Microsoft-Windows-NTDSAI

15 events across 1 channel

Event ID 101: Search_V1

Provider: Microsoft-Windows-NTDSAI
Channel: Analytic
Task: Search

Message

Ldap Search operation

Fields

Name Description
Caller AnsiString
ElapsedTime UInt64
errCode UInt32
Signature GUID
CPUTime UInt64
QueueDelay UInt64

Event ID 102: Search102_V1

Provider: Microsoft-Windows-NTDSAI
Channel: Analytic
Task: Search

Message

Directory Search operation

Fields

Name Description
Caller AnsiString
ElapsedTime UInt64
Scope UInt8
BaseDN UnicodeString
Filter UnicodeString
RequestedAttributes UnicodeString
CommArg UnicodeString
errCode UInt32
Indexes AnsiString
SearchEntriesVisited UInt32
SearchEntriesReturned UInt32
QueryOptimizerState UnicodeString
Signature GUID
CPUTime UInt64
QueueDelay UInt64
ThreadKiloCyclesTime UInt64
QOTime UInt64
EntrySelectionTime UInt64
AttributeReadTime UInt64
FilterMatchTime UInt64

Event ID 103: ReplicationDirectoryReplicateNCoperation_V1

Provider: Microsoft-Windows-NTDSAI
Channel: Analytic
Task: Replication
Opcode: ReplicateNC

Message

Directory ReplicationStart operation

Fields

Name Description
DestinationGUID GUID
SourceGUID GUID
SourceName UnicodeString
NC UnicodeString
Flags UInt32
usnHighObjUpdate UInt64
usnHighPropUpdate UInt64
cMaxBytes UInt32
cMaxObjects UInt32
startTime SYSTEMTIME
correlationID GUID

Event ID 104: ReplicationDirectoryReplicateNCoperation104_V1

Provider: Microsoft-Windows-NTDSAI
Channel: Analytic
Task: Replication
Opcode: ReplicateNC

Message

Directory ReplicationProgress operation

Fields

Name Description
DestinationGUID GUID
SourceGUID GUID
NC UnicodeString
Ret UInt32
fMoreData UInt32
usnHighObjUpdate UInt64
usnHighPropUpdate UInt64
cNumObjects UInt32
cNumValues UInt32
cNumBytes UInt32
numPackets UInt32
cTickPregressInterval UInt32
correlationID GUID

Event ID 105: ReplicationDirectoryReplicateNCoperation105_V1

Provider: Microsoft-Windows-NTDSAI
Channel: Analytic
Task: Replication
Opcode: ReplicateNC

Message

Directory ReplicationEnd operation

Fields

Name Description
DestinationGUID GUID
SourceGUID GUID
NC UnicodeString
Ret UInt32
SyncFailure UInt32
RepFlags UInt32
numPackets UInt32
usnHighObjUpdate UInt64
usnHighPropUpdate UInt64
TotalBytesReceived UInt32
TotalObjectsReceived UInt32
TotalObjectsCreated UInt32
TotalValuesReceived UInt32
TotalValuesCreated UInt32
cTickReplicateNC UInt32
cTickUpdateNC UInt32
correlationID GUID

Event ID 106: Statistic_V1

Provider: Microsoft-Windows-NTDSAI
Channel: Analytic
Task: Statistic

Message

Batch Conflict

Fields

Name Description
Blocked_CorrelationID GUID
Blocking_CorrelationID GUID
Blocked_DSCorrelationID GUID
Blocking_DSCorrelationID GUID
Blocked_DsName UnicodeString
Blocking_DsName UnicodeString
Blocked_AttributeName AnsiString
Blocking_AttributeName AnsiString
Blocked_Scope UInt32
Blocking_Scope UInt32
Blocked_AttributeLockType UInt8
Blocking_AttributeLockType UInt8

Event ID 107: Statistic107_V1

Provider: Microsoft-Windows-NTDSAI
Channel: Analytic
Task: Statistic

Message

Thread State Dump

Fields

Name Description
SnapshotID GUID
ThreadName UnicodeString
LdapDn UnicodeString
SystemThreadID UInt32
CorrelationID GUID
MemoryUsage UInt64
ElapsedMS UInt32
BlockedBy GUID
Blocking GUID
RawCallData UInt64
DSIDHi UInt16
DSIDLo UInt16
Build UnicodeString
NumaProcessor UInt32

Event ID 108: Statistic108_V1

Provider: Microsoft-Windows-NTDSAI
Channel: Analytic
Task: Statistic

Message

Write Conflict

Fields

Name Description
CorrelationID GUID
Caller AnsiString
ThreadLabel UnicodeString
Description AnsiString
Subsystem UInt32
DSID UInt32
Build UnicodeString

Event ID 109: SecurityAuditDirectoryIDL_DRSReplicaSyncRPCCallSecurityAudit_V1

Provider: Microsoft-Windows-NTDSAI
Channel: Analytic
Task: SecurityAudit
Opcode: IDL_DRSReplicaSync

Message

IDL_DRSReplicaSync RPC call

Fields

Name Description
CallerSID AnsiString
CallerIP AnsiString
NC UnicodeString
Ret UInt32

Event ID 110: SecurityAuditDirectoryIDL_DRSGetNCChangesRPCCallSecurityAudit_V1

Provider: Microsoft-Windows-NTDSAI
Channel: Analytic
Task: SecurityAudit
Opcode: IDL_DRSGetNCChanges

Message

IDL_DRSGetNCChanges RPC call

Fields

Name Description
CallerSID AnsiString
CallerIP AnsiString
NC UnicodeString
ObjectGUIDSizeInBytes UInt32
ObjectGUIDs Binary
Ret UInt32

Event ID 111: SecurityAuditDirectoryGroupPolicyContainerUpdateSecurityAudit_V1

Provider: Microsoft-Windows-NTDSAI
Channel: Analytic
Task: SecurityAudit
Opcode: GPO_Update

Message

GPO Update

Fields

Name Description
CallerSID AnsiString
CallerIP AnsiString
DSName UnicodeString
Operation UnicodeString

Event ID 112: SecurityAuditDirectoryLDAPReadSecurityAudit_V1

Provider: Microsoft-Windows-NTDSAI
Channel: Analytic
Task: SecurityAudit
Opcode: LDAPReadAudit

Message

LDAP Read Audit

Fields

Name Description
CallerSID AnsiString
CallerIP AnsiString
Base UnicodeString
Scope UInt32
Filter UnicodeString

Event ID 113: SecurityAuditDirectoryLDAPPingSecurityAudit_V1

Provider: Microsoft-Windows-NTDSAI
Channel: Analytic
Task: SecurityAudit
Opcode: LDAPPingAudit

Message

LDAP Ping Audit

Fields

Name Description
CallerSID SID
CallerIP AnsiString
ResponseWithOpcode UnicodeString
Filter UnicodeString

Event ID 114: SecurityAuditDirectoryLDAPBindSecurityAudit_V1

Provider: Microsoft-Windows-NTDSAI
Channel: Analytic
Task: SecurityAudit
Opcode: LDAPBindAudit

Message

LDAP Bind Audit

Fields

Name Description
AuthenticatedUSerIdentity SID
CallerIP AnsiString
AuthenticationMethod AnsiString
BindResultCodeAndMsg AnsiString

Event ID 115: Statistic115_V1

Provider: Microsoft-Windows-NTDSAI
Channel: Analytic
Task: Statistic

Message

Directory Request

Fields

Name Description
CorrelationID GUID
Caller AnsiString
Label UnicodeString
DN UnicodeString
RequestType UInt32
SearchEntriesVisited UInt32
SearchEntriesReturned UInt32
EstimatedLinkExpense UInt32
ThreadSleepTime UInt32
LdapStatusCode UInt32
ProblemCode UInt16
ProblemData UInt32
Win32Error UInt32
ErrorDSID UInt32
RetryCount UInt32
WillRetry UInt32
CpuTime UInt32
CallTime UInt32
RemoteRPCTime UInt32
LdapTime UInt32
QueueDelay UInt32
MemoryUsage UInt64
Build UnicodeString

Provenance

Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.

ETW provider GUID 552accf2-909b-5c66-f987-b7f5d250edcd

Defined in ntdsai.dll, which carries the event manifest.

Observed on:

  • WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.4767, captured 2026-06-02
