Microsoft-Windows-TunnelDriver

28 events across 1 channel

Event	Title	Channel	Sample
1000	Tunnel Driver of type TunnelType successfully initialized with index Index.	Microsoft-Windows-TunnelDriver	N
1001	Tunnel Driver of type TunnelType could not initialize.	Microsoft-Windows-TunnelDriver	N
1002	Tunnel Driver Load: TunnelType.	Microsoft-Windows-TunnelDriver	N
1003	Tunnel Updated flag for Interface with index InterfaceIndex, interface …	Microsoft-Windows-TunnelDriver	N
1004	Tunnel received packet with incomplete inner IP header	Microsoft-Windows-TunnelDriver	N
1005	Could not find tunnel interface for packet.	Microsoft-Windows-TunnelDriver	N
1006	Packet filter on tunnel interface InterfaceIndex is off.	Microsoft-Windows-TunnelDriver	N
1007	Packet failed integrity check on interface type TunnelType with index …	Microsoft-Windows-TunnelDriver	N
1008	Non IPv6 Packet received on interface InterfaceIndex.	Microsoft-Windows-TunnelDriver	N
1009	Could not find tunnel interface for truncated ICMP message.	Microsoft-Windows-TunnelDriver	N
1010	Could not find the source of the ICMP message on tunnel interface …	Microsoft-Windows-TunnelDriver	N
1011	Failed to copy Buffer into MDL while generating ICMPv6 message on tunnel …	Microsoft-Windows-TunnelDriver	N
1012	Completing the pause for tunnel interface InterfaceIndex.	Microsoft-Windows-TunnelDriver	N
1013	Completing power notification for tunnel interface InterfaceIndex.	Microsoft-Windows-TunnelDriver	N
1014	Tunnel interface InterfaceIndex has media status set to MediaStatus.	Microsoft-Windows-TunnelDriver	N
1015	Tunnel interface InterfaceIndex ReadError could not be read.	Microsoft-Windows-TunnelDriver	N
1016	Tunnel interface Index has unknown type TunnelType.	Microsoft-Windows-TunnelDriver	N
1017	Tunnel interface of type TunnelType with index Index has been …	Microsoft-Windows-TunnelDriver	N
1018	Teredo Tunnel offload TeredoFlowTuple flow entry freed.	Microsoft-Windows-TunnelDriver	N
1019	Teredo WFP receive path worker has NULL clone list.	Microsoft-Windows-TunnelDriver	N
1020	Skipped offload flow creation for non-Teredo address pair.	Microsoft-Windows-TunnelDriver	N
1021	Teredo Wfp created IPv4 flow with following parameters.	Microsoft-Windows-TunnelDriver	N
1022	Teredo Wfp registration occured with status NTStatus.	Microsoft-Windows-TunnelDriver	N
1023	Teredo Wfp created V6 flow with status NTStatus following parameters.	Microsoft-Windows-TunnelDriver	N
1024	Tunnel type TunnelType with index TunnelInterfaceIndex has IPv4 address …	Microsoft-Windows-TunnelDriver	N
1025	Tunnel type TunnelType offloaded OffloadedNblCount NBLs, Could not offload …	Microsoft-Windows-TunnelDriver	N
1026	Tunnel Type TunnelType with index InterfaceIndex is in an invalid device state …	Microsoft-Windows-TunnelDriver	N
1027	Teredo tunnel callout wasn't allowed to modify a packet.	Microsoft-Windows-TunnelDriver	N

Event ID 1000: Tunnel Driver of type TunnelType successfully initialized with index Index.

Provider: Microsoft-Windows-TunnelDriver
Channel: Microsoft-Windows-TunnelDriver

Description

Tunnel Driver of type TunnelType successfully initialized with index Index.

Message #

Tunnel Driver of type %1 successfully initialized with index %2.

Fields #

Name	Description
`TunnelType` UInt32
`Index` UInt32

Event ID 1001: Tunnel Driver of type TunnelType could not initialize.

Provider: Microsoft-Windows-TunnelDriver
Channel: Microsoft-Windows-TunnelDriver

Description

Tunnel Driver of type TunnelType could not initialize.

Message #

Tunnel Driver of type %1 could not initialize.
 Windows Status Code %2, Tunnel Status Code %3.

Fields #

Name	Description
`TunnelType` UInt32
`ErrorCode` UInt32
`TunnelReasonCode` UInt32

Event ID 1002: Tunnel Driver Load: TunnelType.

Provider: Microsoft-Windows-TunnelDriver
Channel: Microsoft-Windows-TunnelDriver

Description

Tunnel Driver Load: TunnelType. Status ErrorCode.

Message #

Tunnel Driver Load: %1. Status %2

Fields #

Name	Description
`TunnelType` UInt32
`ErrorCode` UInt32

Event ID 1003: Tunnel Updated flag for Interface with index InterfaceIndex, interface forwarding isForwardingset, weakhostreceive isWeakHostReceiveset.

Provider: Microsoft-Windows-TunnelDriver
Channel: Microsoft-Windows-TunnelDriver

Description

Tunnel Updated flag for Interface with index InterfaceIndex, interface forwarding isForwardingset, weakhostreceive isWeakHostReceiveset.

Message #

Tunnel Updated flag for Interface with index %1, interface forwarding is%2set, weakhostreceive is%3set.

Fields #

Name	Description
`InterfaceIndex` UInt32
`Forwarding` UInt32
`WeakHostReceive` UInt32

Event ID 1004: Tunnel received packet with incomplete inner IP header

Provider: Microsoft-Windows-TunnelDriver
Channel: Microsoft-Windows-TunnelDriver

Description

Tunnel received packet with incomplete inner IP header.

Message #

Tunnel received packet with incomplete inner IP header

Event ID 1005: Could not find tunnel interface for packet.

Provider: Microsoft-Windows-TunnelDriver
Channel: Microsoft-Windows-TunnelDriver

Description

Could not find tunnel interface for packet.

Message #

Could not find tunnel interface for packet.

Event ID 1006: Packet filter on tunnel interface InterfaceIndex is off.

Provider: Microsoft-Windows-TunnelDriver
Channel: Microsoft-Windows-TunnelDriver

Description

Packet filter on tunnel interface InterfaceIndex is off. Dropping Packet.

Message #

Packet filter on tunnel interface %1 is off. Dropping Packet.

Fields #

Name	Description
`InterfaceIndex` UInt32

Event ID 1007: Packet failed integrity check on interface type TunnelType with index InterfaceIndex.

Provider: Microsoft-Windows-TunnelDriver
Channel: Microsoft-Windows-TunnelDriver

Description

Packet failed integrity check on interface type TunnelType with index InterfaceIndex.

Message #

Packet failed integrity check on interface type %1 with index %2.

Fields #

Name	Description
`TunnelType` UInt32
`InterfaceIndex` UInt32

Event ID 1008: Non IPv6 Packet received on interface InterfaceIndex.

Provider: Microsoft-Windows-TunnelDriver
Channel: Microsoft-Windows-TunnelDriver

Description

Non IPv6 Packet received on interface InterfaceIndex.

Message #

Non IPv6 Packet received on interface %1.

Fields #

Name	Description
`InterfaceIndex` UInt32

Event ID 1009: Could not find tunnel interface for truncated ICMP message.

Provider: Microsoft-Windows-TunnelDriver
Channel: Microsoft-Windows-TunnelDriver

Description

Could not find tunnel interface for truncated ICMP message.

Message #

Could not find tunnel interface for truncated ICMP message.

Event ID 1010: Could not find the source of the ICMP message on tunnel interface InterfaceIndex.

Provider: Microsoft-Windows-TunnelDriver
Channel: Microsoft-Windows-TunnelDriver

Description

Could not find the source of the ICMP message on tunnel interface InterfaceIndex.

Message #

Could not find the source of the ICMP message on tunnel interface %1.

Fields #

Name	Description
`InterfaceIndex` UInt32

Event ID 1011: Failed to copy Buffer into MDL while generating ICMPv6 message on tunnel interface InterfaceIndex.

Provider: Microsoft-Windows-TunnelDriver
Channel: Microsoft-Windows-TunnelDriver

Description

Failed to copy Buffer into MDL while generating ICMPv6 message on tunnel interface InterfaceIndex.

Message #

Failed to copy Buffer into MDL while generating ICMPv6 message on tunnel interface %1.

Fields #

Name	Description
`InterfaceIndex` UInt32

Event ID 1012: Completing the pause for tunnel interface InterfaceIndex.

Provider: Microsoft-Windows-TunnelDriver
Channel: Microsoft-Windows-TunnelDriver

Description

Completing the pause for tunnel interface InterfaceIndex.

Message #

Completing the pause for tunnel interface %1.

Fields #

Name	Description
`InterfaceIndex` UInt32

Event ID 1013: Completing power notification for tunnel interface InterfaceIndex.

Provider: Microsoft-Windows-TunnelDriver
Channel: Microsoft-Windows-TunnelDriver

Description

Completing power notification for tunnel interface InterfaceIndex.

Message #

Completing power notification for tunnel interface %1.

Fields #

Name	Description
`InterfaceIndex` UInt32

Event ID 1014: Tunnel interface InterfaceIndex has media status set to MediaStatus.

Provider: Microsoft-Windows-TunnelDriver
Channel: Microsoft-Windows-TunnelDriver

Description

Tunnel interface InterfaceIndex has media status set to MediaStatus.

Message #

Tunnel interface %1 has media status set to %2.

Fields #

Name	Description
`InterfaceIndex` UInt32
`MediaStatus` UInt32

Event ID 1015: Tunnel interface InterfaceIndex ReadError could not be read.

Provider: Microsoft-Windows-TunnelDriver
Channel: Microsoft-Windows-TunnelDriver

Description

Tunnel interface InterfaceIndex ReadError could not be read.

Message #

Tunnel interface %1 %3 could not be read.
NDIS returned status %2.

Fields #

Name	Description
`InterfaceIndex` UInt32
`ErrorCode` UInt32
`ReadError` UInt32

Event ID 1016: Tunnel interface Index has unknown type TunnelType.

Provider: Microsoft-Windows-TunnelDriver
Channel: Microsoft-Windows-TunnelDriver

Description

Tunnel interface Index has unknown type TunnelType.

Message #

Tunnel interface %1 has unknown type %2.

Fields #

Name	Description
`Index` UInt32
`TunnelType` UInt32

Event ID 1017: Tunnel interface of type TunnelType with index Index has been InterfaceOperation.

Provider: Microsoft-Windows-TunnelDriver
Channel: Microsoft-Windows-TunnelDriver

Description

Tunnel interface of type TunnelType with index Index has been InterfaceOperation.

Message #

Tunnel interface of type %1 with index %2 has been %3.

Fields #

Name	Description
`TunnelType` UInt32
`Index` UInt32
`InterfaceOperation` UInt32

Event ID 1018: Teredo Tunnel offload TeredoFlowTuple flow entry freed.

Provider: Microsoft-Windows-TunnelDriver
Channel: Microsoft-Windows-TunnelDriver

Description

Teredo Tunnel offload TeredoFlowTuple flow entry freed.

Message #

Teredo Tunnel offload %1 flow entry freed.

Fields #

Name	Description
`TeredoFlowTuple` UInt32

Event ID 1019: Teredo WFP receive path worker has NULL clone list.

Provider: Microsoft-Windows-TunnelDriver
Channel: Microsoft-Windows-TunnelDriver

Description

Teredo WFP receive path worker has NULL clone list.

Message #

Teredo WFP receive path worker has NULL clone list.

Event ID 1020: Skipped offload flow creation for non-Teredo address pair.

Provider: Microsoft-Windows-TunnelDriver
Channel: Microsoft-Windows-TunnelDriver

Description

Skipped offload flow creation for non-Teredo address pair.

Message #

Skipped offload flow creation for non-Teredo address pair.
Local %2 Remote %3.

Fields #

Name	Description
`IpAddrV6Length` UInt32
`LocalIpv6Address` Binary
`RemoteIPv6Address` Binary

Event ID 1021: Teredo Wfp created IPv4 flow with following parameters.

Provider: Microsoft-Windows-TunnelDriver
Channel: Microsoft-Windows-TunnelDriver

Description

Teredo Wfp created IPv4 flow with following parameters.

Message #

Teredo Wfp created IPv4 flow with following parameters.
LocalV4:%1 RemoteV4:%2 
LocalPort:%3 RemotePort:%4.

Fields #

Name	Description
`SourceIPv4Address` UInt32
`DestinationIPv4Address` UInt32
`SourcePort` UInt16
`DestinationPort` UInt16

Event ID 1022: Teredo Wfp registration occured with status NTStatus.

Provider: Microsoft-Windows-TunnelDriver
Channel: Microsoft-Windows-TunnelDriver

Description

Teredo Wfp registration occured with status NTStatus.

Message #

Teredo Wfp registration occured with status %1.

Fields #

Name	Description
`NTStatus` UInt32	NTSTATUS reference

Event ID 1023: Teredo Wfp created V6 flow with status NTStatus following parameters.

Provider: Microsoft-Windows-TunnelDriver
Channel: Microsoft-Windows-TunnelDriver

Description

Teredo Wfp created V6 flow with status NTStatus following parameters.

Message #

Teredo Wfp created V6 flow with status %6 following parameters.
LocalV4:%2 RemoteV4:%3 
LocalV6:%4 RemoteV6:%5.

Fields #

Name	Description
`IpAddrV6Length` UInt32
`LocalIPv4Address` UInt32
`RemoteIPv4Address` UInt32
`LocalIPv6` Binary
`RemoteIPv6` Binary
`NTStatus` UInt32	NTSTATUS reference

Event ID 1024: Tunnel type TunnelType with index TunnelInterfaceIndex has IPv4 address IPv4Address now YesorNo associated with physical interface with index InterfaceIndex.

Provider: Microsoft-Windows-TunnelDriver
Channel: Microsoft-Windows-TunnelDriver

Description

Tunnel type TunnelType with index TunnelInterfaceIndex has IPv4 address IPv4Address now YesorNo associated with physical interface with index InterfaceIndex.

Message #

Tunnel type %1 with index %2 has IPv4 address %3 now %4 associated with physical interface with index %5.

Fields #

Name	Description
`TunnelType` UInt32
`TunnelInterfaceIndex` UInt32
`IPv4Address` UInt32
`YesorNo` UInt32
`InterfaceIndex` UInt32

Event ID 1025: Tunnel type TunnelType offloaded OffloadedNblCount NBLs, Could not offload ReturnedNblCount NBLs.

Provider: Microsoft-Windows-TunnelDriver
Channel: Microsoft-Windows-TunnelDriver

Description

Tunnel type TunnelType offloaded OffloadedNblCount NBLs, Could not offload ReturnedNblCount NBLs.

Message #

Tunnel type %1 offloaded %2 NBLs, Could not offload %3 NBLs

Fields #

Name	Description
`TunnelType` UInt32
`OffloadedNblCount` UInt32
`ReturnedNblCount` UInt32

Event ID 1026: Tunnel Type TunnelType with index InterfaceIndex is in an invalid device state such as not opened or being closed.

Provider: Microsoft-Windows-TunnelDriver
Channel: Microsoft-Windows-TunnelDriver

Description

Tunnel Type TunnelType with index InterfaceIndex is in an invalid device state such as not opened or being closed.

Message #

Tunnel Type %1 with index %2 is in an invalid device state such as not opened or being closed.
%3 NBLs could not be sent.

Fields #

Name	Description
`TunnelType` UInt32
`InterfaceIndex` UInt32
`DroppedNblCount` UInt32

Event ID 1027: Teredo tunnel callout wasn't allowed to modify a packet.

Provider: Microsoft-Windows-TunnelDriver
Channel: Microsoft-Windows-TunnelDriver

Description

Teredo tunnel callout wasn't allowed to modify a packet. PID: ProcessID. FilterID: FilterID. Flow handle FlowHandle.

Message #

Teredo tunnel callout wasn't allowed to modify a packet. PID: %1. FilterID: %2. Flow handle %3.

Fields #

Name	Description
`ProcessID` UInt64
`FilterID` UInt64
`FlowHandle` UInt64

Provenance

Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.

ETW provider GUID 4edbe902-9ed3-4cf0-93e8-b8b5fa920299

Defined in tunnel.sys, the binary that emits these events.

Observed on:

WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.1, captured 2026-06-02
Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.1, captured 2026-06-02

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)