
`InterfaceGuid` GUID
`AdapterName` UnicodeString

Event ID 4103: Route change has occurred for interface InterfaceGuid (MibNotificationType).

Provider: Microsoft-Windows-NlaSvc
Channel: Diagnostic
Task: Trigger
Opcode: RouteChange

Description

Route change has occurred for interface InterfaceGuid (MibNotificationType).

Message #

Route change has occurred for interface %1 (%2)

Fields #

Name	Description
`InterfaceGuid` GUID
`MibNotificationType` UInt32

Event ID 4104: Address change has occurred for interface InterfaceGuid (MibNotificationType).

Provider: Microsoft-Windows-NlaSvc
Channel: Diagnostic
Task: Trigger
Opcode: AddressChange

Description

Address change has occurred for interface InterfaceGuid (MibNotificationType).

Message #

Address change has occurred for interface %1 (%2)

Fields #

Name	Description
`InterfaceGuid` GUID
`MibNotificationType` UInt32

Event ID 4105: Quarantine state has changed

Provider: Microsoft-Windows-NlaSvc
Channel: Diagnostic
Task: Trigger
Opcode: QuarantineStateChange

Description

Quarantine state has changed.

Message #

Quarantine state has changed

Event ID 4106: Received DHCP notification

Provider: Microsoft-Windows-NlaSvc
Channel: Diagnostic
Task: Trigger
Opcode: DhcpNotification

Description

Received DHCP notification.

Message #

Received DHCP notification

Event ID 4201: Start link resolver

Provider: Microsoft-Windows-NlaSvc
Channel: Diagnostic
Task: GatewayResolution
Opcode: Start

Description

Start link resolver.

Message #

Start link resolver

Event ID 4202: Stop link resolver

Provider: Microsoft-Windows-NlaSvc
Channel: Diagnostic
Task: GatewayResolution
Opcode: Stop

Description

Stop link resolver.

Message #

Stop link resolver

Event ID 4203: Start gateway resolution on interface InterfaceGuid for GatewayIpAddress.

Provider: Microsoft-Windows-NlaSvc
Channel: Diagnostic
Task: GatewayResolution
Opcode: Start

Description

Start gateway resolution on interface InterfaceGuid for GatewayIpAddress.

Message #

Start gateway resolution on interface %1 for %2

Fields #

Name	Description
`InterfaceGuid` GUID
`GatewayIpAddress` UnicodeString

Event ID 4204: Stop gateway resolution on interface NlnsState for MAC.

Provider: Microsoft-Windows-NlaSvc
Channel: Diagnostic
Task: GatewayResolution
Opcode: Stop

Description

Stop gateway resolution on interface NlnsState for MAC. Error: InterfaceGuid NlnsState: GatewayIpAddress MAC: MacAddrLen.

Message #

Stop gateway resolution on interface %1 for %2. Error: %3 NlnsState: %4 MAC: %6

Fields #

Name	Description
`InterfaceGuid` GUID
`GatewayIpAddress` UnicodeString
`ErrorCode` UInt32
`NlnsState` UInt32
`MacAddrLen` UInt16
`MacAddr` Binary

Event ID 4205: Gateway resolution failed on interface InterfaceGuid for GatewayIpAddress with error: ErrorCode.

Provider: Microsoft-Windows-NlaSvc
Channel: Operational
Level: Error
Task: GatewayResolution
Opcode: Failed

Description

Gateway resolution failed on interface InterfaceGuid for GatewayIpAddress with error: ErrorCode.

Message #

Gateway resolution failed on interface %1 for %2 with error: %3

Fields #

Name	Description
`InterfaceGuid` GUID
`GatewayIpAddress` UnicodeString
`ErrorCode` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-NlaSvc",
    "guid": "63B530F8-29C9-4880-A5B4-B8179096E7B8",
    "event_source_name": "",
    "event_id": 4205,
    "version": 0,
    "level": 2,
    "task": 3,
    "opcode": 21,
    "keywords": 4611686018427387938,
    "time_created": "2026-03-15T05:30:49.223016+00:00",
    "event_record_id": 1,
    "correlation": {
      "ActivityID": "6FDE36A2-B353-0009-B736-DE6F53B3DC01"
    },
    "execution": {
      "process_id": 1992,
      "thread_id": 12780
    },
    "channel": "Microsoft-Windows-NlaSvc/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-20"
    }
  },
  "event_data": {
    "InterfaceGuid": "8A1760B6-DC99-4B90-9C4A-029698E5AE27",
    "GatewayIpAddress": "10.2.10.1",
    "ErrorCode": 67
  },
  "message": ""
}

Event ID 4251: Plug-in data indicated from PluginName for entity EntityName (IndicatedRowCount rows).

Provider: Microsoft-Windows-NlaSvc
Channel: Diagnostic
Task: Plugin
Opcode: DataIndication

Description

Plug-in data indicated from PluginName for entity EntityName (IndicatedRowCount rows).

Message #

Plug-in data indicated from %1 for entity %2 (%3 rows)
%5

Fields #

Name	Description
`PluginName` UnicodeString
`EntityName` UnicodeString
`IndicatedRowCount` UInt16
`RowsWithInterfacesIndicatedCount` UInt16
`RowInterfaceGuid` GUID

Event ID 4261: DHCP has stabilized for InterfaceGuid (NlaState).

Provider: Microsoft-Windows-NlaSvc
Channel: Diagnostic
Task: Dhcp
Opcode: Stabilized

Description

DHCP has stabilized for InterfaceGuid (NlaState).

Message #

DHCP has stabilized for %1 (%2)

Fields #

Name	Description
`InterfaceGuid` GUID
`NlaState` UInt32

Event ID 4301: Start Intranet resolver

Provider: Microsoft-Windows-NlaSvc
Channel: Diagnostic
Task: IntranetResolution
Opcode: Start

Description

Start Intranet resolver.

Message #

Start Intranet resolver

Event ID 4302: Stop Intranet resolver

Provider: Microsoft-Windows-NlaSvc
Channel: Diagnostic
Task: IntranetResolution
Opcode: Stop

Description

Stop Intranet resolver.

Message #

Stop Intranet resolver

References #

Microsoft Learn https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/dfsr-diagnostics-shows-sharing-violations-events

Event ID 4311: Start DsGetDcName(DnsSuffix,Flags) for DnsSuffix.

Provider: Microsoft-Windows-NlaSvc
Channel: Diagnostic
Task: DsGetDcName(DnsSuffix)
Opcode: Start

Description

Start DsGetDcName(DnsSuffix,Flags) for DnsSuffix.

Message #

Start DsGetDcName(%1,%2) for DnsSuffix

Fields #

Name	Description
`DnsSuffix` UnicodeString
`Flags` UInt32
`ErrorCode` UInt32
`RetrievedDomain` UnicodeString
`RetrievedForest` UnicodeString

Event ID 4312: Stop DsGetDcName(DnsSuffix,Flags) for DnsSuffix returned error ErrorCode (domain=RetrievedDomain, forest=RetrievedForest).

Provider: Microsoft-Windows-NlaSvc
Channel: Diagnostic
Task: DsGetDcName(DnsSuffix)
Opcode: Stop

Description

Stop DsGetDcName(DnsSuffix,Flags) for DnsSuffix returned error ErrorCode (domain=RetrievedDomain, forest=RetrievedForest).

Message #

Stop DsGetDcName(%1,%2) for DnsSuffix returned error %3 (domain=%4, forest=%5)

Fields #

Name	Description
`DnsSuffix` UnicodeString
`Flags` UInt32
`ErrorCode` UInt32
`RetrievedDomain` UnicodeString
`RetrievedForest` UnicodeString

Event ID 4313: DsGetDcName(DnsSuffix,Flags) for DnsSuffix failed with error ErrorCode.

Provider: Microsoft-Windows-NlaSvc
Channel: Diagnostic
Task: DsGetDcName(DnsSuffix)
Opcode: Failed

Description

DsGetDcName(DnsSuffix,Flags) for DnsSuffix failed with error ErrorCode.

Message #

DsGetDcName(%1,%2) for DnsSuffix failed with error %3

Fields #

Name	Description
`DnsSuffix` UnicodeString
`Flags` UInt32
`ErrorCode` UInt32
`RetrievedDomain` UnicodeString
`RetrievedForest` UnicodeString

Event ID 4321: Start DsGetDcName(Flags) for DS info.

Provider: Microsoft-Windows-NlaSvc
Channel: Diagnostic
Task: DsGetDcName(Ds)
Opcode: Start

Description

Start DsGetDcName(Flags) for DS info.

Message #

Start DsGetDcName(%2) for DS info

Fields #

Name	Description
`DnsSuffix` UnicodeString
`Flags` UInt32
`ErrorCode` UInt32
`RetrievedDomain` UnicodeString
`RetrievedForest` UnicodeString

Event ID 4322: Stop DsGetDcName(Flags) for DS info returned error ErrorCode (domain=RetrievedDomain, forest=RetrievedForest).

Provider: Microsoft-Windows-NlaSvc
Channel: Diagnostic
Task: DsGetDcName(Ds)
Opcode: Stop

Description

Stop DsGetDcName(Flags) for DS info returned error ErrorCode (domain=RetrievedDomain, forest=RetrievedForest).

Message #

Stop DsGetDcName(%2) for DS info returned error %3 (domain=%4, forest=%5)

Fields #

Name	Description
`DnsSuffix` UnicodeString
`Flags` UInt32
`ErrorCode` UInt32
`RetrievedDomain` UnicodeString
`RetrievedForest` UnicodeString

Event ID 4323: DsGetDcName(Flags) for DS info failed with error ErrorCode.

Provider: Microsoft-Windows-NlaSvc
Channel: Diagnostic
Task: DsGetDcName(Ds)
Opcode: Failed

Description

DsGetDcName(Flags) for DS info failed with error ErrorCode.

Message #

DsGetDcName(%2) for DS info failed with error %3

Fields #

Name	Description
`DnsSuffix` UnicodeString
`Flags` UInt32
`ErrorCode` UInt32
`RetrievedDomain` UnicodeString
`RetrievedForest` UnicodeString

Event ID 4331: Start DsGetDcName(Flags) for root domain GUID.

Provider: Microsoft-Windows-NlaSvc
Channel: Diagnostic
Task: DsGetDcName(RootDomainGuid)
Opcode: Start

Description

Start DsGetDcName(Flags) for root domain GUID.

Message #

Start DsGetDcName(%2) for root domain GUID

Fields #

Name	Description
`DnsSuffix` UnicodeString
`Flags` UInt32
`ErrorCode` UInt32
`RetrievedDomain` UnicodeString
`RetrievedForest` UnicodeString

Event ID 4332: Stop DsGetDcName(Flags) for root domain GUID returned error ErrorCode (domain=RetrievedDomain, forest=RetrievedForest).

Provider: Microsoft-Windows-NlaSvc
Channel: Diagnostic
Task: DsGetDcName(RootDomainGuid)
Opcode: Stop

Description

Stop DsGetDcName(Flags) for root domain GUID returned error ErrorCode (domain=RetrievedDomain, forest=RetrievedForest).

Message #

Stop DsGetDcName(%2) for root domain GUID returned error %3 (domain=%4, forest=%5)

Fields #

Name	Description
`DnsSuffix` UnicodeString
`Flags` UInt32
`ErrorCode` UInt32
`RetrievedDomain` UnicodeString
`RetrievedForest` UnicodeString

Event ID 4333: DsGetDcName(Flags) for root domain GUID failed with error ErrorCode.

Provider: Microsoft-Windows-NlaSvc
Channel: Operational
Task: DsGetDcName(RootDomainGuid)
Opcode: Failed

Description

DsGetDcName(Flags) for root domain GUID failed with error ErrorCode.

Message #

DsGetDcName(%2) for root domain GUID failed with error %3

Fields #

Name	Description
`DnsSuffix` UnicodeString
`Flags` UInt32
`ErrorCode` UInt32
`RetrievedDomain` UnicodeString
`RetrievedForest` UnicodeString

Event ID 4341: Start LDAP authentication on interface Interface Name (Addresses) (Try Count tries).

Provider: Microsoft-Windows-NlaSvc
Channel: Diagnostic
Task: LdapAuthentication
Opcode: Start

Description

Start LDAP authentication on interface Interface Name (Addresses) (Try Count tries).

Message #

Start LDAP authentication on interface %1 (%2) (%3 tries)

Fields #

Name	Description
`InterfaceName` UnicodeString
`Addresses` UnicodeString
`TryCount` UInt32
`ErrorCode` UInt32

Event ID 4342: Stop LDAP authentication on interface Interface Name (Addresses).

Provider: Microsoft-Windows-NlaSvc
Channel: Diagnostic
Task: LdapAuthentication
Opcode: Stop

Description

Stop LDAP authentication on interface Interface Name (Addresses).

Message #

Stop LDAP authentication on interface %1 (%2)

Fields #

Name	Description
`InterfaceName` UnicodeString
`Addresses` UnicodeString
`TryCount` UInt32
`ErrorCode` UInt32

Event ID 4343: LDAP authentication on interface Interface Name (Addresses) failed with error ErrorCode.

Provider: Microsoft-Windows-NlaSvc
Channel: Operational
Task: LdapAuthentication
Opcode: Failed

Description

LDAP authentication on interface Interface Name (Addresses) failed with error ErrorCode.

Message #

LDAP authentication on interface %1 (%2) failed with error %4

Fields #

Name	Description
`InterfaceName` UnicodeString
`Addresses` UnicodeString
`TryCount` UInt32
`ErrorCode` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-NlaSvc",
    "event_id": 4343,
    "level": "Error",
    "task": "Ldap Authentication",
    "opcode": null,
    "time_created": "2026-03-29T23:39:11.7779321+00:00",
    "computer": "JD-DC01-2022.ludus.domain",
    "channel": "Microsoft-Windows-NlaSvc/Operational"
  },
  "event_data": {
    "Addresses": "10.2.10.11",
    "Try Count": "3",
    "Interface Name": "{2A7BD48E-DDC6-4641-9F41-682F29F1D76C}",
    "ErrorCode": "81"
  }
}

Event ID 4351: Start ldap_connect(Addresses) for DC=DcName (Try Number of Try Count tries).

Provider: Microsoft-Windows-NlaSvc
Channel: Diagnostic
Task: ldap_connect
Opcode: Start

Description

Start ldap_connect(Addresses) for DC=DcName (Try Number of Try Count tries).

Message #

Start ldap_connect(%1) for DC=%2 (%3 of %4 tries)

Fields #

Name	Description
`Addresses` UnicodeString
`DcName` UnicodeString
`TryNumber` UInt32
`TryCount` UInt32
`ErrorCode` UInt32

Event ID 4352: Stop ldap_connect(Addresses) for DC=DcName (Try Number of Try Count tries).

Provider: Microsoft-Windows-NlaSvc
Channel: Diagnostic
Task: ldap_connect
Opcode: Stop

Description

Stop ldap_connect(Addresses) for DC=DcName (Try Number of Try Count tries).

Message #

Stop ldap_connect(%1) for DC=%2 (%3 of %4 tries)

Fields #

Name	Description
`Addresses` UnicodeString
`DcName` UnicodeString
`TryNumber` UInt32
`TryCount` UInt32
`ErrorCode` UInt32

Event ID 4353: ldap_connect(Addresses) for DC=DcName (Try Number of Try Count tries) failed with ErrorCode.

Provider: Microsoft-Windows-NlaSvc
Channel: Diagnostic
Task: ldap_connect
Opcode: Failed

Description

ldap_connect(Addresses) for DC=DcName (Try Number of Try Count tries) failed with ErrorCode.

Message #

ldap_connect(%1) for DC=%2 (%3 of %4 tries) failed with %5

Fields #

Name	Description
`Addresses` UnicodeString
`DcName` UnicodeString
`TryNumber` UInt32
`TryCount` UInt32
`ErrorCode` UInt32

Event ID 4354: Start ldap_bind(Addresses) for DC=DcName (Try Number of Try Count tries).

Provider: Microsoft-Windows-NlaSvc
Channel: Diagnostic
Task: ldap_bind
Opcode: Start

Description

Start ldap_bind(Addresses) for DC=DcName (Try Number of Try Count tries).

Message #

Start ldap_bind(%1) for DC=%2 (%3 of %4 tries)

Fields #

Name	Description
`Addresses` UnicodeString
`DcName` UnicodeString
`TryNumber` UInt32
`TryCount` UInt32
`ErrorCode` UInt32

Event ID 4355: Stop ldap_bind(Addresses) for DC=DcName (Try Number of Try Count tries).

Provider: Microsoft-Windows-NlaSvc
Channel: Diagnostic
Task: ldap_bind
Opcode: Stop

Description

Stop ldap_bind(Addresses) for DC=DcName (Try Number of Try Count tries).

Message #

Stop ldap_bind(%1) for DC=%2 (%3 of %4 tries)

Fields #

Name	Description
`Addresses` UnicodeString
`DcName` UnicodeString
`TryNumber` UInt32
`TryCount` UInt32
`ErrorCode` UInt32

Event ID 4356: ldap_bind(Addresses) for DC=DcName (Try Number of Try Count tries) failed with ErrorCode.

Provider: Microsoft-Windows-NlaSvc
Channel: Diagnostic
Task: ldap_bind
Opcode: Failed

Description

ldap_bind(Addresses) for DC=DcName (Try Number of Try Count tries) failed with ErrorCode.

Message #

ldap_bind(%1) for DC=%2 (%3 of %4 tries) failed with %5

Fields #

Name	Description
`Addresses` UnicodeString
`DcName` UnicodeString
`TryNumber` UInt32
`TryCount` UInt32
`ErrorCode` UInt32

Event ID 4401: Inserting identifying signature for interface InterfaceGuid.

Provider: Microsoft-Windows-NlaSvc
Channel: Diagnostic
Task: Identifying

Description

Inserting identifying signature for interface InterfaceGuid.

Message #

Inserting identifying signature for interface %1 
Source=%4 Signature=%3

Fields #

Name	Description
`InterfaceGuid` GUID
`SignatureLength` UInt16
`Signature` Binary
`SignatureSource` UInt32

Event ID 4402: Inserting identified signature for interface InterfaceGuid.

Provider: Microsoft-Windows-NlaSvc
Channel: Diagnostic
Task: Identified

Description

Inserting identified signature for interface InterfaceGuid.

Message #

Inserting identified signature for interface %1 
Source=%4 Signature=%3

Fields #

Name	Description
`InterfaceGuid` GUID
`SignatureLength` UInt16
`Signature` Binary
`SignatureSource` UInt32

Event ID 4403: Removing identified signature for interface InterfaceGuid.

Provider: Microsoft-Windows-NlaSvc
Channel: Diagnostic
Task: Disconnect

Description

Removing identified signature for interface InterfaceGuid.

Message #

Removing identified signature for interface %1 
Source=%4 Signature=%3

Fields #

Name	Description
`InterfaceGuid` GUID
`SignatureLength` UInt16
`Signature` Binary
`SignatureSource` UInt32

Event ID 4404: Inserting identified signature for interface InterfaceGuid.

Provider: Microsoft-Windows-NlaSvc
Channel: Diagnostic
Task: InsertIdentifiedSignature

Description

Inserting identified signature for interface InterfaceGuid.

Message #

Inserting identified signature for interface %1 

Source=%4 Signature=%3

Fields #

Name	Description
`InterfaceGuid` GUID
`SignatureLength` UInt16
`Signature` Binary
`SignatureSource` UInt32

Event ID 4405: Inserting identified signature for interface InterfaceGuid.

Provider: Microsoft-Windows-NlaSvc
Channel: Diagnostic
Task: Identified

Description

Inserting identified signature for interface InterfaceGuid.

Message #

Inserting identified signature for interface %1 
Source=%4 Signature=%3

Fields #

Name	Description
`InterfaceGuid` GUID
`SignatureLength` UInt16
`Signature` Binary
`SignatureSource` UInt32

Event ID 4407: Adding interface 'AdapterName' InterfaceGuid.

Provider: Microsoft-Windows-NlaSvc
Channel: Diagnostic
Task: Interface
Opcode: MediaConnect

Description

Adding interface 'AdapterName' InterfaceGuid.

Message #

Adding interface '%2' %1

Fields #

Name	Description
`InterfaceGuid` GUID
`AdapterName` UnicodeString

Event ID 4408: Removing interface 'AdapterName' InterfaceGuid.

Provider: Microsoft-Windows-NlaSvc
Channel: Diagnostic
Task: Interface
Opcode: MediaDisconnect

Description

Removing interface 'AdapterName' InterfaceGuid.

Message #

Removing interface '%2' %1

Fields #

Name	Description
`InterfaceGuid` GUID
`AdapterName` UnicodeString

Event ID 4409: Adding interface 'AdapterName' InterfaceGuid.

Provider: Microsoft-Windows-NlaSvc
Channel: Diagnostic
Task: Interface

Description

Adding interface 'AdapterName' InterfaceGuid.

Message #

Adding interface '%2' %1

Fields #

Name	Description
`InterfaceGuid` GUID
`AdapterName` UnicodeString

Event ID 4410: Inserting identified signature for interface InterfaceGuid.

Provider: Microsoft-Windows-NlaSvc
Channel: Diagnostic
Task: Identified

Description

Inserting identified signature for interface InterfaceGuid.

Message #

Inserting identified signature for interface %1 
Source=%4 Signature=%3

Fields #

Name	Description
`InterfaceGuid` GUID
`SignatureLength` UInt16
`Signature` Binary
`SignatureSource` UInt32

Event ID 4411: Inserting identified signature for interface InterfaceGuid.

Provider: Microsoft-Windows-NlaSvc
Channel: Diagnostic
Task: InsertIdentifiedSignature

Description

Inserting identified signature for interface InterfaceGuid.

Message #

Inserting identified signature for interface %1 

Source=%4 Signature=%3

Fields #

Name	Description
`InterfaceGuid` GUID
`SignatureLength` UInt16
`Signature` Binary
`SignatureSource` UInt32

Event ID 4451: Network on Reason is unlikely to be authentication-capable; authentication will continue in the background.

Provider: Microsoft-Windows-NlaSvc
Channel: Diagnostic
Task: LdapAuthentication

Description

Network on Reason is unlikely to be authentication-capable; authentication will continue in the background.

Message #

Network on %1 is unlikely to be authentication-capable; authentication will continue in the background. 
Reason: %2

Fields #

Name	Description
`InterfaceGuid` GUID
`AuthCapUnlikelyReason` UInt32
`SpeculativeTimeout` UInt32

Event ID 5001: Dhcp

Provider: Microsoft-Windows-NlaSvc
Channel: Diagnostic
Task: Dhcp
Opcode: Stabilized

Fields #

Name	Description
`InterfaceGuid` GUID
`NlaState` UInt32

Event ID 5002: Inserting identified signature for interface InterfaceGuid.

Provider: Microsoft-Windows-NlaSvc
Channel: Diagnostic
Task: InsertIdentifiedSignature

Description

Inserting identified signature for interface InterfaceGuid.

Message #

Inserting identified signature for interface %1 

Source=%2 Characteristics=%3

Fields #

Name	Description
`InterfaceGuid` GUID
`SignatureSource` UInt32
`SignatureCharacteristics` UInt32

Event ID 6101: Perftrack cancel event for interface 'AdapterName' InterfaceGuid.

Provider: Microsoft-Windows-NlaSvc
Channel: Diagnostic
Task: PerftrackCancel

Description

Perftrack cancel event for interface 'AdapterName' InterfaceGuid.

Message #

Perftrack cancel event for interface '%2' %1

Fields #

Name	Description
`InterfaceGuid` GUID
`AdapterName` UnicodeString

Event ID 6102: Perftrack cancel event for interface 'AdapterName' InterfaceGuid.

Provider: Microsoft-Windows-NlaSvc
Channel: Diagnostic
Task: PerftrackCancel

Description

Perftrack cancel event for interface 'AdapterName' InterfaceGuid.

Message #

Perftrack cancel event for interface '%2' %1

Fields #

Name	Description
`InterfaceGuid` GUID
`AdapterName` UnicodeString

Event ID 6103: Perftrack cancel event for interface 'AdapterName' InterfaceGuid.

Provider: Microsoft-Windows-NlaSvc
Channel: Diagnostic
Task: PerftrackCancel

Description

Perftrack cancel event for interface 'AdapterName' InterfaceGuid.

Message #

Perftrack cancel event for interface '%2' %1

Fields #

Name	Description
`InterfaceGuid` GUID
`AdapterName` UnicodeString

Event ID 6104: Perftrack cancel event for interface 'AdapterName' InterfaceGuid.

Provider: Microsoft-Windows-NlaSvc
Channel: Diagnostic
Task: PerftrackCancel

Description

Perftrack cancel event for interface 'AdapterName' InterfaceGuid.

Message #

Perftrack cancel event for interface '%2' %1

Fields #

Name	Description
`InterfaceGuid` GUID
`AdapterName` UnicodeString

Provenance

Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.

ETW provider GUID 63b530f8-29c9-4880-a5b4-b8179096e7b8

Defined in nlasvc.dll, which carries the event manifest.

Observed on:

WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.1, captured 2026-06-02
Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.1, captured 2026-06-02

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)