Microsoft-Windows-RRAS
84 events across 2 channels
| Event | Title | Channel | Sample |
|---|---|---|---|
| 1000 | DebugString. | Operational | N |
| 1001 | DebugString. | Operational | N |
| 1002 | DebugString. | Operational | N |
| 1003 | DebugString. | Operational | N |
| 2000 | DebugString. | Debug | N |
| 2001 | DebugString. | Debug | N |
| 2002 | DebugString. | Debug | N |
| 2003 | DebugString. | Debug | N |
| 3000 | DebugString. | Operational | N |
| 3001 | DebugString. | Operational | N |
| 3002 | DebugString. | Operational | N |
| 3003 | DebugString. | Operational | N |
| 4000 | DebugString. | Debug | N |
| 4001 | DebugString. | Debug | N |
| 4002 | DebugString. | Debug | N |
| 4003 | DebugString. | Debug | N |
| 5000 | DebugString. | Operational | N |
| 5001 | DebugString. | Operational | N |
| 5002 | DebugString. | Operational | N |
| 5003 | DebugString. | Operational | N |
| 6000 | DebugString. | Debug | N |
| 6001 | DebugString. | Debug | Y |
| 6002 | DebugString. | Debug | N |
| 6003 | DebugString. | Debug | N |
| 6004 | DebugString. | Debug | N |
| 7000 | DebugString. | Operational | N |
| 7001 | DebugString. | Operational | N |
| 7002 | DebugString. | Operational | N |
| 7003 | DebugString. | Operational | N |
| 8000 | DebugString. | Debug | N |
| 8001 | DebugString. | Debug | N |
| 8002 | DebugString. | Debug | N |
| 8003 | DebugString. | Debug | N |
| 9000 | DebugString. | Operational | N |
| 9001 | DebugString. | Operational | N |
| 9002 | DebugString. | Operational | N |
| 9003 | DebugString. | Operational | N |
| 10000 | DebugString. | Operational | N |
| 10001 | DebugString. | Debug | N |
| 10002 | DebugString. | Debug | N |
| 10003 | DebugString. | Debug | N |
| 11000 | DebugString. | Operational | N |
| 11001 | DebugString. | Operational | N |
| 11002 | DebugString. | Operational | N |
| 11003 | DebugString. | Operational | N |
| 12000 | DebugString. | Debug | Y |
| 12001 | DebugString. | Debug | N |
| 12002 | DebugString. | Debug | N |
| 12003 | DebugString. | Debug | N |
| 13000 | DebugString. | Operational | N |
| 13001 | DebugString. | Operational | N |
| 13002 | DebugString. | Operational | N |
| 13003 | DebugString. | Operational | N |
| 14000 | DebugString. | Debug | N |
| 14001 | DebugString. | Debug | Y |
| 14002 | DebugString. | Debug | N |
| 14003 | DebugString. | Debug | N |
| 15000 | DebugString. | Operational | N |
| 15001 | DebugString. | Operational | N |
| 15002 | DebugString. | Operational | N |
| 15003 | DebugString. | Operational | N |
| 16000 | DebugString. | Debug | N |
| 16001 | DebugString. | Debug | Y |
| 16002 | DebugString. | Debug | N |
| 16003 | DebugString. | Debug | N |
| 16004 | DebugString. | Debug | N |
| 17000 | DebugString. | Operational | N |
| 17001 | DebugString. | Operational | N |
| 17002 | DebugString. | Operational | N |
| 17003 | DebugString. | Operational | N |
| 18000 | DebugString. | Debug | N |
| 18001 | DebugString. | Debug | N |
| 18002 | DebugString. | Debug | N |
| 18003 | DebugString. | Debug | N |
| 18004 | DebugString. | Debug | N |
| 19000 | DebugString. | Operational | N |
| 19001 | DebugString. | Operational | N |
| 19002 | DebugString. | Operational | N |
| 19003 | DebugString. | Operational | N |
| 20000 | DebugString. | Debug | N |
| 20001 | DebugString. | Debug | N |
| 20002 | DebugString. | Debug | N |
| 20003 | DebugString. | Debug | N |
| 20004 | DebugString. | Debug | N |
Event ID 1000: DebugString.
Event ID 1001: DebugString.
Event ID 1002: DebugString.
Event ID 1003: DebugString.
Event ID 2000: DebugString.
Event ID 2001: DebugString.
Event ID 2002: DebugString.
Event ID 2003: DebugString.
Event ID 3000: DebugString.
Event ID 3001: DebugString.
Event ID 3002: DebugString.
Event ID 3003: DebugString.
Event ID 4000: DebugString.
Event ID 4001: DebugString.
Event ID 4002: DebugString.
Event ID 4003: DebugString.
Event ID 5000: DebugString.
Event ID 5001: DebugString.
Event ID 5002: DebugString.
Event ID 5003: DebugString.
Event ID 6000: DebugString.
Event ID 6001: DebugString.
Description
DebugString
Message
Fields
| Name | Description |
|---|---|
| DebugString UnicodeString | |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-RRAS",
    "guid": "{24989972-0967-4E21-A926-93854033638E}",
    "event_source_name": "",
    "event_id": 6001,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": "0x0000000000000008",
    "time_created": "2026-06-02T05:30:26.119+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 5892,
      "thread_id": 6016
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "DebugString": "FROM !!!!!WFP.LIB!!!!!!!!"
  },
  "message": ""
}
```
Event ID 6002: DebugString.
Event ID 6003: DebugString.
Event ID 6004: DebugString.
Event ID 7000: DebugString.
Event ID 7001: DebugString.
Event ID 7002: DebugString.
Event ID 7003: DebugString.
Event ID 8000: DebugString.
Event ID 8001: DebugString.
Event ID 8002: DebugString.
Event ID 8003: DebugString.
Event ID 9000: DebugString.
Event ID 9001: DebugString.
Event ID 9002: DebugString.
Event ID 9003: DebugString.
Event ID 10000: DebugString.
Event ID 10001: DebugString.
Event ID 10002: DebugString.
Event ID 10003: DebugString.
Event ID 11000: DebugString.
Event ID 11001: DebugString.
Event ID 11002: DebugString.
Event ID 11003: DebugString.
Event ID 12000: DebugString.
Description
DebugString
Message
Fields
| Name | Description |
|---|---|
| DebugString UnicodeString | |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-RRAS",
    "guid": "{24989972-0967-4E21-A926-93854033638E}",
    "event_source_name": "",
    "event_id": 12000,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": "0x0000000000000040",
    "time_created": "2026-06-02T05:30:26.119+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 4664,
      "thread_id": 20072
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "DebugString": "From !!!!!SDOWRAPPER.LIB!!!!!!!!!!"
  },
  "message": ""
}
```
Event ID 12001: DebugString.
Event ID 12002: DebugString.
Event ID 12003: DebugString.
Event ID 13000: DebugString.
Event ID 13001: DebugString.
Event ID 13002: DebugString.
Event ID 13003: DebugString.
Event ID 14000: DebugString.
Event ID 14001: DebugString.
Description
DebugString
Message
Fields
| Name | Description |
|---|---|
| DebugString UnicodeString | |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-RRAS",
    "guid": "{24989972-0967-4E21-A926-93854033638E}",
    "event_source_name": "",
    "event_id": 14001,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": "0x0000000000000080",
    "time_created": "2026-06-02T05:30:26.119+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 4588,
      "thread_id": 20488
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "DebugString": "From !!!!HOSTROUT.LIB!!!!!"
  },
  "message": ""
}
```
Event ID 14002: DebugString.
Event ID 14003: DebugString.
Event ID 15000: DebugString.
Event ID 15001: DebugString.
Event ID 15002: DebugString.
Event ID 15003: DebugString.
Event ID 16000: DebugString.
Event ID 16001: DebugString.
Description
DebugString
Message
Fields
| Name | Description |
|---|---|
| DebugString UnicodeString | |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-RRAS",
    "guid": "{24989972-0967-4E21-A926-93854033638E}",
    "event_source_name": "",
    "event_id": 16001,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": "0x0000000000000100",
    "time_created": "2026-06-02T05:30:26.118+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 5892,
      "thread_id": 6016
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "DebugString": "IPv6CP: Setting tracing parameters"
  },
  "message": ""
}
```
Event ID 16002: DebugString.
Event ID 16003: DebugString.
Event ID 16004: DebugString.
Event ID 17000: DebugString.
Event ID 17001: DebugString.
Event ID 17002: DebugString.
Event ID 17003: DebugString.
Event ID 18000: DebugString.
Event ID 18001: DebugString.
Event ID 18002: DebugString.
Event ID 18003: DebugString.
Event ID 18004: DebugString.
Event ID 19000: DebugString.
Event ID 19001: DebugString.
Event ID 19002: DebugString.
Event ID 19003: DebugString.
Event ID 20000: DebugString.
Event ID 20001: DebugString.
Event ID 20002: DebugString.
Event ID 20003: DebugString.
Event ID 20004: DebugString.
Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID {24989972-0967-4E21-A926-93854033638E}
Defined in rtutils.dll, which carries the event manifest.
Observed on:
- WS2022-20348.4893, sample captured from a live trace, binary version 10.0.20348.1, captured 2026-06-02
- WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.1, captured 2026-06-02
- Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.1, captured 2026-06-02