Microsoft-Windows-RPC
17 events across 2 channels
| Event | Title | Channel | Sample |
|---|---|---|---|
| 1 | Extended Error Information. | EEInfo | Y |
| 2 | An RPC call was blocked by an RPC firewall filter. | Debug | N |
| 3 | An error occured. | Debug | N |
| 4 | RPC Log Event. | Debug | Y |
| 5 | Client RPC call started. | Debug | Y |
| 6 | Server RPC call started. | Debug | Y |
| 7 | Client RPC call completed. | Debug | Y |
| 8 | Server RPC call was completed. | Debug | Y |
| 9 | Call failed due to RpcRaiseException. | Debug | Y |
| 10 | RPC received a packet | Debug | N |
| 11 | RPC sent a packet | Debug | N |
| 12 | RPC/HTTP start event | Debug | N |
| 13 | RPC/HTTP stop event | Debug | N |
| 14 | RPC interface registered. | Debug | Y |
| 15 | RPC interface unregistered. | Debug | Y |
| 16 | RPC Server bound to protocol. | Debug | Y |
| 17 | RPC interface re-triggering failed with error RPC Status. | Debug | N |
Event ID 1: Extended Error Information.
Description
Extended Error Information.
Message
Fields
| Name | Type | Description |
|---|---|---|
| ImageName | UnicodeString | |
| ComputerName | UnicodeString | [Extended Error Information] ComputerName. |
| ProcessID | UInt32 | |
| TimeStamp | SYSTEMTIME | |
| GeneratingComponent | UInt32 | |
| Status | HexInt32 | NTSTATUS reference |
| DetectionLocation | UInt16 | |
| Flags | UInt16 | |
| NumberOfParameters | UInt16 | |
| Params | UInt64 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-RPC",
"guid": "{6ad52b32-d609-4be9-ae07-ce8dae937e39}",
"event_source_name": "",
"event_id": "1",
"version": "1",
"level": "2",
"task": "1",
"opcode": "2",
"keywords": 9223372036854775808,
"time_created": "2026-03-15T23:30:32.748148700+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{ddfcc07c-682f-4c87-aa7a-a64b052307bc}"
},
"execution": {
"process_id": "7800",
"thread_id": "1480"
},
"channel": "Microsoft-Windows-RPC/EEInfo",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"ImageName": "DFSRs.exe",
"ComputerName": "",
"ProcessID": " 7800",
"TimeStamp": "2026-03-15T23:30:32.749Z",
"GeneratingComponent": " 2",
"Status": "0x6D9",
"DetectionLocation": "883",
"Flags": "0",
"NumberOfParameters": "0",
"Params": "\n\t\t"
},
"message": ""
}
Event ID 2: An RPC call was blocked by an RPC firewall filter.
Event ID 3: An error occured.
Description
An error occured.
Message
Fields
| Name | Type | Description |
|---|---|---|
| ImageName | UnicodeString | |
| DetectionLocation | UInt16 | |
| Status | UInt32 | NTSTATUS reference |
| AdditionalData1 | HexInt32 | |
| AdditionalData2 | HexInt32 | |
Event ID 4: RPC Log Event.
Description
RPC Log Event.
Message
Fields
| Name | Type | Description |
|---|---|---|
| Subject | UInt8 | |
| Verb | UInt8 | |
| SubjectPointer | UInt64 | |
| ObjectPointer | UInt64 | |
| DataPointer | UInt64 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-RPC",
"guid": "{6ad52b32-d609-4be9-ae07-ce8dae937e39}",
"event_source_name": "",
"event_id": "4",
"version": "1",
"level": "5",
"task": "3",
"opcode": "0",
"keywords": 4611686018427387904,
"time_created": "2026-03-15T04:33:21.215462200+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{3752554e-5fb8-4d7f-a7ce-5882de61dd12}"
},
"execution": {
"process_id": "1208",
"thread_id": "15148"
},
"channel": "Microsoft-Windows-RPC/Debug",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"Subject": "108",
"Verb": "45",
"SubjectPointer": "0x256B32635E0",
"ObjectPointer": "0x0",
"DataPointer": "0x1"
},
"message": ""
}
Event ID 5: Client RPC call started.
Description
Client RPC call started. InterfaceUuid: InterfaceUuid OpNum: ProcNum Protocol: Protocol NetworkAddress NetworkAddress Endpoint Endpoint Binding Options Options Authentication Level AuthenticationLevel Authentication Service AuthenticationService Impersonation Level ImpersonationLevel.
Message
Fields
| Name | Type | Description |
|---|---|---|
| InterfaceUuid | GUID | |
| ProcNum | UInt32 | |
| Protocol | UInt32 | |
| NetworkAddress | UnicodeString | |
| Endpoint | UnicodeString | |
| Options | UnicodeString | |
| AuthenticationLevel | UInt32 | |
| AuthenticationService | UInt32 | |
| ImpersonationLevel | UInt32 | Impersonation level (SecurityAnonymous=0, SecurityIdentification=1, SecurityImpersonation=2, SecurityDelegation=3). |
Example Event
{
"system": {
"provider": "Microsoft-Windows-RPC",
"guid": "{6ad52b32-d609-4be9-ae07-ce8dae937e39}",
"event_source_name": "",
"event_id": "5",
"version": "1",
"level": "4",
"task": "1",
"opcode": "1",
"keywords": 4611686018427387904,
"time_created": "2026-03-15T04:33:21.215705400+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{a5815ac6-1491-48eb-83e1-5dce6480a060}"
},
"execution": {
"process_id": "7284",
"thread_id": "6724"
},
"channel": "Microsoft-Windows-RPC/Debug",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"InterfaceUuid": "{4f32adc8-6052-4a04-8701-293ccf2096f0}",
"ProcNum": "0xE",
"Protocol": " 3",
"NetworkAddress": "NULL",
"Endpoint": "lsasspirpc",
"Options": "NULL",
"AuthenticationLevel": " 6",
"AuthenticationService": " 20",
"ImpersonationLevel": " 0"
},
"message": ""
}
Event ID 6: Server RPC call started.
Description
Server RPC call started. InterfaceUuid: InterfaceUuid OpNum: ProcNum Protocol: Protocol Endpoint Endpoint Authentication Level AuthenticationLevel Authentication Service AuthenticationService.
Message
Fields
| Name | Type | Description |
|---|---|---|
| InterfaceUuid | GUID | |
| ProcNum | UInt32 | |
| Protocol | UInt32 | |
| NetworkAddress | UnicodeString | |
| Endpoint | UnicodeString | |
| Options | UnicodeString | |
| AuthenticationLevel | UInt32 | |
| AuthenticationService | UInt32 | |
| ImpersonationLevel | UInt32 | Impersonation level (SecurityAnonymous=0, SecurityIdentification=1, SecurityImpersonation=2, SecurityDelegation=3). |
Example Event
{
"system": {
"provider": "Microsoft-Windows-RPC",
"guid": "{6ad52b32-d609-4be9-ae07-ce8dae937e39}",
"event_source_name": "",
"event_id": "6",
"version": "1",
"level": "4",
"task": "2",
"opcode": "1",
"keywords": 4611686018427387904,
"time_created": "2026-03-15T04:33:21.215559300+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{8c1139c0-0115-4536-ab2e-f8988fa6709c}"
},
"execution": {
"process_id": "7284",
"thread_id": "6724"
},
"channel": "Microsoft-Windows-RPC/Debug",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"InterfaceUuid": "{9556dc99-828c-11cf-a37e-00aa003240c7}",
"ProcNum": "0x13",
"Protocol": " 3",
"NetworkAddress": "NULL",
"Endpoint": "OLEA4C20506C22A06548F25B11DD64D",
"Options": "NULL",
"AuthenticationLevel": " 6",
"AuthenticationService": " 20",
"ImpersonationLevel": " 0"
},
"message": ""
}
Event ID 7: Client RPC call completed.
Description
Client RPC call completed. Status: Status.
Message
Fields
| Name | Type | Description |
|---|---|---|
| Status | UInt32 | NTSTATUS reference |
Example Event
{
"system": {
"provider": "Microsoft-Windows-RPC",
"guid": "{6ad52b32-d609-4be9-ae07-ce8dae937e39}",
"event_source_name": "",
"event_id": "7",
"version": "1",
"level": "4",
"task": "1",
"opcode": "2",
"keywords": 4611686018427387904,
"time_created": "2026-03-15T04:33:21.215489700+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{49470a04-b8d9-40fa-a695-fb986574536f}"
},
"execution": {
"process_id": "4020",
"thread_id": "2900"
},
"channel": "Microsoft-Windows-RPC/Debug",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"Status": "0x0"
},
"message": ""
}
Event ID 8: Server RPC call was completed.
Description
Server RPC call was completed. Status: Status.
Message
Fields
| Name | Type | Description |
|---|---|---|
| Status | UInt32 | NTSTATUS reference |
Example Event
{
"system": {
"provider": "Microsoft-Windows-RPC",
"guid": "{6ad52b32-d609-4be9-ae07-ce8dae937e39}",
"event_source_name": "",
"event_id": "8",
"version": "1",
"level": "4",
"task": "2",
"opcode": "2",
"keywords": 4611686018427387904,
"time_created": "2026-03-15T04:33:21.215464600+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{3752554e-5fb8-4d7f-a7ce-5882de61dd12}"
},
"execution": {
"process_id": "1208",
"thread_id": "15148"
},
"channel": "Microsoft-Windows-RPC/Debug",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"Status": "0x0"
},
"message": ""
}
Event ID 9: Call failed due to RpcRaiseException.
Description
Call failed due to RpcRaiseException. Status: Status.
Message
Fields
| Name | Type | Description |
|---|---|---|
| Status | UInt32 | NTSTATUS reference |
Example Event
{
"system": {
"provider": "Microsoft-Windows-RPC",
"guid": "{6ad52b32-d609-4be9-ae07-ce8dae937e39}",
"event_source_name": "",
"event_id": "9",
"version": "1",
"level": "5",
"task": "0",
"opcode": "0",
"keywords": 4611686018427387904,
"time_created": "2026-03-15T23:30:32.748153900+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{ddfcc07c-682f-4c87-aa7a-a64b052307bc}"
},
"execution": {
"process_id": "7800",
"thread_id": "1480"
},
"channel": "Microsoft-Windows-RPC/Debug",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"Status": "0x6D9"
},
"message": ""
}
Event ID 10: RPC received a packet
Event ID 11: RPC sent a packet
Event ID 12: RPC/HTTP start event
Description
RPC/HTTP start event.
Message
Fields
| Name | Type | Description |
|---|---|---|
| ObjectType | UInt32 | |
| Operation | UInt32 | |
| Address | UInt64 | |
| Data | UInt64 | |
Event ID 13: RPC/HTTP stop event
Description
RPC/HTTP stop event.
Message
Fields
| Name | Type | Description |
|---|---|---|
| ObjectType | UInt32 | |
| Operation | UInt32 | |
| Address | UInt64 | |
| Data | UInt64 | |
Event ID 14: RPC interface registered.
Description
RPC interface registered. Interface UUID InterfaceUuid TypeMgr TypeMgrUuid Flags Flags Max Calls Max Calls.
Message
Fields
| Name | Type | Description |
|---|---|---|
| InterfaceUuid | GUID | |
| TypeMgrUuid | GUID | |
| Flags | UInt32 | |
| MaxCalls | UInt32 | |
| SDSize | UInt32 | |
| SD | Binary | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-RPC",
"guid": "{6ad52b32-d609-4be9-ae07-ce8dae937e39}",
"event_source_name": "",
"event_id": "14",
"version": "1",
"level": "4",
"task": "4",
"opcode": "1",
"keywords": 4611686018427387904,
"time_created": "2026-03-15T04:33:34.952456400+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{6ac3d8ef-0d1a-428d-b5ba-29d4db562727}"
},
"execution": {
"process_id": "4368",
"thread_id": "10432"
},
"channel": "Microsoft-Windows-RPC/Debug",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"InterfaceUuid": "{00000001-0000-0000-c000-000000000046}",
"TypeMgrUuid": "{00000000-0000-0000-0000-000000000000}",
"Flags": "0x53",
"Max Calls": " 1234",
"SDSize": " 164",
"SD": "0x0100048000000000000000000000000014000000020090000200000000001400FFFFF3EF01010000000000010000000000001400FFFFF3EF010100000000000507000000000000000000000000000000000000000000000000000000FFFFFFFF0000000000000000000000000000000000000000000000000000000000000000000000000100000004000000000000000000000000000000000000000000000000000000"
},
"message": ""
}
Event ID 15: RPC interface unregistered.
Description
RPC interface unregistered. Interface UUID InterfaceUuid TypeMgr.
Message
Fields
| Name | Type | Description |
|---|---|---|
| InterfaceUuid | GUID | |
| TypeMgrUuid | GUID | |
| Flags | UInt32 | |
| MaxCalls | UInt32 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-RPC",
"guid": "{6ad52b32-d609-4be9-ae07-ce8dae937e39}",
"event_source_name": "",
"event_id": "15",
"version": "1",
"level": "4",
"task": "4",
"opcode": "2",
"keywords": 4611686018427387904,
"time_created": "2026-03-15T23:26:30.306713200+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "13380",
"thread_id": "9092"
},
"channel": "Microsoft-Windows-RPC/Debug",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"InterfaceUuid": "{18f70770-8e64-11cf-9af1-0020af6e72f4}",
"TypeMgrUuid": "{00000000-0000-0000-0000-000000000000}",
"Flags": "0x0",
"Max Calls": " 0"
},
"message": ""
}
Event ID 16: RPC Server bound to protocol.
Description
RPC Server bound to protocol. Protocol Protocol Endpoint Endpoint.
Message
Fields
| Name | Type | Description |
|---|---|---|
| Protocol | UnicodeString | |
| Endpoint | UnicodeString | |
| NetworkAddress | UnicodeString | |
| PendingQueueSize | UInt32 | |
| EndpointFlags | UInt32 | |
| NicFlags | UInt32 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-RPC",
"guid": "{6ad52b32-d609-4be9-ae07-ce8dae937e39}",
"event_source_name": "",
"event_id": "16",
"version": "1",
"level": "4",
"task": "4",
"opcode": "1",
"keywords": 4611686018427387904,
"time_created": "2026-03-15T23:27:13.914822600+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "10844",
"thread_id": "8932"
},
"channel": "Microsoft-Windows-RPC/Debug",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"Protocol": "ncalrpc",
"Endpoint": "OLE173E898F7677BDB64DE2071842AC",
"NetworkAddress": "NULL",
"PendingQueueSize": " 11",
"EndpointFlags": "0x0",
"NicFlags": "0x0"
},
"message": ""
}
Event ID 17: RPC interface re-triggering failed with error RPC Status.
Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID {6AD52B32-D609-4BE9-AE07-CE8DAE937E39}
Defined in rpcrt4.dll, which carries the event manifest.
Observed on:
- WS2022-20348.4893, sample captured from a live trace, binary version 10.0.20348.2849, captured 2026-06-02
- WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.2849, captured 2026-06-02
- Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.1, captured 2026-06-02