Microsoft-Windows-TCPIP

624 events across 2 channels

Event	Title	Channel	Sample
1001	TCP: endpoint Endpoint (Family=AddressFamily, PID=Pid) created with status = …	Diagnostic	Y
1002	TCP: Tcb Tcb (local=LocalAddress remote=RemoteAddress) requested to connect.	Diagnostic	Y
1003	TCP: Inspect Connect has been completed on Tcb Tcb with status = Status.	Diagnostic	Y
1004	TCP: Tcb Tcb is going to output SYN with ISN = ISN, RcvWnd = RcvWnd, RcvWndScale …	Diagnostic	Y
1005	TCP: endpoint bind failed: address LocalAddressLength cannot be resolved …	Diagnostic	N
1006	TCP: endpoint (sockaddr=LocalAddressLength) bind failed: port-acquisition status …	Diagnostic	N
1007	TCP: endpoint (sockaddr=LocalAddressLength) bind failed: inspection status = …	Diagnostic	N
1008	TCP: endpoint (sockaddr=LocalAddressLength) bound.	Diagnostic	Y
1009	TCP: endpoint (sockaddr=LocalAddressLength) closed.	Diagnostic	Y
1010	TCP: endpoint (Family=AddressFamily PID=ProcessId) create failed: address family …	Diagnostic	N
1011	TCP: endpoint (Family=AddressFamily PID=ProcessId) create failed: compartment …	Diagnostic	N
1012	TCP: endpoint (Family=AddressFamily PID=ProcessId) create failed: inspection …	Diagnostic	N
1013	TCP: endpoint (Family=CompartmentId PID=Status) created.	Diagnostic	Y
1014	TCP: listener (local=LocalAddress remote=RemoteAddress) accept failed: Route …	Diagnostic	N
1015	TCP: listener (local=LocalAddress remote=RemoteAddress) accept failed: …	Diagnostic	N
1016	TCP: listener (local=LocalAddress remote=RemoteAddress) accept failed: client …	Diagnostic	N
1017	TCP: listener (local=LocalAddress remote=RemoteAddress) accept completed.	Diagnostic	Y
1018	TCP: connection Tcb (local=LocalAddress remote=RemoteAddress PID=ProcessId) …	Diagnostic	N
1019	TCP: connection Tcb (local=LocalAddress remote=RemoteAddress PID=ProcessId) …	Diagnostic	N
1020	TCP: connection Tcb (local=LocalAddress remote=RemoteAddress PID=ProcessId) …	Diagnostic	N
1021	TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connect failed: …	Diagnostic	N
1022	TCP: Bypass rate limiting since flag is set on path Path (local=LocalAddress …	Diagnostic	N
1023	TCP: Charge rate limiting quota and set rate limiting flag for path Path …	Diagnostic	N
1024	TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) deferred.	Diagnostic	N
1025	TCP: ConnectionRateLimitDepth rate-limiting paths ConnectionRateLimitBacklog …	Diagnostic	N
1026	TCP: Release and set rate limiting flag on path Path (local=LocalAddress …	Diagnostic	N
1027	TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) released.	Diagnostic	N
1028	TCP: Clear rate limiting flag on path Path (local=LocalAddress …	Diagnostic	N
1029	TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connect failed: …	Diagnostic	N
1030	TCP: connection (local=LocalAddressLength remote=RemoteAddressLength) connect …	Diagnostic	N
1031	TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connect …	Diagnostic	Y
1032	TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) released due to …	Diagnostic	N
1033	TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connect completed.	Diagnostic	Y
1034	TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connect attempt …	Diagnostic	Y
1035	TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connect failed: …	Diagnostic	N
1036	TCP: ApplySynOptions, failed to create session state with status = Status, TCB = …	Diagnostic	N
1037	TCP: ApplySynOptions, failed to update DF with status = Status, TCB = Tcb.	Diagnostic	N
1038	TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) close issued.	Diagnostic	Y
1039	TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) abort issued.	Diagnostic	Y
1040	TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) abort completed.	Diagnostic	Y
1041	TCP: Injecting disconnect on a shutdown TCB failed.	Diagnostic	N
1042	TCP: connection disconnect Injected, length=Length.	Diagnostic	Y
1043	TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) disconnect …	Diagnostic	Y
1044	TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) shutdown initiated …	Diagnostic	Y
1045	TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connect failed: …	Diagnostic	N
1046	TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) terminating: …	Diagnostic	Y
1047	TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) terminating: …	Diagnostic	N
1048	TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) terminating: …	Diagnostic	N
1049	TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connect failed: …	Diagnostic	N
1050	TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connect failed: …	Diagnostic	N
1051	TCP: connection Tcb transition from OldState to NewState, SndNxt = SndNxt.	Diagnostic	Y
1052	TCP: Process with PID = ProcessId reserved NumberOfPorts ports starting at …	Diagnostic	N
1053	TCP: Process with PID = ProcessId failed to reserve NumberOfPorts ports starting …	Diagnostic	N
1054	TCP: Process with PID = ProcessId completed global port reservation of …	Diagnostic	N
1055	TCP: entering SYN attack resistance mode, Syn Attacks Detected = …	Diagnostic	N
1056	TCP: reasembly rate-limiting violated ReassemblyLimitViolations times since …	Diagnostic	N
1057	TCP: connection rate-limiting violated ConnectionRateLimitViolations times since …	Diagnostic	N
1058	TCP: land attack has dropped LandAttackSegmentsDropped packets since boot.	Diagnostic	N
1059	TCP: low memory state detected.	Diagnostic	N
1060	TCP: leaving low memory state.	Diagnostic	N
1061	TCP: address family AddressFamily added to interface InterfaceIndex.	Diagnostic	N
1062	TCP: address family AddressFamily removed from interface InterfaceIndex.	Diagnostic	N
1063	TCP: leaving SYN attack resistance mode, Syn Attacks Detected = …	Diagnostic	N
1064	TCP: Connection Tcb TimerType timer started.	Diagnostic	Y
1065	TCP: Connection Tcb stopping TimerType timer.	Diagnostic	Y
1066	TCP: Connection Tcb TimerType timer has expired.	Diagnostic	Y
1067	TCP: ISB changed to IsbSize.	Diagnostic	N
1068	TCP: moving RSS indirection table index TableEntry from processor …	Diagnostic	N
1069	TCP: connection Tcb: Timeout Event updated cwnd = Cwnd and updated ssthresh = …	Diagnostic	N
1070	TCP: connection Tcb: Rtt sample recorded RttSample.	Diagnostic	N
1071	TCP: connection Tcb: Cumulative ACK updated cwnd = Cwnd.	Diagnostic	N
1072	TCP: connection Tcb: Duplicate ACK updated cwnd = Cwnd and updated ssthresh = …	Diagnostic	N
1073	TCP: connection Tcb: Sent data with number of bytes = NumBytes and Sequence …	Diagnostic	N
1074	TCP: connection Tcb: Received data with number of bytes = NumBytes.	Diagnostic	Y
1075	TCP: connection Tcb: ECN Echo updated cwnd = Cwnd and updated ssthresh = …	Diagnostic	N
1076	TCP: connection Tcb: Spurious timeout with SndUna = SndUna.	Diagnostic	N
1077	TCP: connection Tcb: Send Retransmit round with SndUna = SeqNo, Round = Round, …	Diagnostic	N
1078	TCP: connection Tcb: Entered loss recovery phase with SndUna = SndUna and SndMax …	Diagnostic	Y
1079	TCP: connection Tcb: Leaving loss recovery phase with SndUna = SndUna and SndMax …	Diagnostic	Y
1080	TCP: connection Tcb entering SACK mode with SndUna = SndUna.	Diagnostic	N
1081	TCP: connection Tcb leaving SACK mode with SndUna = SndUna.	Diagnostic	N
1082	TCP: connection Tcb entering Congestion Avoidance Phase with cwnd = Cwnd and …	Diagnostic	N
1084	TCP: connection Tcb entered BH, BH MSS BHMSS, original MSS OriginalMSS.	Diagnostic	N
1085	TCP: connection Tcb Exiting BH due to TraceString, BH mss BHMSS, Original MSS …	Diagnostic	N
1086	TCP: connection Tcb not entering BH due to TraceString.	Diagnostic	N
1087	TCP: connection Tcb spurious RTO detection initiated at SndUna.	Diagnostic	N
1088	TCP: connection Tcb spurious RTO detection terminated at SndUna.	Diagnostic	N
1089	TCP: active connect failed (family=Status) connect-complete inspection failed: …	Diagnostic	N
1090	TCP: TcpReleaseIndicationList: Nbl = NBL.	Diagnostic	Y
1091	TCP: connection Tcb posted an average of NumBytes bytes per send.	Diagnostic	N
1092	TCP: connection (local=LocalAddress remote=RemoteAddress) starting receive …	Diagnostic	Y
1093	TCP: connection (local=LocalAddress remote=RemoteAddress) ending receive window …	Diagnostic	Y
1094	TCP: connection (local=LocalAddress remote=RemoteAddress) failed to enter …	Diagnostic	N
1095	TCP: connection (local=LocalAddress remote=RemoteAddress) failed to enter …	Diagnostic	N
1096	TCP: connection (local=LocalAddress remote=RemoteAddress) failed to enter …	Diagnostic	N
1097	TCP: connection (local=LocalAddress remote=RemoteAddress) auto-tuner adjusted …	Diagnostic	N
1098	TCP: connection Tcb: Rtt resiliency detection complete with Rtt sample = …	Diagnostic	N
1099	TCP: connection Tcb: Connection State = TcbState, Offload State = OcbState.	Diagnostic	N
1100	TCP: SWS avoidance began on connection Tcb.	Diagnostic	Y
1101	TCP: SWS avoidance ended on connection Tcb.	Diagnostic	N
1102	TCP: connection Tcb send: Beginning zero-window probing with SndUna = SndUna.	Diagnostic	N
1103	TCP: connection Tcb send: Leaving zero-window probing with SndUna = SndUna.	Diagnostic	N
1104	TCP: Option OptionType is going to be set for connection Tcb.	Diagnostic	Y
1105	TCP: Socket Option SoOptionType is going to be set for connection Tcb.	Diagnostic	Y
1106	IP: Disconnecting interface InterfaceIndex, trace = TraceString.	Diagnostic	N
1107	TCPIP: Module ModuleNameString started.	Diagnostic	N
1108	TCPIP: Module ModuleNameString stopped.	Diagnostic	N
1109	TCPIP: Failure allocating AllocationObjectString.	Diagnostic	N
1110	TCP: Global parameters updated for Address Family AddressFamily: …	Diagnostic	N
1111	TCP: Connection Tcb Large Send Offload, Bytes in segment = BytesInSegment and …	Diagnostic	Y
1112	TCP: Connection Tcb status changed to Status.	Diagnostic	N
1113	TCP: Connection Tcb status = Status, Interface = Interface, PMax = PMax.	Diagnostic	N
1114	IP: DAD successful for IP address = IPv4Address IPProtocol IPv6Address on …	Diagnostic	N
1115	IP: DAD failed for IP address = IPv4Address IPProtocol IPv6Address on interface …	Diagnostic	N
1116	IP: DAD started for IP address = IPv4Address IPProtocol IPv6Address on interface …	Diagnostic	N
1117	TCP: listener (sockaddr=SocketAddress PID=ProcessId) activation failed: address …	Diagnostic	N
1118	TCP: listener Listener (family=AddressFamily PID=ProcessId) activation failed: …	Diagnostic	N
1119	TCP: listener Listener (family=AddressFamily PID=ProcessId) activation failed: …	Diagnostic	N
1120	TCP: listener Listener (sockaddr=SocketAddress) activation failed: inspection …	Diagnostic	N
1121	TCP: listener Listener (sockaddr=SocketAddress) bind failed: port-acquisition …	Diagnostic	N
1122	TCP: listener Listener (family=AddressFamily PID=ProcessId) bind failed: address …	Diagnostic	N
1123	TCP: listener Listener (sockaddr=SocketAddress) activated.	Diagnostic	N
1124	TCP: listener Listener (sockaddr=SocketAddress) unbound.	Diagnostic	N
1127	IP: IP address = IPv4Address IPProtocol IPv6Address added on interface = …	Diagnostic	N
1128	IP: IP address = IPv4Address IPProtocol IPv6Address deleted on interface = …	Diagnostic	N
1130	Framing: Interface operation status change.	Diagnostic	N
1136	Framing: NDIS pause event on interface InterfaceIndex.	Diagnostic	N
1137	Framing: NDIS restart event on interface InterfaceIndex.	Diagnostic	N
1138	IP: IP address = IPv4Address IPProtocol IPv6Address state changed to Preferred.	Diagnostic	N
1139	IP: IP address = IPv4Address IPProtocol IPv6Address state changed to …	Diagnostic	N
1144	IP: Interface Interface property change.	Diagnostic	N
1145	IP: Route Route created on interface Interface.	Diagnostic	N
1146	IP: Route Route deleted on interface Interface, Protocol = DestinationPrefix, …	Diagnostic	N
1147	IP: Route Route property change.	Diagnostic	N
1148	IP: Neighbor unreachable.	Diagnostic	N
1149	IP: Neighbor reachable.	Diagnostic	N
1150	TCP: CTCP DataTransferTimeout event.	Diagnostic	N
1151	TCP: CTCP Cumulative Ack event Connection Tcb, sequence = SeqNo, CWnd = Cwnd, …	Diagnostic	N
1152	TCP: CTCP Duplicate Ack event.	Diagnostic	N
1153	TCP: CTCP Send event.	Diagnostic	N
1154	TCP: CTCP ECN event.	Diagnostic	N
1155	TCP: CTCP Spurious timeout event.	Diagnostic	N
1156	TCP: connection Tcb, delivery Delivery, Request Request posted for NumBytes …	Diagnostic	Y
1157	TCP: connection Tcb delivery Delivery indicated NumBytes bytes accepted Length …	Diagnostic	Y
1158	TCP: connection Tcb delivery Delivery satisfied NumBytes bytes Length requested.	Diagnostic	Y
1159	TCP: connection Tcb send Injected NumBytes bytes at SndNxt.	Diagnostic	Y
1160	TCP: connection Tcb send transmitted NumBytes bytes at SndNxt.	Diagnostic	Y
1161	TCP: connection Tcb send advance NumBytes bytes at SndNxt.	Diagnostic	Y
1162	TCP: CTcp: Connection Tcb Delay window has not kicked in.	Diagnostic	N
1163	TCP: CTcp: Allocated blocks: AssignedBlocks; Assigned blocks: AllocatedBlocks.	Diagnostic	N
1164	TCP: CTcp: Connection Tcb, DWnd = DWnd (Prev = PrevDWnd), BaseRtt = BaseRtt, …	Diagnostic	N
1165	TCP: CTcp: Gamma Autotuning: Connection Tcb Updated Gamma Gamma, Average backlog …	Diagnostic	N
1166	TCP: connection Tcb SRTT measurement started (seq = SeqNum, tick = Tick).	Diagnostic	N
1167	TCP: connection Tcb SRTT measurement complete (tick = Tick, sample = RttSample …	Diagnostic	Y
1168	TCP: connection Tcb: SRTT measurement cancelled.	Diagnostic	Y
1169	UDP: endpoint Endpoint (LocalAddress = LocalSockAddr, RemoteAddress = …	Diagnostic	Y
1170	UDP: endpoint Endpoint (LocalAddress = LocalSockAddr, RemoteAddress = …	Diagnostic	Y
1171	TCP: connection Tcb delivery Delivery flushing NumBytes bytes Length requested …	Diagnostic	Y
1172	TCP: Injecting receive on a shutdown TCB failed.	Diagnostic	N
1173	TCP: connection Tcb delivery Delivery injecting NumBytes bytes delta Length, …	Diagnostic	Y
1174	TCP: Injecting fin on a shutdown TCB failed.	Diagnostic	N
1175	TCP: connection Tcb delivery Delivery accepting NumBytes bytes.	Diagnostic	Y
1176	TCP: connection Tcb delivery Delivery delivering FIN.	Diagnostic	Y
1178	TCP: connection Tcb delivery Delivery pushing NumBytes bytes Length requested.	Diagnostic	N
1180	TCP: Injecting fin on TCB completed.	Diagnostic	Y
1181	TCP: connection Tcb delivery Delivery urgent boundary completing NumBytes bytes …	Diagnostic	N
1182	TCP: connection Tcb (local=LocalAddress remote=RemoteAddress): initiating …	Diagnostic	N
1183	TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connect failed: …	Diagnostic	N
1184	TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connection …	Diagnostic	Y
1185	TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connection …	Diagnostic	N
1186	TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) retransmitting …	Diagnostic	Y
1187	TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) retransmitting …	Diagnostic	N
1188	TCP: connection Tcb send keep-alive at SndUna = SndUna.	Diagnostic	Y
1189	TCP: connection Tcb, delivery Delivery: delivery state changed from …	Diagnostic	N
1190	TCP: connection Tcb delivery Delivery dropping data.	Diagnostic	N
1191	TCP: endpoint/connection PortAcquirer acquired port number PortNumber.	Diagnostic	Y
1192	TCP: connection PortAcquirer attempted to acquire weak reference on port number …	Diagnostic	Y
1193	TCP: endpoint/connection PortAcquirer released port number PortNumber.	Diagnostic	Y
1194	TCP: endpoint/connection PortAcquirer replaced base endpoint OriginalAcquirer …	Diagnostic	N
1195	TCP: Portpool assigned port number PortNumber with weak references due to port …	Diagnostic	N
1196	TCP: connection Tcb BH receive ACK for full size seq.	Diagnostic	Y
1197	TCP: connection Tcb flushed SACK state at SndUna = SndUna.	Diagnostic	N
1198	TCP: Connection Tcb entering reassembly at RcvNxt = SndUna.	Diagnostic	Y
1199	TCP: Connection Tcb leaving reassembly at RcvNxt = SndUna.	Diagnostic	Y
1200	TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) terminating: Zero …	Diagnostic	N
1201	TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) terminating: …	Diagnostic	N
1202	IP: Interface rundown: Index = IfIndex, Linkspeed = CurrLinkSpeed bps, …	Diagnostic	Y
1203	IP: Interface Index = IfIndex, Linkspeed changed to CurrLinkSpeed bps, …	Diagnostic	N
1204	TCP: Connection Tcb flushing reassembly state at RcvNxt = SndUna.	Diagnostic	N
1205	TCPIP: NBL Nbl fell off the receive fast path, Reason: Reason.	Diagnostic	Y
1206	TCPIP: NBL Nbl fell off the send fast path, Reason: Reason.	Diagnostic	Y
1207	TCP: WSD - TcpWsdEtwPoint Status: Status.	Diagnostic	N
1208	TCP: WSD - TcpWsdEtwPoint Status: Status.	Diagnostic	N
1209	TCP: WSD - TCB Tcb will use a highly restricted window scale factor due to a …	Diagnostic	N
1210	TCP: WSD - TCB Tcb will use a highly restricted window scale factor due to a …	Diagnostic	N
1211	TCP: WSD - Entry (Processor, Entry) moved from OldState to NewState due to …	Diagnostic	N
1212	TCP: WSD - Profile: Profile State: State Qualified: Qualified EreQualified: …	Diagnostic	N
1213	TCP: WSD - Enabled moved from OldEnabledState to NewEnabledState.	Diagnostic	N
1214	TCPIP: Transport (Protocol IPTransportProtocol, AddressFamily = AddressFamily) …	Diagnostic	Y
1215	TCPIP: Network layer (Protocol IPTransportProtocol, AddressFamily = …	Diagnostic	Y
1216	TCP: MPP NPP Evaluation PhysicalPages = PhysicalPages NonPagedPoolPages = …	Diagnostic	N
1217	TCP: MPP: Episode started.	Diagnostic	N
1218	TCP: MPP: Episode ended.	Diagnostic	N
1219	TCP: MPP: Epoch Epoch started.	Diagnostic	N
1220	TCP: MPP: Epoch Epoch ended.	Diagnostic	N
1221	TCP: Connection Tcb restarting Cwnd.	Diagnostic	N
1222	TCP: Connection Tcb adjust InitalCwnd.	Diagnostic	N
1223	TCP: Connection Tcb committed TemplateType = TemplateType.	Diagnostic	Y
1224	TCP: Connection Tcb template changed.	Diagnostic	Y
1225	TCP: connection Tcb: End of a round, SndRound = SndRound, Bytes sent = …	Diagnostic	N
1226	TCP: interface IfIndex: RSC state changed, IPV4 State = StateV4, IPV4 Failure …	Diagnostic	N
1227	TCP: connection Tcb: RSC SCU received.	Diagnostic	Y
1228	TCPIP: TCB Tcb does not take fast path, Cause: Cause.	Diagnostic	N
1229	TCP: Connection Tcb send queue is idle.	Diagnostic	Y
1230	RSS: Bind notification for AddressFamily on interface InterfaceIndex.	Diagnostic	N
1231	RSS: Bind notification for adapter AdapterIndex.	Diagnostic	N
1232	RSS: ReferenceAdded reference on adapter AdapterIndex.	Diagnostic	N
1233	RSS: adapter AdapterIndex with capabilities CapabilitiesFlags and …	Diagnostic	N
1234	RSS: adapter AdapterIndex processor group GroupNumber maximum processors …	Diagnostic	N
1235	RSS: assigning processor ProcessorIndex from adapter PreviousAdapterIndex to …	Diagnostic	N
1236	RSS: unassigning processor ProcessorIndex from adapter PreviousAdapterIndex.	Diagnostic	N
1237	RSS: adapter AdapterIndex reassigning indirection entry IndirectionIndex from …	Diagnostic	N
1238	RSS: adapter AdapterIndex removing processor ProcessorIndex from its indirection …	Diagnostic	N
1239	RSS: adapter AdapterIndex changing Setting to Value.	Diagnostic	N
1240	RSS: Failed to FailureDescription on IfIndex InterfaceIndex: Status.	Diagnostic	N
1241	RSS: bind completed successfully for AddressFamily on interface InterfaceIndex.	Diagnostic	N
1242	RSS: bind completed successfully for adapter AdapterIndex.	Diagnostic	N
1243	RSS: adapter AdapterIndex not supported.	Diagnostic	N
1244	RSS: adapter AdapterIndex indirection table initialized on group GroupNumber …	Diagnostic	N
1245	RSS: Rundown: interface InterfaceIndex with adapter AdapterIndex at port …	Diagnostic	Y
1246	RSS: Rundown: adapter AdapterIndex hash info HashInfo maximum processors …	Diagnostic	Y
1247	RSS: interface InterfaceIndex support: Capability.	Diagnostic	N
1248	NDKPI Create CQ: RequestContext RequestContext Adapter NdkAdapter CqDepth …	Diagnostic	N
1249	NDKPI Create Completion: RequestContext RequestContext Status Status …	Diagnostic	N
1250	NDKPI Close NdkObjectType: RequestContext RequestContext NdkObjectType …	Diagnostic	N
1251	NDKPI Close Completion: RequestContext RequestContext (CompletionType).	Diagnostic	N
1252	NDKPI Resize CQ: RequestContext RequestContext CQ NdkCq CqDepth CqDepth.	Diagnostic	N
1253	NDKPI Request Completion: RequestContext RequestContext Status Status …	Diagnostic	N
1254	NDKPI Arm CQ: CQ NdkCq ArmType.	Diagnostic	N
1255	NDKPI Result ResultIndex/ResultCount: CQ NdkCq RequestContext RequestContext …	Diagnostic	N
1256	NDKPI Create MR: RequestContext RequestContext PD NdkPd FastRegister …	Diagnostic	N
1257	NDKPI Flush: QP NdkQp.	Diagnostic	N
1258	NDKPI Send (SGE SgeIndex/NumSge): RequestContext RequestContext QP NdkQp SGE …	Diagnostic	N
1259	NDKPI Receive (SGE SgeIndex/NumSge): RequestContext RequestContext QP NdkQp SGE …	Diagnostic	N
1260	NDKPI Register MR: RequestContext RequestContext MR NdkMr MDL Mdl Length Length …	Diagnostic	N
1261	NDKPI Deregister MR: RequestContext RequestContext MR NdkObject.	Diagnostic	N
1262	NDKPI Initialize FastRegister MR: RequestContext RequestContext MR NdkMr …	Diagnostic	N
1263	NDKPI Modify SRQ: RequestContext RequestContext SRQ NdkSrq SrqDepth SrqDepth …	Diagnostic	N
1264	NDKPI Connect: RequestContext RequestContext Connector NdkConnector QP NdkQp …	Diagnostic	N
1265	NDKPI Connect: RequestContext RequestContext Connector NdkConnector QP NdkQp …	Diagnostic	N
1266	NDKPI CompleteConnect: RequestContext RequestContext Connector NdkConnector …	Diagnostic	N
1267	NDKPI Accept: RequestContext RequestContext Connector NdkConnector QP NdkQp IRD …	Diagnostic	N
1268	NDKPI Disconnect: RequestContext RequestContext Connector NdkObject.	Diagnostic	N
1269	NDKPI Listen: RequestContext RequestContext Listener NdkListener Address …	Diagnostic	N
1270	NDKPI Create MW: RequestContext RequestContext PD NdkObject.	Diagnostic	N
1271	NDKPI Create SRQ: RequestContext RequestContext PD NdkPd SrqDepth SrqDepth …	Diagnostic	N
1272	NDKPI Create QP: RequestContext RequestContext PD NdkPd ReceiveCQ ReceiveCq …	Diagnostic	N
1273	NDKPI Create QP: RequestContext RequestContext PD NdkPd ReceiveCQ ReceiveCq …	Diagnostic	N
1274	NDKPI Create PD: RequestContext RequestContext Adapter NdkObject.	Diagnostic	N
1275	NDKPI Create SharedEndpoint: RequestContext RequestContext Adapter NdkListener …	Diagnostic	N
1276	NDKPI Create Connector: RequestContext RequestContext Adapter NdkObject.	Diagnostic	N
1277	NDKPI Create Listener: RequestContext RequestContext Adapter NdkAdapter …	Diagnostic	N
1278	NDKPI Build LAM: RequestContext RequestContext Adapter NdkAdapter MDL Mdl Length …	Diagnostic	N
1279	NDKPI Release LAM: Adapter NdkAdapter LAMBuffer LAMBuffer.	Diagnostic	N
1280	NDKPI CQ Notification Callback: CqNotificationContext CqNotificationContext …	Diagnostic	N
1281	NDKPI SRQ Notification Callback: SrqNotificationContext SrqNotificationContext …	Diagnostic	N
1282	NDKPI Disconnect Event Callback: DisconnectEventContext DisconnectEventContext.	Diagnostic	N
1283	NDKPI Connect Event Callback: ConnectEventContext ConnectEventContext Connector …	Diagnostic	N
1284	NDKPI Got TokenType Token Token from NdkObjectType NdkObject.	Diagnostic	N
1285	NDKPI Got SockAddrType Address SockAddr from NdkObjectType NdkObject.	Diagnostic	N
1286	NDKPI SockAddrType Address query failure Status on NdkObjectType NdkObject.	Diagnostic	N
1287	NDKPI Reject: Connector NdkConnector PrivateDataLength PrivateDataLength Status …	Diagnostic	N
1288	NDKPI Get Connect Data: Connector NdkConnector IRD IRD ORD ORD PrivateDataLength …	Diagnostic	N
1289	NDKPI Work Request Inline Failure: RequestContext RequestContext QP NdkQp Status …	Diagnostic	N
1290	NDKPI Bind: RequestContext RequestContext QP NdkQp MR NdkMr MW NdkMw …	Diagnostic	N
1291	NDKPI FastRegister: RequestContext RequestContext QP NdkQp MR NdkMr …	Diagnostic	N
1292	NDKPI Invalidate: RequestContext RequestContext QP NdkQp NdkObjectType NdkObject …	Diagnostic	N
1293	NDKPI Read (SGE SgeIndex/NumSge): RequestContext RequestContext QP NdkQp SGE …	Diagnostic	N
1294	NDKPI Write (SGE SgeIndex/NumSge): RequestContext RequestContext QP NdkQp SGE …	Diagnostic	N
1295	NDKPI SRQ Receive (SGE SgeIndex/NumSge): RequestContext RequestContext SRQ …	Diagnostic	N
1296	NDKPI SRQ Work Request Inline Failure: RequestContext RequestContext SRQ NdkSrq …	Diagnostic	N
1297	NDKPI Open Adapter: InterfaceIndex InterfaceIndex Adapter NdkAdapter Status …	Diagnostic	N
1298	NDKPI Close Adapter (Enter): Adapter NdkAdapter.	Diagnostic	N
1299	NDKPI Close Adapter (Exit): Adapter NdkAdapter.	Diagnostic	N
1300	TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) exists.	Diagnostic	Y
1301	NDKPI Interface Event: InterfaceIndex InterfaceIndex, NDK-Operational …	Diagnostic	N
1302	Network adapter Luid AdapterLuid received a wake packet matching pattern …	Diagnostic	N
1302	Network adapter Luid .	Operational	N
1303	Network adapter Luid AdapterLuid received a wake packet matching pattern …	Diagnostic	N
1303	Network adapter Luid .	Operational	N
1304	TCP: Connection Tcb: Silent Mode SilentModeEvent Context Context.	Diagnostic	N
1305	TCP: Connection Tcb notification channel request.	Diagnostic	N
1306	TCP: Connection Tcb query notification channel status request.	Diagnostic	N
1307	TCP: Connection Tcb notification channel request processed.	Diagnostic	N
1308	TCP: Connection Tcb notification channel signal event.	Diagnostic	N
1309	TCP: Connection Tcb notification channel detached.	Diagnostic	N
1310	TCP: Connection Tcb notification channel unlinked.	Diagnostic	N
1311	TCP: Connection Tcb notification channel wake pattern plumbing.	Diagnostic	N
1312	TCP: Connection Tcb notification channel wake pattern deplumbing.	Diagnostic	N
1313	TCPIP: Interface index InterfaceIndex wake pattern properties.	Diagnostic	N
1314	NDKPI Control CQ Interrupt Moderation: CQ NdkCq Interval ModerationInterval …	Diagnostic	N
1315	TCP: Connection Tcb notification channel request processing.	Diagnostic	N
1316	IP: IP address lifetime = IPv4Address IPProtocol IPv6Address on interface = …	Diagnostic	N
1317	TCP: Repartition event Event (Type) OldPartitionCount.	Diagnostic	N
1318	Component PowerStateTransition on processor IndicatingProcessor at Tick = …	Diagnostic	N
1319	Component timer rescheduled by processor Indicating Processor for processor …	Diagnostic	Y
1320	Component timer fired on processor Target Processor at Tick = Current Tick, was …	Diagnostic	Y
1321	IP: Connecting interface InterfaceIndex, trace = TraceString.	Diagnostic	N
1322	IP: Limited link connectivity set on interface InterfaceIndex, trace = …	Diagnostic	N
1323	IP: Limited link connectivity reset on interface InterfaceIndex, trace = …	Diagnostic	N
1324	IP: Neighbor with IpAddress = IP Address DlAddress = DL Address on Interface = …	Diagnostic	Y
1325	IP: Neighbor Event on Interface = Interface from SourceIpAddress = Source IP …	Diagnostic	Y
1326	IP: Source address PreferredSourceIPAddress is preferred over …	Diagnostic	N
1327	IP: Address pair (Preferred Source IP Address, Preferred Destination IP Address) …	Diagnostic	Y
1328	NDKPI ResultEx ResultIndex/ResultCount: CQ NdkCq RequestContext RequestContext …	Diagnostic	N
1329	NDKPI SendInvalidate (SGE SgeIndex/NumSge): RequestContext RequestContext QP …	Diagnostic	N
1330	TCP: connection Tcb: Cumulative Ack event, SeqNo = SeqNo, BytesAcked = …	Diagnostic	Y
1331	TCP: connection Tcb: CTCP Cumulative Ack event, SeqNo = SeqNo, BytesAcked = …	Diagnostic	N
1332	TCP: connection Tcb: TCP send event, SeqNo = SeqNo, BytesSent = BytesSent, CWnd …	Diagnostic	Y
1333	TCP: connection Tcb: TCP CTCP send event, SeqNo = SeqNo, BytesSent = BytesSent, …	Diagnostic	N
1334	UDP: Endpoint UdpEndpoint notification channel request.	Diagnostic	N
1335	UDP: Endpoint UdpEndpoint query notification channel status request.	Diagnostic	N
1336	UDP: Endpoint UdpEndpoint notification channel request processed.	Diagnostic	N
1337	UDP: Endpoint UdpEndpoint notification channel signal event.	Diagnostic	N
1338	UDP: Endpoint UdpEndpoint notification channel detached.	Diagnostic	N
1339	UDP: Endpoint UdpEndpoint notification channel unlinked.	Diagnostic	N
1340	UDP: Endpoint UdpEndpoint notification channel request processing.	Diagnostic	N
1341	TCP: connection Tcb: Rtt sample recorded RttSample SRTT SRTT RttVar RttVar.	Diagnostic	Y
1342	TCP: connection Tcb: Rtt resiliency detection complete with Rtt sample = …	Diagnostic	N
1343	TCP: connection Tcb: Duplicate ACK updated cwnd = Cwnd and updated ssthresh = …	Diagnostic	Y
1344	TCP: CTCP Duplicate Ack event.	Diagnostic	N
1345	TCP: connection Tcb: Spurious timeout at Seq = SeqNo.	Diagnostic	N
1346	TCP: connection Tcb spurious RTO detection initiated at SeqNo.	Diagnostic	N
1347	TCP: connection Tcb spurious RTO detection terminated at SeqNo.	Diagnostic	N
1348	TCP: CTCP DataTransferTimeout event.	Diagnostic	N
1349	TCP: CTCP Spurious timeout event.	Diagnostic	N
1350	TCP: connection Tcb entering Congestion Avoidance Phase with cwnd = Cwnd and …	Diagnostic	Y
1351	TCP: connection Tcb: Send Retransmit round with SndUna = SndUna, Round = …	Diagnostic	Y
1352	TCP: Connection Tcb Summary: DataBytesOut DataBytesOut DataBytesIn DataBytesIn …	Diagnostic	N
1353	TCPIP: Message AllocationObjectString Param1 Param2 Param3 Param4.	Diagnostic	N
1354	TCP: Connection Tcb SACK updated SndUna SndUna SndMax SndMax SackCount SackCount …	Diagnostic	N
1355	TCP: TCB Tcb Requires address based pattern = RequireAddressCoalescing LocalPort …	Diagnostic	N
1356	TCP: Rtc Port Range Assignment.	Diagnostic	N
1357	TCPIP has failed a RequestType request from LocalAddress to RemoteAddress on …	Diagnostic	N
1358	IP: Interface configuration updated on interface InterfaceIndex property …	Diagnostic	N
1359	TCP: Connection Tcb notification channel unmark request.	Diagnostic	N
1360	TCPIP: A packet has been cloned for a raw listener.	Diagnostic	N
1361	TCPIP: A cloned packet has been dropped.	Diagnostic	N
1362	IP: Interface = Interface IpAddress = IPAddress processing WolEvent = WoLEvent …	Diagnostic	N
1363	IP: Interface = Interface WolHandle = WolHandle has DestinationIpAddress = …	Diagnostic	N
1364	TCP connection tuple inserted- TCB: Tcb LocalAddress: LocalAddress …	Diagnostic	N
1365	TCP connection tuple removed- TCB/TWTCB: Tcb LocalAddress: LocalAddress …	Diagnostic	N
1366	TCP port selection deferred for outbound connect- LocalAddress: LocalAddress.	Diagnostic	N
1367	Nbl Nbl OOB info (PathDirection): TcpIpChecksumNetBufferListInfo …	Diagnostic	Y
1368	Teredo Add -- PID: PID started listening on LocalAddress.	Diagnostic	N
1369	Teredo Remove -- PID: PID stopped listening on LocalAddress.	Diagnostic	N
1370	IP: RouteLookup - API: API DstAddr: DestinationAddress ConstrainSrcAddr: …	Diagnostic	Y
1371	IP: SourceAddrLookup - DstAddr: DestinationAddress ConstrainSrcAddr: …	Diagnostic	Y
1372	WFP-ALE: Partition Count=PartitionCount Partition Mask=PartitionMask: Partition …	Diagnostic	N
1373	WFP-ALE: HotAdd/Remove: Old Partiton Count=OldPartitionCount Old Partition …	Diagnostic	N
1374	WFP-ALE: RemoteEndPoint Insertion: AddrLen=AddressLength …	Diagnostic	N
1375	WFP-ALE: RemoteEndPoint Deletion: AddrLen=AddressLength RemoteAddr=RemoteAddress …	Diagnostic	N
1376	WFP-ALE: ALE: low memory state detected.	Diagnostic	N
1377	WFP-ALE: leaving low memory state.	Diagnostic	Y
1378	WFP-ALE: Dpc for cleanup initiated: LowMemoryEvent = LowMemoryEvent …	Diagnostic	N
1379	WFP: Dpc for cleanup QUEUED or RE-QUEUED: LowMemoryEvent = LowMemoryEvent …	Diagnostic	Y
1380	TCP: LEDBAT LedbatEvent: Connection Tcb, BaseDelayMs = BaseDelayMs, …	Diagnostic	N
1381	TCP: AssociateNameResContext Endpoint: EndpointObj Status: %16 …	Diagnostic	N
1382	TCP: InspectConnectWithNameResContext Connection: Tcb (local: LocalAddress …	Diagnostic	N
1383	IP: Route [DestinationPrefix: PrDestinationPrefix/PrDestinationPrefixLength …	Diagnostic	N
1384	IP: Route [DestinationPrefix: DestinationPrefix/DestinationPrefixLength NextHop: …	Diagnostic	N
1385	TCP: Tail Loss Probe Send Connection = Tcb SndUna = SndUna, SndMax = SndMax, …	Diagnostic	Y
1386	TCP: Tail Loss Probe Event Connection = Tcb, Event = TlpEvent.	Diagnostic	Y
1387	TCP: RACK Event Connection = Tcb, Event = RackEvent, MinRTT = RackMinRtt, …	Diagnostic	Y
1388	TCP: Fastopen state changed for connection = Tcb from OldState = OldState to …	Diagnostic	N
1389	UDP: endpoint (family=AddressFamily pid=ProcessId) create failed: address family …	Diagnostic	N
1390	UDP: endpoint Endpoint (family=AddressFamily pid=ProcessId) create failed: …	Diagnostic	N
1391	UDP: endpoint Endpoint (family=AddressFamily pid=ProcessId) created.	Diagnostic	Y
1392	UDP: endpoint Endpoint (family=AddressFamily pid=ProcessId) create failed: …	Diagnostic	N
1393	UDP: endpoint Endpoint bind failed: address LocalAddress cannot be resolved, …	Diagnostic	N
1394	UDP: endpoint Endpoint (sockaddr=LocalAddress) bind failed: port-acquisition …	Diagnostic	N
1395	UDP: endpoint Endpoint (sockaddr=LocalAddress) bind failed: inspection status = …	Diagnostic	N
1396	UDP: endpoint Endpoint (sockaddr=LocalAddress) bound.	Diagnostic	Y
1397	UDP: endpoint Endpoint (sockaddr=LocalAddress) closed.	Diagnostic	Y
1398	UDP: endpoint Endpoint closed.	Diagnostic	Y
1399	UDP: endpoint Endpoint (sockaddr=EndpointAddress) send messages SendAddress: …	Diagnostic	N
1400	UDP: endpoint Endpoint (sockaddr=EndpointAddress) send messages SendAddress: …	Diagnostic	N
1401	UDP: endpoint Endpoint (sockaddr=EndpointAddress) send messages SendAddress: …	Diagnostic	N
1402	UDP: endpoint {Endpoint} too many packets queued for the pending join path.	Diagnostic	N
1403	UDP: address family AddressFamilyadded to interface InterfaceIndex.	Diagnostic	N
1404	UDP: address family AddressFamilyremoved from interface InterfaceIndex.	Diagnostic	N
1405	UDP: Failure initializing transport protocol, status = Status.	Diagnostic	N
1406	UDP: Failure starting NLNPI client, status = Status.	Diagnostic	N
1407	UDP: Failure initializing NSI support, status = Status.	Diagnostic	N
1408	UDP: Failure starting TLNPI provider, status = Status.	Diagnostic	N
1409	UDP: Failure initializing QoS support, status = Status.	Diagnostic	N
1410	UDP: Failure starting FailedQueueString, status = Status.	Diagnostic	N
1411	UDP: endpoint Endpoint (sockaddr=EndpointAddress) send messages SendAddress: …	Diagnostic	N
1412	UDP: endpoint Endpoint (sockaddr=EndpointAddress) send messages SendAddress: …	Diagnostic	N
1413	UDP: endpoint Endpoint (sockaddr=EndpointAddress) send messages SendAddress: …	Diagnostic	N
1414	UDP: endpoint Endpoint (sockaddr=EndpointAddress) send messages SendAddress: …	Diagnostic	N
1415	TCP: Early Retransmission, FACK or RACK, Connection = Tcb, SndUna = SndUna, …	Diagnostic	Y
1416	TCP: Ignoring fastopen SYN option due to limit on concurrent SYN_RCVD fastopen …	Diagnostic	N
1417	TCP: Failed to update fastopen key state, Location = Location, Status = Status.	Diagnostic	N
1418	TCP: Fast Retransmit Send, Connection = Tcb, BytesToSend = BytesToSend, SndNxt = …	Diagnostic	Y
1419	TCP: SACK Retransmit Send, Connection = Tcb, BytesToSend = BytesToSend, SndNxt = …	Diagnostic	Y
1420	TCP: Limited Transmit Send, Connection = Tcb, BytesToSend = BytesToSend, SndNxt …	Diagnostic	Y
1421	TCP: SACK Retransmit Additional Send, Connection = Tcb, BytesToSend = …	Diagnostic	Y
1422	IPTransportProtocol: PathDirectionmessage.	Diagnostic	Y
1423	IPTransportProtocol: PathDirectionpath drop.	Diagnostic	Y
1424	IPTransportProtocol: Echo timeout.	Diagnostic	N
1425	Component Timer state changed to CurrentState by Processor Processor Usage = …	Diagnostic	N
1426	TCP: connection Tcb send complete NumBytes bytes at SndNxt (Injected).	Diagnostic	Y
1427	IP: Compartment creation.	Diagnostic	N
1428	IP: Compartment deletion.	Diagnostic	N
1429	TCP: connection Tcb: Cumulative Ack event, SeqNo = SeqNo, BytesAcked = …	Diagnostic	Y
1430	TCP: connection Tcb: Duplicate ACK updated cwnd = Cwnd and updated ssthresh = …	Diagnostic	Y
1431	IP: Compartment cleanup.	Diagnostic	N
1432	IP: Interface network category state change.	Diagnostic	N
1433	IP: Interface creation.	Diagnostic	N
1434	IP: Interface deletion.	Diagnostic	N
1435	IP: Interface cleanup.	Diagnostic	N
1436	IP: SubInterface creation.	Diagnostic	N
1437	IP: SubInterface deletion.	Diagnostic	N
1438	IP: SubInterface cleanup.	Diagnostic	N
1439	IP: Interface change Notification.	Diagnostic	N
1440	IP: Interface internet connectivity status change.	Diagnostic	N
1441	IP: Address change notification.	Diagnostic	N
1442	IP: Route change notification.	Diagnostic	N
1443	IP: Neighbor change notification.	Diagnostic	N
1444	IP: Address DAD state change.	Diagnostic	N
1445	IP: Route Dead Gateway Detection state change.	Diagnostic	N
1446	IP: Disconnecting TCP connections with Address = Address, Interface = IfIndex, …	Diagnostic	N
1447	TCP: connection Tcb: Sending paced chunk of QuantizedAllowance bytes with CWnd = …	Diagnostic	N
1448	Fallback: Context = Fallback, Feature = Feature, TraceReason = Reason, …	Diagnostic	N
1449	TCPIP: TCB Tcb using fast loopback.	Diagnostic	N
1450	IP: Router information change notification.	Diagnostic	N
1451	IP: Event.	Diagnostic	N
1452	IP: Route rundown.	Diagnostic	Y
1453	TCP: CUBIC ECN event.	Diagnostic	N
1454	INETINSPECT: Owner = Owner, InspectHandle = InspectHandle, InspectType = …	Diagnostic	Y
1455	INETINSPECT: Owner = Owner, InspectHandle = InspectHandle, InspectType = …	Diagnostic	Y
1456	FallbackCheck: Ctx = Fallback, Feature = Feature, Failed = Failed, Succeeeded = …	Diagnostic	N
1457	FallbackUpdate: Ctx = Fallback, Feature = Feature, Failed = Failed, Succeeeded = …	Diagnostic	N
1458	Fallback: Permanently disabling feature, Ctx = Fallback, Feature = Feature, …	Diagnostic	N
1459	Fallback: Enabling feature for this boot session, Ctx = Fallback, Feature = …	Diagnostic	N
1460	Fallback: Feature previously disabled, Ctx = Fallback, Feature = Feature, …	Diagnostic	N
1461	TCP Fastopen fallback update: Tcb = Tcb, FastopenState = FastopenState, …	Diagnostic	N
1462	Disabling feature until connectivity is established: CompartmentId …	Diagnostic	N
1463	Disabling Feature for loopback connection.	Diagnostic	N
1464	Disabling TCP Fastopen for BaseEndpoint = BaseEndpoint because an incompatible …	Diagnostic	N
1465	IP: Setting source constraint for route lookup - Compartment: Compartment …	Diagnostic	Y
1466	WFP-ALE: RemoteEndPoint Insertion: (local=LocalAddress remote=RemoteAddress) …	Diagnostic	Y
1467	WFP-ALE: RemoteEndPoint Deletion: (local=LocalAddress remote=RemoteAddress) …	Diagnostic	Y
1468	TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) system abort.	Diagnostic	N
1469	Disabling Feature due to no next hop.	Diagnostic	N
1470	TCP: endpoint (sockaddr=LocalAddressLength) bind failed: wake status = …	Diagnostic	N
1471	UDP: endpoint Endpoint (sockaddr=LocalAddress) bind failed: wake status = …	Diagnostic	N
1472	Acquire wake port Port, type=AcquireType, family=AddressFamily, IF=Interface, …	Diagnostic	N
1473	TCP: Connection Tcb reached max SACK queue length.	Diagnostic	N
1474	TCP: Connection Tcb requested fast open.	Diagnostic	N
1475	TCP: CUBIC Hystart state change event.	Diagnostic	Y
1476	IP: Transmitting loopback Nbl Nbl.	Diagnostic	Y
1477	TCP: Connection Tcb Summary: DataBytesOut DataBytesOut DataBytesIn DataBytesIn …	Diagnostic	Y
1478	TCPIP: Framing layer PathDirection (AddressFamily=AddressFamily) dropped …	Diagnostic	N
1479	TCP: Connection Tcb Transport (Protocol IPTransportProtocol, AddressFamily = …	Diagnostic	Y
1480	TCP connection failed with Status = Status, Local = LocalSockAddr, Remote = …	Diagnostic	Y
1481	TCP: Connection Tcb PRR send SackIsLostSeq SackIsLostSeq SackInFlight …	Operational	N
1482	UDP: Endpoint Endpoint segment message.	Diagnostic	Y
1483	UDP: Endpoint Endpoint segmentation offload unavailable.	Diagnostic	N
1484	TCPIP: Framing layer interface IfIndex (AddressFamily = AddressFamily) failed to …	Diagnostic	N
1485	TCPIP: OID request from framing layer interface IfIndex (AddressFamily = …	Diagnostic	N
1486	TCPIP received a status indication on interface IfIndex.	Diagnostic	N
1487	IP: Failed to set socket option.	Diagnostic	Y
1488	IP: Failed to set socket IOCTL.	Diagnostic	N
1489	Failed to process multicast RequestType request.	Diagnostic	N
1490	Processed multicast RequestType request successfully.	Diagnostic	N
1491	MessageType.	Diagnostic	N
1492	MessageType.	Diagnostic	N
1493	Invalid ECN codepoints in reassembly.	Diagnostic	N
1494	Reassembly failure: packets do not add up correctly.	Diagnostic	N
1495	Reassembly failure: failed to restore IPSec packet history.	Diagnostic	N
1496	Could not transfer FragmentContextDirection.	Diagnostic	N
1497	Attempting to GroupChangeType the multicast group at FL.	Diagnostic	N
1498	Failed to update address list at FL.	Diagnostic	N
1499	Too many DAD failures, so will not create temporary address.	Diagnostic	N
1500	Failed to address interface; deleting it.	Diagnostic	N
1501	Failed to reach default gateway after reconnect; cleaning settings.	Diagnostic	N
1502	Failed to sync interface with registry.	Diagnostic	N
1503	Failed to Release an active reference on the interface.	Diagnostic	N
1504	Redirect path hijack for destination IPv4DestinationAddress IPv4NextHop from …	Diagnostic	N
1505	Redirect path rate limit for IPv6 source address IPv6Address.	Diagnostic	N
1506	Dropped AddressFamily fragment.	Diagnostic	N
1507	Reassembly timeout.	Diagnostic	N
1508	Invalid IP option.	Diagnostic	N
1509	Invalid IP hop-by-hop option.	Diagnostic	N
1510	Invalid IP hop-by-hop option.	Diagnostic	N
1511	Invalid IP routing header option.	Diagnostic	N
1512	Invalid IP routing header option.	Diagnostic	N
1513	This option cannot be specified by the user	Diagnostic	N
1514	TCP: interface IfIndex: received potential RSC status indication.	Diagnostic	N
1515	UDP: endpoint Endpoint: URO SCU received.	Diagnostic	N
1516	TCP software RSC global disabled mask = TcpRscDisabledMask, UDP software URO …	Diagnostic	Y
1517	UDP: Global parameters updated for Address Family AddressFamily: DisableUro = …	Diagnostic	N
1518	IP: IPSNPI client rundown.	Diagnostic	Y
1519	TCPIP: Process with PID=ProcessId, ProcessSeqNum=ProcessSequenceNumber acquired …	Diagnostic	N
1520	Illegal tunnel.	Diagnostic	N
1521	Framing: Interface change in progress.	Diagnostic	N
1522	Framing: Isolation is not supported on this network adapter.	Diagnostic	N
1523	Framing: Failed to set pattern.	Diagnostic	N
1524	Framing: Interface management request.	Diagnostic	Y
1525	Framing: WOL capabilities update in progress.	Diagnostic	N
1526	Framing: A PNP event has been indicated.	Diagnostic	N
1527	Framing: interface rundown: Interface = IfIndex, Luid = IfLuid, Address family = …	Diagnostic	Y
1528	RAW: endpoint Endpoint (Proto = IPTransportProtocol, LocalAddress = …	Diagnostic	N
1529	RAW: endpoint Endpoint (Proto = IPTransportProtocol, LocalAddress = …	Diagnostic	N
1530	RAW: endpoint Endpoint (Proto = IPTransportProtocol, LocalAddress = …	Diagnostic	N
1531	RAW: endpoint Endpoint (Family = AddressFamily, Proto = IPTransportProtocol, …	Diagnostic	N
1532	RAW: endpoint (Family = AddressFamily, Proto = IPTransportProtocol, Compartment …	Diagnostic	N
1533	RAW: endpoint Endpoint (Proto = IPTransportProtocol, LocalAddress = …	Diagnostic	N
1534	RAW: endpoint Endpoint (Proto = IPTransportProtocol, LocalAddress = …	Diagnostic	N
1535	RAW: endpoint Endpoint closed.	Diagnostic	N
1536	TCPIP: Error processing router advertisement on interface index IfIndex - …	Diagnostic	N
1537	TCPIP: Error processing router advertisement on interface index IfIndex - Prefix …	Diagnostic	N
1538	TCPIP: An ARP request was dropped on interface IfIndex.	Diagnostic	N
1539	TCPIP: An ARP reply was dropped on interface IfIndex.	Diagnostic	N
1540	TCPIP: No handler found for an AddressFamily packet with upper layer protocol …	Diagnostic	N
1541	TCPIP: Handler for upper layer protocol IPTransportProtocol for an AddressFamily …	Diagnostic	Y
1542	IP: neighbor rundown: Interface = IfIndex, Compartment = CompartmentId, …	Diagnostic	Y
1543	TCPIP: An ARP request was dropped on interface IfIndex.	Diagnostic	N
1544	Endpoint Endpoint socket option set with level Level, name Name, value Value.	Diagnostic	Y
1545	TCP: connection = Tcb RACK timeout expired.	Diagnostic	N
1546	TCP: connection = Tcb armed RACK timer.	Diagnostic	Y
1547	TCP: connection = Tcb received a SACK block.	Diagnostic	Y
1548	TCP: connection = Tcb received a SACK.	Diagnostic	Y
1549	TCP: connection = Tcb enabled send tracker.	Diagnostic	Y
1550	TCP: connection = Tcb send tracker acked a transmit.	Diagnostic	Y
1551	TCP: connection = Tcb send tracker enqueued a transmit.	Diagnostic	Y
1552	TCP: connection = Tcb send tracker marked a transmit as lost.	Diagnostic	Y
1553	TCP: accept redirection: original listener = OriginalListener, redirected …	Diagnostic	Y
1554	TCP: connection = Tcb dropped a SACK block due to SACK limit reached.	Diagnostic	N
1555	TCP: connection Tcb terminated by NSI.	Diagnostic	N
1556	TCP: connection = Tcb rate-based pacing timeout expired.	Diagnostic	N
1557	TCP RLedbat connection = Tcb.	Diagnostic	N
1558	UDP: endpoint Endpoint rebind initiated: current address = CurrentLocalAddress, …	Diagnostic	N
1559	UDP: endpoint Endpoint rebind failed: current address = CurrentLocalAddress, …	Diagnostic	N
1560	TCP: endpoint Endpoint rebind initiated: current address = CurrentLocalAddress, …	Diagnostic	N
1561	TCP: endpoint Endpoint rebind failed: current address = CurrentLocalAddress, …	Diagnostic	N
1562	TCP: endpoint (PID=ProcessId ProcessSeqNum=ProcessStartKey) create failed: …	Diagnostic	N
1563	UDP: endpoint (PID=ProcessId ProcessSeqNum=ProcessStartKey) create failed: …	Diagnostic	N
1564	TCP: connection Tcb (local=LocalAddress remote=RemoteAddress PID=ProcessId …	Diagnostic	N
1565	TCP: Congestion state changed for connection = Tcb from OldState = OldState to …	Diagnostic	N
1566	TCP: connection = Tcb detected reordering.	Diagnostic	N
1577	TCP: connection = Tcb updated reownd.	Diagnostic	N
1578	IP: Injecting NBL Nbl on send path.	Diagnostic	N
1579	IP: Injecting NBL Nbl on raw send path.	Diagnostic	N
1580	IP: Injecting NBL Nbl on receive path.	Diagnostic	N
1581	IP: Injecting NBL Nbl on forward path.	Diagnostic	N
1582	IP: Indication filtered because destination interface IfIndex is not contained …	Diagnostic	N
1583	BBR2: TCB Tcb bbr_bw bbr_bw min_rtt_us min_rtt_us mode mode cycle_idx cycle_idx …	Diagnostic	N
1584	TCP: connection = Tcb send tracker marked a transmit as rexmit.	Diagnostic	N
1585	TCP: connection = Tcb send tracker update RACK info.	Diagnostic	Y
1586	IP: Prefix sharing now PrefixSharing on Interface = Interface, Compartment = …	Diagnostic	N
1587	TCP: connection Tcb received a careful ACK.	Diagnostic	N
1588	IP: Forwarding tag on Interface = Interface, Compartment = CompartmentId, Family …	Diagnostic	N
1589	TCP: AF AddressFamily, RssEnabled = RssEnabled .	Diagnostic	Y
1590	TCP: connection = Tcb send completion failed.	Diagnostic	N
1591	TCPIP: Alloc hooks setup: Status = Status.	Diagnostic	N
1592	IP: Neighbor with IpAddress = IPAddress DlAddress = DLAddress on Interface = …	Diagnostic	N
1593	TCP: Global timer fired, Processor = Processor, Tick = Tick.	Diagnostic	N
1594	TCP: Global timer armed, NextToExpire = NextToExpire, Period = Period.	Diagnostic	N
1595	TCP: Global timer cancelled	Diagnostic	N
1596	TCP: Updating Fastopen Key	Diagnostic	N
1597	TCP: paused receive buffer growth for high memory usage, AF = AddressFamily, TCB …	Diagnostic	N
1598	IP: Autoconfigured address creation failed due to autoconfiguration limit, …	Diagnostic	N
1599	IP: Autoconfigured route creation failed due to autoconfiguration limit, …	Diagnostic	N
1600	IP: Policy based routing failed - Compartment: Compartment DstAddr: …	Diagnostic	N
1601	TCP: connection Tcb in NewState received NBL NBL in FastPath = FastPath Seq = …	Diagnostic	Y
1602	TCP: connection Tcb process fast RX batch SegmentCount = SegmentCount NumBytes = …	Diagnostic	Y
1603	TCP: connection Tcb in State Injected disconnect DataLength=DataLength.	Diagnostic	N
1604	NDKPI Disconnect Event CallbackEx: DisconnectEventContext DisconnectEventContext …	Diagnostic	N
1605	NDKPI AcceptEx: RequestContext RequestContext Connector NdkConnector QP NdkQp …	Diagnostic	N
1606	NDKPI CompleteConnectEx: RequestContext RequestContext Connector NdkConnector …	Diagnostic	N
1607	NDKPI Open Adapter Version Override: IF_INDEX IF_INDEX …	Diagnostic	N
1608	Fl Reload Registry Config: Override Status: OverrideStatus …	Diagnostic	N
1609	NDKPI Open Adapter: Unexpected version returned by provider, IF_INDEX IF_INDEX …	Diagnostic	N
1610	TCPIP: Disconnected Standby traffic.	Diagnostic	N
1611	TCPIP: Disconnected Standby (DS) transition detected.	Diagnostic	N
1612	ResetResolve API call: ProcessName API.	Diagnostic	N
1613	USO global disabled mask = UdpUsoDisabledMask.	Operational	Y
1614	Framing: SW URO SwUroEnabled, HW URO HwUroEnabled.	Diagnostic	N
1615	Tcpip Power Policy set to: PowerPolicy.	Diagnostic	N
1616	Router Solicitation sent.	Diagnostic	N
1617	Router Solicitation requested on dormant interface.	Diagnostic	N
1618	IP: Route lifetime refresh.	Diagnostic	Y
1619	IP: Constraint computation (unused) - Source address PreferredSourceIPAddress is …	Diagnostic	N
1620	WFP-ALE: RemoteEndPoint Cleanup: (local=LocalAddress remote=RemoteAddress) …	Diagnostic	Y
1621	FL: Virtual interface creation.	Diagnostic	N
1622	FL: Virtual interface deletion.	Diagnostic	N
1623	Tcpip Power Policy Standby-to-Full-Power transition detected.	Diagnostic	N
1624	TCP: connection Tcb: flow label refreshed, old = OldFlowLabel new = …	Diagnostic	N
1625	TCP: Connection Tcb send idle triggered.	Diagnostic	Y
1626	TCP: connection Tcb: bytes limited by sender = SenderLimitedBytes receiver = …	Diagnostic	Y
1627	UDP: ChangeReason scheduled HW URO to be NewUroState on interface IfLuid.	Diagnostic	N
1628	UDP: ChangeReason NewUroState HW URO on interface IfLuid.	Diagnostic	N
1629	FL: FLSNPI client attach.	Diagnostic	N
1630	FL: FLSNPI client detach.	Diagnostic	N
1631	FL: FLSNPI client interface attach.	Diagnostic	N
1632	FL: FLSNPI client interface detach.	Diagnostic	N
1633	FL: FLSNPI datapath failure.	Diagnostic	N
1634	FL: FLSNPI client silent drop.	Diagnostic	N
1635	FL: FLSNPI indication stats.	Diagnostic	N
1636	TCPIP: Current Power Policy : PowerPolicy.	Diagnostic	Y
1637	TCP: connection Tcb send acked NumBytes bytes starting from SndNxt ActivityID = …	Diagnostic	Y
1638	IP: Event.	Diagnostic	N
1638	IP:	Operational	N
1639	IP: Destination cache invalidated.	Diagnostic	N
1639	IP: Destination cache invalidated	Operational	N
1640	FL: Virtual interface set failed.	Diagnostic	N
1640	FL: Virtual interface set failed	Operational	N
1641	FL: Virtual interface get failed.	Diagnostic	N
1641	FL: Virtual interface get failed	Operational	N
1642	IP: Received Prefix Option in Router Advertisement.	Diagnostic	N
1642	IP: Received Prefix Option in Router Advertisement	Operational	N

Event ID 1001: TCP: endpoint Endpoint (Family=AddressFamily, PID=Pid) created with status = Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpEndpointCreation

Description

TCP: endpoint Endpoint (Family=AddressFamily, PID=Pid) created with status = Status.

Message #

TCP: endpoint %2 (Family=%3, PID=%4) created with status = %1.

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference
`Endpoint` Pointer
`AddressFamily` UInt32
`Pid` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1001",
    "version": "0",
    "level": "4",
    "task": "1001",
    "opcode": "0",
    "keywords": 9223372036854776832,
    "time_created": "2026-03-16T00:21:40.064345500+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{15f74b50-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "3688",
      "thread_id": "7552"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Status": "0x0",
    "Endpoint": "0xFFFF980A15F74B50",
    "AddressFamily": "      23",
    "Pid": "    3688"
  },
  "message": ""
}

Event ID 1002: TCP: Tcb Tcb (local=LocalAddress remote=RemoteAddress) requested to connect.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpRequestConnect

Description

TCP: Tcb Tcb (local=LocalAddress remote=RemoteAddress) requested to connect.

Message #

TCP: Tcb %1 (local=%3 remote=%5) requested to connect.

Fields #

Name	Description
`Tcb` Pointer
`LocalAddressLength` UInt32
`LocalAddress` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary
`NewState` UInt32
`RexmitCount` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1002",
    "version": "0",
    "level": "4",
    "task": "1002",
    "opcode": "0",
    "keywords": 9223372054034646144,
    "time_created": "2026-03-16T00:21:40.119471500+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{15ce6ae0-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "3688",
      "thread_id": "12888"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A15CE6AE0",
    "LocalAddressLength": "      16",
    "LocalAddress": "10.2.10.21:52999",
    "RemoteAddressLength": "      16",
    "RemoteAddress": "13.89.179.13:443",
    "NewState": "       0",
    "RexmitCount": "       0"
  },
  "message": ""
}

Event ID 1003: TCP: Inspect Connect has been completed on Tcb Tcb with status = Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpInspectConnectComplete

Description

TCP: Inspect Connect has been completed on Tcb Tcb with status = Status.

Message #

TCP: Inspect Connect has been completed on Tcb %1 with status = %2.

Fields #

Name	Description
`Tcb` Pointer
`Status` UInt32	NTSTATUS reference
`AddressFamily` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1003",
    "version": "0",
    "level": "4",
    "task": "1003",
    "opcode": "0",
    "keywords": 9223372054034646144,
    "time_created": "2026-03-16T00:21:40.119557300+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{15ce6ae0-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "3688",
      "thread_id": "12888"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A15CE6AE0",
    "Status": "0x0",
    "AddressFamily": "       0"
  },
  "message": ""
}

Event ID 1004: TCP: Tcb Tcb is going to output SYN with ISN = ISN, RcvWnd = RcvWnd, RcvWndScale = RcvWndScale.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpTcbSynSend

Description

TCP: Tcb Tcb is going to output SYN with ISN = ISN, RcvWnd = RcvWnd, RcvWndScale = RcvWndScale.

Message #

TCP: Tcb %1 is going to output SYN with ISN = %2, RcvWnd = %3, RcvWndScale = %4.

Fields #

Name	Description
`Tcb` Pointer
`ISN` UInt32
`RcvWnd` UInt32
`RcvWndScale` UInt8

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1004",
    "version": "0",
    "level": "4",
    "task": "1004",
    "opcode": "0",
    "keywords": 9223372058329612416,
    "time_created": "2026-03-16T00:21:40.119603700+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{15ce6ae0-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "3688",
      "thread_id": "12888"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A15CE6AE0",
    "ISN": "155000287",
    "RcvWnd": "   64240",
    "RcvWndScale": "8"
  },
  "message": ""
}

Event ID 1005: TCP: endpoint bind failed: address LocalAddressLength cannot be resolved (LocalAddress).

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpBindEndpointResolutionFailure

Description

TCP: endpoint bind failed: address LocalAddressLength cannot be resolved (LocalAddress).

Message #

TCP: endpoint bind failed: address %2 cannot be resolved (%3).

Fields #

Name	Description
`Endpoint` Pointer
`LocalAddressLength` UInt32
`LocalAddress` Binary
`Status` UInt32	NTSTATUS reference

Event ID 1006: TCP: endpoint (sockaddr=LocalAddressLength) bind failed: port-acquisition status = LocalAddress.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpBindEndpointPortFailure

Description

TCP: endpoint (sockaddr=LocalAddressLength) bind failed: port-acquisition status = LocalAddress.

Message #

TCP: endpoint (sockaddr=%2) bind failed: port-acquisition status = %3.

Fields #

Name	Description
`Endpoint` Pointer
`LocalAddressLength` UInt32
`LocalAddress` Binary
`Status` UInt32	NTSTATUS reference

Event ID 1007: TCP: endpoint (sockaddr=LocalAddressLength) bind failed: inspection status = LocalAddress.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpBindEndpointInspectionFailure

Description

TCP: endpoint (sockaddr=LocalAddressLength) bind failed: inspection status = LocalAddress.

Message #

TCP: endpoint (sockaddr=%2) bind failed: inspection status = %3.

Fields #

Name	Description
`Endpoint` Pointer
`LocalAddressLength` UInt32
`LocalAddress` Binary
`Status` UInt32	NTSTATUS reference

Event ID 1008: TCP: endpoint (sockaddr=LocalAddressLength) bound.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpBindEndpointComplete

Description

TCP: endpoint (sockaddr=LocalAddressLength) bound.

Message #

TCP: endpoint (sockaddr=%2) bound.

Fields #

Name	Description
`Endpoint` Pointer
`LocalAddressLength` UInt32
`LocalAddress` Binary
`Status` UInt32	NTSTATUS reference

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1008",
    "version": "1",
    "level": "4",
    "task": "1008",
    "opcode": "0",
    "keywords": 9223372036854776841,
    "time_created": "2026-03-16T00:21:40.119123100+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{0da8a910-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "3688",
      "thread_id": "12888"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Endpoint": "0xFFFF980A0DA8A910",
    "LocalAddressLength": "      16",
    "LocalAddress": "0.0.0.0:52999",
    "Status": "0x0"
  },
  "message": ""
}

Event ID 1009: TCP: endpoint (sockaddr=LocalAddressLength) closed.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: Informational
Task: TcpCloseEndpoint

Description

TCP: endpoint (sockaddr=LocalAddressLength) closed.

Message #

TCP: endpoint (sockaddr=%2) closed.

Fields #

Name	Description
`Endpoint` Pointer
`LocalAddressLength` UInt32
`LocalAddress` Binary
`Status` UInt32	NTSTATUS reference

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1009",
    "version": "1",
    "level": "4",
    "task": "1009",
    "opcode": "0",
    "keywords": 9223372105574253569,
    "time_created": "2026-03-16T00:21:40.064514900+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{15f74b50-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "3688",
      "thread_id": "7552"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Endpoint": "0xFFFF980A15F74B50",
    "LocalAddressLength": "      28",
    "LocalAddress": "::",
    "Status": "0x0"
  },
  "message": ""
}

Event ID 1010: TCP: endpoint (Family=AddressFamily PID=ProcessId) create failed: address family not attached.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpCreateEndpointAfFailure

Description

TCP: endpoint (Family=AddressFamily PID=ProcessId) create failed: address family not attached.

Message #

TCP: endpoint (Family=%6 PID=%4) create failed: address family not attached.

Fields #

Name	Description
`LocalAddressLength` UInt32
`LocalAddress` Binary
`Status` UInt32	NTSTATUS reference
`ProcessId` UInt32
`CompartmentId` UInt32
`AddressFamily` UInt32
`ProcessStartKey` UInt64

Event ID 1011: TCP: endpoint (Family=AddressFamily PID=ProcessId) create failed: compartment CompartmentId not found.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpCreateEndpointCompartmentFailure

Description

TCP: endpoint (Family=AddressFamily PID=ProcessId) create failed: compartment CompartmentId not found.

Message #

TCP: endpoint (Family=%6 PID=%4) create failed: compartment %5 not found.

Fields #

Name	Description
`LocalAddressLength` UInt32
`LocalAddress` Binary
`Status` UInt32	NTSTATUS reference
`ProcessId` UInt32
`CompartmentId` UInt32
`AddressFamily` UInt32
`ProcessStartKey` UInt64

Event ID 1012: TCP: endpoint (Family=AddressFamily PID=ProcessId) create failed: inspection status Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpCreateEndpointInspectionFailure

Description

TCP: endpoint (Family=AddressFamily PID=ProcessId) create failed: inspection status Status.

Message #

TCP: endpoint (Family=%6 PID=%4) create failed: inspection status %3.

Fields #

Name	Description
`LocalAddressLength` UInt32
`LocalAddress` Binary
`Status` UInt32	NTSTATUS reference
`ProcessId` UInt32
`CompartmentId` UInt32
`AddressFamily` UInt32
`ProcessStartKey` UInt64

Event ID 1013: TCP: endpoint (Family=CompartmentId PID=Status) created.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpCreateEndpointComplete

Description

TCP: endpoint (Family=CompartmentId PID=Status) created.

Message #

TCP: endpoint (Family=%6 PID=%4) created.

Fields #

Name	Description
`Endpoint` Pointer
`LocalAddressLength` UInt32
`LocalAddress` Binary
`Status` UInt32	NTSTATUS reference
`ProcessId` UInt32
`CompartmentId` UInt32
`AddressFamily` UInt32
`ProcessStartKey` UInt64

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1013",
    "version": "2",
    "level": "4",
    "task": "1013",
    "opcode": "0",
    "keywords": 9223372036854776833,
    "time_created": "2026-03-16T00:21:40.064333400+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{15f74b50-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "3688",
      "thread_id": "7552"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Endpoint": "0xFFFF980A15F74B50",
    "LocalAddressLength": "       0",
    "LocalAddress": "",
    "Status": "0x0",
    "ProcessId": "    3688",
    "CompartmentId": "       1",
    "AddressFamily": "      23",
    "ProcessStartKey": "2814749767106643"
  },
  "message": ""
}

Event ID 1014: TCP: listener (local=LocalAddress remote=RemoteAddress) accept failed: Route lookup status = Status, TCB = Tcb.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpAccpetListenerRouteLookupFailure

Description

TCP: listener (local=LocalAddress remote=RemoteAddress) accept failed: Route lookup status = Status, TCB = Tcb.

Message #

TCP: listener (local=%2 remote=%4) accept failed: Route lookup status = %5, TCB = %8.

Fields #

Name	Description
`LocalAddressLength` UInt32
`LocalAddress` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary
`Status` UInt32	NTSTATUS reference
`ProcessId` UInt32
`Compartment` UInt32
`Tcb` Pointer
`ProcessStartKey` UInt64

Event ID 1015: TCP: listener (local=LocalAddress remote=RemoteAddress) accept failed: connection insertion.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpAcceptListenerInsertionFailure

Description

TCP: listener (local=LocalAddress remote=RemoteAddress) accept failed: connection insertion. Duplicate TCB = Tcb.

Message #

TCP: listener (local=%3 remote=%5) accept failed: connection insertion. Duplicate TCB = %1.

Fields #

Name	Description
`Tcb` Pointer
`LocalAddressLength` UInt32
`LocalAddress` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary
`NewState` UInt32
`RexmitCount` UInt32

Event ID 1016: TCP: listener (local=LocalAddress remote=RemoteAddress) accept failed: client rejection status = Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpAcceptListenerRejected

Description

TCP: listener (local=LocalAddress remote=RemoteAddress) accept failed: client rejection status = Status.

Message #

TCP: listener (local=%2 remote=%4) accept failed: client rejection status = %5.

Fields #

Name	Description
`LocalAddressLength` UInt32
`LocalAddress` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary
`Status` UInt32	NTSTATUS reference
`ProcessId` UInt32
`Compartment` UInt32
`Tcb` Pointer
`ProcessStartKey` UInt64

Event ID 1017: TCP: listener (local=LocalAddress remote=RemoteAddress) accept completed.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpAcceptListenerComplete

Description

TCP: listener (local=LocalAddress remote=RemoteAddress) accept completed. TCB = Tcb. PID = ProcessId.

Message #

TCP: listener (local=%2 remote=%4) accept completed. TCB = %8. PID = %6.

Fields #

Name	Description
`LocalAddressLength` UInt32
`LocalAddress` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary
`Status` UInt32	NTSTATUS reference
`ProcessId` UInt32
`Compartment` UInt32
`Tcb` Pointer
`ProcessStartKey` UInt64

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1017",
    "version": "1",
    "level": "4",
    "task": "1017",
    "opcode": "0",
    "keywords": 9223372054034646150,
    "time_created": "2026-03-16T00:21:38.720229400+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{0eee7560-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "LocalAddressLength": "      28",
    "LocalAddress": "[::ffff:10.2.10.21]:5985",
    "RemoteAddressLength": "      28",
    "RemoteAddress": "[::ffff:10.2.10.11]:51201",
    "Status": "0x0",
    "ProcessId": "       4",
    "Compartment": "       0",
    "Tcb": "0xFFFF980A0EEE7560",
    "ProcessStartKey": "2814749767106561"
  },
  "message": ""
}

Event ID 1018: TCP: connection Tcb (local=LocalAddress remote=RemoteAddress PID=ProcessId) connect failed: address family not attached.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpConnectTcbFailedAf

Description

TCP: connection Tcb (local=LocalAddress remote=RemoteAddress PID=ProcessId) connect failed: address family not attached.

Message #

TCP: connection %8 (local=%2 remote=%4 PID=%6) connect failed: address family not attached.

Fields #

Name	Description
`LocalAddressLength` UInt32
`LocalAddress` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary
`Status` UInt32	NTSTATUS reference
`ProcessId` UInt32
`Compartment` UInt32
`Tcb` Pointer
`ProcessStartKey` UInt64

Event ID 1019: TCP: connection Tcb (local=LocalAddress remote=RemoteAddress PID=ProcessId) connect failed: compartment Compartment not found.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpConnectTcbFailedCompartment

Description

TCP: connection Tcb (local=LocalAddress remote=RemoteAddress PID=ProcessId) connect failed: compartment Compartment not found.

Message #

TCP: connection %8 (local=%2 remote=%4 PID=%6) connect failed: compartment %7 not found.

Fields #

Name	Description
`LocalAddressLength` UInt32
`LocalAddress` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary
`Status` UInt32	NTSTATUS reference
`ProcessId` UInt32
`Compartment` UInt32
`Tcb` Pointer
`ProcessStartKey` UInt64

Event ID 1020: TCP: connection Tcb (local=LocalAddress remote=RemoteAddress PID=ProcessId) connect failed: inspection status = Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpConnectTcbFailedInspect

Description

TCP: connection Tcb (local=LocalAddress remote=RemoteAddress PID=ProcessId) connect failed: inspection status = Status.

Message #

TCP: connection %8 (local=%2 remote=%4 PID=%6) connect failed: inspection status = %5.

Fields #

Name	Description
`LocalAddressLength` UInt32
`LocalAddress` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary
`Status` UInt32	NTSTATUS reference
`ProcessId` UInt32
`Compartment` UInt32
`Tcb` Pointer
`ProcessStartKey` UInt64

Event ID 1021: TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connect failed: route lookup status = Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpConnectTcbFailedRoute

Description

TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connect failed: route lookup status = Status.

Message #

TCP: connection %8 (local=%2 remote=%4) connect failed: route lookup status = %5.

Fields #

Name	Description
`LocalAddressLength` UInt32
`LocalAddress` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary
`Status` UInt32	NTSTATUS reference
`ProcessId` UInt32
`Compartment` UInt32
`Tcb` Pointer
`ProcessStartKey` UInt64

Event ID 1022: TCP: Bypass rate limiting since flag is set on path Path (local=LocalAddress remote=RemoteAddress).

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpConnectTcbSkipRateLimit

Description

TCP: Bypass rate limiting since flag is set on path Path (local=LocalAddress remote=RemoteAddress).

Message #

TCP: Bypass rate limiting since flag is set on path %5 (local=%2 remote=%4)

Fields #

Name	Description
`LocalAddressLength` UInt32
`LocalAddress` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary
`Path` Pointer

Event ID 1023: TCP: Charge rate limiting quota and set rate limiting flag for path Path (local=LocalAddress remote=RemoteAddress).

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpConnectTcbPassRateLimit

Description

TCP: Charge rate limiting quota and set rate limiting flag for path Path (local=LocalAddress remote=RemoteAddress).

Message #

TCP: Charge rate limiting quota and set rate limiting flag for path %5 (local=%2 remote=%4)

Fields #

Name	Description
`LocalAddressLength` UInt32
`LocalAddress` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary
`Path` Pointer

Event ID 1024: TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) deferred.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpConnectTcbCheckRateLimit

Description

TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) deferred.

Message #

TCP: connection %8 (local=%2 remote=%4) deferred.

Fields #

Name	Description
`LocalAddressLength` UInt32
`LocalAddress` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary
`Status` UInt32	NTSTATUS reference
`ProcessId` UInt32
`Compartment` UInt32
`Tcb` Pointer
`ProcessStartKey` UInt64

Event ID 1025: TCP: ConnectionRateLimitDepth rate-limiting paths ConnectionRateLimitBacklog backlogged connections.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpSecurityRateLimit

Description

TCP: ConnectionRateLimitDepth rate-limiting paths ConnectionRateLimitBacklog backlogged connections.

Message #

TCP: %6 rate-limiting paths %3 backlogged connections.

Fields #

Name	Description
`SynAttacksDetected` UInt32
`ReassemblyLimitViolations` UInt32
`ConnectionRateLimitBacklog` UInt32
`ConnectionRateLimitViolations` UInt32
`LandAttackSegmentsDropped` UInt32
`ConnectionRateLimitDepth` UInt32

Event ID 1026: TCP: Release and set rate limiting flag on path Path (local=LocalAddress remote=RemoteAddress).

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpRateLimitPathRelease

Description

TCP: Release and set rate limiting flag on path Path (local=LocalAddress remote=RemoteAddress).

Message #

TCP: Release and set rate limiting flag on path %5 (local=%2 remote=%4)

Fields #

Name	Description
`LocalAddressLength` UInt32
`LocalAddress` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary
`Path` Pointer

Event ID 1027: TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) released.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpConnectTcbRateLimitRelease

Description

TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) released.

Message #

TCP: connection %8 (local=%2 remote=%4) released.

Fields #

Name	Description
`LocalAddressLength` UInt32
`LocalAddress` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary
`Status` UInt32	NTSTATUS reference
`ProcessId` UInt32
`Compartment` UInt32
`Tcb` Pointer
`ProcessStartKey` UInt64

Event ID 1028: TCP: Clear rate limiting flag on path Path (local=LocalAddress remote=RemoteAddress) since connection is cancelled.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpRateLimitPathCancel

Description

TCP: Clear rate limiting flag on path Path (local=LocalAddress remote=RemoteAddress) since connection is cancelled.

Message #

TCP: Clear rate limiting flag on path %5 (local=%2 remote=%4) since connection is cancelled.

Fields #

Name	Description
`LocalAddressLength` UInt32
`LocalAddress` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary
`Path` Pointer

Event ID 1029: TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connect failed: connection cancelled.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpConnectTcbCancel

Description

TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connect failed: connection cancelled.

Message #

TCP: connection %8 (local=%2 remote=%4) connect failed: connection cancelled.

Fields #

Name	Description
`LocalAddressLength` UInt32
`LocalAddress` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary
`Status` UInt32	NTSTATUS reference
`ProcessId` UInt32
`Compartment` UInt32
`Tcb` Pointer
`ProcessStartKey` UInt64

Event ID 1030: TCP: connection (local=LocalAddressLength remote=RemoteAddressLength) connect failed: connection insertion status = RemoteAddress.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpConnectTcbFailInsertion

Description

TCP: connection (local=LocalAddressLength remote=RemoteAddressLength) connect failed: connection insertion status = RemoteAddress.

Message #

TCP: connection (local=%2 remote=%4) connect failed: connection insertion status = %5.

Fields #

Name	Description
`Tcb` Pointer
`LocalAddressLength` UInt32
`LocalAddress` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary
`NewState` UInt32
`RexmitCount` UInt32

Event ID 1031: TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connect proceeding.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpConnectTcbProceeding

Description

TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connect proceeding.

Message #

TCP: connection %8 (local=%2 remote=%4) connect proceeding.

Fields #

Name	Description
`LocalAddressLength` UInt32
`LocalAddress` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary
`Status` UInt32	NTSTATUS reference
`ProcessId` UInt32
`Compartment` UInt32
`Tcb` Pointer
`ProcessStartKey` UInt64

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1031",
    "version": "1",
    "level": "4",
    "task": "1031",
    "opcode": "0",
    "keywords": 9223372054034646148,
    "time_created": "2026-03-16T00:21:40.119618200+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{15ce6ae0-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "3688",
      "thread_id": "12888"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "LocalAddressLength": "      16",
    "LocalAddress": "10.2.10.21:52999",
    "RemoteAddressLength": "      16",
    "RemoteAddress": "13.89.179.13:443",
    "Status": "0x0",
    "ProcessId": "       0",
    "Compartment": "       0",
    "Tcb": "0xFFFF980A15CE6AE0",
    "ProcessStartKey": "0"
  },
  "message": ""
}

Event ID 1032: TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) released due to cancel.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpConnectTcbRateLimitCancel

Description

TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) released due to cancel.

Message #

TCP: connection %8 (local=%2 remote=%4) released due to cancel.

Fields #

Name	Description
`LocalAddressLength` UInt32
`LocalAddress` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary
`Status` UInt32	NTSTATUS reference
`ProcessId` UInt32
`Compartment` UInt32
`Tcb` Pointer
`ProcessStartKey` UInt64

Event ID 1033: TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connect completed.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpConnectTcbComplete

Description

TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connect completed. PID = ProcessId.

Message #

TCP: connection %8 (local=%2 remote=%4) connect completed. PID = %6.

Fields #

Name	Description
`LocalAddressLength` UInt32
`LocalAddress` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary
`Status` UInt32	NTSTATUS reference
`ProcessId` UInt32
`Compartment` UInt32
`Tcb` Pointer
`ProcessStartKey` UInt64

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1033",
    "version": "1",
    "level": "4",
    "task": "1033",
    "opcode": "0",
    "keywords": 9223372054034646148,
    "time_created": "2026-03-16T00:21:40.246461800+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{15ce6ae0-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "LocalAddressLength": "      16",
    "LocalAddress": "10.2.10.21:52999",
    "RemoteAddressLength": "      16",
    "RemoteAddress": "13.89.179.13:443",
    "Status": "0x0",
    "ProcessId": "    3688",
    "Compartment": "       0",
    "Tcb": "0xFFFF980A15CE6AE0",
    "ProcessStartKey": "2814749767106643"
  },
  "message": ""
}

Event ID 1034: TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connect attempt failed with status = Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Error
Task: TcpConnectTcbFailure

Description

TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connect attempt failed with status = Status.

Message #

TCP: connection %8 (local=%2 remote=%4) connect attempt failed with status = %5.

Fields #

Name	Description
`LocalAddressLength` UInt32
`LocalAddress` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary
`Status` UInt32	NTSTATUS reference
`ProcessId` UInt32
`Compartment` UInt32
`Tcb` Pointer
`ProcessStartKey` UInt64

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1034",
    "version": "1",
    "level": "2",
    "task": "1034",
    "opcode": "0",
    "keywords": 9223372054034646148,
    "time_created": "2026-03-15T23:27:04.870761200+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{009c52a0-d780-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "3912",
      "thread_id": "13412"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "LocalAddressLength": "      28",
    "LocalAddress": "[::1]:51202",
    "RemoteAddressLength": "      28",
    "RemoteAddress": "[::1]:389",
    "Status": "0xC0000120",
    "ProcessId": "    3912",
    "Compartment": "       0",
    "Tcb": "0xFFFFD780009C52A0",
    "ProcessStartKey": "3940649673949252"
  },
  "message": ""
}

Event ID 1035: TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connect failed: connect-complete inspect status = Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpConnectTcbFailInspectConnectComplete

Description

TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connect failed: connect-complete inspect status = Status.

Message #

TCP: connection %8 (local=%2 remote=%4) connect failed: connect-complete inspect status = %5.

Fields #

Name	Description
`LocalAddressLength` UInt32
`LocalAddress` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary
`Status` UInt32	NTSTATUS reference
`ProcessId` UInt32
`Compartment` UInt32
`Tcb` Pointer
`ProcessStartKey` UInt64

Event ID 1036: TCP: ApplySynOptions, failed to create session state with status = Status, TCB = Tcb.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpConnectTcbFailSessionState

Description

TCP: ApplySynOptions, failed to create session state with status = Status, TCB = Tcb.

Message #

TCP: ApplySynOptions, failed to create session state with status = %5, TCB = %8.

Fields #

Name	Description
`LocalAddressLength` UInt32
`LocalAddress` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary
`Status` UInt32	NTSTATUS reference
`ProcessId` UInt32
`Compartment` UInt32
`Tcb` Pointer
`ProcessStartKey` UInt64

Event ID 1037: TCP: ApplySynOptions, failed to update DF with status = Status, TCB = Tcb.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpConnectTcbFailDontFragment

Description

TCP: ApplySynOptions, failed to update DF with status = Status, TCB = Tcb.

Message #

TCP: ApplySynOptions, failed to update DF with status = %5, TCB = %8.

Fields #

Name	Description
`LocalAddressLength` UInt32
`LocalAddress` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary
`Status` UInt32	NTSTATUS reference
`ProcessId` UInt32
`Compartment` UInt32
`Tcb` Pointer
`ProcessStartKey` UInt64

Event ID 1038: TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) close issued.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: Informational
Task: TcpCloseTcbRequest

Description

TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) close issued.

Message #

TCP: connection %8 (local=%2 remote=%4) close issued.

Fields #

Name	Description
`LocalAddressLength` UInt32
`LocalAddress` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary
`Status` UInt32	NTSTATUS reference
`ProcessId` UInt32
`Compartment` UInt32
`Tcb` Pointer
`ProcessStartKey` UInt64

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1038",
    "version": "1",
    "level": "4",
    "task": "1038",
    "opcode": "0",
    "keywords": 9223372105574253572,
    "time_created": "2026-03-16T00:21:38.733239500+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{0eee7560-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "4",
      "thread_id": "7444"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "LocalAddressLength": "      28",
    "LocalAddress": "[::ffff:10.2.10.21]:5985",
    "RemoteAddressLength": "      28",
    "RemoteAddress": "[::ffff:10.2.10.11]:51201",
    "Status": "0x0",
    "ProcessId": "       0",
    "Compartment": "       0",
    "Tcb": "0xFFFF980A0EEE7560",
    "ProcessStartKey": "0"
  },
  "message": ""
}

Event ID 1039: TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) abort issued.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: Informational
Task: TcpAbortTcbRequest

Description

TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) abort issued.

Message #

TCP: connection %8 (local=%2 remote=%4) abort issued.

Fields #

Name	Description
`LocalAddressLength` UInt32
`LocalAddress` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary
`Status` UInt32	NTSTATUS reference
`ProcessId` UInt32
`Compartment` UInt32
`Tcb` Pointer
`ProcessStartKey` UInt64

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1039",
    "version": "1",
    "level": "4",
    "task": "1039",
    "opcode": "0",
    "keywords": 9223372105574253700,
    "time_created": "2026-03-16T00:22:37.889609500+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{0e584560-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "LocalAddressLength": "      16",
    "LocalAddress": "10.2.10.21:52990",
    "RemoteAddressLength": "      16",
    "RemoteAddress": "52.159.108.190:443",
    "Status": "0x0",
    "ProcessId": "       0",
    "Compartment": "       0",
    "Tcb": "0xFFFF980A0E584560",
    "ProcessStartKey": "0"
  },
  "message": ""
}

Event ID 1040: TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) abort completed.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: Informational
Task: TcpAbortTcbComplete

Description

TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) abort completed.

Message #

TCP: connection %8 (local=%2 remote=%4) abort completed.

Fields #

Name	Description
`LocalAddressLength` UInt32
`LocalAddress` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary
`Status` UInt32	NTSTATUS reference
`ProcessId` UInt32
`Compartment` UInt32
`Tcb` Pointer
`ProcessStartKey` UInt64

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1040",
    "version": "1",
    "level": "4",
    "task": "1040",
    "opcode": "0",
    "keywords": 9223372105574253700,
    "time_created": "2026-03-16T00:22:37.890003800+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{0e584560-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "LocalAddressLength": "      16",
    "LocalAddress": "10.2.10.21:52990",
    "RemoteAddressLength": "      16",
    "RemoteAddress": "52.159.108.190:443",
    "Status": "0x0",
    "ProcessId": "       0",
    "Compartment": "       0",
    "Tcb": "0xFFFF980A0E584560",
    "ProcessStartKey": "0"
  },
  "message": ""
}

Event ID 1041: TCP: Injecting disconnect on a shutdown TCB failed.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpDisconnectTcbInjectFailed

Description

TCP: Injecting disconnect on a shutdown TCB failed. TCB = Tcb.

Message #

TCP: Injecting disconnect on a shutdown TCB failed. TCB = %1.

Fields #

Name	Description
`Tcb` Pointer
`Delivery` Pointer
`Request` Pointer
`NumBytes` Pointer
`RequestFlags` UInt32
`Length` Pointer
`RequestStatus` UInt32
`IsUrgentDelivery` UInt32
`FullySatisfiedORDelayedPush` UInt32
`RcvNxt` UInt32

Event ID 1042: TCP: connection disconnect Injected, length=Length.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpDisconnectTcbRequest

Description

TCP: connection disconnect Injected, length=Length.

Message #

TCP: connection disconnect %3, length=%1.

Fields #

Name	Description
`Length` Pointer
`Timeout` UInt64
`Injected` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1042",
    "version": "0",
    "level": "4",
    "task": "1042",
    "opcode": "0",
    "keywords": 9223372105574253700,
    "time_created": "2026-03-16T00:21:38.732224500+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{0eee7560-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "4",
      "thread_id": "7444"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Length": "0x0",
    "Timeout": "0x0",
    "Injected": "issued"
  },
  "message": ""
}

Event ID 1043: TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) disconnect completed.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpDisconnectTcbComplete

Description

TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) disconnect completed.

Message #

TCP: connection %8 (local=%2 remote=%4) disconnect completed.

Fields #

Name	Description
`LocalAddressLength` UInt32
`LocalAddress` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary
`Status` UInt32	NTSTATUS reference
`ProcessId` UInt32
`Compartment` UInt32
`Tcb` Pointer
`ProcessStartKey` UInt64
`Inspect` Boolean

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1043",
    "version": "1",
    "level": "4",
    "task": "1043",
    "opcode": "0",
    "keywords": 9223372105574253700,
    "time_created": "2026-03-16T00:21:38.732982900+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{0eee7560-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "LocalAddressLength": "      28",
    "LocalAddress": "[::ffff:10.2.10.21]:5985",
    "RemoteAddressLength": "      28",
    "RemoteAddress": "[::ffff:10.2.10.11]:51201",
    "Status": "0x0",
    "ProcessId": "       0",
    "Compartment": "       0",
    "Tcb": "0xFFFF980A0EEE7560",
    "ProcessStartKey": "0"
  },
  "message": ""
}

Event ID 1044: TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) shutdown initiated (Status).

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: Informational
Task: TcpShutdownTcb

Description

TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) shutdown initiated (Status). PID = ProcessId.

Message #

TCP: connection %8 (local=%2 remote=%4) shutdown initiated (%5). PID = %6.

Fields #

Name	Description
`LocalAddressLength` UInt32
`LocalAddress` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary
`Status` UInt32	NTSTATUS reference
`ProcessId` UInt32
`Compartment` UInt32
`Tcb` Pointer
`ProcessStartKey` UInt64

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1044",
    "version": "1",
    "level": "4",
    "task": "1044",
    "opcode": "0",
    "keywords": 9223372105574253700,
    "time_created": "2026-03-16T00:21:38.733255900+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{0eee7560-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "4",
      "thread_id": "7444"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "LocalAddressLength": "      28",
    "LocalAddress": "[::ffff:10.2.10.21]:5985",
    "RemoteAddressLength": "      28",
    "RemoteAddress": "[::ffff:10.2.10.11]:51201",
    "Status": "0xC0000241",
    "ProcessId": "       4",
    "Compartment": "       0",
    "Tcb": "0xFFFF980A0EEE7560",
    "ProcessStartKey": "2814749767106561"
  },
  "message": ""
}

Event ID 1045: TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connect failed: connect-request timeout expired.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpConnectTcbTimeout

Description

TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connect failed: connect-request timeout expired.

Message #

TCP: connection %8 (local=%2 remote=%4) connect failed: connect-request timeout expired.

Fields #

Name	Description
`LocalAddressLength` UInt32
`LocalAddress` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary
`Status` UInt32	NTSTATUS reference
`ProcessId` UInt32
`Compartment` UInt32
`Tcb` Pointer
`ProcessStartKey` UInt64

Event ID 1046: TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) terminating: retransmission timeout expired.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpDisconnectTcbRtoTimeout

Description

TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) terminating: retransmission timeout expired.

Message #

TCP: connection %8 (local=%2 remote=%4) terminating: retransmission timeout expired.

Fields #

Name	Description
`LocalAddressLength` UInt32
`LocalAddress` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary
`Status` UInt32	NTSTATUS reference
`ProcessId` UInt32
`Compartment` UInt32
`Tcb` Pointer
`ProcessStartKey` UInt64

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1046",
    "version": "1",
    "level": "4",
    "task": "1046",
    "opcode": "0",
    "keywords": 9223372105574253700,
    "time_created": "2026-03-15T23:32:02.749394100+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{f9ca95f0-d78f-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "LocalAddressLength": "      16",
    "LocalAddress": "10.2.10.11:51269",
    "RemoteAddressLength": "      16",
    "RemoteAddress": "10.2.10.21:389",
    "Status": "0x0",
    "ProcessId": "       0",
    "Compartment": "       0",
    "Tcb": "0xFFFFD78FF9CA95F0",
    "ProcessStartKey": "0"
  },
  "message": ""
}

Event ID 1047: TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) terminating: keep-alive timeout expired.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpDisconnectTcbKeepaliveTimeout

Description

TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) terminating: keep-alive timeout expired.

Message #

TCP: connection %8 (local=%2 remote=%4) terminating: keep-alive timeout expired.

Fields #

Name	Description
`LocalAddressLength` UInt32
`LocalAddress` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary
`Status` UInt32	NTSTATUS reference
`ProcessId` UInt32
`Compartment` UInt32
`Tcb` Pointer
`ProcessStartKey` UInt64

Event ID 1048: TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) terminating: disconnect timeout expired.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpDisconnectTcbTimeout

Description

TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) terminating: disconnect timeout expired.

Message #

TCP: connection %8 (local=%2 remote=%4) terminating: disconnect timeout expired.

Fields #

Name	Description
`LocalAddressLength` UInt32
`LocalAddress` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary
`Status` UInt32	NTSTATUS reference
`ProcessId` UInt32
`Compartment` UInt32
`Tcb` Pointer
`ProcessStartKey` UInt64

Event ID 1049: TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connect failed: extended statistics status = Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpConnectTcbEstatsFailed

Description

TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connect failed: extended statistics status = Status.

Message #

TCP: connection %8 (local=%2 remote=%4) connect failed: extended statistics status = %5.

Fields #

Name	Description
`LocalAddressLength` UInt32
`LocalAddress` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary
`Status` UInt32	NTSTATUS reference
`ProcessId` UInt32
`Compartment` UInt32
`Tcb` Pointer
`ProcessStartKey` UInt64

Event ID 1050: TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connect failed: port-acquisition status = Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpConnectFailedPortAcquire

Description

TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connect failed: port-acquisition status = Status.

Message #

TCP: connection %8 (local=%2 remote=%4) connect failed: port-acquisition status = %5.

Fields #

Name	Description
`LocalAddressLength` UInt32
`LocalAddress` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary
`Status` UInt32	NTSTATUS reference
`ProcessId` UInt32
`Compartment` UInt32
`Tcb` Pointer
`ProcessStartKey` UInt64

Event ID 1051: TCP: connection Tcb transition from OldState to NewState, SndNxt = SndNxt.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: Informational
Task: TcpTcbStateChange

Description

TCP: connection Tcb transition from OldState to NewState, SndNxt = SndNxt.

Message #

TCP: connection %4 transition from %1 to %2, SndNxt = %3.

Fields #

Name	Description
`OldState` UInt32
`NewState` UInt32
`SndNxt` UInt32
`Tcb` Pointer

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1051",
    "version": "0",
    "level": "4",
    "task": "1051",
    "opcode": "0",
    "keywords": 9223372036854776836,
    "time_created": "2026-03-16T00:21:38.719167800+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{0ef4b580-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "OldState": "       1",
    "NewState": "       3",
    "SndNxt": "       0",
    "Tcb": "0xFFFF980A0EEE7560"
  },
  "message": ""
}

Event ID 1052: TCP: Process with PID = ProcessId reserved NumberOfPorts ports starting at StartPort.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpEndpointAcquirePortReservation

Description

TCP: Process with PID = ProcessId reserved NumberOfPorts ports starting at StartPort.

Message #

TCP: Process with PID = %1 reserved %4 ports starting at %3.

Fields #

Name	Description
`ProcessId` UInt32
`Status` UInt32	NTSTATUS reference
`StartPort` UInt16
`NumberOfPorts` UInt16
`ProcessStartKey` UInt64

Event ID 1053: TCP: Process with PID = ProcessId failed to reserve NumberOfPorts ports starting at StartPort with status = Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpEndpointFailedPortReservation

Description

TCP: Process with PID = ProcessId failed to reserve NumberOfPorts ports starting at StartPort with status = Status.

Message #

TCP: Process with PID = %1 failed to reserve %4 ports starting at %3 with status = %2.

Fields #

Name	Description
`ProcessId` UInt32
`Status` UInt32	NTSTATUS reference
`StartPort` UInt16
`NumberOfPorts` UInt16
`ProcessStartKey` UInt64

Event ID 1054: TCP: Process with PID = ProcessId completed global port reservation of NumberOfPorts ports starting at StartPort with status = Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpGlobalPortReservation

Description

TCP: Process with PID = ProcessId completed global port reservation of NumberOfPorts ports starting at StartPort with status = Status.

Message #

TCP: Process with PID = %1 completed global port reservation of %4 ports starting at %3 with status = %2.

Fields #

Name	Description
`ProcessId` UInt32
`Status` UInt32	NTSTATUS reference
`StartPort` UInt16
`NumberOfPorts` UInt16
`ProcessStartKey` UInt64

Event ID 1055: TCP: entering SYN attack resistance mode, Syn Attacks Detected = SynAttacksDetected.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpGlobalSynAttackEntry

Description

TCP: entering SYN attack resistance mode, Syn Attacks Detected = SynAttacksDetected.

Message #

TCP: entering SYN attack resistance mode, Syn Attacks Detected = %1.

Fields #

Name	Description
`SynAttacksDetected` UInt32
`ReassemblyLimitViolations` UInt32
`ConnectionRateLimitBacklog` UInt32
`ConnectionRateLimitViolations` UInt32
`LandAttackSegmentsDropped` UInt32
`ConnectionRateLimitDepth` UInt32

Event ID 1056: TCP: reasembly rate-limiting violated ReassemblyLimitViolations times since boot.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpGlobalReassemblyLimitViolation

Description

TCP: reasembly rate-limiting violated ReassemblyLimitViolations times since boot.

Message #

TCP: reasembly rate-limiting violated %2 times since boot.

Fields #

Name	Description
`SynAttacksDetected` UInt32
`ReassemblyLimitViolations` UInt32
`ConnectionRateLimitBacklog` UInt32
`ConnectionRateLimitViolations` UInt32
`LandAttackSegmentsDropped` UInt32
`ConnectionRateLimitDepth` UInt32

Event ID 1057: TCP: connection rate-limiting violated ConnectionRateLimitViolations times since boot.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpGlobalConnectionRateLimitViolation

Description

TCP: connection rate-limiting violated ConnectionRateLimitViolations times since boot.

Message #

TCP: connection rate-limiting violated %4 times since boot.

Fields #

Name	Description
`SynAttacksDetected` UInt32
`ReassemblyLimitViolations` UInt32
`ConnectionRateLimitBacklog` UInt32
`ConnectionRateLimitViolations` UInt32
`LandAttackSegmentsDropped` UInt32
`ConnectionRateLimitDepth` UInt32

Event ID 1058: TCP: land attack has dropped LandAttackSegmentsDropped packets since boot.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpGlobalLandAttackSegmentDrop

Description

TCP: land attack has dropped LandAttackSegmentsDropped packets since boot.

Message #

TCP: land attack has dropped %5 packets since boot.

Fields #

Name	Description
`SynAttacksDetected` UInt32
`ReassemblyLimitViolations` UInt32
`ConnectionRateLimitBacklog` UInt32
`ConnectionRateLimitViolations` UInt32
`LandAttackSegmentsDropped` UInt32
`ConnectionRateLimitDepth` UInt32

Event ID 1059: TCP: low memory state detected.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpGlobalIsbBeginThrottle

Description

TCP: low memory state detected. LowMemoryEvent =LowMemoryEvent LowPagedPoolEvent = LowPagedPoolEvent.

Message #

TCP: low memory state detected. LowMemoryEvent =%3 LowPagedPoolEvent = %4.

Fields #

Name	Description
`HighMemoryEvent` UInt32
`HighPagedPoolEvent` UInt32
`LowMemoryEvent` UInt32
`LowPagedPoolEvent` UInt32

Event ID 1060: TCP: leaving low memory state.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpGlobalIsbEndThrottle

Description

TCP: leaving low memory state. HighMemoryEvent = HighMemoryEvent HighPagedPoolEvent = HighPagedPoolEvent.

Message #

TCP: leaving low memory state. HighMemoryEvent = %1 HighPagedPoolEvent = %2.

Fields #

Name	Description
`HighMemoryEvent` UInt32
`HighPagedPoolEvent` UInt32
`LowMemoryEvent` UInt32
`LowPagedPoolEvent` UInt32

Event ID 1061: TCP: address family AddressFamily added to interface InterfaceIndex.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpGlobalAddInterface

Description

TCP: address family AddressFamily added to interface InterfaceIndex.

Message #

TCP: address family %2 added to interface %1.

Fields #

Name	Description
`InterfaceIndex` UInt32
`AddressFamily` UInt32

Event ID 1062: TCP: address family AddressFamily removed from interface InterfaceIndex.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpGlobalDeleteInterface

Description

TCP: address family AddressFamily removed from interface InterfaceIndex.

Message #

TCP: address family %2 removed from interface %1.

Fields #

Name	Description
`InterfaceIndex` UInt32
`AddressFamily` UInt32

Event ID 1063: TCP: leaving SYN attack resistance mode, Syn Attacks Detected = SynAttacksDetected.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpGlobalSynAttackExit

Description

TCP: leaving SYN attack resistance mode, Syn Attacks Detected = SynAttacksDetected.

Message #

TCP: leaving SYN attack resistance mode, Syn Attacks Detected = %1.

Fields #

Name	Description
`SynAttacksDetected` UInt32
`ReassemblyLimitViolations` UInt32
`ConnectionRateLimitBacklog` UInt32
`ConnectionRateLimitViolations` UInt32
`LandAttackSegmentsDropped` UInt32
`ConnectionRateLimitDepth` UInt32

Event ID 1064: TCP: Connection Tcb TimerType timer started.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: Verbose
Task: TcpTcbStartTimer

Description

TCP: Connection Tcb TimerType timer started. Scheduled to expire in WaitTimeMilliseconds ms.

Message #

TCP: Connection %1 %2 timer started. Scheduled to expire in %3 ms.

Fields #

Name	Description
`Tcb` Pointer
`TimerType` UInt32
`WaitTimeMilliseconds` UInt32
`Processor` UInt32
`LastInterruptTime` UInt64
`LastMicroseconds` UInt64

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1064",
    "version": "1",
    "level": "5",
    "task": "1064",
    "opcode": "0",
    "keywords": 9223372036854776836,
    "time_created": "2026-03-16T00:21:34.388854500+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{1018b560-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "4168",
      "thread_id": "6880"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A1018B560",
    "TimerType": "       0",
    "WaitTimeMilliseconds": "     201",
    "Processor": "       9",
    "LastInterruptTime": "577532689097",
    "LastMicroseconds": "57753289800",
    "CachedKQPCValues": "577532898003",
    "CachedFrequencyValues": "10000000"
  },
  "message": ""
}

Event ID 1065: TCP: Connection Tcb stopping TimerType timer.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: Verbose
Task: TcpTcbStopTimer

Description

TCP: Connection Tcb stopping TimerType timer.

Message #

TCP: Connection %1 stopping %2 timer.

Fields #

Name	Description
`Tcb` Pointer
`TimerType` UInt32
`WaitTimeMilliseconds` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1065",
    "version": "0",
    "level": "5",
    "task": "1065",
    "opcode": "0",
    "keywords": 9223372036854776836,
    "time_created": "2026-03-16T00:21:34.388747900+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{1018b560-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "4168",
      "thread_id": "6880"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A1018B560",
    "TimerType": "       7",
    "WaitTimeMilliseconds": "       0"
  },
  "message": ""
}

Event ID 1066: TCP: Connection Tcb TimerType timer has expired.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: Verbose
Task: TcpTcbExpireTimer

Description

TCP: Connection Tcb TimerType timer has expired.

Message #

TCP: Connection %1 %2 timer has expired.

Fields #

Name	Description
`Tcb` Pointer
`TimerType` UInt32
`WaitTimeMilliseconds` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1066",
    "version": "0",
    "level": "5",
    "task": "1066",
    "opcode": "0",
    "keywords": 9223372036854776836,
    "time_created": "2026-03-16T00:21:34.715526000+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{1018b560-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A1018B560",
    "TimerType": "       2",
    "WaitTimeMilliseconds": "       0"
  },
  "message": ""
}

Event ID 1067: TCP: ISB changed to IsbSize.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpTcbChangeIsb

Description

TCP: ISB changed to IsbSize. CWnd = Cwnd SndWnd = SndWnd SendAvailable = SendAvailable SSThresh = SSThresh.

Message #

TCP: ISB changed to %1. CWnd = %2 SndWnd = %3 SendAvailable = %4 SSThresh = %5.

Fields #

Name	Description
`IsbSize` UInt32
`Cwnd` UInt32
`SndWnd` UInt32
`SendAvailable` UInt32
`SSThresh` UInt32

Event ID 1068: TCP: moving RSS indirection table index TableEntry from processor SourceProcessor to processor DestinationProcessor.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpRssTableChange

Description

TCP: moving RSS indirection table index TableEntry from processor SourceProcessor to processor DestinationProcessor.

Message #

TCP: moving RSS indirection table index %6 from processor %1 to processor %3.

Fields #

Name	Description
`SourceProcessor` UInt32
`SourceActivity` UInt32
`DestinationProcessor` UInt32
`DestinationActivity` UInt32
`PartitionMovesRemaining` UInt32
`TableEntry` UInt8

Event ID 1069: TCP: connection Tcb: Timeout Event updated cwnd = Cwnd and updated ssthresh = SSThresh.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpDataTransferTimeout

Description

TCP: connection Tcb: Timeout Event updated cwnd = Cwnd and updated ssthresh = SSThresh.

Message #

TCP: connection %1: Timeout Event updated cwnd = %2 and updated ssthresh = %3.

Fields #

Name	Description
`Tcb` Pointer
`Cwnd` UInt32
`SSThresh` UInt32
`RttSample` UInt32
`NumBytes` UInt32
`SeqNo` UInt32
`SndUna` UInt32
`Round` UInt32
`SRTT` UInt32
`RTO` UInt32
`DWnd` UInt32
`BaseRtt` UInt32
`DupAckCount` UInt32

Event ID 1070: TCP: connection Tcb: Rtt sample recorded RttSample.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpDataTransferRttSample

Description

TCP: connection Tcb: Rtt sample recorded RttSample.

Message #

TCP: connection %1:  Rtt sample recorded %4.

Fields #

Name	Description
`Tcb` Pointer
`Cwnd` UInt32
`SSThresh` UInt32
`RttSample` UInt32
`NumBytes` UInt32
`SeqNo` UInt32
`SndUna` UInt32
`Round` UInt32
`SRTT` UInt32
`RTO` UInt32
`DWnd` UInt32
`BaseRtt` UInt32
`DupAckCount` UInt32

Event ID 1071: TCP: connection Tcb: Cumulative ACK updated cwnd = Cwnd.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpDataTransferCumAck

Description

TCP: connection Tcb: Cumulative ACK updated cwnd = Cwnd.

Message #

TCP: connection %1: Cumulative ACK updated cwnd = %2.

Fields #

Name	Description
`Tcb` Pointer
`Cwnd` UInt32
`SSThresh` UInt32
`RttSample` UInt32
`NumBytes` UInt32
`SeqNo` UInt32
`SndUna` UInt32
`Round` UInt32
`SRTT` UInt32
`RTO` UInt32
`DWnd` UInt32
`BaseRtt` UInt32
`DupAckCount` UInt32

Event ID 1072: TCP: connection Tcb: Duplicate ACK updated cwnd = Cwnd and updated ssthresh = SSThresh.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpDataTransferDupAck

Description

TCP: connection Tcb: Duplicate ACK updated cwnd = Cwnd and updated ssthresh = SSThresh.

Message #

TCP: connection %1: Duplicate ACK updated cwnd = %2 and updated ssthresh = %3.

Fields #

Name	Description
`Tcb` Pointer
`Cwnd` UInt32
`SSThresh` UInt32
`RttSample` UInt32
`NumBytes` UInt32
`SeqNo` UInt32
`SndUna` UInt32
`Round` UInt32
`SRTT` UInt32
`RTO` UInt32
`DWnd` UInt32
`BaseRtt` UInt32
`DupAckCount` UInt32

Event ID 1073: TCP: connection Tcb: Sent data with number of bytes = NumBytes and Sequence number = SeqNo.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpDataTransferSend

Description

TCP: connection Tcb: Sent data with number of bytes = NumBytes and Sequence number = SeqNo.

Message #

TCP: connection %1: Sent data with number of bytes = %5 and Sequence number = %6.

Fields #

Name	Description
`Tcb` Pointer
`Cwnd` UInt32
`SSThresh` UInt32
`RttSample` UInt32
`NumBytes` UInt32
`SeqNo` UInt32
`SndUna` UInt32
`Round` UInt32
`SRTT` UInt32
`RTO` UInt32
`DWnd` UInt32
`BaseRtt` UInt32
`DupAckCount` UInt32

Event ID 1074: TCP: connection Tcb: Received data with number of bytes = NumBytes.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: Informational
Task: TcpDataTransferReceive

Description

TCP: connection Tcb: Received data with number of bytes = NumBytes. ThSeq = SeqNo.

Message #

TCP: connection %1: Received data with number of bytes = %2. ThSeq = %3.

Fields #

Name	Description
`Tcb` Pointer
`NumBytes` UInt32
`SeqNo` UInt32
`NumPkt` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1074",
    "version": "0",
    "level": "4",
    "task": "1074",
    "opcode": "0",
    "keywords": 9223372045444710400,
    "time_created": "2026-03-16T00:21:34.390777500+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{1018b560-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "4248",
      "thread_id": "4684"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A1018B560",
    "NumBytes": "       6",
    "SeqNo": "3537939053"
  },
  "message": ""
}

Event ID 1075: TCP: connection Tcb: ECN Echo updated cwnd = Cwnd and updated ssthresh = SSThresh.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpDataTransferEcn

Description

TCP: connection Tcb: ECN Echo updated cwnd = Cwnd and updated ssthresh = SSThresh. SndUna = SndUna, Mss = Mss, ThAck = ThAck.

Message #

TCP: connection %1: ECN Echo updated cwnd = %2 and updated ssthresh = %3. SndUna = %4, Mss = %5, ThAck = %6.

Fields #

Name	Description
`Tcb` Pointer
`Cwnd` UInt32
`SSThresh` UInt32
`SndUna` UInt32
`Mss` UInt32
`ThAck` UInt32
`DWnd` UInt32
`BaseRtt` UInt32

Event ID 1076: TCP: connection Tcb: Spurious timeout with SndUna = SndUna.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpDataTransferSpuriousTimeout

Description

TCP: connection Tcb: Spurious timeout with SndUna = SndUna.

Message #

TCP: connection %1: Spurious timeout with SndUna = %7.

Fields #

Name	Description
`Tcb` Pointer
`Cwnd` UInt32
`SSThresh` UInt32
`RttSample` UInt32
`NumBytes` UInt32
`SeqNo` UInt32
`SndUna` UInt32
`Round` UInt32
`SRTT` UInt32
`RTO` UInt32
`DWnd` UInt32
`BaseRtt` UInt32
`DupAckCount` UInt32

Event ID 1077: TCP: connection Tcb: Send Retransmit round with SndUna = SeqNo, Round = Round, SRTT = SRTT, RTO = RTO.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpDataTransferRetransmitRound

Description

TCP: connection Tcb: Send Retransmit round with SndUna = SeqNo, Round = Round, SRTT = SRTT, RTO = RTO.

Message #

TCP: connection %1: Send Retransmit round with SndUna = %6, Round = %8, SRTT = %9, RTO = %10.

Fields #

Name	Description
`Tcb` Pointer
`Cwnd` UInt32
`SSThresh` UInt32
`RttSample` UInt32
`NumBytes` UInt32
`SeqNo` UInt32
`SndUna` UInt32
`Round` UInt32
`SRTT` UInt32
`RTO` UInt32
`DWnd` UInt32
`BaseRtt` UInt32
`DupAckCount` UInt32

Event ID 1078: TCP: connection Tcb: Entered loss recovery phase with SndUna = SndUna and SndMax = SndMax.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpLossRecoveryEntry

Description

TCP: connection Tcb: Entered loss recovery phase with SndUna = SndUna and SndMax = SndMax.

Message #

TCP: connection %1: Entered loss recovery phase with SndUna = %2 and SndMax = %3.

Fields #

Name	Description
`Tcb` Pointer
`SndUna` UInt32
`SndMax` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1078",
    "version": "0",
    "level": "4",
    "task": "1078",
    "opcode": "0",
    "keywords": 9223372045444710528,
    "time_created": "2026-03-16T00:21:40.489867400+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{15ce6ae0-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A15CE6AE0",
    "SndUna": "155002622",
    "SndMax": "155007102"
  },
  "message": ""
}

Event ID 1079: TCP: connection Tcb: Leaving loss recovery phase with SndUna = SndUna and SndMax = SndMax.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpLossRecoveryExit

Description

TCP: connection Tcb: Leaving loss recovery phase with SndUna = SndUna and SndMax = SndMax.

Message #

TCP: connection %1: Leaving loss recovery phase with SndUna = %2 and SndMax = %3.

Fields #

Name	Description
`Tcb` Pointer
`SndUna` UInt32
`SndMax` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1079",
    "version": "0",
    "level": "4",
    "task": "1079",
    "opcode": "0",
    "keywords": 9223372045444710528,
    "time_created": "2026-03-16T00:21:40.494494300+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{15ce6ae0-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "4168",
      "thread_id": "6656"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A15CE6AE0",
    "SndUna": "155007102",
    "SndMax": "155007102"
  },
  "message": ""
}

Event ID 1080: TCP: connection Tcb entering SACK mode with SndUna = SndUna.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpLossRecoverySackEntry

Description

TCP: connection Tcb entering SACK mode with SndUna = SndUna.

Message #

TCP: connection %1 entering SACK mode with SndUna = %2.

Fields #

Name	Description
`Tcb` Pointer
`SndUna` UInt32
`SndMax` UInt32
`Reason` UnicodeString
`IsSack` UInt32

Event ID 1081: TCP: connection Tcb leaving SACK mode with SndUna = SndUna.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpLossRecoverySackExit

Description

TCP: connection Tcb leaving SACK mode with SndUna = SndUna.

Message #

TCP: connection %1 leaving SACK mode with SndUna = %2.

Fields #

Name	Description
`Tcb` Pointer
`SndUna` UInt32
`SndMax` UInt32
`Reason` UnicodeString
`IsSack` UInt32

Event ID 1082: TCP: connection Tcb entering Congestion Avoidance Phase with cwnd = Cwnd and ssthresh = SSThresh.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpSlowStartToCongestionAvoidance

Description

TCP: connection Tcb entering Congestion Avoidance Phase with cwnd = Cwnd and ssthresh = SSThresh.

Message #

TCP: connection %1 entering Congestion Avoidance Phase with cwnd = %2 and ssthresh = %3.

Fields #

Name	Description
`Tcb` Pointer
`Cwnd` UInt32
`SSThresh` UInt32
`RttSample` UInt32
`NumBytes` UInt32
`SeqNo` UInt32
`SndUna` UInt32
`Round` UInt32
`SRTT` UInt32
`RTO` UInt32
`DWnd` UInt32
`BaseRtt` UInt32
`DupAckCount` UInt32

Event ID 1084: TCP: connection Tcb entered BH, BH MSS BHMSS, original MSS OriginalMSS.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpBlackHoleDetectionEntry

Description

TCP: connection Tcb entered BH, BH MSS BHMSS, original MSS OriginalMSS.

Message #

TCP: connection %1 entered BH, BH MSS %2, original MSS %3.

Fields #

Name	Description
`Tcb` Pointer
`BHMSS` UInt32
`OriginalMSS` UInt32
`TraceString` UnicodeString

Event ID 1085: TCP: connection Tcb Exiting BH due to TraceString, BH mss BHMSS, Original MSS OriginalMSS.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpBlackHoleDetectionExit

Description

TCP: connection Tcb Exiting BH due to TraceString, BH mss BHMSS, Original MSS OriginalMSS.

Message #

TCP: connection %1 Exiting BH due to %4, BH mss %2, Original MSS %3.

Fields #

Name	Description
`Tcb` Pointer
`BHMSS` UInt32
`OriginalMSS` UInt32
`TraceString` UnicodeString

Event ID 1086: TCP: connection Tcb not entering BH due to TraceString.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpBlackHoleDetectionFailed

Description

TCP: connection Tcb not entering BH due to TraceString.

Message #

TCP: connection %1 not entering BH due to %4.

Fields #

Name	Description
`Tcb` Pointer
`BHMSS` UInt32
`OriginalMSS` UInt32
`TraceString` UnicodeString

Event ID 1087: TCP: connection Tcb spurious RTO detection initiated at SndUna.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpSpuriousRtoDetectionBegin

Description

TCP: connection Tcb spurious RTO detection initiated at SndUna.

Message #

TCP: connection %1 spurious RTO detection initiated at %7.

Fields #

Name	Description
`Tcb` Pointer
`Cwnd` UInt32
`SSThresh` UInt32
`RttSample` UInt32
`NumBytes` UInt32
`SeqNo` UInt32
`SndUna` UInt32
`Round` UInt32
`SRTT` UInt32
`RTO` UInt32
`DWnd` UInt32
`BaseRtt` UInt32
`DupAckCount` UInt32

Event ID 1088: TCP: connection Tcb spurious RTO detection terminated at SndUna.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpSpuriousRtoDetectionEnd

Description

TCP: connection Tcb spurious RTO detection terminated at SndUna.

Message #

TCP: connection %1 spurious RTO detection terminated at %7.

Fields #

Name	Description
`Tcb` Pointer
`Cwnd` UInt32
`SSThresh` UInt32
`RttSample` UInt32
`NumBytes` UInt32
`SeqNo` UInt32
`SndUna` UInt32
`Round` UInt32
`SRTT` UInt32
`RTO` UInt32
`DWnd` UInt32
`BaseRtt` UInt32
`DupAckCount` UInt32

Event ID 1089: TCP: active connect failed (family=Status) connect-complete inspection failed: status = AddressFamily.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpConnectTcbFailedActiveConnect

Description

TCP: active connect failed (family=Status) connect-complete inspection failed: status = AddressFamily.

Message #

TCP: active connect failed (family=%2) connect-complete inspection failed: status = %3.

Fields #

Name	Description
`Tcb` Pointer
`Status` UInt32	NTSTATUS reference
`AddressFamily` UInt32

Event ID 1090: TCP: TcpReleaseIndicationList: Nbl = NBL.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Verbose
Task: TcpReleaseIndication

Description

TCP: TcpReleaseIndicationList: Nbl = NBL.

Message #

TCP: TcpReleaseIndicationList: Nbl = %1.

Fields #

Name	Description
`NBL` Pointer

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1090",
    "version": "0",
    "level": "5",
    "task": "1090",
    "opcode": "0",
    "keywords": 9223372045444710400,
    "time_created": "2026-03-16T00:21:34.509548500+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}"
    },
    "execution": {
      "process_id": "4168",
      "thread_id": "6880"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "NBL": "0xFFFF980A0EE312B0"
  },
  "message": ""
}

Event ID 1091: TCP: connection Tcb posted an average of NumBytes bytes per send.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpAppSendBufferSize

Description

TCP: connection Tcb posted an average of NumBytes bytes per send.

Message #

TCP: connection %1 posted an average of %5 bytes per send.

Fields #

Name	Description
`Tcb` Pointer
`Cwnd` UInt32
`SSThresh` UInt32
`RttSample` UInt32
`NumBytes` UInt32
`SeqNo` UInt32
`SndUna` UInt32
`Round` UInt32
`SRTT` UInt32
`RTO` UInt32
`DWnd` UInt32
`BaseRtt` UInt32
`DupAckCount` UInt32

Event ID 1092: TCP: connection (local=LocalAddress remote=RemoteAddress) starting receive window auto-tuning.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Verbose
Task: TcpAutoTuningBegin

Description

TCP: connection (local=LocalAddress remote=RemoteAddress) starting receive window auto-tuning.

Message #

TCP: connection (local=%2 remote=%4) starting receive window auto-tuning.

Fields #

Name	Description
`LocalAddressLength` UInt32
`LocalAddress` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary
`BufferSize` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1092",
    "version": "0",
    "level": "5",
    "task": "1092",
    "opcode": "0",
    "keywords": 9223372045444710400,
    "time_created": "2026-03-16T00:21:40.316699400+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{15ce6ae0-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "LocalAddressLength": "      16",
    "LocalAddress": "10.2.10.21:52999",
    "RemoteAddressLength": "      16",
    "RemoteAddress": "13.89.179.13:443",
    "BufferSize": "       0"
  },
  "message": ""
}

Event ID 1093: TCP: connection (local=LocalAddress remote=RemoteAddress) ending receive window auto-tuning.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Verbose
Task: TcpAutoTuningEnd

Description

TCP: connection (local=LocalAddress remote=RemoteAddress) ending receive window auto-tuning.

Message #

TCP: connection (local=%2 remote=%4) ending receive window auto-tuning.

Fields #

Name	Description
`LocalAddressLength` UInt32
`LocalAddress` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary
`BufferSize` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1093",
    "version": "0",
    "level": "5",
    "task": "1093",
    "opcode": "0",
    "keywords": 9223372045444710400,
    "time_created": "2026-03-16T00:22:31.341328500+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{0e7ae010-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "LocalAddressLength": "      28",
    "LocalAddress": "[::ffff:10.2.10.21]:5985",
    "RemoteAddressLength": "      28",
    "RemoteAddress": "[::ffff:10.2.10.11]:51208",
    "BufferSize": "       0"
  },
  "message": ""
}

Event ID 1094: TCP: connection (local=LocalAddress remote=RemoteAddress) failed to enter auto-tuning because fine-grained RTT estimation could not be started.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpAutoTuningFailedRttEstimation

Description

TCP: connection (local=LocalAddress remote=RemoteAddress) failed to enter auto-tuning because fine-grained RTT estimation could not be started.

Message #

TCP: connection (local=%2 remote=%4) failed to enter auto-tuning because fine-grained RTT estimation could not be started.

Fields #

Name	Description
`LocalAddressLength` UInt32
`LocalAddress` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary
`BufferSize` UInt32

Event ID 1095: TCP: connection (local=LocalAddress remote=RemoteAddress) failed to enter auto-tuning because receiver bandwidth estimation could not be started.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpAutoTuningFailedBandwidthEstimation

Description

TCP: connection (local=LocalAddress remote=RemoteAddress) failed to enter auto-tuning because receiver bandwidth estimation could not be started.

Message #

TCP: connection (local=%2 remote=%4) failed to enter auto-tuning because receiver bandwidth estimation could not be started.

Fields #

Name	Description
`LocalAddressLength` UInt32
`LocalAddress` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary
`BufferSize` UInt32

Event ID 1096: TCP: connection (local=LocalAddress remote=RemoteAddress) failed to enter auto-tuning because of receive window tuning allocation failure.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpAutoTuningFailedAllocationFailure

Description

TCP: connection (local=LocalAddress remote=RemoteAddress) failed to enter auto-tuning because of receive window tuning allocation failure.

Message #

TCP: connection (local=%2 remote=%4) failed to enter auto-tuning because of receive window tuning allocation failure.

Fields #

Name	Description
`LocalAddressLength` UInt32
`LocalAddress` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary
`BufferSize` UInt32

Event ID 1097: TCP: connection (local=LocalAddress remote=RemoteAddress) auto-tuner adjusted receive buffer size to BufferSize bytes.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpAutoTuningChangeRcvBufferSize

Description

TCP: connection (local=LocalAddress remote=RemoteAddress) auto-tuner adjusted receive buffer size to BufferSize bytes.

Message #

TCP: connection (local=%2 remote=%4) auto-tuner adjusted receive buffer size to %5 bytes.

Fields #

Name	Description
`LocalAddressLength` UInt32
`LocalAddress` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary
`BufferSize` UInt32

Event ID 1098: TCP: connection Tcb: Rtt resiliency detection complete with Rtt sample = RttSample and new SRTT = SRTT.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpRttResiliencyDetection

Description

TCP: connection Tcb: Rtt resiliency detection complete with Rtt sample = RttSample and new SRTT = SRTT.

Message #

TCP: connection %1: Rtt resiliency detection complete with Rtt sample = %4 and new SRTT = %9.

Fields #

Name	Description
`Tcb` Pointer
`Cwnd` UInt32
`SSThresh` UInt32
`RttSample` UInt32
`NumBytes` UInt32
`SeqNo` UInt32
`SndUna` UInt32
`Round` UInt32
`SRTT` UInt32
`RTO` UInt32
`DWnd` UInt32
`BaseRtt` UInt32
`DupAckCount` UInt32

Event ID 1099: TCP: connection Tcb: Connection State = TcbState, Offload State = OcbState.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpConnectionOffloadStateChange

Description

TCP: connection Tcb: Connection State = TcbState, Offload State = OcbState. SndNxt = SndNxt, RcvNxt = RcvNxt. NdisStatus = Status.

Message #

TCP: connection %5: Connection State = %1, Offload State = %2. SndNxt = %3, RcvNxt = %4. NdisStatus = %6.

Fields #

Name	Description
`TcbState` UInt32
`OcbState` UInt32
`SndNxt` UInt32
`RcvNxt` UInt32
`Tcb` Pointer
`Status` UInt32	NTSTATUS reference

Event ID 1100: TCP: SWS avoidance began on connection Tcb.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpSwsAvoidanceBegin

Description

TCP: SWS avoidance began on connection Tcb. Timer set for TimerValue ms. BytesToSend = BytesToSend, SendAvailable = SendAvailable, Cwnd = Cwnd, MaxSndWnd = MaxSndWnd.

Message #

TCP: SWS avoidance began on connection %1. Timer set for %2 ms. BytesToSend = %3, SendAvailable = %4, Cwnd = %5, MaxSndWnd = %6.

Fields #

Name	Description
`Tcb` Pointer
`TimerValue` UInt32
`BytesToSend` Pointer
`SendAvailable` UInt32
`Cwnd` UInt32
`MaxSndWnd` Pointer

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1100",
    "version": "0",
    "level": "4",
    "task": "1100",
    "opcode": "0",
    "keywords": 9223372041149743232,
    "time_created": "2026-03-16T00:23:27.100938500+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{170d1290-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "3688",
      "thread_id": "10580"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A170D1290",
    "TimerValue": "    5000",
    "BytesToSend": "0x10E0",
    "SendAvailable": "   18500",
    "Cwnd": "   14786",
    "MaxSndWnd": "0x400000"
  },
  "message": ""
}

Event ID 1101: TCP: SWS avoidance ended on connection Tcb.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpSwsAvoidanceEnd

Description

TCP: SWS avoidance ended on connection Tcb.

Message #

TCP: SWS avoidance ended on connection %1.

Fields #

Name	Description
`Tcb` Pointer
`TimerValue` UInt32
`BytesToSend` Pointer
`SendAvailable` UInt32
`Cwnd` UInt32
`MaxSndWnd` Pointer

Event ID 1102: TCP: connection Tcb send: Beginning zero-window probing with SndUna = SndUna.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpZeroWindowProbingBegin

Description

TCP: connection Tcb send: Beginning zero-window probing with SndUna = SndUna.

Message #

TCP: connection %1 send: Beginning zero-window probing with SndUna = %2.

Fields #

Name	Description
`Tcb` Pointer
`SndUna` UInt32
`SndMax` UInt32

Event ID 1103: TCP: connection Tcb send: Leaving zero-window probing with SndUna = SndUna.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpZeroWindowProbingEnd

Description

TCP: connection Tcb send: Leaving zero-window probing with SndUna = SndUna.

Message #

TCP: connection %1 send: Leaving zero-window probing with SndUna = %2.

Fields #

Name	Description
`Tcb` Pointer
`SndUna` UInt32
`SndMax` UInt32

Event ID 1104: TCP: Option OptionType is going to be set for connection Tcb.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpSetTcpOption

Description

TCP: Option OptionType is going to be set for connection Tcb.

Message #

TCP: Option %2 is going to be set for connection %1.

Fields #

Name	Description
`Tcb` Pointer
`OptionType` UInt32
`SoOptionType` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1104",
    "version": "0",
    "level": "4",
    "task": "1104",
    "opcode": "0",
    "keywords": 9223372311732683780,
    "time_created": "2026-03-16T00:23:28.314606700+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{0e584560-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "1356",
      "thread_id": "4456"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A0E584560",
    "OptionType": "       1",
    "SoOptionType": "       0"
  },
  "message": ""
}

Event ID 1105: TCP: Socket Option SoOptionType is going to be set for connection Tcb.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpSetTcpSoOption

Description

TCP: Socket Option SoOptionType is going to be set for connection Tcb.

Message #

TCP: Socket Option %3 is going to be set for connection %1.

Fields #

Name	Description
`Tcb` Pointer
`OptionType` UInt32
`SoOptionType` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1105",
    "version": "0",
    "level": "4",
    "task": "1105",
    "opcode": "0",
    "keywords": 9223372311732683780,
    "time_created": "2026-03-16T00:23:28.314680700+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{0e584560-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "1356",
      "thread_id": "4456"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A0E584560",
    "OptionType": "       0",
    "SoOptionType": "       8"
  },
  "message": ""
}

Event ID 1106: IP: Disconnecting interface InterfaceIndex, trace = TraceString.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpMediaDisconnect

Description

IP: Disconnecting interface InterfaceIndex, trace = TraceString.

Message #

IP: Disconnecting interface %1, trace = %2.

Fields #

Name	Description
`InterfaceIndex` UInt32
`TraceString` AnsiString
`CompartmentId` UInt32

Event ID 1107: TCPIP: Module ModuleNameString started.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpModuleStarted

Description

TCPIP: Module ModuleNameString started.

Message #

TCPIP: Module %1 started.

Fields #

Name	Description
`ModuleNameString` UnicodeString

Event ID 1108: TCPIP: Module ModuleNameString stopped.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpModuleStopped

Description

TCPIP: Module ModuleNameString stopped.

Message #

TCPIP: Module %1 stopped.

Fields #

Name	Description
`ModuleNameString` UnicodeString

Event ID 1109: TCPIP: Failure allocating AllocationObjectString.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpMemoryFailures

Description

TCPIP: Failure allocating AllocationObjectString.

Message #

TCPIP: Failure allocating %1.

Fields #

Name	Description
`AllocationObjectString` UnicodeString

Event ID 1110: TCP: Global parameters updated for Address Family AddressFamily: EnablePMtuDiscovery = EnablePMTUDiscovery, UseRfc1122UrgentPointer = TcpUseRFC1122UrgentPointer, DisableTaskOffload = DisableTaskOff...

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpGlobalParameters

Description

TCP: Global parameters updated for Address Family AddressFamily: EnablePMtuDiscovery = EnablePMTUDiscovery, UseRfc1122UrgentPointer = TcpUseRFC1122UrgentPointer, DisableTaskOffload = DisableTaskOffload, DisableTcpChimneyOffload = EnablePMTUBHDetect, DisableRss = DisableTcpChimneyOffload, EnablePMtuBHDetect = DisableRss, EcnCapability = EcnCapability, MaxDataRetransmissions = TcpMaxDataRetransmissions, KeepAliveTime = KeepAliveTime, KeepAliveInterval = KeepAliveInterval, TimedWaitDelay = TcpTimedWaitDelay, SillyWindowTimeout = SillyWindowTimeout, FinWait2Timeout = TcpFinWait2Delay, CongestionAlgorithm = CongestionAlgorithm, UseRfc1323Timestamps = Tcp1323Opts, AutoTuningLevelLocal = AutoTuningLevelLocal, AutoTuningLevelGroupPolicy = AutoTuningLevelGroupPolicy.

Message #

TCP: Global parameters updated for Address Family %1: EnablePMtuDiscovery = %2, UseRfc1122UrgentPointer = %3, DisableTaskOffload = %4, DisableTcpChimneyOffload = %5, DisableRss = %6, EnablePMtuBHDetect = %7, EcnCapability = %8, MaxDataRetransmissions = %9, KeepAliveTime = %10, KeepAliveInterval = %11, TimedWaitDelay = %12, SillyWindowTimeout = %13, FinWait2Timeout = %14, CongestionAlgorithm = %15, UseRfc1323Timestamps = %16, AutoTuningLevelLocal = %17, AutoTuningLevelGroupPolicy = %18.

Fields #

Name	Description
`AddressFamily` UInt32
`EnablePMTUDiscovery` UInt8
`TcpUseRFC1122UrgentPointer` UInt8
`DisableTaskOffload` UInt8
`EnablePMTUBHDetect` UInt8
`DisableTcpChimneyOffload` UInt8
`DisableRss` UInt8
`EcnCapability` UInt8
`TcpMaxDataRetransmissions` UInt8
`KeepAliveTime` UInt32
`KeepAliveInterval` UInt32
`TcpTimedWaitDelay` UInt32
`SillyWindowTimeout` UInt32
`TcpFinWait2Delay` UInt32
`CongestionAlgorithm` UInt8
`Tcp1323Opts` UInt8
`AutoTuningLevelLocal` UInt32
`AutoTuningLevelGroupPolicy` UInt32

Event ID 1111: TCP: Connection Tcb Large Send Offload, Bytes in segment = BytesInSegment and Bytes remaining = BytesRemaining.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: Verbose
Task: TcpLso

Description

TCP: Connection Tcb Large Send Offload, Bytes in segment = BytesInSegment and Bytes remaining = BytesRemaining.

Message #

TCP: Connection %1 Large Send Offload, Bytes in segment = %2 and Bytes remaining = %3.

Fields #

Name	Description
`Tcb` Pointer
`BytesInSegment` UInt32
`BytesRemaining` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1111",
    "version": "0",
    "level": "5",
    "task": "1111",
    "opcode": "0",
    "keywords": 9223372041149743104,
    "time_created": "2026-03-16T00:21:34.415610100+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{1018b560-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "4168",
      "thread_id": "6972"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A1018B560",
    "BytesInSegment": "    1492",
    "BytesRemaining": "       0"
  },
  "message": ""
}

Event ID 1112: TCP: Connection Tcb status changed to Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpConnectionOffloadStatus

Description

TCP: Connection Tcb status changed to Status.

Message #

TCP: Connection %1 status changed to %2.

Fields #

Name	Description
`Tcb` Pointer
`Status` UInt32	NTSTATUS reference
`Interface` UInt32
`PMax` UInt32

Event ID 1113: TCP: Connection Tcb status = Status, Interface = Interface, PMax = PMax.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpConnectionOffloadPmax

Description

TCP: Connection Tcb status = Status, Interface = Interface, PMax = PMax.

Message #

TCP: Connection %1 status = %2, Interface = %3, PMax = %4.

Fields #

Name	Description
`Tcb` Pointer
`Status` UInt32	NTSTATUS reference
`Interface` UInt32
`PMax` UInt32

Event ID 1114: IP: DAD successful for IP address = IPv4Address IPProtocol IPv6Address on interface = Interface, protocol = Protocol.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpDadSuccessful

Description

IP: DAD successful for IP address = IPv4Address IPProtocol IPv6Address on interface = Interface, protocol = Protocol.

Message #

IP: DAD successful for IP address = %7 %9 %8 on interface = %1, protocol = %2.

Fields #

Name	Description
`Interface` UInt32
`Protocol` AnsiString	Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`DadState` UInt32
`DlAddrLength` UInt32
`DLAddress` Binary
`IpAddrLength` UInt32
`IPv4Address` UInt32
`IPv6Address` Binary
`IPProtocol` UInt32
`CompartmentId` UInt32

Event ID 1115: IP: DAD failed for IP address = IPv4Address IPProtocol IPv6Address on interface = Interface, protocol = Protocol, DL address of packet = DLAddress.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpDadFailed

Description

IP: DAD failed for IP address = IPv4Address IPProtocol IPv6Address on interface = Interface, protocol = Protocol, DL address of packet = DLAddress.

Message #

IP: DAD failed for IP address = %7 %9 %8 on interface = %1, protocol = %2, DL address of packet = %5.

Fields #

Name	Description
`Interface` UInt32
`Protocol` AnsiString	Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`DadState` UInt32
`DlAddrLength` UInt32
`DLAddress` Binary
`IpAddrLength` UInt32
`IPv4Address` UInt32
`IPv6Address` Binary
`IPProtocol` UInt32
`CompartmentId` UInt32

Event ID 1116: IP: DAD started for IP address = IPv4Address IPProtocol IPv6Address on interface = Interface, protocol = Protocol.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpDadStarted

Description

IP: DAD started for IP address = IPv4Address IPProtocol IPv6Address on interface = Interface, protocol = Protocol.

Message #

IP: DAD started for IP address = %7 %9 %8 on interface = %1, protocol = %2.

Fields #

Name	Description
`Interface` UInt32
`Protocol` AnsiString	Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`DadState` UInt32
`DlAddrLength` UInt32
`DLAddress` Binary
`IpAddrLength` UInt32
`IPv4Address` UInt32
`IPv6Address` Binary
`IPProtocol` UInt32
`CompartmentId` UInt32

Event ID 1117: TCP: listener (sockaddr=SocketAddress PID=ProcessId) activation failed: address family not attached.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpListenerActivationFailedAf

Description

TCP: listener (sockaddr=SocketAddress PID=ProcessId) activation failed: address family not attached.

Message #

TCP: listener (sockaddr=%3 PID=%5) activation failed: address family not attached.

Fields #

Name	Description
`Listener` Pointer
`AddressLength` UInt32
`SocketAddress` Binary
`Status` UInt32	NTSTATUS reference
`ProcessId` UInt32
`CompartmentId` UInt32
`AddressFamily` UInt32
`ProcessStartKey` UInt64

Event ID 1118: TCP: listener Listener (family=AddressFamily PID=ProcessId) activation failed: compartment CompartmentId not found.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpListenerActivationFailedCompartment

Description

TCP: listener Listener (family=AddressFamily PID=ProcessId) activation failed: compartment CompartmentId not found. Status=Status.

Message #

TCP: listener %1 (family=%7 PID=%5) activation failed: compartment %6 not found. Status=%4.

Fields #

Name	Description
`Listener` Pointer
`AddressLength` UInt32
`SocketAddress` Binary
`Status` UInt32	NTSTATUS reference
`ProcessId` UInt32
`CompartmentId` UInt32
`AddressFamily` UInt32
`ProcessStartKey` UInt64

Event ID 1119: TCP: listener Listener (family=AddressFamily PID=ProcessId) activation failed: inspection status=Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpListenerActivationFailedInspection1

Description

TCP: listener Listener (family=AddressFamily PID=ProcessId) activation failed: inspection status=Status.

Message #

TCP: listener %1 (family=%7 PID=%5) activation failed: inspection status=%4.

Fields #

Name	Description
`Listener` Pointer
`AddressLength` UInt32
`SocketAddress` Binary
`Status` UInt32	NTSTATUS reference
`ProcessId` UInt32
`CompartmentId` UInt32
`AddressFamily` UInt32
`ProcessStartKey` UInt64

Event ID 1120: TCP: listener Listener (sockaddr=SocketAddress) activation failed: inspection status=Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpListenerActivationFailedInspection2

Description

TCP: listener Listener (sockaddr=SocketAddress) activation failed: inspection status=Status.

Message #

TCP: listener %1 (sockaddr=%3) activation failed: inspection status=%4.

Fields #

Name	Description
`Listener` Pointer
`AddressLength` UInt32
`SocketAddress` Binary
`Status` UInt32	NTSTATUS reference
`ProcessId` UInt32
`CompartmentId` UInt32
`AddressFamily` UInt32
`ProcessStartKey` UInt64

Event ID 1121: TCP: listener Listener (sockaddr=SocketAddress) bind failed: port-acquisition status=Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpListenerBindFailedResolution

Description

TCP: listener Listener (sockaddr=SocketAddress) bind failed: port-acquisition status=Status.

Message #

TCP: listener %1 (sockaddr=%3) bind failed: port-acquisition status=%4.

Fields #

Name	Description
`Listener` Pointer
`AddressLength` UInt32
`SocketAddress` Binary
`Status` UInt32	NTSTATUS reference
`ProcessId` UInt32
`CompartmentId` UInt32
`AddressFamily` UInt32
`ProcessStartKey` UInt64

Event ID 1122: TCP: listener Listener (family=AddressFamily PID=ProcessId) bind failed: address SocketAddress cannot be resolved (Status=Status).

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpListenerBindFailedPort

Description

TCP: listener Listener (family=AddressFamily PID=ProcessId) bind failed: address SocketAddress cannot be resolved (Status=Status).

Message #

TCP: listener %1 (family=%7 PID=%5) bind failed: address %3 cannot be resolved (Status=%4).

Fields #

Name	Description
`Listener` Pointer
`AddressLength` UInt32
`SocketAddress` Binary
`Status` UInt32	NTSTATUS reference
`ProcessId` UInt32
`CompartmentId` UInt32
`AddressFamily` UInt32
`ProcessStartKey` UInt64

Event ID 1123: TCP: listener Listener (sockaddr=SocketAddress) activated.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpListenerActivated

Description

TCP: listener Listener (sockaddr=SocketAddress) activated.

Message #

TCP: listener %1 (sockaddr=%3) activated.

Fields #

Name	Description
`Listener` Pointer
`AddressLength` UInt32
`SocketAddress` Binary
`Status` UInt32	NTSTATUS reference
`ProcessId` UInt32
`CompartmentId` UInt32
`AddressFamily` UInt32
`ProcessStartKey` UInt64

Event ID 1124: TCP: listener Listener (sockaddr=SocketAddress) unbound.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpListenerUnbound

Description

TCP: listener Listener (sockaddr=SocketAddress) unbound.

Message #

TCP: listener %1 (sockaddr=%3) unbound.

Fields #

Name	Description
`Listener` Pointer
`AddressLength` UInt32
`SocketAddress` Binary
`Status` UInt32	NTSTATUS reference
`ProcessId` UInt32
`CompartmentId` UInt32
`AddressFamily` UInt32
`ProcessStartKey` UInt64

Event ID 1127: IP: IP address = IPv4Address IPProtocol IPv6Address added on interface = Interface, Protocol = Protocol.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpAddressAdded

Description

IP: IP address = IPv4Address IPProtocol IPv6Address added on interface = Interface, Protocol = Protocol.

Message #

IP: IP address = %7 %9 %8 added on interface = %1, Protocol = %2.

Fields #

Name	Description
`Interface` UInt32
`Protocol` AnsiString	Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`DadState` UInt32
`DlAddrLength` UInt32
`DLAddress` Binary
`IpAddrLength` UInt32
`IPv4Address` UInt32
`IPv6Address` Binary
`IPProtocol` UInt32
`CompartmentId` UInt32
`PrefixOrigin` UInt32
`SuffixOrigin` UInt32

Event ID 1128: IP: IP address = IPv4Address IPProtocol IPv6Address deleted on interface = Interface, Protocol = Protocol.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpAddressDeleted

Description

IP: IP address = IPv4Address IPProtocol IPv6Address deleted on interface = Interface, Protocol = Protocol.

Message #

IP: IP address = %7 %9 %8 deleted on interface = %1, Protocol = %2.

Fields #

Name	Description
`Interface` UInt32
`Protocol` AnsiString	Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`DadState` UInt32
`DlAddrLength` UInt32
`DLAddress` Binary
`IpAddrLength` UInt32
`IPv4Address` UInt32
`IPv6Address` Binary
`IPProtocol` UInt32
`CompartmentId` UInt32

Event ID 1130: Framing: Interface operation status change.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: FramingIfOperStatus

Description

Framing: Interface Interface Operational Status = OperationalStatus, Operational Status Flags = Status.

Message #

Framing: Interface %1 Operational Status = %2, Operational Status Flags = %3.

Fields #

Name	Description
`Interface` UInt32
`OperationalStatus` UInt32
`Status` UInt64	NTSTATUS reference
`CompartmentId` UInt32

Event ID 1136: Framing: NDIS pause event on interface InterfaceIndex.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: FramingNdisPause

Description

Framing: NDIS pause event on interface InterfaceIndex.

Message #

Framing: NDIS pause event on interface %1.

Fields #

Name	Description
`InterfaceIndex` UInt32
`TraceString` AnsiString
`CompartmentId` UInt32

Event ID 1137: Framing: NDIS restart event on interface InterfaceIndex.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: FramingNdisRestart

Description

Framing: NDIS restart event on interface InterfaceIndex.

Message #

Framing: NDIS restart event on interface %1.

Fields #

Name	Description
`InterfaceIndex` UInt32
`TraceString` AnsiString
`CompartmentId` UInt32

Event ID 1138: IP: IP address = IPv4Address IPProtocol IPv6Address state changed to Preferred.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpAddressStatePreferred

Description

IP: IP address = IPv4Address IPProtocol IPv6Address state changed to Preferred. Interface = Interface.

Message #

IP: IP address = %7 %9 %8 state changed to Preferred. Interface = %1.

Fields #

Name	Description
`Interface` UInt32
`Protocol` AnsiString	Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`DadState` UInt32
`DlAddrLength` UInt32
`DLAddress` Binary
`IpAddrLength` UInt32
`IPv4Address` UInt32
`IPv6Address` Binary
`IPProtocol` UInt32

Event ID 1139: IP: IP address = IPv4Address IPProtocol IPv6Address state changed to Non-preferred.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpAddressStateNonPreferred

Description

IP: IP address = IPv4Address IPProtocol IPv6Address state changed to Non-preferred. Interface = Interface. DadState = DadState.

Message #

IP: IP address = %7 %9 %8 state changed to Non-preferred. Interface = %1. DadState = %3.

Fields #

Name	Description
`Interface` UInt32
`Protocol` AnsiString	Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`DadState` UInt32
`DlAddrLength` UInt32
`DLAddress` Binary
`IpAddrLength` UInt32
`IPv4Address` UInt32
`IPv6Address` Binary
`IPProtocol` UInt32

Event ID 1144: IP: Interface Interface property change.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpInterfacePropertyChange

Description

IP: Interface Interface property change. Advertise= Advertise, AdvertiseDefaultRoute = AdvertiseDefaultRoute, Forward = Forward, ForwardMulticast = ForwardMulticast, UseNud = UseNud, AdvertisingEnabled = AdvertisingEnabled.

Message #

IP: Interface %1 property change. Advertise= %2, AdvertiseDefaultRoute = %3, Forward = %4, ForwardMulticast = %5, UseNud = %6, AdvertisingEnabled = %7.

Fields #

Name	Description
`Interface` UInt32
`Advertise` UInt32
`AdvertiseDefaultRoute` UInt32
`Forward` UInt32
`ForwardMulticast` UInt32
`UseNud` UInt32
`AdvertisingEnabled` UInt32
`WeakHostSend` UInt32
`WeakHostReceive` UInt32
`CompartmentId` UInt32
`AddressFamily` UInt32
`StrictSourceForwarding` UInt32

Event ID 1145: IP: Route Route created on interface Interface.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpRouteCreated

Description

IP: Route Route created on interface Interface. Protocol = DestinationPrefix, DestinationPrefix = IPUnicastroutedeletionreason %18 NextHopAddress /NextHopAddressLength, Nexthop = %17 %18 DestinationPrefixLength, ValidLifetime = ValidLifetime, PreferredLifetime = PreferredLifetime.

Message #

IP: Route %1 created on interface %2. Protocol = %5, DestinationPrefix = %16 %18 %7 /%6, Nexthop = %17 %18 %8, ValidLifetime = %9, PreferredLifetime = %10.

Fields #

Name	Description
`Route` Pointer
`Interface` UInt32
`CompartmentId` UInt32
`DestinationPrefixAddressLength` UInt32
`DestinationPrefix` Binary
`NextHopAddressLength` UInt32
`NextHopAddress` Binary
`DestinationPrefixLength` UInt32
`ValidLifetime` UInt64
`PreferredLifetime` UInt64
`Metric` UInt32
`Loopback` UInt32
`AutoconfigureAddress` UInt32
`Publish` UInt32
`Immortal` UInt32
`IPUnicastroutedeletionreason` UInt32

Event ID 1146: IP: Route Route deleted on interface Interface, Protocol = DestinationPrefix, DestinationPrefix = IPUnicastroutedeletionreason %18 NextHopAddress /NextHopAddressLength, Nexthop = %17 %18 Destinatio...

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpRouteDeleted

Description

IP: Route Route deleted on interface Interface, Protocol = DestinationPrefix, DestinationPrefix = IPUnicastroutedeletionreason %18 NextHopAddress /NextHopAddressLength, Nexthop = %17 %18 DestinationPrefixLength, ValidLifetime = ValidLifetime, PreferredLifetime = PreferredLifetime, Reason = %19.

Message #

IP: Route %1 deleted on interface %2, Protocol = %5, DestinationPrefix = %16 %18 %7 /%6, Nexthop = %17 %18 %8, ValidLifetime = %9, PreferredLifetime = %10, Reason = %19.

Fields #

Name	Description
`Route` Pointer
`Interface` UInt32
`CompartmentId` UInt32
`DestinationPrefixAddressLength` UInt32
`DestinationPrefix` Binary
`NextHopAddressLength` UInt32
`NextHopAddress` Binary
`DestinationPrefixLength` UInt32
`ValidLifetime` UInt64
`PreferredLifetime` UInt64
`Metric` UInt32
`Loopback` UInt32
`AutoconfigureAddress` UInt32
`Publish` UInt32
`Immortal` UInt32
`IPUnicastroutedeletionreason` UInt32

Event ID 1147: IP: Route Route property change.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpRoutePropertyChange

Description

IP: Route Route property change. Interface = Interface, Compartment = CompartmentId, DestinationPrefix = DestinationPrefix/DestinationPrefixLength, Nexthop = NextHopAddress. Properties: ValidLifetime = ValidLifetime, PreferredLifetime = PreferredLifetime, Metric = Metric, Loopback = Loopback, AutoconfigureAddress = AutoconfigureAddress, Publish = Publish, Immortal = Immortal.

Message #

IP: Route %1 property change. Interface = %2, Protocol = %5, DestinationPrefix = %16 %18 %7 /%6, Nexthop = %17 %18 %8. Properties: ValidLifetime = %9, PreferredLifetime = %10, Metric = %11, Loopback = %12, AutoconfigureAddress = %13, Publish = %14, Immortal = %15.

Fields #

Name	Description
`Route` Pointer
`Interface` UInt32
`CompartmentId` UInt32
`DestinationPrefixAddressLength` UInt32
`DestinationPrefix` Binary
`NextHopAddressLength` UInt32
`NextHopAddress` Binary
`DestinationPrefixLength` UInt32
`ValidLifetime` UInt64
`PreferredLifetime` UInt64
`Metric` UInt32
`Loopback` UInt32
`AutoconfigureAddress` UInt32
`Publish` UInt32
`Immortal` UInt32
`IPUnicastroutedeletionreason` UInt32

Event ID 1148: IP: Neighbor unreachable.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpNeighborUnreachable

Description

IP: Neighbor unreachable. Interface Interface, IP address = IPv4Address IPProtocol IPv6Address.

Message #

IP: Neighbor unreachable. Interface %1, IP address = %5 %7 %6.

Fields #

Name	Description
`Interface` UInt32
`DlAddrLength` UInt32
`DlAddress` Binary
`IpAddrLength` UInt32
`IPv4Address` UInt32
`IPv6Address` Binary
`IPProtocol` UInt32

Event ID 1149: IP: Neighbor reachable.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpNeighborReachable

Description

IP: Neighbor reachable. Interface Interface, IP address = IPv4Address IPProtocol IPv6Address, DlAddress = DlAddress.

Message #

IP: Neighbor reachable. Interface %1, IP address = %5 %7 %6, DlAddress = %3.

Fields #

Name	Description
`Interface` UInt32
`DlAddrLength` UInt32
`DlAddress` Binary
`IpAddrLength` UInt32
`IPv4Address` UInt32
`IPv6Address` Binary
`IPProtocol` UInt32

Event ID 1150: TCP: CTCP DataTransferTimeout event.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpCtcpDataTransferTimeout

Description

TCP: CTCP DataTransferTimeout event. Connection Tcb, CWnd = Cwnd, SsThresh = SSThresh.

Message #

TCP: CTCP DataTransferTimeout event. Connection %1, CWnd = %2, SsThresh = %3.

Fields #

Name	Description
`Tcb` Pointer
`Cwnd` UInt32
`SSThresh` UInt32
`RttSample` UInt32
`NumBytes` UInt32
`SeqNo` UInt32
`SndUna` UInt32
`Round` UInt32
`SRTT` UInt32
`RTO` UInt32
`DWnd` UInt32
`BaseRtt` UInt32
`DupAckCount` UInt32

Event ID 1151: TCP: CTCP Cumulative Ack event Connection Tcb, sequence = SeqNo, CWnd = Cwnd, DWnd = DWnd, BaseRtt = BaseRtt.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpCtcpDataTransferCumAck

Description

TCP: CTCP Cumulative Ack event Connection Tcb, sequence = SeqNo, CWnd = Cwnd, DWnd = DWnd, BaseRtt = BaseRtt.

Message #

TCP: CTCP Cumulative Ack event Connection %1, sequence = %6, CWnd = %2, DWnd = %11, BaseRtt = %12.

Fields #

Name	Description
`Tcb` Pointer
`Cwnd` UInt32
`SSThresh` UInt32
`RttSample` UInt32
`NumBytes` UInt32
`SeqNo` UInt32
`SndUna` UInt32
`Round` UInt32
`SRTT` UInt32
`RTO` UInt32
`DWnd` UInt32
`BaseRtt` UInt32
`DupAckCount` UInt32

Event ID 1152: TCP: CTCP Duplicate Ack event.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpCtcpDataTransferDupAck

Description

TCP: CTCP Duplicate Ack event. Connection Tcb, sequence = SeqNo, SndUna = SndUna, CWnd = Cwnd, DWnd = DWnd, BaseRtt = BaseRtt, DupAckCount = DupAckCount.

Message #

TCP: CTCP Duplicate Ack event. Connection %1, sequence = %6, SndUna = %7, CWnd = %2, DWnd = %11, BaseRtt = %12, DupAckCount = %13.

Fields #

Name	Description
`Tcb` Pointer
`Cwnd` UInt32
`SSThresh` UInt32
`RttSample` UInt32
`NumBytes` UInt32
`SeqNo` UInt32
`SndUna` UInt32
`Round` UInt32
`SRTT` UInt32
`RTO` UInt32
`DWnd` UInt32
`BaseRtt` UInt32
`DupAckCount` UInt32

Event ID 1153: TCP: CTCP Send event.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpCtcpDataTransferSend

Description

TCP: CTCP Send event. Connection Tcb, sequence = SeqNo, length = NumBytes.

Message #

TCP: CTCP Send event. Connection %1, sequence = %6, length = %5.

Fields #

Name	Description
`Tcb` Pointer
`Cwnd` UInt32
`SSThresh` UInt32
`RttSample` UInt32
`NumBytes` UInt32
`SeqNo` UInt32
`SndUna` UInt32
`Round` UInt32
`SRTT` UInt32
`RTO` UInt32
`DWnd` UInt32
`BaseRtt` UInt32
`DupAckCount` UInt32

Event ID 1154: TCP: CTCP ECN event.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpCtcpDataTransferEcn

Description

TCP: CTCP ECN event. Connection Tcb, CWnd Cwnd, SndUna = SndUna, Mss = Mss, DWnd = DWnd, BaseRtt = BaseRtt.

Message #

TCP: CTCP ECN event. Connection %1, CWnd %2, SndUna = %4, Mss = %5, DWnd = %7, BaseRtt = %8.

Fields #

Name	Description
`Tcb` Pointer
`Cwnd` UInt32
`SSThresh` UInt32
`SndUna` UInt32
`Mss` UInt32
`ThAck` UInt32
`DWnd` UInt32
`BaseRtt` UInt32

Event ID 1155: TCP: CTCP Spurious timeout event.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpCtcpDataTransferSpuriousTimeout

Description

TCP: CTCP Spurious timeout event. Connection Tcb, CWnd = Cwnd, SsThresh = SSThresh.

Message #

TCP: CTCP Spurious timeout event. Connection %1, CWnd = %2, SsThresh = %3.

Fields #

Name	Description
`Tcb` Pointer
`Cwnd` UInt32
`SSThresh` UInt32
`RttSample` UInt32
`NumBytes` UInt32
`SeqNo` UInt32
`SndUna` UInt32
`Round` UInt32
`SRTT` UInt32
`RTO` UInt32
`DWnd` UInt32
`BaseRtt` UInt32
`DupAckCount` UInt32

Event ID 1156: TCP: connection Tcb, delivery Delivery, Request Request posted for NumBytes bytes, flags = RequestFlags.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpReceiveRequest

Description

TCP: connection Tcb, delivery Delivery, Request Request posted for NumBytes bytes, flags = RequestFlags. RcvNxt = RcvNxt.

Message #

TCP: connection %1, delivery %2, Request %3  posted for %4 bytes, flags = %5. RcvNxt = %10.

Fields #

Name	Description
`Tcb` Pointer
`Delivery` Pointer
`Request` Pointer
`NumBytes` Pointer
`RequestFlags` UInt32
`Length` Pointer
`RequestStatus` UInt32
`IsUrgentDelivery` UInt32
`FullySatisfiedORDelayedPush` UInt32
`RcvNxt` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1156",
    "version": "0",
    "level": "4",
    "task": "1156",
    "opcode": "0",
    "keywords": 9223372045444710400,
    "time_created": "2026-03-16T00:21:34.389030100+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{1018b560-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "4168",
      "thread_id": "6880"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A1018B560",
    "Delivery": "0xFFFF980A1018B790",
    "Request": "0xFFFF980A15EC82E0",
    "NumBytes": "0x6",
    "RequestFlags": "       0",
    "Length": "0x0",
    "RequestStatus": "0x0",
    "IsUrgentDelivery": "       0",
    "FullySatisfiedORDelayedPush": "       0",
    "RcvNxt": "3537939053"
  },
  "message": ""
}

Event ID 1157: TCP: connection Tcb delivery Delivery indicated NumBytes bytes accepted Length bytes, status = RequestStatus.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: Informational
Task: TcpDeliveryIndicated

Description

TCP: connection Tcb delivery Delivery indicated NumBytes bytes accepted Length bytes, status = RequestStatus. RcvNxt = RcvNxt.

Message #

TCP: connection %1 delivery %2 indicated %4 bytes accepted %6 bytes, status = %7. RcvNxt = %10.

Fields #

Name	Description
`Tcb` Pointer
`Delivery` Pointer
`Request` Pointer
`NumBytes` Pointer
`RequestFlags` UInt32
`Length` Pointer
`RequestStatus` UInt32
`IsUrgentDelivery` UInt32
`FullySatisfiedORDelayedPush` UInt32
`RcvNxt` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1157",
    "version": "0",
    "level": "4",
    "task": "1157",
    "opcode": "0",
    "keywords": 9223372045444710400,
    "time_created": "2026-03-16T00:21:34.418359700+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{1018b560-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "4",
      "thread_id": "8632"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A1018B560",
    "Delivery": "0xFFFF980A1018B790",
    "Request": "0x0",
    "NumBytes": "0x6",
    "RequestFlags": "       0",
    "Length": "0x0",
    "RequestStatus": "0xC000021B",
    "IsUrgentDelivery": "       0",
    "FullySatisfiedORDelayedPush": "       0",
    "RcvNxt": "3537939065"
  },
  "message": ""
}

Event ID 1158: TCP: connection Tcb delivery Delivery satisfied NumBytes bytes Length requested.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpDeliverySatisfied

Description

TCP: connection Tcb delivery Delivery satisfied NumBytes bytes Length requested. IsFullySatisfied = FullySatisfiedORDelayedPush. RcvNxt = RcvNxt.

Message #

TCP: connection %1 delivery %2 satisfied %4 bytes %6 requested. IsFullySatisfied = %9. RcvNxt = %10.

Fields #

Name	Description
`Tcb` Pointer
`Delivery` Pointer
`Request` Pointer
`NumBytes` Pointer
`RequestFlags` UInt32
`Length` Pointer
`RequestStatus` UInt32
`IsUrgentDelivery` UInt32
`FullySatisfiedORDelayedPush` UInt32
`RcvNxt` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1158",
    "version": "0",
    "level": "4",
    "task": "1158",
    "opcode": "0",
    "keywords": 9223372045444710400,
    "time_created": "2026-03-16T00:21:34.390668300+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{1018b560-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "4248",
      "thread_id": "4684"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A1018B560",
    "Delivery": "0xFFFF980A1018B790",
    "Request": "0xFFFF980A15EC82E0",
    "NumBytes": "0x6",
    "RequestFlags": "       0",
    "Length": "0x6",
    "RequestStatus": "0x0",
    "IsUrgentDelivery": "       0",
    "FullySatisfiedORDelayedPush": "       1",
    "RcvNxt": "3537939053"
  },
  "message": ""
}

Event ID 1159: TCP: connection Tcb send Injected NumBytes bytes at SndNxt.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: Informational
Task: TcpSendPosted

Description

TCP: connection Tcb send Injected NumBytes bytes at SndNxt.

Message #

TCP: connection %1 send %2 %3 bytes at %4.

Fields #

Name	Description
`Tcb` Pointer
`Injected` UnicodeString
`NumBytes` UInt32
`SndNxt` UInt32
`SendAvailable` UInt32
`ActivityID` Pointer
`SndLimBytesSnd` UInt64
`SndLimBytesRwin` UInt64
`SndLimBytesCwnd` UInt64
`CWnd` UInt32
`SRtt` UInt32
`LossRecoveryEpisodes` UInt32
`RtoEpisodes` UInt32
`PtoEpisodes` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1159",
    "version": "0",
    "level": "4",
    "task": "1159",
    "opcode": "0",
    "keywords": 9223372041149743104,
    "time_created": "2026-03-16T00:21:34.388647300+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{1018b560-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "4168",
      "thread_id": "6880"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A1018B560",
    "Injected": "posted",
    "NumBytes": "    1303",
    "SndNxt": "2307521250"
  },
  "message": ""
}

Event ID 1160: TCP: connection Tcb send transmitted NumBytes bytes at SndNxt.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: Verbose
Task: TcpSendTransmitted

Description

TCP: connection Tcb send transmitted NumBytes bytes at SndNxt.

Message #

TCP: connection %1 send transmitted %3 bytes at %4.

Fields #

Name	Description
`Tcb` Pointer
`Injected` UnicodeString
`NumBytes` UInt32
`SndNxt` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1160",
    "version": "0",
    "level": "5",
    "task": "1160",
    "opcode": "0",
    "keywords": 9223372041149743104,
    "time_created": "2026-03-16T00:21:34.388761700+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{1018b560-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "4168",
      "thread_id": "6880"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A1018B560",
    "Injected": "",
    "NumBytes": "    1303",
    "SndNxt": "2307521250"
  },
  "message": ""
}

Event ID 1161: TCP: connection Tcb send advance NumBytes bytes at SndNxt.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: Verbose
Task: TcpSendAdvance

Description

TCP: connection Tcb send advance NumBytes bytes at SndNxt.

Message #

TCP: connection %1 send advance %3 bytes at %4.

Fields #

Name	Description
`Tcb` Pointer
`Injected` UnicodeString
`NumBytes` UInt32
`SndNxt` UInt32
`SendAvailable` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1161",
    "version": "0",
    "level": "5",
    "task": "1161",
    "opcode": "0",
    "keywords": 9223372041149743104,
    "time_created": "2026-03-16T00:21:34.390443300+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{1018b560-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "4248",
      "thread_id": "4684"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A1018B560",
    "Injected": "",
    "NumBytes": "    1303",
    "SndNxt": "2307521250"
  },
  "message": ""
}

Event ID 1162: TCP: CTcp: Connection Tcb Delay window has not kicked in.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpCTcpDelayWndwInactive

Description

TCP: CTcp: Connection Tcb Delay window has not kicked in.

Message #

TCP: CTcp: Connection %1 Delay window has not kicked in.

Fields #

Name	Description
`Tcb` Pointer
`Status` UInt32	NTSTATUS reference
`AddressFamily` UInt32

Event ID 1163: TCP: CTcp: Allocated blocks: AssignedBlocks; Assigned blocks: AllocatedBlocks.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpCTcpAssignedBlocks

Description

TCP: CTcp: Allocated blocks: AssignedBlocks; Assigned blocks: AllocatedBlocks.

Message #

TCP: CTcp: Allocated blocks: %1; Assigned blocks: %2.

Fields #

Name	Description
`AssignedBlocks` UInt32
`AllocatedBlocks` UInt32

Event ID 1164: TCP: CTcp: Connection Tcb, DWnd = DWnd (Prev = PrevDWnd), BaseRtt = BaseRtt, AverageRtt = AvgRtt, CWnd =Cwnd, DiffWnd = DiffWnd, DWnd increment = DwndIncrement.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpCTcpCongestionWndw

Description

TCP: CTcp: Connection Tcb, DWnd = DWnd (Prev = PrevDWnd), BaseRtt = BaseRtt, AverageRtt = AvgRtt, CWnd =Cwnd, DiffWnd = DiffWnd, DWnd increment = DwndIncrement.

Message #

TCP: CTcp: Connection %1, DWnd = %2 (Prev = %3), BaseRtt = %4, AverageRtt = %5, CWnd =%6, DiffWnd = %7, DWnd increment = %8.

Fields #

Name	Description
`Tcb` Pointer
`DWnd` UInt32
`PrevDWnd` UInt32
`BaseRtt` UInt32
`AvgRtt` UInt32
`Cwnd` UInt32
`DiffWnd` UInt32
`DwndIncrement` UInt32

Event ID 1165: TCP: CTcp: Gamma Autotuning: Connection Tcb Updated Gamma Gamma, Average backlog AverageBacklog, Average backlog across LFPs AverageBacklogAcrossLFP.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpCTcpGamma

Description

TCP: CTcp: Gamma Autotuning: Connection Tcb Updated Gamma Gamma, Average backlog AverageBacklog, Average backlog across LFPs AverageBacklogAcrossLFP.

Message #

TCP: CTcp: Gamma Autotuning: Connection %1 Updated Gamma %2, Average backlog %3, Average backlog across LFPs %4.

Fields #

Name	Description
`Tcb` Pointer
`Gamma` UInt32
`AverageBacklog` UInt32
`AverageBacklogAcrossLFP` UInt32

Event ID 1166: TCP: connection Tcb SRTT measurement started (seq = SeqNum, tick = Tick).

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpSrttMeasurementStarted

Description

TCP: connection Tcb SRTT measurement started (seq = SeqNum, tick = Tick).

Message #

TCP: connection %1 SRTT measurement started (seq = %2, tick = %3).

Fields #

Name	Description
`Tcb` Pointer
`SeqNum` UInt32
`Tick` UInt32
`RttSample` UInt32
`NewSrtt` UInt32

Event ID 1167: TCP: connection Tcb SRTT measurement complete (tick = Tick, sample = RttSample ms, new srtt = NewSrtt ms).

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: Informational
Task: TcpSrttMeasurementComplete

Description

TCP: connection Tcb SRTT measurement complete (tick = Tick, sample = RttSample ms, new srtt = NewSrtt ms).

Message #

TCP: connection %1 SRTT measurement complete (tick = %3, sample = %4 ms, new srtt = %5 ms).

Fields #

Name	Description
`Tcb` Pointer
`SeqNum` UInt32
`Tick` UInt32
`RttSample` UInt32
`NewSrtt` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1167",
    "version": "0",
    "level": "4",
    "task": "1167",
    "opcode": "0",
    "keywords": 9223372041149743104,
    "time_created": "2026-03-15T23:26:13.268231300+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{ff7af7e0-d78f-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "4200",
      "thread_id": "7084"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFFD78FFF7AF7E0",
    "SeqNum": "       0",
    "Tick": "66907815",
    "RttSample": "       0",
    "NewSrtt": "       0"
  },
  "message": ""
}

Event ID 1168: TCP: connection Tcb: SRTT measurement cancelled.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Verbose
Task: TcpSrttMeasurementCancelled

Description

TCP: connection Tcb: SRTT measurement cancelled.

Message #

TCP: connection %1: SRTT measurement cancelled.

Fields #

Name	Description
`Tcb` Pointer
`SeqNum` UInt32
`Tick` UInt32
`RttSample` UInt32
`NewSrtt` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1168",
    "version": "0",
    "level": "5",
    "task": "1168",
    "opcode": "0",
    "keywords": 9223372041149743104,
    "time_created": "2026-03-15T23:27:12.440661100+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{fd182260-d78f-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFFD78FFD182260",
    "SeqNum": "       0",
    "Tick": "       0",
    "RttSample": "       0",
    "NewSrtt": "       0"
  },
  "message": ""
}

Event ID 1169: UDP: endpoint Endpoint (LocalAddress = LocalSockAddr, RemoteAddress = RemoteSockAddr) sending NumMessages messages and a total of NumBytes bytes.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: Informational
Task: UdpEndpointSendMessages

Description

UDP: endpoint Endpoint (LocalAddress = LocalSockAddr, RemoteAddress = RemoteSockAddr) sending NumMessages messages and a total of NumBytes bytes. PID = Pid.

Message #

UDP: endpoint %1 (LocalAddress = %5, RemoteAddress = %7) sending %2 messages and a total of %3 bytes. PID = %8.

Fields #

Name	Description
`Endpoint` Pointer
`NumMessages` UInt32
`NumBytes` UInt32
`LocalSockAddrLength` UInt32
`LocalSockAddr` Binary
`RemoteSockAddrLength` UInt32
`RemoteSockAddr` Binary
`Pid` UInt32
`ProcessStartKey` UInt64

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1169",
    "version": "0",
    "level": "4",
    "task": "1169",
    "opcode": "0",
    "keywords": 9223372041149743104,
    "time_created": "2026-03-16T00:21:40.078234200+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{11735e80-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "228",
      "thread_id": "8220"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Endpoint": "0xFFFF980A11735E80",
    "NumMessages": "       1",
    "NumBytes": "      63",
    "LocalSockAddrLength": "      28",
    "LocalSockAddr": "[::ffff:0:0]:53893",
    "RemoteSockAddrLength": "      28",
    "RemoteSockAddr": "[::ffff:10.2.10.11]:53",
    "Pid": "     228"
  },
  "message": ""
}

Event ID 1170: UDP: endpoint Endpoint (LocalAddress = LocalSockAddr, RemoteAddress = RemoteSockAddr) delivering NumBytes bytes.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: Informational
Task: UdpEndpointReceiveMessages

Description

UDP: endpoint Endpoint (LocalAddress = LocalSockAddr, RemoteAddress = RemoteSockAddr) delivering NumBytes bytes. PID = Pid.

Message #

UDP: endpoint %1 (LocalAddress = %5, RemoteAddress = %7) delivering %3 bytes. PID = %8.

Fields #

Name	Description
`Endpoint` Pointer
`NumMessages` UInt32
`NumBytes` UInt32
`LocalSockAddrLength` UInt32
`LocalSockAddr` Binary
`RemoteSockAddrLength` UInt32
`RemoteSockAddr` Binary
`Pid` UInt32
`ProcessStartKey` UInt64

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1170",
    "version": "0",
    "level": "4",
    "task": "1170",
    "opcode": "0",
    "keywords": 9223372045444710400,
    "time_created": "2026-03-16T00:21:40.117082900+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{11735e80-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Endpoint": "0xFFFF980A11735E80",
    "NumMessages": "       0",
    "NumBytes": "     186",
    "LocalSockAddrLength": "      28",
    "LocalSockAddr": "[::ffff:10.2.10.21]:53893",
    "RemoteSockAddrLength": "      28",
    "RemoteSockAddr": "[::ffff:10.2.10.11]:53",
    "Pid": "     228"
  },
  "message": ""
}

Event ID 1171: TCP: connection Tcb delivery Delivery flushing NumBytes bytes Length requested status = RequestStatus.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: Verbose
Task: TcpDeliveryFlush

Description

TCP: connection Tcb delivery Delivery flushing NumBytes bytes Length requested status = RequestStatus.

Message #

TCP: connection %1 delivery %2 flushing %4 bytes %6 requested status = %7.

Fields #

Name	Description
`Tcb` Pointer
`Delivery` Pointer
`Request` Pointer
`NumBytes` Pointer
`RequestFlags` UInt32
`Length` Pointer
`RequestStatus` UInt32
`IsUrgentDelivery` UInt32
`FullySatisfiedORDelayedPush` UInt32
`RcvNxt` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1171",
    "version": "0",
    "level": "5",
    "task": "1171",
    "opcode": "0",
    "keywords": 9223372045444710400,
    "time_created": "2026-03-16T00:21:40.593480400+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{15ce6ae0-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "3688",
      "thread_id": "7552"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A15CE6AE0",
    "Delivery": "0xFFFF980A15CE6D10",
    "Request": "0xFFFF980A11C13950",
    "NumBytes": "0x0",
    "RequestFlags": "       0",
    "Length": "0x2000",
    "RequestStatus": "0xC0000120",
    "IsUrgentDelivery": "       0",
    "FullySatisfiedORDelayedPush": "       0",
    "RcvNxt": "       0"
  },
  "message": ""
}

Event ID 1172: TCP: Injecting receive on a shutdown TCB failed.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpTcbInjectRcvFailure

Description

TCP: Injecting receive on a shutdown TCB failed. TCB = Tcb.

Message #

TCP: Injecting receive on a shutdown TCB failed. TCB = %1.

Fields #

Name	Description
`Tcb` Pointer
`Delivery` Pointer
`Request` Pointer
`NumBytes` Pointer
`RequestFlags` UInt32
`Length` Pointer
`RequestStatus` UInt32
`IsUrgentDelivery` UInt32
`FullySatisfiedORDelayedPush` UInt32
`RcvNxt` UInt32

Event ID 1173: TCP: connection Tcb delivery Delivery injecting NumBytes bytes delta Length, IsUrgentDelivery = IsUrgentDelivery.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Verbose
Task: TcpDeliveryInjectingData

Description

TCP: connection Tcb delivery Delivery injecting NumBytes bytes delta Length, IsUrgentDelivery = IsUrgentDelivery.

Message #

TCP: connection %1 delivery %2 injecting %4 bytes delta %6, IsUrgentDelivery = %8.

Fields #

Name	Description
`Tcb` Pointer
`Delivery` Pointer
`Request` Pointer
`NumBytes` Pointer
`RequestFlags` UInt32
`Length` Pointer
`RequestStatus` UInt32
`IsUrgentDelivery` UInt32
`FullySatisfiedORDelayedPush` UInt32
`RcvNxt` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1173",
    "version": "0",
    "level": "5",
    "task": "1173",
    "opcode": "0",
    "keywords": 9223372045444710400,
    "time_created": "2026-03-16T00:23:28.315732300+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{0e584560-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "4",
      "thread_id": "7644"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A0E584560",
    "Delivery": "0xFFFF980A0E584790",
    "Request": "0x0",
    "NumBytes": "0x0",
    "RequestFlags": "       0",
    "Length": "0x70",
    "RequestStatus": "0x0",
    "IsUrgentDelivery": "       0",
    "FullySatisfiedORDelayedPush": "       0",
    "RcvNxt": "       0"
  },
  "message": ""
}

Event ID 1174: TCP: Injecting fin on a shutdown TCB failed.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpTcbInjectFinFailure

Description

TCP: Injecting fin on a shutdown TCB failed. TCB = Tcb.

Message #

TCP: Injecting fin on a shutdown TCB failed. TCB = %1.

Fields #

Name	Description
`Tcb` Pointer
`Delivery` Pointer
`Request` Pointer
`NumBytes` Pointer
`RequestFlags` UInt32
`Length` Pointer
`RequestStatus` UInt32
`IsUrgentDelivery` UInt32
`FullySatisfiedORDelayedPush` UInt32
`RcvNxt` UInt32

Event ID 1175: TCP: connection Tcb delivery Delivery accepting NumBytes bytes.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Verbose
Task: TcpDeliveryAccept

Description

TCP: connection Tcb delivery Delivery accepting NumBytes bytes. RcvNxt = RcvNxt.

Message #

TCP: connection %1 delivery %2 accepting %4 bytes. RcvNxt = %10.

Fields #

Name	Description
`Tcb` Pointer
`Delivery` Pointer
`Request` Pointer
`NumBytes` Pointer
`RequestFlags` UInt32
`Length` Pointer
`RequestStatus` UInt32
`IsUrgentDelivery` UInt32
`FullySatisfiedORDelayedPush` UInt32
`RcvNxt` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1175",
    "version": "0",
    "level": "5",
    "task": "1175",
    "opcode": "0",
    "keywords": 9223372045444710400,
    "time_created": "2026-03-16T00:22:29.058226900+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{1018b560-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A1018B560",
    "Delivery": "0xFFFF980A1018B790",
    "Request": "0x0",
    "NumBytes": "0x6",
    "RequestFlags": "       0",
    "Length": "0x0",
    "RequestStatus": "0x0",
    "IsUrgentDelivery": "       0",
    "FullySatisfiedORDelayedPush": "       0",
    "RcvNxt": "3537945353"
  },
  "message": ""
}

Event ID 1176: TCP: connection Tcb delivery Delivery delivering FIN.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpDeliveryFin

Description

TCP: connection Tcb delivery Delivery delivering FIN. RcvNxt = RcvNxt.

Message #

TCP: connection %1 delivery %2 delivering FIN. RcvNxt = %10.

Fields #

Name	Description
`Tcb` Pointer
`Delivery` Pointer
`Request` Pointer
`NumBytes` Pointer
`RequestFlags` UInt32
`Length` Pointer
`RequestStatus` UInt32
`IsUrgentDelivery` UInt32
`FullySatisfiedORDelayedPush` UInt32
`RcvNxt` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1176",
    "version": "0",
    "level": "4",
    "task": "1176",
    "opcode": "0",
    "keywords": 9223372045444710400,
    "time_created": "2026-03-16T00:21:38.731999900+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{0eee7560-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A0EEE7560",
    "Delivery": "0xFFFF980A0EEE7790",
    "Request": "0x0",
    "NumBytes": "0x0",
    "RequestFlags": "       0",
    "Length": "0x0",
    "RequestStatus": "0x0",
    "IsUrgentDelivery": "       0",
    "FullySatisfiedORDelayedPush": "       0",
    "RcvNxt": "2633618840"
  },
  "message": ""
}

Event ID 1178: TCP: connection Tcb delivery Delivery pushing NumBytes bytes Length requested.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpDeliveryPush

Description

TCP: connection Tcb delivery Delivery pushing NumBytes bytes Length requested. Delayed push = FullySatisfiedORDelayedPush.

Message #

TCP: connection %1 delivery %2 pushing %4 bytes %6 requested. Delayed push = %9.

Fields #

Name	Description
`Tcb` Pointer
`Delivery` Pointer
`Request` Pointer
`NumBytes` Pointer
`RequestFlags` UInt32
`Length` Pointer
`RequestStatus` UInt32
`IsUrgentDelivery` UInt32
`FullySatisfiedORDelayedPush` UInt32
`RcvNxt` UInt32

Event ID 1180: TCP: Injecting fin on TCB completed.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Verbose
Task: TcpTcbInjectFinComplete

Description

TCP: Injecting fin on TCB completed. TCB = Tcb, Processor = NumBytes.

Message #

TCP: Injecting fin on TCB completed. TCB = %1, Processor = %4.

Fields #

Name	Description
`Tcb` Pointer
`Delivery` Pointer
`Request` Pointer
`NumBytes` Pointer
`RequestFlags` UInt32
`Length` Pointer
`RequestStatus` UInt32
`IsUrgentDelivery` UInt32
`FullySatisfiedORDelayedPush` UInt32
`RcvNxt` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1180",
    "version": "0",
    "level": "5",
    "task": "1180",
    "opcode": "0",
    "keywords": 9223372045444710400,
    "time_created": "2026-03-16T00:23:59.852963300+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{14cde010-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "4",
      "thread_id": "13080"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A14CDE010",
    "Delivery": "0x0",
    "Request": "0x0",
    "NumBytes": "0xD",
    "RequestFlags": "       0",
    "Length": "0x0",
    "RequestStatus": "0x0",
    "IsUrgentDelivery": "       0",
    "FullySatisfiedORDelayedPush": "       0",
    "RcvNxt": "       0"
  },
  "message": ""
}

Event ID 1181: TCP: connection Tcb delivery Delivery urgent boundary completing NumBytes bytes Length requested.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpDeliveryCompleting

Description

TCP: connection Tcb delivery Delivery urgent boundary completing NumBytes bytes Length requested.

Message #

TCP: connection %1 delivery %2 urgent boundary completing %4 bytes %6 requested.

Fields #

Name	Description
`Tcb` Pointer
`Delivery` Pointer
`Request` Pointer
`NumBytes` Pointer
`RequestFlags` UInt32
`Length` Pointer
`RequestStatus` UInt32
`IsUrgentDelivery` UInt32
`FullySatisfiedORDelayedPush` UInt32
`RcvNxt` UInt32

Event ID 1182: TCP: connection Tcb (local=LocalAddress remote=RemoteAddress): initiating SYN/RST validation.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpInitiateSynRstValidation

Description

TCP: connection Tcb (local=LocalAddress remote=RemoteAddress): initiating SYN/RST validation.

Message #

TCP: connection %1 (local=%3 remote=%5): initiating SYN/RST validation.

Fields #

Name	Description
`Tcb` Pointer
`LocalAddressLength` UInt32
`LocalAddress` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary
`NewState` UInt32
`RexmitCount` UInt32

Event ID 1183: TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connect failed: received RST.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpConnectTcbFailedRcvdRst

Description

TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connect failed: received RST.

Message #

TCP: connection %1 (local=%3 remote=%5) connect failed: received RST.

Fields #

Name	Description
`Tcb` Pointer
`LocalAddressLength` UInt32
`LocalAddress` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary
`NewState` UInt32
`RexmitCount` UInt32

Event ID 1184: TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connection terminated: received RST.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: Informational
Task: TcpConnectionTerminatedRcvdRst

Description

TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connection terminated: received RST.

Message #

TCP: connection %1 (local=%3 remote=%5) connection terminated: received RST.

Fields #

Name	Description
`Tcb` Pointer
`LocalAddressLength` UInt32
`LocalAddress` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary
`NewState` UInt32
`RexmitCount` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1184",
    "version": "0",
    "level": "4",
    "task": "1184",
    "opcode": "0",
    "keywords": 9223372062624579712,
    "time_created": "2026-03-16T00:23:11.140010200+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{11ae9ae0-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A11AE9AE0",
    "LocalAddressLength": "      16",
    "LocalAddress": "10.2.10.21:53002",
    "RemoteAddressLength": "      16",
    "RemoteAddress": "10.2.10.11:445",
    "NewState": "       0",
    "RexmitCount": "       0"
  },
  "message": ""
}

Event ID 1185: TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connection terminated: received SYN in state NewState.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpConnectionTerminatedRcvdSyn

Description

TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connection terminated: received SYN in state NewState.

Message #

TCP: connection %1 (local=%3 remote=%5) connection terminated: received SYN in state %6.

Fields #

Name	Description
`Tcb` Pointer
`LocalAddressLength` UInt32
`LocalAddress` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary
`NewState` UInt32
`RexmitCount` UInt32

Event ID 1186: TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) retransmitting connect attempt, RexmitCount = RexmitCount.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: Informational
Task: TcpConnectRestransmit

Description

TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) retransmitting connect attempt, RexmitCount = RexmitCount.

Message #

TCP: connection %1 (local=%3 remote=%5) retransmitting connect attempt, RexmitCount = %7.

Fields #

Name	Description
`Tcb` Pointer
`LocalAddressLength` UInt32
`LocalAddress` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary
`NewState` UInt32
`RexmitCount` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1186",
    "version": "0",
    "level": "4",
    "task": "1186",
    "opcode": "0",
    "keywords": 9223372058329612416,
    "time_created": "2026-03-15T23:31:42.716275300+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{f9ca95f0-d78f-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFFD78FF9CA95F0",
    "LocalAddressLength": "      16",
    "LocalAddress": "10.2.10.11:51269",
    "RemoteAddressLength": "      16",
    "RemoteAddress": "10.2.10.21:389",
    "NewState": "       0",
    "RexmitCount": "       1"
  },
  "message": ""
}

Event ID 1187: TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) retransmitting data, RexmitCount = RexmitCount.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpDataTransferRestransmit

Description

TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) retransmitting data, RexmitCount = RexmitCount.

Message #

TCP: connection %1 (local=%3 remote=%5) retransmitting data, RexmitCount = %7.

Fields #

Name	Description
`Tcb` Pointer
`LocalAddressLength` UInt32
`LocalAddress` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary
`NewState` UInt32
`RexmitCount` UInt32

Event ID 1188: TCP: connection Tcb send keep-alive at SndUna = SndUna.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpConnectionKeepAlive

Description

TCP: connection Tcb send keep-alive at SndUna = SndUna.

Message #

TCP: connection %1 send keep-alive at SndUna = %2.

Fields #

Name	Description
`Tcb` Pointer
`SndUna` UInt32
`SndMax` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1188",
    "version": "0",
    "level": "4",
    "task": "1188",
    "opcode": "0",
    "keywords": 9223372058329612416,
    "time_created": "2026-03-16T00:21:53.057881700+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{0e584560-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A0E584560",
    "SndUna": "2262383926",
    "SndMax": "       0"
  },
  "message": ""
}

Event ID 1189: TCP: connection Tcb, delivery Delivery: delivery state changed from OldDeliveryState to NewDeliveryState.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpDeliveryStateChange

Description

TCP: connection Tcb, delivery Delivery: delivery state changed from OldDeliveryState to NewDeliveryState.

Message #

TCP: connection %1, delivery %2: delivery state changed from %3 to %4.

Fields #

Name	Description
`Tcb` Pointer
`Delivery` Pointer
`OldDeliveryState` UInt32
`NewDeliveryState` UInt32

Event ID 1190: TCP: connection Tcb delivery Delivery dropping data.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpDeliveryDataDropped

Description

TCP: connection Tcb delivery Delivery dropping data. TotalBytesEnqueued = NumBytes. Length = Length. RcvNxt = RcvNxt.

Message #

TCP: connection %1 delivery %2 dropping data. TotalBytesEnqueued = %4. Length = %6. RcvNxt = %10.

Fields #

Name	Description
`Tcb` Pointer
`Delivery` Pointer
`Request` Pointer
`NumBytes` Pointer
`RequestFlags` UInt32
`Length` Pointer
`RequestStatus` UInt32
`IsUrgentDelivery` UInt32
`FullySatisfiedORDelayedPush` UInt32
`RcvNxt` UInt32

Event ID 1191: TCP: endpoint/connection PortAcquirer acquired port number PortNumber.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpAcquirePort

Description

TCP: endpoint/connection PortAcquirer acquired port number PortNumber.

Message #

TCP: endpoint/connection %1 acquired port number %2.

Fields #

Name	Description
`PortAcquirer` Pointer
`PortNumber` UInt16
`WeakReference` UInt32
`OriginalAcquirer` Pointer

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1191",
    "version": "0",
    "level": "4",
    "task": "1191",
    "opcode": "0",
    "keywords": 9223372054034644992,
    "time_created": "2026-03-16T00:21:40.119043200+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{0da8a910-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "3688",
      "thread_id": "12888"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "PortAcquirer": "0xFFFF980A0DA8A910",
    "PortNumber": "52999",
    "WeakReference": "       0",
    "OriginalAcquirer": "0x0"
  },
  "message": ""
}

Event ID 1192: TCP: connection PortAcquirer attempted to acquire weak reference on port number PortNumber inherited from endpoint OriginalAcquirer.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpAcquireWeakRefPort

Description

TCP: connection PortAcquirer attempted to acquire weak reference on port number PortNumber inherited from endpoint OriginalAcquirer. Successful = WeakReference.

Message #

TCP: connection %1 attempted to acquire weak reference on port number %2 inherited from endpoint %4. Successful = %3.

Fields #

Name	Description
`PortAcquirer` Pointer
`PortNumber` UInt16
`WeakReference` UInt32
`OriginalAcquirer` Pointer

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1192",
    "version": "0",
    "level": "4",
    "task": "1192",
    "opcode": "0",
    "keywords": 9223372054034644992,
    "time_created": "2026-03-16T00:21:38.719220200+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{0eee7560-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "PortAcquirer": "0xFFFF980A0EEE7560",
    "PortNumber": "5985",
    "WeakReference": "       1",
    "OriginalAcquirer": "0xFFFF980A0EF4B580"
  },
  "message": ""
}

Event ID 1193: TCP: endpoint/connection PortAcquirer released port number PortNumber.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: Informational
Task: TcpReleasePort

Description

TCP: endpoint/connection PortAcquirer released port number PortNumber. WeakReference = WeakReference.

Message #

TCP: endpoint/connection %1 released port number %2. WeakReference = %3.

Fields #

Name	Description
`PortAcquirer` Pointer
`PortNumber` UInt16
`WeakReference` UInt32
`OriginalAcquirer` Pointer

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1193",
    "version": "0",
    "level": "4",
    "task": "1193",
    "opcode": "0",
    "keywords": 9223372054034644992,
    "time_created": "2026-03-16T00:21:38.733428000+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{0eee7560-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "4",
      "thread_id": "7444"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "PortAcquirer": "0xFFFF980A0EEE7560",
    "PortNumber": "5985",
    "WeakReference": "       1",
    "OriginalAcquirer": "0x0"
  },
  "message": ""
}

Event ID 1194: TCP: endpoint/connection PortAcquirer replaced base endpoint OriginalAcquirer and acquired reference to port number PortNumber.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpReplacePort

Description

TCP: endpoint/connection PortAcquirer replaced base endpoint OriginalAcquirer and acquired reference to port number PortNumber.

Message #

TCP: endpoint/connection %1 replaced base endpoint %4 and acquired reference to port number %2.

Fields #

Name	Description
`PortAcquirer` Pointer
`PortNumber` UInt16
`WeakReference` UInt32
`OriginalAcquirer` Pointer

Event ID 1195: TCP: Portpool assigned port number PortNumber with weak references due to port exhaustion.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpAssignedWeakReferencePort

Description

TCP: Portpool assigned port number PortNumber with weak references due to port exhaustion.

Message #

TCP: Portpool assigned port number %2 with weak references due to port exhaustion.

Fields #

Name	Description
`PortAcquirer` Pointer
`PortNumber` UInt16
`WeakReference` UInt32
`OriginalAcquirer` Pointer

Event ID 1196: TCP: connection Tcb BH receive ACK for full size seq.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpBhDetectFullSizeAck

Description

TCP: connection Tcb BH receive ACK for full size seq. Seq = SndUna. IsSack = IsSack.

Message #

TCP: connection %1 BH receive ACK for full size seq. Seq = %2. IsSack = %5.

Fields #

Name	Description
`Tcb` Pointer
`SndUna` UInt32
`SndMax` UInt32
`Reason` UnicodeString
`IsSack` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1196",
    "version": "0",
    "level": "4",
    "task": "1196",
    "opcode": "0",
    "keywords": 9223372041149743104,
    "time_created": "2026-03-16T00:23:27.217663000+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{170d1290-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A170D1290",
    "SndUna": "1228953133",
    "SndMax": "       0",
    "Reason": "NULL",
    "IsSack": "       0"
  },
  "message": ""
}

Event ID 1197: TCP: connection Tcb flushed SACK state at SndUna = SndUna.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpFlushSack

Description

TCP: connection Tcb flushed SACK state at SndUna = SndUna. Reason: Reason.

Message #

TCP: connection %1 flushed SACK state at SndUna = %2. Reason: %4.

Fields #

Name	Description
`Tcb` Pointer
`SndUna` UInt32
`SndMax` UInt32
`Reason` UnicodeString
`IsSack` UInt32

Event ID 1198: TCP: Connection Tcb entering reassembly at RcvNxt = SndUna.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Verbose
Task: TcpReassemblyEntry

Description

TCP: Connection Tcb entering reassembly at RcvNxt = SndUna.

Message #

TCP: Connection %1 entering reassembly at RcvNxt = %2.

Fields #

Name	Description
`Tcb` Pointer
`SndUna` UInt32
`SndMax` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1198",
    "version": "0",
    "level": "5",
    "task": "1198",
    "opcode": "0",
    "keywords": 9223372045444710400,
    "time_created": "2026-03-16T00:23:59.839186900+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{14cde010-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A14CDE010",
    "SndUna": "3358248696",
    "SndMax": "       0"
  },
  "message": ""
}

Event ID 1199: TCP: Connection Tcb leaving reassembly at RcvNxt = SndUna.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Verbose
Task: TcpReassemblyExit

Description

TCP: Connection Tcb leaving reassembly at RcvNxt = SndUna.

Message #

TCP: Connection %1 leaving reassembly at RcvNxt = %2.

Fields #

Name	Description
`Tcb` Pointer
`SndUna` UInt32
`SndMax` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1199",
    "version": "0",
    "level": "5",
    "task": "1199",
    "opcode": "0",
    "keywords": 9223372045444710400,
    "time_created": "2026-03-16T00:23:59.839225300+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{14cde010-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A14CDE010",
    "SndUna": "3358248696",
    "SndMax": "       0"
  },
  "message": ""
}

Event ID 1200: TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) terminating: Zero window probe timeout expired.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpDisconnectTcbZeroWindowTimeout

Description

TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) terminating: Zero window probe timeout expired.

Message #

TCP: connection %8 (local=%2 remote=%4) terminating: Zero window probe timeout expired.

Fields #

Name	Description
`LocalAddressLength` UInt32
`LocalAddress` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary
`Status` UInt32	NTSTATUS reference
`ProcessId` UInt32
`Compartment` UInt32
`Tcb` Pointer
`ProcessStartKey` UInt64

Event ID 1201: TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) terminating: FIN-WAIT-2 timeout expired.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpDisconnectTcbFinWait2Timeout

Description

TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) terminating: FIN-WAIT-2 timeout expired.

Message #

TCP: connection %8 (local=%2 remote=%4) terminating: FIN-WAIT-2 timeout expired.

Fields #

Name	Description
`LocalAddressLength` UInt32
`LocalAddress` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary
`Status` UInt32	NTSTATUS reference
`ProcessId` UInt32
`Compartment` UInt32
`Tcb` Pointer
`ProcessStartKey` UInt64

Event ID 1202: IP: Interface rundown: Index = IfIndex, Linkspeed = CurrLinkSpeed bps, PhysicalMediumType = PhysicalMediumType, IP Address = IPv4 Address IPProtocol IPv6 Address.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: Informational
Task: InterfaceRundown

Description

IP: Interface rundown: Index = IfIndex, Linkspeed = CurrLinkSpeed bps, PhysicalMediumType = PhysicalMediumType, IP Address = IPv4 Address IPProtocol IPv6 Address.

Message #

IP: Interface rundown: Index = %1, Linkspeed = %2 bps, PhysicalMediumType = %7, IP Address = %4 %3 %6.

Fields #

Name	Description
`IfIndex` UInt32
`CurrLinkSpeed` UInt64
`IPProtocol` UInt32
`IPv4Address` UInt32
`IpAddrLength` UInt32
`IPv6Address` Binary
`PhysicalMediumType` UInt32
`CompartmentId` UInt32
`OldLinkSpeed` UInt64
`NetworkCategory` UInt32
`Metric` UInt32
`Connected` UInt32
`InternetConnectivityStatus` UInt32
`Flags` UInt64
`IsolationId` UInt32
`NlMtu` UInt32
`ForwardingTag` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1202",
    "version": "4",
    "level": "4",
    "task": "1202",
    "opcode": "0",
    "keywords": 9223372586610589840,
    "time_created": "2026-03-15T23:26:13.264840100+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}"
    },
    "execution": {
      "process_id": "15176",
      "thread_id": "13152"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "IfIndex": "       1",
    "CurrLinkSpeed": "0",
    "IPProtocol": "       4",
    "IPv4 Address": "127.0.0.1",
    "IpAddrLength": "       0",
    "IPv6 Address": "",
    "PhysicalMediumType": "       0",
    "CompartmentId": "       1",
    "OldLinkSpeed": "0",
    "NetworkCategory": "       0",
    "Metric": "      75",
    "Connected": "       1",
    "InternetConnectivityStatus": "4294967295",
    "Flags": "0x10262102300",
    "IsolationId": "       0"
  },
  "message": ""
}

Event ID 1203: IP: Interface Index = IfIndex, Linkspeed changed to CurrLinkSpeed bps, PhysicalMediumType = PhysicalMediumType.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpInterfaceSpeedChange

Description

IP: Interface Index = IfIndex, Linkspeed changed to CurrLinkSpeed bps, PhysicalMediumType = PhysicalMediumType.

Message #

IP: Interface Index = %1, Linkspeed changed to %2 bps, PhysicalMediumType = %7.

Fields #

Name	Description
`IfIndex` UInt32
`CurrLinkSpeed` UInt64
`IPProtocol` UInt32
`IPv4Address` UInt32
`IpAddrLength` UInt32
`IPv6Address` Binary
`PhysicalMediumType` UInt32
`CompartmentId` UInt32
`OldLinkSpeed` UInt64
`ReceiveLinkSpeed` UInt64
`MediaConnectState` UInt32

Event ID 1204: TCP: Connection Tcb flushing reassembly state at RcvNxt = SndUna.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpReassemblyFlush

Description

TCP: Connection Tcb flushing reassembly state at RcvNxt = SndUna. Reason = Reason.

Message #

TCP: Connection %1 flushing reassembly state at RcvNxt = %2. Reason = %4.

Fields #

Name	Description
`Tcb` Pointer
`SndUna` UInt32
`SndMax` UInt32
`Reason` UnicodeString
`IsSack` UInt32

Event ID 1205: TCPIP: NBL Nbl fell off the receive fast path, Reason: Reason.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: Verbose
Task: TcpipReceiveSlowPath

Description

TCPIP: NBL Nbl fell off the receive fast path, Reason: Reason. Protocol = IPTransportProtocol, Family = AddressFamily, Number of NBLs = NblCount. SourceAddress = Source IPv4 Address IPProtocol IPv6 Source Address. DestAddress = Dest IPv4 Address IPProtocol IPv6 Dest Address.

Message #

TCPIP: NBL %1 fell off the receive fast path, Reason: %10. Protocol = %2, Family = %3, Number of NBLs = %11. SourceAddress = %4 %12 %7. DestAddress = %5 %12 %9.

Fields #

Name	Description
`Nbl` Pointer
`IPTransportProtocol` UInt32
`AddressFamily` UInt32
`SourceIPv4Address` UInt32
`DestIPv4Address` UInt32
`IPv6SourceIpAddrLength` UInt32
`IPv6SourceAddress` Binary
`IPv6DestIpAddrLength` UInt32
`IPv6DestAddress` Binary
`Reason` UInt32
`NblCount` UInt32
`IPProtocol` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1205",
    "version": "0",
    "level": "5",
    "task": "1205",
    "opcode": "0",
    "keywords": 9223372045444710400,
    "time_created": "2026-03-16T00:21:38.718814700+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Nbl": "0xFFFF980A1D7C5570",
    "IPTransportProtocol": "       6",
    "AddressFamily": "       2",
    "Source IPv4 Address": "10.2.10.11",
    "Dest IPv4 Address": "10.2.10.21",
    "IPv6SourceIpAddrLength": "       0",
    "IPv6 Source Address": "",
    "IPv6DestIpAddrLength": "       0",
    "IPv6 Dest Address": "",
    "Reason": "      17",
    "NblCount": "       1",
    "IPProtocol": "       4"
  },
  "message": ""
}

Event ID 1206: TCPIP: NBL Nbl fell off the send fast path, Reason: Reason.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: Verbose
Task: TcpipSendSlowPath

Description

TCPIP: NBL Nbl fell off the send fast path, Reason: Reason. Protocol = IPTransportProtocol, Family = AddressFamily, Number of NBLs = NblCount. SourceAddress = Source IPv4 Address IPProtocol IPv6 Source Address. DestAddress = Dest IPv4 Address IPProtocol IPv6 Dest Address.

Message #

TCPIP: NBL %1 fell off the send fast path, Reason: %10. Protocol = %2, Family = %3, Number of NBLs = %11. SourceAddress = %4 %12 %7. DestAddress = %5 %12 %9.

Fields #

Name	Description
`Nbl` Pointer
`IPTransportProtocol` UInt32
`AddressFamily` UInt32
`SourceIPv4Address` UInt32
`DestIPv4Address` UInt32
`IPv6SourceIpAddrLength` UInt32
`IPv6SourceAddress` Binary
`IPv6DestIpAddrLength` UInt32
`IPv6DestAddress` Binary
`Reason` UInt32
`NblCount` UInt32
`IPProtocol` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1206",
    "version": "0",
    "level": "5",
    "task": "1206",
    "opcode": "0",
    "keywords": 9223372041149743104,
    "time_created": "2026-03-16T00:21:34.388870500+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}"
    },
    "execution": {
      "process_id": "4168",
      "thread_id": "6880"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Nbl": "0xFFFF980A11CCA4F0",
    "IPTransportProtocol": "       6",
    "AddressFamily": "       2",
    "Source IPv4 Address": "10.2.10.21",
    "Dest IPv4 Address": "10.2.20.41",
    "IPv6SourceIpAddrLength": "       0",
    "IPv6 Source Address": "",
    "IPv6DestIpAddrLength": "       0",
    "IPv6 Dest Address": "",
    "Reason": "      11",
    "NblCount": "       1",
    "IPProtocol": "       4"
  },
  "message": ""
}

Event ID 1207: TCP: WSD - TcpWsdEtwPoint Status: Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpWsdInitializationErrors

Description

TCP: WSD - TcpWsdEtwPoint Status: Status.

Message #

TCP: WSD - %1 Status: %2.

Fields #

Name	Description
`TcpWsdEtwPoint` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 1208: TCP: WSD - TcpWsdEtwPoint Status: Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpWsdInitializationInformation

Description

TCP: WSD - TcpWsdEtwPoint Status: Status.

Message #

TCP: WSD - %1 Status: %2.

Fields #

Name	Description
`TcpWsdEtwPoint` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 1209: TCP: WSD - TCB Tcb will use a highly restricted window scale factor due to a TcpWsdEtwPoint.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpWsdWsRestrictedProfile

Description

TCP: WSD - TCB Tcb will use a highly restricted window scale factor due to a TcpWsdEtwPoint.

Message #

TCP: WSD - TCB %2 will use a highly restricted window scale factor due to a %1.

Fields #

Name	Description
`TcpWsdEtwPoint` UInt32
`Tcb` Pointer

Event ID 1210: TCP: WSD - TCB Tcb will use a highly restricted window scale factor due to a TcpWsdEtwPoint.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpWsdWsRestrictedDestination

Description

TCP: WSD - TCB Tcb will use a highly restricted window scale factor due to a TcpWsdEtwPoint.

Message #

TCP: WSD - TCB %2 will use a highly restricted window scale factor due to a %1.

Fields #

Name	Description
`TcpWsdEtwPoint` UInt32
`Tcb` Pointer

Event ID 1211: TCP: WSD - Entry (Processor, Entry) moved from OldState to NewState due to TcpWsdEtwPoint.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpWsdCacheEntryStateChange

Description

TCP: WSD - Entry (Processor, Entry) moved from OldState to NewState due to TcpWsdEtwPoint.

Message #

TCP: WSD - Entry (%2, %3) moved from %4 to %5 due to %1.

Fields #

Name	Description
`TcpWsdEtwPoint` UInt32
`Processor` UInt32
`Entry` UInt32
`OldState` UInt32
`NewState` UInt32
`ProbeCount` UInt32
`ProbeCountWs` UInt32

Event ID 1212: TCP: WSD - Profile: Profile State: State Qualified: Qualified EreQualified: EreQualified.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpWsdProfileStateChange

Description

TCP: WSD - Profile: Profile State: State Qualified: Qualified EreQualified: EreQualified.

Message #

TCP: WSD - Profile: %1 State: %2 Qualified: %3 EreQualified: %4.

Fields #

Name	Description
`Profile` UInt32
`State` UInt32
`Qualified` UInt32
`EreQualified` UInt32

Event ID 1213: TCP: WSD - Enabled moved from OldEnabledState to NewEnabledState.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpWsdStateChange

Description

TCP: WSD - Enabled moved from OldEnabledState to NewEnabledState. Threshold moved from OldThreshold to NewThreshold.

Message #

TCP: WSD - Enabled moved from %1 to %2. Threshold moved from  %3 to %4.

Fields #

Name	Description
`OldEnabledState` UInt32
`NewEnabledState` UInt32
`OldThreshold` UInt32
`NewThreshold` UInt32

Event ID 1214: TCPIP: Transport (Protocol IPTransportProtocol, AddressFamily = AddressFamily) dropped PacketCount packet(s) with Local = LocalSockAddr, Remote = RemoteSockAddr.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: Informational
Task: TcpipTransportPacketDrops

Description

TCPIP: Transport (Protocol IPTransportProtocol, AddressFamily = AddressFamily) dropped PacketCount packet(s) with Local = LocalSockAddr, Remote = RemoteSockAddr. Reason = Reason.

Message #

TCPIP: Transport (Protocol %1, AddressFamily = %2) dropped %8 packet(s) with Local = %4, Remote = %6. Reason = %7.

Fields #

Name	Description
`IPTransportProtocol` UInt32
`AddressFamily` UInt32
`LocalSockAddrLength` UInt32
`LocalSockAddr` Binary
`RemoteSockAddrLength` UInt32
`RemoteSockAddr` Binary
`Reason` UInt32
`PacketCount` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1214",
    "version": "0",
    "level": "4",
    "task": "1214",
    "opcode": "0",
    "keywords": 9223373694712152192,
    "time_created": "2026-03-16T00:21:38.733034500+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "IPTransportProtocol": "       6",
    "AddressFamily": "       2",
    "LocalSockAddrLength": "      16",
    "LocalSockAddr": "10.2.10.21:5985",
    "RemoteSockAddrLength": "      16",
    "RemoteSockAddr": "10.2.10.11:51201",
    "Reason": "      20",
    "PacketCount": "       1"
  },
  "message": ""
}

Event ID 1215: TCPIP: Network layer (Protocol IPTransportProtocol, AddressFamily = AddressFamily) dropped PacketCount packet(s).

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: Informational
Task: TcpipNetworkPacketDrops

Description

TCPIP: Network layer (Protocol IPTransportProtocol, AddressFamily = AddressFamily) dropped PacketCount packet(s). SourceAddress = Source IPv4 Address IPProtocol IPv6 Source Address. DestAddress = Dest IPv4 Address IPProtocol IPv6 Dest Address. Reason = Reason.

Message #

TCPIP: Network layer (Protocol %1, AddressFamily = %2) dropped %10 packet(s). SourceAddress = %3 %11 %6. DestAddress = %4 %11 %8. Reason = %9.

Fields #

Name	Description
`IPTransportProtocol` UInt32
`AddressFamily` UInt32
`SourceIPv4Address` UInt32
`DestIPv4Address` UInt32
`IPv6SourceIpAddrLength` UInt32
`IPv6SourceAddress` Binary
`IPv6DestIpAddrLength` UInt32
`IPv6DestAddress` Binary
`Reason` UInt32
`PacketCount` UInt32
`IPProtocol` UInt32
`SourceAddressLength` UInt32
`SourceAddress` Binary
`DestAddressLength` UInt32
`DestAddress` Binary
`IfIndex` UInt32
`PathDirection` UInt32
`Nbl` Pointer

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1215",
    "version": "1",
    "level": "4",
    "task": "1215",
    "opcode": "0",
    "keywords": 9223373699007119488,
    "time_created": "2026-03-15T23:27:04.761762100+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}"
    },
    "execution": {
      "process_id": "3912",
      "thread_id": "13412"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "IPTransportProtocol": "       6",
    "AddressFamily": "      23",
    "Source IPv4 Address": "0.0.0.0",
    "Dest IPv4 Address": "0.0.0.0",
    "IPv6SourceIpAddrLength": "      16",
    "IPv6 Source Address": "::1",
    "IPv6DestIpAddrLength": "      16",
    "IPv6 Dest Address": "::1",
    "Reason": "     256",
    "PacketCount": "       1",
    "IPProtocol": "       6",
    "SourceAddressLength": "      28",
    "SourceAddress": "::1",
    "DestAddressLength": "      28",
    "DestAddress": "::1",
    "IfIndex": "       1",
    "PathDirection": "       1"
  },
  "message": ""
}

Event ID 1216: TCP: MPP NPP Evaluation PhysicalPages = PhysicalPages NonPagedPoolPages = NonPagedPoolPages Current = CurrentWatermark Peak = PeakWatermark Low = HighWatermark High = LowWatermark.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpMppNppEvaluation

Description

TCP: MPP NPP Evaluation PhysicalPages = PhysicalPages NonPagedPoolPages = NonPagedPoolPages Current = CurrentWatermark Peak = PeakWatermark Low = HighWatermark High = LowWatermark.

Message #

TCP: MPP NPP Evaluation PhysicalPages = %1 NonPagedPoolPages = %2 Current = %3 Peak = %4 Low = %5 High = %6.

Fields #

Name	Description
`PhysicalPages` UInt32
`NonPagedPoolPages` UInt32
`CurrentWatermark` UInt32
`PeakWatermark` UInt32
`HighWatermark` UInt32
`LowWatermark` UInt32

Event ID 1217: TCP: MPP: Episode started.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpMppStartEpisode

Description

TCP: MPP: Episode started. LowNppEventState = LowNppEventState HighNppEventState = HighNppEventState EpisodeStartTick = EpisodeStartTick EpisodeStopTick = EpisodeStopTick Current = CurrentWatermark Low = LowWatermark Reentry = ReentryWatermark.

Message #

TCP: MPP: Episode started. LowNppEventState = %1 HighNppEventState = %2 EpisodeStartTick = %3 EpisodeStopTick = %4 Current = %5 Low = %6 Reentry = %7.

Fields #

Name	Description
`LowNppEventState` UInt32
`HighNppEventState` UInt32
`EpisodeStartTick` UInt64
`EpisodeStopTick` UInt64
`CurrentWatermark` UInt32
`LowWatermark` UInt32
`ReentryWatermark` UInt32

Event ID 1218: TCP: MPP: Episode ended.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpMppStopEpisode

Description

TCP: MPP: Episode ended. LowNppEventState = LowNppEventState HighNppEventState = HighNppEventState EpisodeStartTick = EpisodeStartTick EpisodeStopTick = EpisodeStopTick Reentry = ReentryWatermark.

Message #

TCP: MPP: Episode ended. LowNppEventState = %1 HighNppEventState = %2 EpisodeStartTick = %3 EpisodeStopTick = %4 Reentry = %5.

Fields #

Name	Description
`LowNppEventState` UInt32
`HighNppEventState` UInt32
`EpisodeStartTick` UInt64
`EpisodeStopTick` UInt64
`ReentryWatermark` UInt32

Event ID 1219: TCP: MPP: Epoch Epoch started.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpMppStartEpoch

Description

TCP: MPP: Epoch Epoch started. LowNppEventState = LowNppEventState HighNppEventState = HighNppEventState EpochStartTick = EpochStartTick EpochStopTick = EpochStopTick SynDropRate = OldSynDropRate -> NewSynDropRate TcbKillRate = OldTcbKillRate -> NewTcbKillRate CurrentWatermark = CurrentWatermark.

Message #

TCP: MPP: Epoch %1 started. LowNppEventState = %2 HighNppEventState = %3 EpochStartTick = %4 EpochStopTick = %5 SynDropRate = %6 -> %7 TcbKillRate = %8 -> %9 CurrentWatermark = %10.

Fields #

Name	Description
`Epoch` UInt32
`LowNppEventState` UInt32
`HighNppEventState` UInt32
`EpochStartTick` UInt64
`EpochStopTick` UInt64
`OldSynDropRate` UInt32
`NewSynDropRate` UInt32
`OldTcbKillRate` UInt32
`NewTcbKillRate` UInt32
`CurrentWatermark` UInt32

Event ID 1220: TCP: MPP: Epoch Epoch ended.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpMppStopEpoch

Description

TCP: MPP: Epoch Epoch ended. LowNppEventState = LowNppEventState HighNppEventState = HighNppEventState EpochStartTick = EpochStartTick EpochStopTick = EpochStopTick SynDropRate = SynDropRate TcbKillRate = TcbKillRate Current = CurrentWatermark.

Message #

TCP: MPP: Epoch %1 ended. LowNppEventState = %2 HighNppEventState = %3 EpochStartTick = %4 EpochStopTick = %5 SynDropRate = %6 TcbKillRate = %7 Current = %8.

Fields #

Name	Description
`Epoch` UInt32
`LowNppEventState` UInt32
`HighNppEventState` UInt32
`EpochStartTick` UInt64
`EpochStopTick` UInt64
`SynDropRate` UInt32
`TcbKillRate` UInt32
`CurrentWatermark` UInt32

Event ID 1221: TCP: Connection Tcb restarting Cwnd.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpCwndRestart

Description

TCP: Connection Tcb restarting Cwnd. Old Cwnd = OldCwnd, New Cwnd = NewCwnd, Processor = Processor, CurrentTick = CurrentTick, IdleTick = IdleTick, Rto = Rto.

Message #

TCP: Connection %1 restarting Cwnd. Old Cwnd = %2, New Cwnd = %3, Processor = %4, CurrentTick = %5, IdleTick = %6, Rto = %7.

Fields #

Name	Description
`Tcb` Pointer
`OldCwnd` UInt32
`NewCwnd` UInt32
`Processor` UInt32
`CurrentTick` UInt32
`IdleTick` UInt32
`Rto` UInt32

Event ID 1222: TCP: Connection Tcb adjust InitalCwnd.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpInitialCwndAdjusted

Description

TCP: Connection Tcb adjust InitalCwnd. Cwnd = OldCwnd, New Initial Cwnd = NewCwnd MSS.

Message #

TCP: Connection %1 adjust InitalCwnd. Cwnd = %2, New Initial Cwnd = %3 MSS.

Fields #

Name	Description
`Tcb` Pointer
`OldCwnd` UInt32
`NewCwnd` UInt32
`Processor` UInt32
`CurrentTick` UInt32
`IdleTick` UInt32
`Rto` UInt32

Event ID 1223: TCP: Connection Tcb committed TemplateType = TemplateType.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpTemplateParameters

Description

TCP: Connection Tcb committed TemplateType = TemplateType. MinRto = MinRto msec, EnableCwndRestart = EnableCwndRestart, InitialCwnd = InitialCwnd MSS, CongestionAlgorithm = CongestionAlgorithm, MaxDataRetransmissions = MaxDataRetransmissions, DelayedAckTicks = DelayedAckTicks msec, DelayedAckFrequency = DelayedAckFrequency, RACK enabled = Rack, Tail Loss Probe enabled = TailLossProbe.

Message #

TCP: Connection %1 committed TemplateType = %2. MinRto = %3 msec, EnableCwndRestart = %4, InitialCwnd = %5 MSS, CongestionAlgorithm = %6, MaxDataRetransmissions = %7, DelayedAckTicks = %8 msec, DelayedAckFrequency = %9, RACK enabled = %10, Tail Loss Probe enabled = %11.

Fields #

Name	Description
`Tcb` Pointer
`TemplateType` UInt32
`MinRto` UInt32
`EnableCwndRestart` UInt32
`InitialCwnd` UInt32
`CongestionAlgorithm` UInt32
`MaxDataRetransmissions` UInt32
`DelayedAckTicks` UInt32
`DelayedAckFrequency` UInt32
`Rack` UInt32
`TailLossProbe` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1223",
    "version": "0",
    "level": "4",
    "task": "1223",
    "opcode": "0",
    "keywords": 9223372586610589696,
    "time_created": "2026-03-16T00:21:38.719984100+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{0eee7560-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A0EEE7560",
    "TemplateType": "       0",
    "MinRto": "     300",
    "EnableCwndRestart": "       0",
    "InitialCwnd": "      10",
    "CongestionAlgorithm": "       5",
    "MaxDataRetransmissions": "       5",
    "DelayedAckTicks": "      40",
    "DelayedAckFrequency": "       2",
    "Rack": "       1",
    "TailLossProbe": "       1"
  },
  "message": ""
}

Event ID 1224: TCP: Connection Tcb template changed.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Verbose
Task: TcpTemplateChanged

Description

TCP: Connection Tcb template changed. New template=TemplateType. Context=Context.

Message #

TCP: Connection %1 template changed. New template=%2. Context=%3.

Fields #

Name	Description
`Tcb` Pointer
`TemplateType` UInt32
`Context` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1224",
    "version": "0",
    "level": "5",
    "task": "1224",
    "opcode": "0",
    "keywords": 9223372586610589696,
    "time_created": "2026-03-16T00:21:38.719121800+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{0eee7560-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A0EEE7560",
    "TemplateType": "       0",
    "Context": "Initializing Template Accept TCB"
  },
  "message": ""
}

Event ID 1225: TCP: connection Tcb: End of a round, SndRound = SndRound, Bytes sent = EcnTotalByteCount.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpDataTransferEcnAlpha

Description

TCP: connection Tcb: End of a round, SndRound = SndRound, Bytes sent = EcnTotalByteCount. Bytes marked = EcnTotalMarkedCount, ThAck = ThAck, updated EcnAlpha = EcnAlpha.

Message #

TCP: connection %1: End of a round, SndRound = %2, Bytes sent = %3. Bytes marked = %4, ThAck = %5, updated EcnAlpha = %6.

Fields #

Name	Description
`Tcb` Pointer
`SndRound` UInt32
`EcnTotalByteCount` UInt32
`EcnTotalMarkedCount` UInt32
`ThAck` UInt32
`EcnAlpha` UInt32

Event ID 1226: TCP: interface IfIndex: RSC state changed, IPV4 State = StateV4, IPV4 Failure Reason = FailureReasonV4, IPV6 State = StateV6, IPV6 Failure Reason = FailureReasonV6, Event = Event.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpInterfaceRscStateChange

Description

TCP: interface IfIndex: RSC state changed, IPV4 State = StateV4, IPV4 Failure Reason = FailureReasonV4, IPV6 State = StateV6, IPV6 Failure Reason = FailureReasonV6, Event = Event.

Message #

TCP: interface %1: RSC state changed, IPV4 State = %2, IPV4 Failure Reason = %3, IPV6 State = %4, IPV6 Failure Reason = %5, Event = %6.

Fields #

Name	Description
`IfIndex` UInt32
`StateV4` UInt32
`FailureReasonV4` UInt32
`StateV6` UInt32
`FailureReasonV6` UInt32
`Event` UInt32

Event ID 1227: TCP: connection Tcb: RSC SCU received.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: Verbose
Task: TcpRscNblOobInfo

Description

TCP: connection Tcb: RSC SCU received. CoalescedSegCount = CoalescedSegCount, DupAckCount = DupAckCount, RscTcpTimestampDelta = RscTcpTimestampDelta, HeaderFlags = HeaderFlags, EcnCePresent = EcnCePresent.

Message #

TCP: connection %1: RSC SCU received. CoalescedSegCount = %2, DupAckCount = %3, RscTcpTimestampDelta = %4, HeaderFlags = %5, EcnCePresent = %6.

Fields #

Name	Description
`Tcb` Pointer
`CoalescedSegCount` UInt16
`DupAckCount` UInt16
`RscTcpTimestampDelta` UInt32
`HeaderFlags` UInt16
`EcnCePresent` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1227",
    "version": "0",
    "level": "5",
    "task": "1227",
    "opcode": "0",
    "keywords": 9223372045444710400,
    "time_created": "2026-03-16T00:21:36.016716200+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{10708010-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A10708010",
    "CoalescedSegCount": "2",
    "DupAckCount": "0",
    "RscTcpTimestampDelta": "       0",
    "HeaderFlags": "24",
    "EcnCePresent": "       0"
  },
  "message": ""
}

Event ID 1228: TCPIP: TCB Tcb does not take fast path, Cause: Cause.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpLoopbackFastPathFailReason

Description

TCPIP: TCB Tcb does not take fast path, Cause: Cause.

Message #

TCPIP: TCB %1 does not take fast path, Cause: %2.

Fields #

Name	Description
`Tcb` Pointer
`Cause` UInt32

Event ID 1229: TCP: Connection Tcb send queue is idle.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: Informational
Task: TcpCwndRestart

Description

TCP: Connection Tcb send queue is idle. Cwnd = OldCwnd, Processor = Processor, CurrentTick = CurrentTick, IdleTick = IdleTick.

Message #

TCP: Connection %1 send queue is idle. Cwnd = %2, Processor = %4, CurrentTick = %5, IdleTick = %6.

Fields #

Name	Description
`Tcb` Pointer
`OldCwnd` UInt32
`NewCwnd` UInt32
`Processor` UInt32
`CurrentTick` UInt32
`IdleTick` UInt32
`Rto` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1229",
    "version": "0",
    "level": "4",
    "task": "1221",
    "opcode": "0",
    "keywords": 9223372041149743104,
    "time_created": "2026-03-16T00:21:34.390542000+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{1018b560-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "4248",
      "thread_id": "4684"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A1018B560",
    "OldCwnd": " 2110976",
    "NewCwnd": "       0",
    "Processor": "       8",
    "CurrentTick": "57753291",
    "IdleTick": "57753291",
    "Rto": "       0"
  },
  "message": ""
}

Event ID 1230: RSS: Bind notification for AddressFamily on interface InterfaceIndex.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: RssBindingChange

Description

RSS: Bind notification for AddressFamily on interface InterfaceIndex.

Message #

RSS: %3 notification for %2 on interface %1.

Fields #

Name	Description
`InterfaceIndex` UInt32
`AddressFamily` UInt16
`Bind` UInt32

Event ID 1231: RSS: Bind notification for adapter AdapterIndex.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: RssPortChange

Description

RSS: Bind notification for adapter AdapterIndex.

Message #

RSS: %4 notification for adapter %1.

Fields #

Name	Description
`AdapterIndex` UInt32
`InterfaceIndex` UInt32
`PortNumber` UInt32
`Bind` UInt32

Event ID 1232: RSS: ReferenceAdded reference on adapter AdapterIndex.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: RssPortReference

Description

RSS: ReferenceAdded reference on adapter AdapterIndex.

Message #

RSS: %4 reference on adapter %1.

Fields #

Name	Description
`AdapterIndex` UInt32
`ExistingInterfaceIndex` UInt32
`ExistingPortNumber` UInt32
`ReferenceAdded` UInt8

Event ID 1233: RSS: adapter AdapterIndex with capabilities CapabilitiesFlags and NumberOfReceiveQueues receive queues.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: RssPortCapabilities

Description

RSS: adapter AdapterIndex with capabilities CapabilitiesFlags and NumberOfReceiveQueues receive queues.

Message #

RSS: adapter %1 with capabilities %2 and %4 receive queues.

Fields #

Name	Description
`AdapterIndex` UInt32
`CapabilitiesFlags` UInt32
`NumberOfInterruptMessages` UInt32
`NumberOfReceiveQueues` UInt32

Event ID 1234: RSS: adapter AdapterIndex processor group GroupNumber maximum processors MaximumProcessors processor affinity GroupAffinity.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: RssPortProcessors

Description

RSS: adapter AdapterIndex processor group GroupNumber maximum processors MaximumProcessors processor affinity GroupAffinity.

Message #

RSS: adapter %1 processor group %2 maximum processors %3 processor affinity %4.

Fields #

Name	Description
`AdapterIndex` UInt32
`GroupNumber` UInt16
`MaximumProcessors` UInt32
`GroupAffinity` UInt64
`AvailableProcessorsSize` UInt32
`AvailableProcessors` Binary

Event ID 1235: RSS: assigning processor ProcessorIndex from adapter PreviousAdapterIndex to NewAdapterIndex.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: RssProcessorAssignment

Description

RSS: assigning processor ProcessorIndex from adapter PreviousAdapterIndex to NewAdapterIndex.

Message #

RSS: assigning processor %2 from adapter %3 to %1.

Fields #

Name	Description
`NewAdapterIndex` UInt32
`ProcessorIndex` UInt32
`PreviousAdapterIndex` UInt32
`TriggeringProcessorIndex` UInt32

Event ID 1236: RSS: unassigning processor ProcessorIndex from adapter PreviousAdapterIndex.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: RssProcessorUnassignment

Description

RSS: unassigning processor ProcessorIndex from adapter PreviousAdapterIndex.

Message #

RSS: unassigning processor %2 from adapter %1.

Fields #

Name	Description
`PreviousAdapterIndex` UInt32
`ProcessorIndex` UInt32

Event ID 1237: RSS: adapter AdapterIndex reassigning indirection entry IndirectionIndex from processor OldProcessorIndex to NewProcessorIndex.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: RssIndirectionChange

Description

RSS: adapter AdapterIndex reassigning indirection entry IndirectionIndex from processor OldProcessorIndex to NewProcessorIndex.

Message #

RSS: adapter %1 reassigning indirection entry %2 from processor %3 to %4.

Fields #

Name	Description
`AdapterIndex` UInt32
`IndirectionIndex` UInt16
`OldProcessorIndex` UInt32
`NewProcessorIndex` UInt32

Event ID 1238: RSS: adapter AdapterIndex removing processor ProcessorIndex from its indirection table.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: RssProcessorConsolidation

Description

RSS: adapter AdapterIndex removing processor ProcessorIndex from its indirection table.

Message #

RSS: adapter %1 removing processor %2 from its indirection table.

Fields #

Name	Description
`AdapterIndex` UInt32
`ProcessorIndex` UInt8

Event ID 1239: RSS: adapter AdapterIndex changing Setting to Value.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: RssConfigurationChange

Description

RSS: adapter AdapterIndex changing Setting to Value.

Message #

RSS: adapter %1 changing %2 to %3.

Fields #

Name	Description
`AdapterIndex` UInt32
`Setting` UInt32
`Value` UInt32

Event ID 1240: RSS: Failed to FailureDescription on IfIndex InterfaceIndex: Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: RssFailure

Description

RSS: Failed to FailureDescription on IfIndex InterfaceIndex: Status.

Message #

RSS: Failed to %2 on IfIndex %1: %3

Fields #

Name	Description
`InterfaceIndex` UInt32
`FailureDescription` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 1241: RSS: bind completed successfully for AddressFamily on interface InterfaceIndex.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: RssBindingBindComplete

Description

RSS: bind completed successfully for AddressFamily on interface InterfaceIndex.

Message #

RSS: bind completed successfully for %2 on interface %1.

Fields #

Name	Description
`InterfaceIndex` UInt32
`AddressFamily` UInt16

Event ID 1242: RSS: bind completed successfully for adapter AdapterIndex.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: RssPortBindComplete

Description

RSS: bind completed successfully for adapter AdapterIndex.

Message #

RSS: bind completed successfully for adapter %1.

Fields #

Name	Description
`AdapterIndex` UInt32

Event ID 1243: RSS: adapter AdapterIndex not supported.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: RssPortNotSupported

Description

RSS: adapter AdapterIndex not supported.

Message #

RSS: adapter %1 not supported.

Fields #

Name	Description
`AdapterIndex` UInt32

Event ID 1244: RSS: adapter AdapterIndex indirection table initialized on group GroupNumber with processor set ActiveAffinity.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: RssInitializeIndirectionTable

Description

RSS: adapter AdapterIndex indirection table initialized on group GroupNumber with processor set ActiveAffinity.

Message #

RSS: adapter %1 indirection table initialized on group %4 with processor set %5.

Fields #

Name	Description
`AdapterIndex` UInt32
`IndirectionTableSize` UInt32
`IndirectionTable` Binary
`GroupNumber` UInt16
`ActiveAffinity` UInt64

Event ID 1245: RSS: Rundown: interface InterfaceIndex with adapter AdapterIndex at port PortNumber.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: Informational
Task: RssBindingRundown

Description

RSS: Rundown: interface InterfaceIndex with adapter AdapterIndex at port PortNumber.

Message #

RSS: Rundown: interface %1 with adapter %2 at port %3.

Fields #

Name	Description
`InterfaceIndex` UInt32
`AdapterIndex` UInt32
`PortNumber` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1245",
    "version": "0",
    "level": "4",
    "task": "1245",
    "opcode": "0",
    "keywords": 9223372586610591888,
    "time_created": "2026-03-16T00:21:34.295777000+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{517fdda0-f803-ffff-0600-000000000000}"
    },
    "execution": {
      "process_id": "9132",
      "thread_id": "4236"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "InterfaceIndex": "       6",
    "AdapterIndex": "       6",
    "PortNumber": "       0"
  },
  "message": ""
}

Event ID 1246: RSS: Rundown: adapter AdapterIndex hash info HashInfo maximum processors MaximumProcessors group GroupNumber affinity GroupAffinity active processors ActiveAffinity active mode: ActiveMode.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: Informational
Task: RssPortRundown

Description

RSS: Rundown: adapter AdapterIndex hash info HashInfo maximum processors MaximumProcessors group GroupNumber affinity GroupAffinity active processors ActiveAffinity active mode: ActiveMode.

Message #

RSS: Rundown: adapter %1 hash info %2 maximum processors %3 group %4 affinity %5 active processors %6 active mode: %7.

Fields #

Name	Description
`AdapterIndex` UInt32
`HashInfo` UInt32
`MaximumProcessors` UInt32
`GroupNumber` UInt16
`GroupAffinity` UInt64
`ActiveAffinity` UInt64
`ActiveMode` UInt32
`IndirectionTableSize` UInt32
`IndirectionTable` Binary

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1246",
    "version": "0",
    "level": "4",
    "task": "1246",
    "opcode": "0",
    "keywords": 9223372586610591888,
    "time_created": "2026-03-15T23:26:13.264909200+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{0f1f9564-f803-ffff-0400-000000000000}"
    },
    "execution": {
      "process_id": "15176",
      "thread_id": "13152"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "AdapterIndex": "       4",
    "HashInfo": "0xD701",
    "MaximumProcessors": "      14",
    "GroupNumber": "0",
    "GroupAffinity": "0x3FFF",
    "ActiveAffinity": "0x3FFF",
    "ActiveMode": "    1002",
    "IndirectionTableSize": "     128",
    "IndirectionTable": "0x000102030405060708090A0B0C0D000102030405060708090A0B0C0D000102030405060708090A0B0C0D000102030405060708090A0B0C0D000102030405060708090A0B0C0D000102030405060708090A0B0C0D000102030405060708090A0B0C0D000102030405060708090A0B0C0D000102030405060708090A0B0C0D0001"
  },
  "message": ""
}

Event ID 1247: RSS: interface InterfaceIndex support: Capability.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: RssBindingCapability

Description

RSS: interface InterfaceIndex support: Capability.

Message #

RSS: interface %1 support: %2.

Fields #

Name	Description
`InterfaceIndex` UInt32
`Capability` UInt32

Event ID 1248: NDKPI Create CQ: RequestContext RequestContext Adapter NdkAdapter CqDepth CqDepth CqNotificationContext CqNotificationContext AffinityMask AffinityMask AffinityGroup AffinityGroup.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Create_Cq

Description

NDKPI Create CQ: RequestContext RequestContext Adapter NdkAdapter CqDepth CqDepth CqNotificationContext CqNotificationContext AffinityMask AffinityMask AffinityGroup AffinityGroup.

Message #

NDKPI Create CQ: RequestContext %6 Adapter %1 CqDepth %2 CqNotificationContext %3 AffinityMask %4 AffinityGroup %5

Fields #

Name	Description
`NdkAdapter` Pointer
`CqDepth` UInt32
`CqNotificationContext` Pointer
`AffinityMask` UInt64
`AffinityGroup` UInt16
`RequestContext` Pointer

Event ID 1249: NDKPI Create Completion: RequestContext RequestContext Status Status (CompletionType) NdkObjectType NdkObject.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Create_Completion

Description

NDKPI Create Completion: RequestContext RequestContext Status Status (CompletionType) NdkObjectType NdkObject.

Message #

NDKPI Create Completion: RequestContext %1 Status %2 (%4) %5 %3

Fields #

Name	Description
`RequestContext` Pointer
`Status` UInt32	NTSTATUS reference
`NdkObject` Pointer
`CompletionType` UInt32
`NdkObjectType` UInt32

Event ID 1250: NDKPI Close NdkObjectType: RequestContext RequestContext NdkObjectType NdkObject.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Close_Obj

Description

NDKPI Close NdkObjectType: RequestContext RequestContext NdkObjectType NdkObject.

Message #

NDKPI Close %2: RequestContext %3 %2 %1

Fields #

Name	Description
`NdkObject` Pointer
`NdkObjectType` UInt32
`RequestContext` Pointer

Event ID 1251: NDKPI Close Completion: RequestContext RequestContext (CompletionType).

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Close_Completion

Description

NDKPI Close Completion: RequestContext RequestContext (CompletionType).

Message #

NDKPI Close Completion: RequestContext %1 (%2)

Fields #

Name	Description
`RequestContext` Pointer
`CompletionType` UInt32

Event ID 1252: NDKPI Resize CQ: RequestContext RequestContext CQ NdkCq CqDepth CqDepth.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Resize_Cq

Description

NDKPI Resize CQ: RequestContext RequestContext CQ NdkCq CqDepth CqDepth.

Message #

NDKPI Resize CQ: RequestContext %3 CQ %1 CqDepth %2

Fields #

Name	Description
`NdkCq` Pointer
`CqDepth` UInt32
`RequestContext` Pointer

Event ID 1253: NDKPI Request Completion: RequestContext RequestContext Status Status (CompletionType).

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Request_Completion

Description

NDKPI Request Completion: RequestContext RequestContext Status Status (CompletionType).

Message #

NDKPI Request Completion: RequestContext %1 Status %2 (%3)

Fields #

Name	Description
`RequestContext` Pointer
`Status` UInt32	NTSTATUS reference
`CompletionType` UInt32

Event ID 1254: NDKPI Arm CQ: CQ NdkCq ArmType.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Arm_Cq

Description

NDKPI Arm CQ: CQ NdkCq ArmType.

Message #

NDKPI Arm CQ: CQ %1 %2

Fields #

Name	Description
`NdkCq` Pointer
`ArmType` UInt32

Event ID 1255: NDKPI Result ResultIndex/ResultCount: CQ NdkCq RequestContext RequestContext Status Status BytesTransferred BytesTransferred QpContext QpContext.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Cq_Result

Description

NDKPI Result ResultIndex/ResultCount: CQ NdkCq RequestContext RequestContext Status Status BytesTransferred BytesTransferred QpContext QpContext.

Message #

NDKPI Result %6/%7: CQ %1 RequestContext %5 Status %2 BytesTransferred %3 QpContext %4

Fields #

Name	Description
`NdkCq` Pointer
`Status` UInt32	NTSTATUS reference
`BytesTransferred` UInt32
`QpContext` Pointer
`RequestContext` Pointer
`ResultIndex` Int32
`ResultCount` Int32

Event ID 1256: NDKPI Create MR: RequestContext RequestContext PD NdkPd FastRegister FastRegister.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Create_Mr

Description

NDKPI Create MR: RequestContext RequestContext PD NdkPd FastRegister FastRegister.

Message #

NDKPI Create MR: RequestContext %3 PD %1 FastRegister %2

Fields #

Name	Description
`NdkPd` Pointer
`FastRegister` UInt32
`RequestContext` Pointer

Event ID 1257: NDKPI Flush: QP NdkQp.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Flush

Description

NDKPI Flush: QP NdkQp.

Message #

NDKPI Flush: QP %1

Fields #

Name	Description
`NdkQp` Pointer

Event ID 1258: NDKPI Send (SGE SgeIndex/NumSge): RequestContext RequestContext QP NdkQp SGE SgeAddress/SgeLength/SgeMemoryRegionToken Flags Flags.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Send

Description

NDKPI Send (SGE SgeIndex/NumSge): RequestContext RequestContext QP NdkQp SGE SgeAddress/SgeLength/SgeMemoryRegionToken Flags Flags.

Message #

NDKPI Send (SGE %8/%6): RequestContext %2 QP %1 SGE %3/%4/%5 Flags %7

Fields #

Name	Description
`NdkQp` Pointer
`RequestContext` Pointer
`SgeAddress` Pointer
`SgeLength` UInt32
`SgeMemoryRegionToken` UInt32
`NumSge` Int32
`Flags` UInt32
`SgeIndex` Int32

Event ID 1259: NDKPI Receive (SGE SgeIndex/NumSge): RequestContext RequestContext QP NdkQp SGE SgeAddress/SgeLength/SgeMemoryRegionToken.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Receive

Description

NDKPI Receive (SGE SgeIndex/NumSge): RequestContext RequestContext QP NdkQp SGE SgeAddress/SgeLength/SgeMemoryRegionToken.

Message #

NDKPI Receive (SGE %8/%6): RequestContext %2 QP %1 SGE %3/%4/%5

Fields #

Name	Description
`NdkQp` Pointer
`RequestContext` Pointer
`SgeAddress` Pointer
`SgeLength` UInt32
`SgeMemoryRegionToken` UInt32
`NumSge` Int32
`Flags` UInt32
`SgeIndex` Int32

Event ID 1260: NDKPI Register MR: RequestContext RequestContext MR NdkMr MDL Mdl Length Length Flags Flags.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Register_Mr

Description

NDKPI Register MR: RequestContext RequestContext MR NdkMr MDL Mdl Length Length Flags Flags.

Message #

NDKPI Register MR: RequestContext %5 MR %1 MDL %2 Length %3 Flags %4

Fields #

Name	Description
`NdkMr` Pointer
`Mdl` Pointer
`Length` UInt64
`Flags` UInt32
`RequestContext` Pointer

Event ID 1261: NDKPI Deregister MR: RequestContext RequestContext MR NdkObject.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Deregister_Mr

Description

NDKPI Deregister MR: RequestContext RequestContext MR NdkObject.

Message #

NDKPI Deregister MR: RequestContext %2 MR %1

Fields #

Name	Description
`NdkObject` Pointer
`RequestContext` Pointer

Event ID 1262: NDKPI Initialize FastRegister MR: RequestContext RequestContext MR NdkMr AdapterPageCount AdapterPageCount RemoteAccess RemoteAccess.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Initialize_Fast_Register_Mr

Description

NDKPI Initialize FastRegister MR: RequestContext RequestContext MR NdkMr AdapterPageCount AdapterPageCount RemoteAccess RemoteAccess.

Message #

NDKPI Initialize FastRegister MR: RequestContext %4 MR %1 AdapterPageCount %2 RemoteAccess %3

Fields #

Name	Description
`NdkMr` Pointer
`AdapterPageCount` UInt32
`RemoteAccess` UInt32
`RequestContext` Pointer

Event ID 1263: NDKPI Modify SRQ: RequestContext RequestContext SRQ NdkSrq SrqDepth SrqDepth NotifyThreshold NotifyThreshold.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Modify_Srq

Description

NDKPI Modify SRQ: RequestContext RequestContext SRQ NdkSrq SrqDepth SrqDepth NotifyThreshold NotifyThreshold.

Message #

NDKPI Modify SRQ: RequestContext %4 SRQ %1 SrqDepth %2 NotifyThreshold %3

Fields #

Name	Description
`NdkSrq` Pointer
`SrqDepth` UInt32
`NotifyThreshold` UInt32
`RequestContext` Pointer

Event ID 1264: NDKPI Connect: RequestContext RequestContext Connector NdkConnector QP NdkQp SrcAddress SrcSockAddr DestAddress DestSockAddr IRD IRD ORD ORD PrivateDataLength PrivateDataLength.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Connect

Description

NDKPI Connect: RequestContext RequestContext Connector NdkConnector QP NdkQp SrcAddress SrcSockAddr DestAddress DestSockAddr IRD IRD ORD ORD PrivateDataLength PrivateDataLength.

Message #

NDKPI Connect: RequestContext %9 Connector %1 QP %2 SrcAddress %4 DestAddress %6 IRD %7 ORD %8 PrivateDataLength %11

Fields #

Name	Description
`NdkConnector` Pointer
`NdkQp` Pointer
`SrcSockAddrLength` UInt32
`SrcSockAddr` Binary
`DestSockAddrLength` UInt32
`DestSockAddr` Binary
`IRD` UInt32
`ORD` UInt32
`RequestContext` Pointer
`NdkSharedEndpoint` Pointer
`PrivateDataLength` UInt32

Event ID 1265: NDKPI Connect: RequestContext RequestContext Connector NdkConnector QP NdkQp SharedEndpoint NdkSharedEndpoint DestAddress DestSockAddr IRD IRD ORD ORD PrivateDataLength PrivateDataLength.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Connect_Shared_Endpoint

Description

NDKPI Connect: RequestContext RequestContext Connector NdkConnector QP NdkQp SharedEndpoint NdkSharedEndpoint DestAddress DestSockAddr IRD IRD ORD ORD PrivateDataLength PrivateDataLength.

Message #

NDKPI Connect: RequestContext %9 Connector %1 QP %2 SharedEndpoint %10 DestAddress %6 IRD %7 ORD %8 PrivateDataLength %11

Fields #

Name	Description
`NdkConnector` Pointer
`NdkQp` Pointer
`SrcSockAddrLength` UInt32
`SrcSockAddr` Binary
`DestSockAddrLength` UInt32
`DestSockAddr` Binary
`IRD` UInt32
`ORD` UInt32
`RequestContext` Pointer
`NdkSharedEndpoint` Pointer
`PrivateDataLength` UInt32

Event ID 1266: NDKPI CompleteConnect: RequestContext RequestContext Connector NdkConnector DisconnectEventContext DisconnectEventContext.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Complete_Connect

Description

NDKPI CompleteConnect: RequestContext RequestContext Connector NdkConnector DisconnectEventContext DisconnectEventContext.

Message #

NDKPI CompleteConnect: RequestContext %3 Connector %1 DisconnectEventContext %2

Fields #

Name	Description
`NdkConnector` Pointer
`DisconnectEventContext` Pointer
`RequestContext` Pointer

Event ID 1267: NDKPI Accept: RequestContext RequestContext Connector NdkConnector QP NdkQp IRD IRD ORD ORD PrivateDataLength PrivateDataLength DisconnectEventContext DisconnectEventContext.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Accept

Description

NDKPI Accept: RequestContext RequestContext Connector NdkConnector QP NdkQp IRD IRD ORD ORD PrivateDataLength PrivateDataLength DisconnectEventContext DisconnectEventContext.

Message #

NDKPI Accept: RequestContext %6 Connector %1 QP %2 IRD %3 ORD %4 PrivateDataLength %7 DisconnectEventContext %5

Fields #

Name	Description
`NdkConnector` Pointer
`NdkQp` Pointer
`IRD` UInt32
`ORD` UInt32
`DisconnectEventContext` Pointer
`RequestContext` Pointer
`PrivateDataLength` UInt32

Event ID 1268: NDKPI Disconnect: RequestContext RequestContext Connector NdkObject.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Disconnect

Description

NDKPI Disconnect: RequestContext RequestContext Connector NdkObject.

Message #

NDKPI Disconnect: RequestContext %2 Connector %1

Fields #

Name	Description
`NdkObject` Pointer
`RequestContext` Pointer

Event ID 1269: NDKPI Listen: RequestContext RequestContext Listener NdkListener Address SockAddr.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Listen

Description

NDKPI Listen: RequestContext RequestContext Listener NdkListener Address SockAddr.

Message #

NDKPI Listen: RequestContext %4 Listener %1 Address %3

Fields #

Name	Description
`NdkListener` Pointer
`SockAddrLength` UInt32
`SockAddr` Binary
`RequestContext` Pointer

Event ID 1270: NDKPI Create MW: RequestContext RequestContext PD NdkObject.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Create_Mw

Description

NDKPI Create MW: RequestContext RequestContext PD NdkObject.

Message #

NDKPI Create MW: RequestContext %2 PD %1

Fields #

Name	Description
`NdkObject` Pointer
`RequestContext` Pointer

Event ID 1271: NDKPI Create SRQ: RequestContext RequestContext PD NdkPd SrqDepth SrqDepth MaxReceiveRequestSge MaxReceiveRequestSge NotifyThreshold NotifyThreshold SrqNotificationContext SrqNotificationContext Af...

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Create_Srq

Description

NDKPI Create SRQ: RequestContext RequestContext PD NdkPd SrqDepth SrqDepth MaxReceiveRequestSge MaxReceiveRequestSge NotifyThreshold NotifyThreshold SrqNotificationContext SrqNotificationContext AffinityMask AffinityMask AffinityGroup AffinityGroup.

Message #

NDKPI Create SRQ: RequestContext %8 PD %1 SrqDepth %2 MaxReceiveRequestSge %3 NotifyThreshold %4 SrqNotificationContext %5 AffinityMask %6 AffinityGroup %7

Fields #

Name	Description
`NdkPd` Pointer
`SrqDepth` UInt32
`MaxReceiveRequestSge` UInt32
`NotifyThreshold` UInt32
`SrqNotificationContext` Pointer
`AffinityMask` UInt64
`AffinityGroup` UInt16
`RequestContext` Pointer

Event ID 1272: NDKPI Create QP: RequestContext RequestContext PD NdkPd ReceiveCQ ReceiveCq InitiatorCQ InitiatorCq QPContext QPContext ReceiveQueueDepth ReceiveQueueDepth InitiatorQueueDepth InitiatorQueueDepth M...

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Create_Qp

Description

NDKPI Create QP: RequestContext RequestContext PD NdkPd ReceiveCQ ReceiveCq InitiatorCQ InitiatorCq QPContext QPContext ReceiveQueueDepth ReceiveQueueDepth InitiatorQueueDepth InitiatorQueueDepth MaxReceiveRequestSge MaxReceiveRequestSge MaxInitiatorRequestSge MaxInitiatorRequestSge.

Message #

NDKPI Create QP: RequestContext %9 PD %1 ReceiveCQ %2 InitiatorCQ %3 QPContext %4 ReceiveQueueDepth %5 InitiatorQueueDepth %6 MaxReceiveRequestSge %7 MaxInitiatorRequestSge %8

Fields #

Name	Description
`NdkPd` Pointer
`ReceiveCq` Pointer
`InitiatorCq` Pointer
`QPContext` Pointer
`ReceiveQueueDepth` UInt32
`InitiatorQueueDepth` UInt32
`MaxReceiveRequestSge` UInt32
`MaxInitiatorRequestSge` UInt32
`RequestContext` Pointer
`NdkSrq` Pointer

Event ID 1273: NDKPI Create QP: RequestContext RequestContext PD NdkPd ReceiveCQ ReceiveCq InitiatorCQ InitiatorCq SRQ NdkSrq QPContext QPContext InitiatorQueueDepth InitiatorQueueDepth MaxInitiatorRequestSge Max...

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Create_Qp_Srq

Description

NDKPI Create QP: RequestContext RequestContext PD NdkPd ReceiveCQ ReceiveCq InitiatorCQ InitiatorCq SRQ NdkSrq QPContext QPContext InitiatorQueueDepth InitiatorQueueDepth MaxInitiatorRequestSge MaxInitiatorRequestSge.

Message #

NDKPI Create QP: RequestContext %9 PD %1 ReceiveCQ %2 InitiatorCQ %3 SRQ %10 QPContext %4 InitiatorQueueDepth %6 MaxInitiatorRequestSge %8

Fields #

Name	Description
`NdkPd` Pointer
`ReceiveCq` Pointer
`InitiatorCq` Pointer
`QPContext` Pointer
`ReceiveQueueDepth` UInt32
`InitiatorQueueDepth` UInt32
`MaxReceiveRequestSge` UInt32
`MaxInitiatorRequestSge` UInt32
`RequestContext` Pointer
`NdkSrq` Pointer

Event ID 1274: NDKPI Create PD: RequestContext RequestContext Adapter NdkObject.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Create_Pd

Description

NDKPI Create PD: RequestContext RequestContext Adapter NdkObject.

Message #

NDKPI Create PD: RequestContext %2 Adapter %1

Fields #

Name	Description
`NdkObject` Pointer
`RequestContext` Pointer

Event ID 1275: NDKPI Create SharedEndpoint: RequestContext RequestContext Adapter NdkListener Address SockAddr.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Create_Shared_Endpoint

Description

NDKPI Create SharedEndpoint: RequestContext RequestContext Adapter NdkListener Address SockAddr.

Message #

NDKPI Create SharedEndpoint: RequestContext %4 Adapter %1 Address %3

Fields #

Name	Description
`NdkListener` Pointer
`SockAddrLength` UInt32
`SockAddr` Binary
`RequestContext` Pointer

Event ID 1276: NDKPI Create Connector: RequestContext RequestContext Adapter NdkObject.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Create_Connector

Description

NDKPI Create Connector: RequestContext RequestContext Adapter NdkObject.

Message #

NDKPI Create Connector: RequestContext %2 Adapter %1

Fields #

Name	Description
`NdkObject` Pointer
`RequestContext` Pointer

Event ID 1277: NDKPI Create Listener: RequestContext RequestContext Adapter NdkAdapter ConnectEventContext ConnectEventContext.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Create_Listener

Description

NDKPI Create Listener: RequestContext RequestContext Adapter NdkAdapter ConnectEventContext ConnectEventContext.

Message #

NDKPI Create Listener: RequestContext %3 Adapter %1 ConnectEventContext %2

Fields #

Name	Description
`NdkAdapter` Pointer
`ConnectEventContext` Pointer
`RequestContext` Pointer

Event ID 1278: NDKPI Build LAM: RequestContext RequestContext Adapter NdkAdapter MDL Mdl Length Length LAMBuffer LAMBuffer LAMBufferSize LAMBufferSize.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Build_Lam

Description

NDKPI Build LAM: RequestContext RequestContext Adapter NdkAdapter MDL Mdl Length Length LAMBuffer LAMBuffer LAMBufferSize LAMBufferSize.

Message #

NDKPI Build LAM: RequestContext %4 Adapter %1 MDL %2 Length %3 LAMBuffer %5 LAMBufferSize %6

Fields #

Name	Description
`NdkAdapter` Pointer
`Mdl` Pointer
`Length` UInt64
`RequestContext` Pointer
`LAMBuffer` Pointer
`LAMBufferSize` UInt32

Event ID 1279: NDKPI Release LAM: Adapter NdkAdapter LAMBuffer LAMBuffer.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Release_Lam

Description

NDKPI Release LAM: Adapter NdkAdapter LAMBuffer LAMBuffer.

Message #

NDKPI Release LAM: Adapter %1 LAMBuffer %2

Fields #

Name	Description
`NdkAdapter` Pointer
`LAMBuffer` Pointer

Event ID 1280: NDKPI CQ Notification Callback: CqNotificationContext CqNotificationContext CqStatus CqStatus.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Cq_Notification_Callback

Description

NDKPI CQ Notification Callback: CqNotificationContext CqNotificationContext CqStatus CqStatus.

Message #

NDKPI CQ Notification Callback: CqNotificationContext %1 CqStatus %2

Fields #

Name	Description
`CqNotificationContext` Pointer
`CqStatus` UInt32

Event ID 1281: NDKPI SRQ Notification Callback: SrqNotificationContext SrqNotificationContext SrqStatus SrqStatus.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Srq_Notification_Callback

Description

NDKPI SRQ Notification Callback: SrqNotificationContext SrqNotificationContext SrqStatus SrqStatus.

Message #

NDKPI SRQ Notification Callback: SrqNotificationContext %1 SrqStatus %2

Fields #

Name	Description
`SrqNotificationContext` Pointer
`SrqStatus` UInt32

Event ID 1282: NDKPI Disconnect Event Callback: DisconnectEventContext DisconnectEventContext.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Disconnect_Event_Callback

Description

NDKPI Disconnect Event Callback: DisconnectEventContext DisconnectEventContext.

Message #

NDKPI Disconnect Event Callback: DisconnectEventContext %1

Fields #

Name	Description
`DisconnectEventContext` Pointer

Event ID 1283: NDKPI Connect Event Callback: ConnectEventContext ConnectEventContext Connector NdkConnector.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Connect_Event_Callback

Description

NDKPI Connect Event Callback: ConnectEventContext ConnectEventContext Connector NdkConnector.

Message #

NDKPI Connect Event Callback: ConnectEventContext %1 Connector %2

Fields #

Name	Description
`ConnectEventContext` Pointer
`NdkConnector` Pointer

Event ID 1284: NDKPI Got TokenType Token Token from NdkObjectType NdkObject.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Get_Token

Description

NDKPI Got TokenType Token Token from NdkObjectType NdkObject.

Message #

NDKPI Got %3 Token %4 from %2 %1

Fields #

Name	Description
`NdkObject` Pointer
`NdkObjectType` UInt32
`TokenType` UInt32
`Token` UInt32

Event ID 1285: NDKPI Got SockAddrType Address SockAddr from NdkObjectType NdkObject.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Get_Sockaddr

Description

NDKPI Got SockAddrType Address SockAddr from NdkObjectType NdkObject.

Message #

NDKPI Got %3 Address %5 from %2 %1

Fields #

Name	Description
`NdkObject` Pointer
`NdkObjectType` UInt32
`SockAddrType` UInt32
`SockAddrLength` UInt32
`SockAddr` Binary

Event ID 1286: NDKPI SockAddrType Address query failure Status on NdkObjectType NdkObject.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Get_Sockaddr_Failure

Description

NDKPI SockAddrType Address query failure Status on NdkObjectType NdkObject.

Message #

NDKPI %3 Address query failure %4 on %2 %1

Fields #

Name	Description
`NdkObject` Pointer
`NdkObjectType` UInt32
`SockAddrType` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 1287: NDKPI Reject: Connector NdkConnector PrivateDataLength PrivateDataLength Status Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Reject

Description

NDKPI Reject: Connector NdkConnector PrivateDataLength PrivateDataLength Status Status.

Message #

NDKPI Reject: Connector %1 PrivateDataLength %2 Status %3

Fields #

Name	Description
`NdkConnector` Pointer
`PrivateDataLength` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 1288: NDKPI Get Connect Data: Connector NdkConnector IRD IRD ORD ORD PrivateDataLength PrivateDataLength Status Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Get_Connect_Data

Description

NDKPI Get Connect Data: Connector NdkConnector IRD IRD ORD ORD PrivateDataLength PrivateDataLength Status Status.

Message #

NDKPI Get Connect Data: Connector %1 IRD %2 ORD %3 PrivateDataLength %4 Status %5

Fields #

Name	Description
`NdkConnector` Pointer
`IRD` UInt32
`ORD` UInt32
`PrivateDataLength` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 1289: NDKPI Work Request Inline Failure: RequestContext RequestContext QP NdkQp Status Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Work_Request_Inline_Failure

Description

NDKPI Work Request Inline Failure: RequestContext RequestContext QP NdkQp Status Status.

Message #

NDKPI Work Request Inline Failure: RequestContext %2 QP %1 Status %3

Fields #

Name	Description
`NdkQp` Pointer
`RequestContext` Pointer
`Status` UInt32	NTSTATUS reference

Event ID 1290: NDKPI Bind: RequestContext RequestContext QP NdkQp MR NdkMr MW NdkMw VirtualAddress VirtualAddress Length Length Flags Flags.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Bind

Description

NDKPI Bind: RequestContext RequestContext QP NdkQp MR NdkMr MW NdkMw VirtualAddress VirtualAddress Length Length Flags Flags.

Message #

NDKPI Bind: RequestContext %2 QP %1 MR %3 MW %4 VirtualAddress %5 Length %6 Flags %7

Fields #

Name	Description
`NdkQp` Pointer
`RequestContext` Pointer
`NdkMr` Pointer
`NdkMw` Pointer
`VirtualAddress` Pointer
`Length` UInt64
`Flags` UInt32

Event ID 1291: NDKPI FastRegister: RequestContext RequestContext QP NdkQp MR NdkMr AdapterPageCount AdapterPageCount AdapterPageArray AdapterPageArray FBO FBO Length Length BaseVirtualAddress BaseVirtualAddress F...

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Fast_Register

Description

NDKPI FastRegister: RequestContext RequestContext QP NdkQp MR NdkMr AdapterPageCount AdapterPageCount AdapterPageArray AdapterPageArray FBO FBO Length Length BaseVirtualAddress BaseVirtualAddress Flags Flags.

Message #

NDKPI FastRegister: RequestContext %2 QP %1 MR %3 AdapterPageCount %4 AdapterPageArray %5 FBO %6 Length %7 BaseVirtualAddress %8 Flags %9

Fields #

Name	Description
`NdkQp` Pointer
`RequestContext` Pointer
`NdkMr` Pointer
`AdapterPageCount` UInt32
`AdapterPageArray` Pointer
`FBO` UInt32
`Length` UInt64
`BaseVirtualAddress` Pointer
`Flags` UInt32

Event ID 1292: NDKPI Invalidate: RequestContext RequestContext QP NdkQp NdkObjectType NdkObject Flags Flags.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Invalidate

Description

NDKPI Invalidate: RequestContext RequestContext QP NdkQp NdkObjectType NdkObject Flags Flags.

Message #

NDKPI Invalidate: RequestContext %2 QP %1 %4 %3 Flags %5

Fields #

Name	Description
`NdkQp` Pointer
`RequestContext` Pointer
`NdkObject` Pointer
`NdkObjectType` UInt32
`Flags` UInt32

Event ID 1293: NDKPI Read (SGE SgeIndex/NumSge): RequestContext RequestContext QP NdkQp SGE SgeAddress/SgeLength/SgeMemoryRegionToken RemoteAddress RemoteAddress RemoteToken RemoteToken Flags Flags.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Read

Description

NDKPI Read (SGE SgeIndex/NumSge): RequestContext RequestContext QP NdkQp SGE SgeAddress/SgeLength/SgeMemoryRegionToken RemoteAddress RemoteAddress RemoteToken RemoteToken Flags Flags.

Message #

NDKPI Read (SGE %8/%6): RequestContext %2 QP %1 SGE %3/%4/%5 RemoteAddress %9 RemoteToken %10 Flags %7

Fields #

Name	Description
`NdkQp` Pointer
`RequestContext` Pointer
`SgeAddress` Pointer
`SgeLength` UInt32
`SgeMemoryRegionToken` UInt32
`NumSge` Int32
`Flags` UInt32
`SgeIndex` Int32
`RemoteAddress` UInt64
`RemoteToken` UInt32

Event ID 1294: NDKPI Write (SGE SgeIndex/NumSge): RequestContext RequestContext QP NdkQp SGE SgeAddress/SgeLength/SgeMemoryRegionToken RemoteAddress RemoteAddress RemoteToken RemoteToken Flags Flags.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Write

Description

NDKPI Write (SGE SgeIndex/NumSge): RequestContext RequestContext QP NdkQp SGE SgeAddress/SgeLength/SgeMemoryRegionToken RemoteAddress RemoteAddress RemoteToken RemoteToken Flags Flags.

Message #

NDKPI Write (SGE %8/%6): RequestContext %2 QP %1 SGE %3/%4/%5 RemoteAddress %9 RemoteToken %10 Flags %7

Fields #

Name	Description
`NdkQp` Pointer
`RequestContext` Pointer
`SgeAddress` Pointer
`SgeLength` UInt32
`SgeMemoryRegionToken` UInt32
`NumSge` Int32
`Flags` UInt32
`SgeIndex` Int32
`RemoteAddress` UInt64
`RemoteToken` UInt32

Event ID 1295: NDKPI SRQ Receive (SGE SgeIndex/NumSge): RequestContext RequestContext SRQ NdkSrq SGE SgeAddress/SgeLength/SgeMemoryRegionToken.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_SrqReceive

Description

NDKPI SRQ Receive (SGE SgeIndex/NumSge): RequestContext RequestContext SRQ NdkSrq SGE SgeAddress/SgeLength/SgeMemoryRegionToken.

Message #

NDKPI SRQ Receive (SGE %8/%6): RequestContext %2 SRQ %1 SGE %3/%4/%5

Fields #

Name	Description
`NdkSrq` Pointer
`RequestContext` Pointer
`SgeAddress` Pointer
`SgeLength` UInt32
`SgeMemoryRegionToken` UInt32
`NumSge` Int32
`Flags` UInt32
`SgeIndex` Int32

Event ID 1296: NDKPI SRQ Work Request Inline Failure: RequestContext RequestContext SRQ NdkSrq Status Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Srq_Work_Request_Inline_Failure

Description

NDKPI SRQ Work Request Inline Failure: RequestContext RequestContext SRQ NdkSrq Status Status.

Message #

NDKPI SRQ Work Request Inline Failure: RequestContext %2 SRQ %1 Status %3

Fields #

Name	Description
`NdkSrq` Pointer
`RequestContext` Pointer
`Status` UInt32	NTSTATUS reference

Event ID 1297: NDKPI Open Adapter: InterfaceIndex InterfaceIndex Adapter NdkAdapter Status Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Open_Adapter

Description

NDKPI Open Adapter: InterfaceIndex InterfaceIndex Adapter NdkAdapter Status Status.

Message #

NDKPI Open Adapter: InterfaceIndex %1 Adapter %2 Status %3

Fields #

Name	Description
`InterfaceIndex` UInt32
`NdkAdapter` Pointer
`Status` UInt32	NTSTATUS reference

Event ID 1298: NDKPI Close Adapter (Enter): Adapter NdkAdapter.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Close_Adapter_Enter

Description

NDKPI Close Adapter (Enter): Adapter NdkAdapter.

Message #

NDKPI Close Adapter (Enter): Adapter %1

Fields #

Name	Description
`NdkAdapter` Pointer

Event ID 1299: NDKPI Close Adapter (Exit): Adapter NdkAdapter.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Close_Adapter_Exit

Description

NDKPI Close Adapter (Exit): Adapter NdkAdapter.

Message #

NDKPI Close Adapter (Exit): Adapter %1

Fields #

Name	Description
`NdkAdapter` Pointer

Event ID 1300: TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) exists.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: Informational
Task: TcpConnectionRundown

Description

TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) exists. State = State. PID = Pid.

Message #

TCP: connection %1 (local=%3 remote=%5) exists. State = %6. PID = %7.

Fields #

Name	Description
`Tcb` Pointer
`LocalAddressLength` UInt32
`LocalAddress` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary
`State` UInt32
`Pid` UInt32
`ProcessStartKey` UInt64
`SendTrackerEnabled` UInt32
`RcvBufSet` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1300",
    "version": "2",
    "level": "4",
    "task": "1300",
    "opcode": "0",
    "keywords": 9223372054034646148,
    "time_created": "2026-03-16T00:21:34.294712000+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{1cf5fec0-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "9132",
      "thread_id": "4236"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A1CF5FEC0",
    "LocalAddressLength": "      16",
    "LocalAddress": "10.2.10.21:52992",
    "RemoteAddressLength": "      16",
    "RemoteAddress": "10.2.10.11:49669",
    "State": "      10",
    "Pid": "       0",
    "ProcessStartKey": "0",
    "SendTrackerEnabled": "       0"
  },
  "message": ""
}

Event ID 1301: NDKPI Interface Event: InterfaceIndex InterfaceIndex, NDK-Operational NDKOperational, EventDescription (StatusCode).

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Interface_Event

Description

NDKPI Interface Event: InterfaceIndex InterfaceIndex, NDK-Operational NDKOperational, EventDescription (StatusCode).

Message #

NDKPI Interface Event: InterfaceIndex %1, NDK-Operational %3, %2 (%4)

Fields #

Name	Description
`InterfaceIndex` UInt32
`EventDescription` UInt32
`NDKOperational` UInt32
`StatusCode` UInt32	NTSTATUS reference

Event ID 1302: Network adapter Luid AdapterLuid received a wake packet matching pattern PatternFriendlyName.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipWakePacketIndicated

Description

Network adapter Luid AdapterLuid received a wake packet matching pattern PatternFriendlyName. Protocol: Protocol. Destination MAC address: DestDLAddress. Source: SrcAddress : SrcPort, Destination: DestAddress : DestPort.

Message #

Network adapter Luid %1 received a wake packet matching pattern %2. Protocol: %8. Destination MAC address: %5. Source: %6 : %9, Destination: %7 : %10.

Fields #

Name	Description
`AdapterLuid` UInt64
`PatternFriendlyName` UnicodeString
`DlAddrLength` UInt32
`SrcDLAddress` Binary
`DestDLAddress` Binary
`SrcAddress` UInt32
`DestAddress` UInt32
`Protocol` UInt32	Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`SrcPort` UInt16
`DestPort` UInt16

Event ID 1302: Network adapter Luid .

Provider: Microsoft-Windows-TCPIP
Channel: Operational
Task: TcpipWakePacketIndicated

Description

Network adapter Luid received a wake packet matching pattern . Protocol: . Destination MAC address: . Source: : , Destination: : .

Message #

Network adapter Luid %1 received a wake packet matching pattern %2. Protocol: %8. Destination MAC address: %5. Source: %6 : %9, Destination: %7 : %10.

Fields #

Name	Description
`AdapterLuid` UInt64
`PatternFriendlyName` UnicodeString
`DlAddrLength` UInt32
`SrcDLAddress` Binary
`DestDLAddress` Binary
`SrcAddress` UInt32
`DestAddress` UInt32
`Protocol` UInt32	Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`SrcPort` UInt16
`DestPort` UInt16

Event ID 1303: Network adapter Luid AdapterLuid received a wake packet matching pattern PatternFriendlyName.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipWakePacketIndicated

Description

Message #

Network adapter Luid %1 received a wake packet matching pattern %2. Protocol: %9. Destination MAC address: %5. Source: %7 : %10, Destination %8 : %11.

Fields #

Name	Description
`AdapterLuid` UInt64
`PatternFriendlyName` UnicodeString
`DlAddrLength` UInt32
`SrcDLAddress` Binary
`DestDLAddress` Binary
`IpAddrLength` UInt32
`SrcAddress` Binary
`DestAddress` Binary
`Protocol` UInt32	Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`SrcPort` UInt16
`DestPort` UInt16

Event ID 1303: Network adapter Luid .

Provider: Microsoft-Windows-TCPIP
Channel: Operational
Task: TcpipWakePacketIndicated

Description

Network adapter Luid received a wake packet matching pattern . Protocol: . Destination MAC address: . Source: : , Destination : .

Message #

Network adapter Luid %1 received a wake packet matching pattern %2. Protocol: %9. Destination MAC address: %5. Source: %7 : %10, Destination %8 : %11.

Fields #

Name	Description
`AdapterLuid` UInt64
`PatternFriendlyName` UnicodeString
`DlAddrLength` UInt32
`SrcDLAddress` Binary
`DestDLAddress` Binary
`IpAddrLength` UInt32
`SrcAddress` Binary
`DestAddress` Binary
`Protocol` UInt32	Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`SrcPort` UInt16
`DestPort` UInt16

Event ID 1304: TCP: Connection Tcb: Silent Mode SilentModeEvent Context Context.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipSilentMode

Description

TCP: Connection Tcb: Silent Mode SilentModeEvent Context Context.

Message #

TCP: Connection %1: Silent Mode %2 Context %3

Fields #

Name	Description
`Tcb` Pointer
`SilentModeEvent` UInt32
`Context` Pointer

Event ID 1305: TCP: Connection Tcb notification channel request.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpCreateNotificationChannelRequest

Description

TCP: Connection Tcb notification channel request. NcmContext = NcmContext, TCB State = State, PID = Pid, IsLoopback = IsLoopback, Status = Status.

Message #

TCP: Connection %1 notification channel request. NcmContext = %2, TCB State = %3, PID = %4, IsLoopback = %5, Status = %7.

Fields #

Name	Description
`Tcb` Pointer
`NcmContext` Pointer
`State` UInt32
`Pid` UInt32
`IsLoopback` UInt32
`ChannelStatus` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 1306: TCP: Connection Tcb query notification channel status request.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpQueryNotificationChannelStatusRequest

Description

TCP: Connection Tcb query notification channel status request. NcmContext = NcmContext, PID = Pid, Channel Status = ChannelStatus, Status = Status.

Message #

TCP: Connection %1 query notification channel status request. NcmContext = %2, PID = %4, Channel Status = %6, Status = %7.

Fields #

Name	Description
`Tcb` Pointer
`NcmContext` Pointer
`State` UInt32
`Pid` UInt32
`IsLoopback` UInt32
`ChannelStatus` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 1307: TCP: Connection Tcb notification channel request processed.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpCreateNotificationChannelRequestProcessed

Description

TCP: Connection Tcb notification channel request processed. NcmContext = NcmContext, PID = Pid, Status = Status PushNotificationId = PushNotificationGuid.

Message #

TCP: Connection %1 notification channel request processed. NcmContext = %2, PID = %3, Status = %4 PushNotificationId = %5.

Fields #

Name	Description
`Tcb` Pointer
`NcmContext` Pointer
`Pid` UInt32
`Status` UInt32	NTSTATUS reference
`PushNotificationGuid` GUID

Event ID 1308: TCP: Connection Tcb notification channel signal event.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpSignalNotificationChannelEvent

Description

TCP: Connection Tcb notification channel signal event. NcmContext = NcmContext, PID = Pid, RcvNxt = RcvNxt, Delivered Data = Delivered, Indicated Data = Indicated, FinalEvent = FinalEvent.

Message #

TCP: Connection %1 notification channel signal event. NcmContext = %2, PID = %3, RcvNxt = %4, Delivered Data = %5, Indicated Data = %6, FinalEvent = %7.

Fields #

Name	Description
`Tcb` Pointer
`NcmContext` Pointer
`Pid` UInt32
`RcvNxt` UInt32
`Delivered` UInt32
`Indicated` UInt32
`FinalEvent` UInt32

Event ID 1309: TCP: Connection Tcb notification channel detached.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpDetachNotificationChannel

Description

TCP: Connection Tcb notification channel detached. NcmContext = NcmContext, TCB State = State. Cleanup NcmContext = IsLoopback.

Message #

TCP: Connection %1 notification channel detached. NcmContext = %2, TCB State = %3. Cleanup NcmContext = %5

Fields #

Name	Description
`Tcb` Pointer
`NcmContext` Pointer
`State` UInt32
`Pid` UInt32
`IsLoopback` UInt32
`ChannelStatus` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 1310: TCP: Connection Tcb notification channel unlinked.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpUnlinkNotificationChannel

Description

TCP: Connection Tcb notification channel unlinked. TCB State = State.

Message #

TCP: Connection %1 notification channel unlinked. TCB State = %3.

Fields #

Name	Description
`Tcb` Pointer
`NcmContext` Pointer
`State` UInt32
`Pid` UInt32
`IsLoopback` UInt32
`ChannelStatus` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 1311: TCP: Connection Tcb notification channel wake pattern plumbing.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpPlumbWakePattern

Description

TCP: Connection Tcb notification channel wake pattern plumbing. SystemReserved = SystemReserved, Wake-on-Lan Handle = WolHandle, Status = Status.

Message #

TCP: Connection %1 notification channel wake pattern plumbing. SystemReserved = %2, Wake-on-Lan Handle = %3, Status = %4.

Fields #

Name	Description
`Tcb` Pointer
`SystemReserved` UInt32
`WolHandle` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 1312: TCP: Connection Tcb notification channel wake pattern deplumbing.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpDeplumbWakePattern

Description

TCP: Connection Tcb notification channel wake pattern deplumbing. Wake-on-Lan Handle = WolHandle, Status = Status.

Message #

TCP: Connection %1 notification channel wake pattern deplumbing. Wake-on-Lan Handle = %3, Status = %4.

Fields #

Name	Description
`Tcb` Pointer
`SystemReserved` UInt32
`WolHandle` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 1313: TCPIP: Interface index InterfaceIndex wake pattern properties.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipPlumbWakePatternOnInterface

Description

TCPIP: Interface index InterfaceIndex wake pattern properties. AOAC capable = AoAcCapable, Bitmap pattern supported = BitmapPatternSupported, ARP/ND offload supported = ARPNDOffloadSupported, IP address = IPv4Address IPProtocol IPv6Address wake ready = IPAddressWakeReady, Wol handle = WolHandle, pattern priority = PhysicalMediumType, interface medium = IpAddrLength, Status = Status, Has been AOAC capable = HasBeenAoAcCapable.

Message #

TCPIP: Interface index %1 wake pattern properties. AOAC capable = %2, Bitmap pattern supported = %3, ARP/ND offload supported = %4, IP address = %9 %11 %10 wake ready = %5, pattern priority = %6, interface medium = %7, Status = %12.

Fields #

Name	Description
`InterfaceIndex` UInt32
`AoAcCapable` UInt32
`BitmapPatternSupported` UInt32
`ARPNDOffloadSupported` UInt32
`IPAddressWakeReady` UInt32
`PatternPriority` UInt32
`PhysicalMediumType` UInt32
`IpAddrLength` UInt32
`IPv4Address` UInt32
`IPv6Address` Binary
`IPProtocol` UInt32
`Status` UInt32	NTSTATUS reference
`HasBeenAoAcCapable` UInt32
`WolHandle` UInt32

Event ID 1314: NDKPI Control CQ Interrupt Moderation: CQ NdkCq Interval ModerationInterval Count ModerationCount Status Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Control_Cq_Im

Description

NDKPI Control CQ Interrupt Moderation: CQ NdkCq Interval ModerationInterval Count ModerationCount Status Status.

Message #

NDKPI Control CQ Interrupt Moderation: CQ %1 Interval %2 Count %3 Status %4

Fields #

Name	Description
`NdkCq` Pointer
`ModerationInterval` UInt32
`ModerationCount` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 1315: TCP: Connection Tcb notification channel request processing.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpCreateNotificationChannelRequestProcessing

Description

TCP: Connection notification channel request processing. IsRedirected = , WfpFailure = , Status = , WaitStatus = , Local IP address = , Remote IP address = Local Port = , Remote Port = .

Message #

TCP: Connection %1 notification channel request processing. IsRedirected = %2, WfpFailure = %3, Status = %4, WaitStatus = %5, Local IP address = %7 %9 %8, Remote IP address = %10 %9 %11 Local Port = %12, Remote Port = %13.

Fields #

Name	Description
`Tcb` Pointer
`IsRedirected` UInt32
`WfpFailure` UInt32
`Status` UInt32	NTSTATUS reference
`WaitStatus` UInt32
`IpAddrLength` UInt32
`LocalIPv4Address` UInt32
`LocalIPv6Address` Binary
`IPProtocol` UInt32
`RemoteIPv4Address` UInt32
`RemoteIPv6Address` Binary
`SrcPort` UInt16
`DestPort` UInt16

Event ID 1316: IP: IP address lifetime = IPv4Address IPProtocol IPv6Address on interface = Interface, protocol = Protocol, CurrentTime = CurrentTime Old BaseTime = OldBaseTime Old ValidTime = OldValidTime New Bas...

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipIpAddressLifetime

Description

IP: IP address lifetime = IPv4Address IPProtocol IPv6Address on interface = Interface, protocol = Protocol, CurrentTime = CurrentTime Old BaseTime = OldBaseTime Old ValidTime = OldValidTime New BaseTime = NewBaseTime New ValidTime = NewValidTime.

Message #

IP: IP address lifetime = %4 %6 %5 on interface = %1, protocol = %2, CurrentTime = %7 Old BaseTime = %8 Old ValidTime = %9 New BaseTime = %11 New ValidTime = %12.

Fields #

Name	Description
`Interface` UInt32
`Protocol` AnsiString	Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`IpAddrLength` UInt32
`IPv4Address` UInt32
`IPv6Address` Binary
`IPProtocol` UInt32
`CurrentTime` UInt32
`OldBaseTime` UInt32
`OldValidTime` UInt32
`OldPreferredTime` UInt32
`NewBaseTime` UInt32
`NewValidTime` UInt32
`NewPreferredTime` UInt32
`InterfaceGuid` GUID
`IpAddressLifetimeChangeReason` UInt32

Event ID 1317: TCP: Repartition event Event (Type) OldPartitionCount.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpRepartitionEvent

Description

TCP: Repartition event Event (Type) OldPartitionCount.

Message #

TCP: Repartition event %1 (%2) %5.

Fields #

Name	Description
`Event` Pointer
`Type` UInt32
`Processor` UInt32
`PowerSource` UInt32
`OldPartitionCount` UInt32
`NewPartitionCount` UInt32
`Progress` UInt32

Event ID 1318: Component PowerStateTransition on processor IndicatingProcessor at Tick = CurrentTick Time = CurrentTime.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipPowerStateTransitionEvent

Description

Component PowerStateTransition on processor IndicatingProcessor at Tick = CurrentTick Time = CurrentTime.

Message #

%1 %2 on processor %3 at Tick = %4 Time = %5.

Fields #

Name	Description
`Component` UInt32
`PowerStateTransition` UInt32
`IndicatingProcessor` UInt32
`CurrentTick` UInt32
`CurrentTime` UInt64

Event ID 1319: Component timer rescheduled by processor Indicating Processor for processor Target Processor at Tick = Current Tick to Tick = Next Expiration Tick, OldScheduledExpiration = Old Scheduled Expiration...

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: Verbose
Task: TcpipTimerDpcRescheduleEvent

Description

Component timer rescheduled by processor Indicating Processor for processor Target Processor at Tick = Current Tick to Tick = Next Expiration Tick, OldScheduledExpiration = Old Scheduled Expiration NewScheduledExpiration = New Scheduled Expiration DueTime = Due Time Aperiodic = Aperiodic.

Message #

%1 timer rescheduled by processor %2 for processor %3 at Tick = %4 to Tick = %5, OldScheduledExpiration = %6 NewScheduledExpiration = %7 DueTime = %8 Aperiodic = %9.

Fields #

Name	Description
`Component` UInt32
`IndicatingProcessor` UInt32
`TargetProcessor` UInt32
`CurrentTick` UInt32
`NextExpirationTick` UInt32
`DueTime` Int64
`Aperiodic` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1319",
    "version": "0",
    "level": "5",
    "task": "1460",
    "opcode": "0",
    "keywords": 9223372586610589696,
    "time_created": "2026-03-16T00:21:34.388840200+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}"
    },
    "execution": {
      "process_id": "4168",
      "thread_id": "6880"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Component": "       1",
    "Indicating Processor": "       9",
    "Target Processor": "      10",
    "Current Tick": "57753289",
    "Next Expiration Tick": "57753299",
    "Old Scheduled Expiration": "577539799250",
    "New Scheduled Expiration": "577532789097",
    "Due Time": "-100000",
    "Aperiodic": "       1"
  },
  "message": ""
}

Event ID 1320: Component timer fired on processor Target Processor at Tick = Current Tick, was scheduled for = Next Expiration.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: Verbose
Task: TcpipTimerDpcFiredEvent

Description

Component timer fired on processor Target Processor at Tick = Current Tick, was scheduled for = Next Expiration.

Message #

%1 timer fired on processor %2 at Tick = %3, was scheduled for = %4.

Fields #

Name	Description
`Component` UInt32
`TargetProcessor` UInt32
`CurrentTick` UInt32
`NextExpiration` UInt32
`ExternalTrigger` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1320",
    "version": "0",
    "level": "5",
    "task": "1461",
    "opcode": "0",
    "keywords": 9223372586610589696,
    "time_created": "2026-03-16T00:21:34.401656600+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Component": "       1",
    "Target Processor": "      10",
    "Current Tick": "57753302",
    "Next Expiration": "57753299",
    "Current Interrupt Time": "577532821643",
    "Scheduled Expiration Time": "577532789097",
    "External Trigger": "       0"
  },
  "message": ""
}

Event ID 1321: IP: Connecting interface InterfaceIndex, trace = TraceString.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipMediaConnect

Description

IP: Connecting interface InterfaceIndex, trace = TraceString.

Message #

IP: Connecting interface %1, trace = %2.

Fields #

Name	Description
`InterfaceIndex` UInt32
`TraceString` AnsiString
`CompartmentId` UInt32

Event ID 1322: IP: Limited link connectivity set on interface InterfaceIndex, trace = TraceString.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipLimitedLinkConnectivity

Description

IP: Limited link connectivity set on interface InterfaceIndex, trace = TraceString.

Message #

IP: Limited link connectivity set on interface %1, trace = %2.

Fields #

Name	Description
`InterfaceIndex` UInt32
`TraceString` AnsiString
`CompartmentId` UInt32

Event ID 1323: IP: Limited link connectivity reset on interface InterfaceIndex, trace = TraceString.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipLimitedLinkConnectivity

Description

IP: Limited link connectivity reset on interface InterfaceIndex, trace = TraceString.

Message #

IP: Limited link connectivity reset on interface %1, trace = %2.

Fields #

Name	Description
`InterfaceIndex` UInt32
`TraceString` AnsiString
`CompartmentId` UInt32

Event ID 1324: IP: Neighbor with IpAddress = IP Address DlAddress = DL Address on Interface = Interface changed state from Old Neighbor State to New Neighbor State due to Event = Neighbor Event.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: Informational
Task: IpNeighborState

Description

IP: Neighbor with IpAddress = IP Address DlAddress = DL Address on Interface = Interface changed state from Old Neighbor State to New Neighbor State due to Event = Neighbor Event.

Message #

IP: Neighbor with IpAddress = %3 DlAddress = %5 on Interface = %1 changed state from %6 to %7 due to Event = %8.

Fields #

Name	Description
`Interface` UInt32
`IpAddrLength` UInt32
`IPAddress` Binary
`DlAddrLength` UInt32
`DLAddress` Binary
`OldNeighborState` UInt32
`NewNeighborState` UInt32
`NeighborEvent` UInt32
`CompartmentId` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1324",
    "version": "1",
    "level": "4",
    "task": "1324",
    "opcode": "0",
    "keywords": 9223372036854775840,
    "time_created": "2026-03-16T00:22:30.711141200+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Interface": "       6",
    "IpAddrLength": "      16",
    "IP Address": "10.2.10.11",
    "DlAddrLength": "       6",
    "DL Address": "0xBC241141F258",
    "Old Neighbor State": "       5",
    "New Neighbor State": "       2",
    "Neighbor Event": "       9",
    "CompartmentId": "       1"
  },
  "message": ""
}

Event ID 1325: IP: Neighbor Event on Interface = Interface from SourceIpAddress = Source IP Address for TargetIpAddress = Target IP Address.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: Verbose
Task: IpNeighborDiscovery

Description

IP: Neighbor Event on Interface = Interface from SourceIpAddress = Source IP Address for TargetIpAddress = Target IP Address.

Message #

IP: %5 on Interface = %1 from SourceIpAddress = %3 for TargetIpAddress = %4.

Fields #

Name	Description
`Interface` UInt32
`IpAddrLength` UInt32
`SourceIPAddress` Binary
`TargetIPAddress` Binary
`NeighborEvent` UInt32
`CompartmentId` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1325",
    "version": "1",
    "level": "5",
    "task": "1325",
    "opcode": "0",
    "keywords": 9223372036854775840,
    "time_created": "2026-03-16T00:21:59.242716700+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Interface": "       6",
    "IpAddrLength": "      16",
    "Source IP Address": "10.2.10.254",
    "Target IP Address": "10.2.10.21",
    "Neighbor Event": "      12",
    "CompartmentId": "       1"
  },
  "message": ""
}

Event ID 1326: IP: Source address PreferredSourceIPAddress is preferred over NonPreferredSourceIPAddress for Destination DestinationIPAddress in Compartment CompartmentId, Reason: RuleName.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpSourceAddressSelection

Description

IP: Source address PreferredSourceIPAddress is preferred over NonPreferredSourceIPAddress for Destination DestinationIPAddress in Compartment CompartmentId, Reason: RuleName (Rule Rule.RuleExtension).

Message #

IP: Source address %2 is preferred over %3 for Destination %4 in Compartment %5, Reason: %8 (Rule %6.%7).

Fields #

Name	Description
`IpAddrLength` UInt32
`PreferredSourceIPAddress` Binary
`NonPreferredSourceIPAddress` Binary
`DestinationIPAddress` Binary
`CompartmentId` UInt32
`Rule` UInt32
`RuleExtension` UInt32
`RuleName` UInt32

Event ID 1327: IP: Address pair (Preferred Source IP Address, Preferred Destination IP Address) is preferred over (Non-Preferred Source IP Address, Non-Preferred Destination IP Address) by SortOptions = Sort Opti...

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Verbose
Task: IpSortedAddressPairs

Description

IP: Address pair (Preferred Source IP Address, Preferred Destination IP Address) is preferred over (Non-Preferred Source IP Address, Non-Preferred Destination IP Address) by SortOptions = Sort Option, Rule = Rule Type Rule Major.Rule Minor.

Message #

IP: Address pair (%2, %3) is preferred over (%4, %5) by SortOptions = %6, Rule = %7 %8.%9.

Fields #

Name	Description
`IpAddrLength` UInt32
`PreferredSourceIPAddress` Binary
`PreferredDestinationIPAddress` Binary
`NonPreferredSourceIPAddress` Binary
`NonPreferredDestinationIPAddress` Binary
`SortOption` UInt32
`RuleType` AnsiString
`RuleMajor` UInt32
`RuleMinor` UInt32
`RuleName` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1327",
    "version": "1",
    "level": "5",
    "task": "1327",
    "opcode": "0",
    "keywords": 9223372036854775840,
    "time_created": "2026-03-16T00:23:59.745142800+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}"
    },
    "execution": {
      "process_id": "1992",
      "thread_id": "6452"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "IpAddrLength": "      28",
    "Preferred Source IP Address": "::ffff:10.2.10.21",
    "Preferred Destination IP Address": "::ffff:192.228.79.201",
    "Non-Preferred Source IP Address": "::",
    "Non-Preferred Destination IP Address": "2001:478:65::53",
    "Sort Option": "       0",
    "Rule Type": "D",
    "Rule Major": "       1",
    "Rule Minor": "       0",
    "RuleName": "      16"
  },
  "message": ""
}

Event ID 1328: NDKPI ResultEx ResultIndex/ResultCount: CQ NdkCq RequestContext RequestContext Status Status BytesTransferred BytesTransferred QpContext QpContext Type Type TypeSpecific TypeSpecificCompletionOutput.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Cq_Result_Ex

Description

NDKPI ResultEx ResultIndex/ResultCount: CQ NdkCq RequestContext RequestContext Status Status BytesTransferred BytesTransferred QpContext QpContext Type Type TypeSpecific TypeSpecificCompletionOutput.

Message #

NDKPI ResultEx %6/%7: CQ %1 RequestContext %5 Status %2 BytesTransferred %3 QpContext %4 Type %8 TypeSpecific %9

Fields #

Name	Description
`NdkCq` Pointer
`Status` UInt32	NTSTATUS reference
`BytesTransferred` UInt32
`QpContext` Pointer
`RequestContext` Pointer
`ResultIndex` Int32
`ResultCount` Int32
`Type` UInt32
`TypeSpecificCompletionOutput` UInt64
`ProviderErrorCode` UInt32

Event ID 1329: NDKPI SendInvalidate (SGE SgeIndex/NumSge): RequestContext RequestContext QP NdkQp SGE SgeAddress/SgeLength/SgeMemoryRegionToken RemoteToken RemoteToken Flags Flags.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Send_Invalidate

Description

NDKPI SendInvalidate (SGE SgeIndex/NumSge): RequestContext RequestContext QP NdkQp SGE SgeAddress/SgeLength/SgeMemoryRegionToken RemoteToken RemoteToken Flags Flags.

Message #

NDKPI SendInvalidate (SGE %8/%6): RequestContext %2 QP %1 SGE %3/%4/%5 RemoteToken %9 Flags %7

Fields #

Name	Description
`NdkQp` Pointer
`RequestContext` Pointer
`SgeAddress` Pointer
`SgeLength` UInt32
`SgeMemoryRegionToken` UInt32
`NumSge` Int32
`Flags` UInt32
`SgeIndex` Int32
`RemoteToken` UInt32

Event ID 1330: TCP: connection Tcb: Cumulative Ack event, SeqNo = SeqNo, BytesAcked = BytesAcked, CWnd = Cwnd, SndWnd =SndWnd.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: Informational
Task: TcpDataTransferCumAck

Description

TCP: connection Tcb: Cumulative Ack event, SeqNo = SeqNo, BytesAcked = BytesAcked, CWnd = Cwnd, SndWnd =SndWnd.

Message #

TCP: connection %1: Cumulative Ack event, SeqNo = %5, BytesAcked = %4, CWnd = %2, SndWnd =%3.

Fields #

Name	Description
`Tcb` Pointer
`Cwnd` UInt32
`SndWnd` UInt32
`BytesAcked` UInt32
`SeqNo` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1330",
    "version": "0",
    "level": "4",
    "task": "1071",
    "opcode": "0",
    "keywords": 9223372041149743104,
    "time_created": "2026-03-16T00:21:34.390572700+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{1018b560-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "4248",
      "thread_id": "4684"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A1018B560",
    "Cwnd": " 2110976",
    "SndWnd": " 2110976",
    "BytesAcked": "    1303",
    "SeqNo": "2307521250"
  },
  "message": ""
}

Event ID 1331: TCP: connection Tcb: CTCP Cumulative Ack event, SeqNo = SeqNo, BytesAcked = BytesAcked, CWnd = Cwnd, SndWnd =SndWnd.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpCtcpDataTransferCumAck

Description

TCP: connection Tcb: CTCP Cumulative Ack event, SeqNo = SeqNo, BytesAcked = BytesAcked, CWnd = Cwnd, SndWnd =SndWnd.

Message #

TCP: connection %1: CTCP Cumulative Ack event, SeqNo = %5, BytesAcked = %4, CWnd = %2, SndWnd =%3.

Fields #

Name	Description
`Tcb` Pointer
`Cwnd` UInt32
`SndWnd` UInt32
`BytesAcked` UInt32
`SeqNo` UInt32

Event ID 1332: TCP: connection Tcb: TCP send event, SeqNo = SeqNo, BytesSent = BytesSent, CWnd = Cwnd, SndWnd = SndWnd, SRtt = SRtt, RttVar = RttVar, RTO = RTO.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: Informational
Task: TcpDataTransferSend

Description

TCP: connection Tcb: TCP send event, SeqNo = SeqNo, BytesSent = BytesSent, CWnd = Cwnd, SndWnd = SndWnd, SRtt = SRtt, RttVar = RttVar, RTO = RTO.

Message #

TCP: connection %1: TCP send event, SeqNo = %5, BytesSent = %4, CWnd = %2, SndWnd = %3, SRtt = %6, RttVar = %7, RTO = %8

Fields #

Name	Description
`Tcb` Pointer
`Cwnd` UInt32
`SndWnd` UInt32
`BytesSent` UInt32
`SeqNo` UInt32
`SRtt` UInt32
`RttVar` UInt32
`RTO` UInt32
`RcvWnd` UInt32
`PacingRate` UInt32
`TcpState` UInt32
`CongestionState` UInt32
`SndUna` UInt32
`SndMax` UInt32
`RecoveryMax` UInt32
`RcvBufSet` UInt32
`MaxRcvBuf` UInt32
`LocalAddressLength` UInt32
`LocalAddress` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1332",
    "version": "1",
    "level": "4",
    "task": "1073",
    "opcode": "0",
    "keywords": 9223372041149743104,
    "time_created": "2026-03-15T23:26:13.266633700+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{ff7af7e0-d78f-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFFD78FFF7AF7E0",
    "Cwnd": " 1705088",
    "SndWnd": " 1705088",
    "BytesSent": "       0",
    "SeqNo": "644684595",
    "SRtt": "     596",
    "RttVar": "     279",
    "RTO": "      60",
    "RcvWnd": "  261882"
  },
  "message": ""
}

Event ID 1333: TCP: connection Tcb: TCP CTCP send event, SeqNo = SeqNo, BytesSent = BytesSent, CWnd = Cwnd, SndWnd = SndWnd, SRtt = SRtt, RttVar = RttVar, RTO = RTO.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpCtcpDataTransferSend

Description

TCP: connection Tcb: TCP CTCP send event, SeqNo = SeqNo, BytesSent = BytesSent, CWnd = Cwnd, SndWnd = SndWnd, SRtt = SRtt, RttVar = RttVar, RTO = RTO.

Message #

TCP: connection %1: TCP CTCP send event, SeqNo = %5, BytesSent = %4, CWnd = %2, SndWnd = %3, SRtt = %6, RttVar = %7, RTO = %8.

Fields #

Name	Description
`Tcb` Pointer
`Cwnd` UInt32
`SndWnd` UInt32
`BytesSent` UInt32
`SeqNo` UInt32
`SRtt` UInt32
`RttVar` UInt32
`RTO` UInt32
`RcvWnd` UInt32

Event ID 1334: UDP: Endpoint UdpEndpoint notification channel request.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: UdpCreateNotificationChannelRequest

Description

UDP: Endpoint UdpEndpoint notification channel request. NcmContext = NcmContext, Endpoint State = Activated, PID = Pid, IsLoopback = IsLoopback, Status = Status.

Message #

UDP: Endpoint %1 notification channel request. NcmContext = %2, Endpoint State = %3, PID = %4, IsLoopback = %5, Status = %7.

Fields #

Name	Description
`UdpEndpoint` Pointer
`NcmContext` Pointer
`Activated` UInt32
`Pid` UInt32
`IsLoopback` UInt32
`ChannelStatus` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 1335: UDP: Endpoint UdpEndpoint query notification channel status request.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: UdpQueryNotificationChannelStatusRequest

Description

UDP: Endpoint UdpEndpoint query notification channel status request. NcmContext = NcmContext, Endpoint State = Activated, PID = Pid, Channel Status = ChannelStatus, Status = Status.

Message #

UDP: Endpoint %1 query notification channel status request. NcmContext = %2, Endpoint State = %3, PID = %4, Channel Status = %6, Status = %7.

Fields #

Name	Description
`UdpEndpoint` Pointer
`NcmContext` Pointer
`Activated` UInt32
`Pid` UInt32
`IsLoopback` UInt32
`ChannelStatus` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 1336: UDP: Endpoint UdpEndpoint notification channel request processed.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: UdpCreateNotificationChannelRequestProcessed

Description

UDP: Endpoint UdpEndpoint notification channel request processed. NcmContext = NcmContext, PID = Pid, Status = Status PushNotificationId = PushNotificationGuid.

Message #

UDP: Endpoint %1 notification channel request processed. NcmContext = %2, PID = %3, Status = %4 PushNotificationId = %5.

Fields #

Name	Description
`UdpEndpoint` Pointer
`NcmContext` Pointer
`Pid` UInt32
`Status` UInt32	NTSTATUS reference
`PushNotificationGuid` GUID

Event ID 1337: UDP: Endpoint UdpEndpoint notification channel signal event.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: UdpSignalNotificationChannelEvent

Description

UDP: Endpoint UdpEndpoint notification channel signal event. NcmContext = NcmContext, PID = Pid, Delivered Data = Delivered FinalEvent = FinalEvent.

Message #

UDP: Endpoint %1 notification channel signal event. NcmContext = %2, PID = %3, Delivered Data = %4 FinalEvent = %5.

Fields #

Name	Description
`UdpEndpoint` Pointer
`NcmContext` Pointer
`Pid` UInt32
`Delivered` UInt32
`FinalEvent` UInt32

Event ID 1338: UDP: Endpoint UdpEndpoint notification channel detached.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: UdpDetachNotificationChannel

Description

UDP: Endpoint UdpEndpoint notification channel detached. NcmContext = NcmContext, Endpoint State = Activated.

Message #

UDP: Endpoint %1 notification channel detached. NcmContext = %2, Endpoint State = %3.

Fields #

Name	Description
`UdpEndpoint` Pointer
`NcmContext` Pointer
`Activated` UInt32
`Pid` UInt32
`IsLoopback` UInt32
`ChannelStatus` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 1339: UDP: Endpoint UdpEndpoint notification channel unlinked.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: UdpUnlinkNotificationChannel

Description

UDP: Endpoint UdpEndpoint notification channel unlinked. Endpoint State = Activated.

Message #

UDP: Endpoint %1 notification channel unlinked. Endpoint State = %3.

Fields #

Name	Description
`UdpEndpoint` Pointer
`NcmContext` Pointer
`Activated` UInt32
`Pid` UInt32
`IsLoopback` UInt32
`ChannelStatus` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 1340: UDP: Endpoint UdpEndpoint notification channel request processing.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: UdpCreateNotificationChannelRequestProcessing

Description

UDP: Endpoint UdpEndpoint notification channel request processing. Local IP address = LocalIPv4Address IPProtocol LocalIPv6Address, Local Port = SrcPort.

Message #

UDP: Endpoint %1 notification channel request processing. Local IP address = %3 %5 %4, Local Port = %6.

Fields #

Name	Description
`UdpEndpoint` Pointer
`IpAddrLength` UInt32
`LocalIPv4Address` UInt32
`LocalIPv6Address` Binary
`IPProtocol` UInt32
`SrcPort` UInt16

Event ID 1341: TCP: connection Tcb: Rtt sample recorded RttSample SRTT SRTT RttVar RttVar.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: Verbose
Task: TcpDataTransferRttSample

Description

TCP: connection Tcb: Rtt sample recorded RttSample SRTT SRTT RttVar RttVar.

Message #

TCP: connection %1:  Rtt sample recorded %2 SRTT %4 RttVar %3.

Fields #

Name	Description
`Tcb` Pointer
`RttSample` UInt32
`RttVar` UInt32
`SRTT` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1341",
    "version": "0",
    "level": "5",
    "task": "1070",
    "opcode": "0",
    "keywords": 9223372041149743104,
    "time_created": "2026-03-16T00:21:34.390489700+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{1018b560-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "4248",
      "thread_id": "4684"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A1018B560",
    "RttSample": "    1632",
    "RttVar": "     544",
    "SRTT": "    1626"
  },
  "message": ""
}

Event ID 1342: TCP: connection Tcb: Rtt resiliency detection complete with Rtt sample = RttSample and new SRTT = SRTT.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpRttResiliencyDetection

Description

TCP: connection Tcb: Rtt resiliency detection complete with Rtt sample = RttSample and new SRTT = SRTT.

Message #

TCP: connection %1: Rtt resiliency detection complete with Rtt sample = %2 and new SRTT = %4.

Fields #

Name	Description
`Tcb` Pointer
`RttSample` UInt32
`RttVar` UInt32
`SRTT` UInt32

Event ID 1343: TCP: connection Tcb: Duplicate ACK updated cwnd = Cwnd and updated ssthresh = SSThresh DupAckCount = DupAckCount SndUna = SeqNo.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpDataTransferDupAck

Description

TCP: connection Tcb: Duplicate ACK updated cwnd = Cwnd and updated ssthresh = SSThresh DupAckCount = DupAckCount SndUna = SeqNo.

Message #

TCP: connection %1: Duplicate ACK updated cwnd = %2 and updated ssthresh = %3 DupAckCount = %4 SndUna = %5.

Fields #

Name	Description
`Tcb` Pointer
`Cwnd` UInt32
`SSThresh` UInt32
`DupAckCount` UInt32
`SeqNo` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1343",
    "version": "0",
    "level": "4",
    "task": "1072",
    "opcode": "0",
    "keywords": 9223372045444710400,
    "time_created": "2026-03-16T00:21:40.488225900+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{15ce6ae0-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A15CE6AE0",
    "Cwnd": "   16734",
    "SSThresh": "4294967295",
    "DupAckCount": "       1",
    "SeqNo": "155002622"
  },
  "message": ""
}

Event ID 1344: TCP: CTCP Duplicate Ack event.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpCtcpDataTransferDupAck

Description

TCP: CTCP Duplicate Ack event. Connection Tcb, SndUna = SeqNo, CWnd = Cwnd, DupAckCount = DupAckCount.

Message #

TCP: CTCP Duplicate Ack event. Connection %1, SndUna = %5, CWnd = %2, DupAckCount = %4.

Fields #

Name	Description
`Tcb` Pointer
`Cwnd` UInt32
`SSThresh` UInt32
`DupAckCount` UInt32
`SeqNo` UInt32

Event ID 1345: TCP: connection Tcb: Spurious timeout at Seq = SeqNo.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpDataTransferSpuriousTimeout

Description

TCP: connection Tcb: Spurious timeout at Seq = SeqNo.

Message #

TCP: connection %1: Spurious timeout at Seq = %2.

Fields #

Name	Description
`Tcb` Pointer
`SeqNo` UInt32

Event ID 1346: TCP: connection Tcb spurious RTO detection initiated at SeqNo.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpSpuriousRtoDetectionBegin

Description

TCP: connection Tcb spurious RTO detection initiated at SeqNo.

Message #

TCP: connection %1 spurious RTO detection initiated at %2.

Fields #

Name	Description
`Tcb` Pointer
`SeqNo` UInt32

Event ID 1347: TCP: connection Tcb spurious RTO detection terminated at SeqNo.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpSpuriousRtoDetectionEnd

Description

TCP: connection Tcb spurious RTO detection terminated at SeqNo.

Message #

TCP: connection %1 spurious RTO detection terminated at %2.

Fields #

Name	Description
`Tcb` Pointer
`SeqNo` UInt32

Event ID 1348: TCP: CTCP DataTransferTimeout event.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpCtcpDataTransferTimeout

Description

TCP: CTCP DataTransferTimeout event. Connection Tcb, CWnd = Cwnd, SsThresh = SSThresh.

Message #

TCP: CTCP DataTransferTimeout event. Connection %1, CWnd = %2, SsThresh = %3.

Fields #

Name	Description
`Tcb` Pointer
`Cwnd` UInt32
`SSThresh` UInt32

Event ID 1349: TCP: CTCP Spurious timeout event.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpCtcpDataTransferSpuriousTimeout

Description

TCP: CTCP Spurious timeout event. Connection Tcb, CWnd = Cwnd, SsThresh = SSThresh.

Message #

TCP: CTCP Spurious timeout event. Connection %1, CWnd = %2, SsThresh = %3.

Fields #

Name	Description
`Tcb` Pointer
`Cwnd` UInt32
`SSThresh` UInt32

Event ID 1350: TCP: connection Tcb entering Congestion Avoidance Phase with cwnd = Cwnd and ssthresh = SSThresh.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpSlowStartToCongestionAvoidance

Description

TCP: connection Tcb entering Congestion Avoidance Phase with cwnd = Cwnd and ssthresh = SSThresh.

Message #

TCP: connection %1 entering Congestion Avoidance Phase with cwnd = %2 and ssthresh = %3.

Fields #

Name	Description
`Tcb` Pointer
`Cwnd` UInt32
`SSThresh` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1350",
    "version": "0",
    "level": "4",
    "task": "1082",
    "opcode": "0",
    "keywords": 9223372045444710528,
    "time_created": "2026-03-15T23:27:12.440659500+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{fd182260-d78f-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFFD78FFD182260",
    "Cwnd": "   15414",
    "SSThresh": "   15414"
  },
  "message": ""
}

Event ID 1351: TCP: connection Tcb: Send Retransmit round with SndUna = SndUna, Round = RexmitCount, SRTT = SRTT, RTO = RTO.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: Informational
Task: TcpDataTransferRetransmitRound

Description

TCP: connection Tcb: Send Retransmit round with SndUna = SndUna, Round = RexmitCount, SRTT = SRTT, RTO = RTO.

Message #

TCP: connection %1: Send Retransmit round with SndUna = %2, Round = %3, SRTT = %4, RTO = %5.

Fields #

Name	Description
`Tcb` Pointer
`SndUna` UInt32
`RexmitCount` UInt32
`SRTT` UInt32
`RTO` UInt32
`SndMax` UInt32
`RecoveryMax` UInt32
`TcpState` UInt32
`CongestionState` UInt32
`Frto` UInt32
`TotalRT` UInt32
`MaxRT` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1351",
    "version": "0",
    "level": "4",
    "task": "1077",
    "opcode": "0",
    "keywords": 9223372041149743232,
    "time_created": "2026-03-15T23:31:42.716273800+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{f9ca95f0-d78f-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFFD78FF9CA95F0",
    "SndUna": "2098991634",
    "RexmitCount": "       1",
    "SRTT": "    3000",
    "RTO": "    2000"
  },
  "message": ""
}

Event ID 1352: TCP: Connection Tcb Summary: DataBytesOut DataBytesOut DataBytesIn DataBytesIn DataSegmentsOut DataSegmentsOut DataSegmentsIn DataSegmentsIn SegmentsOut SegmentsOut SegmentsIn SegmentsIn NonRecovDa...

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpConnectionSummary
Opcode: Info

Description

Message #

TCP: Connection %1 Summary: DataBytesOut %2 DataBytesIn %3 DataSegmentsOut %4 DataSegmentsIn %5 SegmentsOut %6 SegmentsIn %7 NonRecovDa \   %8 NonRecovDaEpisodes %9 DupAcksIn %10 BytesRetrans %11 Timeouts %12 SpuriousRtoDetections %13 FastRetran %14 MaxSsthresh %15 MaxSsCwnd %16 \   MaxCaCwnd %17 SndLimTransRwin %18 SndLimTimeRwin %19 SndLimBytesRwin %20 SndLimTransCwnd %21 SndLimTimeCwnd %22 SndLimBytesCwnd %23 \   SndLimTransSnd %24 SndLimTimeSnd %25 SndLimBytesSnd %26.

Fields #

Name	Description
`Tcb` Pointer
`DataBytesOut` UInt64
`DataBytesIn` UInt64
`DataSegmentsOut` UInt64
`DataSegmentsIn` UInt64
`SegmentsOut` UInt64
`SegmentsIn` UInt64
`NonRecovDa` UInt32
`NonRecovDaEpisodes` UInt32
`DupAcksIn` UInt32
`BytesRetrans` UInt32
`Timeouts` UInt32
`SpuriousRtoDetections` UInt32
`FastRetran` UInt32
`MaxSsthresh` UInt32
`MaxSsCwnd` UInt32
`MaxCaCwnd` UInt32
`SndLimTransRwin` UInt32
`SndLimTimeRwin` UInt32
`SndLimBytesRwin` UInt64
`SndLimTransCwnd` UInt32
`SndLimTimeCwnd` UInt32
`SndLimBytesCwnd` UInt64
`SndLimTransSnd` UInt32
`SndLimTimeRSnd` UInt32
`SndLimBytesRSnd` UInt64

Event ID 1353: TCPIP: Message AllocationObjectString Param1 Param2 Param3 Param4.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipGeneric

Description

TCPIP: Message AllocationObjectString Param1 Param2 Param3 Param4.

Message #

TCPIP: Message %1 %2 %3 %4 %5.

Fields #

Name	Description
`AllocationObjectString` UnicodeString
`Param1` Pointer
`Param2` Pointer
`Param3` UInt32
`Param4` UInt32

Event ID 1354: TCP: Connection Tcb SACK updated SndUna SndUna SndMax SndMax SackCount SackCount SackBytes SackBytes SackInFlight SackInFlight SackIsLost SackIsLost.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpSackUpdate

Description

TCP: Connection Tcb SACK updated SndUna SndUna SndMax SndMax SackCount SackCount SackBytes SackBytes SackInFlight SackInFlight SackIsLost SackIsLost.

Message #

TCP: Connection %1 SACK updated SndUna %2 SndMax %3 SackCount %4 SackBytes %5 SackInFlight %6 SackIsLost %7.

Fields #

Name	Description
`Tcb` Pointer
`SndUna` UInt32
`SndMax` UInt32
`SackCount` UInt32
`SackBytes` UInt32
`SackInFlight` UInt32
`SackIsLost` UInt32

Event ID 1355: TCP: TCB Tcb Requires address based pattern = RequireAddressCoalescing LocalPort = LocalPort RtcPortRange = [RtcStartPort, RtcEndPort] Status = Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpIsPatternCoalescingRequired

Description

TCP: TCB Tcb Requires address based pattern = RequireAddressCoalescing LocalPort = LocalPort RtcPortRange = [RtcStartPort, RtcEndPort] Status = Status.

Message #

TCP: TCB %1 Requires address based pattern = %2 LocalPort = %3 RtcPortRange = [%4, %5] Status = %6.

Fields #

Name	Description
`Tcb` Pointer
`RequireAddressCoalescing` UInt32
`LocalPort` UInt16
`RtcStartPort` UInt16
`RtcEndPort` UInt16
`Status` UInt32	NTSTATUS reference

Event ID 1356: TCP: Rtc Port Range Assignment.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpRtcPortRangeAssignment

Description

TCP: Rtc Port Range Assignment. Allocated = AssignedFromRtcRange, Port = Port.

Message #

TCP: Rtc Port Range Assignment. Allocated = %1, Port = %2.

Fields #

Name	Description
`AssignedFromRtcRange` UInt32
`Port` UInt16

Event ID 1357: TCPIP has failed a RequestType request from LocalAddress to RemoteAddress on endpoint TcbOrEndpoint owned by process ProcessId with Status since network interface InterfaceIndex is in low-power mode.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipAoacFailFast

Description

TCPIP has failed a RequestType request from LocalAddress to RemoteAddress on endpoint TcbOrEndpoint owned by process ProcessId with Status since network interface InterfaceIndex is in low-power mode.

Message #

TCPIP has failed a %1 request from %4 to %6 on endpoint %2 owned by process %8 with %7 since network interface %9 is in low-power mode.

Fields #

Name	Description
`RequestType` UInt32
`TcbOrEndpoint` Pointer
`LocalAddressLength` UInt32
`LocalAddress` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary
`Status` UInt32	NTSTATUS reference
`ProcessId` UInt32
`InterfaceIndex` UInt32
`ProcessStartKey` UInt64

Event ID 1358: IP: Interface configuration updated on interface InterfaceIndex property Property value Value event InterfaceUpdateEvent.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipUpdateInterfaceConfigFlags

Description

IP: Interface configuration updated on interface InterfaceIndex property Property value Value event InterfaceUpdateEvent.

Message #

IP: Interface configuration updated on interface %1 property %2 value %3 event %4.

Fields #

Name	Description
`InterfaceIndex` UInt32
`Property` AnsiString
`Value` UInt32
`InterfaceUpdateEvent` UInt32
`CompartmentId` UInt32
`AddressFamily` UInt32

Event ID 1359: TCP: Connection Tcb notification channel unmark request.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpCreateNotificationChannelUnmarkRequest

Description

TCP: Connection Tcb notification channel unmark request. NcmContext = NcmContext, TCB State = State, PID = Pid, IsLoopback = IsLoopback, IsShutdown = IsShutdown, Status = Status.

Message #

TCP: Connection %1 notification channel unmark request. NcmContext = %2, TCB State = %3, PID = %4, IsLoopback = %5, IsShutdown = %6, Status = %7.

Fields #

Name	Description
`Tcb` Pointer
`NcmContext` Pointer
`State` UInt32
`Pid` UInt32
`IsLoopback` UInt32
`IsShutdown` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 1360: TCPIP: A packet has been cloned for a raw listener.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipNblClonedForRaw

Description

TCPIP: A packet has been cloned for a raw listener. NBL ClonedNbl cloned from NBL Nbl. Protocol = IPTransportProtocol, Family = AddressFamily.

Message #

TCPIP: A packet has been cloned for a raw listener. NBL %2 cloned from NBL %1. Protocol = %3, Family = %4.

Fields #

Name	Description
`Nbl` Pointer
`ClonedNbl` Pointer
`IPTransportProtocol` UInt32
`AddressFamily` UInt32

Event ID 1361: TCPIP: A cloned packet has been dropped.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipCloneDropped

Description

TCPIP: A cloned packet has been dropped. NBL ClonedNbl cloned from NBL Nbl. Family = AddressFamily.

Message #

TCPIP: A cloned packet has been dropped. NBL %2 cloned from NBL %1. Family = %3.

Fields #

Name	Description
`Nbl` Pointer
`ClonedNbl` Pointer
`AddressFamily` UInt32

Event ID 1362: IP: Interface = Interface IpAddress = IPAddress processing WolEvent = WoLEvent with Status = Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpAddressWolStateChange

Description

IP: Interface = Interface IpAddress = IPAddress processing WolEvent = WoLEvent with Status = Status.

Message #

IP: Interface = %1 IpAddress = %3 processing WolEvent = %4 with Status = %5.

Fields #

Name	Description
`Interface` UInt32
`IpAddrLength` UInt32
`IPAddress` Binary
`WoLEvent` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 1363: IP: Interface = Interface WolHandle = WolHandle has DestinationIpAddress = DestinationIPAddress TargetIpAddress1 = TargetIPAddress1 TargetIpAddress2 = TargetIPAddress2 Flags = Flags while processin...

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpWolContextChange

Description

IP: Interface = Interface WolHandle = WolHandle has DestinationIpAddress = DestinationIPAddress TargetIpAddress1 = TargetIPAddress1 TargetIpAddress2 = TargetIPAddress2 Flags = Flags while processing WolEvent = WoLEvent with Status = Status.

Message #

IP: Interface = %1 WolHandle = %3 has DestinationIpAddress = %4 TargetIpAddress1 = %5 TargetIpAddress2 = %6 Flags = %7 while processing WolEvent = %8 with Status = %9.

Fields #

Name	Description
`Interface` UInt32
`IpAddrLength` UInt32
`WolHandle` UInt32
`DestinationIPAddress` Binary
`TargetIPAddress1` Binary
`TargetIPAddress2` Binary
`Flags` UInt32
`WoLEvent` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 1364: TCP connection tuple inserted- TCB: Tcb LocalAddress: LocalAddress RemoteAddress: RemoteAddress.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpInsertConnectionTuple

Description

TCP connection tuple inserted- TCB: Tcb LocalAddress: LocalAddress RemoteAddress: RemoteAddress.

Message #

TCP connection tuple inserted- TCB: %1 LocalAddress: %3 RemoteAddress: %5

Fields #

Name	Description
`Tcb` Pointer
`LocalAddressLength` UInt32
`LocalAddress` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary
`NewState` UInt32
`RexmitCount` UInt32

Event ID 1365: TCP connection tuple removed- TCB/TWTCB: Tcb LocalAddress: LocalAddress RemoteAddress: RemoteAddress.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpRemoveConnectionTuple

Description

TCP connection tuple removed- TCB/TWTCB: Tcb LocalAddress: LocalAddress RemoteAddress: RemoteAddress.

Message #

TCP connection tuple removed- TCB/TWTCB: %1 LocalAddress: %3 RemoteAddress: %5

Fields #

Name	Description
`Tcb` Pointer
`LocalAddressLength` UInt32
`LocalAddress` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary
`NewState` UInt32
`RexmitCount` UInt32

Event ID 1366: TCP port selection deferred for outbound connect- LocalAddress: LocalAddress.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpDeferPortSelection

Description

TCP port selection deferred for outbound connect- LocalAddress: LocalAddress.

Message #

TCP port selection deferred for outbound connect- LocalAddress: %2

Fields #

Name	Description
`LocalAddressLength` UInt32
`LocalAddress` Binary
`Status` UInt32	NTSTATUS reference

Event ID 1367: Nbl Nbl OOB info (PathDirection): TcpIpChecksumNetBufferListInfo TcpIpChecksumNetBufferListInfo, TcpLargeSendNetBufferListInfo TcpLargeSendNetBufferListInfo, Ieee8021QNetBufferListInfo Ieee8021QNet...

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: TcpIpPerPacket
Task: TcpipNblOob
Opcode: Info

Description

Nbl Nbl OOB info (PathDirection): TcpIpChecksumNetBufferListInfo TcpIpChecksumNetBufferListInfo, TcpLargeSendNetBufferListInfo TcpLargeSendNetBufferListInfo, Ieee8021QNetBufferListInfo Ieee8021QNetBufferListInfo, NetBufferListHashValue NetBufferListHashValue, NetBufferListHashInfo NetBufferListHashInfo, VirtualSubnetInfo VirtualSubnetInfo, UdpSegmentationOffloadInfo/TcpRecvSegCoalesceInfo TcpRecvSegCoalesceInfo, NrtNameResolutionId/UdpRecvSegCoalesceOffloadInfo NrtNameResolutionInfo

Message #

Nbl %1 OOB info (%2): TcpIpChecksumNetBufferListInfo %3, TcpLargeSendNetBufferListInfo %4, Ieee8021QNetBufferListInfo %5, NetBufferListHashValue %6, NetBufferListHashInfo %7, VirtualSubnetInfo %8, TcpRecvSegCoalesceInfo %9

Fields #

Name	Description
`Nbl` Pointer
`PathDirection` UInt32
`TcpIpChecksumNetBufferListInfo` Pointer
`TcpLargeSendNetBufferListInfo` Pointer
`Ieee8021QNetBufferListInfo` Pointer
`NetBufferListHashValue` Pointer
`NetBufferListHashInfo` Pointer
`VirtualSubnetInfo` Pointer
`TcpRecvSegCoalesceInfo` Pointer
`NrtNameResolutionInfo` Pointer

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1367",
    "version": "1",
    "level": "17",
    "task": "1367",
    "opcode": "0",
    "keywords": 9223372049739677696,
    "time_created": "2026-03-16T00:21:34.388895400+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}"
    },
    "execution": {
      "process_id": "4168",
      "thread_id": "6880"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Nbl": "0xFFFF980A11CCA4F0",
    "PathDirection": "       0",
    "TcpIpChecksumNetBufferListInfo": "0x220015",
    "TcpLargeSendNetBufferListInfo": "0x0",
    "Ieee8021QNetBufferListInfo": "0x0",
    "NetBufferListHashValue": "0xF92BBC40",
    "NetBufferListHashInfo": "0x0",
    "VirtualSubnetInfo": "0x0",
    "TcpRecvSegCoalesceInfo": "0x0",
    "NrtNameResolutionInfo": "0x0"
  },
  "message": ""
}

Event ID 1368: Teredo Add -- PID: PID started listening on LocalAddress.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipTeredoOpen

Description

Teredo Add -- PID: PID started listening on LocalAddress. AddressType AddressType. ScopeLevel ScopeLevel. Port Port. EndpointRecord EndpointRecord.

Message #

Teredo Add -- PID: %1 started listening on %3. AddressType %4. ScopeLevel %5. Port %6. EndpointRecord %7.

Fields #

Name	Description
`PID` UInt64
`LocalAddressLength` UInt32
`LocalAddress` Binary
`AddressType` UInt32
`ScopeLevel` UInt32
`Port` UInt32
`EndpointRecord` Pointer

Event ID 1369: Teredo Remove -- PID: PID stopped listening on LocalAddress.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipTeredoClose

Description

Teredo Remove -- PID: PID stopped listening on LocalAddress. AddressType AddressType. ScopeLevel ScopeLevel. Port Port. EndpointRecord EndpointRecord.

Message #

Teredo Remove -- PID: %1 stopped listening on %3. AddressType %4. ScopeLevel %5. Port %6. EndpointRecord %7.

Fields #

Name	Description
`PID` UInt64
`LocalAddressLength` UInt32
`LocalAddress` Binary
`AddressType` UInt32
`ScopeLevel` UInt32
`Port` UInt32
`EndpointRecord` Pointer

Event ID 1370: IP: RouteLookup - API: API DstAddr: DestinationAddress ConstrainSrcAddr: ConstrainSourceAddress ConstrainIfIndex: ConstrainInterfaceIndex ConstraintOveridden: ConstraintOverridden ReturnConstrained...

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: Verbose
Task: TcpipRouteLookup

Description

IP: RouteLookup - API: API DstAddr: DestinationAddress ConstrainSrcAddr: ConstrainSourceAddress ConstrainIfIndex: ConstrainInterfaceIndex ConstraintOveridden: ConstraintOverridden ReturnConstrained: ReturnConstrained OutgoingIfIndex: OutgoingInterfaceIndex NextHopAddr: NextHopAddress Status: Status.

Message #

IP: RouteLookup - API: %1 DstAddr: %3 ConstrainSrcAddr: %4 ConstrainIfIndex: %5 ConstraintOveridden: %6 ReturnConstrained: %7 OutgoingIfIndex: %8 NextHopAddr: %9 Status: %10

Fields #

Name	Description
`API` AnsiString
`IpAddrLength` UInt32
`DestinationAddress` Binary
`ConstrainSourceAddress` Binary
`ConstrainInterfaceIndex` UInt32
`ConstrainForwardingTag` UInt32
`ConstraintOverridden` UInt32
`ReturnConstrained` UInt32
`OutgoingInterfaceIndex` UInt32
`NextHopAddress` Binary
`Status` UInt32	NTSTATUS reference

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1370",
    "version": "0",
    "level": "5",
    "task": "1370",
    "opcode": "0",
    "keywords": 9223372036854775840,
    "time_created": "2026-03-15T23:26:13.698249300+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}"
    },
    "execution": {
      "process_id": "1868",
      "thread_id": "2740"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "API": "IppFindPath",
    "IpAddrLength": "      16",
    "DestinationAddress": "127.0.0.1",
    "ConstrainSourceAddress": "0.0.0.0",
    "ConstrainInterfaceIndex": "       0",
    "ConstraintOverridden": "       0",
    "ReturnConstrained": "       0",
    "OutgoingInterfaceIndex": "       1",
    "NextHopAddress": "127.0.0.1",
    "Status": "0x0"
  },
  "message": ""
}

Event ID 1371: IP: SourceAddrLookup - DstAddr: DestinationAddress ConstrainSrcAddr: ConstrainSourceAddress ConstrainIfIndex: ConstrainInterfaceIndex OutgoingIfIndex: OutgoingInterfaceIndex ReturnConstrained: Retu...

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Verbose
Task: TcpipSrcAddrLookup

Description

IP: SourceAddrLookup - DstAddr: DestinationAddress ConstrainSrcAddr: ConstrainSourceAddress ConstrainIfIndex: ConstrainInterfaceIndex OutgoingIfIndex: OutgoingInterfaceIndex ReturnConstrained: ReturnConstrained SelectedSrcAddr: SelectedSourceAddress.

Message #

IP: SourceAddrLookup - DstAddr: %2 ConstrainSrcAddr: %3 ConstrainIfIndex: %4 OutgoingIfIndex: %5 ReturnConstrained: %6 SelectedSrcAddr: %7

Fields #

Name	Description
`IpAddrLength` UInt32
`DestinationAddress` Binary
`ConstrainSourceAddress` Binary
`ConstrainInterfaceIndex` UInt32
`OutgoingInterfaceIndex` UInt32
`ReturnConstrained` UInt32
`SelectedSourceAddress` Binary

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1371",
    "version": "0",
    "level": "5",
    "task": "1371",
    "opcode": "0",
    "keywords": 9223372036854775840,
    "time_created": "2026-03-16T00:21:40.067796000+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}"
    },
    "execution": {
      "process_id": "3688",
      "thread_id": "7552"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "IpAddrLength": "      16",
    "DestinationAddress": "0.0.0.0",
    "ConstrainSourceAddress": "0.0.0.0",
    "ConstrainInterfaceIndex": "       0",
    "OutgoingInterfaceIndex": "       6",
    "ReturnConstrained": "       0",
    "SelectedSourceAddress": "10.2.10.21"
  },
  "message": ""
}

Event ID 1372: WFP-ALE: Partition Count=PartitionCount Partition Mask=PartitionMask: Partition Id=%d Partition NumEntries = NumEntries.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Partition

Description

WFP-ALE: Partition Count=PartitionCount Partition Mask=PartitionMask: Partition Id=%d Partition NumEntries = NumEntries.

Message #

WFP-ALE: Partition Count=%1 Partition Mask=%2: Partition Id=%d Partition NumEntries = %4.

Fields #

Name	Description
`PartitionCount` UInt64
`PartitionMask` UInt64
`PartitionId` UInt64
`NumEntries` UInt64

Event ID 1373: WFP-ALE: HotAdd/Remove: Old Partiton Count=OldPartitionCount Old Partition Mask=OldPartitionMask New Partiton Count=OldPartitionCount New Partition Mask=OldPartitionMask.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Partition

Description

WFP-ALE: HotAdd/Remove: Old Partiton Count=OldPartitionCount Old Partition Mask=OldPartitionMask New Partiton Count=OldPartitionCount New Partition Mask=OldPartitionMask.

Message #

WFP-ALE: HotAdd/Remove: Old Partiton Count=%1 Old Partition Mask=%2 New Partiton Count=%1 New Partition Mask=%2.

Fields #

Name	Description
`OldPartitionCount` UInt64
`OldPartitionMask` UInt64
`NewPartitionCount` UInt64
`NewPartitionMask` UInt64

Event ID 1374: WFP-ALE: RemoteEndPoint Insertion: AddrLen=AddressLength RemoteAddr=RemoteAddress RemotePort=RemotePort LocalAddr=LocalAddress LocalPort=LocalPort PartitionId=PartitionId PartitionNumEntries=NumEnt...

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: RemoteEndpoint

Description

WFP-ALE: RemoteEndPoint Insertion: AddrLen=AddressLength RemoteAddr=RemoteAddress RemotePort=RemotePort LocalAddr=LocalAddress LocalPort=LocalPort PartitionId=PartitionId PartitionNumEntries=NumEntries.

Message #

WFP-ALE: RemoteEndPoint Insertion: AddrLen=%1 RemoteAddr=%2 RemotePort=%3 LocalAddr=%4 LocalPort=%5 PartitionId=%6 PartitionNumEntries=%7

Fields #

Name	Description
`AddressLength` UInt32
`RemoteAddress` Binary
`RemotePort` UInt64
`LocalAddress` Binary
`LocalPort` UInt16
`PartitionId` UInt64
`NumEntries` UInt64

Event ID 1375: WFP-ALE: RemoteEndPoint Deletion: AddrLen=AddressLength RemoteAddr=RemoteAddress RemotePort=RemotePort LocalAddr=LocalAddress LocalPort=LocalPort PartitionId=PartitionId PartitionNumEntries=NumEntr...

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: RemoteEndpoint

Description

WFP-ALE: RemoteEndPoint Deletion: AddrLen=AddressLength RemoteAddr=RemoteAddress RemotePort=RemotePort LocalAddr=LocalAddress LocalPort=LocalPort PartitionId=PartitionId PartitionNumEntries=NumEntries.

Message #

WFP-ALE: RemoteEndPoint Deletion: AddrLen=%1 RemoteAddr=%2 RemotePort=%3 LocalAddr=%4 LocalPort=%5 PartitionId=%6 PartitionNumEntries=%7

Fields #

Name	Description
`AddressLength` UInt32
`RemoteAddress` Binary
`RemotePort` UInt64
`LocalAddress` Binary
`LocalPort` UInt16
`PartitionId` UInt64
`NumEntries` UInt64

Event ID 1376: WFP-ALE: ALE: low memory state detected.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Memory

Description

WFP-ALE: ALE: low memory state detected. LowMemoryEvent = LowMemoryEvent LowNonPagedPoolEvent = LowNonPagedPoolEvent.

Message #

WFP-ALE: ALE: low memory state detected. LowMemoryEvent = %3 LowNonPagedPoolEvent = %4.

Fields #

Name	Description
`HighMemoryEvent` UInt32
`HighNonPagedPoolEvent` UInt32
`LowMemoryEvent` UInt32
`LowNonPagedPoolEvent` UInt32

Event ID 1377: WFP-ALE: leaving low memory state.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: Memory

Description

WFP-ALE: leaving low memory state. HighMemoryEvent = HighMemoryEvent HighNonPagedPoolEvent = HighNonPagedPoolEvent.

Message #

WFP-ALE: leaving low memory state. HighMemoryEvent = %1 HighNonPagedPoolEvent = %2.

Fields #

Name	Description
`HighMemoryEvent` UInt32
`HighNonPagedPoolEvent` UInt32
`LowMemoryEvent` UInt32
`LowNonPagedPoolEvent` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1377",
    "version": "0",
    "level": "4",
    "task": "1373",
    "opcode": "0",
    "keywords": 9223372036854841344,
    "time_created": "2026-03-15T23:26:23.462874700+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "HighMemoryEvent": "       1",
    "HighNonPagedPoolEvent": "       1",
    "LowMemoryEvent": "       0",
    "LowNonPagedPoolEvent": "       0"
  },
  "message": ""
}

Event ID 1378: WFP-ALE: Dpc for cleanup initiated: LowMemoryEvent = LowMemoryEvent LowNonPagedPoolEvent = LowNonPagedPoolEvent.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Memory

Description

WFP-ALE: Dpc for cleanup initiated: LowMemoryEvent = LowMemoryEvent LowNonPagedPoolEvent = LowNonPagedPoolEvent.

Message #

WFP-ALE: Dpc for cleanup initiated: LowMemoryEvent = %3 LowNonPagedPoolEvent = %4.

Fields #

Name	Description
`HighMemoryEvent` UInt32
`HighNonPagedPoolEvent` UInt32
`LowMemoryEvent` UInt32
`LowNonPagedPoolEvent` UInt32

Event ID 1379: WFP: Dpc for cleanup QUEUED or RE-QUEUED: LowMemoryEvent = LowMemoryEvent LowNonPagedPoolEvent = LowNonPagedPoolEvent.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: Verbose
Task: Memory

Description

WFP: Dpc for cleanup QUEUED or RE-QUEUED: LowMemoryEvent = LowMemoryEvent LowNonPagedPoolEvent = LowNonPagedPoolEvent.

Message #

WFP: Dpc for cleanup QUEUED or RE-QUEUED: LowMemoryEvent = %3 LowNonPagedPoolEvent = %4.

Fields #

Name	Description
`HighMemoryEvent` UInt32
`HighNonPagedPoolEvent` UInt32
`LowMemoryEvent` UInt32
`LowNonPagedPoolEvent` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1379",
    "version": "0",
    "level": "5",
    "task": "1373",
    "opcode": "0",
    "keywords": 9223372036854841344,
    "time_created": "2026-03-16T00:21:40.078370400+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}"
    },
    "execution": {
      "process_id": "228",
      "thread_id": "8220"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "HighMemoryEvent": "       1",
    "HighNonPagedPoolEvent": "       1",
    "LowMemoryEvent": "       0",
    "LowNonPagedPoolEvent": "       0"
  },
  "message": ""
}

Event ID 1380: TCP: LEDBAT LedbatEvent: Connection Tcb, BaseDelayMs = BaseDelayMs, CurrentDelayMs = CurrentDelayMs, CWnd = Cwnd, SsThresh = SsThresh, SndWnd = SndWnd, DelayBasedCwndFactor DelayBasedCwndFactorPerc...

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpLedbatState

Description

TCP: LEDBAT LedbatEvent: Connection Tcb, BaseDelayMs = BaseDelayMs, CurrentDelayMs = CurrentDelayMs, CWnd = Cwnd, SsThresh = SsThresh, SndWnd = SndWnd, DelayBasedCwndFactor DelayBasedCwndFactorPercent%, RemainingTimeMs = RemainingTimeMs.

Message #

TCP: LEDBAT %2: Connection %1, BaseDelayMs = %6, CurrentDelayMs = %7, CWnd = %3, SsThresh = %4, SndWnd = %5, DelayBasedCwndFactor %9%%, RemainingTimeMs = %8.

Fields #

Name	Description
`Tcb` Pointer
`LedbatEvent` UInt32
`Cwnd` UInt32
`SsThresh` UInt32
`SndWnd` UInt32
`BaseDelayMs` UInt16
`CurrentDelayMs` UInt16
`RemainingTimeMs` UInt32
`DelayBasedCwndFactorPercent` Int32

Event ID 1381: TCP: AssociateNameResContext Endpoint: EndpointObj Status: %16 NameResolutionContext: IsConnectionObj DnsName: NameResContext InterfaceIndex: Status IPAddrCount: %5 IPAddrs: %7 %9 %11 %...

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpAssociateNameResContext

Description

TCP: AssociateNameResContext Endpoint: EndpointObj Status: %16 NameResolutionContext: IsConnectionObj DnsName: NameResContext InterfaceIndex: Status IPAddrCount: %5 IPAddrs: %7 %9 %11 %13 %15.

Message #

TCP: AssociateNameResContext Endpoint: %1 Status: %16 NameResolutionContext: %2 DnsName: %3 InterfaceIndex: %4 IPAddrCount: %5 IPAddrs: %7 %9 %11 %13 %15

Fields #

Name	Description
`EndpointObj` Pointer
`IsConnectionObj` UInt32
`NameResContext` Pointer
`Status` UInt32	NTSTATUS reference

Event ID 1382: TCP: InspectConnectWithNameResContext Connection: Tcb (local: LocalAddress remote: RemoteAddress) NameResolutionContext: NameResContext DnsName: DnsName Status: Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpInspectConnectWithNameResContext

Description

TCP: InspectConnectWithNameResContext Connection: Tcb (local: LocalAddress remote: RemoteAddress) NameResolutionContext: NameResContext DnsName: DnsName Status: Status.

Message #

TCP: InspectConnectWithNameResContext Connection: %5 (local: %2 remote: %4) NameResolutionContext: %6 DnsName: %7 Status: %8.

Fields #

Name	Description
`LocalAddressLength` UInt32
`LocalAddress` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary
`Tcb` Pointer
`NameResContext` Pointer
`DnsName` UnicodeString
`Status` UInt32	NTSTATUS reference

Event ID 1383: IP: Route [DestinationPrefix: PrDestinationPrefix/PrDestinationPrefixLength NextHop: PrNextHopAddress InterfaceIndex: PrInterfaceIndex InterfaceMetric: PrInterfaceMetric RouteMetric: PrRouteMetric]...

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpRouteSelection

Description

IP: Route [DestinationPrefix: PrDestinationPrefix/PrDestinationPrefixLength NextHop: PrNextHopAddress InterfaceIndex: PrInterfaceIndex InterfaceMetric: PrInterfaceMetric RouteMetric: PrRouteMetric] is preferred over Route [DestinationPrefix: NonPrDestinationPrefix/NonPrDestinationPrefixLength NextHop: NonPrNextHopAddress InterfaceIndex: NonPrInterfaceIndex InterfaceMetric: NonPrInterfaceMetric RouteMetric: NonPrRouteMetric] for Destination: DestinationAddress in Compartment: CompartmentId, Reason: PreferenceReason.

Message #

IP: Route [DestinationPrefix: %6/%4 NextHop: %8 InterfaceIndex: %9 InterfaceMetric: %10 RouteMetric: %11] is preferred over Route [DestinationPrefix: %14/%12 NextHop: %16 InterfaceIndex: %17 InterfaceMetric: %18 RouteMetric: %19] for Destination: %3 in Compartment: %1, Reason: %20.

Fields #

Name	Description
`CompartmentId` UInt32
`DestinationAddressLength` UInt32
`DestinationAddress` Binary
`PrDestinationPrefixLength` UInt32
`PrDestinationPrefixAddressLength` UInt32
`PrDestinationPrefix` Binary
`PrNextHopAddressLength` UInt32
`PrNextHopAddress` Binary
`PrInterfaceIndex` UInt32
`PrInterfaceMetric` UInt32
`PrRouteMetric` UInt32
`NonPrDestinationPrefixLength` UInt32
`NonPrDestinationPrefixAddressLength` UInt32
`NonPrDestinationPrefix` Binary
`NonPrNextHopAddressLength` UInt32
`NonPrNextHopAddress` Binary
`NonPrInterfaceIndex` UInt32
`NonPrInterfaceMetric` UInt32
`NonPrRouteMetric` UInt32
`PreferenceReason` UInt32

Event ID 1384: IP: Route [DestinationPrefix: DestinationPrefix/DestinationPrefixLength NextHop: NextHopAddress InterfaceIndex: InterfaceIndex RouteMetric: RouteMetric] is blocked for Destination: DestinationAddre...

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpRouteBlocked

Description

IP: Route [DestinationPrefix: / NextHop: InterfaceIndex: RouteMetric: ] is blocked for Destination: ConstrainInterfaceIndex: ConstrainScopeZone: in Compartment: , Reason: .

Message #

IP: Route [DestinationPrefix: %6/%4 NextHop: %8 InterfaceIndex: %9 RouteMetric: %10] is blocked for Destination: %3 ConstrainInterfaceIndex: %11 ConstrainScopeZone: %12 in Compartment: %1, Reason: %13.

Fields #

Name	Description
`CompartmentId` UInt32
`DestinationAddressLength` UInt32
`DestinationAddress` Binary
`DestinationPrefixLength` UInt32
`DestinationPrefixAddressLength` UInt32
`DestinationPrefix` Binary
`NextHopAddressLength` UInt32
`NextHopAddress` Binary
`InterfaceIndex` UInt32
`RouteMetric` UInt32
`ConstrainInterfaceIndex` UInt32
`ConstrainScope` UInt32
`BlockReason` UInt32

Event ID 1385: TCP: Tail Loss Probe Send Connection = Tcb SndUna = SndUna, SndMax = SndMax, SendAvailable = SendAvailable, TailProbeSeq = TailProbeSeq, TailProbeLast = TailProbeLast, ControlsToSend = ControlsToSe...

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpTailLossProbe

Description

TCP: Tail Loss Probe Send Connection = Tcb SndUna = SndUna, SndMax = SndMax, SendAvailable = SendAvailable, TailProbeSeq = TailProbeSeq, TailProbeLast = TailProbeLast, ControlsToSend = ControlsToSend, ThFlags = ThFlags.

Message #

TCP: Tail Loss Probe Send Connection = %1 SndUna = %2, SndMax = %3, SendAvailable = %4, TailProbeSeq = %5, TailProbeLast = %6, ControlsToSend = %7, ThFlags = %8.

Fields #

Name	Description
`Tcb` Pointer
`SndUna` UInt32
`SndMax` UInt32
`SendAvailable` UInt32
`TailProbeSeq` UInt32
`TailProbeLast` UInt32
`ControlsToSend` UInt32
`ThFlags` UInt8

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1385",
    "version": "0",
    "level": "4",
    "task": "1380",
    "opcode": "0",
    "keywords": 9223372041149743104,
    "time_created": "2026-03-16T00:21:40.721122900+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{1018b560-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A1018B560",
    "SndUna": "2308839694",
    "SndMax": "2308842691",
    "SendAvailable": "    2997",
    "TailProbeSeq": "2308841231",
    "TailProbeLast": "2308842691",
    "ControlsToSend": "       0",
    "ThFlags": "16"
  },
  "message": ""
}

Event ID 1386: TCP: Tail Loss Probe Event Connection = Tcb, Event = TlpEvent.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: Informational
Task: TcpTailLossProbe

Description

TCP: Tail Loss Probe Event Connection = Tcb, Event = TlpEvent.

Message #

TCP: Tail Loss Probe Event Connection = %1, Event = %2.

Fields #

Name	Description
`Tcb` Pointer
`TlpEvent` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1386",
    "version": "0",
    "level": "4",
    "task": "1380",
    "opcode": "0",
    "keywords": 9223372041149743104,
    "time_created": "2026-03-16T00:21:34.388823900+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{1018b560-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "4168",
      "thread_id": "6880"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A1018B560",
    "TlpEvent": "       1"
  },
  "message": ""
}

Event ID 1387: TCP: RACK Event Connection = Tcb, Event = RackEvent, MinRTT = RackMinRtt, ReoWind = RackReoWind, TimeSlotDeltaMin = RackTimeSlotDeltaMin, SeqNum = SequenceNumber, Timestamp = Timestamp, RttSample =...

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpRack

Description

TCP: RACK Event Connection = Tcb, Event = RackEvent, MinRTT = RackMinRtt, ReoWind = RackReoWind, TimeSlotDeltaMin = RackTimeSlotDeltaMin, SeqNum = SequenceNumber, Timestamp = Timestamp, RttSample = RttSample.

Message #

TCP: RACK Event Connection = %1, Event = %2, MinRTT = %3, ReoWind = %4, TimeSlotDeltaMin = %5, SeqNum = %6, Timestamp = %7, RttSample = %8.

Fields #

Name	Description
`Tcb` Pointer
`RackEvent` UInt32
`RackMinRtt` UInt32
`RackReoWind` UInt32
`RackTimeSlotDeltaMin` UInt32
`SequenceNumber` UInt32
`Timestamp` UInt32
`RttSample` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1387",
    "version": "0",
    "level": "4",
    "task": "1381",
    "opcode": "0",
    "keywords": 9223372041149743104,
    "time_created": "2026-03-15T23:26:14.411027300+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{f6654220-d78f-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "10828",
      "thread_id": "9684"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFFD78FF6654220",
    "RackEvent": "       1",
    "RackMinRtt": "     751",
    "RackReoWind": "       0",
    "RackTimeSlotDeltaMin": "       0",
    "SequenceNumber": "2723729970",
    "Timestamp": "4090263552",
    "RttSample": "     751"
  },
  "message": ""
}

Event ID 1388: TCP: Fastopen state changed for connection = Tcb from OldState = OldState to NewState = NewState.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpFastopenStateChange

Description

TCP: Fastopen state changed for connection = Tcb from OldState = OldState to NewState = NewState.

Message #

TCP: Fastopen state changed for connection = %1 from OldState = %2 to NewState = %3.

Fields #

Name	Description
`Tcb` Pointer
`OldState` UInt32
`NewState` UInt32

Event ID 1389: UDP: endpoint (family=AddressFamily pid=ProcessId) create failed: address family not attached.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: UdpCreateEndpointAfFailure

Description

UDP: endpoint (family=AddressFamily pid=ProcessId) create failed: address family not attached.

Message #

UDP: endpoint (family=%5 pid=%3) create failed: address family not attached.

Fields #

Name	Description
`Endpoint` Pointer
`Status` UInt32	NTSTATUS reference
`ProcessId` UInt32
`CompartmentId` UInt32
`AddressFamily` UInt32
`ProcessStartKey` UInt64

Event ID 1390: UDP: endpoint Endpoint (family=AddressFamily pid=ProcessId) create failed: compartment CompartmentId not found.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: UdpCreateEndpointCompartmentFailure

Description

UDP: endpoint Endpoint (family=AddressFamily pid=ProcessId) create failed: compartment CompartmentId not found.

Message #

UDP: endpoint %1 (family=%5 pid=%3) create failed: compartment %4 not found.

Fields #

Name	Description
`Endpoint` Pointer
`Status` UInt32	NTSTATUS reference
`ProcessId` UInt32
`CompartmentId` UInt32
`AddressFamily` UInt32
`ProcessStartKey` UInt64

Event ID 1391: UDP: endpoint Endpoint (family=AddressFamily pid=ProcessId) created.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: Informational
Task: UdpCreateEndpointComplete

Description

UDP: endpoint Endpoint (family=AddressFamily pid=ProcessId) created.

Message #

UDP: endpoint %1 (family=%5 pid=%3) created.

Fields #

Name	Description
`Endpoint` Pointer
`Status` UInt32	NTSTATUS reference
`ProcessId` UInt32
`CompartmentId` UInt32
`AddressFamily` UInt32
`ProcessStartKey` UInt64

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1391",
    "version": "1",
    "level": "4",
    "task": "1385",
    "opcode": "0",
    "keywords": 9223372036854776833,
    "time_created": "2026-03-16T00:21:40.077667700+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{11735e80-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "228",
      "thread_id": "8220"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Endpoint": "0xFFFF980A11735E80",
    "Status": "0x0",
    "ProcessId": "     228",
    "CompartmentId": "       1",
    "AddressFamily": "      23",
    "ProcessStartKey": "2814749767106594"
  },
  "message": ""
}

Event ID 1392: UDP: endpoint Endpoint (family=AddressFamily pid=ProcessId) create failed: inspection status = Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: UdpCreateEndpointInspectionFailure

Description

UDP: endpoint Endpoint (family=AddressFamily pid=ProcessId) create failed: inspection status = Status.

Message #

UDP: endpoint %1 (family=%5 pid=%3) create failed: inspection status = %2

Fields #

Name	Description
`Endpoint` Pointer
`Status` UInt32	NTSTATUS reference
`ProcessId` UInt32
`CompartmentId` UInt32
`AddressFamily` UInt32
`ProcessStartKey` UInt64

Event ID 1393: UDP: endpoint Endpoint bind failed: address LocalAddress cannot be resolved, status = Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: UdpBindEndpointResolutionFailure

Description

UDP: endpoint Endpoint bind failed: address LocalAddress cannot be resolved, status = Status.

Message #

UDP: endpoint %4 bind failed: address %2 cannot be resolved, status = %3

Fields #

Name	Description
`LocalAddressLength` UInt32
`LocalAddress` Binary
`Status` UInt32	NTSTATUS reference
`Endpoint` Pointer

Event ID 1394: UDP: endpoint Endpoint (sockaddr=LocalAddress) bind failed: port-acquisition status = Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: UdpBindEndpointPortFailure

Description

UDP: endpoint Endpoint (sockaddr=LocalAddress) bind failed: port-acquisition status = Status.

Message #

UDP: endpoint %4 (sockaddr=%2) bind failed: port-acquisition status = %3

Fields #

Name	Description
`LocalAddressLength` UInt32
`LocalAddress` Binary
`Status` UInt32	NTSTATUS reference
`Endpoint` Pointer

Event ID 1395: UDP: endpoint Endpoint (sockaddr=LocalAddress) bind failed: inspection status = Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: UdpBindEndpointInspectionFailure

Description

UDP: endpoint Endpoint (sockaddr=LocalAddress) bind failed: inspection status = Status.

Message #

UDP: endpoint %4 (sockaddr=%2) bind failed: inspection status = %3

Fields #

Name	Description
`LocalAddressLength` UInt32
`LocalAddress` Binary
`Status` UInt32	NTSTATUS reference
`Endpoint` Pointer

Event ID 1396: UDP: endpoint Endpoint (sockaddr=LocalAddress) bound.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: UdpBindEndpointComplete

Description

UDP: endpoint Endpoint (sockaddr=LocalAddress) bound.

Message #

UDP: endpoint %4 (sockaddr=%2) bound.

Fields #

Name	Description
`LocalAddressLength` UInt32
`LocalAddress` Binary
`Status` UInt32	NTSTATUS reference
`Endpoint` Pointer
`Pid` UInt32
`ProcessStartKey` UInt64

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1396",
    "version": "0",
    "level": "4",
    "task": "1390",
    "opcode": "0",
    "keywords": 9223372036854776841,
    "time_created": "2026-03-16T00:21:40.078017600+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{11735e80-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "228",
      "thread_id": "8220"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "LocalAddressLength": "      28",
    "LocalAddress": "[::]:53893",
    "Status": "0x0",
    "Endpoint": "0xFFFF980A11735E80"
  },
  "message": ""
}

Event ID 1397: UDP: endpoint Endpoint (sockaddr=LocalAddress) closed.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: UdpCloseEndpointBound

Description

UDP: endpoint Endpoint (sockaddr=LocalAddress) closed.

Message #

UDP: endpoint %4 (sockaddr=%2) closed.

Fields #

Name	Description
`LocalAddressLength` UInt32
`LocalAddress` Binary
`Status` UInt32	NTSTATUS reference
`Endpoint` Pointer

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1397",
    "version": "0",
    "level": "4",
    "task": "1391",
    "opcode": "0",
    "keywords": 9223372105574253569,
    "time_created": "2026-03-16T00:21:40.117474200+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{11735e80-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "228",
      "thread_id": "2612"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "LocalAddressLength": "      28",
    "LocalAddress": "[::]:53893",
    "Status": "0x0",
    "Endpoint": "0xFFFF980A11735E80"
  },
  "message": ""
}

Event ID 1398: UDP: endpoint Endpoint closed.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: Informational
Task: UdpCloseEndpointUnBound

Description

UDP: endpoint Endpoint closed.

Message #

UDP: endpoint %4 closed.

Fields #

Name	Description
`LocalAddressLength` UInt32
`LocalAddress` Binary
`Status` UInt32	NTSTATUS reference
`Endpoint` Pointer

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1398",
    "version": "0",
    "level": "4",
    "task": "1392",
    "opcode": "0",
    "keywords": 9223372105574253569,
    "time_created": "2026-03-16T00:21:40.118277500+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{11737aa0-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "3688",
      "thread_id": "10580"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "LocalAddressLength": "       0",
    "LocalAddress": "",
    "Status": "0x0",
    "Endpoint": "0xFFFF980A11737AA0"
  },
  "message": ""
}

Event ID 1399: UDP: endpoint Endpoint (sockaddr=EndpointAddress) send messages SendAddress: address resolution status = Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: UdpSendMessagesResolutionFailure

Description

UDP: endpoint Endpoint (sockaddr=EndpointAddress) send messages SendAddress: address resolution status = Status.

Message #

UDP: endpoint %1 (sockaddr=%3) send messages %5: address resolution status = %6

Fields #

Name	Description
`Endpoint` Pointer
`EndpointAddressLength` UInt32
`EndpointAddress` Binary
`SendAddressLength` UInt32
`SendAddress` Binary
`Status` UInt32	NTSTATUS reference

Event ID 1400: UDP: endpoint Endpoint (sockaddr=EndpointAddress) send messages SendAddress: address validation failed.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: UdpSendMessagesValidationFailure

Description

UDP: endpoint Endpoint (sockaddr=EndpointAddress) send messages SendAddress: address validation failed.

Message #

UDP: endpoint %1 (sockaddr=%3) send messages %5: address validation failed.

Fields #

Name	Description
`Endpoint` Pointer
`EndpointAddressLength` UInt32
`EndpointAddress` Binary
`SendAddressLength` UInt32
`SendAddress` Binary
`Status` UInt32	NTSTATUS reference

Event ID 1401: UDP: endpoint Endpoint (sockaddr=EndpointAddress) send messages SendAddress: source-address selection status = Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: UdpSendMessagesSrcAddrSelectionFailure

Description

UDP: endpoint Endpoint (sockaddr=EndpointAddress) send messages SendAddress: source-address selection status = Status.

Message #

UDP: endpoint %1 (sockaddr=%3) send messages %5: source-address selection status = %6

Fields #

Name	Description
`Endpoint` Pointer
`EndpointAddressLength` UInt32
`EndpointAddress` Binary
`SendAddressLength` UInt32
`SendAddress` Binary
`Status` UInt32	NTSTATUS reference

Event ID 1402: UDP: endpoint {Endpoint} too many packets queued for the pending join path.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic

Description

UDP: endpoint {Endpoint} too many packets queued for the pending join path.

Message #

UDP: endpoint {Endpoint} too many packets queued for the pending join path.

Fields #

Name	Description
`Endpoint`

Event ID 1403: UDP: address family AddressFamilyadded to interface InterfaceIndex.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: UdpGlobalAddInterface

Description

UDP: address family AddressFamilyadded to interface InterfaceIndex.

Message #

UDP: address family %2added to interface %1.

Fields #

Name	Description
`InterfaceIndex` UInt32
`AddressFamily` UInt32

Event ID 1404: UDP: address family AddressFamilyremoved from interface InterfaceIndex.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: UdpGlobalDeleteInterface

Description

UDP: address family AddressFamilyremoved from interface InterfaceIndex.

Message #

UDP: address family %2removed from interface %1.

Fields #

Name	Description
`InterfaceIndex` UInt32
`AddressFamily` UInt32

Event ID 1405: UDP: Failure initializing transport protocol, status = Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: UdpStartInetModuleFailure

Description

UDP: Failure initializing transport protocol, status = Status.

Message #

UDP: Failure initializing transport protocol, status = %1

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Event ID 1406: UDP: Failure starting NLNPI client, status = Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: UdpStartNlnpiClientFailure

Description

UDP: Failure starting NLNPI client, status = Status.

Message #

UDP: Failure starting NLNPI client, status = %1

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Event ID 1407: UDP: Failure initializing NSI support, status = Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: UdpStartNsiProviderFailure

Description

UDP: Failure initializing NSI support, status = Status.

Message #

UDP: Failure initializing NSI support, status = %1

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Event ID 1408: UDP: Failure starting TLNPI provider, status = Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: UdpStartTlnpiProviderFailure

Description

UDP: Failure starting TLNPI provider, status = Status.

Message #

UDP: Failure starting TLNPI provider, status = %1

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Event ID 1409: UDP: Failure initializing QoS support, status = Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: UdpStartQosClientFailure

Description

UDP: Failure initializing QoS support, status = Status.

Message #

UDP: Failure initializing QoS support, status = %1

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Event ID 1410: UDP: Failure starting FailedQueueString, status = Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: UdpStartEndpointModuleFailure

Description

UDP: Failure starting FailedQueueString, status = Status.

Message #

UDP: Failure starting %1, status = %2

Fields #

Name	Description
`FailedQueueString` UnicodeString
`Status` UInt32	NTSTATUS reference

Event ID 1411: UDP: endpoint Endpoint (sockaddr=EndpointAddress) send messages SendAddress: could not allocate send context.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: UdpSendMessagesSendContextResourceFailure

Description

UDP: endpoint Endpoint (sockaddr=EndpointAddress) send messages SendAddress: could not allocate send context.

Message #

UDP: endpoint %1 (sockaddr=%3) send messages %5: could not allocate send context.

Fields #

Name	Description
`Endpoint` Pointer
`EndpointAddressLength` UInt32
`EndpointAddress` Binary
`SendAddressLength` UInt32
`SendAddress` Binary
`Status` UInt32	NTSTATUS reference

Event ID 1412: UDP: endpoint Endpoint (sockaddr=EndpointAddress) send messages SendAddress: path af failure, status = Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: UdpSendMessagesPathAfFailure

Description

UDP: endpoint Endpoint (sockaddr=EndpointAddress) send messages SendAddress: path af failure, status = Status.

Message #

UDP: endpoint %1 (sockaddr=%3) send messages %5: path af failure, status = %6

Fields #

Name	Description
`Endpoint` Pointer
`EndpointAddressLength` UInt32
`EndpointAddress` Binary
`SendAddressLength` UInt32
`SendAddress` Binary
`Status` UInt32	NTSTATUS reference

Event ID 1413: UDP: endpoint Endpoint (sockaddr=EndpointAddress) send messages SendAddress: path missing next hop failure.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: UdpSendMessagesPathNextHopMissingFailure

Description

UDP: endpoint Endpoint (sockaddr=EndpointAddress) send messages SendAddress: path missing next hop failure.

Message #

UDP: endpoint %1 (sockaddr=%3) send messages %5: path missing next hop failure.

Fields #

Name	Description
`Endpoint` Pointer
`EndpointAddressLength` UInt32
`EndpointAddress` Binary
`SendAddressLength` UInt32
`SendAddress` Binary
`Status` UInt32	NTSTATUS reference

Event ID 1414: UDP: endpoint Endpoint (sockaddr=EndpointAddress) send messages SendAddress: path next hop address failure.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: UdpSendMessagesPathNextHopAddrFailure

Description

UDP: endpoint Endpoint (sockaddr=EndpointAddress) send messages SendAddress: path next hop address failure.

Message #

UDP: endpoint %1 (sockaddr=%3) send messages %5: path next hop address failure.

Fields #

Name	Description
`Endpoint` Pointer
`EndpointAddressLength` UInt32
`EndpointAddress` Binary
`SendAddressLength` UInt32
`SendAddress` Binary
`Status` UInt32	NTSTATUS reference

Event ID 1415: TCP: Early Retransmission, FACK or RACK, Connection = Tcb, SndUna = SndUna, SackIsLostSeq = SackIsLostSeq, DupAckCount = DupAckCount.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpEarlyRetransmit

Description

TCP: Early Retransmission, FACK or RACK, Connection = Tcb, SndUna = SndUna, SackIsLostSeq = SackIsLostSeq, DupAckCount = DupAckCount.

Message #

TCP: Early Retransmission, FACK or RACK, Connection = %1, SndUna = %2, SackIsLostSeq = %3, DupAckCount = %4

Fields #

Name	Description
`Tcb` Pointer
`SndUna` UInt32
`SackIsLostSeq` UInt32
`DupAckCount` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1415",
    "version": "0",
    "level": "4",
    "task": "1409",
    "opcode": "0",
    "keywords": 9223372041149743104,
    "time_created": "2026-03-15T23:27:12.440656500+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{fd182260-d78f-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFFD78FFD182260",
    "SndUna": "4068749001",
    "SackIsLostSeq": "       0",
    "DupAckCount": "       1"
  },
  "message": ""
}

Event ID 1416: TCP: Ignoring fastopen SYN option due to limit on concurrent SYN_RCVD fastopen connections, Connection = Tcb, SynRcvdLimit = SynRcvdLimit.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpFastopenSynRcvdLimit

Description

TCP: Ignoring fastopen SYN option due to limit on concurrent SYN_RCVD fastopen connections, Connection = Tcb, SynRcvdLimit = SynRcvdLimit.

Message #

TCP: Ignoring fastopen SYN option due to limit on concurrent SYN_RCVD fastopen connections, Connection = %1, SynRcvdLimit = %2

Fields #

Name	Description
`Tcb` Pointer
`SynRcvdLimit` UInt32

Event ID 1417: TCP: Failed to update fastopen key state, Location = Location, Status = Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpFastopenKeyUpdateFailure

Description

TCP: Failed to update fastopen key state, Location = Location, Status = Status. Server-side fastopen will be disabled.

Message #

TCP: Failed to update fastopen key state, Location = %1, Status = %2. Server-side fastopen will be disabled

Fields #

Name	Description
`Location` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 1418: TCP: Fast Retransmit Send, Connection = Tcb, BytesToSend = BytesToSend, SndNxt = SndNxt.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpLossRecoverySend

Description

TCP: Fast Retransmit Send, Connection = Tcb, BytesToSend = BytesToSend, SndNxt = SndNxt.

Message #

TCP: Fast Retransmit Send, Connection = %1, BytesToSend = %2, SndNxt = %3

Fields #

Name	Description
`Tcb` Pointer
`BytesToSend` UInt32
`SndNxt` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1418",
    "version": "0",
    "level": "4",
    "task": "1412",
    "opcode": "0",
    "keywords": 9223372041149743104,
    "time_created": "2026-03-16T00:21:40.489901200+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{15ce6ae0-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A15CE6AE0",
    "BytesToSend": "    1440",
    "SndNxt": "155002622"
  },
  "message": ""
}

Event ID 1419: TCP: SACK Retransmit Send, Connection = Tcb, BytesToSend = BytesToSend, SndNxt = SndNxt.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpLossRecoverySend

Description

TCP: SACK Retransmit Send, Connection = Tcb, BytesToSend = BytesToSend, SndNxt = SndNxt.

Message #

TCP: SACK Retransmit Send, Connection = %1, BytesToSend = %2, SndNxt = %3

Fields #

Name	Description
`Tcb` Pointer
`BytesToSend` UInt32
`SndNxt` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1419",
    "version": "0",
    "level": "4",
    "task": "1412",
    "opcode": "0",
    "keywords": 9223372041149743104,
    "time_created": "2026-03-16T00:21:40.490433800+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{15ce6ae0-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A15CE6AE0",
    "BytesToSend": "      38",
    "SndNxt": "155004100"
  },
  "message": ""
}

Event ID 1420: TCP: Limited Transmit Send, Connection = Tcb, BytesToSend = BytesToSend, SndNxt = SndNxt.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpLossRecoverySend

Description

TCP: Limited Transmit Send, Connection = Tcb, BytesToSend = BytesToSend, SndNxt = SndNxt.

Message #

TCP: Limited Transmit Send, Connection = %1, BytesToSend = %2, SndNxt = %3

Fields #

Name	Description
`Tcb` Pointer
`BytesToSend` UInt32
`SndNxt` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1420",
    "version": "0",
    "level": "4",
    "task": "1412",
    "opcode": "0",
    "keywords": 9223372041149743104,
    "time_created": "2026-03-16T00:23:27.162052500+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{170d1290-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A170D1290",
    "BytesToSend": "    1440",
    "SndNxt": "1228953133"
  },
  "message": ""
}

Event ID 1421: TCP: SACK Retransmit Additional Send, Connection = Tcb, BytesToSend = BytesToSend, SndNxt = SndNxt.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpLossRecoverySend

Description

TCP: SACK Retransmit Additional Send, Connection = Tcb, BytesToSend = BytesToSend, SndNxt = SndNxt.

Message #

TCP: SACK Retransmit Additional Send, Connection = %1, BytesToSend = %2, SndNxt = %3

Fields #

Name	Description
`Tcb` Pointer
`BytesToSend` UInt32
`SndNxt` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1421",
    "version": "0",
    "level": "4",
    "task": "1412",
    "opcode": "0",
    "keywords": 9223372041149743104,
    "time_created": "2026-03-16T00:23:27.167320000+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{170d1290-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A170D1290",
    "BytesToSend": "    1440",
    "SndNxt": "1228956013"
  },
  "message": ""
}

Event ID 1422: IPTransportProtocol: PathDirectionmessage.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: Informational
Task: IcmpSendRecv

Description

IPTransportProtocol: PathDirectionmessage. Type = IcmpType, Code = IcmpCode, CompartmentId = CompartmentId, SourceAddress = SourceAddress, DestAddress = DestAddress.

Message #

%1: %2message. Type = %3, Code = %4, CompartmentId = %5, SourceAddress = %7, DestAddress = %9

Fields #

Name	Description
`IPTransportProtocol` UInt32
`PathDirection` UInt32
`IcmpType` UInt32
`IcmpCode` UInt32
`CompartmentId` UInt32
`SourceAddressLength` UInt32
`SourceAddress` Binary
`DestAddressLength` UInt32
`DestAddress` Binary

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1422",
    "version": "0",
    "level": "4",
    "task": "1413",
    "opcode": "0",
    "keywords": 9223372586610589696,
    "time_created": "2026-03-16T00:21:40.180500700+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "IPTransportProtocol": "       1",
    "PathDirection": "       0",
    "IcmpType": "       3",
    "IcmpCode": "       3",
    "CompartmentId": "       1",
    "SourceAddressLength": "      16",
    "SourceAddress": "10.2.10.21",
    "DestAddressLength": "      16",
    "DestAddress": "8.8.8.8"
  },
  "message": ""
}

Event ID 1423: IPTransportProtocol: PathDirectionpath drop.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: IcmpPacketDrops

Description

IPTransportProtocol: PathDirectionpath drop. Type = IcmpType, Code = IcmpCode, Reason = DropReason, Status = Status, CompartmentId = CompartmentId, SourceAddress = SourceAddress, DestAddress = DestAddress.

Message #

%1: %2path drop. Type = %3, Code = %4, Reason = %5, Status = %6, CompartmentId = %7, SourceAddress = %9, DestAddress = %11

Fields #

Name	Description
`IPTransportProtocol` UInt32
`PathDirection` UInt32
`IcmpType` UInt32
`IcmpCode` UInt32
`DropReason` UInt32
`Status` UInt32	NTSTATUS reference
`CompartmentId` UInt32
`SourceAddressLength` UInt32
`SourceAddress` Binary
`DestAddressLength` UInt32
`DestAddress` Binary
`IfIndex` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1423",
    "version": "1",
    "level": "4",
    "task": "1414",
    "opcode": "0",
    "keywords": 9223373136366403712,
    "time_created": "2026-03-15T23:30:50.067428800+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}"
    },
    "execution": {
      "process_id": "10828",
      "thread_id": "12980"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "IPTransportProtocol": "       1",
    "PathDirection": "       0",
    "IcmpType": "       3",
    "IcmpCode": "       3",
    "DropReason": "      12",
    "Status": "0xC000021B",
    "CompartmentId": "       1",
    "SourceAddressLength": "      16",
    "SourceAddress": "10.2.10.11",
    "DestAddressLength": "      16",
    "DestAddress": "10.2.10.21",
    "IfIndex": "       4"
  },
  "message": ""
}

Event ID 1424: IPTransportProtocol: Echo timeout.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IcmpEchoTimeout

Description

IPTransportProtocol: Echo timeout. Status = IcmpCode.

Message #

%1: Echo timeout. Status = %4

Fields #

Name	Description
`IPTransportProtocol` UInt32
`PathDirection` UInt32
`IcmpType` UInt32
`IcmpCode` UInt32
`DropReason` UInt32
`Status` UInt32	NTSTATUS reference
`CompartmentId` UInt32
`SourceAddressLength` UInt32
`SourceAddress` Binary
`DestAddressLength` UInt32
`DestAddress` Binary

Event ID 1425: Component Timer state changed to CurrentState by Processor Processor Usage = ProcessorUsage at Tick = CurrentTick.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipTimerStateChange

Description

Component Timer state changed to CurrentState by Processor Processor Usage = ProcessorUsage at Tick = CurrentTick.

Message #

%1 Timer state changed to %3 by Processor %2 Usage = %4 at Tick = %5

Fields #

Name	Description
`Component` UInt32
`Processor` UInt32
`CurrentState` UInt32
`ProcessorUsage` UInt32
`CurrentTick` UInt32

Event ID 1426: TCP: connection Tcb send complete NumBytes bytes at SndNxt (Injected).

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: Verbose
Task: TcpSendComplete

Description

TCP: connection Tcb send complete NumBytes bytes at SndNxt (Injected).

Message #

TCP: connection %1 send complete %3 bytes at %4 (%2).

Fields #

Name	Description
`Tcb` Pointer
`Injected` UnicodeString
`NumBytes` UInt32
`SndNxt` UInt32
`ActivityID` Pointer

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1426",
    "version": "0",
    "level": "5",
    "task": "1417",
    "opcode": "0",
    "keywords": 9223372041149743104,
    "time_created": "2026-03-16T00:21:34.390792600+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{1018b560-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "4248",
      "thread_id": "4684"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A1018B560",
    "Injected": "normal",
    "NumBytes": "    1303",
    "SndNxt": "2307521250"
  },
  "message": ""
}

Event ID 1427: IP: Compartment creation.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpCompartmentCreation

Description

IP: Compartment creation. Compartment = CompartmentId, Protocol = AddressFamily, Private = Private, Status = Status.

Message #

IP: Compartment creation. Compartment = %1, Protocol = %2, Private = %3, Status = %4.

Fields #

Name	Description
`CompartmentId` UInt32
`AddressFamily` UInt32
`Private` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 1428: IP: Compartment deletion.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpCompartmentDeletion

Description

IP: Compartment deletion. Compartment = CompartmentId, Protocol = AddressFamily.

Message #

IP: Compartment deletion. Compartment = %1, Protocol = %2.

Fields #

Name	Description
`CompartmentId` UInt32
`AddressFamily` UInt32
`Private` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 1429: TCP: connection Tcb: Cumulative Ack event, SeqNo = SeqNo, BytesAcked = BytesAcked, CWnd = Cwnd, SndWnd = SndWnd, InRecovery = InRecovery, TimeSinceLastLossMS = TimeSinceLastLossMS, CubicCwnd...

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: Informational
Task: TcpCubicDataTransferCumAck

Description

TCP: connection : Cumulative Ack event, SeqNo = , BytesAcked = , CWnd = , SndWnd = , InRecovery = , TimeSinceLastLossMS = , CubicCwnd = , AimdCwnd = , K = , Wmax = , LastWmax = , MaxSndWnd = .

Message #

TCP: connection %1: Cumulative Ack event, SeqNo = %5, BytesAcked = %4, CWnd = %2, SndWnd = %3, InRecovery = %6, TimeSinceLastLossMS = %7, CubicCwnd = %8, AimdCwnd = %9, K = %10, Wmax = %11, LastWmax = %12, MaxSndWnd = %13.

Fields #

Name	Description
`Tcb` Pointer
`Cwnd` UInt32
`SndWnd` UInt32
`BytesAcked` UInt32
`SeqNo` UInt32
`InRecovery` UInt8
`TimeSinceLastLossMS` UInt64
`CubicCwnd` UInt64
`AimdCwnd` UInt32
`K` UInt64
`Wmax` UInt32
`LastWmax` UInt32
`MaxSndWnd` UInt32
`IsLimitedSlowStart` UInt8

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1429",
    "version": "1",
    "level": "4",
    "task": "1420",
    "opcode": "0",
    "keywords": 9223372041149743104,
    "time_created": "2026-03-16T00:21:36.015001500+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{10708010-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A10708010",
    "Cwnd": "   27376",
    "SndWnd": "  262656",
    "BytesAcked": "       0",
    "SeqNo": "3807647817",
    "InRecovery": "0",
    "TimeSinceLastLossMS": "0",
    "CubicCwnd": "0",
    "AimdCwnd": "       0",
    "K": "0",
    "Wmax": "       0",
    "LastWmax": "       0",
    "MaxSndWnd": "  262656",
    "IsLimitedSlowStart": "0"
  },
  "message": ""
}

Event ID 1430: TCP: connection Tcb: Duplicate ACK updated cwnd = Cwnd and updated ssthresh = SSThresh DupAckCount = DupAckCount SndUna = SeqNo CwrMax = CwrMax.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpCubicDataTransferDupAck

Description

TCP: connection Tcb: Duplicate ACK updated cwnd = Cwnd and updated ssthresh = SSThresh DupAckCount = DupAckCount SndUna = SeqNo CwrMax = CwrMax.

Message #

TCP: connection %1: Duplicate ACK updated cwnd = %2 and updated ssthresh = %3 DupAckCount = %4 SndUna = %5 CwrMax = %6.

Fields #

Name	Description
`Tcb` Pointer
`Cwnd` UInt32
`SSThresh` UInt32
`DupAckCount` UInt32
`SeqNo` UInt32
`CwrMax` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1430",
    "version": "0",
    "level": "4",
    "task": "1421",
    "opcode": "0",
    "keywords": 9223372045444710400,
    "time_created": "2026-03-15T23:27:12.440654900+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{fd182260-d78f-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFFD78FFD182260",
    "Cwnd": "   22020",
    "SSThresh": "   16760",
    "DupAckCount": "       1",
    "SeqNo": "4068749001",
    "CwrMax": "4068749000"
  },
  "message": ""
}

Event ID 1431: IP: Compartment cleanup.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpCompartmentCleanup

Description

IP: Compartment cleanup. Compartment = CompartmentId, Protocol = AddressFamily.

Message #

IP: Compartment cleanup. Compartment = %1, Protocol = %2.

Fields #

Name	Description
`CompartmentId` UInt32
`AddressFamily` UInt32
`Private` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 1432: IP: Interface network category state change.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpUpdateInterfaceNetworkCategoryState

Description

IP: Interface network category state change. Interface = IfIndex, Compartment = CompartmentId , Protocol = AddressFamily, NetworkCategory = NetworkCategory, DomainNetworkLocation = DomainNetworkLocation, DomainType = DomainType, Signature = NetworkSignature.

Message #

IP: Interface network category state change. Interface = %1, Compartment = %2 , Protocol = %3, NetworkCategory = %4, DomainNetworkLocation = %5, DomainType = %6, Signature = %7.

Fields #

Name	Description
`IfIndex` UInt32
`CompartmentId` UInt32
`AddressFamily` UInt32
`NetworkCategory` UInt32
`DomainNetworkLocation` UInt32
`DomainType` UInt32
`NetworkSignature` GUID

Event ID 1433: IP: Interface creation.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpInterfaceCreation

Description

IP: Interface creation. Interface = IfIndex, Compartment = CompartmentId, Protocol = AddressFamily, PhysicalMediumType = PhysicalMediumType, Status = Status.

Message #

IP: Interface creation. Interface = %1, Compartment = %2, Protocol = %3, PhysicalMediumType = %4, Status = %5.

Fields #

Name	Description
`IfIndex` UInt32
`CompartmentId` UInt32
`AddressFamily` UInt32
`PhysicalMediumType` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 1434: IP: Interface deletion.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpInterfaceDeletion

Description

IP: Interface deletion. Interface = IfIndex, Compartment = CompartmentId, Protocol = AddressFamily.

Message #

IP: Interface deletion. Interface = %1, Compartment = %2, Protocol = %3.

Fields #

Name	Description
`IfIndex` UInt32
`CompartmentId` UInt32
`AddressFamily` UInt32
`PhysicalMediumType` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 1435: IP: Interface cleanup.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpInterfaceCleanup

Description

IP: Interface cleanup. Interface = IfIndex, Compartment = CompartmentId, Protocol = AddressFamily.

Message #

IP: Interface cleanup. Interface = %1, Compartment = %2, Protocol = %3.

Fields #

Name	Description
`IfIndex` UInt32
`CompartmentId` UInt32
`AddressFamily` UInt32
`PhysicalMediumType` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 1436: IP: SubInterface creation.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpSubInterfaceCreation

Description

IP: SubInterface creation. SubInterface = SubIfIndex, Interface = IfIndex, Compartment = CompartmentId, Protocol = AddressFamily, Status = Status.

Message #

IP: SubInterface creation. SubInterface = %1, Interface = %2, Compartment = %3, Protocol = %4, Status = %5.

Fields #

Name	Description
`SubIfIndex` UInt32
`IfIndex` UInt32
`CompartmentId` UInt32
`AddressFamily` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 1437: IP: SubInterface deletion.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpSubInterfaceDeletion

Description

IP: SubInterface deletion. SubInterface = SubIfIndex, Interface = IfIndex, Compartment = CompartmentId, Protocol = AddressFamily.

Message #

IP: SubInterface deletion. SubInterface = %1, Interface = %2, Compartment = %3, Protocol = %4.

Fields #

Name	Description
`SubIfIndex` UInt32
`IfIndex` UInt32
`CompartmentId` UInt32
`AddressFamily` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 1438: IP: SubInterface cleanup.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpSubInterfaceCleanup

Description

IP: SubInterface cleanup. SubInterface = SubIfIndex, Interface = IfIndex, Compartment = CompartmentId, Protocol = AddressFamily.

Message #

IP: SubInterface cleanup. SubInterface = %1, Interface = %2, Compartment = %3, Protocol = %4.

Fields #

Name	Description
`SubIfIndex` UInt32
`IfIndex` UInt32
`CompartmentId` UInt32
`AddressFamily` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 1439: IP: Interface change Notification.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpInterfaceChangeNotification

Description

IP: Interface change Notification. Interface = IfIndex, Compartment = CompartmentId, Protocol = AddressFamily, Reason = Reason.

Message #

IP: Interface change Notification. Interface = %1, Compartment = %2, Protocol = %3, Reason = %4.

Fields #

Name	Description
`IfIndex` UInt32
`CompartmentId` UInt32
`AddressFamily` UInt32
`Reason` UInt32
`State` UInt32
`NotificationType` UInt32

Event ID 1440: IP: Interface internet connectivity status change.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpInterfaceInternetConnectivityStatus

Description

IP: Interface internet connectivity status change. Interface = IfIndex, Compartment = CompartmentId, Protocol = AddressFamily, OldConnectivityStatus = OldConnectivityStatus, NewConnectivityStatus = NewConnectivityStatus.

Message #

IP: Interface internet connectivity status change. Interface = %1, Compartment = %2, Protocol = %3, OldConnectivityStatus = %4, NewConnectivityStatus = %5.

Fields #

Name	Description
`IfIndex` UInt32
`CompartmentId` UInt32
`AddressFamily` UInt32
`OldConnectivityStatus` UInt32
`NewConnectivityStatus` UInt32

Event ID 1441: IP: Address change notification.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpAddressChangeNotification

Description

IP: Address change notification. Address = SourceAddress, Interface = IfIndex, Compartment = CompartmentId, Protocol = Protocol, Reason = Reason.

Message #

IP: Address change notification. Address = %2, Interface = %3, Compartment = %4, Protocol = %5, Reason = %6.

Fields #

Name	Description
`SourceAddressLength` UInt32
`SourceAddress` Binary
`IfIndex` UInt32
`CompartmentId` UInt32
`Protocol` AnsiString	Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`Reason` UInt32
`State` UInt32
`NotificationType` UInt32
`DadState` UInt32

Event ID 1442: IP: Route change notification.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpRouteChangeNotification

Description

IP: Route change notification. DestinationPrefix = DestinationPrefix/DestinationPrefixLength, NextHop = NextHopAddress, Interface = IfIndex, Compartment = CompartmentId, NotifyFlags = NotifyFlags.

Message #

IP: Route change notification. DestinationPrefix = %2/%5, NextHop = %4, Interface = %7, Compartment = %6, NotifyFlags = %8.

Fields #

Name	Description
`DestinationPrefixAddressLength` UInt32
`DestinationPrefix` Binary
`NextHopAddressLength` UInt32
`NextHopAddress` Binary
`DestinationPrefixLength` UInt32
`CompartmentId` UInt32
`IfIndex` UInt32
`NotifyFlags` UInt64
`State` UInt32
`NotificationType` UInt32

Event ID 1443: IP: Neighbor change notification.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpNeighborChangeNotification

Description

IP: Neighbor change notification. IpAddress = IPAddress, DlAddress = DLAddress, Interface = IfIndex, Compartment = CompartmentId, State = NeighborState, Reason = Reason.

Message #

IP: Neighbor change notification. IpAddress = %2, DlAddress = %4, Interface = %5, Compartment = %6, State = %7, Reason = %8.

Fields #

Name	Description
`IpAddrLength` UInt32
`IPAddress` Binary
`DlAddrLength` UInt32
`DLAddress` Binary
`IfIndex` UInt32
`CompartmentId` UInt32
`NeighborState` UInt32
`Reason` UInt32
`NotificationState` UInt32
`NotificationType` UInt32

Event ID 1444: IP: Address DAD state change.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpAddressDadStateChange

Description

IP: Address DAD state change. Address = SourceAddress, Interface = IfIndex, Compartment = CompartmentId, OldState = OldDadState, NewState = NewDadState, Reason = Reason.

Message #

IP: Address DAD state change. Address = %2, Interface = %3, Compartment = %4, OldState = %5, NewState = %6, Reason = %7.

Fields #

Name	Description
`SourceAddressLength` UInt32
`SourceAddress` Binary
`IfIndex` UInt32
`CompartmentId` UInt32
`OldDadState` UInt32
`NewDadState` UInt32
`Reason` UInt32

Event ID 1445: IP: Route Dead Gateway Detection state change.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpRouteDGDStateChange

Description

IP: Route Dead Gateway Detection state change. DestinationPrefix = DestinationPrefix/DestinationPrefixLength, NextHop = NextHopAddress, Interface = IfIndex, Compartment = CompartmentId, OldState = OldState, NewState = NewState, OldProbeCount = OldProbeCount, NewProbeCount = NewProbeCount, OldUnreachablePaths = OldUnreachablePaths, NewUnreachablePaths = NewUnreachablePaths, OldMovedPaths = OldMovedPaths, NewMovedPaths = NewMovedPaths, TotalPaths = TotalPaths, OldStateChangeTick = OldStateChangeTick, NewStateChangeTick = NewStateChangeTick, DgdNeedsReset = DgdNeedsReset, Reason = Reason.

Message #

IP: Route Dead Gateway Detection state change. DestinationPrefix = %2/%5, NextHop = %4, Interface = %7, Compartment = %6, OldState = %8, NewState = %9, OldProbeCount = %10, NewProbeCount = %11, OldUnreachablePaths = %12, NewUnreachablePaths = %13, OldMovedPaths = %14, NewMovedPaths = %15, TotalPaths = %16, OldStateChangeTick = %17, NewStateChangeTick = %18, DgdNeedsReset = %19, Reason = %20.

Fields #

Name	Description
`DestinationPrefixAddressLength` UInt32
`DestinationPrefix` Binary
`NextHopAddressLength` UInt32
`NextHopAddress` Binary
`DestinationPrefixLength` UInt32
`CompartmentId` UInt32
`IfIndex` UInt32
`OldState` UInt32
`NewState` UInt32
`OldProbeCount` UInt32
`NewProbeCount` UInt32
`OldUnreachablePaths` UInt32
`NewUnreachablePaths` UInt32
`OldMovedPaths` UInt32
`NewMovedPaths` UInt32
`TotalPaths` UInt32
`OldStateChangeTick` UInt32
`NewStateChangeTick` UInt32
`DgdNeedsReset` UInt32
`Reason` UInt32

Event ID 1446: IP: Disconnecting TCP connections with Address = Address, Interface = IfIndex, Compartment = CompartmentId, SkipLocal = SkipLocal, SkipOnLink = SkipOnLink.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpInterfaceDisconnect

Description

IP: Disconnecting TCP connections with Address = Address, Interface = IfIndex, Compartment = CompartmentId, SkipLocal = SkipLocal, SkipOnLink = SkipOnLink.

Message #

IP: Disconnecting TCP connections with Address = %2, Interface = %3, Compartment = %4, SkipLocal = %5, SkipOnLink = %6.

Fields #

Name	Description
`AddressLength` UInt32
`Address` Binary
`IfIndex` UInt32
`CompartmentId` UInt32
`SkipLocal` UInt32
`SkipOnLink` UInt32

Event ID 1447: TCP: connection Tcb: Sending paced chunk of QuantizedAllowance bytes with CWnd = Cwnd, SndWnd = SndWnd, BytesAvailable = BytesAvailable, BytesOutstanding = BytesOutstanding.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpPacingSend

Description

TCP: connection Tcb: Sending paced chunk of QuantizedAllowance bytes with CWnd = Cwnd, SndWnd = SndWnd, BytesAvailable = BytesAvailable, BytesOutstanding = BytesOutstanding.

Message #

TCP: connection %1: Sending paced chunk of %6 bytes with CWnd = %2, SndWnd = %3, BytesAvailable = %4, BytesOutstanding = %5

Fields #

Name	Description
`Tcb` Pointer
`Cwnd` UInt32
`SndWnd` UInt32
`BytesAvailable` UInt32
`BytesOutstanding` UInt32
`QuantizedAllowance` UInt32
`Allowance` UInt32
`OriginalBytesToSend` UInt32

Event ID 1448: Fallback: Context = Fallback, Feature = Feature, TraceReason = Reason, Confidence = Confidence, Successes = Successes, Failures = Failures.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: FeatureFallback

Description

Fallback: Context = Fallback, Feature = Feature, TraceReason = Reason, Confidence = Confidence, Successes = Successes, Failures = Failures.

Message #

Fallback: Context = %1, Feature = %2, TraceReason = %3, Confidence = %4, Successes = %5, Failures = %6

Fields #

Name	Description
`Fallback` Pointer
`Feature` UInt32
`Reason` UInt32
`Confidence` Int32
`Successes` UInt32
`Failures` UInt32

Event ID 1449: TCPIP: TCB Tcb using fast loopback.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpLoopbackFastPathSuccess

Description

TCPIP: TCB Tcb using fast loopback.

Message #

TCPIP: TCB %1 using fast loopback

Fields #

Name	Description
`Tcb` Pointer

Event ID 1450: IP: Router information change notification.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpRouterInformationChangeNotification

Description

IP: Router information change notification. Interface = IfIndex, Compartment = CompartmentId, Protocol = AddressFamily, Reason = Reason.

Message #

IP: Router information change notification. Interface = %1, Compartment = %2, Protocol = %3, Reason = %4.

Fields #

Name	Description
`IfIndex` UInt32
`CompartmentId` UInt32
`AddressFamily` UInt32
`Reason` UInt32

Event ID 1451: IP: Event.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpRaDnsEvent

Description

IP: Event. Interface = Interface, Compartment = CompartmentId, RouterAddress = RouterAddress, DNS Server/Suffix: DNSServerAddress DNSSuffix, Lifetime = Lifetime.

Message #

IP: %1. Interface = %2, Compartment = %3, RouterAddress = %5, DNS Server/Suffix: %7 %8, Lifetime = %9.

Fields #

Name	Description
`Event` UInt32
`Interface` UInt32
`CompartmentId` UInt32
`RouterAddrLength` UInt32
`RouterAddress` Binary
`DnsAddrLength` UInt32
`DNSServerAddress` Binary
`DNSSuffix` AnsiString
`Lifetime` UInt32

Event ID 1452: IP: Route rundown.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: Informational
Task: IpRouteRundown

Description

IP: Route rundown. Interface = Interface, Compartment = Compartment, Prefix = DestinationPrefix/DestinationPrefixLength, NextHop = NextHopAddress, Metric = Metric, State = State, Origin = Origin, Age = Age, ValidLifetime = ValidLifetime, PreferredLifetime = PreferredLifetime, Flags = Flags.

Message #

IP: Route rundown. Interface = %1, Compartment = %2, Prefix = %4/%5, NextHop = %7, Metric = %8, State = %9, Origin = %10, Age = %11, ValidLifetime = %12, PreferredLifetime = %13, Flags = %14.

Fields #

Name	Description
`Interface` UInt32
`Compartment` UInt32
`DestinationPrefixAddressLength` UInt32
`DestinationPrefix` Binary
`DestinationPrefixLength` UInt32
`NextHopAddressLength` UInt32
`NextHopAddress` Binary
`Metric` UInt32
`State` UInt32
`Origin` UInt32
`Age` UInt64
`ValidLifetime` UInt64
`PreferredLifetime` UInt64
`Flags` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1452",
    "version": "0",
    "level": "4",
    "task": "1443",
    "opcode": "0",
    "keywords": 9223372586610589856,
    "time_created": "2026-03-16T00:21:34.295267700+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}"
    },
    "execution": {
      "process_id": "9132",
      "thread_id": "4236"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Interface": "       6",
    "Compartment": "       1",
    "DestinationPrefixAddressLength": "      16",
    "DestinationPrefix": "0.0.0.0",
    "DestinationPrefixLength": "       0",
    "NextHopAddressLength": "      16",
    "NextHopAddress": "10.2.10.254",
    "Metric": "     256",
    "State": "       0",
    "Origin": "       0",
    "Age": "0x1A11",
    "ValidLifetime": "0xFFFFFFFF",
    "PreferredLifetime": "0xFFFFFFFF",
    "Flags": "0x388"
  },
  "message": ""
}

Event ID 1453: TCP: CUBIC ECN event.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpCubicDataTransferEcn

Description

TCP: CUBIC ECN event. Connection Tcb, CWnd Cwnd, SSThresh = SSThresh, SndUna = SndUna.

Message #

TCP: CUBIC ECN event. Connection %1, CWnd %2, SSThresh = %3, SndUna = %4

Fields #

Name	Description
`Tcb` Pointer
`Cwnd` UInt32
`SSThresh` UInt32
`SndUna` UInt32

Event ID 1454: INETINSPECT: Owner = Owner, InspectHandle = InspectHandle, InspectType = InspectType, Action = InspectAction, Status = Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: Informational
Task: InetInspect

Description

INETINSPECT: Owner = Owner, InspectHandle = InspectHandle, InspectType = InspectType, Action = InspectAction, Status = Status.

Message #

INETINSPECT: Owner = %1, InspectHandle = %2, InspectType = %3, Action = %4, Status = %5

Fields #

Name	Description
`Owner` Pointer
`InspectHandle` Pointer
`InspectType` UInt32
`InspectAction` UInt32
`Status` UInt32	NTSTATUS reference

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1454",
    "version": "0",
    "level": "4",
    "task": "1445",
    "opcode": "0",
    "keywords": 9223372036854775936,
    "time_created": "2026-03-16T00:21:34.388718700+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{1018b560-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "4168",
      "thread_id": "6880"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Owner": "0xFFFF980A1018B560",
    "InspectHandle": "0xFFFF980A17030CE0",
    "InspectType": "       0",
    "InspectAction": "       1",
    "Status": "0x0"
  },
  "message": ""
}

Event ID 1455: INETINSPECT: Owner = Owner, InspectHandle = InspectHandle, InspectType = InspectType, Action = InspectPort, Status = Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: InetInspect

Description

INETINSPECT: Owner = Owner, InspectHandle = InspectHandle, InspectType = InspectType, Action = InspectPort, Status = Status.

Message #

INETINSPECT: Owner = %1, InspectHandle = %2, InspectType = %3, Action = %4, Status = %5

Fields #

Name	Description
`Owner` Pointer
`InspectHandle` Pointer
`InspectType` UInt32
`InspectPort` UInt32
`Status` UInt32	NTSTATUS reference

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1455",
    "version": "0",
    "level": "4",
    "task": "1445",
    "opcode": "0",
    "keywords": 9223372036854775936,
    "time_created": "2026-03-16T00:21:40.077855500+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{0b1c4090-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "228",
      "thread_id": "8220"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Owner": "0xFFFF980A0B1C4090",
    "InspectHandle": "0xFFFF980A13FE6CC0",
    "InspectType": "      17",
    "InspectPort": "       0",
    "Status": "0x0"
  },
  "message": ""
}

Event ID 1456: FallbackCheck: Ctx = Fallback, Feature = Feature, Failed = Failed, Succeeeded = Succeeded, InProbe = InProbe, PathsProbed = PathsProbed, Status = Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: FeatureFallback

Description

FallbackCheck: Ctx = Fallback, Feature = Feature, Failed = Failed, Succeeeded = Succeeded, InProbe = InProbe, PathsProbed = PathsProbed, Status = Status.

Message #

FallbackCheck: Ctx = %1, Feature = %2, Failed = %3, Succeeeded = %4, InProbe = %5, PathsProbed = %6, Status = %7

Fields #

Name	Description
`Fallback` Pointer
`Feature` UInt32
`Failed` UInt32
`Succeeded` UInt32
`InProbe` UInt32
`PathsProbed` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 1457: FallbackUpdate: Ctx = Fallback, Feature = Feature, Failed = Failed, Succeeeded = Succeeded, InProbe = InProbe, PathsProbed = PathsProbed, Status = Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: FeatureFallback

Description

FallbackUpdate: Ctx = Fallback, Feature = Feature, Failed = Failed, Succeeeded = Succeeded, InProbe = InProbe, PathsProbed = PathsProbed, Status = Status.

Message #

FallbackUpdate: Ctx = %1, Feature = %2, Failed = %3, Succeeeded = %4, InProbe = %5, PathsProbed = %6, Status = %7

Fields #

Name	Description
`Fallback` Pointer
`Feature` UInt32
`Failed` UInt32
`Succeeded` UInt32
`InProbe` UInt32
`PathsProbed` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 1458: Fallback: Permanently disabling feature, Ctx = Fallback, Feature = Feature, PathsProbed = PathsProbed.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: FeatureFallback

Description

Fallback: Permanently disabling feature, Ctx = Fallback, Feature = Feature, PathsProbed = PathsProbed.

Message #

Fallback: Permanently disabling feature, Ctx = %1, Feature = %2, PathsProbed = %6

Fields #

Name	Description
`Fallback` Pointer
`Feature` UInt32
`Failed` UInt32
`Succeeded` UInt32
`InProbe` UInt32
`PathsProbed` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 1459: Fallback: Enabling feature for this boot session, Ctx = Fallback, Feature = Feature, PathsProbed = PathsProbed.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: FeatureFallback

Description

Fallback: Enabling feature for this boot session, Ctx = Fallback, Feature = Feature, PathsProbed = PathsProbed.

Message #

Fallback: Enabling feature for this boot session, Ctx = %1, Feature = %2, PathsProbed = %6

Fields #

Name	Description
`Fallback` Pointer
`Feature` UInt32
`Failed` UInt32
`Succeeded` UInt32
`InProbe` UInt32
`PathsProbed` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 1460: Fallback: Feature previously disabled, Ctx = Fallback, Feature = Feature, PathsProbed = PathsProbed.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: FeatureFallback

Description

Fallback: Feature previously disabled, Ctx = Fallback, Feature = Feature, PathsProbed = PathsProbed.

Message #

Fallback: Feature previously disabled, Ctx = %1, Feature = %2, PathsProbed = %6

Fields #

Name	Description
`Fallback` Pointer
`Feature` UInt32
`Failed` UInt32
`Succeeded` UInt32
`InProbe` UInt32
`PathsProbed` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 1461: TCP Fastopen fallback update: Tcb = Tcb, FastopenState = FastopenState, DataBytesIn = DataBytesIn, ShutdownStatus = ShutdownStatus, ProbeStatus = ProbeStatus.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpFastopenFallbackUpdate

Description

TCP Fastopen fallback update: Tcb = Tcb, FastopenState = FastopenState, DataBytesIn = DataBytesIn, ShutdownStatus = ShutdownStatus, ProbeStatus = ProbeStatus.

Message #

TCP Fastopen fallback update: Tcb = %1, FastopenState = %2, DataBytesIn = %3, ShutdownStatus = %4, ProbeStatus = %5

Fields #

Name	Description
`Tcb` Pointer
`FastopenState` UInt32
`DataBytesIn` UInt64
`ShutdownStatus` UInt32
`ProbeStatus` UInt32

Event ID 1462: Disabling feature until connectivity is established: CompartmentId =CompartmentId, IfIndex = IfIndex, Feature = Feature, ConnectivityStatus = ConnectivityStatus.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: FeatureFallbackNcsiNoConnectivity

Description

Disabling feature until connectivity is established: CompartmentId =CompartmentId, IfIndex = IfIndex, Feature = Feature, ConnectivityStatus = ConnectivityStatus.

Message #

Disabling feature until connectivity is established: CompartmentId =%1, IfIndex = %2, Feature = %3, ConnectivityStatus = %4

Fields #

Name	Description
`CompartmentId` UInt32
`IfIndex` UInt32
`Feature` UInt32
`ConnectivityStatus` UInt32

Event ID 1463: Disabling Feature for loopback connection.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: FeatureFallbackLoopback

Description

Disabling Feature for loopback connection.

Message #

Disabling %1 for loopback connection

Fields #

Name	Description
`Feature` UInt32

Event ID 1464: Disabling TCP Fastopen for BaseEndpoint = BaseEndpoint because an incompatible WFP callout is installed.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpFastopenIncompatCallout

Description

Disabling TCP Fastopen for BaseEndpoint = BaseEndpoint because an incompatible WFP callout is installed.

Message #

Disabling TCP Fastopen for BaseEndpoint = %1 because an incompatible WFP callout is installed

Fields #

Name	Description
`BaseEndpoint` Pointer

Event ID 1465: IP: Setting source constraint for route lookup - Compartment: Compartment DstAddr: DestinationAddress ConstrainSrcAddr: ConstrainSourceAddress ConstrainIfIndex: ConstrainInterfaceIndex ConstraintFl...

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Verbose
Task: TcpipSourceConstraint

Description

IP: Setting source constraint for route lookup - Compartment: Compartment DstAddr: DestinationAddress ConstrainSrcAddr: ConstrainSourceAddress ConstrainIfIndex: ConstrainInterfaceIndex ConstraintFlags: ConstraintFlags.

Message #

IP: Setting source constraint for route lookup - Compartment: %1 DstAddr: %3 ConstrainSrcAddr: %5 ConstrainIfIndex: %6 ConstraintFlags: %7

Fields #

Name	Description
`Compartment` UInt32
`DestinationAddrLength` UInt32
`DestinationAddress` Binary
`ConstrainSourceAddrLength` UInt32
`ConstrainSourceAddress` Binary
`ConstrainInterfaceIndex` UInt32
`ConstraintFlags` UInt32
`TransportProtocol` UInt32
`IcmpType` UInt8
`IcmpCode` UInt8

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1465",
    "version": "0",
    "level": "5",
    "task": "1450",
    "opcode": "0",
    "keywords": 9223372036854775840,
    "time_created": "2026-03-16T00:21:38.719138100+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Compartment": "       1",
    "DestinationAddrLength": "      16",
    "DestinationAddress": "10.2.10.11",
    "ConstrainSourceAddrLength": "      16",
    "ConstrainSourceAddress": "10.2.10.21",
    "ConstrainInterfaceIndex": "       6",
    "ConstraintFlags": "0x1"
  },
  "message": ""
}

Event ID 1466: WFP-ALE: RemoteEndPoint Insertion: (local=LocalAddress remote=RemoteAddress) PartitionId=PartitionId PartitionNumEntries=NumEntries.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: Informational
Task: RemoteEndpoint

Description

WFP-ALE: RemoteEndPoint Insertion: (local=LocalAddress remote=RemoteAddress) PartitionId=PartitionId PartitionNumEntries=NumEntries.

Message #

WFP-ALE: RemoteEndPoint Insertion: (local=%2 remote=%3) PartitionId=%4 PartitionNumEntries=%5

Fields #

Name	Description
`AddressLength` UInt32
`LocalAddress` Binary
`RemoteAddress` Binary
`PartitionId` UInt64
`NumEntries` UInt64

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1466",
    "version": "0",
    "level": "4",
    "task": "1372",
    "opcode": "0",
    "keywords": 9223372036854808576,
    "time_created": "2026-03-16T00:21:40.078425500+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}"
    },
    "execution": {
      "process_id": "228",
      "thread_id": "8220"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "AddressLength": "      16",
    "LocalAddress": "10.2.10.21:53893",
    "RemoteAddress": "10.2.10.11:53",
    "PartitionId": "4",
    "NumEntries": "4"
  },
  "message": ""
}

Event ID 1467: WFP-ALE: RemoteEndPoint Deletion: (local=LocalAddress remote=RemoteAddress) PartitionId=PartitionId PartitionNumEntries=NumEntries.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: Informational
Task: RemoteEndpoint

Description

WFP-ALE: RemoteEndPoint Deletion: (local=LocalAddress remote=RemoteAddress) PartitionId=PartitionId PartitionNumEntries=NumEntries.

Message #

WFP-ALE: RemoteEndPoint Deletion: (local=%2 remote=%3) PartitionId=%4 PartitionNumEntries=%5

Fields #

Name	Description
`AddressLength` UInt32
`LocalAddress` Binary
`RemoteAddress` Binary
`PartitionId` UInt64
`NumEntries` UInt64

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1467",
    "version": "0",
    "level": "4",
    "task": "1372",
    "opcode": "0",
    "keywords": 9223372036854808576,
    "time_created": "2026-03-16T00:21:40.078776800+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}"
    },
    "execution": {
      "process_id": "228",
      "thread_id": "8220"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "AddressLength": "      16",
    "LocalAddress": "10.2.10.21",
    "RemoteAddress": "8.8.8.8:1",
    "PartitionId": "4",
    "NumEntries": "3"
  },
  "message": ""
}

Event ID 1468: TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) system abort.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpSystemAbortTcb

Description

TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) system abort. PID = ProcessId.

Message #

TCP: connection %8 (local=%2 remote=%4) system abort. PID = %6.

Fields #

Name	Description
`LocalAddressLength` UInt32
`LocalAddress` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary
`Status` UInt32	NTSTATUS reference
`ProcessId` UInt32
`Compartment` UInt32
`Tcb` Pointer
`ProcessStartKey` UInt64
`Reason` UInt32

Event ID 1469: Disabling Feature due to no next hop.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: FeatureFallbackNoNextHop

Description

Disabling Feature due to no next hop.

Message #

Disabling %1 due to no next hop

Fields #

Name	Description
`Feature` UInt32

Event ID 1470: TCP: endpoint (sockaddr=LocalAddressLength) bind failed: wake status = LocalAddress.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpBindEndpointWakeFailure

Description

TCP: endpoint (sockaddr=LocalAddressLength) bind failed: wake status = LocalAddress.

Message #

TCP: endpoint (sockaddr=%2) bind failed: wake status = %3.

Fields #

Name	Description
`Endpoint` Pointer
`LocalAddressLength` UInt32
`LocalAddress` Binary
`Status` UInt32	NTSTATUS reference

Event ID 1471: UDP: endpoint Endpoint (sockaddr=LocalAddress) bind failed: wake status = Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: UdpBindEndpointWakeFailure

Description

UDP: endpoint Endpoint (sockaddr=LocalAddress) bind failed: wake status = Status.

Message #

UDP: endpoint %4 (sockaddr=%2) bind failed: wake status = %3

Fields #

Name	Description
`LocalAddressLength` UInt32
`LocalAddress` Binary
`Status` UInt32	NTSTATUS reference
`Endpoint` Pointer

Event ID 1472: Acquire wake port Port, type=AcquireType, family=AddressFamily, IF=Interface, compartment=Compartment.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: InetWakeAcquirePort

Description

Acquire wake port Port, type=AcquireType, family=AddressFamily, IF=Interface, compartment=Compartment.

Message #

Acquire wake port %2, type=%1, family=%3, IF=%4, compartment=%5

Fields #

Name	Description
`AcquireType` UInt32
`Port` UInt16
`AddressFamily` UInt32
`Interface` UInt32
`Compartment` UInt32

Event ID 1473: TCP: Connection Tcb reached max SACK queue length.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpSackUpdateLimitReached

Description

TCP: Connection Tcb reached max SACK queue length.

Message #

TCP: Connection %1 reached max SACK queue length

Fields #

Name	Description
`Tcb` Pointer
`Location` UInt32

Event ID 1474: TCP: Connection Tcb requested fast open.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpFastopenRequested

Description

TCP: Connection Tcb requested fast open.

Message #

TCP: Connection %1 requested fast open

Fields #

Name	Description
`Tcb` Pointer

Event ID 1475: TCP: CUBIC Hystart state change event.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpCubicHystartStateChange

Description

TCP: CUBIC Hystart state change event. Connection Tcb, State State, CWnd Cwnd, SSThresh = SSThresh.

Message #

TCP: CUBIC Hystart state change event. Connection %1, State %2, CWnd %3, SSThresh = %4.

Fields #

Name	Description
`Tcb` Pointer
`State` UInt16
`Cwnd` UInt32
`SSThresh` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1475",
    "version": "0",
    "level": "4",
    "task": "1463",
    "opcode": "0",
    "keywords": 9223372041149743104,
    "time_created": "2026-03-16T00:21:40.489856100+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{15ce6ae0-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A15CE6AE0",
    "State": "2",
    "Cwnd": "   16734",
    "SSThresh": "4294967295"
  },
  "message": ""
}

Event ID 1476: IP: Transmitting loopback Nbl Nbl.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: TcpIpPerPacket
Task: TcpipLoopbackPacketTransmit
Opcode: Info

Description

IP: Transmitting loopback Nbl Nbl. Interface=Interface, Compartment=Compartment, Src=SourceAddress, Dst=DestinationAddress, Proto=IPTransportProtocol.

Message #

IP: Transmitting loopback Nbl %1. Interface=%2, Compartment=%3, Src=%6, Dst=%5, Proto=%7.

Fields #

Name	Description
`Nbl` Pointer
`Interface` UInt32
`Compartment` UInt32
`AddressLength` UInt32
`DestinationAddress` Binary
`SourceAddress` Binary
`IPTransportProtocol` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1476",
    "version": "0",
    "level": "17",
    "task": "1464",
    "opcode": "0",
    "keywords": 9223372036858970112,
    "time_created": "2026-03-16T00:23:11.240868900+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}"
    },
    "execution": {
      "process_id": "228",
      "thread_id": "11564"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Nbl": "0xFFFF980A1A0CE070",
    "Interface": "       6",
    "Compartment": "       1",
    "AddressLength": "      16",
    "DestinationAddress": "224.0.0.251:5353",
    "SourceAddress": "10.2.10.21:5353",
    "IPTransportProtocol": "      17"
  },
  "message": ""
}

Event ID 1477: TCP: Connection Tcb Summary: DataBytesOut DataBytesOut DataBytesIn DataBytesIn DataSegmentsOut DataSegmentsOut DataSegmentsIn DataSegmentsIn SegmentsOut SegmentsOut SegmentsIn SegmentsIn NonRecovDa...

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: TcpSummary
Task: TcpConnectionSummary
Opcode: Info

Description

TCP: Connection Tcb Summary: DataBytesOut DataBytesOut DataBytesIn DataBytesIn DataSegmentsOut DataSegmentsOut DataSegmentsIn DataSegmentsIn SegmentsOut SegmentsOut SegmentsIn SegmentsIn NonRecovDa \ NonRecovDa NonRecovDaEpisodes NonRecovDaEpisodes DupAcksIn DupAcksIn BytesRetrans BytesRetrans Timeouts Timeouts SpuriousRtoDetections SpuriousRtoDetections FastRetran FastRetran MaxSsthresh MaxSsthresh MaxSsCwnd MaxSsCwnd \ MaxCaCwnd MaxCaCwnd SndLimTransRwin SndLimTransRwin SndLimTimeRwin SndLimTimeRwin SndLimBytesRwin SndLimBytesRwin SndLimTransCwnd SndLimTransCwnd SndLimTimeCwnd SndLimTimeCwnd SndLimBytesCwnd SndLimBytesCwnd \ SndLimTransSnd SndLimTransSnd SndLimTimeSnd SndLimTimeRSnd SndLimBytesSnd SndLimBytesRSnd ConnectionTimeMs ConnectionTimeMs Timestamps TimestampsEnabled RttUs RttUs MinRtt MinRttUs MaxRtt MaxRttUs SynRetrans SynRetrans CongestionAlgorithm CongestionAlgorithm \ State State Local LocalAddress Remote RemoteAddress CWnd CWnd SsThresh SsThresh RcvWnd RcvWnd RcvBuf RcvBuf SndWnd SndWnd \ InterfaceIndex InterfaceIndex LocalPort LocalPort IsLoopback IsLoopback.

Message #

TCP: Connection %1 Summary: DataBytesOut %2 DataBytesIn %3 DataSegmentsOut %4 DataSegmentsIn %5 SegmentsOut %6 SegmentsIn %7 NonRecovDa \   %8 NonRecovDaEpisodes %9 DupAcksIn %10 BytesRetrans %11 Timeouts %12 SpuriousRtoDetections %13 FastRetran %14 MaxSsthresh %15 MaxSsCwnd %16 \   MaxCaCwnd %17 SndLimTransRwin %18 SndLimTimeRwin %19 SndLimBytesRwin %20 SndLimTransCwnd %21 SndLimTimeCwnd %22 SndLimBytesCwnd %23 \   SndLimTransSnd %24 SndLimTimeSnd %25 SndLimBytesSnd %26 ConnectionTimeMs %27 Timestamps %28 RttUs %29 MinRtt %30 MaxRtt %31 SynRetrans %32 CongestionAlgorithm %33 \   State %34 Local %36 Remote %38 CWnd %39 SsThresh %40 RcvWnd %41 RcvBuf %42 SndWnd %43.

Fields #

Name	Description
`Tcb` Pointer
`DataBytesOut` UInt64
`DataBytesIn` UInt64
`DataSegmentsOut` UInt64
`DataSegmentsIn` UInt64
`SegmentsOut` UInt64
`SegmentsIn` UInt64
`NonRecovDa` UInt32
`NonRecovDaEpisodes` UInt32
`DupAcksIn` UInt32
`BytesRetrans` UInt32
`Timeouts` UInt32
`SpuriousRtoDetections` UInt32
`FastRetran` UInt32
`MaxSsthresh` UInt32
`MaxSsCwnd` UInt32
`MaxCaCwnd` UInt32
`SndLimTransRwin` UInt32
`SndLimTimeRwin` UInt32
`SndLimBytesRwin` UInt64
`SndLimTransCwnd` UInt32
`SndLimTimeCwnd` UInt32
`SndLimBytesCwnd` UInt64
`SndLimTransSnd` UInt32
`SndLimTimeRSnd` UInt32
`SndLimBytesRSnd` UInt64
`ConnectionTimeMs` UInt64
`TimestampsEnabled` UInt32
`RttUs` UInt32
`MinRttUs` UInt32
`MaxRttUs` UInt32
`SynRetrans` UInt32
`CongestionAlgorithm` UInt32
`State` UInt32
`LocalAddressLength` UInt32
`LocalAddress` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary
`CWnd` UInt32
`SsThresh` UInt32
`RcvWnd` UInt32
`RcvBuf` UInt32
`SndWnd` UInt32
`InterfaceIndex` UInt32
`LocalPort` UInt32
`IsLoopback` Boolean

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1477",
    "version": "1",
    "level": "16",
    "task": "1341",
    "opcode": "0",
    "keywords": 9223407221226864640,
    "time_created": "2026-03-16T00:21:38.733329900+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{0eee7560-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "4",
      "thread_id": "7444"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A0EEE7560",
    "DataBytesOut": "426",
    "DataBytesIn": "5091",
    "DataSegmentsOut": "2",
    "DataSegmentsIn": "5",
    "SegmentsOut": "6",
    "SegmentsIn": "8",
    "NonRecovDa": "       0",
    "NonRecovDaEpisodes": "       0",
    "DupAcksIn": "       0",
    "BytesRetrans": "       0",
    "Timeouts": "       0",
    "SpuriousRtoDetections": "       0",
    "FastRetran": "       0",
    "MaxSsthresh": "4294967295",
    "MaxSsCwnd": "   15027",
    "MaxCaCwnd": "       0",
    "SndLimTransRwin": "       0",
    "SndLimTimeRwin": "       0",
    "SndLimBytesRwin": "0",
    "SndLimTransCwnd": "       0",
    "SndLimTimeCwnd": "       0",
    "SndLimBytesCwnd": "0",
    "SndLimTransSnd": "       1",
    "SndLimTimeRSnd": "       0",
    "SndLimBytesRSnd": "430",
    "ConnectionTimeMs": "14",
    "TimestampsEnabled": "       0",
    "RttUs": "    1146",
    "MinRttUs": "     982",
    "MaxRttUs": "    1717",
    "SynRetrans": "       0",
    "CongestionAlgorithm": "       5",
    "State": "       0",
    "LocalAddressLength": "      28",
    "LocalAddress": "[::ffff:10.2.10.21]:5985",
    "RemoteAddressLength": "      28",
    "RemoteAddress": "[::ffff:10.2.10.11]:51201",
    "CWnd": "   15027",
    "SsThresh": "4294967295",
    "RcvWnd": " 2098020",
    "RcvBuf": " 2098020",
    "SndWnd": "  262144",
    "InterfaceIndex": "       6",
    "LocalPort": "   24855",
    "IsLoopback": "false"
  },
  "message": ""
}

Event ID 1478: TCPIP: Framing layer PathDirection (AddressFamily=AddressFamily) dropped PacketCount packet(s) on interface=Interface, Reason=Reason, Data=Data.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipFramingPacketDrops

Description

TCPIP: Framing layer PathDirection (AddressFamily=AddressFamily) dropped PacketCount packet(s) on interface=Interface, Reason=Reason, Data=Data.

Message #

TCPIP: Framing layer %1 (AddressFamily=%2) dropped %4 packet(s) on interface=%3, Reason=%5, Data=%6.

Fields #

Name	Description
`PathDirection` UInt32
`AddressFamily` UInt32
`Interface` UInt32
`PacketCount` UInt32
`Reason` UInt32
`Data` UInt32

Event ID 1479: TCP: Connection Tcb Transport (Protocol IPTransportProtocol, AddressFamily = AddressFamily) sent RST with Local = LocalSockAddr, Remote = RemoteSockAddr.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: Informational
Task: TcpRstSend

Description

TCP: Connection Tcb Transport (Protocol IPTransportProtocol, AddressFamily = AddressFamily) sent RST with Local = LocalSockAddr, Remote = RemoteSockAddr. Reason = Reason.

Message #

TCP: Connection %1 Transport (Protocol %2, AddressFamily = %3) sent RST with Local = %5, Remote = %7. Reason = %8.

Fields #

Name	Description
`Tcb` Pointer
`IPTransportProtocol` UInt32
`AddressFamily` UInt32
`LocalSockAddrLength` UInt32
`LocalSockAddr` Binary
`RemoteSockAddrLength` UInt32
`RemoteSockAddr` Binary
`Reason` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1479",
    "version": "0",
    "level": "4",
    "task": "1466",
    "opcode": "0",
    "keywords": 9223372586610589824,
    "time_created": "2026-03-16T00:22:37.889812500+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A0E584560",
    "IPTransportProtocol": "       6",
    "AddressFamily": "       2",
    "LocalSockAddrLength": "      16",
    "LocalSockAddr": "10.2.10.21:52990",
    "RemoteSockAddrLength": "      16",
    "RemoteSockAddr": "52.159.108.190:443",
    "Reason": "      10"
  },
  "message": ""
}

Event ID 1480: TCP connection failed with Status = Status, Local = LocalSockAddr, Remote = RemoteSockAddr, ProcessId = TcpState, TcpState = ProcessId at Hour:Minute:Second Reason = Reason.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: TcpSummary
Task: TcpRecentConnectionFailure
Opcode: Info

Description

TCP connection failed with Status = Status, Local = LocalSockAddr, Remote = RemoteSockAddr, ProcessId = TcpState, TcpState = ProcessId at Hour:Minute:Second Reason = Reason.

Message #

TCP connection failed with Status = %1, Local = %3, Remote = %5, ProcessId = %6, TcpState = %7 at %8:%9:%10 Reason = %11.

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference
`LocalSockAddrLength` UInt32
`LocalSockAddr` Binary
`RemoteSockAddrLength` UInt32
`RemoteSockAddr` Binary
`TcpState` UInt32
`ProcessId` UInt32
`Hour` UInt16
`Minute` UInt16
`Second` UInt16
`Reason` UInt32
`ProcessStartKey` UInt64

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1480",
    "version": "1",
    "level": "16",
    "task": "1467",
    "opcode": "0",
    "keywords": 9223407221226864640,
    "time_created": "2026-03-16T00:21:34.294926800+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}"
    },
    "execution": {
      "process_id": "9132",
      "thread_id": "4236"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Status": "0xC0000241",
    "LocalSockAddrLength": "      16",
    "LocalSockAddr": "10.2.10.21:50542",
    "RemoteSockAddrLength": "      16",
    "RemoteSockAddr": "20.42.65.85:443",
    "TcpState": "       6",
    "ProcessId": "    3688",
    "Hour": "0",
    "Minute": "17",
    "Second": "1",
    "Reason": "      14",
    "ProcessStartKey": "2814749767106643"
  },
  "message": ""
}

Event ID 1481: TCP: Connection Tcb PRR send SackIsLostSeq SackIsLostSeq SackInFlight SackInFlight SackBytes SackBytes SackIsLost SackIsLost SsThresh SsThresh RecoveryFS HeadSeq AckedData AckedData BytesInFlight B...

Provider: Microsoft-Windows-TCPIP
Channel: Operational
Task: TcpPrrSend

Description

TCP: Connection Tcb PRR send SackIsLostSeq SackIsLostSeq SackInFlight SackInFlight SackBytes SackBytes SackIsLost SackIsLost SsThresh SsThresh RecoveryFS HeadSeq AckedData AckedData BytesInFlight BytesInFlight BytesToSend BytesToSend PrrDelivered PrrDelivered PrrOut PrrOut.

Message #

TCP: Connection %1 PRR send SackIsLostSeq %2 SackInFlight %3 SackBytes %4 SackIsLost %5 SsThresh %6 RecoveryFS %7 AckedData %8 BytesInFlight %9 BytesToSend %10 PrrDelivered %11 PrrOut %12.

Fields #

Name	Description
`Tcb` Pointer
`SackIsLostSeq` UInt32
`SackInFlight` UInt32
`SackBytes` UInt32
`SackIsLost` UInt32
`SsThresh` UInt32
`HeadSeq` UInt32
`AckedData` UInt32
`BytesInFlight` UInt32
`BytesToSend` Int64
`PrrDelivered` UInt32
`PrrOut` UInt32

Event ID 1482: UDP: Endpoint Endpoint segment message.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: Verbose
Task: UdpSegmentMessage

Description

UDP: Endpoint Endpoint segment message. SegmentSize = SegmentSize (0 == No Segmentation) MessageLength = MessageLength HwDatagrams = HwDatagrams HwSegments = HwSegments SwSegments = SwSegments Status = SubMssSegments.

Message #

UDP: Endpoint %1 segment message. SegmentSize = %2 (0 == No Segmentation) MessageLength = %3 HwDatagrams = %4 HwSegments = %5 SwSegments = %6 Status = %7.

Fields #

Name	Description
`Endpoint` Pointer
`SegmentSize` UInt32
`MessageLength` UInt64
`HwDatagrams` UInt32
`HwSegments` UInt32
`SwSegments` UInt32
`SubMssSegments` UInt32
`Status` UInt32	NTSTATUS reference

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1482",
    "version": "1",
    "level": "5",
    "task": "1469",
    "opcode": "0",
    "keywords": 9223372041149743104,
    "time_created": "2026-03-16T00:21:40.078220100+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{11735e80-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "228",
      "thread_id": "8220"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Endpoint": "0xFFFF980A11735E80",
    "SegmentSize": "       0",
    "MessageLength": "63",
    "HwDatagrams": "       0",
    "HwSegments": "       0",
    "SwSegments": "       0",
    "SubMssSegments": "       0",
    "Status": "0x0"
  },
  "message": ""
}

Event ID 1483: UDP: Endpoint Endpoint segmentation offload unavailable.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: UdpUsoFallback

Description

UDP: Endpoint Endpoint segmentation offload unavailable. Reason = FailureReason SegmentSize = SegmentSize LocalAddress = LocalSockAddr, RemoteAddress = RemoteSockAddr.

Message #

UDP: Endpoint %1 segmentation offload unavailable. Reason = %2 SegmentSize = %3 LocalAddress = %5, RemoteAddress = %7.

Fields #

Name	Description
`Endpoint` Pointer
`FailureReason` UInt32	Known values `%%2304` An Error occured during Logon. `%%2305` The specified user account has expired. `%%2306` The NetLogon component is not active. `%%2307` Account locked out. `%%2308` The user has not been granted the requested logon type at this machine. `%%2309` The specified account's password has expired. `%%2310` Account currently disabled. `%%2311` Account logon time restriction violation. `%%2312` User not allowed to logon at this computer. `%%2313` Unknown user name or bad password. `%%2314` Domain sid inconsistent. `%%2315` Smartcard logon is required and was not used.
`SegmentSize` UInt32
`LocalSockAddrLength` UInt32
`LocalSockAddr` Binary
`RemoteSockAddrLength` UInt32
`RemoteSockAddr` Binary

Event ID 1484: TCPIP: Framing layer interface IfIndex (AddressFamily = AddressFamily) failed to bind to its provider.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipFramingInterfaceStatus

Description

TCPIP: Framing layer interface IfIndex (AddressFamily = AddressFamily) failed to bind to its provider. Code = FailureCode. Status = Status.

Message #

TCPIP: Framing layer interface %1 (AddressFamily = %2) failed to bind to its provider. Code = %3. Status = %4.

Fields #

Name	Description
`IfIndex` UInt32
`AddressFamily` UInt32
`FailureCode` UInt32	NTSTATUS reference
`Status` UInt32	NTSTATUS reference

Event ID 1485: TCPIP: OID request from framing layer interface IfIndex (AddressFamily = AddressFamily) failed.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipFramingOidFailure

Description

TCPIP: OID request from framing layer interface IfIndex (AddressFamily = AddressFamily) failed. OID = OID. Status = Status.

Message #

TCPIP: OID request from framing layer interface %1 (AddressFamily = %2) failed. OID = %3. Status = %4.

Fields #

Name	Description
`IfIndex` UInt32
`AddressFamily` UInt32
`OID` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 1486: TCPIP received a status indication on interface IfIndex.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipStatusIndication

Description

TCPIP received a status indication on interface IfIndex. AddressFamily = AddressFamily. NdisStatus = NdisStatus.

Message #

TCPIP received a status indication on interface %1. AddressFamily = %2. NdisStatus = %3.

Fields #

Name	Description
`IfIndex` UInt32
`AddressFamily` UInt32
`NdisStatus` UInt32

Event ID 1487: IP: Failed to set socket option.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Error
Task: IpSessionFailure

Description

IP: Failed to set socket option. Level = SocketOptionLevel. Option = SocketOptionValue. Status = Status.

Message #

IP: Failed to set socket option. Level = %1. Option = %2. Status = %3.

Fields #

Name	Description
`SocketOptionLevel` UInt32
`SocketOptionValue` UInt32
`Status` UInt32	NTSTATUS reference

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1487",
    "version": "0",
    "level": "2",
    "task": "1474",
    "opcode": "0",
    "keywords": 9223372036854775952,
    "time_created": "2026-03-16T00:23:11.242873300+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}"
    },
    "execution": {
      "process_id": "228",
      "thread_id": "2612"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SocketOptionLevel": "      41",
    "SocketOptionValue": "       9",
    "Status": "0xC0000225"
  },
  "message": ""
}

Event ID 1488: IP: Failed to set socket IOCTL.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpSessionFailure

Description

IP: Failed to set socket IOCTL. IOCTL = SocketIoctl. Status = Status.

Message #

IP: Failed to set socket IOCTL. IOCTL = %1. Status = %2.

Fields #

Name	Description
`SocketIoctl` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 1489: Failed to process multicast RequestType request.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpSessionMulticastOperation

Description

Failed to process multicast RequestType request. Address = IPv4Address IPv6Address. Source Address = IPv4SourceAddress IPv6SourceAddress. Reason = FailureReason. Status = Status.

Message #

Failed to process multicast %1 request. Address = %2 %6. Source Address = %3 %7. Reason = %8. Status = %9.

Fields #

Name	Description
`RequestType` UInt32
`IPv4Address` UInt32
`IPv4SourceAddress` UInt32
`IpAddrLength` UInt32
`IpSourceAddrLength` UInt32
`IPv6Address` Binary
`IPv6SourceAddress` Binary
`FailureReason` UInt32	Known values `%%2304` An Error occured during Logon. `%%2305` The specified user account has expired. `%%2306` The NetLogon component is not active. `%%2307` Account locked out. `%%2308` The user has not been granted the requested logon type at this machine. `%%2309` The specified account's password has expired. `%%2310` Account currently disabled. `%%2311` Account logon time restriction violation. `%%2312` User not allowed to logon at this computer. `%%2313` Unknown user name or bad password. `%%2314` Domain sid inconsistent. `%%2315` Smartcard logon is required and was not used.
`Status` UInt32	NTSTATUS reference

Event ID 1490: Processed multicast RequestType request successfully.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpSessionMulticastOperation

Description

Processed multicast RequestType request successfully. Address = IPv4Address IPv6Address. Source Address = IPv4SourceAddress IPv6SourceAddress.

Message #

Processed multicast %1 request successfully. Address = %2 %6. Source Address = %3 %7.

Fields #

Name	Description
`RequestType` UInt32
`IPv4Address` UInt32
`IPv4SourceAddress` UInt32
`IpAddrLength` UInt32
`IpSourceAddrLength` UInt32
`IPv6Address` Binary
`IPv6SourceAddress` Binary

Event ID 1491: MessageType.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpMulticast

Description

MessageType. Interface = IfIndex. Address = IPv4Address IPv6Address. Data = Data.

Message #

%1. Interface = %2. Address = %3 %5. Data = %6.

Fields #

Name	Description
`MessageType` UInt32
`IfIndex` UInt32
`IPv4Address` UInt32
`IpAddrLength` UInt32
`IPv6Address` Binary
`Data` UInt32

Event ID 1492: MessageType.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpMulticast

Description

MessageType. Interface = IfIndex. Address = IPv4Address IPv6Address. Data = Data. Status = Status.

Message #

%1. Interface = %2. Address = %3 %5. Data = %6. Status = %7.

Fields #

Name	Description
`MessageType` UInt32
`IfIndex` UInt32
`IPv4Address` UInt32
`IpAddrLength` UInt32
`IPv6Address` Binary
`Data` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 1493: Invalid ECN codepoints in reassembly.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpReassembly

Description

Invalid ECN codepoints in reassembly. Ce = Ce. Ect0 = Ect0. Ect1 = Ect1. NotEct = NotEct.

Message #

Invalid ECN codepoints in reassembly. Ce = %1. Ect0 = %2. Ect1 = %3. NotEct = %4.

Fields #

Name	Description
`Ce` UInt32
`Ect0` UInt32
`Ect1` UInt32
`NotEct` UInt32

Event ID 1494: Reassembly failure: packets do not add up correctly.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpReassembly

Description

Reassembly failure: packets do not add up correctly. Interface = InterfaceIndex. Address family = AddressFamily.

Message #

Reassembly failure: packets do not add up correctly.  Interface = %1. Address family = %2.

Fields #

Name	Description
`InterfaceIndex` UInt32
`AddressFamily` UInt32

Event ID 1495: Reassembly failure: failed to restore IPSec packet history.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpReassembly

Description

Reassembly failure: failed to restore IPSec packet history. Interface = IfIndex. Address family = AddressFamily. Status = Status.

Message #

Reassembly failure: failed to restore IPSec packet history.  Interface = %1. Address family = %2. Status = %3.

Fields #

Name	Description
`IfIndex` UInt32
`AddressFamily` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 1496: Could not transfer FragmentContextDirection.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpReassembly

Description

Could not transfer FragmentContextDirection. Interface = IfIndex. Address family = AddressFamily.

Message #

Could not transfer %1.  Interface = %2. Address family = %3.

Fields #

Name	Description
`FragmentContextDirection` UInt32
`IfIndex` UInt32
`AddressFamily` UInt32

Event ID 1497: Attempting to GroupChangeType the multicast group at FL.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpMulticast

Description

Attempting to GroupChangeType the multicast group at FL. Interface = IfIndex. Address = IPv4Address IPv6Address. Data = Data. Status = Status.

Message #

Attempting to %1 the multicast group at FL.  Interface = %2. Address = %3 %5. Data = %6. Status = %7.

Fields #

Name	Description
`GroupChangeType` UInt32
`IfIndex` UInt32
`IPv4Address` UInt32
`IpAddrLength` UInt32
`IPv6Address` Binary
`Data` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 1498: Failed to update address list at FL.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpFlUpdateAddressList

Description

Failed to update address list at FL. Interface = IfIndex. Address Family = AddressFamily. Status = Status.

Message #

Failed to update address list at FL. Interface = %1. Address Family = %2. Status = %3.

Fields #

Name	Description
`IfIndex` UInt32
`AddressFamily` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 1499: Too many DAD failures, so will not create temporary address.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpTemporaryAddressCreation

Description

Too many DAD failures, so will not create temporary address. Interface = IfIndex. Address = IPv4Address IPv6Address.

Message #

Too many DAD failures, so will not create temporary address. Interface = %1. Address = %2 %4.

Fields #

Name	Description
`IfIndex` UInt32
`IPv4Address` UInt32
`IpAddrLength` UInt32
`IPv6Address` Binary

Event ID 1500: Failed to address interface; deleting it.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpSubInterfaceCreation

Description

Failed to address interface; deleting it. Interface = IfIndex. Status = Status.

Message #

Failed to address interface; deleting it. Interface = %1. Status = %2.

Fields #

Name	Description
`IfIndex` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 1501: Failed to reach default gateway after reconnect; cleaning settings.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipMediaReconnect

Description

Failed to reach default gateway after reconnect; cleaning settings. Interface = IfIndex.

Message #

Failed to reach default gateway after reconnect; cleaning settings.  Interface = %1.

Fields #

Name	Description
`IfIndex` UInt32

Event ID 1502: Failed to sync interface with registry.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipRegSyncInterface

Description

Failed to sync interface with registry. Interface = IfIndex. Field = Field. Status = Status.

Message #

Failed to sync interface with registry.  Interface = %1. Field = %2. Status = %3.

Fields #

Name	Description
`IfIndex` UInt32
`Field` UnicodeString
`Status` UInt32	NTSTATUS reference

Event ID 1503: Failed to Release an active reference on the interface.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipActiveRefFailure

Description

Failed to Release an active reference on the interface. Interface = IfIndex. Reference Reason = Subtask. Status = Status.

Message #

Failed to %1 an active reference on the interface.  Interface = %2. Reference Reason = %3. Status = %4.

Fields #

Name	Description
`Release` UInt32
`IfIndex` UInt32
`Subtask` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 1504: Redirect path hijack for destination IPv4DestinationAddress IPv4NextHop from IPv6DestinationAddress IPv6NextHop.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipIpRedirectPath

Description

Redirect path hijack for destination IPv4DestinationAddress IPv4NextHop from IPv6DestinationAddress IPv6NextHop. Interface = IfIndex.

Message #

Redirect path hijack for destination %2 %3 from %5 %6. Interface = %1.

Fields #

Name	Description
`IfIndex` UInt32
`IPv4DestinationAddress` UInt32
`IPv4NextHop` UInt32
`IpAddrLength` UInt32
`IPv6DestinationAddress` Binary
`IPv6NextHop` Binary

Event ID 1505: Redirect path rate limit for IPv6 source address IPv6Address.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipIpRedirectPath

Description

Redirect path rate limit for IPv6 source address IPv6Address. Interface = IfIndex.

Message #

Redirect path rate limit for IPv6 source address %3. Interface = %1.

Fields #

Name	Description
`IfIndex` UInt32
`IpAddrLength` UInt32
`IPv6Address` Binary

Event ID 1506: Dropped AddressFamily fragment.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpReassembly

Description

Dropped AddressFamily fragment. Interface = IfIndex. Reason = Release.

Message #

Dropped %2 fragment. Interface = %3. Reason = %1.

Fields #

Name	Description
`Release` UInt32
`AddressFamily` UInt32
`IfIndex` UInt32

Event ID 1507: Reassembly timeout.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpReassembly

Description

Reassembly timeout. Interface = IfIndex. Id = ReassemblyId. Source Address = IPv4SourceAddress IPv6SourceAddress. Destination Address = IPv4DestinationAddress IPv6DestinationAddress.

Message #

Reassembly timeout. Interface = %1. Id = %2. Source Address = %3 %6.  Destination Address = %4 %7.

Fields #

Name	Description
`IfIndex` UInt32
`ReassemblyId` UInt32
`IPv4SourceAddress` UInt32
`IPv4DestinationAddress` UInt32
`IpAddrLength` UInt32
`IPv6SourceAddress` Binary
`IPv6DestinationAddress` Binary

Event ID 1508: Invalid IP option.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpAncillaryData

Description

Invalid IP option. Option = SocketOption. Level = SocketLevel. Reason = Reason.

Message #

Invalid IP option. Option = %3. Level = %2. Reason = %1.

Fields #

Name	Description
`Reason` UInt32
`SocketLevel` UInt32
`SocketOption` UInt32

Event ID 1509: Invalid IP hop-by-hop option.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpAncillaryData

Description

Invalid IP hop-by-hop option. Option = Option. Reason = Reason.

Message #

Invalid IP hop-by-hop option.  Option = %2. Reason = %1.

Fields #

Name	Description
`Reason` UInt32
`Option` UInt32

Event ID 1510: Invalid IP hop-by-hop option.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpAncillaryData

Description

Invalid IP hop-by-hop option. Option = Option. Reason = Reason.

Message #

Invalid IP hop-by-hop option.  Option = %2. Reason = %1.

Fields #

Name	Description
`Reason` UInt32
`Option` UInt32

Event ID 1511: Invalid IP routing header option.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpAncillaryData

Description

Invalid IP routing header option. Reason = Reason.

Message #

Invalid IP routing header option. Reason = %1.

Fields #

Name	Description
`Reason` UInt32

Event ID 1512: Invalid IP routing header option.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpAncillaryData

Description

Invalid IP routing header option. Reason = Reason.

Message #

Invalid IP routing header option. Reason = %1.

Fields #

Name	Description
`Reason` UInt32

Event ID 1513: This option cannot be specified by the user

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpAncillaryData

Description

This option cannot be specified by the user.

Message #

This option cannot be specified by the user

Fields #

Name	Description
`Reason` UInt32

Event ID 1514: TCP: interface IfIndex: received potential RSC status indication.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpInterfaceRscStateChange

Description

TCP: interface IfIndex: received potential RSC status indication. Current IPv4 State = TcpRscEnabledIpv4, Offload IPv4 State = OffloadRscEnabledIpv4, Current IPv6 State = TcpRscEnabledIpv6, Offload IPv6 State = OffloadRscEnabledIpv6.

Message #

TCP: interface %1: received potential RSC status indication. Current IPv4 State = %2, Offload IPv4 State = %3, Current IPv6 State = %4, Offload IPv6 State = %5.

Fields #

Name	Description
`IfIndex` UInt32
`TcpRscEnabledIpv4` UInt32
`OffloadRscEnabledIpv4` UInt32
`TcpRscEnabledIpv6` UInt32
`OffloadRscEnabledIpv6` UInt32

Event ID 1515: UDP: endpoint Endpoint: URO SCU received.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: UdpUroNblOobInfo

Description

UDP: endpoint Endpoint: URO SCU received. SegCount = SegCount, SegSize = SegSize, DataLength = DataLength.

Message #

UDP: endpoint %1: URO SCU received. SegCount = %2, SegSize = %3, DataLength = %4.

Fields #

Name	Description
`Endpoint` Pointer
`SegCount` UInt16
`SegSize` UInt16
`DataLength` UInt32

Event ID 1516: TCP software RSC global disabled mask = TcpRscDisabledMask, UDP software URO global disabled mask = UdpUroDisabledMask.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: Informational
Task: SoftwareReceiveOffloadGlobalState

Description

TCP software RSC global disabled mask = TcpRscDisabledMask, UDP software URO global disabled mask = UdpUroDisabledMask.

Message #

TCP software RSC global disabled mask = %1, UDP software URO global disabled mask = %2.

Fields #

Name	Description
`TcpRscDisabledMask` Int32
`UdpUroDisabledMask` Int32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1516",
    "version": "0",
    "level": "4",
    "task": "1486",
    "opcode": "0",
    "keywords": 9223372586610589824,
    "time_created": "2026-03-16T00:21:34.295804400+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}"
    },
    "execution": {
      "process_id": "9132",
      "thread_id": "4236"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "TcpRscDisabledMask": "0",
    "UdpUroDisabledMask": "48"
  },
  "message": ""
}

Event ID 1517: UDP: Global parameters updated for Address Family AddressFamily: DisableUro = DisableUro.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: UdpGlobalParameters

Description

UDP: Global parameters updated for Address Family AddressFamily: DisableUro = DisableUro.

Message #

UDP: Global parameters updated for Address Family %1: DisableUro = %2.

Fields #

Name	Description
`AddressFamily` UInt32
`DisableUro` UInt8
`DisableUso` UInt8

Event ID 1518: IP: IPSNPI client rundown.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: Informational
Task: InterfaceRundown
Opcode: win:Info

Description

IP: IPSNPI client rundown. AddressFamily Interface = IfIndex, Compartment = CompartmentId, Client = ClientName.

Message #

IP: IPSNPI client rundown. %3 Interface = %1, Compartment = %2, Client = %4.

Fields #

Name	Description
`IfIndex` UInt32
`CompartmentId` UInt32
`AddressFamily` UInt32
`ClientName` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2F07E2EE-15DB-40F1-90EF-9D7BA282188A}",
    "event_source_name": "",
    "event_id": 1518,
    "version": 0,
    "level": 4,
    "task": 1202,
    "opcode": 0,
    "keywords": "0x0000008000000090",
    "time_created": "2026-06-02T06:03:32.470+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{2F07E2EE-15DB-40F1-90EF-9D7BA282188A}"
    },
    "execution": {
      "process_id": 11500,
      "thread_id": 16068
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "AddressFamily": 2,
    "ClientName": "SlbNat",
    "CompartmentId": 1,
    "IfIndex": 1
  },
  "message": "InterfaceRundown"
}

Event ID 1519: TCPIP: Process with PID=ProcessId, ProcessSeqNum=ProcessSequenceNumber acquired port tracker reservation of type ReservationType, Protocol IPTransportProtocol for NumberOfPorts ports starting at St...

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpGlobalPortReservation

Description

TCPIP: Process with PID=ProcessId, ProcessSeqNum=ProcessSequenceNumber acquired port tracker reservation of type ReservationType, Protocol IPTransportProtocol for NumberOfPorts ports starting at StartPort with status = Status.

Message #

TCPIP: Process with PID=%1, ProcessSeqNum=%7 acquired port tracker reservation of type %3, Protocol %4 for %6 ports starting at %5 with status = %2.

Fields #

Name	Description
`ProcessId` UInt32
`Status` UInt32	NTSTATUS reference
`ReservationType` UInt32
`IPTransportProtocol` UInt32
`StartPort` UInt16
`NumberOfPorts` UInt16
`ProcessSequenceNumber` UInt64

Event ID 1520: Illegal tunnel.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipFramingTunnels

Description

Illegal tunnel. Interface: IfIndex, Tunnel type: TunnelType. Reason: Reason.

Message #

Illegal tunnel. Interface: %1, Tunnel type: %2. Reason: %3.

Fields #

Name	Description
`IfIndex` UInt32
`TunnelType` UInt32
`Reason` UInt32

Event ID 1521: Framing: Interface change in progress.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipFramingInterfaceStatus

Description

Framing: Interface change in progress. Interface: IfIndex. Address Family: AddressFamily. Current progress: CurrentProgress. Status: NtStatus.

Message #

Framing: Interface change in progress. Interface: %1. Address Family: %2. Current progress: %3. Status: %4.

Fields #

Name	Description
`IfIndex` UInt32
`AddressFamily` UInt32
`CurrentProgress` UInt32
`NtStatus` UInt32

Event ID 1522: Framing: Isolation is not supported on this network adapter.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipFramingIsolation

Description

Framing: Isolation is not supported on this network adapter. Interface: IfIndex. Address Family: AddressFamily. Reason: Reason.

Message #

Framing: Isolation is not supported on this network adapter. Interface: %1. Address Family: %2. Reason: %3.

Fields #

Name	Description
`IfIndex` UInt32
`AddressFamily` UInt32
`Reason` UInt32

Event ID 1523: Framing: Failed to set pattern.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipFramingPatterns

Description

Framing: Failed to set pattern. Interface: IfIndex. Address Family: AddressFamily. Pattern type: FailureType. Status: NtStatus.

Message #

Framing: Failed to set pattern. Interface: %1. Address Family: %2. Pattern type: %3. Status: %4.

Fields #

Name	Description
`IfIndex` UInt32
`AddressFamily` UInt32
`FailureType` UInt32
`NtStatus` UInt32

Event ID 1524: Framing: Interface management request.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: Informational
Task: TcpipFramingInterfaceMgmt

Description

Framing: Interface management request. Interface: IfIndex. Address Family: AddressFamily. Request code: FlicCode. Status: NtStatus.

Message #

Framing: Interface management request. Interface: %1. Address Family: %2. Request code: %3. Status: %4.

Fields #

Name	Description
`IfIndex` UInt32
`AddressFamily` UInt32
`FlicCode` UInt32
`NtStatus` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1524",
    "version": "0",
    "level": "4",
    "task": "1491",
    "opcode": "0",
    "keywords": 9223372586610589712,
    "time_created": "2026-03-15T23:27:10.979455500+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}"
    },
    "execution": {
      "process_id": "7392",
      "thread_id": "7388"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "IfIndex": "       4",
    "AddressFamily": "       2",
    "FlicCode": "0x7",
    "NtStatus": "0x0"
  },
  "message": ""
}

Event ID 1525: Framing: WOL capabilities update in progress.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipFramingPatterns

Description

Framing: WOL capabilities update in progress. Interface: IfIndex. Address Family: AddressFamily. Current progress: CurrentProgress. Status: NtStatus.

Message #

Framing: WOL capabilities update in progress. Interface: %1. Address Family: %2. Current progress: %3. Status: %4.

Fields #

Name	Description
`IfIndex` UInt32
`AddressFamily` UInt32
`CurrentProgress` UInt32
`NtStatus` UInt32

Event ID 1526: Framing: A PNP event has been indicated.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipFramingPnp

Description

Framing: A PNP event has been indicated. Interface: IfIndex. Address Family: AddressFamily. Compartment: Compartment. Event: Event. Data: Data.

Message #

Framing: A PNP event has been indicated. Interface: %1. Address Family: %2. Compartment: %3. Event: %4. Data: %5.

Fields #

Name	Description
`IfIndex` UInt32
`AddressFamily` UInt32
`Compartment` UInt32
`Event` UInt32
`Data` UInt32

Event ID 1527: Framing: interface rundown: Interface = IfIndex, Luid = IfLuid, Address family = AddressFamily, Compartment = Compartment, Isolation mode = IsolationMode, Isolation ID = IsolalationId, DL address =...

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: Informational
Task: InterfaceRundown

Description

Framing: interface rundown: Interface = IfIndex, Luid = IfLuid, Address family = AddressFamily, Compartment = Compartment, Isolation mode = IsolationMode, Isolation ID = IsolalationId, DL address = DLAddress, Interface type = InterfaceType, Physical medium type = PhysicalMediumType, SW RSC/URO applicable = SwRscUroApplicable, SW RSC enabled = SwRscEnabled, Alias = IfAlias, SW URO enabled = SwUroEnabled.

Message #

Framing: interface rundown: Interface = %1, Luid = %2, Address family = %3, Compartment = %4, Isolation mode = %5, Isolation ID = %6, DL address = %8, Interface type = %9, Physical medium type = %10, SW RSC/URO applicable = %11, SW RSC enabled = %12, Alias = %13.

Fields #

Name	Description
`IfIndex` UInt32
`IfLuid` UInt64
`AddressFamily` UInt32
`Compartment` UInt32
`IsolationMode` UInt32
`IsolalationId` UInt32
`DlAddrLength` UInt32
`DLAddress` Binary
`InterfaceType` UInt32
`PhysicalMediumType` UInt32
`SwRscUroApplicable` UInt32
`SwRscEnabled` UInt32
`IfAlias` UnicodeString
`SwUroEnabled` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1527",
    "version": "0",
    "level": "4",
    "task": "1202",
    "opcode": "0",
    "keywords": 9223372586610589712,
    "time_created": "2026-03-16T00:21:34.295249100+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}"
    },
    "execution": {
      "process_id": "9132",
      "thread_id": "4236"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "IfIndex": "       6",
    "IfLuid": "0x6008001000000",
    "AddressFamily": "       2",
    "Compartment": "       1",
    "IsolationMode": "       0",
    "IsolalationId": "       0",
    "DlAddrLength": "       6",
    "DLAddress": "0xBC24119A4DC2",
    "InterfaceType": "       6",
    "PhysicalMediumType": "       0",
    "SwRscUroApplicable": "       1",
    "SwRscEnabled": "       0",
    "IfAlias": "Ethernet"
  },
  "message": ""
}

Event ID 1528: RAW: endpoint Endpoint (Proto = IPTransportProtocol, LocalAddress = LocalSockAddr, RemoteAddress = RemoteSockAddr) sending NumMessages messages and a total of NumBytes bytes.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: RawEndpoint

Description

RAW: endpoint Endpoint (Proto = IPTransportProtocol, LocalAddress = LocalSockAddr, RemoteAddress = RemoteSockAddr) sending NumMessages messages and a total of NumBytes bytes.

Message #

RAW: endpoint %1 (Proto = %2, LocalAddress = %6, RemoteAddress = %8) sending %3 messages and a total of %4 bytes.

Fields #

Name	Description
`Endpoint` Pointer
`IPTransportProtocol` UInt32
`NumMessages` UInt32
`NumBytes` UInt32
`LocalSockAddrLength` UInt32
`LocalSockAddr` Binary
`RemoteSockAddrLength` UInt32
`RemoteSockAddr` Binary

Event ID 1529: RAW: endpoint Endpoint (Proto = IPTransportProtocol, LocalAddress = LocalSockAddr, RemoteAddress = RemoteSockAddr) delivering NumBytes bytes.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: RawEndpoint

Description

RAW: endpoint Endpoint (Proto = IPTransportProtocol, LocalAddress = LocalSockAddr, RemoteAddress = RemoteSockAddr) delivering NumBytes bytes.

Message #

RAW: endpoint %1 (Proto = %2, LocalAddress = %6, RemoteAddress = %8) delivering %4 bytes.

Fields #

Name	Description
`Endpoint` Pointer
`IPTransportProtocol` UInt32
`NumMessages` UInt32
`NumBytes` UInt32
`LocalSockAddrLength` UInt32
`LocalSockAddr` Binary
`RemoteSockAddrLength` UInt32
`RemoteSockAddr` Binary

Event ID 1530: RAW: endpoint Endpoint (Proto = IPTransportProtocol, LocalAddress = EndpointAddress, RemoteAddress = SendAddress) send failed with reason = Reason status = Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: RawEndpoint

Description

RAW: endpoint Endpoint (Proto = IPTransportProtocol, LocalAddress = EndpointAddress, RemoteAddress = SendAddress) send failed with reason = Reason status = Status.

Message #

RAW: endpoint %1 (Proto = %2, LocalAddress = %4, RemoteAddress = %6) send failed with reason = %7 status = %8.

Fields #

Name	Description
`Endpoint` Pointer
`IPTransportProtocol` UInt32
`EndpointAddressLength` UInt32
`EndpointAddress` Binary
`SendAddressLength` UInt32
`SendAddress` Binary
`Reason` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 1531: RAW: endpoint Endpoint (Family = AddressFamily, Proto = IPTransportProtocol, Compartment = Compartment, PID = ProcessId, ProcessSeqNum = ProcessSequenceNumber) created.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: RawEndpoint

Description

RAW: endpoint Endpoint (Family = AddressFamily, Proto = IPTransportProtocol, Compartment = Compartment, PID = ProcessId, ProcessSeqNum = ProcessSequenceNumber) created.

Message #

RAW: endpoint %1 (Family = %2, Proto = %3, Compartment = %4, PID = %5, ProcessSeqNum = %6) created.

Fields #

Name	Description
`Endpoint` Pointer
`AddressFamily` UInt32
`IPTransportProtocol` UInt32
`Compartment` UInt32
`ProcessId` UInt32
`ProcessSequenceNumber` UInt64
`Reason` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 1532: RAW: endpoint (Family = AddressFamily, Proto = IPTransportProtocol, Compartment = Compartment, PID = ProcessId, ProcessSeqNum = ProcessSequenceNumber) create failed with reason Reason status Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: RawEndpoint

Description

RAW: endpoint (Family = AddressFamily, Proto = IPTransportProtocol, Compartment = Compartment, PID = ProcessId, ProcessSeqNum = ProcessSequenceNumber) create failed with reason Reason status Status.

Message #

RAW: endpoint (Family = %2, Proto = %3, Compartment = %4, PID = %5, ProcessSeqNum = %6) create failed with reason %7 status %8.

Fields #

Name	Description
`Endpoint` Pointer
`AddressFamily` UInt32
`IPTransportProtocol` UInt32
`Compartment` UInt32
`ProcessId` UInt32
`ProcessSequenceNumber` UInt64
`Reason` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 1533: RAW: endpoint Endpoint (Proto = IPTransportProtocol, LocalAddress = LocalSockAddr) bound.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: RawEndpoint

Description

RAW: endpoint Endpoint (Proto = IPTransportProtocol, LocalAddress = LocalSockAddr) bound.

Message #

RAW: endpoint %1 (Proto = %2, LocalAddress = %4) bound.

Fields #

Name	Description
`Endpoint` Pointer
`IPTransportProtocol` UInt32
`LocalSockAddrLength` UInt32
`LocalSockAddr` Binary
`Reason` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 1534: RAW: endpoint Endpoint (Proto = IPTransportProtocol, LocalAddress = LocalSockAddr) bind failed with reason Reason status Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: RawEndpoint

Description

RAW: endpoint Endpoint (Proto = IPTransportProtocol, LocalAddress = LocalSockAddr) bind failed with reason Reason status Status.

Message #

RAW: endpoint %1 (Proto = %2, LocalAddress = %4) bind failed with reason %5 status %6.

Fields #

Name	Description
`Endpoint` Pointer
`IPTransportProtocol` UInt32
`LocalSockAddrLength` UInt32
`LocalSockAddr` Binary
`Reason` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 1535: RAW: endpoint Endpoint closed.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: RawEndpoint

Description

RAW: endpoint Endpoint closed.

Message #

RAW: endpoint %1 closed.

Fields #

Name	Description
`Endpoint` Pointer

Event ID 1536: TCPIP: Error processing router advertisement on interface index IfIndex - Preferred lifetime of PreferredLifetime should not be greater than the valid lifetime of ValidLifetime.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IcmpRouterAdvertisement

Description

TCPIP: Error processing router advertisement on interface index IfIndex - Preferred lifetime of PreferredLifetime should not be greater than the valid lifetime of ValidLifetime.

Message #

TCPIP: Error processing router advertisement on interface index %1 - Preferred lifetime of %2 should not be greater than the valid lifetime of %3.

Fields #

Name	Description
`IfIndex` UInt32
`PreferredLifetime` UInt32
`ValidLifetime` UInt32

Event ID 1537: TCPIP: Error processing router advertisement on interface index IfIndex - Prefix length of PrefixLength and identifier of IdentifierLength must add up to the size of an IPv6 ad...

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IcmpRouterAdvertisement

Description

TCPIP: Error processing router advertisement on interface index IfIndex - Prefix length of PrefixLength and identifier of IdentifierLength must add up to the size of an IPv6 address (128 bits).

Message #

TCPIP: Error processing router advertisement on interface index %1 - Prefix length of %2 and identifier of %3 must add up to the size of an IPv6 address (128 bits).

Fields #

Name	Description
`IfIndex` UInt32
`PrefixLength` UInt32
`IdentifierLength` UInt32

Event ID 1538: TCPIP: An ARP request was dropped on interface IfIndex.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: ArpPacketDrops

Description

TCPIP: An ARP request was dropped on interface IfIndex. Physical address = DlSourceAddress, IP source address = IpSourceAddress, IP target address = IpTargetAddress, Reason = DropReason.

Message #

TCPIP: An ARP request was dropped on interface %1. Physical address = %3, IP source address = %4, IP target address = %5, Reason = %6.

Fields #

Name	Description
`IfIndex` UInt32
`DlAddrLength` UInt32
`DlSourceAddress` Binary
`IpSourceAddress` UInt32
`IpTargetAddress` UInt32
`DropReason` UInt32

Event ID 1539: TCPIP: An ARP reply was dropped on interface IfIndex.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: ArpPacketDrops

Description

TCPIP: An ARP reply was dropped on interface IfIndex. Physical address = DlSourceAddress, IP source address = IpSourceAddress, Directed to this interface = Directed, Reason = DropReason.

Message #

TCPIP: An ARP reply was dropped on interface %1. Physical address = %3, IP source address = %4, Directed to this interface = %5, Reason = %6.

Fields #

Name	Description
`IfIndex` UInt32
`DlAddrLength` UInt32
`DlSourceAddress` Binary
`IpSourceAddress` UInt32
`Directed` UInt32
`DropReason` UInt32

Event ID 1540: TCPIP: No handler found for an AddressFamily packet with upper layer protocol IPTransportProtocol.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: UpperLayerProtocolFailure

Description

TCPIP: No handler found for an AddressFamily packet with upper layer protocol IPTransportProtocol.

Message #

TCPIP: No handler found for an %1 packet with upper layer protocol %2

Fields #

Name	Description
`AddressFamily` UInt32
`IPTransportProtocol` UInt32

Event ID 1541: TCPIP: Handler for upper layer protocol IPTransportProtocol for an AddressFamily packet returned with error Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: Verbose
Task: UpperLayerProtocolFailure

Description

TCPIP: Handler for upper layer protocol IPTransportProtocol for an AddressFamily packet returned with error Status.

Message #

TCPIP: Handler for upper layer protocol %2 for an %1 packet returned with error %3

Fields #

Name	Description
`AddressFamily` UInt32
`IPTransportProtocol` UInt32
`Status` UInt32	NTSTATUS reference

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1541",
    "version": "0",
    "level": "5",
    "task": "1496",
    "opcode": "0",
    "keywords": 9223372045444710400,
    "time_created": "2026-03-15T23:27:12.462571400+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "AddressFamily": "       2",
    "IPTransportProtocol": "       6",
    "Status": "0x40000026"
  },
  "message": ""
}

Event ID 1542: IP: neighbor rundown: Interface = IfIndex, Compartment = CompartmentId, IpAddress = IPAddress, DlAddress = DLAddress, State = Neighbor State, LastReachable = LastReachableInMs ms, IsUnreachable = I...

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: Informational
Task: NeighborRundown

Description

IP: neighbor rundown: Interface = IfIndex, Compartment = CompartmentId, IpAddress = IPAddress, DlAddress = DLAddress, State = Neighbor State, LastReachable = LastReachableInMs ms, IsUnreachable = IsUnreachable, Flags = Flags.

Message #

IP: neighbor rundown: Interface = %1, Compartment = %2, IpAddress = %4, DlAddress = %6, State = %7, LastReachable = %8 ms, IsUnreachable = %9, Flags = %10.

Fields #

Name	Description
`IfIndex` UInt32
`CompartmentId` UInt32
`IpAddrLength` UInt32
`IPAddress` Binary
`DlAddrLength` UInt32
`DLAddress` Binary
`NeighborState` UInt32
`LastReachableInMs` UInt32
`IsUnreachable` UInt32
`Flags` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1542",
    "version": "0",
    "level": "4",
    "task": "1497",
    "opcode": "0",
    "keywords": 9223372586610589728,
    "time_created": "2026-03-16T00:21:34.295470700+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}"
    },
    "execution": {
      "process_id": "9132",
      "thread_id": "4236"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "IfIndex": "       1",
    "CompartmentId": "       1",
    "IpAddrLength": "      16",
    "IPAddress": "224.0.0.22",
    "DlAddrLength": "       0",
    "DLAddress": "",
    "Neighbor State": "       6",
    "LastReachableInMs": "57839000",
    "IsUnreachable": "       0",
    "Flags": "0xAC"
  },
  "message": ""
}

Event ID 1543: TCPIP: An ARP request was dropped on interface IfIndex.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: ArpPacketDrops
Opcode: Info

Description

TCPIP: An ARP request was dropped on interface IfIndex. Physical address = DlSourceAddress, IP source address = IpSourceAddress, IP target address = IpTargetAddress, Reason = DropReason.

Message #

TCPIP: An ARP request was dropped on interface %1. Physical address = %3, IP source address = %4, IP target address = %5, Reason = %6.

Fields #

Name	Description
`IfIndex` UInt32
`DlAddrLength` UInt32
`DlSourceAddress` Binary
`IpSourceAddress` UInt32
`IpTargetAddress` UInt32
`DropReason` UInt32

Event ID 1544: Endpoint Endpoint socket option set with level Level, name Name, value Value.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: Informational
Task: TcpipSetSockOpt

Description

Endpoint Endpoint socket option set with level Level, name Name, value Value.

Message #

Endpoint %1 socket option set with level %2, name %3, value %5.

Fields #

Name	Description
`Endpoint` Pointer
`Level` UInt32
`Name` UInt32
`Length` UInt32
`Value` Binary

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1544",
    "version": "0",
    "level": "4",
    "task": "1498",
    "opcode": "0",
    "keywords": 9223372036854775936,
    "time_created": "2026-03-16T00:21:40.064415100+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{15f74b50-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "3688",
      "thread_id": "7552"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Endpoint": "0xFFFF980A15F74B50",
    "Level": "      41",
    "Name": "      27",
    "Length": "       4",
    "Value": "0x00000000"
  },
  "message": ""
}

Event ID 1545: TCP: connection = Tcb RACK timeout expired.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpRackTimeout

Description

TCP: connection = Tcb RACK timeout expired. SndUna = SndUna, SndMax = SndMax, SackedBytes = SackedBytes, LossDetected = LossDetected, InRecovery = InRecovery.

Message #

TCP: connection = %1 RACK timeout expired. SndUna = %2, SndMax = %3, SackedBytes = %4, LossDetected = %5, InRecovery = %6.

Fields #

Name	Description
`Tcb` Pointer
`SndUna` UInt32
`SndMax` UInt32
`SackedBytes` UInt32
`LossDetected` UInt32
`InRecovery` UInt32

Event ID 1546: TCP: connection = Tcb armed RACK timer.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpArmRackTimer

Description

TCP: connection = Tcb armed RACK timer. SndUna = SndUna, SndMax = SndMax, SackedBytes = SackedBytes, LossDetected = LossDetected, InRecovery = InRecovery, DeltaTicks = DeltaTicks.

Message #

TCP: connection = %1 armed RACK timer. SndUna = %2, SndMax = %3, SackedBytes = %4, LossDetected = %5, InRecovery = %6, DeltaTicks = %7.

Fields #

Name	Description
`Tcb` Pointer
`SndUna` UInt32
`SndMax` UInt32
`SackedBytes` UInt32
`LossDetected` UInt32
`InRecovery` UInt32
`DeltaTicks` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1546",
    "version": "0",
    "level": "4",
    "task": "1501",
    "opcode": "0",
    "keywords": 9223372041149743104,
    "time_created": "2026-03-16T00:21:40.488186800+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{15ce6ae0-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A15CE6AE0",
    "SndUna": "155002622",
    "SndMax": "155007102",
    "SackedBytes": "    1440",
    "LossDetected": "       0",
    "InRecovery": "       0",
    "DeltaTicks": "      18"
  },
  "message": ""
}

Event ID 1547: TCP: connection = Tcb received a SACK block.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Verbose
Task: TcpReceiveSackBlock

Description

TCP: connection = Tcb received a SACK block. SndUna = SndUna, SndMax = SndMax, Ack = Ack, SLE = SLE, SRE = SRE.

Message #

TCP: connection = %1 received a SACK block. SndUna = %2, SndMax = %3, Ack = %4, SLE = %5, SRE = %6.

Fields #

Name	Description
`Tcb` Pointer
`SndUna` UInt32
`SndMax` UInt32
`Ack` UInt32
`SLE` UInt32
`SRE` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1547",
    "version": "0",
    "level": "5",
    "task": "1502",
    "opcode": "0",
    "keywords": 9223372041149743104,
    "time_created": "2026-03-16T00:21:40.488113200+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{15ce6ae0-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A15CE6AE0",
    "SndUna": "155002622",
    "SndMax": "155007102",
    "Ack": "155002622",
    "SLE": "155004100",
    "SRE": "155005540"
  },
  "message": ""
}

Event ID 1548: TCP: connection = Tcb received a SACK.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpReceiveSack

Description

TCP: connection = received a SACK. SndUna = , SndMax = , Ack = , SackedBytes = , LossDetected = , InRecovery = , NumSackBlocks = , DSackCount = , NewSackInfo = , RecoveryMax = .

Message #

TCP: connection = %1 received a SACK. SndUna = %2, SndMax = %3, Ack = %4, SackedBytes = %5, LossDetected = %6, InRecovery = %7, NumSackBlocks = %8, DSackCount = %9, NewSackInfo = %10, RecoveryMax = %11.

Fields #

Name	Description
`Tcb` Pointer
`SndUna` UInt32
`SndMax` UInt32
`Ack` UInt32
`SackedBytes` UInt32
`LossDetected` UInt32
`InRecovery` UInt32
`NumSackBlocks` UInt32
`DSackCount` UInt32
`NewSackInfo` UInt32
`RecoveryMax` UInt32
`NewSackedBytes` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1548",
    "version": "0",
    "level": "4",
    "task": "1503",
    "opcode": "0",
    "keywords": 9223372041149743104,
    "time_created": "2026-03-15T23:27:12.440654000+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{fd182260-d78f-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFFD78FFD182260",
    "SndUna": "4068749001",
    "SndMax": "4068767248",
    "Ack": "4068749001",
    "SackedBytes": "    1460",
    "LossDetected": "       1",
    "InRecovery": "       0",
    "NumSackBlocks": "       1",
    "DSackCount": "       0",
    "NewSackInfo": "       1",
    "RecoveryMax": "4068565828"
  },
  "message": ""
}

Event ID 1549: TCP: connection = Tcb enabled send tracker.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpSendTrackerEnabled

Description

TCP: connection = Tcb enabled send tracker.

Message #

TCP: connection = %1 enabled send tracker.

Fields #

Name	Description
`Tcb` Pointer

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1549",
    "version": "0",
    "level": "4",
    "task": "1504",
    "opcode": "0",
    "keywords": 9223372041149743104,
    "time_created": "2026-03-16T00:21:40.119290700+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{15ce6ae0-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "3688",
      "thread_id": "12888"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A15CE6AE0"
  },
  "message": ""
}

Event ID 1550: TCP: connection = Tcb send tracker acked a transmit.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: Verbose
Task: TcpSendTrackerAck

Description

TCP: connection = Tcb send tracker acked a transmit. AckNo = AckNo, Start = Start, End = End, Timestamp = Timestamps, EverTransmitted = EverRetransmitted, SackedBytes = SackedBytes, BytesInFlight = BytesInFlight.

Message #

TCP: connection = %1 send tracker acked a transmit. AckNo = %2, Start = %3, End = %4, Timestamp = %5, EverTransmitted = %6, SackedBytes = %7, BytesInFlight = %8.

Fields #

Name	Description
`Tcb` Pointer
`AckNo` UInt32
`Start` UInt32
`End` UInt32
`Timestamps` UInt32
`EverRetransmitted` UInt32
`SackedBytes` UInt32
`BytesInFlight` UInt32
`State` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1550",
    "version": "0",
    "level": "5",
    "task": "1505",
    "opcode": "0",
    "keywords": 9223372041149743104,
    "time_created": "2026-03-15T23:26:13.268229900+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{ff7afb40-d78f-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "4200",
      "thread_id": "7084"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFFD78FFF7AF7E0",
    "AckNo": "644687492",
    "Start": "644684595",
    "End": "644687492",
    "Timestamps": "2483305555",
    "EverRetransmitted": "       0",
    "SackedBytes": "       0",
    "BytesInFlight": "       0"
  },
  "message": ""
}

Event ID 1551: TCP: connection = Tcb send tracker enqueued a transmit.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: Verbose
Task: TcpSendTrackerSend

Description

TCP: connection = Tcb send tracker enqueued a transmit. Start = Start, End = End, Timestamp = Timestamps, SackedBytes = SackedBytes, BytesInFlight = BytesInFlight.

Message #

TCP: connection = %1 send tracker enqueued a transmit. Start = %2, End = %3, Timestamp = %4, SackedBytes = %5, BytesInFlight = %6.

Fields #

Name	Description
`Tcb` Pointer
`Start` UInt32
`End` UInt32
`Timestamps` UInt32
`SackedBytes` UInt32
`BytesInFlight` UInt32
`NoNewTransmitCreated` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1551",
    "version": "0",
    "level": "5",
    "task": "1506",
    "opcode": "0",
    "keywords": 9223372041149743104,
    "time_created": "2026-03-15T23:26:13.267679100+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{ff7afb40-d78f-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "4200",
      "thread_id": "7948"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFFD78FFF7AF7E0",
    "Start": "644684595",
    "End": "644687492",
    "Timestamps": "2483305555",
    "SackedBytes": "       0",
    "BytesInFlight": "    2897"
  },
  "message": ""
}

Event ID 1552: TCP: connection = Tcb send tracker marked a transmit as lost.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Verbose
Task: TcpSendTrackerDetectLoss

Description

TCP: connection = Tcb send tracker marked a transmit as lost. Start = Start, End = End, Timestamp = Timestamps, EverTransmitted = EverRetransmitted, InFlightCount = InFlightCount, SackedBytes = SackedBytes, BytesInFlight = BytesInFlight.

Message #

TCP: connection = %1 send tracker marked a transmit as lost. Start = %2, End = %3, Timestamp = %4, EverTransmitted = %5, InFlightCount = %6, SackedBytes = %7, BytesInFlight = %8.

Fields #

Name	Description
`Tcb` Pointer
`Start` UInt32
`End` UInt32
`Timestamps` UInt32
`EverRetransmitted` UInt32
`InFlightCount` UInt32
`SackedBytes` UInt32
`BytesInFlight` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1552",
    "version": "0",
    "level": "5",
    "task": "1507",
    "opcode": "0",
    "keywords": 9223372041149743104,
    "time_created": "2026-03-16T00:21:40.490313500+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{15ce6eb8-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A15CE6AE0",
    "Start": "155004062",
    "End": "155004100",
    "Timestamps": "1924745937",
    "EverRetransmitted": "       0",
    "InFlightCount": "       0",
    "SackedBytes": "    3002",
    "BytesInFlight": "    2804"
  },
  "message": ""
}

Event ID 1553: TCP: accept redirection: original listener = OriginalListener, redirected listener = RedirectedListener, succeeded = Succeeded, redirected = Redirected, codepath = CodePath, local address = SockAdd...

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Verbose
Task: TcpAcceptRedirect

Description

TCP: accept redirection: original listener = OriginalListener, redirected listener = RedirectedListener, succeeded = Succeeded, redirected = Redirected, codepath = CodePath, local address = SockAddrLength, remote address = LocalSockAddr, redirected address = RemoteSockAddr.

Message #

TCP: accept redirection: original listener = %1, redirected listener = %2, succeeded = %3, redirected = %4, codepath = %5, local address = %6, remote address = %7, redirected address = %8

Fields #

Name	Description
`OriginalListener` Pointer
`RedirectedListener` Pointer
`Succeeded` UInt32
`Redirected` UInt32
`CodePath` UInt32
`SockAddrLength` UInt32
`LocalSockAddr` Binary
`RemoteSockAddr` Binary
`RedirectSockAddr` Binary

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1553",
    "version": "0",
    "level": "5",
    "task": "1508",
    "opcode": "0",
    "keywords": 9223372045444710528,
    "time_created": "2026-03-16T00:21:38.718862500+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{0ef4b580-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "OriginalListener": "0xFFFF980A0EF4B580",
    "RedirectedListener": "0x0",
    "Succeeded": "       1",
    "Redirected": "       0",
    "CodePath": "       2",
    "SockAddrLength": "      16",
    "LocalSockAddr": "10.2.10.21:5985",
    "RemoteSockAddr": "10.2.10.11:51201",
    "RedirectSockAddr": "0x00000000000000000000000000000000"
  },
  "message": ""
}

Event ID 1554: TCP: connection = Tcb dropped a SACK block due to SACK limit reached.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpSendTrackerSackLimitReached

Description

TCP: connection = Tcb dropped a SACK block due to SACK limit reached. SndUna = SndUna, SndMax = SndMax, Ack = Ack, SLE = SLE, SRE = SRE, NumSackedTransmits = NumSackTransmits, limit = Limit.

Message #

TCP: connection = %1 dropped a SACK block due to SACK limit reached. SndUna = %2, SndMax = %3, Ack = %4, SLE = %5, SRE = %6, NumSackedTransmits = %7, limit = %8.

Fields #

Name	Description
`Tcb` Pointer
`SndUna` UInt32
`SndMax` UInt32
`Ack` UInt32
`SLE` UInt32
`SRE` UInt32
`NumSackTransmits` UInt32
`Limit` UInt32

Event ID 1555: TCP: connection Tcb terminated by NSI.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpConnectionTerminatedByNsi

Description

TCP: connection Tcb terminated by NSI. State = State, PID = Pid, ProcessSeqNum = ProcessStartKey, Shutdown = Shutdown.

Message #

TCP: connection %1 terminated by NSI. State = %2, PID = %3, ProcessSeqNum = %4, Shutdown = %5.

Fields #

Name	Description
`Tcb` Pointer
`State` UInt32
`Pid` UInt32
`ProcessStartKey` UInt64
`Shutdown` UInt32

Event ID 1556: TCP: connection = Tcb rate-based pacing timeout expired.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpRateBasedPacingTimeout

Description

TCP: connection = Tcb rate-based pacing timeout expired. SndUna = SndUna, SndMax = SndMax, PacingAllowance = PacingAllowance B, PacingRate = PacingRate B/ms.

Message #

TCP: connection = %1 rate-based pacing timeout expired. SndUna = %2, SndMax = %3, PacingAllowance = %4 B, PacingRate = %5 B/ms.

Fields #

Name	Description
`Tcb` Pointer
`SndUna` UInt32
`SndMax` UInt32
`PacingAllowance` UInt32
`PacingRate` UInt32

Event ID 1557: TCP RLedbat connection = Tcb.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpRLedbatState

Description

TCP RLedbat connection = . Type = , SSThresh = , Wnd = , WndWs = , DrainedBytes = , ReceiveHigh = , TsHigh = , LastRollOverTimeMs = , EndReductionTimeMs = , MinDelaySampleMs = , MinBaseDelayMs =.

Message #

TCP RLedbat connection = %1. Type = %2, SSThresh = %3, Wnd = %4, WndWs = %5, DrainedBytes = %6, ReceiveHigh = %7, TsHigh = %8, LastRollOverTimeMs = %9, EndReductionTimeMs = %10, MinDelaySampleMs = %11, MinBaseDelayMs = %12

Fields #

Name	Description
`Tcb` Pointer
`EventType` UInt32
`SsThresh` UInt32
`Wnd` UInt32
`WndWs` UInt32
`DrainedBytes` UInt32
`ReceiveHigh` UInt32
`TsHigh` UInt32
`LastRollOverTimeMs` UInt32
`EndReductionTimeMs` UInt32
`MinDelaySampleMs` UInt32
`MinBaseDelayMs` UInt32

Event ID 1558: UDP: endpoint Endpoint rebind initiated: current address = CurrentLocalAddress, modified address = ModifiedLocalAddress.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: UdpRebindEndpointInit

Description

UDP: endpoint Endpoint rebind initiated: current address = CurrentLocalAddress, modified address = ModifiedLocalAddress.

Message #

UDP: endpoint %5 rebind initiated: current address = %2, modified address = %4

Fields #

Name	Description
`CurrentLocalAddressLength` UInt32
`CurrentLocalAddress` Binary
`ModifiedLocalAddressLength` UInt32
`ModifiedLocalAddress` Binary
`Endpoint` Pointer
`Status` UInt32	NTSTATUS reference
`EndpointRestored` Boolean

Event ID 1559: UDP: endpoint Endpoint rebind failed: current address = CurrentLocalAddress, modified address = ModifiedLocalAddress, port-switch status = Status, endpoint-restored = EndpointRestored.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: UdpRebindEndpointFailure

Description

UDP: endpoint Endpoint rebind failed: current address = CurrentLocalAddress, modified address = ModifiedLocalAddress, port-switch status = Status, endpoint-restored = EndpointRestored.

Message #

UDP: endpoint %5 rebind failed: current address = %2, modified address = %4, port-switch status = %6, endpoint-restored = %7

Fields #

Name	Description
`CurrentLocalAddressLength` UInt32
`CurrentLocalAddress` Binary
`ModifiedLocalAddressLength` UInt32
`ModifiedLocalAddress` Binary
`Endpoint` Pointer
`Status` UInt32	NTSTATUS reference
`EndpointRestored` Boolean

Event ID 1560: TCP: endpoint Endpoint rebind initiated: current address = CurrentLocalAddress, modified address = ModifiedLocalAddress.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpRebindEndpointInit

Description

TCP: endpoint Endpoint rebind initiated: current address = CurrentLocalAddress, modified address = ModifiedLocalAddress.

Message #

TCP: endpoint %5 rebind initiated: current address = %2, modified address = %4

Fields #

Name	Description
`CurrentLocalAddressLength` UInt32
`CurrentLocalAddress` Binary
`ModifiedLocalAddressLength` UInt32
`ModifiedLocalAddress` Binary
`Endpoint` Pointer
`Status` UInt32	NTSTATUS reference
`EndpointRestored` Boolean

Event ID 1561: TCP: endpoint Endpoint rebind failed: current address = CurrentLocalAddress, modified address = ModifiedLocalAddress, port-switch status = Status, endpoint-restored = EndpointRestored.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpRebindEndpointFailure

Description

TCP: endpoint Endpoint rebind failed: current address = CurrentLocalAddress, modified address = ModifiedLocalAddress, port-switch status = Status, endpoint-restored = EndpointRestored.

Message #

TCP: endpoint %5 rebind failed: current address = %2, modified address = %4, port-switch status = %6, endpoint-restored = %7

Fields #

Name	Description
`CurrentLocalAddressLength` UInt32
`CurrentLocalAddress` Binary
`ModifiedLocalAddressLength` UInt32
`ModifiedLocalAddress` Binary
`Endpoint` Pointer
`Status` UInt32	NTSTATUS reference
`EndpointRestored` Boolean

Event ID 1562: TCP: endpoint (PID=ProcessId ProcessSeqNum=ProcessStartKey) create failed: access denied.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpCreateEndpointAccessFailure

Description

TCP: endpoint (PID=ProcessId ProcessSeqNum=ProcessStartKey) create failed: access denied.

Message #

TCP: endpoint (PID=%4 ProcessSeqNum=%7) create failed: access denied.

Fields #

Name	Description
`LocalAddressLength` UInt32
`LocalAddress` Binary
`Status` UInt32	NTSTATUS reference
`ProcessId` UInt32
`CompartmentId` UInt32
`AddressFamily` UInt32
`ProcessStartKey` UInt64

Event ID 1563: UDP: endpoint (PID=ProcessId ProcessSeqNum=ProcessStartKey) create failed: access denied.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: UdpCreateEndpointAccessFailure

Description

UDP: endpoint (PID=ProcessId ProcessSeqNum=ProcessStartKey) create failed: access denied.

Message #

UDP: endpoint (PID=%3 ProcessSeqNum=%6) create failed: access denied.

Fields #

Name	Description
`Endpoint` Pointer
`Status` UInt32	NTSTATUS reference
`ProcessId` UInt32
`CompartmentId` UInt32
`AddressFamily` UInt32
`ProcessStartKey` UInt64

Event ID 1564: TCP: connection Tcb (local=LocalAddress remote=RemoteAddress PID=ProcessId ProcessSeqNum=ProcessStartKey) connect failed: access denied.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpConnectTcbFailedAccess

Description

TCP: connection Tcb (local=LocalAddress remote=RemoteAddress PID=ProcessId ProcessSeqNum=ProcessStartKey) connect failed: access denied.

Message #

TCP: connection %8 (local=%2 remote=%4 PID=%6 ProcessSeqNum=%9) connect failed: access denied.

Fields #

Name	Description
`LocalAddressLength` UInt32
`LocalAddress` Binary
`RemoteAddressLength` UInt32
`RemoteAddress` Binary
`Status` UInt32	NTSTATUS reference
`ProcessId` UInt32
`Compartment` UInt32
`Tcb` Pointer
`ProcessStartKey` UInt64

Event ID 1565: TCP: Congestion state changed for connection = Tcb from OldState = OldState to NewState = NewState.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpCongestionStateChange

Description

TCP: Congestion state changed for connection = Tcb from OldState = OldState to NewState = NewState.

Message #

TCP: Congestion state changed for connection = %1 from OldState = %2 to NewState = %3.

Fields #

Name	Description
`Tcb` Pointer
`OldState` UInt32
`NewState` UInt32

Event ID 1566: TCP: connection = Tcb detected reordering.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpSendTrackerSackReorderingDetected

Description

TCP: connection = Tcb detected reordering. MaxReorderingBytes = MaxReorderingBytes, Fack = Fack, EndSeq = EndSeq.

Message #

TCP: connection = %1 detected reordering. MaxReorderingBytes = %2, Fack = %3, EndSeq = %4.

Fields #

Name	Description
`Tcb` Pointer
`MaxReorderingBytes` UInt32
`Fack` UInt32
`EndSeq` UInt32

Event ID 1577: TCP: connection = Tcb updated reownd.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpSendTrackerUpdateReoWnd

Description

TCP: connection = updated reownd. Multiplier = , Persist = , Reownd = , ReorderingSeen = , DSackSeenOnLatestAck = , InLossRecovery = , DupAckCountReached = , DSackRound = , DSackRoundValid = .

Message #

TCP: connection = %1 updated reownd. Multiplier = %2, Persist = %3, Reownd = %4, ReorderingSeen = %5, DSackSeenOnLatestAck = %6, InLossRecovery = %7, DupAckCountReached = %8, DSackRound = %9, DSackRoundValid = %10.

Fields #

Name	Description
`Tcb` Pointer
`Multiplier` UInt32
`Persist` UInt32
`Reownd` UInt32
`ReorderingSeen` UInt32
`DSackSeenOnLatestAck` UInt32
`InLossRecovery` UInt32
`DupAckCountReached` UInt32
`DSackRound` UInt32
`DSackRoundValid` UInt32

Event ID 1578: IP: Injecting NBL Nbl on send path.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpInjectNbl

Description

IP: Injecting NBL Nbl on send path. Family = AddressFamily, Compartment = CompartmentId, Protocol = IPTransportProtocol.

Message #

IP: Injecting NBL %1 on send path. Family = %2, Compartment = %3, Protocol = %5

Fields #

Name	Description
`Nbl` Pointer
`AddressFamily` UInt32
`CompartmentId` UInt32
`Interface` UInt32
`IPTransportProtocol` UInt32

Event ID 1579: IP: Injecting NBL Nbl on raw send path.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpInjectNbl

Description

IP: Injecting NBL Nbl on raw send path. Family = AddressFamily, Compartment = CompartmentId.

Message #

IP: Injecting NBL %1 on raw send path. Family = %2, Compartment = %3

Fields #

Name	Description
`Nbl` Pointer
`AddressFamily` UInt32
`CompartmentId` UInt32
`Interface` UInt32
`IPTransportProtocol` UInt32

Event ID 1580: IP: Injecting NBL Nbl on receive path.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpInjectNbl

Description

IP: Injecting NBL Nbl on receive path. Family = AddressFamily, Compartment = CompartmentId, Interface = Interface.

Message #

IP: Injecting NBL %1 on receive path. Family = %2, Compartment = %3, Interface = %4

Fields #

Name	Description
`Nbl` Pointer
`AddressFamily` UInt32
`CompartmentId` UInt32
`Interface` UInt32
`IPTransportProtocol` UInt32

Event ID 1581: IP: Injecting NBL Nbl on forward path.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpInjectNbl

Description

IP: Injecting NBL Nbl on forward path. Family = AddressFamily, Compartment = CompartmentId, Interface = Interface.

Message #

IP: Injecting NBL %1 on forward path. Family = %2, Compartment = %3, Interface = %4

Fields #

Name	Description
`Nbl` Pointer
`AddressFamily` UInt32
`CompartmentId` UInt32
`Interface` UInt32
`IPTransportProtocol` UInt32

Event ID 1582: IP: Indication filtered because destination interface IfIndex is not contained in IF list.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipIndicationFilteredForIflist

Description

IP: Indication filtered because destination interface IfIndex is not contained in IF list.

Message #

IP: Indication filtered because destination interface %1 is not contained in IF list

Fields #

Name	Description
`IfIndex` UInt32

Event ID 1583: BBR2: TCB Tcb bbr_bw bbr_bw min_rtt_us min_rtt_us mode mode cycle_idx cycle_idx CWnd CWnd PacingRate PacingRate BytesSent BytesSent SRtt SRtt.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpBbr2

Description

BBR2: TCB Tcb bbr_bw bbr_bw min_rtt_us min_rtt_us mode mode cycle_idx cycle_idx CWnd CWnd PacingRate PacingRate BytesSent BytesSent SRtt SRtt.

Message #

BBR2: TCB %1 bbr_bw %2 min_rtt_us %3 mode %4 cycle_idx %5 CWnd %6 PacingRate %7 BytesSent %8 SRtt %9

Fields #

Name	Description
`Tcb` Pointer
`bbr_bw` UInt32
`min_rtt_us` UInt32
`mode` UInt32
`cycle_idx` UInt32
`CWnd` UInt32
`PacingRate` UInt32
`BytesSent` UInt32
`SRtt` UInt32

Event ID 1584: TCP: connection = Tcb send tracker marked a transmit as rexmit.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpSendTrackerMarkRexmit

Description

TCP: connection = Tcb send tracker marked a transmit as rexmit. Start = Start, End = End, Timestamp = Timestamps, InFlightCount = InFlightCount, SackedBytes = SackedBytes, BytesInFlight = BytesInFlight.

Message #

TCP: connection = %1 send tracker marked a transmit as rexmit. Start = %2, End = %3, Timestamp = %4, InFlightCount = %5, SackedBytes = %6, BytesInFlight = %7.

Fields #

Name	Description
`Tcb` Pointer
`Start` UInt32
`End` UInt32
`Timestamps` UInt32
`InFlightCount` UInt32
`SackedBytes` UInt32
`BytesInFlight` UInt32

Event ID 1585: TCP: connection = Tcb send tracker update RACK info.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: Verbose
Task: TcpSendTrackerRackUpdate
Opcode: win:Info

Description

TCP: connection = Tcb send tracker update RACK info. RackXmitTimeStampValid = RackXmitTimeStampValid, RackXmitTimeStampInUs = RackXmitTimeStampInUs, RackEndSeq = RackEndSeq, RackRttInUs = RackRttInUs, NowInUs = NowInUs, TimeStampInUs = TimeStampInUs.

Message #

TCP: connection = %1 send tracker update RACK info. RackXmitTimeStampValid = %2, RackXmitTimeStampInUs = %3, RackEndSeq = %4, RackRttInUs = %5, NowInUs = %6, TimeStampInUs = %7.

Fields #

Name	Description
`Tcb` Pointer
`RackXmitTimeStampValid` UInt32
`RackXmitTimeStampInUs` UInt32
`RackEndSeq` UInt32
`RackRttInUs` UInt32
`NowInUs` UInt32
`TimeStampInUs` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2F07E2EE-15DB-40F1-90EF-9D7BA282188A}",
    "event_source_name": "",
    "event_id": 1585,
    "version": 0,
    "level": 5,
    "task": 1527,
    "opcode": 0,
    "keywords": "0x0000000100000000",
    "time_created": "2026-06-02T06:03:34.154+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{F76423D8-BD09-FFFF-0000-000000000000}"
    },
    "execution": {
      "process_id": 2764,
      "thread_id": 812
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "NowInUs": 3164724227,
    "RackEndSeq": 2424967783,
    "RackRttInUs": 1236,
    "RackXmitTimeStampInUs": 3164722991,
    "RackXmitTimeStampValid": 1,
    "Tcb": "0xFFFFBD09F7642010",
    "TimeStampInUs": 3164722991
  },
  "message": "TcpSendTrackerRackUpdate"
}

Event ID 1586: IP: Prefix sharing now PrefixSharing on Interface = Interface, Compartment = CompartmentId, Family = AddressFamily.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpInterfaceChange

Description

IP: Prefix sharing now PrefixSharing on Interface = Interface, Compartment = CompartmentId, Family = AddressFamily. Updating shared prefixes and resetting autoconfigured state, such as addresses and routes.

Message #

IP: Prefix sharing now %4 on Interface = %3, Compartment = %2, Family = %1. Updating shared prefixes and resetting autoconfigured state, such as addresses and routes.

Fields #

Name	Description
`AddressFamily` UInt32
`CompartmentId` UInt32
`Interface` UInt32
`PrefixSharing` UInt32

Event ID 1587: TCP: connection Tcb received a careful ACK.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpCarefulAck

Description

TCP: connection Tcb received a careful ACK. ThAck = ThAck, SndUna = SndUna, SndMax = SndMax, RecoveryMax = RecoveryMax, SndWnd = SndWnd, SndWndChanged = SndWndChanged, SackUpdated = SackUpdated, State = TcpState, CongestionState = CongestionState, F-RTO = Frto.

Message #

TCP: connection %1 received a careful ACK. ThAck = %2, SndUna = %3, SndMax = %4, RecoveryMax = %5, SndWnd = %6, SndWndChanged = %7, SackUpdated = %8, State = %9, CongestionState = %10, F-RTO = %11.

Fields #

Name	Description
`Tcb` Pointer
`ThAck` UInt32
`SndUna` UInt32
`SndMax` UInt32
`RecoveryMax` UInt32
`SndWnd` UInt32
`SndWndChanged` UInt32
`SackUpdated` UInt32
`TcpState` UInt32
`CongestionState` UInt32
`Frto` UInt32

Event ID 1588: IP: Forwarding tag on Interface = Interface, Compartment = CompartmentId, Family = AddressFamily changed from OldForwardingTag to NewForwardingTag.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpInterfaceChange

Description

IP: Forwarding tag on Interface = Interface, Compartment = CompartmentId, Family = AddressFamily changed from OldForwardingTag to NewForwardingTag.

Message #

IP: Forwarding tag on Interface = %3, Compartment = %2, Family = %1 changed from %4 to %5.

Fields #

Name	Description
`AddressFamily` UInt32
`CompartmentId` UInt32
`Interface` UInt32
`OldForwardingTag` UInt32
`NewForwardingTag` UInt32

Event ID 1589: TCP: AF AddressFamily, RssEnabled = RssEnabled .

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: Informational
Task: TcpAfRundown
Opcode: win:Info

Description

TCP: AF AddressFamily, RssEnabled = RssEnabled .

Message #

TCP: AF %1, RssEnabled = %2 .

Fields #

Name	Description
`AddressFamily` UInt32
`RssEnabled` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2F07E2EE-15DB-40F1-90EF-9D7BA282188A}",
    "event_source_name": "",
    "event_id": 1589,
    "version": 0,
    "level": 4,
    "task": 1530,
    "opcode": 0,
    "keywords": "0x0000000000000080",
    "time_created": "2026-06-02T06:03:32.469+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{E27FDE20-BD09-FFFF-0000-000000000000}"
    },
    "execution": {
      "process_id": 11500,
      "thread_id": 16068
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "AddressFamily": 23,
    "RssEnabled": 1
  },
  "message": "TcpAfRundown"
}

Event ID 1590: TCP: connection = Tcb send completion failed.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpSendCompletionFailure

Description

TCP: connection = Tcb send completion failed. NBL = Nbl, Status = Status.

Message #

TCP: connection = %1 send completion failed. NBL = %2, Status = %3.

Fields #

Name	Description
`Tcb` Pointer
`Nbl` Pointer
`Status` UInt32	NTSTATUS reference

Event ID 1591: TCPIP: Alloc hooks setup: Status = Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipAllocHooksSetup

Description

TCPIP: Alloc hooks setup: Status = Status.

Message #

TCPIP: Alloc hooks setup: Status = %1.

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Event ID 1592: IP: Neighbor with IpAddress = IPAddress DlAddress = DLAddress on Interface = Interface was reset while in state OldNeighborState due to Reason = ResetReason.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpNeighborReset

Description

IP: Neighbor with IpAddress = IPAddress DlAddress = DLAddress on Interface = Interface was reset while in state OldNeighborState due to Reason = ResetReason.

Message #

IP: Neighbor with IpAddress = %3 DlAddress = %5 on Interface = %1 was reset while in state %6 due to Reason = %7.

Fields #

Name	Description
`Interface` UInt32
`IpAddrLength` UInt32
`IPAddress` Binary
`DlAddrLength` UInt32
`DLAddress` Binary
`OldNeighborState` UInt32
`ResetReason` UInt32
`CompartmentId` UInt32

Event ID 1593: TCP: Global timer fired, Processor = Processor, Tick = Tick.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpGlobalTimerFired

Description

TCP: Global timer fired, Processor = Processor, Tick = Tick.

Message #

TCP: Global timer fired, Processor = %1, Tick = %2

Fields #

Name	Description
`Processor` UInt32
`Tick` UInt32

Event ID 1594: TCP: Global timer armed, NextToExpire = NextToExpire, Period = Period.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpGlobalTimerArmed

Description

TCP: Global timer armed, NextToExpire = NextToExpire, Period = Period.

Message #

TCP: Global timer armed, NextToExpire = %1, Period = %2

Fields #

Name	Description
`NextToExpire` UInt32
`Period` UInt32

Event ID 1595: TCP: Global timer cancelled

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpGlobalTimerCancelled

Description

TCP: Global timer cancelled.

Message #

TCP: Global timer cancelled

Event ID 1596: TCP: Updating Fastopen Key

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpFastopenKeyUpdate

Description

TCP: Updating Fastopen Key.

Message #

TCP: Updating Fastopen Key

Event ID 1597: TCP: paused receive buffer growth for high memory usage, AF = AddressFamily, TCB = Tcb, TotalBytesBuffered = TotalBytesBuffered, UpperLimit = UpperLimit.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpAutoTuningPausedForMemoryUsage

Description

TCP: paused receive buffer growth for high memory usage, AF = AddressFamily, TCB = Tcb, TotalBytesBuffered = TotalBytesBuffered, UpperLimit = UpperLimit.

Message #

TCP: paused receive buffer growth for high memory usage, AF = %1, TCB = %2, TotalBytesBuffered = %3, UpperLimit = %4

Fields #

Name	Description
`AddressFamily` UInt32
`Tcb` Pointer
`TotalBytesBuffered` UInt64
`UpperLimit` UInt64

Event ID 1598: IP: Autoconfigured address creation failed due to autoconfiguration limit, Address = IPv4Address IPProtocol IPv6Address, Interface = Interface, Compartment = CompartmentId, Protocol = Protocol.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpAddressAutoConfigurationLimitFailure

Description

IP: Autoconfigured address creation failed due to autoconfiguration limit, Address = IPv4Address IPProtocol IPv6Address, Interface = Interface, Compartment = CompartmentId, Protocol = Protocol.

Message #

IP: Autoconfigured address creation failed due to autoconfiguration limit, Address = %5 %7 %6, Interface = %1, Compartment = %2, Protocol = %3

Fields #

Name	Description
`Interface` UInt32
`CompartmentId` UInt32
`Protocol` AnsiString	Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`IpAddrLength` UInt32
`IPv4Address` UInt32
`IPv6Address` Binary
`IPProtocol` UInt32

Event ID 1599: IP: Autoconfigured route creation failed due to autoconfiguration limit, DestinationPrefix = IPv4DestinationPrefix IPProtocol DestinationPrefix /DestinationPrefixLength, Nexthop = IPv4NextHopAddres...

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpRouteAutoConfigurationLimitFailure

Description

IP: Autoconfigured route creation failed due to autoconfiguration limit, DestinationPrefix = IPv4DestinationPrefix IPProtocol DestinationPrefix /DestinationPrefixLength, Nexthop = IPv4NextHopAddress IPProtocol NextHopAddress, Interface = Interface, Compartment = CompartmentId, Protocol = Protocol.

Message #

IP: Autoconfigured route creation failed due to autoconfiguration limit, DestinationPrefix = %9 %11 %7 /%6, Nexthop = %10 %11 %8, Interface = %1, Compartment = %2, Protocol = %3

Fields #

Name	Description
`Interface` UInt32
`CompartmentId` UInt32
`Protocol` AnsiString	Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`DestinationPrefixAddressLength` UInt32
`NextHopAddressLength` UInt32
`DestinationPrefixLength` UInt32
`DestinationPrefix` Binary
`NextHopAddress` Binary
`IPv4DestinationPrefix` UInt32
`IPv4NextHopAddress` UInt32
`IPProtocol` UInt32

Event ID 1600: IP: Policy based routing failed - Compartment: Compartment DstAddr: DestinationAddress SrcAddr: SourceAddress TransProto: TransportProtocol IcmpType: IcmpType IcmpCode: IcmpCode PolicySrcAddr: Poli...

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipPBRFailure

Description

IP: Policy based routing failed - Compartment: DstAddr: SrcAddr: TransProto: IcmpType: IcmpCode: PolicySrcAddr: PolicyNextHopAddr: PolicyIfIndex: FailureReason: Status.

Message #

IP: Policy based routing failed - Compartment: %1 DstAddr: %3 SrcAddr: %5 TransProto: %6 IcmpType: %7 IcmpCode: %8 PolicySrcAddr: %10 PolicyNextHopAddr: %12 PolicyIfIndex: %13 FailureReason: %14 Status: %15

Fields #

Name	Description
`Compartment` UInt32
`DestinationAddrLength` UInt32
`DestinationAddress` Binary
`SourceAddrLength` UInt32
`SourceAddress` Binary
`TransportProtocol` UInt32
`IcmpType` UInt8
`IcmpCode` UInt8
`PolicySourceAddrLength` UInt32
`PolicySourceAddress` Binary
`PolicyNextHopAddrLength` UInt32
`PolicyNextHopAddress` Binary
`PolicyInterfaceLuid` UInt64
`FailureReason` UInt32	Known values `%%2304` An Error occured during Logon. `%%2305` The specified user account has expired. `%%2306` The NetLogon component is not active. `%%2307` Account locked out. `%%2308` The user has not been granted the requested logon type at this machine. `%%2309` The specified account's password has expired. `%%2310` Account currently disabled. `%%2311` Account logon time restriction violation. `%%2312` User not allowed to logon at this computer. `%%2313` Unknown user name or bad password. `%%2314` Domain sid inconsistent. `%%2315` Smartcard logon is required and was not used.
`Status` UInt32	NTSTATUS reference

Event ID 1601: TCP: connection Tcb in NewState received NBL NBL in FastPath = FastPath Seq = ThSeq Ack = ThAck Flags = ThFlags RSC = RSC CoalescedSegCount = CoalescedSegCount RscTcpTimestampDelta = RscTcpTimestam...

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: Verbose
Task: TcpRx
Opcode: win:Info

Description

TCP: connection Tcb in NewState received NBL NBL in FastPath = FastPath Seq = ThSeq Ack = ThAck Flags = ThFlags RSC = RSC CoalescedSegCount = CoalescedSegCount RscTcpTimestampDelta = RscTcpTimestampDelta EcnCePresent = EcnCePresent.

Message #

TCP: connection %1 in %2 received NBL %4 in FastPath = %3 Seq = %5 Ack = %6 Flags = %7 RSC = %8 CoalescedSegCount = %9 RscTcpTimestampDelta = %10 EcnCePresent = %11.

Fields #

Name	Description
`Tcb` Pointer
`NewState` UInt32
`FastPath` UInt32
`NBL` Pointer
`ThSeq` UInt32
`ThAck` UInt32
`ThFlags` UInt8
`RSC` UInt32
`CoalescedSegCount` UInt16
`RscTcpTimestampDelta` UInt32
`EcnCePresent` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2F07E2EE-15DB-40F1-90EF-9D7BA282188A}",
    "event_source_name": "",
    "event_id": 1601,
    "version": 0,
    "level": 5,
    "task": 1601,
    "opcode": 0,
    "keywords": "0x0000000200000000",
    "time_created": "2026-06-02T06:03:34.154+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{F7642010-BD09-FFFF-0000-000000000000}"
    },
    "execution": {
      "process_id": 2764,
      "thread_id": 812
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "CoalescedSegCount": 1,
    "EcnCePresent": 0,
    "FastPath": 1,
    "NBL": "0xFFFFBD09F35BD070",
    "NewState": 4,
    "RSC": 0,
    "RscTcpTimestampDelta": 0,
    "Tcb": "0xFFFFBD09F7642010",
    "ThAck": 2424967783,
    "ThFlags": 16,
    "ThSeq": 3278916547
  },
  "message": "TcpRx"
}

Event ID 1602: TCP: connection Tcb process fast RX batch SegmentCount = SegmentCount NumBytes = NumBytes NblHead = NblHead NblTail = NblTail Inspect = Inspect.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: Verbose
Task: TcpProcessFastRxBatch
Opcode: win:Info

Description

TCP: connection Tcb process fast RX batch SegmentCount = SegmentCount NumBytes = NumBytes NblHead = NblHead NblTail = NblTail Inspect = Inspect.

Message #

TCP: connection %1 process fast RX batch SegmentCount = %2 NumBytes = %3 NblHead = %4 NblTail = %5 Inspect = %6.

Fields #

Name	Description
`Tcb` Pointer
`SegmentCount` UInt32
`NumBytes` UInt32
`NblHead` Pointer
`NblTail` Pointer
`Inspect` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2F07E2EE-15DB-40F1-90EF-9D7BA282188A}",
    "event_source_name": "",
    "event_id": 1602,
    "version": 0,
    "level": 5,
    "task": 1602,
    "opcode": 0,
    "keywords": "0x0000000200000000",
    "time_created": "2026-06-02T06:03:34.157+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{F7642010-BD09-FFFF-0000-000000000000}"
    },
    "execution": {
      "process_id": 10696,
      "thread_id": 5148
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Inspect": 1,
    "NblHead": "0xFFFFBD09F35BD070",
    "NblTail": "0xFFFFBD09F3386D20",
    "NumBytes": 4874,
    "SegmentCount": 5,
    "Tcb": "0xFFFFBD09F7642010"
  },
  "message": "TcpProcessFastRxBatch"
}

Event ID 1603: TCP: connection Tcb in State Injected disconnect DataLength=DataLength.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpDisconnect

Description

TCP: connection Tcb in State Injected disconnect DataLength=DataLength.

Message #

TCP: connection %1 in %2 %3 disconnect DataLength=%4.

Fields #

Name	Description
`Tcb` Pointer
`State` UInt32
`Injected` UnicodeString
`DataLength` UInt64

Event ID 1604: NDKPI Disconnect Event CallbackEx: DisconnectEventContext DisconnectEventContext ProviderDisconnectReason ProviderDisconnectReason.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Disconnect_Event_Callback_Ex

Description

NDKPI Disconnect Event CallbackEx: DisconnectEventContext DisconnectEventContext ProviderDisconnectReason ProviderDisconnectReason.

Message #

NDKPI Disconnect Event CallbackEx: DisconnectEventContext %1 ProviderDisconnectReason %2

Fields #

Name	Description
`DisconnectEventContext` Pointer
`ProviderDisconnectReason` UInt32

Event ID 1605: NDKPI AcceptEx: RequestContext RequestContext Connector NdkConnector QP NdkQp IRD IRD ORD ORD PrivateDataLength PrivateDataLength DisconnectEventContext DisconnectEventContext.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Accept_Ex

Description

NDKPI AcceptEx: RequestContext RequestContext Connector NdkConnector QP NdkQp IRD IRD ORD ORD PrivateDataLength PrivateDataLength DisconnectEventContext DisconnectEventContext.

Message #

NDKPI AcceptEx: RequestContext %6 Connector %1 QP %2 IRD %3 ORD %4 PrivateDataLength %7 DisconnectEventContext %5

Fields #

Name	Description
`NdkConnector` Pointer
`NdkQp` Pointer
`IRD` UInt32
`ORD` UInt32
`DisconnectEventContext` Pointer
`RequestContext` Pointer
`PrivateDataLength` UInt32

Event ID 1606: NDKPI CompleteConnectEx: RequestContext RequestContext Connector NdkConnector DisconnectEventContext DisconnectEventContext.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Complete_Connect_Ex

Description

NDKPI CompleteConnectEx: RequestContext RequestContext Connector NdkConnector DisconnectEventContext DisconnectEventContext.

Message #

NDKPI CompleteConnectEx: RequestContext %3 Connector %1 DisconnectEventContext %2

Fields #

Name	Description
`NdkConnector` Pointer
`DisconnectEventContext` Pointer
`RequestContext` Pointer

Event ID 1607: NDKPI Open Adapter Version Override: IF_INDEX IF_INDEX ProviderSupportedNDKVersion {ProviderSupportedNDKVersionMajor.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Open_Adapter_Version_Override

Description

NDKPI Open Adapter Version Override: IF_INDEX ProviderSupportedNDKVersion {.} FlConfiguredNdkpiVersion {.} ActualSupportedVersion {.}.

Message #

NDKPI Open Adapter Version Override: IF_INDEX %7 ProviderSupportedNDKVersion {%1.%2} FlConfiguredNdkpiVersion {%3.%4} ActualSupportedVersion {%5.%6}

Fields #

Name	Description
`ProviderSupportedNDKVersionMajor` UInt16
`ProviderSupportedNDKVersionMinor` UInt16
`FlConfiguredNdkpiVersionMajor` UInt16
`FlConfiguredNdkpiVersionMinor` UInt16
`ActualSupportedNDKVersionMajor` UInt16
`ActualSupportedNDKVersionMinor` UInt16
`IF_INDEX` UInt32

Event ID 1608: Fl Reload Registry Config: Override Status: OverrideStatus OldFlConfiguredVersion {OldFlVersionMajor.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Fl_Version_Config_Registry_Override

Description

Fl Reload Registry Config: Override Status: OverrideStatus OldFlConfiguredVersion {OldFlVersionMajor.OldFlVersionMinor} NewFlConfiguredVersion {NewFlVersionMajor.NewFlVersionMinor}.

Message #

Fl Reload Registry Config: Override Status: %5 OldFlConfiguredVersion {%1.%2} NewFlConfiguredVersion {%3.%4}

Fields #

Name	Description
`OldFlVersionMajor` UInt16
`OldFlVersionMinor` UInt16
`NewFlVersionMajor` UInt16
`NewFlVersionMinor` UInt16
`OverrideStatus` UnicodeString

Event ID 1609: NDKPI Open Adapter: Unexpected version returned by provider, IF_INDEX IF_INDEX ProviderSupportedNDKVersion {ProviderSupportedNDKVersionMajor.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Open_Adapter_Unexpected_Provider_Version

Description

NDKPI Open Adapter: Unexpected version returned by provider, IF_INDEX IF_INDEX ProviderSupportedNDKVersion {ProviderSupportedNDKVersionMajor.ProviderSupportedNDKVersionMinor} ConsumerSpecifiedVersion {ConsumerSpecifiedNdkpiVersionMajor.ConsumerSpecifiedNdkpiVersionMinor}.

Message #

NDKPI Open Adapter: Unexpected version returned by provider, IF_INDEX %5 ProviderSupportedNDKVersion {%1.%2} ConsumerSpecifiedVersion {%3.%4}

Fields #

Name	Description
`ProviderSupportedNDKVersionMajor` UInt16
`ProviderSupportedNDKVersionMinor` UInt16
`ConsumerSpecifiedNdkpiVersionMajor` UInt16
`ConsumerSpecifiedNdkpiVersionMinor` UInt16
`IF_INDEX` UInt32

Event ID 1610: TCPIP: Disconnected Standby traffic.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipDsDetectTraffic

Description

TCPIP: Disconnected Standby traffic. Event = StandbyEvent AddressFamily = AddressFamily.

Message #

TCPIP: Disconnected Standby traffic. Event = %1 AddressFamily = %2

Fields #

Name	Description
`StandbyEvent` UInt32
`AddressFamily` UInt32

Event ID 1611: TCPIP: Disconnected Standby (DS) transition detected.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipDsStateChange

Description

TCPIP: Disconnected Standby (DS) transition detected. IsSystemInDs=DSState.

Message #

TCPIP: Disconnected Standby (DS) transition detected. IsSystemInDs=%1

Fields #

Name	Description
`DSState` UInt32

Event ID 1612: ResetResolve API call: ProcessName API.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipDsResolveApi

Description

ResetResolve API call: ProcessName API.

Message #

ResetResolve API call: ProcessName %1

Fields #

Name	Description
`API` AnsiString

Event ID 1613: USO global disabled mask = UdpUsoDisabledMask.

Provider: Microsoft-Windows-TCPIP
Channel: Operational
Also via: realtime ETW trace
Level: Informational
Task: SendOffloadGlobalState
Opcode: win:Info

Description

USO global disabled mask = UdpUsoDisabledMask.

Message #

USO global disabled mask = %1.

Fields #

Name	Description
`UdpUsoDisabledMask` Int32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2F07E2EE-15DB-40F1-90EF-9D7BA282188A}",
    "event_source_name": "",
    "event_id": 1613,
    "version": 0,
    "level": 4,
    "task": 1613,
    "opcode": 0,
    "keywords": "0x0000008000000080",
    "time_created": "2026-06-02T06:03:32.471+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{2F07E2EE-15DB-40F1-90EF-9D7BA282188A}"
    },
    "execution": {
      "process_id": 11500,
      "thread_id": 16068
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "UdpUsoDisabledMask": 0
  },
  "message": "SendOffloadGlobalState"
}

Event ID 1614: Framing: SW URO SwUroEnabled, HW URO HwUroEnabled.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipFramingUroStatus

Description

Framing: SW URO SwUroEnabled, HW URO HwUroEnabled.

Message #

Framing: SW URO %1, HW URO %2

Fields #

Name	Description
`SwUroEnabled` UInt32
`HwUroEnabled` UInt32

Event ID 1615: Tcpip Power Policy set to: PowerPolicy.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipGlobalPowerPolicyChange

Description

Tcpip Power Policy set to: PowerPolicy.

Message #

Tcpip Power Policy set to: %1

Fields #

Name	Description
`PowerPolicy` UInt32

Event ID 1616: Router Solicitation sent.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipGlobalPowerPolicySendRS

Description

Router Solicitation sent. Interface: InterfaceIndex, Reason: RouterSolicitationReason, Tcpip Power Policy: PowerPolicy.

Message #

Router Solicitation sent. Interface: %1, Reason: %2, Tcpip Power Policy: %3

Fields #

Name	Description
`InterfaceIndex` UInt32
`RouterSolicitationReason` UInt32
`PowerPolicy` UInt32

Event ID 1617: Router Solicitation requested on dormant interface.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipGlobalPowerPolicyRequestRS

Description

Router Solicitation requested on dormant interface. Interface: InterfaceIndex, Reason: RouterSolicitationReason, Tcpip Power Policy: PowerPolicy.

Message #

Router Solicitation requested on dormant interface. Interface: %1, Reason: %2, Tcpip Power Policy: %3

Fields #

Name	Description
`InterfaceIndex` UInt32
`RouterSolicitationReason` UInt32
`PowerPolicy` UInt32

Event ID 1618: IP: Route lifetime refresh.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: Informational
Task: TcpipIpRouteLifetime
Opcode: win:Info

Description

IP: Route lifetime refresh. Interface = Interface, Protocol = Protocol, Compartment = Compartment, Prefix = DestinationPrefix/DestinationPrefixLength, NextHop = NextHopAddress, Metric = Metric, Origin = Origin, CurrentTime = CurrentTime, Old BaseTime = OldBasetime, Old ValidTime = OldValidTime, Old PreferredTime = OldPreferredTime, New BaseTime = NewBasetime, New ValidTime = NewValidTime, New PreferredTime = NewPreferredTime.

Message #

IP: Route lifetime refresh. Interface = %1, Protocol = %2, Compartment = %3, Prefix = %5/%6, NextHop = %8, Metric = %9, Origin = %10, CurrentTime = %11, Old BaseTime = %12, Old ValidTime = %13, Old PreferredTime = %14, New BaseTime = %15, New ValidTime = %16, New PreferredTime = %17.

Fields #

Name	Description
`Interface` UInt32
`Protocol` AnsiString	Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`Compartment` UInt32
`DestinationPrefixAddressLength` UInt32
`DestinationPrefix` Binary
`DestinationPrefixLength` UInt32
`NextHopAddressLength` UInt32
`NextHopAddress` Binary
`Metric` UInt32
`Origin` UInt32
`CurrentTime` UInt32
`OldBasetime` UInt32
`OldValidTime` UInt32
`OldPreferredTime` UInt32
`NewBasetime` UInt32
`NewValidTime` UInt32
`NewPreferredTime` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2F07E2EE-15DB-40F1-90EF-9D7BA282188A}",
    "event_source_name": "",
    "event_id": 1618,
    "version": 0,
    "level": 4,
    "task": 1618,
    "opcode": 0,
    "keywords": "0x0000008000000020",
    "time_created": "2026-06-02T06:03:39.063+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{2F07E2EE-15DB-40F1-90EF-9D7BA282188A}"
    },
    "execution": {
      "process_id": 17168,
      "thread_id": 16688
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Compartment": 1,
    "CurrentTime": 246857,
    "DestinationPrefix": "02000000000000000000000000000000",
    "DestinationPrefixAddressLength": 16,
    "DestinationPrefixLength": 0,
    "Interface": 11,
    "Metric": 256,
    "New Basetime": 246857,
    "New PreferredTime": 4294967295,
    "New ValidTime": 4294967295,
    "NextHopAddress": "020000000A020AFE0000000000000000",
    "NextHopAddressLength": 16,
    "Old Basetime": 246797,
    "Old PreferredTime": 4294967295,
    "Old ValidTime": 4294967295,
    "Origin": 0,
    "Protocol": "IPv4"
  },
  "message": "TcpipIpRouteLifetime"
}

Event ID 1619: IP: Constraint computation (unused) - Source address PreferredSourceIPAddress is preferred over NonPreferredSourceIPAddress for Destination DestinationIPAddress in Compartment CompartmentId, Reason...

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpSourceAddressSelection

Description

IP: Constraint computation (unused) - Source address PreferredSourceIPAddress is preferred over NonPreferredSourceIPAddress for Destination DestinationIPAddress in Compartment CompartmentId, Reason: RuleName (Rule Rule.RuleExtension).

Message #

IP: Constraint computation (unused) - Source address %2 is preferred over %3 for Destination %4 in Compartment %5, Reason: %8 (Rule %6.%7).

Fields #

Name	Description
`IpAddrLength` UInt32
`PreferredSourceIPAddress` Binary
`NonPreferredSourceIPAddress` Binary
`DestinationIPAddress` Binary
`CompartmentId` UInt32
`Rule` UInt32
`RuleExtension` UInt32
`RuleName` UInt32

Event ID 1620: WFP-ALE: RemoteEndPoint Cleanup: (local=LocalAddress remote=RemoteAddress) currentTick=CurrentTick lastTick=LastTick lifeTime=LifeTime LifetimeFactor=LifetimeFactor.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: Informational
Task: RemoteEndpointCleanup
Opcode: win:Info

Description

WFP-ALE: RemoteEndPoint Cleanup: (local=LocalAddress remote=RemoteAddress) currentTick=CurrentTick lastTick=LastTick lifeTime=LifeTime LifetimeFactor=LifetimeFactor.

Message #

WFP-ALE: RemoteEndPoint Cleanup: (local=%2 remote=%3) currentTick=%4 lastTick=%5 lifeTime=%6 LifetimeFactor=%7

Fields #

Name	Description
`AddressLength` UInt32
`LocalAddress` Binary
`RemoteAddress` Binary
`CurrentTick` UInt64
`LastTick` UInt64
`LifeTime` UInt32
`LifetimeFactor` UInt16

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2F07E2EE-15DB-40F1-90EF-9D7BA282188A}",
    "event_source_name": "",
    "event_id": 1620,
    "version": 0,
    "level": 4,
    "task": 1620,
    "opcode": 0,
    "keywords": "0x0000000000008000",
    "time_created": "2026-06-02T06:03:37.765+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{2F07E2EE-15DB-40F1-90EF-9D7BA282188A}"
    },
    "execution": {
      "process_id": 9180,
      "thread_id": 17448
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "AddressLength": 16,
    "CurrentTick": 123427397,
    "LastTick": 123307081,
    "LifeTime": 60,
    "LifetimeFactor": 1,
    "LocalAddress": "020000000A020A6F0000000000000000",
    "RemoteAddress": "02000001080808080000000000000000"
  },
  "message": "RemoteEndpointCleanup"
}

Event ID 1621: FL: Virtual interface creation.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: FlVirtualInterfaceCreation

Description

FL: Virtual interface creation. Interface = IfLuid, Family = AddressFamily, CompartmentGuid = CompartmentGuid, CompartmentId = CompartmentId, IsolationMode = IsolationMode, IsolationId = IsolalationId, Origin = Origin, VirtualIfLuid = VirtualIfLuid, VirtualIfIndex = VirtualIfIndex.

Message #

FL: Virtual interface creation. Interface = %1, Family = %2, CompartmentGuid = %3, CompartmentId = %4, IsolationMode = %5, IsolationId = %6, Origin = %7, VirtualIfLuid = %8, VirtualIfIndex = %9

Fields #

Name	Description
`IfLuid` UInt64
`AddressFamily` UInt32
`CompartmentGuid` GUID
`CompartmentId` UInt32
`IsolationMode` UInt32
`IsolalationId` UInt32
`Origin` UInt32
`VirtualIfLuid` UInt64
`VirtualIfIndex` UInt32

Event ID 1622: FL: Virtual interface deletion.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: FlVirtualInterfaceDeletion

Description

FL: Virtual interface deletion. Interface = IfLuid, Family = AddressFamily, CompartmentGuid = CompartmentGuid, CompartmentId = CompartmentId, IsolationMode = IsolationMode, IsolationId = IsolalationId, Origin = Origin, VirtualIfLuid = VirtualIfLuid, VirtualIfIndex = VirtualIfIndex.

Message #

FL: Virtual interface deletion. Interface = %1, Family = %2, CompartmentGuid = %3, CompartmentId = %4, IsolationMode = %5, IsolationId = %6, Origin = %7, VirtualIfLuid = %8, VirtualIfIndex = %9

Fields #

Name	Description
`IfLuid` UInt64
`AddressFamily` UInt32
`CompartmentGuid` GUID
`CompartmentId` UInt32
`IsolationMode` UInt32
`IsolalationId` UInt32
`Origin` UInt32
`VirtualIfLuid` UInt64
`VirtualIfIndex` UInt32

Event ID 1623: Tcpip Power Policy Standby-to-Full-Power transition detected.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipGlobalPowerPolicyTransitionAdjustment

Description

Tcpip Power Policy Standby-to-Full-Power transition detected. Lifetimes adjusted for Interface:InterfaceIndex, DestinationPrefix:DestinationPrefix/DestinationPrefixLength, NextHopAddress:NextHopAddress, EnteredStandbySystemTickCount:EnteredStandbySystemTickCount, CurrentTickCount:CurrentTickCount, ValidLifetimeHighWaterTickCount:ValidLifetimeHighWaterTickCount

Message #

Tcpip Power Policy Standby-to-Full-Power transition detected. Lifetimes adjusted for Interface:%1, DestinationPrefix:%3/%4, NextHopAddress:%6, EnteredStandbySystemTickCount:%7, CurrentTickCount:%8, ValidLifetimeHighWaterTickCount:%9

Fields #

Name	Description
`InterfaceIndex` UInt32
`DestinationPrefixAddressLength` UInt32
`DestinationPrefix` Binary
`DestinationPrefixLength` UInt32
`NextHopAddressLength` UInt32
`NextHopAddress` Binary
`EnteredStandbySystemTickCount` UInt64
`CurrentTickCount` UInt32
`ValidLifetimeHighWaterTickCount` UInt32

Event ID 1624: TCP: connection Tcb: flow label refreshed, old = OldFlowLabel new = NewFlowLabel.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpFlowLabelRefresh

Description

TCP: connection Tcb: flow label refreshed, old = OldFlowLabel new = NewFlowLabel.

Message #

TCP: connection %1: flow label refreshed, old = %2 new = %3.

Fields #

Name	Description
`Tcb` Pointer
`OldFlowLabel` UInt32
`NewFlowLabel` UInt32

Event ID 1625: TCP: Connection Tcb send idle triggered.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: Informational
Task: TcpCwndRestart
Opcode: win:Info

Description

TCP: Connection Tcb send idle triggered. OldCwnd = OldCwnd, NewCwnd = NewCwnd, CurrentTick = CurrentTick, IdleTick = IdleTick, RTO = Rto.

Message #

TCP: Connection %1 send idle triggered. OldCwnd = %2, NewCwnd = %3, CurrentTick = %5, IdleTick = %6, RTO = %7

Fields #

Name	Description
`Tcb` Pointer
`OldCwnd` UInt32
`NewCwnd` UInt32
`Processor` UInt32
`CurrentTick` UInt32
`IdleTick` UInt32
`Rto` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2F07E2EE-15DB-40F1-90EF-9D7BA282188A}",
    "event_source_name": "",
    "event_id": 1625,
    "version": 0,
    "level": 4,
    "task": 1221,
    "opcode": 0,
    "keywords": "0x0000000100000000",
    "time_created": "2026-06-02T06:03:34.152+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{F7642010-BD09-FFFF-0000-000000000000}"
    },
    "execution": {
      "process_id": 2940,
      "thread_id": 13708
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "CurrentTick": 123423807,
    "IdleTick": 123421941,
    "NewCwnd": 269440,
    "OldCwnd": 269440,
    "Processor": 0,
    "Rto": 300,
    "Tcb": "0xFFFFBD09F7642010"
  },
  "message": "TcpCwndRestart"
}

Event ID 1626: TCP: connection Tcb: bytes limited by sender = SenderLimitedBytes receiver = ReceiverLimitedBytes congestion = CongestionLimitedBytes.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: Verbose
Task: TcpLimitingFactor
Opcode: win:Info

Description

TCP: connection Tcb: bytes limited by sender = SenderLimitedBytes receiver = ReceiverLimitedBytes congestion = CongestionLimitedBytes.

Message #

TCP: connection %1: bytes limited by sender = %2 receiver = %3 congestion = %4.

Fields #

Name	Description
`Tcb` Pointer
`SenderLimitedBytes` UInt64
`ReceiverLimitedBytes` UInt64
`CongestionLimitedBytes` UInt64

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2F07E2EE-15DB-40F1-90EF-9D7BA282188A}",
    "event_source_name": "",
    "event_id": 1626,
    "version": 0,
    "level": 5,
    "task": 1626,
    "opcode": 0,
    "keywords": "0x0000000100000000",
    "time_created": "2026-06-02T06:03:34.153+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{F7642010-BD09-FFFF-0000-000000000000}"
    },
    "execution": {
      "process_id": 2940,
      "thread_id": 13708
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "CongestionLimitedBytes": 0,
    "ReceiverLimitedBytes": 0,
    "SenderLimitedBytes": 2328397,
    "Tcb": "0xFFFFBD09F7642010"
  },
  "message": "TcpLimitingFactor"
}

Event ID 1627: UDP: ChangeReason scheduled HW URO to be NewUroState on interface IfLuid.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: UdpOffloadHwUroChangeScheduled

Description

UDP: ChangeReason scheduled HW URO to be NewUroState on interface IfLuid. CurrentState:CurrentUroState. Last scheduled state: LastScheduledState.

Message #

UDP: %2 scheduled HW URO to be %3 on interface %1. CurrentState:%4. Last scheduled state: %5

Fields #

Name	Description
`IfLuid` UInt64
`ChangeReason` UInt32
`NewUroState` UInt32
`CurrentUroState` UInt32
`LastScheduledState` UInt32
`FailureReasonFlags` UInt32

Event ID 1628: UDP: ChangeReason NewUroState HW URO on interface IfLuid.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: UdpOffloadHwUroChangeComplete

Description

UDP: ChangeReason NewUroState HW URO on interface IfLuid. Status: Status.

Message #

UDP: %2 %3 HW URO on interface %1. Status: %4

Fields #

Name	Description
`IfLuid` UInt64
`ChangeReason` UInt32
`NewUroState` UInt32
`Status` UInt32	NTSTATUS reference
`FailureReasonFlags` UInt32

Event ID 1629: FL: FLSNPI client attach.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: FlsnpiClientAttach

Description

FL: FLSNPI client attach. Client: ClientName, AddressFamily: AddressFamily, NpiVersion: ClientNpiVersion, NblContextSize: NblContextSize, FailureReason: FailureReason, Status: Status.

Message #

FL: FLSNPI client attach. Client: %1, AddressFamily: %2, NpiVersion: %3, NblContextSize: %4, FailureReason: %5, Status: %6.

Fields #

Name	Description
`ClientName` UnicodeString
`AddressFamily` UInt32
`ClientNpiVersion` UInt32
`NblContextSize` UInt32
`FailureReason` UInt32	Known values `%%2304` An Error occured during Logon. `%%2305` The specified user account has expired. `%%2306` The NetLogon component is not active. `%%2307` Account locked out. `%%2308` The user has not been granted the requested logon type at this machine. `%%2309` The specified account's password has expired. `%%2310` Account currently disabled. `%%2311` Account logon time restriction violation. `%%2312` User not allowed to logon at this computer. `%%2313` Unknown user name or bad password. `%%2314` Domain sid inconsistent. `%%2315` Smartcard logon is required and was not used.
`Status` UInt32	NTSTATUS reference

Event ID 1630: FL: FLSNPI client detach.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: FlsnpiClientDetach

Description

FL: FLSNPI client detach. Client: ClientName, AddressFamily: AddressFamily.

Message #

FL: FLSNPI client detach. Client: %1, AddressFamily: %2.

Fields #

Name	Description
`ClientName` UnicodeString
`AddressFamily` UInt32

Event ID 1631: FL: FLSNPI client interface attach.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: FlsnpiClientInterfaceAttach

Description

FL: FLSNPI client interface attach. Client: ClientName, AddressFamily: AddressFamily, CompartmentId: CompartmentId, IfIndex: IfIndex, VirtualIfId: VirtualIfId, Flags: Flags, FailureReason: FailureReason, Status: Status.

Message #

FL: FLSNPI client interface attach. Client: %1, AddressFamily: %2, CompartmentId: %3, IfIndex: %4, VirtualIfId: %5, Flags: %6, FailureReason: %7, Status: %8.

Fields #

Name	Description
`ClientName` UnicodeString
`AddressFamily` UInt32
`CompartmentId` UInt32
`IfIndex` UInt32
`VirtualIfId` UInt32
`Flags` UInt32
`FailureReason` UInt32	Known values `%%2304` An Error occured during Logon. `%%2305` The specified user account has expired. `%%2306` The NetLogon component is not active. `%%2307` Account locked out. `%%2308` The user has not been granted the requested logon type at this machine. `%%2309` The specified account's password has expired. `%%2310` Account currently disabled. `%%2311` Account logon time restriction violation. `%%2312` User not allowed to logon at this computer. `%%2313` Unknown user name or bad password. `%%2314` Domain sid inconsistent. `%%2315` Smartcard logon is required and was not used.
`Status` UInt32	NTSTATUS reference

Event ID 1632: FL: FLSNPI client interface detach.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: FlsnpiClientInterfaceDetach

Description

FL: FLSNPI client interface detach. Client: ClientName, AddressFamily: AddressFamily, CompartmentId: CompartmentId, IfIndex: IfIndex, VirtualIfId: VirtualIfId, Flags: Flags, FailureReason: FailureReason, Status: Status.

Message #

FL: FLSNPI client interface detach. Client: %1,  AddressFamily: %2, CompartmentId: %3, IfIndex: %4, VirtualIfId: %5, Flags: %8, FailureReason: %6, Status: %7.

Fields #

Name	Description
`ClientName` UnicodeString
`AddressFamily` UInt32
`CompartmentId` UInt32
`IfIndex` UInt32
`VirtualIfId` UInt32
`FailureReason` UInt32	Known values `%%2304` An Error occured during Logon. `%%2305` The specified user account has expired. `%%2306` The NetLogon component is not active. `%%2307` Account locked out. `%%2308` The user has not been granted the requested logon type at this machine. `%%2309` The specified account's password has expired. `%%2310` Account currently disabled. `%%2311` Account logon time restriction violation. `%%2312` User not allowed to logon at this computer. `%%2313` Unknown user name or bad password. `%%2314` Domain sid inconsistent. `%%2315` Smartcard logon is required and was not used.
`Status` UInt32	NTSTATUS reference
`Flags` UInt32

Event ID 1633: FL: FLSNPI datapath failure.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: FlsnpiDataPathFailure

Description

FL: FLSNPI datapath failure. Operation: Operation, AddressFamily: AddressFamily, Direction: PathDirection, Client:ClientName, CompartmentId: CompartmentId, IfIndex: IfIndex, VirtualIfId: VirtualIfId, Flags: Flags, InjectIfIndex: InjectionIfIndex, FailureReason: FailureReason, Status: Status.

Message #

FL: FLSNPI datapath failure. Operation: %1, AddressFamily: %2, Direction: %3, Client:%4, CompartmentId: %5, IfIndex: %6, VirtualIfId: %7, Flags: %8, InjectIfIndex: %11, FailureReason: %9, Status: %10

Fields #

Name	Description
`Operation` UInt32	Known values `%%2456` Open key file. `%%2457` Delete key file. `%%2458` Read persisted key from file. `%%2459` Write persisted key to file. `%%2464` Export of persistent cryptographic key. `%%2465` Import of persistent cryptographic key. `%%2480` Open Key. `%%2481` Create Key. `%%2482` Delete Key. `%%2483` Encrypt. `%%2484` Decrypt. `%%2485` Sign hash. `%%2486` Secret agreement. `%%2487` Domain settings. `%%2488` Local settings. `%%2489` Add provider. `%%2490` Remove provider. `%%2491` Add context. `%%2492` Remove context. `%%2493` Add function. `%%2494` Remove function. `%%2495` Add function provider. `%%2496` Remove function provider. `%%2497` Add function property. `%%2498` Remove function property. `%%2499` Machine key. `%%2500` User key. `%%2501` Key Derivation. `%%2502` Claim Creation. `%%2503` Claim Verification.
`AddressFamily` UInt32
`PathDirection` UInt32
`ClientName` UnicodeString
`CompartmentId` UInt32
`IfIndex` UInt32
`VirtualIfId` UInt32
`Flags` UInt32
`FailureReason` UInt32	Known values `%%2304` An Error occured during Logon. `%%2305` The specified user account has expired. `%%2306` The NetLogon component is not active. `%%2307` Account locked out. `%%2308` The user has not been granted the requested logon type at this machine. `%%2309` The specified account's password has expired. `%%2310` Account currently disabled. `%%2311` Account logon time restriction violation. `%%2312` User not allowed to logon at this computer. `%%2313` Unknown user name or bad password. `%%2314` Domain sid inconsistent. `%%2315` Smartcard logon is required and was not used.
`Status` UInt32	NTSTATUS reference
`InjectionIfIndex` UInt32

Event ID 1634: FL: FLSNPI client silent drop.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: FlsnpiClientSilentDrop

Description

FL: FLSNPI client silent drop. Direction: PathDirection, AddressFamily:AddressFamily, Client: ClientName, CompartmentId: CompartmentId, IfIndex: InterfaceIndex, VirtualIfId: VirtualIfId, PacketCount: PacketCount.

Message #

FL: FLSNPI client silent drop. Direction: %1, AddressFamily:%2, Client: %3, CompartmentId: %4, IfIndex: %5, VirtualIfId: %6, PacketCount: %7.

Fields #

Name	Description
`PathDirection` UInt32
`AddressFamily` UInt32
`ClientName` UnicodeString
`CompartmentId` UInt32
`InterfaceIndex` UInt32
`VirtualIfId` UInt32
`PacketCount` UInt32

Event ID 1635: FL: FLSNPI indication stats.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: FlsnpiPacketStats

Description

FL: FLSNPI indication stats. Direction: Direction, AddressFamily:AddressFamily, CompartmentId: CompartmentId, IfIndex: InterfaceIndex, VirtualIfId: VirtualIfId, PacketsIndicated: PacketsIndicated, PacketsReturned: PacketsReturned, PacketsInjected: PacketsInjected, PacketsCloned: PacketsCloned, PacketsClonedForSplitNB: PacketsClonedWithNBSplit, PacketsDropped: PacketsDropped, PacketsSilentlyDropped: PacketsSilentlyDropped.

Message #

FL: FLSNPI indication  stats. Direction: %1, AddressFamily:%2, CompartmentId: %3, IfIndex: %4, VirtualIfId: %5, PacketsIndicated: %6, PacketsReturned: %7, PacketsInjected: %8, PacketsCloned: %9, PacketsClonedForSplitNB: %10, PacketsDropped: %11, PacketsSilentlyDropped: %12.

Fields #

Name	Description
`Direction` UInt32	Known values `%%14592` Inbound `%%14593` Outbound `%%14594` Forward `%%14595` Bidirectional
`AddressFamily` UInt32
`CompartmentId` UInt32
`InterfaceIndex` UInt32
`VirtualIfId` UInt32
`PacketsIndicated` UInt32
`PacketsReturned` UInt32
`PacketsInjected` UInt32
`PacketsCloned` UInt32
`PacketsClonedWithNBSplit` UInt32
`PacketsDropped` UInt32
`PacketsSilentlyDropped` UInt32

Event ID 1636: TCPIP: Current Power Policy : PowerPolicy.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: Informational
Task: TcpipPowerPolicyRundown
Opcode: win:Info

Description

TCPIP: Current Power Policy : PowerPolicy.

Message #

TCPIP: Current Power Policy : %1.

Fields #

Name	Description
`PowerPolicy` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2F07E2EE-15DB-40F1-90EF-9D7BA282188A}",
    "event_source_name": "",
    "event_id": 1636,
    "version": 0,
    "level": 4,
    "task": 1636,
    "opcode": 0,
    "keywords": "0x0000008000000000",
    "time_created": "2026-06-02T06:03:32.471+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{2F07E2EE-15DB-40F1-90EF-9D7BA282188A}"
    },
    "execution": {
      "process_id": 11500,
      "thread_id": 16068
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "PowerPolicy": 1
  },
  "message": "TcpipPowerPolicyRundown"
}

Event ID 1637: TCP: connection Tcb send acked NumBytes bytes starting from SndNxt ActivityID = ActivityID.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Also via: realtime ETW trace
Level: Informational
Task: TcpSendAcked
Opcode: win:Info

Description

TCP: connection Tcb send acked NumBytes bytes starting from SndNxt ActivityID = ActivityID.

Message #

TCP: connection %1 send acked %2 bytes starting from %3 ActivityID = %4.

Fields #

Name	Description
`Tcb` Pointer
`NumBytes` UInt32
`SndNxt` UInt32
`ActivityID` Pointer
`SndLimBytesSnd` UInt64
`SndLimBytesRwin` UInt64
`SndLimBytesCwnd` UInt64
`CWnd` UInt32
`SRtt` UInt32
`LossRecoveryEpisodes` UInt32
`RtoEpisodes` UInt32
`PtoEpisodes` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2F07E2EE-15DB-40F1-90EF-9D7BA282188A}",
    "event_source_name": "",
    "event_id": 1637,
    "version": 0,
    "level": 4,
    "task": 1637,
    "opcode": 0,
    "keywords": "0x0000400100000000",
    "time_created": "2026-06-02T06:03:34.154+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{F7642010-BD09-FFFF-0000-000000000000}"
    },
    "execution": {
      "process_id": 2764,
      "thread_id": 812
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ActivityID": "0xFFFFBD09E5A7D5B0",
    "CWnd": 269440,
    "LossRecoveryEpisodes": 0,
    "NumBytes": 1564,
    "PtoEpisodes": 0,
    "RtoEpisodes": 0,
    "SRtt": 2444,
    "SndLimBytesCwnd": 0,
    "SndLimBytesRwin": 0,
    "SndLimBytesSnd": 2328397,
    "SndNxt": 2424966219,
    "Tcb": "0xFFFFBD09F7642010"
  },
  "message": "TcpSendAcked"
}

Event ID 1638: IP: Event.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpRaPref64Event

Description

IP: Event. Interface = Interface, Compartment = CompartmentId, RouterAddress = RouterAddress, Prefix = Prefix/PrefixLength, Lifetime = Lifetime.

Message #

IP: %1. Interface = %2, Compartment = %3, RouterAddress = %5, Prefix = %7/%8, Lifetime = %9.

Fields #

Name	Description
`Event` UInt32
`Interface` UInt32
`CompartmentId` UInt32
`RouterAddrLength` UInt32
`RouterAddress` Binary
`PrefixAddrLength` UInt32
`Prefix` Binary
`PrefixLength` UInt32
`Lifetime` UInt32

Event ID 1638: IP:

Provider: Microsoft-Windows-TCPIP
Channel: Operational
Task: IpRaPref64Event

Description

IP: . Interface = , Compartment = , RouterAddress = , Prefix = /, Lifetime = .

Fields #

Name	Description
`Event` UInt32
`Interface` UInt32
`CompartmentId` UInt32
`RouterAddrLength` UInt32
`RouterAddress` Binary
`PrefixAddrLength` UInt32
`Prefix` Binary
`PrefixLength` UInt32
`Lifetime` UInt32

Event ID 1639: IP: Destination cache invalidated.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpDestinationCacheInvalidation

Description

IP: Destination cache invalidated. Compartment = CompartmentId, Family = AddressFamily, RoutingEpoch = RoutingEpoch.

Message #

IP: Destination cache invalidated. Compartment = %1, Family = %2, RoutingEpoch = %3.

Fields #

Name	Description
`CompartmentId` UInt32
`AddressFamily` UInt32
`RoutingEpoch` Int32

Event ID 1639: IP: Destination cache invalidated

Provider: Microsoft-Windows-TCPIP
Channel: Operational
Task: IpDestinationCacheInvalidation

Description

IP: Destination cache invalidated. Compartment = , Family = , RoutingEpoch = .

Fields #

Name	Description
`CompartmentId` UInt32
`AddressFamily` UInt32
`RoutingEpoch` Int32

Event ID 1640: FL: Virtual interface set failed.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: FlVirtualIfSetError

Description

FL: Virtual interface set failed. NsiAction = NsiAction, Family AddressFamily, IfLuid = IfLuid, CompartmentGuid = CompartmentGuid, VirtualIfId = VirtualIfId, IsolationMode = IsolationMode, Status = Status, Reason = FailureReason.

Message #

FL: Virtual interface set failed. NsiAction = %1, Family %2, IfLuid = %3, CompartmentGuid = %4, VirtualIfId = %5, IsolationMode = %6, Status = %7, Reason = %8

Fields #

Name	Description
`NsiAction` UInt32
`AddressFamily` UInt32
`IfLuid` UInt64
`CompartmentGuid` GUID
`VirtualIfId` UInt32
`IsolationMode` UInt32
`Status` UInt32	NTSTATUS reference
`FailureReason` UInt32	Known values `%%2304` An Error occured during Logon. `%%2305` The specified user account has expired. `%%2306` The NetLogon component is not active. `%%2307` Account locked out. `%%2308` The user has not been granted the requested logon type at this machine. `%%2309` The specified account's password has expired. `%%2310` Account currently disabled. `%%2311` Account logon time restriction violation. `%%2312` User not allowed to logon at this computer. `%%2313` Unknown user name or bad password. `%%2314` Domain sid inconsistent. `%%2315` Smartcard logon is required and was not used.

Event ID 1640: FL: Virtual interface set failed

Provider: Microsoft-Windows-TCPIP
Channel: Operational
Task: FlVirtualIfSetError

Description

FL: Virtual interface set failed. NsiAction = , Family , IfLuid = , CompartmentGuid = , VirtualIfId = , IsolationMode = , Status = , Reason =.

Fields #

Name	Description
`NsiAction` UInt32
`AddressFamily` UInt32
`IfLuid` UInt64
`CompartmentGuid` GUID
`VirtualIfId` UInt32
`IsolationMode` UInt32
`Status` UInt32	NTSTATUS reference
`FailureReason` UInt32	Known values `%%2304` An Error occured during Logon. `%%2305` The specified user account has expired. `%%2306` The NetLogon component is not active. `%%2307` Account locked out. `%%2308` The user has not been granted the requested logon type at this machine. `%%2309` The specified account's password has expired. `%%2310` Account currently disabled. `%%2311` Account logon time restriction violation. `%%2312` User not allowed to logon at this computer. `%%2313` Unknown user name or bad password. `%%2314` Domain sid inconsistent. `%%2315` Smartcard logon is required and was not used.

Event ID 1641: FL: Virtual interface get failed.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: FlVirtualIfGetError

Description

FL: Virtual interface get failed. NsiAction = NsiAction, Family AddressFamily, IfLuid = IfLuid, CompartmentGuid = CompartmentGuid, VirtualIfId = VirtualIfId, IsolationMode = IsolationMode, Status = Status, Reason = FailureReason.

Message #

FL: Virtual interface get failed. NsiAction = %1, Family %2, IfLuid = %3, CompartmentGuid = %4, VirtualIfId = %5, IsolationMode = %6, Status = %7, Reason = %8

Fields #

Name	Description
`NsiAction` UInt32
`AddressFamily` UInt32
`IfLuid` UInt64
`CompartmentGuid` GUID
`VirtualIfId` UInt32
`IsolationMode` UInt32
`Status` UInt32	NTSTATUS reference
`FailureReason` UInt32	Known values `%%2304` An Error occured during Logon. `%%2305` The specified user account has expired. `%%2306` The NetLogon component is not active. `%%2307` Account locked out. `%%2308` The user has not been granted the requested logon type at this machine. `%%2309` The specified account's password has expired. `%%2310` Account currently disabled. `%%2311` Account logon time restriction violation. `%%2312` User not allowed to logon at this computer. `%%2313` Unknown user name or bad password. `%%2314` Domain sid inconsistent. `%%2315` Smartcard logon is required and was not used.

Event ID 1641: FL: Virtual interface get failed

Provider: Microsoft-Windows-TCPIP
Channel: Operational
Task: FlVirtualIfGetError

Description

FL: Virtual interface get failed. NsiAction = , Family , IfLuid = , CompartmentGuid = , VirtualIfId = , IsolationMode = , Status = , Reason =.

Fields #

Name	Description
`NsiAction` UInt32
`AddressFamily` UInt32
`IfLuid` UInt64
`CompartmentGuid` GUID
`VirtualIfId` UInt32
`IsolationMode` UInt32
`Status` UInt32	NTSTATUS reference
`FailureReason` UInt32	Known values `%%2304` An Error occured during Logon. `%%2305` The specified user account has expired. `%%2306` The NetLogon component is not active. `%%2307` Account locked out. `%%2308` The user has not been granted the requested logon type at this machine. `%%2309` The specified account's password has expired. `%%2310` Account currently disabled. `%%2311` Account logon time restriction violation. `%%2312` User not allowed to logon at this computer. `%%2313` Unknown user name or bad password. `%%2314` Domain sid inconsistent. `%%2315` Smartcard logon is required and was not used.

Event ID 1642: IP: Received Prefix Option in Router Advertisement.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpRecvPrefixOptionInRouterAdvertisement

Description

IP: Received Prefix Option in Router Advertisement. Interface(Index/GUID) = InterfaceIndex/InterfaceGuid, Compartment = CompartmentId, SourceIpAddress = SourceIpAddress, Prefix(Value/Length) = PrefixValue/PrefixLength, Lifetimes(Valid/Preferred) = ValidLifetime/PreferredLifetime, Flags = FlagsValue (Route = IsRoute, SitePrefix = IsSitePrefix, RouterAddress = IsRouterAddress, Autonomous = IsAutonomous, OnLink = IsOnLink)

Message #

IP: Received Prefix Option in Router Advertisement. Interface(Index/GUID) = %1/%2, Compartment = %3, SourceIpAddress = %5, Prefix(Value/Length) = %6/%7, Lifetimes(Valid/Preferred) = %8/%9, Flags = %10 (Route = %11, SitePrefix = %12, RouterAddress = %13, Autonomous = %14, OnLink = %15)

Fields #

Name	Description
`InterfaceIndex` UInt32
`InterfaceGuid` GUID
`CompartmentId` UInt32
`AddressLength` UInt32
`SourceIpAddress` Binary
`PrefixValue` Binary
`PrefixLength` UInt32
`ValidLifetime` UInt32
`PreferredLifetime` UInt32
`FlagsValue` UInt8
`IsRoute` Boolean
`IsSitePrefix` Boolean
`IsRouterAddress` Boolean
`IsAutonomous` Boolean
`IsOnLink` Boolean

Event ID 1642: IP: Received Prefix Option in Router Advertisement

Provider: Microsoft-Windows-TCPIP
Channel: Operational
Task: IpRecvPrefixOptionInRouterAdvertisement

Fields #

Name	Description
`InterfaceIndex` UInt32
`InterfaceGuid` GUID
`CompartmentId` UInt32
`AddressLength` UInt32
`SourceIpAddress` Binary
`PrefixValue` Binary
`PrefixLength` UInt32
`ValidLifetime` UInt32
`PreferredLifetime` UInt32
`FlagsValue` UInt8
`IsRoute` Boolean
`IsSitePrefix` Boolean
`IsRouterAddress` Boolean
`IsAutonomous` Boolean
`IsOnLink` Boolean

Provenance

Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.

ETW provider GUID {2F07E2EE-15DB-40F1-90EF-9D7BA282188A}

Defined in tcpip.sys, the binary that emits these events.

Observed on:

WS2022-20348.4893, sample captured from a live trace, binary version 10.0.20348.4297, captured 2026-06-02
Win11-26200.6584, sample captured from a live trace, binary version 10.0.26100.5074, captured 2026-06-02
WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.4297, captured 2026-06-02
Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.5074, captured 2026-06-02

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)