Microsoft-Windows-SMBServer
207 events across 7 channels
Event ID 1: SMB2 Request Negotiate
Description
SMB2 Request Negotiate.
Message
Fields
| Name | Type | Description |
|---|---|---|
| SessionId | UInt64 | |
| ProcessId | UInt32 | |
| TreeId | UInt32 | |
| MessageId | UInt64 | |
| MasterMessageId | UInt64 | |
| Command | UInt16 | |
| CreditsRequested | UInt16 | |
| Flags | UInt32 | |
| SecurityMode | UInt16 | |
| Capabilities | UInt32 | |
| DialectCount | UInt16 | |
| Dialects | UInt16 | |
| ClientGuid | GUID | |
| ConnectionGUID | GUID | |
Event ID 2: SMB2 Request Session Setup
Description
SMB2 Request Session Setup.
Message
Fields
| Name | Type | Description |
|---|---|---|
| SessionId | UInt64 | |
| ProcessId | UInt32 | |
| TreeId | UInt32 | |
| MessageId | UInt64 | |
| MasterMessageId | UInt64 | |
| Command | UInt16 | |
| CreditsRequested | UInt16 | |
| Flags | UInt32 | |
| VcNumber | UInt8 | |
| SecurityMode | UInt8 | |
| Capabilities | UInt32 | |
| Channel | UInt32 | |
| PreviousSessionId | UInt64 | |
| ConnectionGUID | GUID | |
| SessionGUID | GUID | |
Event ID 3: SMB2 Request Logoff
Event ID 4: SMB2 Request Tree Connect
Event ID 5: SMB2 Request Tree Disconnect
Event ID 6: SMB2 Request Echo
Event ID 7: SMB2 Request Cancel
Event ID 8: SMB2 Request Create
Description
SMB2 Request Create.
Message
Fields
| Name | Type | Description |
|---|---|---|
| SessionId | UInt64 | |
| ProcessId | UInt32 | |
| TreeId | UInt32 | |
| MessageId | UInt64 | |
| MasterMessageId | UInt64 | |
| Command | UInt16 | |
| CreditsRequested | UInt16 | |
| Flags | UInt32 | |
| SecurityFlags | UInt8 | |
| RequestedOplockLevel | UInt8 | |
| ImpersonationLevel | UInt32 | Impersonation level (SecurityAnonymous=0, SecurityIdentification=1, SecurityImpersonation=2, SecurityDelegation=3). Known values |
| CreateFlags | UInt64 | |
| RootDirectoryFid | UInt64 | |
| DesiredAccess | Int32 | Process access rights reference |
| FileAttributes | Int32 | |
| ShareAccess | Int32 | |
| CreateDisposition | Int32 | |
| CreateOptions | Int32 | |
| NameLength | UInt16 | |
| FileName | UnicodeString | |
| CreateContextsCount | UInt32 | |
| LeaseKey | GUID | |
| LeaseLevel | UInt32 | |
| ConnectionGUID | GUID | |
| SessionGUID | GUID | |
| TreeConnectGUID | GUID | |
Event ID 9: SMB2 Request Close
Event ID 10: SMB2 Request Flush
Event ID 11: SMB2 Request Read
Description
SMB2 Request Read.
Message
Fields
| Name | Type | Description |
|---|---|---|
| SessionId | UInt64 | |
| ProcessId | UInt32 | |
| TreeId | UInt32 | |
| MessageId | UInt64 | |
| MasterMessageId | UInt64 | |
| Command | UInt16 | |
| CreditsRequested | UInt16 | |
| Flags | UInt32 | |
| Length | UInt32 | |
| Offset | UInt64 | |
| FileId | UInt64 | |
| MinimumCount | UInt32 | |
| Channel | UInt32 | |
| RemainingBytes | UInt32 | |
| ReadChannelInfoOffset | UInt16 | |
| ReadChannelInfoLength | UInt16 | |
| ConnectionGUID | GUID | |
| SessionGUID | GUID | |
| TreeConnectGUID | GUID | |
| FileGUID | GUID | |
Event ID 12: SMB2 Request Write
Description
SMB2 Request Write.
Message
Fields
| Name | Type | Description |
|---|---|---|
| SessionId | UInt64 | |
| ProcessId | UInt32 | |
| TreeId | UInt32 | |
| MessageId | UInt64 | |
| MasterMessageId | UInt64 | |
| Command | UInt16 | |
| CreditsRequested | UInt16 | |
| Flags | UInt32 | |
| Length | UInt32 | |
| Offset | UInt64 | |
| FileId | UInt64 | |
| Channel | UInt32 | |
| RemainingBytes | UInt32 | |
| WriteChannelInfoOffset | UInt16 | |
| WriteChannelInfoLength | UInt16 | |
| WriteFlags | UInt32 | |
| ConnectionGUID | GUID | |
| SessionGUID | GUID | |
| TreeConnectGUID | GUID | |
| FileGUID | GUID | |
Event ID 13: SMB2 Request Break Oplock
Event ID 14: SMB2 Request Notify Break Lease
Description
SMB2 Request Notify Break Lease.
Message
Fields
| Name | Type | Description |
|---|---|---|
| SessionId | UInt64 | |
| ProcessId | UInt32 | |
| TreeId | UInt32 | |
| MessageId | UInt64 | |
| MasterMessageId | UInt64 | |
| Command | UInt16 | |
| CreditsRequested | UInt16 | |
| Flags | UInt32 | |
| LeaseFlags | UInt32 | |
| CurrentLeaseState | UInt32 | |
| NewLeaseState | UInt32 | |
| BreakReason | UInt32 | |
| AccessMaskHint | UInt32 | |
| ShareMaskHint | UInt32 | |
| LeaseKey | GUID | |
| ConnectionGUID | GUID | |
| SessionGUID | GUID | |
| TreeConnectGUID | GUID | |
| FileGUID | GUID | |
Event ID 15: SMB2 Request Acknowledge Break Lease
Description
SMB2 Request Acknowledge Break Lease.
Message
Fields
| Name | Type | Description |
|---|---|---|
| SessionId | UInt64 | |
| ProcessId | UInt32 | |
| TreeId | UInt32 | |
| MessageId | UInt64 | |
| MasterMessageId | UInt64 | |
| Command | UInt16 | |
| CreditsRequested | UInt16 | |
| Flags | UInt32 | |
| LeaseFlags | UInt32 | |
| LeaseState | UInt32 | |
| LeaseDuration | Int64 | |
| LeaseKey | GUID | |
| ConnectionGUID | GUID | |
| SessionGUID | GUID | |
| TreeConnectGUID | GUID | |
| FileGUID | GUID | |
Event ID 16: SMB2 Request Lock
Description
SMB2 Request Lock.
Message
Fields
| Name | Type | Description |
|---|---|---|
| SessionId | UInt64 | |
| ProcessId | UInt32 | |
| TreeId | UInt32 | |
| MessageId | UInt64 | |
| MasterMessageId | UInt64 | |
| Command | UInt16 | |
| CreditsRequested | UInt16 | |
| Flags | UInt32 | |
| FileId | UInt64 | |
| ConnectionGUID | GUID | |
| SessionGUID | GUID | |
| TreeConnectGUID | GUID | |
| FileGUID | GUID | |
| LockCount | UInt16 | |
| Locks | GUID | |
Event ID 17: SMB2 Request Ioctl
Description
SMB2 Request Ioctl.
Message
Fields
| Name | Type | Description |
|---|---|---|
| SessionId | UInt64 | |
| ProcessId | UInt32 | |
| TreeId | UInt32 | |
| MessageId | UInt64 | |
| MasterMessageId | UInt64 | |
| Command | UInt16 | |
| CreditsRequested | UInt16 | |
| Flags | UInt32 | |
| FileId | UInt64 | |
| ControlCode | UInt32 | |
| IoctlFlags | UInt32 | |
| ConnectionGUID | GUID | |
| SessionGUID | GUID | |
| TreeConnectGUID | GUID | |
| FileGUID | GUID | |
Event ID 18: SMB2 Request Query Directory
Description
SMB2 Request Query Directory.
Message
Fields
| Name | Type | Description |
|---|---|---|
| SessionId | UInt64 | |
| ProcessId | UInt32 | |
| TreeId | UInt32 | |
| MessageId | UInt64 | |
| MasterMessageId | UInt64 | |
| Command | UInt16 | |
| CreditsRequested | UInt16 | |
| Flags | UInt32 | |
| FileInformationClass | UInt8 | |
| QueryDirectoryFlags | UInt8 | |
| FileIndex | UInt32 | |
| FileId | UInt64 | |
| OutputBufferLength | UInt32 | |
| NameLength | UInt16 | |
| FileName | UnicodeString | |
| ConnectionGUID | GUID | |
| SessionGUID | GUID | |
| TreeConnectGUID | GUID | |
| FileGUID | GUID | |
Event ID 19: SMB2 Request Change Notify
Description
SMB2 Request Change Notify.
Message
Fields
| Name | Type | Description |
|---|---|---|
| SessionId | UInt64 | |
| ProcessId | UInt32 | |
| TreeId | UInt32 | |
| MessageId | UInt64 | |
| MasterMessageId | UInt64 | |
| Command | UInt16 | |
| CreditsRequested | UInt16 | |
| Flags | UInt32 | |
| ChangeNotifyFlags | UInt16 | |
| FileId | UInt64 | |
| OutputBufferLength | UInt32 | |
| CompletionFilter | UInt32 | |
| ConnectionGUID | GUID | |
| SessionGUID | GUID | |
| TreeConnectGUID | GUID | |
| FileGUID | GUID | |
Event ID 20: SMB2 Request Query Info
Description
SMB2 Request Query Info.
Message
Fields
| Name | Type | Description |
|---|---|---|
| SessionId | UInt64 | |
| ProcessId | UInt32 | |
| TreeId | UInt32 | |
| MessageId | UInt64 | |
| MasterMessageId | UInt64 | |
| Command | UInt16 | |
| CreditsRequested | UInt16 | |
| Flags | UInt32 | |
| InfoType | UInt8 | |
| InfoClass | UInt8 | |
| OutputBufferLength | UInt32 | |
| SecurityInformation | UInt32 | |
| QueryInfoFlags | UInt32 | |
| FileId | UInt64 | |
| ConnectionGUID | GUID | |
| SessionGUID | GUID | |
| TreeConnectGUID | GUID | |
| FileGUID | GUID | |
Event ID 21: SMB2 Request Set Info
Description
SMB2 Request Set Info.
Message
Fields
| Name | Type | Description |
|---|---|---|
| SessionId | UInt64 | |
| ProcessId | UInt32 | |
| TreeId | UInt32 | |
| MessageId | UInt64 | |
| MasterMessageId | UInt64 | |
| Command | UInt16 | |
| CreditsRequested | UInt16 | |
| Flags | UInt32 | |
| InfoType | UInt8 | |
| InfoClass | UInt8 | |
| SecurityInformation | UInt32 | |
| FileId | UInt64 | |
| OutputBufferLength | UInt32 | |
| OutputBuffer | Binary | |
| ConnectionGUID | GUID | |
| SessionGUID | GUID | |
| TreeConnectGUID | GUID | |
| FileGUID | GUID | |
Event ID 101: SMB2 Response Negotiate
Description
SMB2 Response Negotiate.
Message
Fields
| Name | Type | Description |
|---|---|---|
| SessionId | UInt64 | |
| ProcessId | UInt32 | |
| TreeId | UInt32 | |
| MessageId | UInt64 | |
| MasterMessageId | UInt64 | |
| Command | UInt16 | |
| CreditsGranted | UInt16 | |
| Flags | UInt32 | |
| Status | UInt32 | NTSTATUS reference |
| Srv2Instance | UInt32 | |
| ProcessingHits | UInt32 | |
| ProcessingTime | UInt64 | |
| QueueHits | UInt32 | |
| QueueTime | UInt64 | |
| FileSystemFastHits | UInt32 | |
| FileSystemFastTime | UInt64 | |
| FileSystemSlowHits | UInt32 | |
| FileSystemSlowTime | UInt64 | |
| TransportFastHits | UInt32 | |
| TransportFastTime | UInt64 | |
| TransportSlowHits | UInt32 | |
| TransportSlowTime | UInt64 | |
| SecurityHits | UInt32 | |
| SecurityTime | UInt64 | |
| TotalTime | UInt64 | |
| SecurityMode | UInt16 | |
| DialectRevision | UInt16 | |
| Capabilities | UInt32 | |
| MaxTransactSize | UInt32 | |
| MaxReadSize | UInt32 | |
| MaxWriteSize | UInt32 | |
| SystemTime | UInt64 | |
| ConnectionGUID | GUID | |
Event ID 102: SMB2 Response Session Setup
Description
SMB2 Response Session Setup.
Message
Fields
| Name | Type | Description |
|---|---|---|
| SessionId | UInt64 | |
| ProcessId | UInt32 | |
| TreeId | UInt32 | |
| MessageId | UInt64 | |
| MasterMessageId | UInt64 | |
| Command | UInt16 | |
| CreditsGranted | UInt16 | |
| Flags | UInt32 | |
| Status | UInt32 | NTSTATUS reference |
| Srv2Instance | UInt32 | |
| ProcessingHits | UInt32 | |
| ProcessingTime | UInt64 | |
| QueueHits | UInt32 | |
| QueueTime | UInt64 | |
| FileSystemFastHits | UInt32 | |
| FileSystemFastTime | UInt64 | |
| FileSystemSlowHits | UInt32 | |
| FileSystemSlowTime | UInt64 | |
| TransportFastHits | UInt32 | |
| TransportFastTime | UInt64 | |
| TransportSlowHits | UInt32 | |
| TransportSlowTime | UInt64 | |
| SecurityHits | UInt32 | |
| SecurityTime | UInt64 | |
| TotalTime | UInt64 | |
| SessionFlags | UInt16 | |
| ConnectionGUID | GUID | |
| SessionGUID | GUID | |
Event ID 103: SMB2 Response Logoff
Description
SMB2 Response Logoff.
Message
Fields
| Name | Type | Description |
|---|---|---|
| SessionId | UInt64 | |
| ProcessId | UInt32 | |
| TreeId | UInt32 | |
| MessageId | UInt64 | |
| MasterMessageId | UInt64 | |
| Command | UInt16 | |
| CreditsGranted | UInt16 | |
| Flags | UInt32 | |
| Status | UInt32 | NTSTATUS reference |
| Srv2Instance | UInt32 | |
| ProcessingHits | UInt32 | |
| ProcessingTime | UInt64 | |
| QueueHits | UInt32 | |
| QueueTime | UInt64 | |
| FileSystemFastHits | UInt32 | |
| FileSystemFastTime | UInt64 | |
| FileSystemSlowHits | UInt32 | |
| FileSystemSlowTime | UInt64 | |
| TransportFastHits | UInt32 | |
| TransportFastTime | UInt64 | |
| TransportSlowHits | UInt32 | |
| TransportSlowTime | UInt64 | |
| SecurityHits | UInt32 | |
| SecurityTime | UInt64 | |
| TotalTime | UInt64 | |
| ConnectionGUID | GUID | |
| SessionGUID | GUID | |
Event ID 104: SMB2 Response Tree Connect
Description
SMB2 Response Tree Connect.
Message
Fields
| Name | Type | Description |
|---|---|---|
| SessionId | UInt64 | |
| ProcessId | UInt32 | |
| TreeId | UInt32 | |
| MessageId | UInt64 | |
| MasterMessageId | UInt64 | |
| Command | UInt16 | |
| CreditsGranted | UInt16 | |
| Flags | UInt32 | |
| Status | UInt32 | NTSTATUS reference |
| Srv2Instance | UInt32 | |
| ProcessingHits | UInt32 | |
| ProcessingTime | UInt64 | |
| QueueHits | UInt32 | |
| QueueTime | UInt64 | |
| FileSystemFastHits | UInt32 | |
| FileSystemFastTime | UInt64 | |
| FileSystemSlowHits | UInt32 | |
| FileSystemSlowTime | UInt64 | |
| TransportFastHits | UInt32 | |
| TransportFastTime | UInt64 | |
| TransportSlowHits | UInt32 | |
| TransportSlowTime | UInt64 | |
| SecurityHits | UInt32 | |
| SecurityTime | UInt64 | |
| TotalTime | UInt64 | |
| ShareType | UInt8 | |
| ShareFlags | UInt32 | |
| Capabilities | UInt32 | |
| MaximalAccess | UInt32 | |
| ConnectionGUID | GUID | |
| SessionGUID | GUID | |
| TreeConnectGUID | GUID | |
Event ID 105: SMB2 Response Tree Disconnect
Description
SMB2 Response Tree Disconnect.
Message
Fields
| Name | Type | Description |
|---|---|---|
| SessionId | UInt64 | |
| ProcessId | UInt32 | |
| TreeId | UInt32 | |
| MessageId | UInt64 | |
| MasterMessageId | UInt64 | |
| Command | UInt16 | |
| CreditsGranted | UInt16 | |
| Flags | UInt32 | |
| Status | UInt32 | NTSTATUS reference |
| Srv2Instance | UInt32 | |
| ProcessingHits | UInt32 | |
| ProcessingTime | UInt64 | |
| QueueHits | UInt32 | |
| QueueTime | UInt64 | |
| FileSystemFastHits | UInt32 | |
| FileSystemFastTime | UInt64 | |
| FileSystemSlowHits | UInt32 | |
| FileSystemSlowTime | UInt64 | |
| TransportFastHits | UInt32 | |
| TransportFastTime | UInt64 | |
| TransportSlowHits | UInt32 | |
| TransportSlowTime | UInt64 | |
| SecurityHits | UInt32 | |
| SecurityTime | UInt64 | |
| TotalTime | UInt64 | |
| ConnectionGUID | GUID | |
| SessionGUID | GUID | |
| TreeConnectGUID | GUID | |
Event ID 106: SMB2 Response Echo
Description
SMB2 Response Echo.
Message
Fields
| Name | Type | Description |
|---|---|---|
| SessionId | UInt64 | |
| ProcessId | UInt32 | |
| TreeId | UInt32 | |
| MessageId | UInt64 | |
| MasterMessageId | UInt64 | |
| Command | UInt16 | |
| CreditsGranted | UInt16 | |
| Flags | UInt32 | |
| Status | UInt32 | NTSTATUS reference |
| Srv2Instance | UInt32 | |
| ProcessingHits | UInt32 | |
| ProcessingTime | UInt64 | |
| QueueHits | UInt32 | |
| QueueTime | UInt64 | |
| FileSystemFastHits | UInt32 | |
| FileSystemFastTime | UInt64 | |
| FileSystemSlowHits | UInt32 | |
| FileSystemSlowTime | UInt64 | |
| TransportFastHits | UInt32 | |
| TransportFastTime | UInt64 | |
| TransportSlowHits | UInt32 | |
| TransportSlowTime | UInt64 | |
| SecurityHits | UInt32 | |
| SecurityTime | UInt64 | |
| TotalTime | UInt64 | |
| ConnectionGUID | GUID | |
Event ID 108: SMB2 Response Create
Description
SMB2 Response Create.
Message
Fields
| Name | Type | Description |
|---|---|---|
| SessionId | UInt64 | |
| ProcessId | UInt32 | |
| TreeId | UInt32 | |
| MessageId | UInt64 | |
| MasterMessageId | UInt64 | |
| Command | UInt16 | |
| CreditsGranted | UInt16 | |
| Flags | UInt32 | |
| Status | UInt32 | NTSTATUS reference |
| Srv2Instance | UInt32 | |
| ProcessingHits | UInt32 | |
| ProcessingTime | UInt64 | |
| QueueHits | UInt32 | |
| QueueTime | UInt64 | |
| FileSystemFastHits | UInt32 | |
| FileSystemFastTime | UInt64 | |
| FileSystemSlowHits | UInt32 | |
| FileSystemSlowTime | UInt64 | |
| TransportFastHits | UInt32 | |
| TransportFastTime | UInt64 | |
| TransportSlowHits | UInt32 | |
| TransportSlowTime | UInt64 | |
| SecurityHits | UInt32 | |
| SecurityTime | UInt64 | |
| TotalTime | UInt64 | |
| OplockLevel | UInt8 | |
| CreateAction | UInt32 | |
| CreationTime | UInt64 | |
| LastAccessTime | UInt64 | |
| LastWriteTime | UInt64 | |
| LastChangeTime | UInt64 | |
| AllocationSize | UInt64 | |
| EndOfFile | UInt64 | |
| FileAttributes | UInt32 | |
| FileId | UInt64 | |
| CreateContextsCount | UInt32 | |
| LeaseKey | GUID | |
| LeaseLevel | UInt32 | |
| ConnectionGUID | GUID | |
| SessionGUID | GUID | |
| TreeConnectGUID | GUID | |
| FileGUID | GUID | |
Event ID 109: SMB2 Response Close
Description
SMB2 Response Close.
Message
Fields
| Name | Type | Description |
|---|---|---|
| SessionId | UInt64 | |
| ProcessId | UInt32 | |
| TreeId | UInt32 | |
| MessageId | UInt64 | |
| MasterMessageId | UInt64 | |
| Command | UInt16 | |
| CreditsGranted | UInt16 | |
| Flags | UInt32 | |
| Status | UInt32 | NTSTATUS reference |
| Srv2Instance | UInt32 | |
| ProcessingHits | UInt32 | |
| ProcessingTime | UInt64 | |
| QueueHits | UInt32 | |
| QueueTime | UInt64 | |
| FileSystemFastHits | UInt32 | |
| FileSystemFastTime | UInt64 | |
| FileSystemSlowHits | UInt32 | |
| FileSystemSlowTime | UInt64 | |
| TransportFastHits | UInt32 | |
| TransportFastTime | UInt64 | |
| TransportSlowHits | UInt32 | |
| TransportSlowTime | UInt64 | |
| SecurityHits | UInt32 | |
| SecurityTime | UInt64 | |
| TotalTime | UInt64 | |
| CloseFlags | UInt16 | |
| CreationTime | UInt64 | |
| LastAccessTime | UInt64 | |
| LastWriteTime | UInt64 | |
| ChangeTime | UInt64 | |
| AllocationSize | UInt64 | |
| EndOfFile | UInt64 | |
| FileAttributes | UInt32 | |
| ConnectionGUID | GUID | |
| SessionGUID | GUID | |
| TreeConnectGUID | GUID | |
| FileGUID | GUID | |
Event ID 110: SMB2 Response Flush
Description
SMB2 Response Flush.
Message
Fields
| Name | Type | Description |
|---|---|---|
| SessionId | UInt64 | |
| ProcessId | UInt32 | |
| TreeId | UInt32 | |
| MessageId | UInt64 | |
| MasterMessageId | UInt64 | |
| Command | UInt16 | |
| CreditsGranted | UInt16 | |
| Flags | UInt32 | |
| Status | UInt32 | NTSTATUS reference |
| Srv2Instance | UInt32 | |
| ProcessingHits | UInt32 | |
| ProcessingTime | UInt64 | |
| QueueHits | UInt32 | |
| QueueTime | UInt64 | |
| FileSystemFastHits | UInt32 | |
| FileSystemFastTime | UInt64 | |
| FileSystemSlowHits | UInt32 | |
| FileSystemSlowTime | UInt64 | |
| TransportFastHits | UInt32 | |
| TransportFastTime | UInt64 | |
| TransportSlowHits | UInt32 | |
| TransportSlowTime | UInt64 | |
| SecurityHits | UInt32 | |
| SecurityTime | UInt64 | |
| TotalTime | UInt64 | |
| ConnectionGUID | GUID | |
| SessionGUID | GUID | |
| TreeConnectGUID | GUID | |
| FileGUID | GUID | |
Event ID 111: SMB2 Response Read
Description
SMB2 Response Read.
Message
Fields
| Name | Type | Description |
|---|---|---|
| SessionId | UInt64 | |
| ProcessId | UInt32 | |
| TreeId | UInt32 | |
| MessageId | UInt64 | |
| MasterMessageId | UInt64 | |
| Command | UInt16 | |
| CreditsGranted | UInt16 | |
| Flags | UInt32 | |
| Status | UInt32 | NTSTATUS reference |
| Srv2Instance | UInt32 | |
| ProcessingHits | UInt32 | |
| ProcessingTime | UInt64 | |
| QueueHits | UInt32 | |
| QueueTime | UInt64 | |
| FileSystemFastHits | UInt32 | |
| FileSystemFastTime | UInt64 | |
| FileSystemSlowHits | UInt32 | |
| FileSystemSlowTime | UInt64 | |
| TransportFastHits | UInt32 | |
| TransportFastTime | UInt64 | |
| TransportSlowHits | UInt32 | |
| TransportSlowTime | UInt64 | |
| TransportDPHits | UInt32 | |
| TransportDPTime | UInt64 | |
| SecurityHits | UInt32 | |
| SecurityTime | UInt64 | |
| TotalTime | UInt64 | |
| LengthRead | UInt32 | |
| ConnectionGUID | GUID | |
| SessionGUID | GUID | |
| TreeConnectGUID | GUID | |
| FileGUID | GUID | |
| FileId | UInt64 | |
Event ID 112: SMB2 Response Write
Description
SMB2 Response Write.
Message
Fields
| Name | Type | Description |
|---|---|---|
| SessionId | UInt64 | |
| ProcessId | UInt32 | |
| TreeId | UInt32 | |
| MessageId | UInt64 | |
| MasterMessageId | UInt64 | |
| Command | UInt16 | |
| CreditsGranted | UInt16 | |
| Flags | UInt32 | |
| Status | UInt32 | NTSTATUS reference |
| Srv2Instance | UInt32 | |
| ProcessingHits | UInt32 | |
| ProcessingTime | UInt64 | |
| QueueHits | UInt32 | |
| QueueTime | UInt64 | |
| FileSystemFastHits | UInt32 | |
| FileSystemFastTime | UInt64 | |
| FileSystemSlowHits | UInt32 | |
| FileSystemSlowTime | UInt64 | |
| TransportFastHits | UInt32 | |
| TransportFastTime | UInt64 | |
| TransportSlowHits | UInt32 | |
| TransportSlowTime | UInt64 | |
| TransportDPHits | UInt32 | |
| TransportDPTime | UInt64 | |
| SecurityHits | UInt32 | |
| SecurityTime | UInt64 | |
| TotalTime | UInt64 | |
| LengthWritten | UInt32 | |
| Remaining | UInt32 | |
| WriteChannelInfoOffset | UInt16 | |
| WriteChannelInfoLength | UInt16 | |
| ConnectionGUID | GUID | |
| SessionGUID | GUID | |
| TreeConnectGUID | GUID | |
| FileGUID | GUID | |
| FileId | UInt64 | |
Event ID 113: SMB2 Response Break Oplock
Description
SMB2 Response Break Oplock.
Message
Fields
| Name | Type | Description |
|---|---|---|
| SessionId | UInt64 | |
| ProcessId | UInt32 | |
| TreeId | UInt32 | |
| MessageId | UInt64 | |
| MasterMessageId | UInt64 | |
| Command | UInt16 | |
| CreditsGranted | UInt16 | |
| Flags | UInt32 | |
| Status | UInt32 | NTSTATUS reference |
| Srv2Instance | UInt32 | |
| ProcessingHits | UInt32 | |
| ProcessingTime | UInt64 | |
| QueueHits | UInt32 | |
| QueueTime | UInt64 | |
| FileSystemFastHits | UInt32 | |
| FileSystemFastTime | UInt64 | |
| FileSystemSlowHits | UInt32 | |
| FileSystemSlowTime | UInt64 | |
| TransportFastHits | UInt32 | |
| TransportFastTime | UInt64 | |
| TransportSlowHits | UInt32 | |
| TransportSlowTime | UInt64 | |
| SecurityHits | UInt32 | |
| SecurityTime | UInt64 | |
| TotalTime | UInt64 | |
| OplockLevel | UInt8 | |
| FileId | UInt64 | |
| ConnectionGUID | GUID | |
| SessionGUID | GUID | |
| TreeConnectGUID | GUID | |
| FileGUID | GUID | |
Event ID 115: SMB2 Response Acknowledge Break Lease
Description
SMB2 Response Acknowledge Break Lease.
Message
Fields
| Name | Type | Description |
|---|---|---|
| SessionId | UInt64 | |
| ProcessId | UInt32 | |
| TreeId | UInt32 | |
| MessageId | UInt64 | |
| MasterMessageId | UInt64 | |
| Command | UInt16 | |
| CreditsGranted | UInt16 | |
| Flags | UInt32 | |
| Status | UInt32 | NTSTATUS reference |
| Srv2Instance | UInt32 | |
| ProcessingHits | UInt32 | |
| ProcessingTime | UInt64 | |
| QueueHits | UInt32 | |
| QueueTime | UInt64 | |
| FileSystemFastHits | UInt32 | |
| FileSystemFastTime | UInt64 | |
| FileSystemSlowHits | UInt32 | |
| FileSystemSlowTime | UInt64 | |
| TransportFastHits | UInt32 | |
| TransportFastTime | UInt64 | |
| TransportSlowHits | UInt32 | |
| TransportSlowTime | UInt64 | |
| SecurityHits | UInt32 | |
| SecurityTime | UInt64 | |
| TotalTime | UInt64 | |
| LeaseFlags | UInt32 | |
| LeaseState | UInt32 | |
| LeaseDuration | Int64 | |
| LeaseKey | GUID | |
| ConnectionGUID | GUID | |
| SessionGUID | GUID | |
| TreeConnectGUID | GUID | |
| FileGUID | GUID | |
Event ID 116: SMB2 Response Lock
Description
SMB2 Response Lock.
Message
Fields
| Name | Type | Description |
|---|---|---|
| SessionId | UInt64 | |
| ProcessId | UInt32 | |
| TreeId | UInt32 | |
| MessageId | UInt64 | |
| MasterMessageId | UInt64 | |
| Command | UInt16 | |
| CreditsGranted | UInt16 | |
| Flags | UInt32 | |
| Status | UInt32 | NTSTATUS reference |
| Srv2Instance | UInt32 | |
| ProcessingHits | UInt32 | |
| ProcessingTime | UInt64 | |
| QueueHits | UInt32 | |
| QueueTime | UInt64 | |
| FileSystemFastHits | UInt32 | |
| FileSystemFastTime | UInt64 | |
| FileSystemSlowHits | UInt32 | |
| FileSystemSlowTime | UInt64 | |
| TransportFastHits | UInt32 | |
| TransportFastTime | UInt64 | |
| TransportSlowHits | UInt32 | |
| TransportSlowTime | UInt64 | |
| SecurityHits | UInt32 | |
| SecurityTime | UInt64 | |
| TotalTime | UInt64 | |
| ConnectionGUID | GUID | |
| SessionGUID | GUID | |
| TreeConnectGUID | GUID | |
| FileGUID | GUID | |
Event ID 117: SMB2 Response Ioctl
Description
SMB2 Response Ioctl.
Message
Fields
| Name | Type | Description |
|---|---|---|
| SessionId | UInt64 | |
| ProcessId | UInt32 | |
| TreeId | UInt32 | |
| MessageId | UInt64 | |
| MasterMessageId | UInt64 | |
| Command | UInt16 | |
| CreditsGranted | UInt16 | |
| Flags | UInt32 | |
| Status | UInt32 | NTSTATUS reference |
| Srv2Instance | UInt32 | |
| ProcessingHits | UInt32 | |
| ProcessingTime | UInt64 | |
| QueueHits | UInt32 | |
| QueueTime | UInt64 | |
| FileSystemFastHits | UInt32 | |
| FileSystemFastTime | UInt64 | |
| FileSystemSlowHits | UInt32 | |
| FileSystemSlowTime | UInt64 | |
| TransportFastHits | UInt32 | |
| TransportFastTime | UInt64 | |
| TransportSlowHits | UInt32 | |
| TransportSlowTime | UInt64 | |
| SecurityHits | UInt32 | |
| SecurityTime | UInt64 | |
| TotalTime | UInt64 | |
| ControlCode | UInt32 | |
| IoctlFlags | UInt32 | |
| FileId | UInt64 | |
| ConnectionGUID | GUID | |
| SessionGUID | GUID | |
| TreeConnectGUID | GUID | |
| FileGUID | GUID | |
Event ID 118: SMB2 Response Query Directory
Description
SMB2 Response Query Directory.
Message
Fields
| Name | Type | Description |
|---|---|---|
| SessionId | UInt64 | |
| ProcessId | UInt32 | |
| TreeId | UInt32 | |
| MessageId | UInt64 | |
| MasterMessageId | UInt64 | |
| Command | UInt16 | |
| CreditsGranted | UInt16 | |
| Flags | UInt32 | |
| Status | UInt32 | NTSTATUS reference |
| Srv2Instance | UInt32 | |
| ProcessingHits | UInt32 | |
| ProcessingTime | UInt64 | |
| QueueHits | UInt32 | |
| QueueTime | UInt64 | |
| FileSystemFastHits | UInt32 | |
| FileSystemFastTime | UInt64 | |
| FileSystemSlowHits | UInt32 | |
| FileSystemSlowTime | UInt64 | |
| TransportFastHits | UInt32 | |
| TransportFastTime | UInt64 | |
| TransportSlowHits | UInt32 | |
| TransportSlowTime | UInt64 | |
| SecurityHits | UInt32 | |
| SecurityTime | UInt64 | |
| TotalTime | UInt64 | |
| ConnectionGUID | GUID | |
| SessionGUID | GUID | |
| TreeConnectGUID | GUID | |
| FileGUID | GUID | |
Event ID 119: SMB2 Response Change Notify
Description
SMB2 Response Change Notify.
Message
Fields
| Name | Type | Description |
|---|---|---|
| SessionId | UInt64 | |
| ProcessId | UInt32 | |
| TreeId | UInt32 | |
| MessageId | UInt64 | |
| MasterMessageId | UInt64 | |
| Command | UInt16 | |
| CreditsGranted | UInt16 | |
| Flags | UInt32 | |
| Status | UInt32 | NTSTATUS reference |
| Srv2Instance | UInt32 | |
| ProcessingHits | UInt32 | |
| ProcessingTime | UInt64 | |
| QueueHits | UInt32 | |
| QueueTime | UInt64 | |
| FileSystemFastHits | UInt32 | |
| FileSystemFastTime | UInt64 | |
| FileSystemSlowHits | UInt32 | |
| FileSystemSlowTime | UInt64 | |
| TransportFastHits | UInt32 | |
| TransportFastTime | UInt64 | |
| TransportSlowHits | UInt32 | |
| TransportSlowTime | UInt64 | |
| SecurityHits | UInt32 | |
| SecurityTime | UInt64 | |
| TotalTime | UInt64 | |
| ConnectionGUID | GUID | |
| SessionGUID | GUID | |
| TreeConnectGUID | GUID | |
| FileGUID | GUID | |
Event ID 120: SMB2 Response Query Info
Description
SMB2 Response Query Info.
Message
Fields
| Name | Type | Description |
|---|---|---|
| SessionId | UInt64 | |
| ProcessId | UInt32 | |
| TreeId | UInt32 | |
| MessageId | UInt64 | |
| MasterMessageId | UInt64 | |
| Command | UInt16 | |
| CreditsGranted | UInt16 | |
| Flags | UInt32 | |
| Status | UInt32 | NTSTATUS reference |
| Srv2Instance | UInt32 | |
| ProcessingHits | UInt32 | |
| ProcessingTime | UInt64 | |
| QueueHits | UInt32 | |
| QueueTime | UInt64 | |
| FileSystemFastHits | UInt32 | |
| FileSystemFastTime | UInt64 | |
| FileSystemSlowHits | UInt32 | |
| FileSystemSlowTime | UInt64 | |
| TransportFastHits | UInt32 | |
| TransportFastTime | UInt64 | |
| TransportSlowHits | UInt32 | |
| TransportSlowTime | UInt64 | |
| SecurityHits | UInt32 | |
| SecurityTime | UInt64 | |
| TotalTime | UInt64 | |
| OutputBufferLength | UInt32 | |
| OutputBuffer | Binary | |
| ConnectionGUID | GUID | |
| SessionGUID | GUID | |
| TreeConnectGUID | GUID | |
| FileGUID | GUID | |
Event ID 121: SMB2 Response Set Info
Description
SMB2 Response Set Info.
Message
Fields
| Name | Type | Description |
|---|---|---|
| SessionId | UInt64 | |
| ProcessId | UInt32 | |
| TreeId | UInt32 | |
| MessageId | UInt64 | |
| MasterMessageId | UInt64 | |
| Command | UInt16 | |
| CreditsGranted | UInt16 | |
| Flags | UInt32 | |
| Status | UInt32 | NTSTATUS reference |
| Srv2Instance | UInt32 | |
| ProcessingHits | UInt32 | |
| ProcessingTime | UInt64 | |
| QueueHits | UInt32 | |
| QueueTime | UInt64 | |
| FileSystemFastHits | UInt32 | |
| FileSystemFastTime | UInt64 | |
| FileSystemSlowHits | UInt32 | |
| FileSystemSlowTime | UInt64 | |
| TransportFastHits | UInt32 | |
| TransportFastTime | UInt64 | |
| TransportSlowHits | UInt32 | |
| TransportSlowTime | UInt64 | |
| SecurityHits | UInt32 | |
| SecurityTime | UInt64 | |
| TotalTime | UInt64 | |
| ConnectionGUID | GUID | |
| SessionGUID | GUID | |
| TreeConnectGUID | GUID | |
| FileGUID | GUID | |
Event ID 122: SMB2 Response Error
Description
SMB2 Response Error.
Message
Fields
| Name | Type | Description |
|---|---|---|
| SessionId | UInt64 | |
| ProcessId | UInt32 | |
| TreeId | UInt32 | |
| MessageId | UInt64 | |
| MasterMessageId | UInt64 | |
| Command | UInt16 | |
| CreditsGranted | UInt16 | |
| Flags | UInt32 | |
| Status | UInt32 | NTSTATUS reference |
| Srv2Instance | UInt32 | |
| ProcessingHits | UInt32 | |
| ProcessingTime | UInt64 | |
| QueueHits | UInt32 | |
| QueueTime | UInt64 | |
| FileSystemFastHits | UInt32 | |
| FileSystemFastTime | UInt64 | |
| FileSystemSlowHits | UInt32 | |
| FileSystemSlowTime | UInt64 | |
| TransportFastHits | UInt32 | |
| TransportFastTime | UInt64 | |
| TransportSlowHits | UInt32 | |
| TransportSlowTime | UInt64 | |
| SecurityHits | UInt32 | |
| SecurityTime | UInt64 | |
| TotalTime | UInt64 | |
| ConnectionGUID | GUID | |
| SessionGUID | GUID | |
| TreeConnectGUID | GUID | |
| FileGUID | GUID | |
Event ID 200: SMB2 Work Item Component Transition
Event ID 201: SMB2 Work Item allocated
Event ID 202: SMB2 Work Item released
Event ID 203: SMB2 Work Item activity id transfer
Description
SMB2 Work Item activity id transfer.
Message
Event ID 204: SMB2 Work Item external activity id stop
Description
SMB2 Work Item external activity id stop.
Message
Event ID 500: SMB2 Connection accepted
Event ID 501: SMB2 Connection Disconnected by Peer
Event ID 502: SMB2 Connection Terminated
Description
SMB2 Connection Terminated.
Message
Fields
| Name | Type | Description |
|---|---|---|
| ConnectionGUID | GUID | |
| Reason | UInt32 | |
| Status | HexInt32 | NTSTATUS reference |
| AddressLength | UInt32 | |
| Address | Binary | |
| TransportLength | UInt32 | |
| TransportName | UnicodeString | |
Event ID 550: SMB2 Session Allocated
Event ID 551: SMB Session Authentication Failure
Description
SMB Session Authentication Failure.
Message
Fields
| Name | Type | Description |
|---|---|---|
| SessionGUID | GUID | |
| ConnectionGUID | GUID | |
| Status | HexInt32 | NTSTATUS reference |
| TranslatedStatus | HexInt32 | |
| ClientAddressLength | UInt32 | |
| ClientAddress | Binary | |
| SessionId | HexInt64 | |
| UserNameLength | UInt16 | |
| UserName | UnicodeString | |
| ClientNameLength | UInt16 | |
| ClientName | UnicodeString | |
| SPN | UnicodeString | |
| SPNValidationPolicy | UInt32 | |
| ReasonCode | UInt32 | |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-SMBServer",
    "event_id": 551,
    "level": "Error",
    "task": null,
    "opcode": "Info",
    "time_created": "2026-04-18T01:38:02.9935045+00:00",
    "computer": "JD-DC01-2022.ludus.domain",
    "channel": "Microsoft-Windows-SMBServer/Security"
  },
  "event_data": {
    "SPNValidationPolicy": "0",
    "SessionGUID": "{d604743a-bfc1-0003-9b05-15d6c1bfdc01}",
    "ConnectionGUID": "{d604743a-bfc1-0009-d409-13d6c1bfdc01}",
    "UserName": "NT AUTHORITY\\ANONYMOUS LOGON",
    "UserNameLength": "28",
    "ClientNameLength": "12",
    "SPN": "session setup failed before the SPN could be queried",
    "SessionId": "0x4802a0000039",
    "Status": "0xc0000022",
    "ClientAddress": "0200D3CC0A020A150000000000000000",
    "TranslatedStatus": "0xc0000022",
    "ReasonCode": "11",
    "ClientAddressLength": "16",
    "ClientName": "\\\\10.2.10.21"
  }
}
```
Event ID 551: SMB Session Authentication Failure.
Description
SMB Session Authentication Failure.
Message
Fields
| Name | Description |
|---|---|
| SessionGUID | |
| ConnectionGUID | |
| Status | |
| TranslatedStatus | |
| ClientAddressLength | |
| ClientAddress | |
| SessionId | |
| UserNameLength | |
| UserName | |
| ClientNameLength | |
| ClientName | |
| SPN | |
| SPNValidationPolicy | |
| ReasonCode | |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-SMBServer",
    "guid": "D48CE617-33A2-4BC3-A5C7-11AA4F29619E",
    "event_source_name": "",
    "event_id": 551,
    "version": 3,
    "level": 2,
    "task": 551,
    "opcode": 0,
    "keywords": 580964351930793992,
    "time_created": "2022-04-07T17:25:55.271679+00:00",
    "event_record_id": 10,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 4460
    },
    "channel": "Microsoft-Windows-SMBServer/Security",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "user_data": {
    "EventData": {
      "SessionGUID": "E0AAB88C-4A9F-0000-B5F0-AAE09F4AD801",
      "ConnectionGUID": "E0AAB88C-4A9F-0000-A5F0-AAE09F4AD801",
      "Status": "0xc000006d",
      "TranslatedStatus": "0xc000006d",
      "ClientAddressLength": 16,
      "ClientAddress": "0200C33B0A0002860000000000000000",
      "SessionId": "0x100000000061",
      "UserNameLength": 0,
      "UserName": null,
      "ClientNameLength": 12,
      "ClientName": "\\\\10.0.2.134",
      "SPN": "session setup failed before the SPN could be queried",
      "SPNValidationPolicy": 0,
      "ReasonCode": 3
    }
  },
  "message": ""
}
```
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 552: SMB2 Session Authentication Success
Event ID 553: SMB2 Session Bound to Connection
Event ID 554: SMB2 Session Terminated
Event ID 555: SMB2 Session Closed.
Event ID 600: SMB2 TreeConnect Allocated
Event ID 601: SMB2 TreeConnect Disconnected
Event ID 602: SMB2 TreeConnect Terminated
Event ID 603: SMB2 TreeConnect Failed due to Cluster Endpoint Initializing
Description
SMB2 TreeConnect Failed due to Cluster Endpoint Initializing.
Message
Fields
| Name | Type | Description |
|---|---|---|
| SessionGUID | GUID | |
| ConnectionGUID | GUID | |
| ShareNameLength | UInt16 | |
| ShareName | UnicodeString | |
| ScopeNameLength | UInt16 | |
| ScopeName | UnicodeString | |
| Status | UInt32 | NTSTATUS reference |
Event ID 604: A client connection to a continuously available share has been marked so that the client will be forced to reconnect to the server node with best possible storage connectivity.
Description
A client connection to a continuously available share has been marked so that the client will be forced to reconnect to the server node with best possible storage connectivity.
Message
Fields
| Name | Type | Description |
|---|---|---|
| SessionGUID | GUID | |
| TreeConnectGUID | GUID | |
| ShareNameLength | UInt16 | |
| ShareName | UnicodeString | |
Event ID 605: A client request on a continuously available share has been failed so that the client will be forced to reconnect to the server node with best poss...
Event ID 650: SMB2 Open established
Description
SMB2 Open established.
Message
Fields
| Name | Type | Description |
|---|---|---|
| OpenGUID | GUID | |
| TreeConnectGUID | GUID | |
| SessionGUID | GUID | |
| ConnectionGUID | GUID | |
| ShareGUID | GUID | |
| NameLength | UInt16 | |
| Name | UnicodeString | |
| LeaseId | GUID | |
| DesiredAccess | UInt32 | Process access rights reference |
| SharingMode | UInt32 | |
| CreateOptions | UInt32 | |
| FileAttributes | UInt32 | |
| IsReplay | Boolean | |
| IsResume | Boolean | |
Event ID 651: SMB2 Open Disconnected - Preserved
Event ID 652: SMB2 Open Reconnected
Event ID 653: SMB2 Open Suspended - Preserved
Event ID 654: SMB2 Open Closed
Event ID 655: SMB2 Open Timed Out
Event ID 656: SMB2 Open Terminated
Event ID 657: SMB2 Open Clustered Client Failover Closed
Event ID 658: File handle for file "ShareName\FileName" was invalidated by user UserName from computer ComputerName.
Description
File handle for file "ShareName\FileName" was invalidated by user UserName from computer ComputerName.
Message
Fields
| Name | Type | Description |
|---|---|---|
| FileNameLength | UInt16 | |
| FileName | UnicodeString | |
| UserNameLength | UInt16 | |
| UserName | UnicodeString | |
| ComputerNameLength | UInt16 | |
| ComputerName | UnicodeString | |
| ShareNameLength | UInt16 | |
| ShareName | UnicodeString | |
Event ID 700: SMB2 Share Added
Event ID 701: SMB2 Share Modified
Event ID 702: SMB2 Share Deleted
Event ID 1000: S4U2Self authentication failure - The client could not be reauthenticated with S4U2Self to obtain claims.
Description
S4U2Self authentication failure - The client could not be reauthenticated with S4U2Self to obtain claims. This may be expected if the account is not a domain account.
Message
Fields
| Name | Type | Description |
|---|---|---|
| UserNameLength | UInt16 | |
| UserName | UnicodeString | |
| DomainNameLength | UInt16 | |
| DomainName | UnicodeString | |
| Status | UInt32 | NTSTATUS reference |
Event ID 1001: A client attempted to access the server using SMB1 and was rejected because SMB1 file sharing support is disabled or has been uninstalled.
#Description
SRV Disabled - The SMB1 negotiate request fails because SMB1 is disabled.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SMBServer",
"guid": "D48CE617-33A2-4BC3-A5C7-11AA4F29619E",
"event_source_name": "",
"event_id": 1001,
"version": 1,
"level": 4,
"task": 1001,
"opcode": 0,
"keywords": 2305843009213693960,
"time_created": "2026-03-13T18:46:45.797325+00:00",
"event_record_id": 30,
"correlation": {},
"execution": {
"process_id": 11352,
"thread_id": 7956
},
"channel": "Microsoft-Windows-SMBServer/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"user_data": {
"EventData": {}
},
"message": ""
}
Event ID 1002: RKF failure - SRV2 failed to get acknowledgement from Resume Key filter for persistent handle request.
#Event ID 1003: The server received an unencrypted message from client when encryption was required.
#Description
The server received an unencrypted message. Message was rejected.
Message #
Fields #
| Name | Description |
|---|---|
ShareNameLength UInt16 | |
ShareName UnicodeString | |
ClientNameLength UInt16 | |
ClientName UnicodeString | |
UserNameLength UInt16 | |
UserName UnicodeString | |
ClientAddressLength UInt32 | |
ClientAddress Binary | |
SessionID HexInt64 |
Event ID 1004: The server rejected an incorrectly signed message.
#Event ID 1005: The server failed to validate negotiation from client TranslatedStatus.
#Description
The server failed to validate negotiation from client TranslatedStatus. Connection was terminated.
Message #
Fields #
| Name | Description |
|---|---|
Status HexInt32 | NTSTATUS reference |
TranslatedStatus HexInt32 | |
ClientNameLength UInt16 | |
ClientName UnicodeString | |
UserNameLength UInt16 | |
UserName UnicodeString | |
ClientAddressLength UInt32 | |
ClientAddress Binary | |
SessionID HexInt64 |
Event ID 1006: The share denied access to the client.
#Description
The share denied access to the client.
Message #
Fields #
| Name | Description |
|---|---|
EventData.ShareNameLength UInt16 | |
EventData.ShareName UnicodeString | |
EventData.SharePathLength UInt16 | |
EventData.SharePath UnicodeString | |
EventData.ClientAddressLength UInt32 | |
EventData.ClientAddress Binary | |
EventData.UserNameLength UInt16 | |
EventData.UserName UnicodeString | |
EventData.ClientNameLength UInt16 | |
EventData.ClientName UnicodeString | |
EventData.MappedAccess HexInt32 | |
EventData.GrantedAccess HexInt32 | Process access rights reference |
EventData.ShareSecurityDescriptorLength UInt32 | |
EventData.ShareSecurityDescriptor Binary | |
EventData.Status HexInt32 | NTSTATUS reference |
EventData.TranslatedStatus HexInt32 | |
EventData.SessionID HexInt64 | |
ShareNameLength UInt16 | |
ShareName UnicodeString | |
SharePathLength UInt16 | |
SharePath UnicodeString | |
ClientAddressLength UInt32 | |
ClientAddress Binary | |
UserNameLength UInt16 | |
UserName UnicodeString | |
ClientNameLength UInt16 | |
ClientName UnicodeString | |
MappedAccess HexInt32 | |
GrantedAccess HexInt32 | Process access rights reference |
ShareSecurityDescriptorLength UInt32 | |
ShareSecurityDescriptor Binary | |
Status HexInt32 | NTSTATUS reference |
TranslatedStatus HexInt32 | |
SessionID HexInt64 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SMBServer",
"guid": "{D48CE617-33A2-4BC3-A5C7-11AA4F29619E}",
"event_source_name": "",
"event_id": 1006,
"version": 0,
"level": 2,
"task": 1006,
"opcode": 0,
"keywords": 580964351930793992,
"time_created": "2026-05-30T02:01:40.0630814+00:00",
"event_record_id": 62,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 2020
},
"channel": "Microsoft-Windows-SMBServer/Security",
"computer": "JD-DC01-2022.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"EventData": {
"ShareNameLength": "14",
"ShareName": "\\\\*\\EvtLabDeny",
"SharePathLength": "17",
"SharePath": "\\??\\C:\\EvtLabDeny",
"ClientAddressLength": "28",
"ClientAddress": "1700EDB0000000000000000000000000000000000000000100000000",
"UserNameLength": "17",
"UserName": "ludus\\domainadmin",
"ClientNameLength": "7",
"ClientName": "\\\\[::1]",
"MappedAccess": "0x80",
"GrantedAccess": "0x0",
"ShareSecurityDescriptorLength": "96",
"ShareSecurityDescriptor": "0100048048000000540000000000000014000000020034000200000001001400FF011F0001010000000000010000000000001800FF011F0001020000000000052000000020020000010100000000000512000000010100000000000512000000",
"Status": "0xc0000022",
"TranslatedStatus": "0xc0000022",
"SessionID": "0x50032c000029"
}
},
"message": "The share denied access to the client.\r\n\r\nClient Name: \\\\[::1]\r\nClient Address: [::1]:60848\r\nUser Name: ludus\\domainadmin\r\nSession ID: 0x50032C000029\r\nShare Name: \\\\*\\EvtLabDeny\r\nShare Path: \\??\\C:\\EvtLabDeny\r\nStatus: {Access Denied}\r\nA process has requested access to an object, but has not been granted those access rights. (0xC0000022)\r\nMapped Access: 0x80\r\nGranted Access: 0x0\r\nSecurity Descriptor: 0x0100048048000000540000000000000014000000020034000200000001001400FF011F0001010000000000010000000000001800FF011F0001020000000000052000000020020000010100000000000512000000010100000000000512000000\r\n\r\nGuidance:\r\n\r\nYou should expect access denied errors when a principal accesses a share without the necessary permissions. Usually, this indicates that the principal does not have direct security permissions or lacks membership in a group that has direct access permissions. To determine and correct the permissions on the specified share, an administrator can use the Security tab in File Explorer Properties dialog, the SMBSHARE Windows PowerShell module, or the NET SHARE command. You can also use the Effective Access tab in File Explorer to help diagnose the issue.\r\n\r\nApplications may generate access denied errors if they attempt to open files in a writable mode first, and then reopen the files in a read-only mode. In this case, no user action is required.\r\n\r\nIf access to the share is denied and this event is not logged, you can examine the file and folder NTFS/REFS permissions.\r\n\r\nThis error does not indicate a problem with authentication, only authorization."
}
Event ID 1007: The share denied anonymous access to the client.
#Event ID 1009: The server denied anonymous access to the client.
#Description
The server denied anonymous access to the client.
Message #
Fields #
| Name | Description |
|---|---|
ClientAddressLength UInt32 | |
ClientAddress Binary | |
ClientNameLength UInt16 | |
ClientName UnicodeString | |
SessionId HexInt64 | |
SessionGUID GUID | |
ConnectionGUID GUID |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SMBServer",
"event_id": 1009,
"level": "Error",
"task": null,
"opcode": "Info",
"time_created": "2026-04-18T01:38:02.9935019+00:00",
"computer": "JD-DC01-2022.ludus.domain",
"channel": "Microsoft-Windows-SMBServer/Security"
},
"event_data": {
"SessionID": "0x4802a0000039",
"ClientName": "\\\\10.2.10.21",
"ClientAddressLength": "16",
"ClientNameLength": "12",
"ClientAddress": "0200D3CC0A020A150000000000000000",
"ConnectionGUID": "{d604743a-bfc1-0009-d409-13d6c1bfdc01}",
"SessionGUID": "{d604743a-bfc1-0003-9b05-15d6c1bfdc01}"
}
}
Event ID 1010: Endpoint added.
#Description
Endpoint added.
Message #
Fields #
| Name | Description |
|---|---|
EventData.NameLength | |
EventData.Name | |
EventData.DomainNameLength | |
EventData.DomainName | |
EventData.TransportNameLength | |
EventData.TransportName | |
EventData.TransportFlags | |
NameLength | |
Name | |
DomainNameLength | |
DomainName | |
TransportNameLength | |
TransportName | |
TransportFlags |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SMBServer",
"guid": "{D48CE617-33A2-4BC3-A5C7-11AA4F29619E}",
"event_source_name": "",
"event_id": 1010,
"version": 0,
"level": 4,
"task": 1010,
"opcode": 0,
"keywords": 2305843009213693960,
"time_created": "2026-05-29T16:33:06.3560975+00:00",
"event_record_id": 43,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 488
},
"channel": "Microsoft-Windows-SMBServer/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"EventData": {
"NameLength": "16",
"Name": "TELEMETRY-DC-A ",
"DomainNameLength": "6",
"DomainName": "cell-a",
"TransportNameLength": "58",
"TransportName": "\\Device\\NetBT_Tcpip_{2A7BD48E-DDC6-4641-9F41-682F29F1D76C}",
"TransportFlags": "0x1"
}
},
"message": "Endpoint added.\r\n\r\nName: TELEMETRY-DC-A \r\nDomain Name: cell-a\r\nTransport Name: \\Device\\NetBT_Tcpip_{2A7BD48E-DDC6-4641-9F41-682F29F1D76C}\r\nTransport Flags: 0x1\r\n\r\nGuidance:\r\n\r\nYou should expect this event when the server starts listening on an interface, such as during system restart or when enabling a network adaptor. No user action is required."
}
Event ID 1011: Endpoint removed.
#Description
Endpoint removed.
Message #
Fields #
| Name | Description |
|---|---|
NameLength | |
Name | |
DomainNameLength | |
DomainName | |
TransportNameLength | |
TransportName |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SMBServer",
"guid": "D48CE617-33A2-4BC3-A5C7-11AA4F29619E",
"event_source_name": "",
"event_id": 1011,
"version": 0,
"level": 4,
"task": 1011,
"opcode": 0,
"keywords": 2305843009213693960,
"time_created": "2022-04-04T12:00:04.359257+00:00",
"event_record_id": 18,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 196
},
"channel": "Microsoft-Windows-SMBServer/Operational",
"computer": "WIN-TKC15D7KHUR",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"EventData": {
"NameLength": 0,
"Name": null,
"DomainNameLength": 0,
"DomainName": null,
"TransportNameLength": 58,
"TransportName": "\\Device\\NetBT_Tcpip_{64AAD862-869C-436D-A905-CCB55AA6A79F}"
}
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 1012: The network name information changed.
#Description
The network name information changed.
Message #
Fields #
| Name | Description |
|---|---|
ChangeType UInt32 | |
NetNameLength UInt16 | |
NetName UnicodeString | |
Flags HexInt32 | |
InterfaceIndex UInt32 | |
Capability HexInt32 | |
LinkSpeed UInt64 | |
ClientAddressLength UInt16 | |
ClientAddress Binary |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SMBServer",
"guid": "D48CE617-33A2-4BC3-A5C7-11AA4F29619E",
"event_source_name": "",
"event_id": 1012,
"version": 0,
"level": 4,
"task": 1012,
"opcode": 0,
"keywords": 2305843009213693960,
"time_created": "2026-03-13T17:13:21.447992+00:00",
"event_record_id": 89,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 5676
},
"channel": "Microsoft-Windows-SMBServer/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"EventData": {
"ChangeType": 0,
"NetNameLength": 1,
"NetName": "*",
"Flags": "0x1",
"InterfaceIndex": 5,
"Capability": "0x1",
"LinkSpeed": 10000000000,
"ClientAddressLength": 128,
"ClientAddress": "020000000A020A15000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
}
},
"message": ""
}
Event ID 1013: Endpoint coming online.
#Event ID 1014: Endpoint going offline.
#Event ID 1015: Decrypt call failed.
#Description
Decrypt call failed.
Message #
Fields #
| Name | Description |
|---|---|
ClientNameLength UInt16 | |
ClientName AnsiString | |
ClientAddressLength UInt16 | |
ClientAddress Binary | |
Status HexInt32 | NTSTATUS reference |
TranslatedStatus HexInt32 | |
SessionID HexInt64 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SMBServer",
"event_id": 1015,
"level": 2,
"task": 1015,
"opcode": 0,
"time_created": "2026-04-18T03:08:10.8803405+00:00",
"computer": "DESKTOP-FF3N5XK.ludus.domain",
"channel": "Microsoft-Windows-SMBServer"
},
"event_data": {
"ClientAddress": "0200F00F0A020A0B00000000000000000000FFFF0A020A0B0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
"ClientName": "\\",
"ClientAddressLength": "128",
"ClientNameLength": "24",
"TranslatedStatus": "0xc0000203",
"Status": "0xc0000203",
"SessionID": "0x0"
}
}
Event ID 1016: Reopen failed.
#Description
Reopen failed.
Message #
Fields #
| Name | Description |
|---|---|
Status HexInt32 | NTSTATUS reference |
TranslatedStatus HexInt32 | |
RKFStatus HexInt32 | |
TranslatedRKFStatus HexInt32 | |
ConnectionGUID GUID | |
ClientNameLength UInt16 | |
ClientName UnicodeString | |
ClientAddressLength UInt16 | |
ClientAddress Binary | |
ShareNameLength UInt16 | |
ShareName UnicodeString | |
UserNameLength UInt16 | |
UserName UnicodeString | |
SessionId HexInt64 | |
FileNameLength UInt16 | |
FileName UnicodeString | |
DurableHandle Boolean | |
ResilientHandle Boolean | |
PersistentHandle Boolean | |
ResumeKey GUID | |
Reason UInt32 |
Event ID 1017: Handle scavenged.
#Event ID 1018: Backchannel invalidation of session completed.
#Description
Backchannel invalidation of session completed.
Message #
Fields #
| Name | Description |
|---|---|
SessionId HexInt64 | |
Status HexInt32 | NTSTATUS reference |
TranslatedStatus HexInt32 | |
TaskStatus HexInt32 | |
TranslatedTaskStatus HexInt32 |
Event ID 1019: Backchannel invalidation of file completed.
#Description
Backchannel invalidation of file completed.
Message #
Fields #
| Name | Description |
|---|---|
ResumeKey GUID | |
Status HexInt32 | NTSTATUS reference |
TranslatedStatus HexInt32 | |
TaskStatus HexInt32 | |
TranslatedTaskStatus HexInt32 |
Event ID 1020: File system operation has taken longer than expected.
#Description
File system operation has taken longer than expected.
Message #
Fields #
| Name | Description |
|---|---|
Command UInt32 | |
SessionGuid GUID | |
SessionId HexInt64 | |
ConnectionGuid GUID | |
UserNameLength UInt16 | |
UserName UnicodeString | |
ClientNameLength UInt16 | |
ClientName UnicodeString | |
ClientAddressLength UInt16 | |
ClientAddress Binary | |
ShareNameLength UInt16 | |
ShareName UnicodeString | |
FileNameLength UInt16 | |
FileName UnicodeString | |
DurationInMilliseconds UInt64 | |
ThresholdInMilliseconds UInt64 | |
CtlCode UInt32 | |
SubCode UInt32 | |
TunneledControl UInt32 |
Event ID 1021: LmCompatibilityLevel value is different from the default.
#Description
LmCompatibilityLevel value is different from the default.
Message #
Fields #
| Name | Description |
|---|---|
ConfiguredLmCompatibilityLevel UInt32 | |
DefaultLmCompatibilityLevel UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SMBServer",
"guid": "D48CE617-33A2-4BC3-A5C7-11AA4F29619E",
"event_source_name": "",
"event_id": 1021,
"version": 0,
"level": 4,
"task": 1021,
"opcode": 0,
"keywords": 576460752303423496,
"time_created": "2026-03-14T00:02:46.284357+00:00",
"event_record_id": 6,
"correlation": {},
"execution": {
"process_id": 3608,
"thread_id": 3620
},
"channel": "Microsoft-Windows-SMBServer/Security",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"EventData": {
"ConfiguredLmCompatibilityLevel": 5,
"DefaultLmCompatibilityLevel": 3
}
},
"message": ""
}
Event ID 1022: File and printer sharing firewall rule enabled.
#Description
File and printer sharing firewall rule enabled.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SMBServer",
"guid": "D48CE617-33A2-4BC3-A5C7-11AA4F29619E",
"event_source_name": "",
"event_id": 1022,
"version": 0,
"level": 4,
"task": 1022,
"opcode": 0,
"keywords": 288230376151711752,
"time_created": "2026-03-14T00:03:01.608520+00:00",
"event_record_id": 1,
"correlation": {},
"execution": {
"process_id": 3608,
"thread_id": 3640
},
"channel": "Microsoft-Windows-SMBServer/Connectivity",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"EventData": {}
},
"message": ""
}
Event ID 1023: One or more shares present on this server have access based enumeration enabled.
#Description
One or more shares present on this server have access based enumeration enabled.
Message #
Event ID 1024: SMB2 and SMB3 have been disabled on this server.
#Description
SMB2 and SMB3 have been disabled on this server. This results in reduced functionality and performance.
Message #
Event ID 1025: One or more named pipes or shares have been marked for access by anonymous users.
#Description
One or more named pipes or shares have been marked for access by anonymous users. This increases the security risk of the computer by allowing unauthenticated users to connect to this server.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SMBServer",
"guid": "D48CE617-33A2-4BC3-A5C7-11AA4F29619E",
"event_source_name": "",
"event_id": 1025,
"version": 0,
"level": 3,
"task": 1025,
"opcode": 0,
"keywords": 2305843009213693960,
"time_created": "2023-11-06T06:25:44.207725+00:00",
"event_record_id": 96,
"correlation": {},
"execution": {
"process_id": 3912,
"thread_id": 3512
},
"channel": "Microsoft-Windows-SMBServer/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"EventData": {}
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 1026: File leasing has been disabled for the SMB2 and SMB3 protocols.
#Description
File leasing has been disabled for the SMB2 and SMB3 protocols. This reduces functionality and can decrease performance.
Message #
Event ID 1027: The file and printer sharing firewall ports are currently closed.
#Description
The file and printer sharing firewall ports are currently closed. This is the default configuration for a system that is not sharing content or is on a Public network.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SMBServer",
"guid": "D48CE617-33A2-4BC3-A5C7-11AA4F29619E",
"event_source_name": "",
"event_id": 1027,
"version": 0,
"level": 4,
"task": 1027,
"opcode": 0,
"keywords": 2305843009213693960,
"time_created": "2023-11-05T22:32:38.630794+00:00",
"event_record_id": 124,
"correlation": {},
"execution": {
"process_id": 3368,
"thread_id": 3592
},
"channel": "Microsoft-Windows-SMBServer/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"EventData": {}
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 1028: The maximum cluster-supported SMB dialect has changed.
#Event ID 1029: The Cipher Suite Order group policy setting is invalid.
#Event ID 1030: An MDL read or write completion request failed.
#Description
An MDL read or write completion request failed.
Message #
Fields #
| Name | Description |
|---|---|
ServerNameLength UInt16 | |
ServerName UnicodeString | |
ShareNameLength UInt16 | |
ShareName UnicodeString | |
FileNameLength UInt16 | |
FileName UnicodeString | |
IsRead Boolean | |
Status HexInt32 | NTSTATUS reference |
Event ID 1031: The server detected a problem and has captured a live kernel dump to collect debug information.
#Event ID 1032: The server detected a problem but was unable to capture a live kernel dump to collect debug information.
#Event ID 1033: Sent RDMA .
#Description
Sent RDMA event to LanmanServer for interface .
Message #
Fields #
| Name | Description |
|---|---|
NotificationType UInt32 | |
InterfaceNameLength UInt16 | |
InterfaceName UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SMBServer",
"event_id": 1033,
"level": 4,
"task": 3012,
"opcode": 0,
"time_created": "2026-04-17T21:57:31.5541370+00:00",
"computer": "WIN11-25H2-X64",
"channel": "Microsoft-Windows-SMBServer"
},
"event_data": {}
}
Event ID 1033: Sent RDMA EventData.NotificationType event to LanmanServer for interface EventData.InterfaceName.
#Description
Sent RDMA EventData.NotificationType event to LanmanServer for interface EventData.InterfaceName.
Message #
Fields #
| Name | Description |
|---|---|
NotificationType | |
InterfaceNameLength | |
InterfaceName |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SMBServer",
"guid": "D48CE617-33A2-4BC3-A5C7-11AA4F29619E",
"event_source_name": "",
"event_id": 1033,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 2305843009213694464,
"time_created": "2023-10-26T04:17:52.198363+00:00",
"event_record_id": 18,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 436
},
"channel": "Microsoft-Windows-SMBServer/Operational",
"computer": "WIN-OQ6R0RVA4NF",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"EventData": {
"NotificationType": 0,
"InterfaceNameLength": 34,
"InterfaceName": "\\Device\\RdmaSmbIpv4_169.254.253.61"
}
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 1034: Send RDMA Endpoint notification failure - .
#Description
Send RDMA Endpoint notification failure -.
Message #
Fields #
| Name | Description |
|---|---|
FailureType UInt32 | |
InterfaceIndex UInt32 | |
Error HexInt32 | |
DeviceNameLength UInt16 | |
DeviceName UnicodeString | |
ExtraInformation UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SMBServer",
"event_id": 1034,
"level": 4,
"task": 3013,
"opcode": 0,
"time_created": "2026-04-17T21:57:31.5668163+00:00",
"computer": "WIN11-25H2-X64",
"channel": "Microsoft-Windows-SMBServer"
},
"event_data": {}
}
Event ID 1034: Send RDMA Endpoint notification failure - EventData.FailureType.
#Description
Send RDMA Endpoint notification failure - EventData.FailureType.
Message #
Fields #
| Name | Description |
|---|---|
FailureType | |
InterfaceIndex | |
Error | |
DeviceNameLength | |
DeviceName | |
ExtraInformation |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SMBServer",
"guid": "D48CE617-33A2-4BC3-A5C7-11AA4F29619E",
"event_source_name": "",
"event_id": 1034,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 2305843009213694464,
"time_created": "2023-10-26T04:17:52.198365+00:00",
"event_record_id": 19,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 436
},
"channel": "Microsoft-Windows-SMBServer/Operational",
"computer": "WIN-OQ6R0RVA4NF",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"EventData": {
"FailureType": 6,
"InterfaceIndex": 0,
"Error": "0xc0000034",
"DeviceNameLength": 34,
"DeviceName": "\\Device\\RdmaSmbIpv4_169.254.253.61",
"ExtraInformation": 0
}
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 1035: RDMA Endpoint .
#Event ID 1035: RDMA Endpoint TransportName for interface InterfaceIndex was EndpointState.
#Event ID 1036: RDMA Endpoint allocation failure - Endpoint allocation failed for interface .
#Event ID 1036: RDMA Endpoint allocation failure - Endpoint allocation failed for interface InterfaceIndex.
#Event ID 1037: RDMA listener creation failure - .
#Event ID 1037: RDMA listener creation failure - FailureType.
#Event ID 1038: RDMA Send endpoint notification RPC failure for device .
#Event ID 1038: RDMA Send endpoint notification RPC failure for device EventData.DeviceName - EventData.FailureType.
#Description
RDMA Send endpoint notification RPC failure for device EventData.DeviceName - EventData.FailureType.
Message #
Fields #
| Name | Description |
|---|---|
FailureType | |
DeviceNameLength | |
DeviceName | |
Error |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SMBServer",
"guid": "D48CE617-33A2-4BC3-A5C7-11AA4F29619E",
"event_source_name": "",
"event_id": 1038,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 2305843009213694464,
"time_created": "2023-11-06T06:25:49.867686+00:00",
"event_record_id": 98,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 428
},
"channel": "Microsoft-Windows-SMBServer/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"EventData": {
"FailureType": 3,
"DeviceNameLength": 58,
"DeviceName": "\\Device\\NetBT_Tcpip_{8E4162AD-6500-4899-BA95-24051405E207}",
"Error": "0x102"
}
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 1039: Received Nsi notification type .
#Event ID 1039: Received Nsi notification type NotificationType for interface InterfaceIndex with NdkOperationalState NdkOperationalState.
#Event ID 1040: Received Mib notification type .
#Description
Received Mib notification type for interface.
Message #
Fields #
| Name | Description |
|---|---|
NotificationType UInt32 | |
InterfaceIndex UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SMBServer",
"event_id": 1040,
"level": 4,
"task": 3019,
"opcode": 0,
"time_created": "2026-04-18T03:03:33.7279216+00:00",
"computer": "DESKTOP-FF3N5XK.ludus.domain",
"channel": "Microsoft-Windows-SMBServer"
},
"event_data": {}
}
Event ID 1040: Received Mib notification type EventData.NotificationType for interface EventData.InterfaceIndex.
#Description
Received Mib notification type EventData.NotificationType for interface EventData.InterfaceIndex.
Message #
Fields #
| Name | Description |
|---|---|
NotificationType | |
InterfaceIndex |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SMBServer",
"guid": "D48CE617-33A2-4BC3-A5C7-11AA4F29619E",
"event_source_name": "",
"event_id": 1040,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 2305843009213694464,
"time_created": "2023-11-05T22:32:37.991590+00:00",
"event_record_id": 123,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 136
},
"channel": "Microsoft-Windows-SMBServer/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"EventData": {
"NotificationType": 3,
"InterfaceIndex": 0
}
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 1041: Error reading FSCTL properties information from the registry.
#Event ID 1042: The certificate for the server is about to expire.
#Event ID 1043: RDMA connection disconnected.
#Event ID 1044: Quic connection shutdown.
#Event ID 1045: The server failed to update server certificate mapping.
#Description
The server failed to update server certificate mapping.
Message #
Fields #
| Name | Description |
|---|---|
ServerNameLength UInt16 | |
ServerName UnicodeString | |
SubjectLength UInt16 | |
Subject UnicodeString | |
ThumbPrintLength UInt16 | |
ThumbPrint UnicodeString | |
Status HexInt32 | NTSTATUS reference |
RemovedLength UInt16 | |
Removed UnicodeString |
Event ID 1046: The server received a request and the server requires encryption, but the server and client did not negotiate an encryption cipher, nor does server...
#Description
The server received a request and the server requires encryption, but the server and client did not negotiate an encryption cipher, nor does server allow unencrypted access.
Message #
Fields #
| Name | Description |
|---|---|
ShareNameLength UInt16 | |
ShareName UnicodeString | |
ClientNameLength UInt16 | |
ClientName UnicodeString | |
UserNameLength UInt16 | |
UserName UnicodeString | |
ClientAddressLength UInt32 | |
ClientAddress Binary | |
SessionID HexInt64 | |
Smb2Command UInt16 |
Event ID 1047: The server received a Smb2Command request but is taking an abnormal amount of time to process it.
#Event ID 1048: The server processed a Smb2Command request.
#Event ID 1049: The certificate for the server has expired.
#Event ID 1050: Found InterfaceID endpoint(s) related to interface ID NumberOfEndpointsFound, closed NumberOfEndpointsClosed of which.
#Event ID 1051: The SMB negotiate request processing failed on the server to select the encryption cipher for the client and server.
#Description
The SMB negotiate request processing failed on the server to select the encryption cipher for the client and server. Please ensure there is a common cipher between the client and server.
Message #
Fields #
| Name | Description |
|---|---|
ClientCipherSuiteOrderLength UInt32 | |
ClientCipherSuiteOrder UnicodeString | |
ServerCipherSuiteOrderLength UInt32 | |
ServerCipherSuiteOrder UnicodeString | |
ClientCipherCount UInt16 | |
LoggedClientCipherCount UInt16 | |
ClientCipherOrder UInt16 |
Event ID 1052: Failed to restore a server certificate mapping from persistent storage.
#Description
Failed to restore a server certificate mapping from persistent storage.
Message #
Fields #
| Name | Description |
|---|---|
SubjectLength UInt16 | |
Subject UnicodeString | |
ThumbprintLength UInt16 | |
Thumbprint UnicodeString | |
Status HexInt32 | NTSTATUS reference |
Event ID 1053: Restored CountOfCertsRestored of CountOfCertsTotal server certificate mappings from persistent storage.
#Description
Restored CountOfCertsRestored of CountOfCertsTotal server certificate mappings from persistent storage. Last error code: Status.
Message #
Fields #
| Name | Description |
|---|---|
CountOfCertsTotal UInt16 | |
CountOfCertsRestored UInt16 | |
Status HexInt32 | NTSTATUS reference |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SMBServer",
"event_id": 1053,
"level": 4,
"task": 3032,
"opcode": 0,
"time_created": "2026-04-18T03:03:33.7687422+00:00",
"computer": "DESKTOP-FF3N5XK.ludus.domain",
"channel": "Microsoft-Windows-SMBServer"
},
"event_data": {}
}
Event ID 1054: Network operation has taken longer than expected.
Description
Network operation has taken longer than expected.
Fields
| Name | Type | Description |
|---|---|---|
| Command | UInt32 | |
| SessionGuid | GUID | |
| SessionId | HexInt64 | |
| ConnectionGuid | GUID | |
| UserNameLength | UInt16 | |
| UserName | UnicodeString | |
| ClientNameLength | UInt16 | |
| ClientName | UnicodeString | |
| ClientAddressLength | UInt16 | |
| ClientAddress | Binary | |
| ShareNameLength | UInt16 | |
| ShareName | UnicodeString | |
| FileNameLength | UInt16 | |
| FileName | UnicodeString | |
| DurationInMilliseconds | UInt64 | |
| ThresholdInMilliseconds | UInt64 | |
| CtlCode | UInt32 | |
| SubCode | UInt32 | |
| TunneledControl | UInt32 | |
Event ID 1055: RDMA rundown is active.
Event ID 1056: RDMA rundown is complete.
Event ID 1057: Reactivation of RDMA support has commenced.
Description
Reactivation of RDMA support has commenced.
Event ID 1058: RDMA is no longer disabled.
Event ID 1059: SMBDirect load attempt complete.
Event ID 1060: SMB DDP security changed from OldValue to NewValue.
Event ID 1061: SMB2 Request Negotiate Dialect Failure.
Description
SMB2 Request Negotiate Dialect Failure.
Fields
| Name | Type | Description |
|---|---|---|
| SessionId | UInt64 | |
| ProcessId | UInt32 | |
| TreeId | UInt32 | |
| MessageId | UInt64 | |
| MasterMessageId | UInt64 | |
| Command | UInt16 | |
| CreditsRequested | UInt16 | |
| Flags | UInt32 | |
| SecurityMode | UInt16 | |
| Capabilities | UInt32 | |
| DialectCount | UInt16 | |
| Dialects | UInt16 | |
| ClientGuid | GUID | |
| ConnectionGUID | GUID | |
| MinSmb2Dialect | HexInt32 | |
| MaxSmb2Dialect | HexInt32 | |
| ClientAddressLength | UInt32 | |
| ClientAddress | Binary | |
| ClientNameLength | UInt16 | |
| ClientName | UnicodeString | |
Event ID 1062: SMB Dialect Change.
Event ID 1080: Component capabilities: SrvNetComponentCapabilities.
Description
Component capabilities: SrvNetComponentCapabilities.
Fields
| Name | Type | Description |
|---|---|---|
| SrvNetComponentCapabilities | HexInt32 | |
| PatchNumber | HexInt32 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-SMBServer",
"event_id": 1080,
"level": 4,
"task": 3069,
"opcode": 0,
"time_created": "2026-04-18T03:03:30.1025119+00:00",
"computer": "DESKTOP-FF3N5XK.ludus.domain",
"channel": "Microsoft-Windows-SMBServer"
},
"event_data": {}
}
Event ID 1800: CA failure - Failed to set continuously available property on a new or existing file share as the file share is not a cluster share.
Event ID 1801: CA failure - Failed to set continuously available property on a new or existing file share as Resume Key filter is not started or has failed to att...
Description
CA failure - Failed to set continuously available property on a new or existing file share as Resume Key filter is not started or has failed to attach to the underlying volume.
Fields
| Name | Type | Description |
|---|---|---|
| ServerNameLength | UInt16 | |
| ServerName | UnicodeString | |
| ShareNameLength | UInt16 | |
| ShareName | UnicodeString | |
| Status | UInt32 | NTSTATUS reference |
Event ID 1802: The server failed to reserve the next ID region in the cluster registry.
Description
The server failed to reserve the next ID region in the cluster registry.
Fields
| Name | Type | Description |
|---|---|---|
| Status | UInt32 | NTSTATUS reference |
Event ID 1803: The security descriptor differs from the default value.
Event ID 1804: No SMB1 usage detected in the last 20 minutes.
Event ID 1900: TDI mode enabled: .
Description
TDI mode enabled.
Fields
| Name | Type | Description |
|---|---|---|
| IsTdiEnabled | Boolean | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-SMBServer",
"event_id": 1900,
"level": 4,
"task": 3042,
"opcode": 0,
"time_created": "2026-04-18T03:03:30.1015487+00:00",
"computer": "DESKTOP-FF3N5XK.ludus.domain",
"channel": "Microsoft-Windows-SMBServer"
},
"event_data": {
"IsTdiEnabled": "true"
}
}
Event ID 1900: TDI mode enabled: IsTdiEnabled.
Description
TDI mode enabled: IsTdiEnabled.
Fields
| Name | Type | Description |
|---|---|---|
| IsTdiEnabled | Boolean | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-SMBServer",
"guid": "D48CE617-33A2-4BC3-A5C7-11AA4F29619E",
"event_source_name": "",
"event_id": 1900,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 2305843009213694464,
"time_created": "2023-11-06T06:25:43.357313+00:00",
"event_record_id": 95,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 224
},
"channel": "Microsoft-Windows-SMBServer/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"IsTdiEnabled": true
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 1901: Failed to allocate an NSI table for network interface enumeration: .
Description
Failed to allocate an NSI table for network interface enumeration.
Fields
| Name | Type | Description |
|---|---|---|
| Status | HexInt32 | NTSTATUS reference |
Event ID 1901: Failed to allocate an NSI table for network interface enumeration: Status.
Description
Failed to allocate an NSI table for network interface enumeration: Status.
Fields
| Name | Type | Description |
|---|---|---|
| Status | HexInt32 | NTSTATUS reference |
Event ID 1902: Received notification of a newly-started network interface with Luid .
Event ID 1902: Received notification of a newly-started network interface with Luid NetLuid on address family AddressFamily (IPv4 == 2, IPv6 == 23).
Event ID 1903: Received notification of a stopped network interface with Luid .
Event ID 1903: Received notification of a stopped network interface with Luid NetLuid on address family AddressFamily (IPv4 == 2, IPv6 == 23).
Event ID 1904: Failed to open network interface with Luid .
Description
Failed to open network interface with Luid : error.
Fields
| Name | Type | Description |
|---|---|---|
| NetLuid | HexInt64 | |
| Status | HexInt32 | NTSTATUS reference |
Event ID 1904: Failed to open network interface with Luid NetLuid: error Status.
Description
Failed to open network interface with Luid NetLuid: error Status.
Fields
| Name | Type | Description |
|---|---|---|
| NetLuid | HexInt64 | |
| Status | HexInt32 | NTSTATUS reference |
Event ID 1905: The server closed the session as part of periodic system cleanup.
Description
The server closed the session as part of periodic system cleanup.
Fields
| Name | Type | Description |
|---|---|---|
| SessionId | HexInt64 | |
| InstanceId | UInt32 | |
| Reason | UnicodeString | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-SMBServer",
"event_id": 1905,
"level": "Information",
"task": null,
"opcode": "Info",
"time_created": "2026-04-25T05:36:17.4681377+00:00",
"computer": "JD-DC01-2022.ludus.domain",
"channel": "Microsoft-Windows-SMBServer/Operational"
},
"event_data": {
"Reason": "Idle session, no open files",
"InstanceId": "0",
"SessionId": "0x5000fc000021"
}
}
Event ID 1906: Session key for connection is weaker than required.
Event ID 1907: Server received STATUS_STOPPED_ON_SYMLINK but the reparse buffer is NULL.
Description
Server received STATUS_STOPPED_ON_SYMLINK but the reparse buffer is NULL.
Event ID 1908: Custom FSCTL allow list was not successfully loaded after several retries.
Description
Custom FSCTL allow list was not successfully loaded after several retries.
Event ID 1909: Send QUIC Endpoint notification failure - .
Event ID 1909: Send QUIC Endpoint notification failure - FailureType.
Event ID 1910: RDMA listen socket disable override is CurrentDisableOverrideState.
Description
RDMA listen socket disable override is CurrentDisableOverrideState. New value is NewState. SrvNetIsRDMASupportEnabled is SrvNetEnableRdmaSupport. Action taken SrvNetEvaluateRdmaEnabledPolicy.
Fields
| Name | Type | Description |
|---|---|---|
| CurrentDisableOverrideState | Boolean | |
| NewState | Boolean | |
| SrvNetEnableRdmaSupport | Boolean | |
| SrvNetEvaluateRdmaEnabledPolicy | Boolean | |
| SrvNetIsSMBDirectSupported | Boolean | |
| ActionTaken | Boolean | |
Event ID 1911: Server Certificate failure - FailureType.
Event ID 1912: Warning to set the QoS policy on file FileNameLength.
Description
Warning to set the QoS policy on file FileNameLength.
Fields
| Name | Type | Description |
|---|---|---|
| Status | UInt32 | NTSTATUS reference |
| ServerNameLength | UInt16 | |
| ServerName | UnicodeString | |
| ShareNameLength | UInt16 | |
| ShareName | UnicodeString | |
| FileNameLength | UInt16 | |
| FileName | UnicodeString | |
Event ID 1913: The SMB connection was successfully established.
Description
The SMB connection was successfully established.
Fields
| Name | Type | Description |
|---|---|---|
| EndpointNameLength | UInt16 | |
| EndpointName | UnicodeString | |
| ConnectionType | UInt32 | |
| ServerSocketAddressLength | UInt32 | |
| ServerSocketAddress | Binary | |
| ClientSocketAddressLength | UInt32 | |
| ClientSocketAddress | Binary | |
| ConnectionIdSize | UInt32 | |
| ConnectionId | Binary | |
| MutualAuthentication | UInt32 | |
| AccessControlCheck | UInt32 | |
Event ID 1914: The server was unable to perform revocation checks on the client certificate chain.
Description
The server was unable to perform revocation checks on the client certificate chain. The connection will proceed.
Fields
| Name | Type | Description |
|---|---|---|
| Status | UInt32 | NTSTATUS reference |
| EndpointNameLength | UInt16 | |
| EndpointName | UnicodeString | |
| ConnectionType | UInt32 | |
| TransportNameLength | UInt16 | |
| TransportName | UnicodeString | |
| ClientSocketAddressLength | UInt32 | |
| ClientSocketAddress | Binary | |
Event ID 2000: Packet Fragment (FragmentSize bytes).
Event ID 3000: SMB1 access Client Address: ClientName Guidance: This event indicates that a client attempted to access the server using SMB1.
Description
SMB1 access.
Fields
| Name | Type | Description |
|---|---|---|
| ClientName | AnsiString | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-SMBServer",
"guid": "D48CE617-33A2-4BC3-A5C7-11AA4F29619E",
"event_source_name": "",
"event_id": 3000,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 144115188075855872,
"time_created": "2026-03-13T18:46:45.797324+00:00",
"event_record_id": 1,
"correlation": {},
"execution": {
"process_id": 11352,
"thread_id": 7956
},
"channel": "Microsoft-Windows-SMBServer/Audit",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"ClientName": "10.2.10.11"
},
"message": ""
}
Event ID 3002: A remote device attempted SMB1 connection to this computer.
Event ID 3003: SMB1 server service has been automatically uninstalled.
Event ID 3004: SMB server admin file rundown
Event ID 3005: SMB server admin session rundown
Description
SMB server admin session rundown.
Fields
| Name | Type | Description |
|---|---|---|
| SessionId | UInt64 | |
| ComputerNameLength | UInt16 | |
| ComputerName | UnicodeString | |
| UserNameLength | UInt16 | |
| UserName | UnicodeString | |
| DomainNameLength | UInt16 | |
| DomainName | UnicodeString | |
| DomainAndUserNameLength | UInt16 | |
| DomainAndUserName | UnicodeString | |
| ClientOsLength | UInt16 | |
| ClientOs | UnicodeString | |
| TransportNameLength | UInt16 | |
| TransportName | UnicodeString | |
| ServerNameLength | UInt16 | |
| ServerName | UnicodeString | |
| StartTime | UInt64 | |
| LastActiveTime | UInt64 | |
Event ID 3006: SMB server admin share rundown
Event ID 3007: Access Denied Server certificate mapping name: ServerName Client socket address: ClientSocketAddress Client certificate chain: Subject, Issuer, Serial Number, SupportedHashAlgsStr CertChainProperti...
Description
Access Denied.
Fields
| Name | Type | Description |
|---|---|---|
| ServerNameLength | UInt16 | |
| ServerName | UnicodeString | |
| ClientSocketAddressLength | UInt32 | |
| ClientSocketAddress | Binary | |
| SupportedHashAlgsStrLength | UInt16 | |
| SupportedHashAlgsStr | UnicodeString | |
| CertChainPropertiesStrLength | UInt16 | |
| CertChainPropertiesStr | UnicodeString | |
| DenySidsStrLength | UInt16 | |
| DenySidsStr | UnicodeString | |
| AllowSidsStrLength | UInt16 | |
| AllowSidsStr | UnicodeString | |
| ConnectionIdSize | UInt32 | |
| ConnectionId | Binary | |
Event ID 3008: Access Allowed.
Description
Access Allowed.
Fields
| Name | Type | Description |
|---|---|---|
| ServerNameLength | UInt16 | |
| ServerName | UnicodeString | |
| ClientSocketAddressLength | UInt32 | |
| ClientSocketAddress | Binary | |
| SupportedHashAlgsStrLength | UInt16 | |
| SupportedHashAlgsStr | UnicodeString | |
| CertChainPropertiesStrLength | UInt16 | |
| CertChainPropertiesStr | UnicodeString | |
| DenySidsStrLength | UInt16 | |
| DenySidsStr | UnicodeString | |
| AllowSidsStrLength | UInt16 | |
| AllowSidsStr | UnicodeString | |
| ConnectionIdSize | UInt32 | |
| ConnectionId | Binary | |
Event ID 3009: An error occurred while checking client certificate chain access during mutual authentication.
Description
An error occurred while checking client certificate chain access during mutual authentication. Win32 error code: Error.
Fields
| Name | Type | Description |
|---|---|---|
| Error | UInt32 | |
| ServerNameLength | UInt16 | |
| ServerName | UnicodeString | |
| ClientSocketAddressLength | UInt32 | |
| ClientSocketAddress | Binary | |
| ConnectionIdSize | UInt32 | |
| ConnectionId | Binary | |
Event ID 3010: An administrator attempted to assign an alternative SMB server listener port Port, but it is either in the 0-1024 reserved range or it is already assigned to another process.
Description
An administrator attempted to assign an alternative SMB server listener port Port, but it is either in the 0-1024 reserved range or it is already assigned to another process. Use NETSTAT -abno to list all listening ports and their processes in use on this computer.
Fields
| Name | Type | Description |
|---|---|---|
| Port | UInt16 | |
Event ID 3011: The SMB server service created an endpoint with the following listener rule entry settings.
Description
The SMB server service created an endpoint with the following listener rule entry settings.
Fields
| Name | Type | Description |
|---|---|---|
| TransportNameLength | UInt16 | |
| TransportName | UnicodeString | |
| Port | UInt16 | |
| TransportType | UInt32 | |
| SrvInstances | UInt32 | |
| Status | HexInt32 | NTSTATUS reference |
Example Event
{
"system": {
"provider": "Microsoft-Windows-SMBServer",
"event_id": 3011,
"level": 4,
"task": 3062,
"opcode": 0,
"time_created": "2026-04-18T03:03:30.6025061+00:00",
"computer": "DESKTOP-FF3N5XK.ludus.domain",
"channel": "Microsoft-Windows-SMBServer"
},
"event_data": {
"TransportName": "\\Device\\NetbiosSmb",
"SrvInstances": "15",
"Status": "0x0",
"Port": "445",
"TransportNameLength": "18",
"TransportType": "1"
}
}
Event ID 3012: The SMB server service failed to create an endpoint with the following listener rule entry settings.
Description
The SMB server service failed to create an endpoint with the following listener rule entry settings.
Fields
| Name | Type | Description |
|---|---|---|
| TransportNameLength | UInt16 | |
| TransportName | UnicodeString | |
| Port | UInt16 | |
| TransportType | UInt32 | |
| SrvInstances | UInt32 | |
| Status | HexInt32 | NTSTATUS reference |
Event ID 3013: An administrator created an alternative SMB server listener port rule entry.
Event ID 3014: An administrator updated an existing alternative SMB server listener port rule entry.
Event ID 3015: An administrator removed an existing alternative SMB server listener port rule entry.
Event ID 3016: The SMB server service failed to enable an implicit loopback interface for interface Interface with NTSTATUS Status.
Description
The SMB server service failed to enable an implicit loopback interface for interface Interface with NTSTATUS Status.
Fields
| Name | Type | Description |
|---|---|---|
| Interface | UInt32 | |
| Status | HexInt32 | NTSTATUS reference |
Event ID 3017: The SMB server service failed to disable an implicit loopback interface for interface Interface with NTSTATUS Status.
Description
The SMB server service failed to disable an implicit loopback interface for interface Interface with NTSTATUS Status.
Fields
| Name | Type | Description |
|---|---|---|
| Interface | UInt32 | |
| Status | HexInt32 | NTSTATUS reference |
Event ID 3018: The inbound ProtocolType firewall rule already exists for port Port.
Event ID 3019: The inbound ProtocolType firewall rule failed to be created for port Port.
Event ID 3020: The inbound ProtocolType firewall rule was successfully created for port Port.
Event ID 3021: The SMB server observed that the client doesn't support signing.
Event ID 3022: The SMB server observed that the client doesn't support encryption.
Event ID 3023: The SMB client was logged on as Guest account.
Event ID 3024: The SMB server observed that the client did not send an SPN during authentication, indicating that the client does not support Extended Protection ...
Description
The SMB server observed that the client did not send an SPN during authentication, indicating that the client does not support Extended Protection for Authentication (EPA) or that support for EPA is disabled. Client name: ClientName SPN Query Status: Status SPN Validation Policy: SPNValidationPolicy
Fields
| Name | Type | Description |
|---|---|---|
| ClientNameLength | UInt16 | |
| ClientName | UnicodeString | |
| Status | HexInt32 | NTSTATUS reference |
| SPNValidationPolicy | UInt32 | |
Event ID 3024: The SMB server observed that the client did not send an SPN during authentication, indicating that the client does not support Extended Protection for Authentication (EPA) or that support for EPA i...
Fields
| Name | Type | Description |
|---|---|---|
| ClientNameLength | UInt16 | |
| ClientName | UnicodeString | |
| Status | HexInt32 | NTSTATUS reference |
| SPNValidationPolicy | UInt32 | |
Event ID 3025: The SMB server observed that the client sent an unrecognized SPN during authentication.
Event ID 3025: The SMB server observed that the client sent an unrecognized SPN during authentication
Description
The SMB server observed that the client sent an unrecognized SPN during authentication.
Fields
| Name | Type | Description |
|---|---|---|
| ClientNameLength | UInt16 | |
| ClientName | UnicodeString | |
| SPN | UnicodeString | |
| ServiceClassIsValid | Boolean | |
| PrincipalNameIsValid | Boolean | |
| SPNValidationPolicy | UInt32 | |
Event ID 3026: The SMB server observed that the client sent an empty SPN during authentication, which indicates the client is capable of sending an SPN but electe...
Event ID 3026: The SMB server observed that the client sent an empty SPN during authentication, which indicates the client is capable of sending an SPN but elected not to supply one
Description
The SMB server observed that the client sent an empty SPN during authentication, which indicates the client is capable of sending an SPN but elected not to supply one.
Fields
| Name | Type | Description |
|---|---|---|
| ClientNameLength | UInt16 | |
| ClientName | UnicodeString | |
| SPNValidationPolicy | UInt32 | |
Event ID 3027: The SMBv1 server observed that the SMBv1 client does not have signing enabled.
Event ID 3027: The SMBv1 server observed that the SMBv1 client does not have signing enabled
Description
The SMBv1 server observed that the SMBv1 client does not have signing enabled.
Fields
| Name | Type | Description |
|---|---|---|
| ClientNameLength | UInt16 | |
| ClientName | UnicodeString | |
| ServerRequiresSigning | Boolean | |
Event ID 4000: The SMB client connection to the share was established.
Description
The SMB client connection to the share was established.
Fields
| Name | Type | Description | Rules |
|---|---|---|---|
| ShareNameLength | UInt16 | | |
| ShareName | UnicodeString | | 3 detection rules |
| ClientAddressLength | UInt32 | | |
| ClientAddress | Binary | | 5 detection rules |
| ClientNameLength | UInt16 | | |
| ClientName | UnicodeString | | |
| SessionId | UInt64 | | |
| TreeId | UInt32 | | |
| ConnectionType | UInt32 | | |
| SigningUsed | Boolean | | 1 detection rule |
| EncyptionUsed | Boolean | | 1 detection rule |
| CompressionUsed | Boolean | | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-SMBServer",
"event_id": 4000,
"level": 4,
"task": 3076,
"opcode": 0,
"time_created": "2026-04-18T03:08:10.8656925+00:00",
"computer": "DESKTOP-FF3N5XK.ludus.domain",
"channel": "Microsoft-Windows-SMBServer"
},
"event_data": {
"ClientAddress": "0200F00F0A020A0B0000000000000000",
"SigningUsed": "true",
"ClientName": "\\\\10.2.10.11",
"ClientAddressLength": "16",
"ShareNameLength": "6",
"ClientNameLength": "12",
"TreeId": "13",
"ShareName": "ADMIN$",
"CompressionUsed": "false",
"ConnectionType": "1",
"EncyptionUsed": "false",
"SessionId": "21990232555529"
}
}
Event ID 4000: The SMB client connection to the share was established
Description
The SMB client connection to the share was established.
Fields
| Name | Type | Description | Rules |
|---|---|---|---|
| ShareNameLength | UInt16 | | |
| ShareName | UnicodeString | | 3 detection rules |
| ClientAddressLength | UInt32 | | |
| ClientAddress | Binary | | 5 detection rules |
| ClientNameLength | UInt16 | | |
| ClientName | UnicodeString | | |
| SessionId | UInt64 | | |
| TreeId | UInt32 | | |
| ConnectionType | UInt32 | | |
| SigningUsed | Boolean | | 1 detection rule |
| EncyptionUsed | Boolean | | 1 detection rule |
| CompressionUsed | Boolean | | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-SMBServer",
"event_id": 4000,
"level": 4,
"task": 3076,
"opcode": 0,
"time_created": "2026-04-18T03:08:10.8656925+00:00",
"computer": "DESKTOP-FF3N5XK.ludus.domain",
"channel": "Microsoft-Windows-SMBServer"
},
"event_data": {
"ClientAddress": "0200F00F0A020A0B0000000000000000",
"SigningUsed": "true",
"ClientName": "\\\\10.2.10.11",
"ClientAddressLength": "16",
"ShareNameLength": "6",
"ClientNameLength": "12",
"TreeId": "13",
"ShareName": "ADMIN$",
"CompressionUsed": "false",
"ConnectionType": "1",
"EncyptionUsed": "false",
"SessionId": "21990232555529"
}
}
Event ID 40000: Packet (PacketSize bytes).
Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID d48ce617-33a2-4bc3-a5c7-11aa4f29619e
Defined in srv2.sys, the binary that emits these events.
Observed on:
- WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.4171, captured 2026-06-02
- Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.6584, captured 2026-06-02