Microsoft-Windows-SMBClient
181 events across 9 channels
Event ID 101: Create SrvCall Error: ErrorCode Location: Location Context: Context.
#Event ID 201: Session Setup Error: ErrorCode Location: Location Context: Context.
#Event ID 301: Tree Connect Error: ErrorCode Location: Location Context: Context.
#Event ID 401: Create VNetRoot Error: ErrorCode Location: Location Context: Context.
#Event ID 501: Create File Error: ErrorCode Location: Location Context: Context.
#Event ID 2000: Packet Fragment (FragmentSize bytes).
#Event ID 20001: Transitioned to State: CurrentOrNextState Context: Context.
#Event ID 30101: SMB ISC request: SessionEntry {SessionEntry} ServerName {ServerName}.
#Event ID 30102: SMB ISC completion: SessionEntry {SessionEntry} ServerName {ServerName} Status {Status}.
#Description
SMB ISC completion: SessionEntry {SessionEntry} ServerName {ServerName} Status {Status}.
Message #
Fields #
| Name | Description |
|---|---|
SessionEntry | |
ServerName | |
Status | NTSTATUS reference |
Event ID 30103: SMB exchange suspended: RxContext RxContext Exchange Exchange ListHead ListHead.
#Event ID 30104: SMB exchange resumed: RxContext RxContext Exchange Exchange ExchangeState ExchangeState ExchangeStatus ExchangeStatus.
#Event ID 30105: SMB buffer context suspended: BufferCtxt BufferCtxt Exchange Exchange MidCharge MidCharge Window Window CurrentWindowLimit CurrentWindowLimit ThrottlingWindowLimit ThrottlingWindowLimit CurrentWind...
#Description
SMB buffer context suspended: BufferCtxt BufferCtxt Exchange Exchange MidCharge MidCharge Window Window CurrentWindowLimit CurrentWindowLimit ThrottlingWindowLimit ThrottlingWindowLimit CurrentWindowSize CurrentWindowSize.
Message #
Fields #
| Name | Description |
|---|---|
BufferCtxt Pointer | |
Exchange Pointer | |
MidCharge UInt32 | |
Window Pointer | |
CurrentWindowLimit UInt32 | |
ThrottlingWindowLimit UInt32 | |
CurrentWindowSize UInt32 |
Event ID 30106: SMB buffer context resumed: BufferCtxt BufferCtxt Exchange Exchange MidCharge MidCharge Window Window CurrentWindowLimit CurrentWindowLimit ThrottlingWindowLimit ThrottlingWindowLimit CurrentWindow...
#Description
SMB buffer context resumed: BufferCtxt BufferCtxt Exchange Exchange MidCharge MidCharge Window Window CurrentWindowLimit CurrentWindowLimit ThrottlingWindowLimit ThrottlingWindowLimit CurrentWindowSize CurrentWindowSize.
Message #
Fields #
| Name | Description |
|---|---|
BufferCtxt Pointer | |
Exchange Pointer | |
MidCharge UInt32 | |
Window Pointer | |
CurrentWindowLimit UInt32 | |
ThrottlingWindowLimit UInt32 | |
CurrentWindowSize UInt32 |
Event ID 30107: SMB exchange expired: Exchange {Exchange} Window {Window}.
#Event ID 30108: SMB Mid window blocked: Window Window HungSession HungSession.
#Event ID 30109: SMB rechunk multi-credit request: BufferCtxt BufferCtxt Exchange Exchange MidCharge MidCharge Window Window CurrentWindowLimit CurrentWindowLimit ThrottlingWindowLimit ThrottlingWindowLimit Current...
#Description
SMB rechunk multi-credit request: BufferCtxt BufferCtxt Exchange Exchange MidCharge MidCharge Window Window CurrentWindowLimit CurrentWindowLimit ThrottlingWindowLimit ThrottlingWindowLimit CurrentWindowSize CurrentWindowSize.
Message #
Fields #
| Name | Description |
|---|---|
BufferCtxt Pointer | |
Exchange Pointer | |
MidCharge UInt32 | |
Window Pointer | |
CurrentWindowLimit UInt32 | |
ThrottlingWindowLimit UInt32 | |
CurrentWindowSize UInt32 |
Event ID 30110: SMB initialize Mid window: Server ServerName Window MidWindow.
#Event ID 30111: SMB Mid window state: Window MidWindow CurrentWindowSize CurrentWindowSize CurrentWindowLimit CurrentWindowLimit ThrottlingWindowLimit ThrottlingWindowLimit OldestPendingMid OldestPendingMid NextAv...
#Description
SMB Mid window state: Window MidWindow CurrentWindowSize CurrentWindowSize CurrentWindowLimit CurrentWindowLimit ThrottlingWindowLimit ThrottlingWindowLimit OldestPendingMid OldestPendingMid NextAvailableMid NextAvailableMid CreditsGranted CreditsGranted.
Message #
Fields #
| Name | Description |
|---|---|
MidWindow Pointer | |
CurrentWindowSize UInt32 | |
CurrentWindowLimit UInt32 | |
ThrottlingWindowLimit UInt32 | |
OldestPendingMid UInt64 | |
NextAvailableMid UInt64 | |
CreditsGranted Int32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SMBClient",
"guid": "{988C59C5-0A1C-45B6-A555-0C62276E327D}",
"event_source_name": "",
"event_id": 30111,
"version": 0,
"level": 5,
"task": 0,
"opcode": 0,
"keywords": "0x1000000000000001",
"time_created": "2026-06-02T06:02:54.813+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 8936
},
"channel": "ETW Trace",
"computer": "DESKTOP-FF3N5XK",
"security": {
"user_id": ""
}
},
"event_data": {
"CreditsGranted": 0,
"CurrentWindowLimit": 33,
"CurrentWindowSize": 1,
"MidWindow": "0xFFFFBD09ED260610",
"NextAvailableMid": 7,
"OldestPendingMid": 6,
"ThrottlingWindowLimit": 2
},
"message": "SmbMidWindowState "
}
Event ID 30112: SMB teardown Mid window: Server ServerName Window MidWindow.
#Description
SMB teardown Mid window: Server ServerName Window MidWindow.
Message #
Fields #
| Name | Description |
|---|---|
ServerNameLength UInt16 | |
ServerName UnicodeString | |
MidWindow Pointer |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SMBClient",
"guid": "{988C59C5-0A1C-45B6-A555-0C62276E327D}",
"event_source_name": "",
"event_id": 30112,
"version": 0,
"level": 5,
"task": 0,
"opcode": 0,
"keywords": "0x1000000000000001",
"time_created": "2026-06-02T06:02:54.815+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 8936
},
"channel": "ETW Trace",
"computer": "DESKTOP-FF3N5XK",
"security": {
"user_id": ""
}
},
"event_data": {
"MidWindow": "0xFFFFBD09ED260610",
"ServerName": "",
"ServerNameLength": 0
},
"message": "SmbTeardownMidWindow "
}
Event ID 30113: SMB copy data completion: Status Status VcEndpoint VcEndpoint.
#Description
SMB copy data completion: Status Status VcEndpoint VcEndpoint.
Message #
Fields #
| Name | Description |
|---|---|
Status UInt32 | NTSTATUS reference |
VcEndpoint Pointer |
Event ID 30114: SMB send completion: Status Status VcEndpoint VcEndpoint.
#Description
SMB send completion: Status Status VcEndpoint VcEndpoint.
Message #
Fields #
| Name | Description |
|---|---|
Status UInt32 | NTSTATUS reference |
VcEndpoint Pointer |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SMBClient",
"guid": "{988C59C5-0A1C-45B6-A555-0C62276E327D}",
"event_source_name": "",
"event_id": 30114,
"version": 0,
"level": 5,
"task": 0,
"opcode": 0,
"keywords": "0x1000000000000001",
"time_created": "2026-06-02T06:02:54.814+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 10660,
"thread_id": 17284
},
"channel": "ETW Trace",
"computer": "DESKTOP-FF3N5XK",
"security": {
"user_id": ""
}
},
"event_data": {
"Status": 0,
"VcEndpoint": "0xFFFFBD09F3610AE0"
},
"message": "SmbSendCompletion "
}
Event ID 30201: WSK get address info request: ServerName {ServerName} Irp {Irp}.
#Event ID 30202: WSK get address info completion: Irp {Irp} Status {Status}.
#Description
WSK get address info completion: Irp {Irp} Status {Status}.
Message #
Fields #
| Name | Description |
|---|---|
Irp | |
Status | NTSTATUS reference |
Event ID 30203: WSK connect: SocketAddress RemoteAddress VcEndpoint VcEndpoint Socket Socket.
#Event ID 30204: WSK connect completion: VcEndpoint VcEndpoint Socket Socket Status Status.
#Description
WSK connect completion: VcEndpoint VcEndpoint Socket Socket Status Status.
Message #
Fields #
| Name | Description |
|---|---|
VcEndpoint Pointer | |
Socket Pointer | |
Status UInt32 | NTSTATUS reference |
ConnectionType UInt32 |
Event ID 30205: WSK send: VcEndpoint VcEndpoint Socket Socket SendMdl SendMdl SendLength SendLength.
#Description
WSK send: VcEndpoint VcEndpoint Socket Socket SendMdl SendMdl SendLength SendLength.
Message #
Fields #
| Name | Description |
|---|---|
VcEndpoint Pointer | |
Socket Pointer | |
SendMdl Pointer | |
SendLength UInt32 | |
ConnectionType UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SMBClient",
"guid": "{988C59C5-0A1C-45B6-A555-0C62276E327D}",
"event_source_name": "",
"event_id": 30205,
"version": 2,
"level": 5,
"task": 0,
"opcode": 0,
"keywords": "0x1000000000000002",
"time_created": "2026-06-02T06:02:54.813+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 8936
},
"channel": "ETW Trace",
"computer": "DESKTOP-FF3N5XK",
"security": {
"user_id": ""
}
},
"event_data": {
"ConnectionType": 1,
"SendLength": 72,
"SendMdl": "0xFFFFBD09F1C62860",
"Socket": "0xFFFFBD09F4380208",
"VcEndpoint": "0xFFFFBD09F3610AE0"
},
"message": "NetSend "
}
Event ID 30206: WSK send completion: VcEndpoint VcEndpoint Socket Socket SendMdl SendMdl SendLength SendLength Status Status.
#Description
WSK send completion: VcEndpoint VcEndpoint Socket Socket SendMdl SendMdl SendLength SendLength Status Status.
Message #
Fields #
| Name | Description |
|---|---|
VcEndpoint Pointer | |
Socket Pointer | |
SendMdl Pointer | |
SendLength UInt32 | |
Status UInt32 | NTSTATUS reference |
ConnectionType UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SMBClient",
"guid": "{988C59C5-0A1C-45B6-A555-0C62276E327D}",
"event_source_name": "",
"event_id": 30206,
"version": 2,
"level": 5,
"task": 0,
"opcode": 0,
"keywords": "0x1000000000000002",
"time_created": "2026-06-02T06:02:54.814+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 10660,
"thread_id": 17284
},
"channel": "ETW Trace",
"computer": "DESKTOP-FF3N5XK",
"security": {
"user_id": ""
}
},
"event_data": {
"ConnectionType": 1,
"SendLength": 68,
"SendMdl": "0xFFFFBD09F1961DD0",
"Socket": "0xFFFFBD09F4380208",
"Status": 0,
"VcEndpoint": "0xFFFFBD09F3610AE0"
},
"message": "NetSendCompletion "
}
Event ID 30207: WSK receive: VcEndpoint VcEndpoint Socket Socket ReceiveMdl SendMdl ReceiveLength SendLength.
#Event ID 30208: WSK receive completion: VcEndpoint VcEndpoint Socket Socket ReceiveMdl SendMdl ReceiveLength SendLength Status Status.
#Description
WSK receive completion: VcEndpoint VcEndpoint Socket Socket ReceiveMdl SendMdl ReceiveLength SendLength Status Status.
Message #
Fields #
| Name | Description |
|---|---|
VcEndpoint Pointer | |
Socket Pointer | |
SendMdl Pointer | |
SendLength UInt32 | |
Status UInt32 | NTSTATUS reference |
ConnectionType UInt32 |
Event ID 30209: Compression requested for file object Smb2Fobx: Status Status.
#Description
Compression requested for file object Smb2Fobx: Status Status.
Message #
Fields #
| Name | Description |
|---|---|
VcEndpoint Pointer | |
Socket Pointer | |
Smb2Fobx Pointer | |
Status UInt32 | NTSTATUS reference |
Event ID 30210: Decompression failed: VcEndpoint VcEndpoint Socket Socket ReceiveBuffer SendMdl ReceiveLength SendLength Status Status.
#Description
Decompression failed: VcEndpoint VcEndpoint Socket Socket ReceiveBuffer SendMdl ReceiveLength SendLength Status Status.
Message #
Fields #
| Name | Description |
|---|---|
VcEndpoint Pointer | |
Socket Pointer | |
SendMdl Pointer | |
SendLength UInt32 | |
Status UInt32 | NTSTATUS reference |
ConnectionType UInt32 |
Event ID 30211: Compression failed: VcEndpoint VcEndpoint Socket Socket SendBuffer SendMdl SendLength SendLength Status Status.
#Description
Compression failed: VcEndpoint VcEndpoint Socket Socket SendBuffer SendMdl SendLength SendLength Status Status.
Message #
Fields #
| Name | Description |
|---|---|
VcEndpoint Pointer | |
Socket Pointer | |
SendMdl Pointer | |
SendLength UInt32 | |
Status UInt32 | NTSTATUS reference |
ConnectionType UInt32 |
Event ID 30401: SMB session expired: SessionEntry SessionEntry ServerName ServerName.
#Event ID 30402: SMB 3 part SPN reauth: SessionEntry SessionEntry ServiceName ServerName.
#Event ID 30403: SMB reconnect durable open: Fcb Fcb SrvOpen SrvOpen.
#Event ID 30404: SMB defer open: Fcb Fcb SrvOpen SrvOpen.
#Event ID 30405: SMB undefer open: Fcb Fcb SrvOpen SrvOpen.
#Event ID 30406: SMB send[Count]: [Command] (Mid/Sid/Tid) (MessageId/SessionId/TreeId) MidCharge MidCharge Creds CreditRequested SendLengh SendLength VcEndpoint VcEndpoint.
#Description
SMB send[Count]: [Command] (Mid/Sid/Tid) (MessageId/SessionId/TreeId) MidCharge MidCharge Creds CreditRequested SendLengh SendLength VcEndpoint VcEndpoint.
Message #
Fields #
| Name | Description |
|---|---|
Count UInt32 | |
Command AnsiString | |
MessageId UInt64 | |
SessionId UInt64 | |
TreeId UInt32 | |
MidCharge UInt16 | |
CreditRequested UInt16 | |
SendLength UInt32 | |
VcEndpoint Pointer |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SMBClient",
"guid": "{988C59C5-0A1C-45B6-A555-0C62276E327D}",
"event_source_name": "",
"event_id": 30406,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": "0x1000000000000004",
"time_created": "2026-06-02T06:02:54.813+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 8936
},
"channel": "ETW Trace",
"computer": "DESKTOP-FF3N5XK",
"security": {
"user_id": ""
}
},
"event_data": {
"Command": "TRE_DCON",
"Count": 0,
"CreditRequested": 1,
"MessageId": 6,
"MidCharge": 1,
"SendLength": 68,
"SessionId": 105556337492013,
"TreeId": 1,
"VcEndpoint": "0xFFFFBD09F3610AE0"
},
"message": "SmbSend "
}
Event ID 30407: SMB receive: [Command] (Mid/Sid/Tid) (MessageId/SessionId/TreeId) Creds CreditGranted Status Status VcEndpoint VcEndpoint.
#Description
SMB receive: [Command] (Mid/Sid/Tid) (MessageId/SessionId/TreeId) Creds CreditGranted Status Status VcEndpoint VcEndpoint.
Message #
Fields #
| Name | Description |
|---|---|
Command AnsiString | |
MessageId UInt64 | |
AsyncId UInt64 | |
SessionId UInt64 | |
TreeId UInt32 | |
CreditGranted UInt16 | |
Status UInt32 | NTSTATUS reference |
VcEndpoint Pointer |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SMBClient",
"guid": "{988C59C5-0A1C-45B6-A555-0C62276E327D}",
"event_source_name": "",
"event_id": 30407,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": "0x1000000000000004",
"time_created": "2026-06-02T06:02:54.814+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 10660,
"thread_id": 17284
},
"channel": "ETW Trace",
"computer": "DESKTOP-FF3N5XK",
"security": {
"user_id": ""
}
},
"event_data": {
"AsyncId": 0,
"Command": "TRE_DCON",
"CreditGranted": 1,
"MessageId": 6,
"SessionId": 3221225517,
"Status": 0,
"TreeId": 1,
"VcEndpoint": "0xFFFFBD09F3610AE0"
},
"message": "SmbReceive "
}
Event ID 30408: SMB receive interim: [Command] (Mid/AsyncId/Sid/Tid) (MessageId/AsyncId/SessionId/TreeId) Creds CreditGranted Status Status VcEndpoint VcEndpoint.
#Description
SMB receive interim: [Command] (Mid/AsyncId/Sid/Tid) (MessageId/AsyncId/SessionId/TreeId) Creds CreditGranted Status Status VcEndpoint VcEndpoint.
Message #
Fields #
| Name | Description |
|---|---|
Command AnsiString | |
MessageId UInt64 | |
AsyncId UInt64 | |
SessionId UInt64 | |
TreeId UInt32 | |
CreditGranted UInt16 | |
Status UInt32 | NTSTATUS reference |
VcEndpoint Pointer |
Event ID 30409: SMB receive async: [Command] (AsyncId/Sid/Tid) (AsyncId/SessionId/TreeId) Creds CreditGranted Status Status VcEndpoint VcEndpoint.
#Description
SMB receive async: [Command] (AsyncId/Sid/Tid) (AsyncId/SessionId/TreeId) Creds CreditGranted Status Status VcEndpoint VcEndpoint.
Message #
Fields #
| Name | Description |
|---|---|
Command AnsiString | |
MessageId UInt64 | |
AsyncId UInt64 | |
SessionId UInt64 | |
TreeId UInt32 | |
CreditGranted UInt16 | |
Status UInt32 | NTSTATUS reference |
VcEndpoint Pointer |
Event ID 30410: SMB registry key: RegName = RegValue.
#Description
SMB registry key: RegName = RegValue.
Message #
Fields #
| Name | Description |
|---|---|
RegName UnicodeString | |
RegValue UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SMBClient",
"guid": "{988C59C5-0A1C-45B6-A555-0C62276E327D}",
"event_source_name": "",
"event_id": 30410,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": "0x1000000000000004",
"time_created": "2026-06-02T05:31:02.286+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 11444,
"thread_id": 12576
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"RegName": "RequireSecuritySignature",
"RegValue": 0
},
"message": ""
}
Event ID 30501: SMB update file info cache: RxContext RxContext Fcb Fcb FileName FileName.
#Description
SMB update file info cache: RxContext RxContext Fcb Fcb FileName FileName.
Message #
Fields #
| Name | Description |
|---|---|
RxContext Pointer | |
Fcb Pointer | |
FileNameLength UInt16 | |
FileName UnicodeString | |
Status UInt32 | NTSTATUS reference |
Event ID 30502: SMB fetch file info cache: RxContext RxContext Fcb Fcb FileName FileName Status Status.
#Description
SMB fetch file info cache: RxContext RxContext Fcb Fcb FileName FileName Status Status.
Message #
Fields #
| Name | Description |
|---|---|
RxContext Pointer | |
Fcb Pointer | |
FileNameLength UInt16 | |
FileName UnicodeString | |
Status UInt32 | NTSTATUS reference |
Event ID 30503: SMB invalidate file info cache: RxContext RxContext Fcb Fcb FileName FileName.
#Description
SMB invalidate file info cache: RxContext RxContext Fcb Fcb FileName FileName.
Message #
Fields #
| Name | Description |
|---|---|
RxContext Pointer | |
Fcb Pointer | |
FileNameLength UInt16 | |
FileName UnicodeString | |
Status UInt32 | NTSTATUS reference |
Event ID 30504: SMB update file not found cache: RxContext RxContext Fcb Fcb FileName FileName.
#Description
SMB update file not found cache: RxContext RxContext Fcb Fcb FileName FileName.
Message #
Fields #
| Name | Description |
|---|---|
RxContext Pointer | |
Fcb Pointer | |
FileNameLength UInt16 | |
FileName UnicodeString | |
Status UInt32 | NTSTATUS reference |
Event ID 30505: SMB fetch file not found cache: RxContext RxContext Fcb Fcb FileName FileName Result Status.
#Description
SMB fetch file not found cache: RxContext RxContext Fcb Fcb FileName FileName Result Status.
Message #
Fields #
| Name | Description |
|---|---|
RxContext Pointer | |
Fcb Pointer | |
FileNameLength UInt16 | |
FileName UnicodeString | |
Status UInt32 | NTSTATUS reference |
Event ID 30506: SMB invalidate file not found cache: RxContext RxContext Fcb Fcb FileName FileName.
#Description
SMB invalidate file not found cache: RxContext RxContext Fcb Fcb FileName FileName.
Message #
Fields #
| Name | Description |
|---|---|
RxContext Pointer | |
Fcb Pointer | |
FileNameLength UInt16 | |
FileName UnicodeString | |
Status UInt32 | NTSTATUS reference |
Event ID 30507: SMB populate dir cache: RxContext RxContext Fcb Fcb DirName FileName.
#Description
SMB populate dir cache: RxContext RxContext Fcb Fcb DirName FileName.
Message #
Fields #
| Name | Description |
|---|---|
RxContext Pointer | |
Fcb Pointer | |
FileNameLength UInt16 | |
FileName UnicodeString | |
Status UInt32 | NTSTATUS reference |
Event ID 30508: SMB fetch dir cache: RxContext RxContext Fcb Fcb FileName FileName Status Status.
#Description
SMB fetch dir cache: RxContext RxContext Fcb Fcb FileName FileName Status Status.
Message #
Fields #
| Name | Description |
|---|---|
RxContext Pointer | |
Fcb Pointer | |
FileNameLength UInt16 | |
FileName UnicodeString | |
Status UInt32 | NTSTATUS reference |
Event ID 30600: Session Object to ObjectName transitioned from [OldState] to [NewState] with Status Status.
#Description
Session Object to ObjectName transitioned from [OldState] to [NewState] with Status Status.
Message #
Fields #
| Name | Description |
|---|---|
Object Pointer | |
OldState UInt16 | |
NewState UInt16 | |
Status UInt32 | NTSTATUS reference |
NameLength UInt16 | |
ObjectName UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SMBClient",
"guid": "{988C59C5-0A1C-45B6-A555-0C62276E327D}",
"event_source_name": "",
"event_id": 30600,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": "0x4000000000000010",
"time_created": "2026-06-02T06:02:54.814+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 8936
},
"channel": "ETW Trace",
"computer": "DESKTOP-FF3N5XK",
"security": {
"user_id": ""
}
},
"event_data": {
"NameLength": 26,
"NewState": 6,
"Object": "0xFFFFBD09F3149AA0",
"ObjectName": "\\JD-DC01-2022.ludus.domain",
"OldState": 0,
"Status": 3221225996
},
"message": "SessionStateTransition "
}
Event ID 30601: Share connection Object to ObjectName transitioned from [OldState] to [NewState] with Status Status.
#Description
Share connection Object to ObjectName transitioned from [OldState] to [NewState] with Status Status.
Message #
Fields #
| Name | Description |
|---|---|
Object Pointer | |
OldState UInt16 | |
NewState UInt16 | |
Status UInt32 | NTSTATUS reference |
NameLength UInt16 | |
ObjectName UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SMBClient",
"guid": "{988C59C5-0A1C-45B6-A555-0C62276E327D}",
"event_source_name": "",
"event_id": 30601,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": "0x4000000000000010",
"time_created": "2026-06-02T06:02:54.813+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 8936
},
"channel": "ETW Trace",
"computer": "DESKTOP-FF3N5XK",
"security": {
"user_id": ""
}
},
"event_data": {
"NameLength": 31,
"NewState": 6,
"Object": "0xFFFFBD09F46F2620",
"ObjectName": "\\JD-DC01-2022.ludus.domain\\IPC$",
"OldState": 0,
"Status": 3221225996
},
"message": "VNetRootStateTransition "
}
Event ID 30603: Open handle Object to ShareNameObjectName transitioned from [OldState] to [NewState] with Status Status.
#Description
Open handle Object to ShareNameObjectName transitioned from [OldState] to [NewState] with Status Status.
Message #
Fields #
| Name | Description |
|---|---|
Object Pointer | |
PersistentFID UInt64 | |
VolatileFID UInt64 | |
CreateGUID GUID | |
OldState UInt16 | |
NewState UInt16 | |
Status UInt32 | NTSTATUS reference |
Reason UInt32 | |
ShareNameLength UInt16 | |
ShareName UnicodeString | |
ObjectNameLength UInt16 | |
ObjectName UnicodeString | |
PreviousStatus UInt32 | |
PreviousReason UInt32 |
Event ID 30604: The local computer didn't received an SMB1 negotiate response in the last 20 minutes.
#Event ID 30611: Failed to reconnect a persistent handle.
#Description
Failed to reconnect a persistent handle.
Message #
Fields #
| Name | Description |
|---|---|
Object Pointer | |
PersistentFID UInt64 | |
VolatileFID UInt64 | |
CreateGUID GUID | |
OldState UInt16 | |
NewState UInt16 | |
Status UInt32 | NTSTATUS reference |
Reason UInt32 | |
ShareNameLength UInt16 | |
ShareName UnicodeString | |
ObjectNameLength UInt16 | |
ObjectName UnicodeString | |
PreviousStatus UInt32 | |
PreviousReason UInt32 |
Event ID 30612: Failed to reconnect a resilient handle.
#Description
Failed to reconnect a resilient handle.
Message #
Fields #
| Name | Description |
|---|---|
Object Pointer | |
PersistentFID UInt64 | |
VolatileFID UInt64 | |
CreateGUID GUID | |
OldState UInt16 | |
NewState UInt16 | |
Status UInt32 | NTSTATUS reference |
Reason UInt32 | |
ShareNameLength UInt16 | |
ShareName UnicodeString | |
ObjectNameLength UInt16 | |
ObjectName UnicodeString | |
PreviousStatus UInt32 | |
PreviousReason UInt32 |
Event ID 30613: Failed to open a persistent handle.
#Description
Failed to open a persistent handle.
Message #
Fields #
| Name | Description |
|---|---|
Object Pointer | |
PersistentFID UInt64 | |
VolatileFID UInt64 | |
CreateGUID GUID | |
OldState UInt16 | |
NewState UInt16 | |
Status UInt32 | NTSTATUS reference |
Reason UInt32 | |
ShareNameLength UInt16 | |
ShareName UnicodeString | |
ObjectNameLength UInt16 | |
ObjectName UnicodeString | |
PreviousStatus UInt32 | |
PreviousReason UInt32 |
Event ID 30614: Persistent handle {PersistentFID}:{VolatileFID} CreateGUID {CreateGUID} to {Object}0{Object}2 was orphaned.
#Event ID 30615: Resilient handle {PersistentFID}:{VolatileFID} to {Object}0{Object}2 was orphaned.
#Event ID 30620: Connection to server {ServerName} IP Address {RemoteAddress} was aborted.
#Event ID 30621: Session to server {ObjectName} was lost Status {Status}.
#Description
Session to server {ObjectName} was lost Status {Status}.
Message #
Fields #
| Name | Description |
|---|---|
ObjectName | |
Status | NTSTATUS reference |
Event ID 30622: Session to server {ObjectName} was re-established.
#Event ID 30623: Connection to share {ObjectName} was lost.
#Description
Connection to share {ObjectName} was lost. Status {Status}.
Message #
Fields #
| Name | Description |
|---|---|
ObjectName | |
Status | NTSTATUS reference |
Event ID 30624: Connection to share {ObjectName} was re-established.
#Event ID 30625: Handle {PersistentFID}:{VolatileFID} CreateGUID {CreateGUID} to {Object}0{Object}2 granted without persistence.
#Event ID 30626: The SMB client received a request to move file server cluster {ServerName} to IP address {RemoteAddress}.
#Event ID 30627: The SMB client successfully moved file server cluster {ServerName} to IP address {RemoteAddress}.
#Event ID 30628: The SMB client failed to move file server cluster {ServerName}.
#Description
The SMB client failed to move file server cluster {ServerName}. Error: {Status}.
Message #
Fields #
| Name | Description |
|---|---|
ServerName | |
Status | NTSTATUS reference |
Event ID 30700: The server {ServerName} does not support multichannel.
#Event ID 30701: An invalid FSCTL_QUERY_NETWORK_INTERFACE_INFO response was sent by the server ServerName.
#Event ID 30702: The client failed to connect to the server ServerName from the local IP address LocalAddress to the remote IP address RemoteAddress over TCP transport.
#Description
The client failed to connect to the server ServerName from the local IP address LocalAddress to the remote IP address RemoteAddress over TCP transport. Error: Status.
Message #
Fields #
| Name | Description |
|---|---|
ServerNameLength UInt16 | |
ServerName UnicodeString | |
LocalAddressLength UInt32 | |
LocalAddress Binary | |
RemoteAddressLength UInt32 | |
RemoteAddress Binary | |
Status UInt32 | NTSTATUS reference |
Event ID 30703: The client failed to connect to the server ServerName from the local IP address LocalAddress to the remote IP address RemoteAddress over RDMA transport.
#Description
The client failed to connect to the server ServerName from the local IP address LocalAddress to the remote IP address RemoteAddress over RDMA transport. Error: Status.
Message #
Fields #
| Name | Description |
|---|---|
ServerNameLength UInt16 | |
ServerName UnicodeString | |
LocalAddressLength UInt32 | |
LocalAddress Binary | |
RemoteAddressLength UInt32 | |
RemoteAddress Binary | |
Status UInt32 | NTSTATUS reference |
Event ID 30704: The client connected to the server ServerName from the local IP address LocalAddress to the remote IP address RemoteAddress over TCP transport successfully.
#Description
The client connected to the server ServerName from the local IP address LocalAddress to the remote IP address RemoteAddress over TCP transport successfully.
Message #
Fields #
| Name | Description |
|---|---|
ServerNameLength UInt16 | |
ServerName UnicodeString | |
LocalAddressLength UInt32 | |
LocalAddress Binary | |
RemoteAddressLength UInt32 | |
RemoteAddress Binary | |
Status UInt32 | NTSTATUS reference |
Event ID 30705: The client connected to the server ServerName from the local IP address LocalAddress to the remote IP address RemoteAddress over RDMA transport successfully.
#Description
The client connected to the server ServerName from the local IP address LocalAddress to the remote IP address RemoteAddress over RDMA transport successfully.
Message #
Fields #
| Name | Description |
|---|---|
ServerNameLength UInt16 | |
ServerName UnicodeString | |
LocalAddressLength UInt32 | |
LocalAddress Binary | |
RemoteAddressLength UInt32 | |
RemoteAddress Binary | |
Status UInt32 | NTSTATUS reference |
Event ID 30706: The client can not connect to the server {ServerName} due to a multichannel constraint registry setting.
#Event ID 30800: The server name cannot be resolved.
#Description
The server name cannot be resolved.
Message #
Fields #
| Name | Description |
|---|---|
Reason UInt32 | |
Status UInt32 | NTSTATUS reference |
ServerNameLength UInt16 | |
ServerName UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SMBClient",
"guid": "{988C59C5-0A1C-45B6-A555-0C62276E327D}",
"event_source_name": "",
"event_id": 30800,
"version": 0,
"level": 2,
"task": 0,
"opcode": 0,
"keywords": 288230376151711808,
"time_created": "2026-05-28T22:42:26.7714555+00:00",
"event_record_id": 45,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 492
},
"channel": "Microsoft-Windows-SmbClient/Connectivity",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Reason": "1",
"Status": "3221226021",
"ServerNameLength": "19",
"ServerName": "cell-a.ludus.domain"
},
"message": "The server name cannot be resolved.\r\n\r\nError: The object was not found.\r\n\r\nServer name: cell-a.ludus.domain\r\n\r\nGuidance:\r\nThe client cannot resolve the server address in DNS or WINS. This issue often manifests immediately after joining a computer to the domain, when the client's DNS registration may not yet have propagated to all DNS servers. You should also expect this event at system startup on a DNS server (such as a domain controller) that points to itself for the primary DNS. You should validate the DNS client settings on this computer using IPCONFIG /ALL and NSLOOKUP."
}
Event ID 30801: Reason.
#Description
Reason. Error: Status Server name: ServerName
Message #
Fields #
| Name | Description |
|---|---|
Reason UInt32 | |
Status UInt32 | NTSTATUS reference |
ServerNameLength UInt16 | |
ServerName UnicodeString |
Event ID 30802: Reason.
#Description
Reason. Error: Status Server name: ServerName
Message #
Fields #
| Name | Description |
|---|---|
Reason UInt32 | |
Status UInt32 | NTSTATUS reference |
ServerNameLength UInt16 | |
ServerName UnicodeString |
Event ID 30803: Failed to establish a network connection.
#Description
Failed to establish a network connection.
Message #
Fields #
| Name | Description |
|---|---|
Reason UInt32 | |
Status UInt32 | NTSTATUS reference |
ServerNameLength UInt16 | |
ServerName UnicodeString | |
AddressLength UInt32 | |
RemoteAddress Binary | |
LocalAddress Binary | |
InstanceNameLength UInt16 | |
InstanceName UnicodeString | |
ConnectionType UInt32 | |
PortSelectionOrigin UInt32 | |
ConnectionIdSize UInt32 | |
ConnectionId Binary | |
ClientCertSha1HashSize UInt32 | |
ClientCertSha1Hash Binary |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SMBClient",
"guid": "988C59C5-0A1C-45B6-A555-0C62276E327D",
"event_source_name": "",
"event_id": 30803,
"version": 2,
"level": 2,
"task": 0,
"opcode": 0,
"keywords": 288230376151711808,
"time_created": "2026-02-17T05:21:07.002021+00:00",
"event_record_id": 35,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 12828
},
"channel": "Microsoft-Windows-SmbClient/Connectivity",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Reason": 0,
"Status": 3221226045,
"ServerNameLength": 25,
"ServerName": "LAB-DC01.ludus.domain",
"AddressLength": 16,
"RemoteAddress": "020001BB0A020A0B0000000000000000",
"LocalAddress": "00000000000000000000000000000000",
"InstanceNameLength": 24,
"InstanceName": "\\Device\\LanmanRedirector",
"ConnectionType": 4
},
"message": ""
}
Event ID 30804: A network connection was disconnected.
#Description
A network connection was disconnected.
Message #
Fields #
| Name | Description |
|---|---|
Reason UInt32 | |
Status UInt32 | NTSTATUS reference |
InstanceNameLength UInt16 | |
InstanceName UnicodeString | |
ServerNameLength UInt16 | |
ServerName UnicodeString | |
AddressLength UInt32 | |
Address Binary | |
ConnectionType UInt32 | |
InterfaceId UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SMBClient",
"guid": "988C59C5-0A1C-45B6-A555-0C62276E327D",
"event_source_name": "",
"event_id": 30804,
"version": 2,
"level": 2,
"task": 0,
"opcode": 0,
"keywords": 288230376151711808,
"time_created": "2026-02-11T17:39:20.782502+00:00",
"event_record_id": 30,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Microsoft-Windows-SmbClient/Connectivity",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"Reason": 7,
"Status": 3221225996,
"InstanceNameLength": 24,
"InstanceName": "\\Device\\LanmanRedirector",
"ServerNameLength": 26,
"ServerName": "\\LAB-DC01.ludus.domain",
"AddressLength": 16,
"Address": "020001BD0A020A0B0000000000000000",
"ConnectionType": 1,
"InterfaceId": 5
},
"message": ""
}
Event ID 30805: The client lost its session to the server.
#Description
The client lost its session to the server.
Message #
Fields #
| Name | Description |
|---|---|
Status UInt32 | NTSTATUS reference |
SessionId UInt64 | |
TreeId UInt32 | |
ServerNameLength UInt16 | |
ServerName UnicodeString | |
AddressLength UInt32 | |
Address Binary |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SMBClient",
"guid": "988C59C5-0A1C-45B6-A555-0C62276E327D",
"event_source_name": "",
"event_id": 30805,
"version": 2,
"level": 3,
"task": 0,
"opcode": 0,
"keywords": 288230376151711808,
"time_created": "2026-02-11T17:39:20.782525+00:00",
"event_record_id": 31,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Microsoft-Windows-SmbClient/Connectivity",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"Status": 3221225996,
"SessionId": 21990366773273,
"TreeId": 0,
"ServerNameLength": 26,
"ServerName": "\\LAB-DC01.ludus.domain",
"AddressLength": 0,
"Address": ""
},
"message": ""
}
Event ID 30806: The client re-established its session to the server.
#Description
The client re-established its session to the server.
Message #
Fields #
| Name | Description |
|---|---|
Status UInt32 | NTSTATUS reference |
SessionId UInt64 | |
TreeId UInt32 | |
ServerNameLength UInt16 | |
ServerName UnicodeString | |
AddressLength UInt32 | |
Address Binary | |
SigningUsed Boolean | |
EncryptionUsed Boolean |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SMBClient",
"guid": "988C59C5-0A1C-45B6-A555-0C62276E327D",
"event_source_name": "",
"event_id": 30806,
"version": 2,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 288230376151711808,
"time_created": "2026-02-11T17:39:20.790247+00:00",
"event_record_id": 33,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 3932
},
"channel": "Microsoft-Windows-SmbClient/Connectivity",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"Status": 0,
"SessionId": 21990366773289,
"TreeId": 0,
"ServerNameLength": 26,
"ServerName": "\\LAB-DC01.ludus.domain",
"AddressLength": 16,
"Address": "020001BD0A020A0B0000000000000000"
},
"message": ""
}
Event ID 30807: The connection to the share was lost.
#Description
The connection to the share was lost.
Message #
Fields #
| Name | Description |
|---|---|
Status UInt32 | NTSTATUS reference |
SessionId UInt64 | |
TreeId UInt32 | |
ServerNameLength UInt16 | |
ServerName UnicodeString | |
AddressLength UInt32 | |
Address Binary |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SMBClient",
"guid": "988C59C5-0A1C-45B6-A555-0C62276E327D",
"event_source_name": "",
"event_id": 30807,
"version": 2,
"level": 3,
"task": 0,
"opcode": 0,
"keywords": 288230376151711808,
"time_created": "2026-02-11T17:39:20.782531+00:00",
"event_record_id": 32,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Microsoft-Windows-SmbClient/Connectivity",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"Status": 3221225996,
"SessionId": 21990366773273,
"TreeId": 1,
"ServerNameLength": 33,
"ServerName": "\\LAB-DC01.ludus.domain\\sysvol",
"AddressLength": 0,
"Address": ""
},
"message": ""
}
Event ID 30808: The connection to the share was re-established.
#Description
The connection to the share was re-established.
Message #
Fields #
| Name | Description |
|---|---|
Status UInt32 | NTSTATUS reference |
SessionId UInt64 | |
TreeId UInt32 | |
ServerNameLength UInt16 | |
ServerName UnicodeString | |
AddressLength UInt32 | |
Address Binary | |
SigningUsed Boolean | |
EncryptionUsed Boolean |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SMBClient",
"guid": "988C59C5-0A1C-45B6-A555-0C62276E327D",
"event_source_name": "",
"event_id": 30808,
"version": 2,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 288230376151711808,
"time_created": "2026-02-11T17:39:20.790983+00:00",
"event_record_id": 34,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 1000
},
"channel": "Microsoft-Windows-SmbClient/Connectivity",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"Status": 0,
"SessionId": 21990366773289,
"TreeId": 1,
"ServerNameLength": 31,
"ServerName": "\\LAB-DC01.ludus.domain\\IPC$",
"AddressLength": 16,
"Address": "020001BD0A020A0B0000000000000000"
},
"message": ""
}
Event ID 30809: A request timed out because there was no response from the server.
#Description
A request timed out because there was no response from the server.
Message #
Fields #
| Name | Description |
|---|---|
Smb2Command UInt16 | |
MessageId UInt64 | |
SessionId UInt64 | |
TreeId UInt32 | |
ServerNameLength UInt16 | |
ServerName UnicodeString | |
Status UInt32 | NTSTATUS reference |
InstanceNameLength UInt16 | |
InstanceName UnicodeString | |
RetryCount UInt32 | |
ElapsedTimeInMs UInt32 |
Event ID 30810: Added a TCP/IP transport interface.
#Description
Added a TCP/IP transport interface.
Message #
Fields #
| Name | Description |
|---|---|
NameLength UInt16 | |
Name UnicodeString | |
IfIndex UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SMBClient",
"guid": "{988C59C5-0A1C-45B6-A555-0C62276E327D}",
"event_source_name": "",
"event_id": 30810,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 288230376151711808,
"time_created": "2026-05-29T16:32:57.4182804+00:00",
"event_record_id": 49,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 288
},
"channel": "Microsoft-Windows-SmbClient/Connectivity",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"NameLength": "8",
"Name": "Ethernet",
"IfIndex": "3"
},
"message": "Added a TCP/IP transport interface.\r\n\r\nName: Ethernet\r\nInterfaceIndex: 0x3\r\n\r\nGuidance:\r\nA TCP/IP binding was added to the specified network adapter for the SMB client. The SMB client can now send and receive SMB traffic on this network adapter using TCP/IP. You should expect this event when a computer restarts or when a previously disabled network adaptor is re-enabled. No user action is required."
}
Event ID 30811: Deleted a TCP/IP transport interface.
#Description
Deleted a TCP/IP transport interface.
Message #
Fields #
| Name | Description |
|---|---|
NameLength UInt16 | |
Name UnicodeString | |
IfIndex UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SMBClient",
"guid": "988C59C5-0A1C-45B6-A555-0C62276E327D",
"event_source_name": "",
"event_id": 30811,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 288230376151711808,
"time_created": "2023-11-06T06:25:42.599960+00:00",
"event_record_id": 84,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 428
},
"channel": "Microsoft-Windows-SmbClient/Connectivity",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"NameLength": 9,
"Name": "Ethernet1",
"IfIndex": 4
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 30812: Added a TDI transport interface.
#Description
Added a TDI transport interface.
Message #
Fields #
| Name | Description |
|---|---|
ServerNameLength UInt16 | |
ServerName UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SMBClient",
"guid": "{988C59C5-0A1C-45B6-A555-0C62276E327D}",
"event_source_name": "",
"event_id": 30812,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 288230376151711808,
"time_created": "2026-05-29T16:32:57.4182136+00:00",
"event_record_id": 48,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 288
},
"channel": "Microsoft-Windows-SmbClient/Connectivity",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"ServerNameLength": "58",
"ServerName": "\\Device\\NetBT_Tcpip_{2A7BD48E-DDC6-4641-9F41-682F29F1D76C}"
},
"message": "Added a TDI transport interface.\r\n\r\nName: \\Device\\NetBT_Tcpip_{2A7BD48E-DDC6-4641-9F41-682F29F1D76C}\r\n\r\nGuidance:\r\nA TDI (NetBIOS) binding was added to the specified network adapter for the SMB client. The SMB client can now send and receive SMB traffic on this network adapter using TDI. You should expect this event when a computer restarts or when a previously disabled network adaptor is re-enabled. No user action is required."
}
Event ID 30813: Deleted a TDI transport interface.
#Description
Deleted a TDI transport interface.
Message #
Fields #
| Name | Description |
|---|---|
ServerNameLength UInt16 | |
ServerName UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SMBClient",
"guid": "988C59C5-0A1C-45B6-A555-0C62276E327D",
"event_source_name": "",
"event_id": 30813,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 288230376151711808,
"time_created": "2023-11-06T06:25:42.600171+00:00",
"event_record_id": 85,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 224
},
"channel": "Microsoft-Windows-SmbClient/Connectivity",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"ServerNameLength": 58,
"ServerName": "\\Device\\NetBT_Tcpip_{3D03B11E-98A0-4304-84E2-CD3AAE8EFE1D}"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 30814: Witness registration has completed.
#Description
Witness registration has completed.
Message #
Fields #
| Name | Description |
|---|---|
Status UInt32 | NTSTATUS reference |
ShareType UInt8 | |
NameLength UInt16 | |
Name UnicodeString | |
RemoteAddressLength UInt32 | |
RemoteAddress Binary |
Event ID 30815: Witness deregistration has completed.
#Description
Witness deregistration has completed.
Message #
Fields #
| Name | Description |
|---|---|
Status UInt32 | NTSTATUS reference |
ShareType UInt8 | |
NameLength UInt16 | |
Name UnicodeString | |
RemoteAddressLength UInt32 | |
RemoteAddress Binary |
Event ID 30816: The server failed the negotiate request.
#Description
The server failed the negotiate request.
Message #
Fields #
| Name | Description |
|---|---|
Reason UInt32 | |
Status UInt32 | NTSTATUS reference |
ServerNameLength UInt16 | |
ServerName UnicodeString |
Event ID 30817: Close request failed.
#Description
Close request failed.
Message #
Fields #
| Name | Description |
|---|---|
Reason UInt32 | |
Status UInt32 | NTSTATUS reference |
ShareNameLength UInt16 | |
ShareName UnicodeString | |
ObjectNameLength UInt16 | |
ObjectName UnicodeString |
Event ID 30818: RDMA interfaces are available but the client failed to connect to the server over RDMA transport.
#Event ID 30819: The SMB client received a request to move to a different node on a file server cluster.
#Description
The SMB client received a request to move to a different node on a file server cluster.
Message #
Fields #
| Name | Description |
|---|---|
Status UInt32 | NTSTATUS reference |
ShareType UInt8 | |
NameLength UInt16 | |
Name UnicodeString | |
RemoteAddressLength UInt32 | |
RemoteAddress Binary |
Event ID 30820: The SMB client successfully moved to a different node on a file server cluster.
#Description
The SMB client successfully moved to a different node on a file server cluster.
Message #
Fields #
| Name | Description |
|---|---|
Status UInt32 | NTSTATUS reference |
ShareType UInt8 | |
NameLength UInt16 | |
Name UnicodeString | |
RemoteAddressLength UInt32 | |
RemoteAddress Binary |
Event ID 30821: The SMB client failed to move to a different node on a file server cluster.
#Description
The SMB client failed to move to a different node on a file server cluster.
Message #
Fields #
| Name | Description |
|---|---|
Status UInt32 | NTSTATUS reference |
ShareType UInt8 | |
NameLength UInt16 | |
Name UnicodeString | |
RemoteAddressLength UInt32 | |
RemoteAddress Binary |
Event ID 30822: Failed to establish an SMB multichannel network connection.
#Description
Failed to establish an SMB multichannel network connection.
Message #
Fields #
| Name | Description |
|---|---|
Reason UInt32 | |
Status UInt32 | NTSTATUS reference |
ServerNameLength UInt16 | |
ServerName UnicodeString | |
AddressLength UInt32 | |
RemoteAddress Binary | |
LocalAddress Binary | |
InstanceNameLength UInt16 | |
InstanceName UnicodeString | |
ConnectionType UInt32 | |
PortSelectionOrigin UInt32 |
Event ID 30823: The connection was terminated due to one or more IO request timeouts.
#Description
The connection was terminated due to one or more IO request timeouts.
Message #
Fields #
| Name | Description |
|---|---|
Reason UInt32 | |
Status UInt32 | NTSTATUS reference |
ServerNameLength UInt16 | |
ServerName UnicodeString | |
AddressLength UInt32 | |
RemoteAddress Binary | |
LocalAddress Binary | |
InstanceNameLength UInt16 | |
InstanceName UnicodeString | |
ConnectionType UInt32 |
Event ID 30824: The connection was forcibly disconnected.
#Description
The connection was forcibly disconnected.
Message #
Fields #
| Name | Description |
|---|---|
Reason UInt32 | |
Status UInt32 | NTSTATUS reference |
ServerNameLength UInt16 | |
ServerName UnicodeString | |
AddressLength UInt32 | |
RemoteAddress Binary | |
LocalAddress Binary | |
InstanceNameLength UInt16 | |
InstanceName UnicodeString | |
ConnectionType UInt32 |
Event ID 30825: The disconnect state on connection was cleared.
#Event ID 30826: The SMB negotiate response processing failed on the client to determine the selected encryption cipher for the client and server.
#Description
The SMB negotiate response processing failed on the client to determine the selected encryption cipher for the client and server. Please ensure there is a common cipher between the client and server.
Message #
Fields #
| Name | Description |
|---|---|
ClientCipherSuiteOrderLength UInt32 | |
ClientCipherSuiteOrder UnicodeString | |
ServerChosenEncryptionCipherLength UInt32 | |
ServerChosenEncryptionCipher UnicodeString |
Event ID 30827: Could not find a certificate mapping that matches the server name.
#Description
Could not find a certificate mapping that matches the server name.
Message #
Fields #
| Name | Description |
|---|---|
ConnectionType UInt32 | |
ServerNameLength UInt16 | |
ServerName UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SMBClient",
"guid": "{988C59C5-0A1C-45B6-A555-0C62276E327D}",
"event_source_name": "",
"event_id": 30827,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 288230376151711808,
"time_created": "2026-05-30T01:32:45.7795907+00:00",
"event_record_id": 155,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 4056
},
"channel": "Microsoft-Windows-SmbClient/Connectivity",
"computer": "JD-WIN11-22H2-1.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"ConnectionType": "4",
"ServerNameLength": "10",
"ServerName": "10.2.10.31"
},
"message": "Could not find a certificate mapping that matches the server name. \r\n\r\nConnection type: Quic\r\nServer name: 10.2.10.31.\r\n"
}
Event ID 30828: The client established its session to the server.
#Description
The client established its session to the server.
Message #
Fields #
| Name | Description |
|---|---|
Status UInt32 | NTSTATUS reference |
SessionId UInt64 | |
ServerNameLength UInt16 | |
ServerName UnicodeString | |
RemoteAddressLength UInt32 | |
RemoteAddress Binary | |
LocalAddressLength UInt32 | |
LocalAddress Binary |
Event ID 30829: The client failed to establish its session to the server.
#Description
The client failed to establish its session to the server.
Message #
Fields #
| Name | Description |
|---|---|
Status UInt32 | NTSTATUS reference |
SessionId UInt64 | |
ServerNameLength UInt16 | |
ServerName UnicodeString | |
RemoteAddressLength UInt32 | |
RemoteAddress Binary | |
LocalAddressLength UInt32 | |
LocalAddress Binary |
Event ID 30830: The SMB redirector selected the connection initiated with the following parameters.
#Description
The SMB redirector selected the connection initiated with the following parameters.
Message #
Fields #
| Name | Description |
|---|---|
ServerNameLength UInt16 | |
ServerName UnicodeString | |
ConnectionType UInt32 | |
RemoteAddressLength UInt32 | |
RemoteAddress Binary | |
LocalAddressLength UInt32 | |
LocalAddress Binary | |
InstanceNameLength UInt16 | |
InstanceName UnicodeString | |
PortSelectionOrigin UInt32 | |
Status HexInt32 | NTSTATUS reference |
ConnectionIdSize UInt32 | |
ConnectionId Binary | |
ClientCertSha1HashSize UInt32 | |
ClientCertSha1Hash Binary |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SMBClient",
"event_id": 30830,
"level": 4,
"task": 111,
"opcode": 0,
"time_created": "2026-05-27T16:40:13.5431275+00:00",
"computer": "DESKTOP-FF3N5XK.ludus.domain",
"channel": "Microsoft-Windows-SmbClient"
},
"event_data": {
"LocalAddressLength": "0",
"ClientCertSha1HashSize": "0",
"ConnectionIdSize": "0",
"RemoteAddressLength": "16",
"ConnectionType": "1",
"ConnectionId": null,
"PortSelectionOrigin": "4",
"ServerName": "JD-DC01-2022.ludus.domain",
"InstanceNameLength": "24",
"LocalAddress": null,
"InstanceName": "\\Device\\LanmanRedirector",
"ClientCertSha1Hash": null,
"ServerNameLength": "25",
"Status": "0x0",
"RemoteAddress": "020001BD0A020A0B0000000000000000"
}
}
Event ID 30831: The SMB client was denied access to the SMB server during mutual authentication.
#Event ID 30832: The SMB connection was successfully established.
#Description
The SMB connection was successfully established.
Message #
Event ID 30833: The initial connection to the share was established.
#Description
The initial connection to the share was established.
Message #
Fields #
| Name | Description |
|---|---|
Status | |
SessionId | |
TreeId | |
ServerNameLength | |
ServerName | |
AddressLength | |
Address | |
ConnectionType | |
SigningUsed | |
EncryptionUsed | |
CompressionRequested | |
NTLMBlocked |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SMBClient",
"event_id": 30833,
"level": 4,
"task": 163,
"opcode": 0,
"time_created": "2026-05-27T16:40:13.5498689+00:00",
"computer": "DESKTOP-FF3N5XK.ludus.domain",
"channel": "Microsoft-Windows-SmbClient"
},
"event_data": {
"NTLMBlocked": "false",
"EncryptionUsed": "false",
"ServerName": "\\JD-DC01-2022.ludus.domain\\IPC$",
"SigningUsed": "true",
"SessionId": "87974284886033",
"ConnectionType": "1",
"TreeId": "1",
"Address": "020001BD0A020A0B0000000000000000",
"ServerNameLength": "31",
"AddressLength": "16",
"Status": "0",
"CompressionRequested": "false"
}
}
Event ID 30834: The client was unable to perform revocation checks on the server certificate chain.
#Event ID 30835: Server authentication failed.
#Event ID 30837: The requested transport is disabled.
#Event ID 30900: The handle was created without persistence.
#Description
The handle was created without persistence.
Message #
Fields #
| Name | Description |
|---|---|
Object Pointer | |
PersistentFID UInt64 | |
VolatileFID UInt64 | |
CreateGUID GUID | |
OldState UInt16 | |
NewState UInt16 | |
Status UInt32 | NTSTATUS reference |
Reason UInt32 | |
ShareNameLength UInt16 | |
ShareName UnicodeString | |
ObjectNameLength UInt16 | |
ObjectName UnicodeString | |
PreviousStatus UInt32 | |
PreviousReason UInt32 |
Event ID 30904: The server does not support multichannel.
#Event ID 30905: The client cannot connect to the server due to a multichannel constraint registry setting.
#Event ID 30906: A request on persistent/resilient handle failed because the handle was invalid or it exceeded the timeout.
#Description
A request on persistent/resilient handle failed because the handle was invalid or it exceeded the timeout.
Message #
Fields #
| Name | Description |
|---|---|
IrpCode UInt8 | |
RestartCount UInt32 | |
ShareNameLength UInt16 | |
ShareName UnicodeString | |
ObjectNameLength UInt16 | |
ObjectName UnicodeString | |
Status UInt32 | NTSTATUS reference |
Reason UInt32 | |
HistoryCount UInt32 |
Event ID 30907: The SMB Multichannel registry value is not configured with default settings.
#Event ID 30908: The SMB 3 and SMB 2 driver is not configured with the default start type.
#Event ID 30909: The client supports SMB Direct (RDMA) and SMB Signing is in use.
#Event ID 30910: The client supports SMB Direct (RDMA) and SMB Encryption is in use.
#Event ID 30911: The Cipher Suite Order group policy setting is invalid.
#Event ID 30912: The RequireSecureNegotiate setting has been removed.
#Description
The RequireSecureNegotiate setting has been removed.
Message #
Event ID 30913: Server ServerName share ShareName has requested client to use isolated connections to connection to the share.
#Description
Server ServerName share ShareName has requested client to use isolated connections to connection to the share. Asymmetric flag AsymmetricFlag. Isolated transport flag IsolatedTransportFlag. NetRoot already use isolated connections IsIsolatedTransportServerEntry.
Message #
Fields #
| Name | Description |
|---|---|
ServerNameLength UInt16 | |
ServerName UnicodeString | |
ShareNameLength UInt16 | |
ShareName UnicodeString | |
AsymmetricFlag Boolean | |
IsolatedTransportFlag Boolean | |
IsIsolatedTransportServerEntry Boolean |
Event ID 30914: RDMA rundown is active.
#Event ID 30915: RDMA rundown is complete.
#Event ID 30916: Reactivation of RDMA support has commenced.
#Description
Reactivation of RDMA support has commenced.
Message #
Event ID 30917: RDMA is no longer disabled.
#Event ID 30918: SMBDirect load attempt complete.
#Event ID 30950: Component capabilities: ComponentCapabilities.
#Description
Component capabilities: ComponentCapabilities.
Message #
Fields #
| Name | Description |
|---|---|
ComponentCapabilities HexInt32 | |
PatchNumber HexInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SMBClient",
"event_id": 30950,
"level": 4,
"task": 128,
"opcode": 0,
"time_created": "2026-04-18T03:03:29.0487441+00:00",
"computer": "DESKTOP-FF3N5XK.ludus.domain",
"channel": "Microsoft-Windows-SMBClient"
},
"event_data": {
"ComponentCapabilities": "0x3",
"PatchNumber": "0x0"
}
}
Event ID 30951: The alternative port PortNumber is not a valid port within the range 0 to 65535 for mapping name ServerName:TransportName.
#Event ID 30952: The SMB redirector did not select the connection initiated with the following parameters.
#Description
The SMB redirector did not select the connection initiated with the following parameters.
Message #
Fields #
| Name | Description |
|---|---|
ServerNameLength UInt16 | |
ServerName UnicodeString | |
ConnectionType UInt32 | |
RemoteAddressLength UInt32 | |
RemoteAddress Binary | |
InstanceNameLength UInt16 | |
InstanceName UnicodeString | |
PortSelectionOrigin UInt32 | |
Status HexInt32 | NTSTATUS reference |
Event ID 30953: SMB Dialect Change.
#Event ID 30954: It took CallDuration secs to execute FunctionName.
#Event ID 30955: It took CallDuration secs to execute FunctionName which is longer than threshold of ThresholdDuration secs.
#Event ID 31000: Reason.
#Description
Reason. Error: Status Security status: SecurityStatus User name: UserName Logon ID: LogonId Serrver name: ServerName
Message #
Fields #
| Name | Description |
|---|---|
Reason UInt32 | |
Status UInt32 | NTSTATUS reference |
SecurityStatus UInt32 | |
LogonId UInt64 | |
ServerNameLength UInt16 | |
ServerName UnicodeString | |
PrincipalNameLength UInt16 | |
PrincipalName UnicodeString | |
UserNameLength UInt16 | |
UserName UnicodeString |
Event ID 31001: Reason.
#Description
Reason. Error: Status Security status: SecurityStatus User name: UserName Logon ID: LogonId Server name: ServerName Principal name: PrincipalName
Message #
Fields #
| Name | Description |
|---|---|
Reason UInt32 | |
Status UInt32 | NTSTATUS reference |
SecurityStatus UInt32 | |
LogonId UInt64 | |
ServerNameLength UInt16 | |
ServerName UnicodeString | |
PrincipalNameLength UInt16 | |
PrincipalName UnicodeString | |
UserNameLength UInt16 | |
UserName UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SMBClient",
"guid": "988C59C5-0A1C-45B6-A555-0C62276E327D",
"event_source_name": "",
"event_id": 31001,
"version": 0,
"level": 2,
"task": 0,
"opcode": 0,
"keywords": 144115188075856000,
"time_created": "2026-02-18T21:49:45.360595+00:00",
"event_record_id": 101,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 1456
},
"channel": "Microsoft-Windows-SmbClient/Security",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Reason": 10,
"Status": 3221225779,
"SecurityStatus": 3221225779,
"LogonId": 999,
"ServerNameLength": 13,
"ServerName": "\\LAB-DC01",
"PrincipalNameLength": 17,
"PrincipalName": "cifs/LAB-DC01",
"UserNameLength": 0,
"UserName": ""
},
"message": ""
}
Event ID 31002: The outbound authentication failed using a network token.
#Description
The outbound authentication failed using a network token.
Message #
Fields #
| Name | Description |
|---|---|
Reason UInt32 | |
Status UInt32 | NTSTATUS reference |
ServerNameLength UInt16 | |
ServerName UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SMBClient",
"guid": "{988C59C5-0A1C-45B6-A555-0C62276E327D}",
"event_source_name": "",
"event_id": 31002,
"version": 0,
"level": 2,
"task": 0,
"opcode": 0,
"keywords": 144115188075856000,
"time_created": "2026-05-30T01:48:18.2581895+00:00",
"event_record_id": 1589,
"correlation": {},
"execution": {
"process_id": 1900,
"thread_id": 10424
},
"channel": "Microsoft-Windows-SmbClient/Security",
"computer": "JD-WIN11-22H2-1.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"Reason": "11",
"Status": "3221225506",
"ServerNameLength": "11",
"ServerName": "\\10.2.10.11"
},
"message": "The outbound authentication failed using a network token.\r\n\r\nError: {Access Denied}\r\nA process has requested access to an object, but has not been granted those access rights.\r\n\r\nServer name: \\10.2.10.11\r\n\r\nGuidance:\r\nThis typically indicates that delegation must be configured for a Kerberos double-hop scenario. If delegation is configured, confirm that the services are configured correctly on the middle-tier server."
}
Event ID 31003: The LmCompatibilityLevel value is different from the default.
#Description
The LmCompatibilityLevel value is different from the default.
Message #
Fields #
| Name | Description |
|---|---|
RegName UnicodeString | |
RegValue UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SMBClient",
"guid": "988C59C5-0A1C-45B6-A555-0C62276E327D",
"event_source_name": "",
"event_id": 31003,
"version": 0,
"level": 3,
"task": 0,
"opcode": 0,
"keywords": 144115188075856000,
"time_created": "2026-03-14T00:02:38.010007+00:00",
"event_record_id": 15,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 992
},
"channel": "Microsoft-Windows-SmbClient/Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"RegName": "LMCompatibilityLevel",
"RegValue": 5
},
"message": ""
}
Event ID 31010: The SMB client failed to connect to the share.
#Description
The SMB client failed to connect to the share.
Message #
Fields #
| Name | Description |
|---|---|
Reason UInt32 | |
Status UInt32 | NTSTATUS reference |
ShareNameLength UInt16 | |
ShareName UnicodeString | |
ObjectNameLength UInt16 | |
ObjectName UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SMBClient",
"guid": "988C59C5-0A1C-45B6-A555-0C62276E327D",
"event_source_name": "",
"event_id": 31010,
"version": 0,
"level": 2,
"task": 0,
"opcode": 0,
"keywords": 144115188075856128,
"time_created": "2026-03-13T17:13:50.805757+00:00",
"event_record_id": 1,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Microsoft-Windows-SmbClient/Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"Reason": 12,
"Status": 3221225506,
"ShareNameLength": 14,
"ShareName": "\\10.2.10.21\\C$",
"ObjectNameLength": 0,
"ObjectName": ""
},
"message": ""
}
Event ID 31012: The negotiate validation failed.
#Event ID 31013: The signing validation failed.
#Description
The signing validation failed.
Message #
Fields #
| Name | Description |
|---|---|
Smb2Command UInt16 | |
MessageId UInt64 | |
SessionId UInt64 | |
TreeId UInt32 | |
ServerNameLength UInt16 | |
ServerName UnicodeString | |
Status UInt32 | NTSTATUS reference |
MessageSize UInt32 | |
FragmentOffset UInt32 | |
FragmentSize UInt32 | |
FragmentData Binary | |
RemoteAddressLength UInt32 | |
RemoteAddress Binary | |
LocalAddressLength UInt32 | |
LocalAddress Binary |
Event ID 31014: The client received an unencrypted message when encryption was expected.
#Description
The client received an unencrypted message when encryption was expected.
Message #
Fields #
| Name | Description |
|---|---|
Smb2Command UInt16 | |
MessageId UInt64 | |
SessionId UInt64 | |
TreeId UInt32 | |
ServerNameLength UInt16 | |
ServerName UnicodeString | |
Status UInt32 | NTSTATUS reference |
InstanceNameLength UInt16 | |
InstanceName UnicodeString | |
RetryCount UInt32 | |
ElapsedTimeInMs UInt32 | |
RemoteAddressLength UInt32 | |
RemoteAddress Binary | |
LocalAddressLength UInt32 | |
LocalAddress Binary |
Event ID 31015: Failed to decrypt an encrypted SMB message.
#Description
Failed to decrypt an encrypted SMB message.
Message #
Fields #
| Name | Description |
|---|---|
Smb2Command UInt16 | |
MessageId UInt64 | |
SessionId UInt64 | |
TreeId UInt32 | |
ServerNameLength UInt16 | |
ServerName UnicodeString | |
Status UInt32 | NTSTATUS reference |
InstanceNameLength UInt16 | |
InstanceName UnicodeString | |
RetryCount UInt32 | |
ElapsedTimeInMs UInt32 |
Event ID 31016: The SMB Signing registry value is not configured with default settings.
#Event ID 31017: Rejected an insecure guest logon.
#Description
Rejected an insecure guest logon.
Message #
Fields #
| Name | Description |
|---|---|
UserNameLength UInt16 | |
UserName UnicodeString | |
ServerNameLength UInt16 | |
ServerName UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SMBClient",
"guid": "{988C59C5-0A1C-45B6-A555-0C62276E327D}",
"event_source_name": "",
"event_id": 31017,
"version": 0,
"level": 2,
"task": 0,
"opcode": 0,
"keywords": 144115188075856000,
"time_created": "2026-03-18T00:09:50.2141543+00:00",
"event_record_id": 333,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 6232
},
"channel": "Microsoft-Windows-SmbClient/Security",
"computer": "JD-WIN11-22H2-1.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"UserNameLength": "0",
"UserName": "",
"ServerNameLength": "11",
"ServerName": "\\10.2.10.31"
},
"message": "Rejected an insecure guest logon.\r\n\r\nUser name: \r\nServer name: \\10.2.10.31\r\n\r\nGuidance:\r\nThis event indicates that the server attempted to log the user on as an unauthenticated guest and was denied by the client. Guest logons do not support standard security features such as signing and encryption. As a result, guest logons are vulnerable to man-in-the-middle attacks that can expose sensitive data on the network. Windows disables insecure guest logons by default. Microsoft does not recommend enabling insecure guest logons."
}
Event ID 31018: Guidance: An administrator has enabled AllowInsecureGuestAuth.
#Event ID 31019: Mutual authentication was unexpectedly lost after re-authenticating to ServerName.
#Description
Mutual authentication was unexpectedly lost after re-authenticating to ServerName.
Message #
Fields #
| Name | Description |
|---|---|
Reason UInt32 | |
Status UInt32 | NTSTATUS reference |
SecurityStatus UInt32 | |
LogonId UInt64 | |
ServerNameLength UInt16 | |
ServerName UnicodeString | |
UserNameLength UInt16 | |
UserName UnicodeString | |
OldAuthProtocolId UInt16 | |
NewAuthProtocolId UInt16 | |
OldMutualAuthState Boolean | |
NewMutualAuthState Boolean | |
ClusteredServer Boolean |
Event ID 31020: Session key for connection is weaker than required.
#Event ID 31021: SMB DDP security changed from OldValue to NewValue.
#Event ID 31022: Allowed an insecure guest logon.
#Event ID 31023: NTLM is prohibited for authentication on the server.
#Event ID 31997: The SMB client was logged on as Guest account.
#Event ID 31998: The SMB client observed that the server doesn't support signing.
#Event ID 31999: The SMB client observed that the server doesn't support encryption.
#Event ID 32000: SMB1 negotiate response received from remote device when SMB1 cannot be negotiated by the local computer.
#Event ID 32002: The local computer received an SMB1 negotiate response.
#Event ID 32003: The local computer didn't received an SMB1 negotiate response in the last Days days.
#Event ID 32004: SMB2 rxcontext performance work started
#Description
SMB2 rxcontext performance work started.
Message #
Fields #
| Name | Description |
|---|---|
RxContext UInt64 | |
FileNameLength UInt16 | |
FileName UnicodeString | |
MajorFunction UInt8 | |
MinorFunction UInt8 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SMBClient",
"guid": "{988C59C5-0A1C-45B6-A555-0C62276E327D}",
"event_source_name": "",
"event_id": 32004,
"version": 0,
"level": 4,
"task": 1,
"opcode": 1,
"keywords": "0x1000000000000400",
"time_created": "2026-06-02T06:03:00.005+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{72529F65-EE0F-0001-FDCB-90720FEEDC01}"
},
"execution": {
"process_id": 3824,
"thread_id": 14624
},
"channel": "ETW Trace",
"computer": "DESKTOP-FF3N5XK",
"security": {
"user_id": ""
}
},
"event_data": {
"FileName": "",
"FileNameLength": 0,
"MajorFunction": 14,
"MinorFunction": 0,
"RxContext": 18446670449117978064
},
"message": "Smb2PerfRxContextStart"
}
Event ID 32005: SMB2 exchange performance work started
#Event ID 32006: SMB2 buffer context performance work started
#Event ID 32007: SMB2 performance work transition
#Description
SMB2 performance work transition.
Message #
Fields #
| Name | Description |
|---|---|
BlockType UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SMBClient",
"guid": "{988C59C5-0A1C-45B6-A555-0C62276E327D}",
"event_source_name": "",
"event_id": 32007,
"version": 0,
"level": 4,
"task": 7,
"opcode": 0,
"keywords": "0x1000000000002000",
"time_created": "2026-06-02T06:03:00.005+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{72529F65-EE0F-0001-FDCB-90720FEEDC01}"
},
"execution": {
"process_id": 3824,
"thread_id": 14624
},
"channel": "ETW Trace",
"computer": "DESKTOP-FF3N5XK",
"security": {
"user_id": ""
}
},
"event_data": {
"BlockType": 1
},
"message": "Smb2PerfWorkTransition"
}
Event ID 32008: SMB2 rxcontext performance work read summary
#Description
SMB2 rxcontext performance work read summary.
Message #
Fields #
| Name | Description |
|---|---|
RxContext UInt64 | |
InstanceId UInt8 | |
FileObject UInt64 | |
IRP UInt64 | |
ByteCount UInt64 | |
TotalDuration UInt64 | |
Construction UInt64 | |
HitCountConstruction UInt64 | |
DispatchProcessing UInt64 | |
HitCountDispatchProcessing UInt64 | |
ReadProcessing UInt64 | |
HitCountReadProcessing UInt64 | |
CallMiniRdr_MRXSMB UInt64 | |
HitCountCallMiniRdr_MRXSMB UInt64 | |
LowIoCompletionRoutine UInt64 | |
HitCountLowIoCompletionRoutine UInt64 | |
CompleteIRP UInt64 | |
HitCountCompleteIRP UInt64 | |
PostIOCompletion UInt64 | |
HitCountPostIOCompletion UInt64 | |
PostIORetry UInt64 | |
HitCountPostIORetry UInt64 | |
AttemptTurboIORead UInt64 | |
HitCountAttemptTurboIORead UInt64 | |
AttemptTurboIOInit UInt64 | |
HitCountAttemptTurboIOInit UInt64 | |
TurboIORxCompletion UInt64 | |
HitCountTurboIORxCompletion UInt64 |
Event ID 32009: SMB2 rxcontext performance work write summary
#Description
SMB2 rxcontext performance work write summary.
Message #
Fields #
| Name | Description |
|---|---|
RxContext UInt64 | |
InstanceId UInt8 | |
FileObject UInt64 | |
IRP UInt64 | |
ByteCount UInt64 | |
TotalDuration UInt64 | |
Construction UInt64 | |
HitCountConstruction UInt64 | |
DispatchProcessing UInt64 | |
HitCountDispatchProcessing UInt64 | |
WriteProcessing UInt64 | |
HitCountWriteProcessing UInt64 | |
CallMiniRdr_MRXSMB UInt64 | |
HitCountCallMiniRdr_MRXSMB UInt64 | |
LowIoCompletionRoutine UInt64 | |
HitCountLowIoCompletionRoutine UInt64 | |
CompleteIRP UInt64 | |
HitCountCompleteIRP UInt64 | |
PostIOCompletion UInt64 | |
HitCountPostIOCompletion UInt64 | |
PostIORetry UInt64 | |
HitCountPostIORetry UInt64 | |
AttemptTurboIOWrite UInt64 | |
HitCountAttemptTurboIOWrite UInt64 | |
AttemptTurboIOInit UInt64 | |
HitCountAttemptTurboIOInit UInt64 | |
TurboIORxCompletion UInt64 | |
HitCountTurboIORxCompletion UInt64 |
Event ID 32010: SMB2 rxcontext performance work create summary
#Description
SMB2 rxcontext performance work create summary.
Message #
Fields #
| Name | Description |
|---|---|
RxContext UInt64 | |
InstanceId UInt8 | |
IRP UInt64 | |
TotalDuration UInt64 | |
Construction UInt64 | |
HitCountConstruction UInt64 | |
DispatchProcessing UInt64 | |
HitCountDispatchProcessing UInt64 | |
CreateProcessing UInt64 | |
HitCountCreateProcessing UInt64 | |
CallMiniRdr_MRXSMB UInt64 | |
HitCountCallMiniRdr_MRXSMB UInt64 | |
LowIoCompletionRoutine UInt64 | |
HitCountLowIoCompletionRoutine UInt64 | |
CompleteIRP UInt64 | |
HitCountCompleteIRP UInt64 | |
PostIOCompletion UInt64 | |
HitCountPostIOCompletion UInt64 | |
PostIORetry UInt64 | |
HitCountPostIORetry UInt64 |
Event ID 32011: SMB2 rxcontext performance work close summary
#Description
SMB2 rxcontext performance work close summary.
Message #
Fields #
| Name | Description |
|---|---|
RxContext UInt64 | |
InstanceId UInt8 | |
IRP UInt64 | |
TotalDuration UInt64 | |
Construction UInt64 | |
HitCountConstruction UInt64 | |
DispatchProcessing UInt64 | |
HitCountDispatchProcessing UInt64 | |
CloseProcessing UInt64 | |
HitCountCloseProcessing UInt64 | |
CallMiniRdr_MRXSMB UInt64 | |
HitCountCallMiniRdr_MRXSMB UInt64 | |
LowIoCompletionRoutine UInt64 | |
HitCountLowIoCompletionRoutine UInt64 | |
CompleteIRP UInt64 | |
HitCountCompleteIRP UInt64 | |
PostIOCompletion UInt64 | |
HitCountPostIOCompletion UInt64 | |
PostIORetry UInt64 | |
HitCountPostIORetry UInt64 |
Event ID 32012: SMB2 rxcontext performance work query directory summary
#Description
SMB2 rxcontext performance work query directory summary.
Message #
Fields #
| Name | Description |
|---|---|
RxContext UInt64 | |
InstanceId UInt8 | |
IRP UInt64 | |
TotalDuration UInt64 | |
Construction UInt64 | |
HitCountConstruction UInt64 | |
DispatchProcessing UInt64 | |
HitCountDispatchProcessing UInt64 | |
QueryDirectoryProcessing UInt64 | |
HitCountQueryDirectoryProcessing UInt64 | |
CallMiniRdr_MRXSMB UInt64 | |
HitCountCallMiniRdr_MRXSMB UInt64 | |
LowIoCompletionRoutine UInt64 | |
HitCountLowIoCompletionRoutine UInt64 | |
CompleteIRP UInt64 | |
HitCountCompleteIRP UInt64 | |
PostIOCompletion UInt64 | |
HitCountPostIOCompletion UInt64 | |
PostIORetry UInt64 | |
HitCountPostIORetry UInt64 |
Event ID 32013: SMB2 rxcontext performance work fsctl summary
#Description
SMB2 rxcontext performance work fsctl summary.
Message #
Fields #
| Name | Description |
|---|---|
RxContext UInt64 | |
InstanceId UInt8 | |
IRP UInt64 | |
TotalDuration UInt64 | |
Construction UInt64 | |
HitCountConstruction UInt64 | |
DispatchProcessing UInt64 | |
HitCountDispatchProcessing UInt64 | |
FsctlProcessing UInt64 | |
HitCountFsctlProcessing UInt64 | |
CallMiniRdr_MRXSMB UInt64 | |
HitCountCallMiniRdr_MRXSMB UInt64 | |
LowIoCompletionRoutine UInt64 | |
HitCountLowIoCompletionRoutine UInt64 | |
CompleteIRP UInt64 | |
HitCountCompleteIRP UInt64 | |
PostIOCompletion UInt64 | |
HitCountPostIOCompletion UInt64 | |
PostIORetry UInt64 | |
HitCountPostIORetry UInt64 |
Event ID 32028: SMB2 exchange performance work read summary
#Description
SMB2 exchange performance work read summary.
Message #
Fields #
| Name | Description |
|---|---|
Exchange UInt64 | |
RxContext UInt64 | |
ByteCount UInt64 | |
InstanceId UInt8 | |
TotalDuration UInt64 | |
RestartCount UInt64 | |
ResolvingConnectionObjects UInt64 | |
HitCountResolvingConnectionObjects UInt64 | |
CommandProcessing UInt64 | |
HitCountCommandProcessing UInt64 | |
ReadStart UInt64 | |
HitCountReadStart UInt64 | |
ReadBuildAndSendChunks UInt64 | |
HitCountReadBuildAndSendChunks UInt64 | |
CommandFinalizationCallback UInt64 | |
HitCountCommandFinalizationCallback UInt64 | |
Finalize UInt64 | |
HitCountFinalize UInt64 | |
PostFinalizeWorker UInt64 | |
HitCountPostFinalizeWorker UInt64 | |
FinalizeWorkerHitCount UInt64 | |
HitCountFinalizeWorkerHitCount UInt64 | |
TurboIOStart UInt64 | |
HitCountTurboIOStart UInt64 | |
TurboIOComplete UInt64 | |
HitCountTurboIOComplete UInt64 |
Event ID 32029: SMB2 exchange performance work write summary
#Description
SMB2 exchange performance work write summary.
Message #
Fields #
| Name | Description |
|---|---|
Exchange UInt64 | |
RxContext UInt64 | |
ByteCount UInt64 | |
InstanceId UInt8 | |
TotalDuration UInt64 | |
RestartCount UInt64 | |
ResolvingConnectionObjects UInt64 | |
HitCountResolvingConnectionObjects UInt64 | |
CommandProcessing UInt64 | |
HitCountCommandProcessing UInt64 | |
WriteStart UInt64 | |
HitCountWriteStart UInt64 | |
WriteBuildAndSendChunks UInt64 | |
HitCountWriteBuildAndSendChunks UInt64 | |
CommandFinalizationCallback UInt64 | |
HitCountCommandFinalizationCallback UInt64 | |
Finalize UInt64 | |
HitCountFinalize UInt64 | |
PostFinalizeWorker UInt64 | |
HitCountPostFinalizeWorker UInt64 | |
FinalizeWorkerHitCount UInt64 | |
HitCountFinalizeWorkerHitCount UInt64 | |
TurboIOStart UInt64 | |
HitCountTurboIOStart UInt64 | |
TurboIOComplete UInt64 | |
HitCountTurboIOComplete UInt64 |
Event ID 32030: SMB2 exchange performance work create summary
#Description
SMB2 exchange performance work create summary.
Message #
Fields #
| Name | Description |
|---|---|
Exchange UInt64 | |
InstanceId UInt8 | |
TotalDuration UInt64 | |
RestartCount UInt64 | |
ResolvingConnectionObjects UInt64 | |
HitCountResolvingConnectionObjects UInt64 | |
CommandProcessing UInt64 | |
HitCountCommandProcessing UInt64 | |
CreateStart UInt64 | |
HitCountCreateStart UInt64 | |
CommandFinalizationCallback UInt64 | |
HitCountCommandFinalizationCallback UInt64 | |
Finalize UInt64 | |
HitCountFinalize UInt64 | |
PostFinalizeWorker UInt64 | |
HitCountPostFinalizeWorker UInt64 | |
FinalizeWorkerHitCount UInt64 | |
HitCountFinalizeWorkerHitCount UInt64 |
Event ID 32031: SMB2 exchange performance work close summary
#Description
SMB2 exchange performance work close summary.
Message #
Fields #
| Name | Description |
|---|---|
Exchange UInt64 | |
InstanceId UInt8 | |
TotalDuration UInt64 | |
RestartCount UInt64 | |
ResolvingConnectionObjects UInt64 | |
HitCountResolvingConnectionObjects UInt64 | |
CommandProcessing UInt64 | |
HitCountCommandProcessing UInt64 | |
CloseStart UInt64 | |
HitCountCloseStart UInt64 | |
CommandFinalizationCallback UInt64 | |
HitCountCommandFinalizationCallback UInt64 | |
Finalize UInt64 | |
HitCountFinalize UInt64 | |
PostFinalizeWorker UInt64 | |
HitCountPostFinalizeWorker UInt64 | |
FinalizeWorkerHitCount UInt64 | |
HitCountFinalizeWorkerHitCount UInt64 |
Event ID 32032: SMB2 exchange performance work query directory summary
#Description
SMB2 exchange performance work query directory summary.
Message #
Fields #
| Name | Description |
|---|---|
Exchange UInt64 | |
InstanceId UInt8 | |
TotalDuration UInt64 | |
RestartCount UInt64 | |
ResolvingConnectionObjects UInt64 | |
HitCountResolvingConnectionObjects UInt64 | |
CommandProcessing UInt64 | |
HitCountCommandProcessing UInt64 | |
QueryDirectoryStart UInt64 | |
HitCountQueryDirectoryStart UInt64 | |
CommandFinalizationCallback UInt64 | |
HitCountCommandFinalizationCallback UInt64 | |
Finalize UInt64 | |
HitCountFinalize UInt64 | |
PostFinalizeWorker UInt64 | |
HitCountPostFinalizeWorker UInt64 | |
FinalizeWorkerHitCount UInt64 | |
HitCountFinalizeWorkerHitCount UInt64 |
Event ID 32033: SMB2 exchange performance work fsctl summary
#Description
SMB2 exchange performance work fsctl summary.
Message #
Fields #
| Name | Description |
|---|---|
Exchange UInt64 | |
InstanceId UInt8 | |
TotalDuration UInt64 | |
RestartCount UInt64 | |
ResolvingConnectionObjects UInt64 | |
HitCountResolvingConnectionObjects UInt64 | |
CommandProcessing UInt64 | |
HitCountCommandProcessing UInt64 | |
FsctlStart UInt64 | |
HitCountFsctlStart UInt64 | |
CommandFinalizationCallback UInt64 | |
HitCountCommandFinalizationCallback UInt64 | |
Finalize UInt64 | |
HitCountFinalize UInt64 | |
PostFinalizeWorker UInt64 | |
HitCountPostFinalizeWorker UInt64 | |
FinalizeWorkerHitCount UInt64 | |
HitCountFinalizeWorkerHitCount UInt64 |
Event ID 32048: SMB2 buffer context performance work read summary
#Description
SMB2 buffer context performance work read summary.
Message #
Fields #
| Name | Description |
|---|---|
BufferContext UInt64 | |
Exchange UInt64 | |
ByteCount UInt64 | |
InstanceId UInt8 | |
TotalDuration UInt64 | |
Initialized UInt64 | |
HitCountInitialized UInt64 | |
WriteRDMABufferRegistration UInt64 | |
HitCountWriteRDMABufferRegistration UInt64 | |
RDMAGetDescriptors UInt64 | |
HitCountRDMAGetDescriptors UInt64 | |
AssociateMID UInt64 | |
HitCountAssociateMID UInt64 | |
Assembly UInt64 | |
HitCountAssembly UInt64 | |
BeginSmbSend UInt64 | |
HitCountBeginSmbSend UInt64 | |
BeginSmbSendAsyncPostWorkerCount UInt64 | |
HitCountBeginSmbSendAsyncPostWorkerCount UInt64 | |
SmbdPrepareSend UInt64 | |
HitCountSmbdPrepareSend UInt64 | |
ServerTimeTakenToReply UInt64 | |
HitCountServerTimeTakenToReply UInt64 | |
ReadReceive UInt64 | |
HitCountReadReceive UInt64 |
Event ID 32049: SMB2 buffer context performance work write summary
#Description
SMB2 buffer context performance work write summary.
Message #
Fields #
| Name | Description |
|---|---|
BufferContext UInt64 | |
Exchange UInt64 | |
ByteCount UInt64 | |
InstanceId UInt8 | |
TotalDuration UInt64 | |
Initialized UInt64 | |
HitCountInitialized UInt64 | |
ReadRDMABufferRegistration UInt64 | |
HitCountReadRDMABufferRegistration UInt64 | |
RDMAGetDescriptors UInt64 | |
HitCountRDMAGetDescriptors UInt64 | |
AssociateMID UInt64 | |
HitCountAssociateMID UInt64 | |
Assembly UInt64 | |
HitCountAssembly UInt64 | |
BeginSmbSend UInt64 | |
HitCountBeginSmbSend UInt64 | |
BeginSmbSendAsyncPostWorkerCount UInt64 | |
HitCountBeginSmbSendAsyncPostWorkerCount UInt64 | |
SmbdPrepareSend UInt64 | |
HitCountSmbdPrepareSend UInt64 | |
ServerTimeTakenToReply UInt64 | |
HitCountServerTimeTakenToReply UInt64 | |
WriteReceive UInt64 | |
HitCountWriteReceive UInt64 |
Event ID 32050: SMB2 buffer context performance work create summary
#Description
SMB2 buffer context performance work create summary.
Message #
Fields #
| Name | Description |
|---|---|
BufferContext UInt64 | |
InstanceId UInt8 | |
TotalDuration UInt64 | |
Initialized UInt64 | |
HitCountInitialized UInt64 | |
RDMAGetDescriptors UInt64 | |
HitCountRDMAGetDescriptors UInt64 | |
AssociateMID UInt64 | |
HitCountAssociateMID UInt64 | |
Assembly UInt64 | |
HitCountAssembly UInt64 | |
BeginSmbSend UInt64 | |
HitCountBeginSmbSend UInt64 | |
BeginSmbSendAsyncPostWorkerCount UInt64 | |
HitCountBeginSmbSendAsyncPostWorkerCount UInt64 | |
SmbdPrepareSend UInt64 | |
HitCountSmbdPrepareSend UInt64 | |
ServerTimeTakenToReply UInt64 | |
HitCountServerTimeTakenToReply UInt64 | |
CreateReceive UInt64 | |
HitCountCreateReceive UInt64 |
Event ID 32051: SMB2 buffer context performance work close summary
#Description
SMB2 buffer context performance work close summary.
Message #
Fields #
| Name | Description |
|---|---|
BufferContext UInt64 | |
InstanceId UInt8 | |
TotalDuration UInt64 | |
Initialized UInt64 | |
HitCountInitialized UInt64 | |
RDMAGetDescriptors UInt64 | |
HitCountRDMAGetDescriptors UInt64 | |
AssociateMID UInt64 | |
HitCountAssociateMID UInt64 | |
Assembly UInt64 | |
HitCountAssembly UInt64 | |
BeginSmbSend UInt64 | |
HitCountBeginSmbSend UInt64 | |
BeginSmbSendAsyncPostWorkerCount UInt64 | |
HitCountBeginSmbSendAsyncPostWorkerCount UInt64 | |
SmbdPrepareSend UInt64 | |
HitCountSmbdPrepareSend UInt64 | |
ServerTimeTakenToReply UInt64 | |
HitCountServerTimeTakenToReply UInt64 | |
CloseReceive UInt64 | |
HitCountCloseReceive UInt64 |
Event ID 32052: SMB2 buffer context performance work query directory summary
#Description
SMB2 buffer context performance work query directory summary.
Message #
Fields #
| Name | Description |
|---|---|
BufferContext UInt64 | |
InstanceId UInt8 | |
TotalDuration UInt64 | |
Initialized UInt64 | |
HitCountInitialized UInt64 | |
RDMAGetDescriptors UInt64 | |
HitCountRDMAGetDescriptors UInt64 | |
AssociateMID UInt64 | |
HitCountAssociateMID UInt64 | |
Assembly UInt64 | |
HitCountAssembly UInt64 | |
BeginSmbSend UInt64 | |
HitCountBeginSmbSend UInt64 | |
BeginSmbSendAsyncPostWorkerCount UInt64 | |
HitCountBeginSmbSendAsyncPostWorkerCount UInt64 | |
SmbdPrepareSend UInt64 | |
HitCountSmbdPrepareSend UInt64 | |
ServerTimeTakenToReply UInt64 | |
HitCountServerTimeTakenToReply UInt64 | |
QueryDirectoryReceive UInt64 | |
HitCountQueryDirectoryReceive UInt64 |
Event ID 32053: SMB2 buffer context performance work fsctl summary
#Description
SMB2 buffer context performance work fsctl summary.
Message #
Fields #
| Name | Description |
|---|---|
BufferContext UInt64 | |
InstanceId UInt8 | |
TotalDuration UInt64 | |
Initialized UInt64 | |
HitCountInitialized UInt64 | |
RDMAGetDescriptors UInt64 | |
HitCountRDMAGetDescriptors UInt64 | |
AssociateMID UInt64 | |
HitCountAssociateMID UInt64 | |
Assembly UInt64 | |
HitCountAssembly UInt64 | |
BeginSmbSend UInt64 | |
HitCountBeginSmbSend UInt64 | |
BeginSmbSendAsyncPostWorkerCount UInt64 | |
HitCountBeginSmbSendAsyncPostWorkerCount UInt64 | |
SmbdPrepareSend UInt64 | |
HitCountSmbdPrepareSend UInt64 | |
ServerTimeTakenToReply UInt64 | |
HitCountServerTimeTakenToReply UInt64 | |
FsctlReceive UInt64 | |
HitCountFsctlReceive UInt64 |
Event ID 32068: SMB2 FCB capture summary
#Description
SMB2 FCB capture summary.
Message #
Fields #
| Name | Description |
|---|---|
InstanceId UInt8 | |
PrefixLength UInt16 | |
Prefix UnicodeString | |
ServerShareLength UInt16 | |
ServerShare UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SMBClient",
"guid": "{988C59C5-0A1C-45B6-A555-0C62276E327D}",
"event_source_name": "",
"event_id": 32068,
"version": 0,
"level": 4,
"task": 26,
"opcode": 0,
"keywords": "0x1000000000001000",
"time_created": "2026-06-02T04:01:25.060+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 10452,
"thread_id": 9120
},
"channel": "ETW Trace",
"computer": "DESKTOP-FF3N5XK",
"security": {
"user_id": ""
}
},
"event_data": {
"InstanceId": 0,
"Prefix": "\\ludus.domain\\Policies\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\Machine",
"PrefixLength": 69,
"ServerShare": "\\JD-DC01-2022.ludus.domain\\SysVol",
"ServerShareLength": 33
},
"message": "Smb2PerfFCBCaptureSummary"
}
Event ID 40000: Packet (PacketSize bytes).
#Description
Packet (PacketSize bytes).
Message #
Fields #
| Name | Description |
|---|---|
ConnectionType UInt32 | |
PeerAddressLength UInt32 | |
PeerAddress Binary | |
PacketSize UInt32 | |
PacketData Binary |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SMBClient",
"guid": "{988C59C5-0A1C-45B6-A555-0C62276E327D}",
"event_source_name": "",
"event_id": 40000,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": "0x0800040000000000",
"time_created": "2026-06-02T06:02:54.813+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000011-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": 4,
"thread_id": 8936
},
"channel": "ETW Trace",
"computer": "DESKTOP-FF3N5XK",
"security": {
"user_id": ""
}
},
"event_data": {
"ConnectionType": 1,
"PacketData": "FE534D4240000100000000000400010018000000000000000600000000000000FFFE0000010000002D0000C0006000000C3555C95D82470760BFBAA6B8B39F0404000000",
"PacketSize": 68,
"PeerAddress": "020001BD0A020A0B000000000000000002311DCA79F431303A1A0D31",
"PeerAddressLength": 28
},
"message": "Packet "
}
Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID {988C59C5-0A1C-45B6-A555-0C62276E327D}
Defined in mrxsmb.sys, the binary that emits these events.
Observed on:
- WS2022-20348.4893, sample captured from a live trace, binary version 10.0.20348.3932, captured 2026-06-02
- Win11-26200.6584, sample captured from a live trace, binary version 10.0.26100.4768, captured 2026-06-02
- WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.3932, captured 2026-06-02
- Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.4768, captured 2026-06-02