Microsoft-Windows-Wcmsvc

67 events across 2 channels

Event	Title	Channel	Sample
1001	WCMSVC: Service Startup	Operational	N
1002	WCMSVC: Service Shutdown	Operational	N
1003	CDE reported a state change.	Operational	Y
1004	A Group Policy change was processed	Operational	Y
1005	A Power change was processed.	Operational	N
1006	A Terminal Services session change was processed.	Operational	Y
1007	CDE reported a state change.	Diagnostic	N
1008	NLA interface property change.	Diagnostic	N
1009	CDE reported an L2 adapter arrival.	Operational	Y
1010	CDE reported an L2 adapter removal.	Operational	Y
1011	CDE reported a successful connection.	Diagnostic	N
1012	CDE reported a connection failure.	Operational	N
1013	CDE reported a disconnection.	Diagnostic	N
1014	WcmSetParameter Called.	Diagnostic	N
1015	Interface Token Applied.	Operational	N
1016	Interface Token Failed.	Operational	N
1017	Soft disconnect over thresholds for interface: InterfaceGUID.	Operational	N
1018	Soft disconnect under thresholds for interface: InterfaceGUID.	Operational	N
1019	CDE reported an unblocked profile.	Operational	N
1020	WCM Preferred Order List.	Operational	Y
1022	WCM entered connected standby	Operational	N
1023	WCM exited connected standby	Operational	N
1024	Acquired NDIS NIC Active Reference for interface: InterfaceGUID.	Diagnostic	N
1025	Released NDIS NIC Active Reference for interface: InterfaceGUID.	Diagnostic	N
1026	CDE reported an NDIS adapter arrival.	Operational	Y
1027	CDE reported an NDIS adapter removal.	Operational	Y
1028	WCM entered net quiet mode	Operational	N
1029	WCM exited net quiet mode	Operational	N
1030	Billing Cycle Reset Successful	Operational	N
1031	Server Time Retrieval Failure	Operational	N
1032	Acquire NDIS NIC Active Reference Failed for interface: InterfaceGUID.	Operational	N
1033	Release NDIS NIC Active Reference Failed for interface: InterfaceGUID.	Operational	N
1034	OnDemandInterfaceStateChanged.	Operational	N
1035	OnDemand PDP Profile Created.	Diagnostic	N
1036	OnDemand PDP Profile Deleted.	Diagnostic	N
1037	OnDemand Request opened.	Operational	N
1038	OnDemand Request closed.	Operational	N
1039	OnDemand Request started.	Diagnostic	N
1040	OnDemand Request cancelled.	Diagnostic	N
1050	WcmSvc acquired the NIC reference for Interface: InterfaceGUID for reason: …	Diagnostic	N
1051	WcmSvc released the NIC reference for Interface: InterfaceGUID for reason: …	Diagnostic	N
1052	WcmSvc signalled disconnected standby	Operational	N
1053	WcmSvc signalled end of disconnected standby	Operational	N
1054	WcmSvc received power policy update for networking in standby - the new policy …	Operational	N
4020	End of Wwan Resume Reconnect	Diagnostic	N
4021	End of Wlan Resume Reconnect to Same Network	Diagnostic	N
4022	End of Wlan Resume Reconnect to Same Network OneX	Diagnostic	N
4023	End of Wlan Resume Reconnect to Different Network	Diagnostic	N
4024	End of Wlan Resume Reconnect to Different Network OneX	Diagnostic	N
4025	Cancel of Wlan Resume Reconnect2	Diagnostic	N
4026	Measure WWAN Resume Reconnect task	Diagnostic	N
4027	WcmSvc CmPdcActivationClientRegister - Status [Status].	Operational	N
4028	WcmSvc CmPdcActivationClientUnregister - Status [Status].	Operational	N
4029	WcmSvc CmPdcActivationClientActivityRequest - Activate [Activity], Status …	Operational	N
4030	WcmSvc SetNetworkReference - Activate [Activate], Result [Result], …	Operational	N
4031	WcmSvc ReleaseNetworkReferenceInProcess - ProcessId [ProcessId], …	Operational	N
4032	WcmSvc AcquireNdisReference - Result [Result], TotalCmNdisRefCount …	Operational	N
4033	WcmSvc ReleaseNdisReference - Result [Result], TotalCmNdisRefCount …	Operational	N
4034	WcmSvc ReleaseNdisReferenceInProcess - ProcessId [ProcessId], …	Operational	N
4035	WcmSvc NdisReferenceError - [FunctionName]: Result [Error].	Operational	N
4036	CmService::NdisReference - [AcquireRelease] InterfaceLuid [InterfaceLuid], …	Operational	N
10001	WCMSVC: Start WCM Service Startup	Operational	Y
10002	WCMSVC: Complete WCM Service Startup	Operational	Y
10003	WCMSVC: Start Service Shutdown	Operational	Y
10004	WCMSVC: Complete Service Shutdown	Operational	Y
10005	Tethering Manager Loaded Successfully	Diagnostic	N
10006	Tethering Manager Unloaded Successfully	Diagnostic	N

Event ID 1001: WCMSVC: Service Startup

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Opcode: Info

Description

WCMSVC: Service Startup.

Message #

WCMSVC: Service Startup

Event ID 1002: WCMSVC: Service Shutdown

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Opcode: Info

Description

WCMSVC: Service Shutdown.

Message #

WCMSVC: Service Shutdown

Event ID 1003: CDE reported a state change.

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Level: Informational
Opcode: Info

Description

CDE reported a state change.

Message #

CDE reported a state change 

 State: %1 

 Name: %2

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference
`Name` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Wcmsvc",
    "guid": "67D07935-283A-4791-8F8D-FA9117F3E6F2",
    "event_source_name": "",
    "event_id": 1003,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775840,
    "time_created": "2023-11-06T06:25:42.259570+00:00",
    "event_record_id": 100,
    "correlation": {},
    "execution": {
      "process_id": 2540,
      "thread_id": 3204
    },
    "channel": "Microsoft-Windows-Wcmsvc/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "Status": 1,
    "Name": 2
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 1004: A Group Policy change was processed

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Level: Informational
Opcode: Info

Description

A Group Policy change was processed.

Message #

A Group Policy change was processed

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Wcmsvc",
    "guid": "{67D07935-283A-4791-8F8D-FA9117F3E6F2}",
    "event_source_name": "",
    "event_id": 1004,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": -9223372036854775808,
    "time_created": "2026-05-29T06:21:48.6534269+00:00",
    "event_record_id": 98,
    "correlation": {},
    "execution": {
      "process_id": 2204,
      "thread_id": 4052
    },
    "channel": "Microsoft-Windows-Wcmsvc/Operational",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {},
  "message": "A Group Policy change was processed"
}

Event ID 1005: A Power change was processed.

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Opcode: Info

Description

A Power change was processed.

Message #

A Power change was processed. 

 Reason: %1

Fields #

Name	Description
`Reason` UInt32

Event ID 1006: A Terminal Services session change was processed.

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Level: Informational
Opcode: Info

Description

A Terminal Services session change was processed.

Message #

A Terminal Services session change was processed. 

 Reason: %1

Fields #

Name	Description
`Reason` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Wcmsvc",
    "guid": "{67D07935-283A-4791-8F8D-FA9117F3E6F2}",
    "event_source_name": "",
    "event_id": 1006,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": -9223372036854775776,
    "time_created": "2026-05-29T16:33:57.0710322+00:00",
    "event_record_id": 110,
    "correlation": {},
    "execution": {
      "process_id": 2992,
      "thread_id": 3064
    },
    "channel": "Microsoft-Windows-Wcmsvc/Operational",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "Reason": "5"
  },
  "message": "A Terminal Services session change was processed. \r\n\r\n Reason: A user has logged on to the session"
}

Event ID 1007: CDE reported a state change.

Provider: Microsoft-Windows-Wcmsvc
Channel: Diagnostic
Opcode: Info

Description

CDE reported a state change.

Message #

CDE reported a state change 

 State: %1 

 Name: Nlasvc.

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Event ID 1008: NLA interface property change.

Provider: Microsoft-Windows-Wcmsvc
Channel: Diagnostic
Opcode: Info

Description

NLA interface property change.

Message #

NLA interface property change 

Interface: %1
Internet v4: %2
Internet v6: %3
Probe Complete v4: %4
Probe Complete v6: %5
Domain Authenticated: %6
Domain Probe Complete: %7

Fields #

Name	Description
`InterfaceGUID` GUID
`InternetConnectivityv4` Boolean
`InternetConnectivityv6` Boolean
`InternetProbeCompletev4` Boolean
`InternetProbeCompletev6` Boolean
`DomainConnectivity` Boolean
`DomainProbeComplete` Boolean

Event ID 1009: CDE reported an L2 adapter arrival.

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Level: Informational
Opcode: Info

Description

CDE reported an L2 adapter arrival.

Message #

CDE reported an L2 adapter arrival 

 Interface: %1 

 Type: %2

Fields #

Name	Description
`InterfaceGuid` GUID
`MediaType` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Wcmsvc",
    "guid": "{67D07935-283A-4791-8F8D-FA9117F3E6F2}",
    "event_source_name": "",
    "event_id": 1009,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": -9223372036854775776,
    "time_created": "2026-05-29T16:32:57.3855017+00:00",
    "event_record_id": 107,
    "correlation": {},
    "execution": {
      "process_id": 2992,
      "thread_id": 3064
    },
    "channel": "Microsoft-Windows-Wcmsvc/Operational",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "InterfaceGuid": "{2a7bd48e-ddc6-4641-9f41-682f29f1d76c}",
    "MediaType": "1"
  },
  "message": "CDE reported an L2 adapter arrival \r\n\r\n Interface: {2a7bd48e-ddc6-4641-9f41-682f29f1d76c} \r\n\r\n Type: Ethernet."
}

Event ID 1010: CDE reported an L2 adapter removal.

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Level: Informational
Opcode: Info

Description

CDE reported an L2 adapter removal.

Message #

CDE reported an L2 adapter removal 

 Interface: %1 

 Type: %2

Fields #

Name	Description
`InterfaceGuid` GUID
`MediaType` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Wcmsvc",
    "guid": "67D07935-283A-4791-8F8D-FA9117F3E6F2",
    "event_source_name": "",
    "event_id": 1010,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775840,
    "time_created": "2026-03-13T20:18:51.255303+00:00",
    "event_record_id": 170,
    "correlation": {},
    "execution": {
      "process_id": 2572,
      "thread_id": 2756
    },
    "channel": "Microsoft-Windows-Wcmsvc/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "InterfaceGuid": "2A7BD48E-DDC6-4641-9F41-682F29F1D76C",
    "MediaType": 1
  },
  "message": ""
}

Event ID 1011: CDE reported a successful connection.

Provider: Microsoft-Windows-Wcmsvc
Channel: Diagnostic
Opcode: Info

Description

CDE reported a successful connection.

Message #

CDE reported a successful connection 

 Interface: %1 

 Type: %2

Fields #

Name	Description
`InterfaceGuid` GUID
`MediaType` UInt32

Event ID 1012: CDE reported a connection failure.

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Opcode: Info

Description

CDE reported a connection failure.

Message #

CDE reported a connection failure 

 Interface: %1 

 Type: %2

 Status: %3

Fields #

Name	Description
`InterfaceGuid` GUID
`MediaType` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 1013: CDE reported a disconnection.

Provider: Microsoft-Windows-Wcmsvc
Channel: Diagnostic
Opcode: Info

Description

CDE reported a disconnection.

Message #

CDE reported a disconnection 

 Interface: %1 

 Type: %2

Fields #

Name	Description
`InterfaceGuid` GUID
`MediaType` UInt32

Event ID 1014: WcmSetParameter Called.

Provider: Microsoft-Windows-Wcmsvc
Channel: Diagnostic
Opcode: Info

Description

WcmSetParameter Called.

Message #

WcmSetParameter Called

Interface: %1
Profile Name: %2
Wcm Opcode: %3
Data Length: %4
Caller Process ID: %5
Return Value: %6

Fields #

Name	Description
`InterfaceGUID` GUID
`ProfileName` UnicodeString
`WcmOpcode` UInt32
`Datalength` UInt32
`CallerProcessID` UInt32
`ReturnValue` UInt32

Event ID 1015: Interface Token Applied.

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Opcode: Info

Description

Interface Token Applied.

Message #

Interface Token Applied

Interface: %1
Media Type: %2
Manual enabled: %3
Manual Filter: %4
Num Manual: %5
Manual Profiles: %6
Auto enabled: %7
Auto filter: %8
Num Auto: %9
Auto Profiles: %10

Fields #

Name	Description
`InterfaceGUID`
`Mediatype` UInt32
`ManualConnect`
`ManualFiltercontrol`
`NumManualprofiles`
`ManualProfileNames`
`AutoConnect`
`AutoFiltercontrol`
`NumAutoprofiles`
`AutoProfileNames`

Event ID 1016: Interface Token Failed.

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Opcode: Info

Description

Interface Token Failed.

Message #

Interface Token Failed

Interface: %1
Media Type: %2
Manual enabled: %3
Manual Filter: %4
Num Manual: %5
Manual Profiles: %6
Auto enabled: %7
Auto filter: %8
Num Auto: %9
AutoProfiles: %10
Status: %11

Fields #

Name	Description
`InterfaceGUID`
`Mediatype` UInt32
`ManualConnect`
`ManualFiltercontrol`
`NumManualprofiles`
`ManualProfileNames`
`AutoConnect`
`AutoFiltercontrol`
`NumAutoprofiles`
`AutoProfileNames`
`Error` UInt32

Event ID 1017: Soft disconnect over thresholds for interface: InterfaceGUID.

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Opcode: Info

Description

Soft disconnect over thresholds for interface: InterfaceGUID.

Message #

Soft disconnect over thresholds for interface: %1
AvgIn: %2 AvgOut: %3 SpikeIn: %4 SpikeOut: %5
Thresholds: AvgIn: %6 AvgOut: %7 SpikeIn: %8 SpikeOut:%9
All values are in bytes/second

Fields #

Name	Description
`InterfaceGUID` GUID
`AvgIn` UInt32
`AvgOut` UInt32
`SpikeIn` UInt32
`SpikeOut` UInt32
`ThresholdAvgIn` UInt32
`ThresholdAvgOut` UInt32
`ThresholdSpikeIn` UInt32
`ThresholdSpikeOut` UInt32

Event ID 1018: Soft disconnect under thresholds for interface: InterfaceGUID.

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Opcode: Info

Description

Soft disconnect under thresholds for interface: InterfaceGUID.

Message #

Soft disconnect under thresholds for interface: %1
AvgIn: %2 AvgOut: %3 SpikeIn: %4 SpikeOut: %5
Thresholds: AvgIn: %6 AvgOut: %7 SpikeIn: %8 SpikeOut:%9
All values are in bytes/second

Fields #

Name	Description
`InterfaceGUID` GUID
`AvgIn` UInt32
`AvgOut` UInt32
`SpikeIn` UInt32
`SpikeOut` UInt32
`ThresholdAvgIn` UInt32
`ThresholdAvgOut` UInt32
`ThresholdSpikeIn` UInt32
`ThresholdSpikeOut` UInt32

Event ID 1019: CDE reported an unblocked profile.

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Opcode: Info

Description

CDE reported an unblocked profile.

Message #

CDE reported an unblocked profile 

 Interface: %1 

 Type: %2

 Profile: %3

Fields #

Name	Description
`InterfaceGuid` GUID
`MediaType` UInt32
`ProfileName` UnicodeString

Event ID 1020: WCM Preferred Order List.

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Level: Informational
Opcode: Info

Description

WCM Preferred Order List.

Message #

WCM Preferred Order List:
%1

Fields #

Name	Description
`WCMPreferredOrderList`

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Wcmsvc",
    "guid": "67D07935-283A-4791-8F8D-FA9117F3E6F2",
    "event_source_name": "",
    "event_id": 1020,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775840,
    "time_created": "2023-10-26T04:17:43.215170+00:00",
    "event_record_id": 9,
    "correlation": {},
    "execution": {
      "process_id": 2288,
      "thread_id": 2612
    },
    "channel": "Microsoft-Windows-Wcmsvc/Operational",
    "computer": "WIN-OQ6R0RVA4NF",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "WCM Preferred Order List": "0: {3D03B11E-98A0-4304-84E2-CD3AAE8EFE1D}, Ethernet, 1\n1: {8E4162AD-6500-4899-BA95-24051405E207}, Ethernet, 1\n"
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 1022: WCM entered connected standby

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Opcode: Info

Description

WCM entered connected standby.

Message #

WCM entered connected standby

Event ID 1023: WCM exited connected standby

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Opcode: Info

Description

WCM exited connected standby.

Message #

WCM exited connected standby

Event ID 1024: Acquired NDIS NIC Active Reference for interface: InterfaceGUID.

Provider: Microsoft-Windows-Wcmsvc
Channel: Diagnostic
Opcode: Info

Description

Acquired NDIS NIC Active Reference for interface: InterfaceGUID.

Message #

Acquired NDIS NIC Active Reference for interface: %1

Fields #

Name	Description
`InterfaceGUID` GUID

Event ID 1025: Released NDIS NIC Active Reference for interface: InterfaceGUID.

Provider: Microsoft-Windows-Wcmsvc
Channel: Diagnostic
Opcode: Info

Description

Released NDIS NIC Active Reference for interface: InterfaceGUID.

Message #

Released NDIS NIC Active Reference for interface: %1

Fields #

Name	Description
`InterfaceGUID` GUID

Event ID 1026: CDE reported an NDIS adapter arrival.

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Level: Informational
Opcode: Info

Description

CDE reported an NDIS adapter arrival.

Message #

CDE reported an NDIS adapter arrival 

 Interface: %1 

 Type: %2

Fields #

Name	Description
`InterfaceGuid` GUID
`MediaType` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Wcmsvc",
    "guid": "{67D07935-283A-4791-8F8D-FA9117F3E6F2}",
    "event_source_name": "",
    "event_id": 1026,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": -9223372036854775776,
    "time_created": "2026-05-29T16:32:57.3851898+00:00",
    "event_record_id": 106,
    "correlation": {},
    "execution": {
      "process_id": 2992,
      "thread_id": 3064
    },
    "channel": "Microsoft-Windows-Wcmsvc/Operational",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "InterfaceGuid": "{2a7bd48e-ddc6-4641-9f41-682f29f1d76c}",
    "MediaType": "1"
  },
  "message": "CDE reported an NDIS adapter arrival \r\n\r\n Interface: {2a7bd48e-ddc6-4641-9f41-682f29f1d76c} \r\n\r\n Type: Ethernet."
}

Event ID 1027: CDE reported an NDIS adapter removal.

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Level: Informational
Opcode: Info

Description

CDE reported an NDIS adapter removal.

Message #

CDE reported an NDIS adapter removal 

 Interface: %1 

 Type: %2

Fields #

Name	Description
`InterfaceGuid` GUID
`MediaType` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Wcmsvc",
    "guid": "67D07935-283A-4791-8F8D-FA9117F3E6F2",
    "event_source_name": "",
    "event_id": 1027,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775840,
    "time_created": "2026-03-13T20:18:51.255300+00:00",
    "event_record_id": 169,
    "correlation": {},
    "execution": {
      "process_id": 2572,
      "thread_id": 2756
    },
    "channel": "Microsoft-Windows-Wcmsvc/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "InterfaceGuid": "2A7BD48E-DDC6-4641-9F41-682F29F1D76C",
    "MediaType": 1
  },
  "message": ""
}

Event ID 1028: WCM entered net quiet mode

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Opcode: Info

Description

WCM entered net quiet mode.

Message #

WCM entered net quiet mode

Event ID 1029: WCM exited net quiet mode

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Opcode: Info

Description

WCM exited net quiet mode.

Message #

WCM exited net quiet mode

Event ID 1030: Billing Cycle Reset Successful

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Opcode: Info

Description

Billing Cycle Reset Successful.

Message #

Billing Cycle Reset Successful

Fields #

Name	Description
`ProfileName` UnicodeString
`InterfaceGuid` GUID
`ProfileUpdatedorDeleted` UnicodeString

Event ID 1031: Server Time Retrieval Failure

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Opcode: Info

Description

Server Time Retrieval Failure.

Message #

Server Time Retrieval Failure

Fields #

Name	Description
`ConfigtoSyncWithTimeServer` Boolean
`TimeServerName` UnicodeString
`NumServerTimeRetries` UInt32
`ServerTimeRetrievalError` UInt32

Event ID 1032: Acquire NDIS NIC Active Reference Failed for interface: InterfaceGUID.

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Opcode: Info

Description

Acquire NDIS NIC Active Reference Failed for interface: InterfaceGUID.

Message #

Acquire NDIS NIC Active Reference Failed for interface: %1

Fields #

Name	Description
`InterfaceGUID` GUID
`NdisRefError` UInt32

Event ID 1033: Release NDIS NIC Active Reference Failed for interface: InterfaceGUID.

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Opcode: Info

Description

Release NDIS NIC Active Reference Failed for interface: InterfaceGUID.

Message #

Release NDIS NIC Active Reference Failed for interface: %1

Fields #

Name	Description
`InterfaceGUID` GUID
`NdisRefError` UInt32

Event ID 1034: OnDemandInterfaceStateChanged.

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Opcode: Info

Description

OnDemandInterfaceStateChanged. OnDemandType:OnDemandType, Interface: InterfaceGUID, OnDemandInfo:OnDemandInfo, ProviderID:ProviderID, NewState:NewState, Ref counter:Refcount.

Message #

OnDemandInterfaceStateChanged. OnDemandType:%1, Interface: %2, OnDemandInfo:%3, ProviderID:%4, NewState:%5, Ref counter:%6

Fields #

Name	Description
`OnDemandType` UInt32
`InterfaceGUID` GUID
`OnDemandInfo` UnicodeString
`ProviderID` UnicodeString
`NewState` UInt32
`Refcount` UInt32

Event ID 1035: OnDemand PDP Profile Created.

Provider: Microsoft-Windows-Wcmsvc
Channel: Diagnostic
Opcode: Info

Description

OnDemand PDP Profile Created. OnDemandInfo:APNname, ProviderID:ProviderID, SubscriberID:SubscriberID, Profile Name:Profilename.

Message #

OnDemand PDP Profile Created. OnDemandInfo:%1, ProviderID:%2, SubscriberID:%3, Profile Name:%4

Fields #

Name	Description
`APNname` UnicodeString
`ProviderID` UnicodeString
`SubscriberID` UnicodeString
`Profilename` UnicodeString

Event ID 1036: OnDemand PDP Profile Deleted.

Provider: Microsoft-Windows-Wcmsvc
Channel: Diagnostic
Opcode: Info

Description

OnDemand PDP Profile Deleted. Profile Name:Profilename.

Message #

OnDemand PDP Profile Deleted. Profile Name:%1

Fields #

Name	Description
`Profilename` UnicodeString

Event ID 1037: OnDemand Request opened.

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Opcode: Info

Description

OnDemand Request opened. App ID:AppID, ProcessID:ProcessID,OnDemandType:OnDemandType, OnDemandInfo:OnDemandInfo, ProviderID:ProviderID, Error: Error.

Message #

OnDemand Request opened. App ID:%1, ProcessID:%2,OnDemandType:%3, OnDemandInfo:%4, ProviderID:%5, Error: %6

Fields #

Name	Description
`AppID` UnicodeString
`ProcessID` UInt32
`OnDemandType` UInt32
`OnDemandInfo` UnicodeString
`ProviderID` UnicodeString
`Error` UInt32

Event ID 1038: OnDemand Request closed.

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Opcode: Info

Description

OnDemand Request closed. App ID:AppID, ProcessID:ProcessID,OnDemandType:OnDemandType, OnDemandInfo:OnDemandInfo, ProviderID:ProviderID, Error: Error.

Message #

OnDemand Request closed. App ID:%1, ProcessID:%2,OnDemandType:%3, OnDemandInfo:%4, ProviderID:%5, Error: %6

Fields #

Name	Description
`AppID` UnicodeString
`ProcessID` UInt32
`OnDemandType` UInt32
`OnDemandInfo` UnicodeString
`ProviderID` UnicodeString
`Error` UInt32

Event ID 1039: OnDemand Request started.

Provider: Microsoft-Windows-Wcmsvc
Channel: Diagnostic
Opcode: Info

Description

OnDemand Request started. App ID:AppID, ProcessID:ProcessID,OnDemandType:OnDemandType, OnDemandInfo:OnDemandInfo, ProviderID:ProviderID, Error: Error.

Message #

OnDemand Request started. App ID:%1, ProcessID:%2,OnDemandType:%3, OnDemandInfo:%4, ProviderID:%5, Error: %6

Fields #

Name	Description
`AppID` UnicodeString
`ProcessID` UInt32
`OnDemandType` UInt32
`OnDemandInfo` UnicodeString
`ProviderID` UnicodeString
`Error` UInt32

Event ID 1040: OnDemand Request cancelled.

Provider: Microsoft-Windows-Wcmsvc
Channel: Diagnostic
Opcode: Info

Description

OnDemand Request cancelled. App ID:AppID, ProcessID:ProcessID,OnDemandType:OnDemandType, OnDemandInfo:OnDemandInfo, ProviderID:ProviderID, Error: Error.

Message #

OnDemand Request cancelled. App ID:%1, ProcessID:%2,OnDemandType:%3, OnDemandInfo:%4, ProviderID:%5, Error: %6

Fields #

Name	Description
`AppID` UnicodeString
`ProcessID` UInt32
`OnDemandType` UInt32
`OnDemandInfo` UnicodeString
`ProviderID` UnicodeString
`Error` UInt32

Event ID 1050: WcmSvc acquired the NIC reference for Interface: InterfaceGUID for reason: ActionType.

Provider: Microsoft-Windows-Wcmsvc
Channel: Diagnostic
Opcode: Info

Description

WcmSvc acquired the NIC reference for Interface: InterfaceGUID for reason: ActionType.

Message #

WcmSvc acquired the NIC reference for Interface: %1 for reason: %2

Fields #

Name	Description
`InterfaceGUID` GUID
`ActionType` UInt32

Event ID 1051: WcmSvc released the NIC reference for Interface: InterfaceGUID for reason: ActionType.

Provider: Microsoft-Windows-Wcmsvc
Channel: Diagnostic
Opcode: Info

Description

WcmSvc released the NIC reference for Interface: InterfaceGUID for reason: ActionType.

Message #

WcmSvc released the NIC reference for Interface: %1 for reason: %2

Fields #

Name	Description
`InterfaceGUID` GUID
`ActionType` UInt32

Event ID 1052: WcmSvc signalled disconnected standby

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Opcode: Info

Description

WcmSvc signalled disconnected standby.

Message #

WcmSvc signalled disconnected standby

Event ID 1053: WcmSvc signalled end of disconnected standby

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Opcode: Info

Description

WcmSvc signalled end of disconnected standby.

Message #

WcmSvc signalled end of disconnected standby

Event ID 1054: WcmSvc received power policy update for networking in standby - the new policy value is PolicyValue.

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Opcode: Info

Description

WcmSvc received power policy update for networking in standby - the new policy value is PolicyValue.

Message #

WcmSvc received power policy update for networking in standby - the new policy value is %1

Fields #

Name	Description
`PolicyValue` UInt32

Event ID 4020: End of Wwan Resume Reconnect

Provider: Microsoft-Windows-Wcmsvc
Channel: Diagnostic
Task: MeasureWWANResumeReconnecttask
Opcode: Stop

Description

End of Wwan Resume Reconnect.

Message #

End of Wwan Resume Reconnect

Fields #

Name	Description
`InterfaceGuid` GUID

Event ID 4021: End of Wlan Resume Reconnect to Same Network

Provider: Microsoft-Windows-Wcmsvc
Channel: Diagnostic
Task: MeasureWLANResumeReconnecttask
Opcode: Stop

Description

End of Wlan Resume Reconnect to Same Network.

Message #

End of Wlan Resume Reconnect to Same Network

Fields #

Name	Description
`InterfaceGuid` GUID

Event ID 4022: End of Wlan Resume Reconnect to Same Network OneX

Provider: Microsoft-Windows-Wcmsvc
Channel: Diagnostic
Task: MeasureWLANResumeReconnecttask
Opcode: Stop

Description

End of Wlan Resume Reconnect to Same Network OneX.

Message #

End of Wlan Resume Reconnect to Same Network OneX

Fields #

Name	Description
`InterfaceGuid` GUID

Event ID 4023: End of Wlan Resume Reconnect to Different Network

Provider: Microsoft-Windows-Wcmsvc
Channel: Diagnostic
Task: MeasureWLANResumeReconnecttask
Opcode: Stop

Description

End of Wlan Resume Reconnect to Different Network.

Message #

End of Wlan Resume Reconnect to Different Network

Fields #

Name	Description
`InterfaceGuid` GUID

Event ID 4024: End of Wlan Resume Reconnect to Different Network OneX

Provider: Microsoft-Windows-Wcmsvc
Channel: Diagnostic
Task: MeasureWLANResumeReconnecttask
Opcode: Stop

Description

End of Wlan Resume Reconnect to Different Network OneX.

Message #

End of Wlan Resume Reconnect to Different Network OneX

Fields #

Name	Description
`InterfaceGuid` GUID

Event ID 4025: Cancel of Wlan Resume Reconnect2

Provider: Microsoft-Windows-Wcmsvc
Channel: Diagnostic
Task: MeasureWLANResumeReconnecttask
Opcode: Stop

Description

Cancel of Wlan Resume Reconnect2.

Message #

Cancel of Wlan Resume Reconnect2

Fields #

Name	Description
`InterfaceGuid` GUID

Event ID 4026: Measure WWAN Resume Reconnect task

Provider: Microsoft-Windows-Wcmsvc
Channel: Diagnostic
Task: MeasureWWANResumeReconnecttask
Opcode: Stop

Fields #

Name	Description
`InterfaceGuid` GUID

Event ID 4027: WcmSvc CmPdcActivationClientRegister - Status [Status].

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Opcode: Info

Description

WcmSvc CmPdcActivationClientRegister - Status [Status].

Message #

WcmSvc CmPdcActivationClientRegister - Status [%1]

Fields #

Name	Description
`Status` HexInt32	NTSTATUS reference

Event ID 4028: WcmSvc CmPdcActivationClientUnregister - Status [Status].

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Opcode: Info

Description

WcmSvc CmPdcActivationClientUnregister - Status [Status].

Message #

WcmSvc CmPdcActivationClientUnregister - Status [%1]

Fields #

Name	Description
`Status` HexInt32	NTSTATUS reference

Event ID 4029: WcmSvc CmPdcActivationClientActivityRequest - Activate [Activity], Status [Status].

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Opcode: Info

Description

WcmSvc CmPdcActivationClientActivityRequest - Activate [Activity], Status [Status].

Message #

WcmSvc CmPdcActivationClientActivityRequest - Activate [%1], Status [%2]

Fields #

Name	Description
`Activity` Boolean
`Status` HexInt32	NTSTATUS reference

Event ID 4030: WcmSvc SetNetworkReference - Activate [Activate], Result [Result], TotalNetworkRefCount [TotalNetworkRefCount], ProcessId [ProcessId], PerProcessNetworkRefCount [ProcessNetworkRefCount], App [AppNa...

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Opcode: Info

Description

WcmSvc SetNetworkReference - Activate [Activate], Result [Result], TotalNetworkRefCount [TotalNetworkRefCount], ProcessId [ProcessId], PerProcessNetworkRefCount [ProcessNetworkRefCount], App [AppName].

Message #

WcmSvc SetNetworkReference - Activate [%1], Result [%2], TotalNetworkRefCount [%3], ProcessId [%4], PerProcessNetworkRefCount [%5], App [%6]

Fields #

Name	Description
`Activate` Boolean
`Result` UInt32
`TotalNetworkRefCount` UInt32
`ProcessId` UInt32
`ProcessNetworkRefCount` UInt32
`AppName` UnicodeString

Event ID 4031: WcmSvc ReleaseNetworkReferenceInProcess - ProcessId [ProcessId], PerProcessNetworkRefCount [ProcessNetworkRefCount], TotalNetworkRefCount [TotalNetworkRefCount].

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Opcode: Info

Description

WcmSvc ReleaseNetworkReferenceInProcess - ProcessId [ProcessId], PerProcessNetworkRefCount [ProcessNetworkRefCount], TotalNetworkRefCount [TotalNetworkRefCount].

Message #

WcmSvc ReleaseNetworkReferenceInProcess - ProcessId [%1], PerProcessNetworkRefCount [%2], TotalNetworkRefCount [%3]

Fields #

Name	Description
`ProcessId` UInt32
`ProcessNetworkRefCount` UInt32
`TotalNetworkRefCount` UInt32

Event ID 4032: WcmSvc AcquireNdisReference - Result [Result], TotalCmNdisRefCount [TotalCmNdisRefCount], ProcessId [ProcessId], PerProcessCmNdisRefCount [PerProcessCmNdisRefCount], App [AppName].

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Opcode: Info

Description

WcmSvc AcquireNdisReference - Result [Result], TotalCmNdisRefCount [TotalCmNdisRefCount], ProcessId [ProcessId], PerProcessCmNdisRefCount [PerProcessCmNdisRefCount], App [AppName].

Message #

WcmSvc AcquireNdisReference - Result [%1], TotalCmNdisRefCount [%2], ProcessId [%3], PerProcessCmNdisRefCount [%4], App [%5]

Fields #

Name	Description
`Result` UInt32
`TotalCmNdisRefCount` UInt32
`ProcessId` UInt32
`PerProcessCmNdisRefCount` UInt32
`AppName` UnicodeString

Event ID 4033: WcmSvc ReleaseNdisReference - Result [Result], TotalCmNdisRefCount [TotalCmNdisRefCount], ProcessId [ProcessId], PerProcessCmNdisRefCount [PerProcessCmNdisRefCount], App [AppName].

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Opcode: Info

Description

WcmSvc ReleaseNdisReference - Result [Result], TotalCmNdisRefCount [TotalCmNdisRefCount], ProcessId [ProcessId], PerProcessCmNdisRefCount [PerProcessCmNdisRefCount], App [AppName].

Message #

WcmSvc ReleaseNdisReference - Result [%1], TotalCmNdisRefCount [%2], ProcessId [%3], PerProcessCmNdisRefCount [%4], App [%5]

Fields #

Name	Description
`Result` UInt32
`TotalCmNdisRefCount` UInt32
`ProcessId` UInt32
`PerProcessCmNdisRefCount` UInt32
`AppName` UnicodeString

Event ID 4034: WcmSvc ReleaseNdisReferenceInProcess - ProcessId [ProcessId], PerProcessCmNdisRefCount [ProcessNetworkRefCount], TotalCmNdisRefCount [TotalNetworkRefCount].

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Opcode: Info

Description

WcmSvc ReleaseNdisReferenceInProcess - ProcessId [ProcessId], PerProcessCmNdisRefCount [ProcessNetworkRefCount], TotalCmNdisRefCount [TotalNetworkRefCount].

Message #

WcmSvc ReleaseNdisReferenceInProcess - ProcessId [%1], PerProcessCmNdisRefCount [%2], TotalCmNdisRefCount [%3]

Fields #

Name	Description
`ProcessId` UInt32
`ProcessNetworkRefCount` UInt32
`TotalNetworkRefCount` UInt32

Event ID 4035: WcmSvc NdisReferenceError - [FunctionName]: Result [Error].

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Opcode: Info

Description

WcmSvc NdisReferenceError - [FunctionName]: Result [Error].

Message #

WcmSvc NdisReferenceError - [%1]: Result [%2]

Fields #

Name	Description
`FunctionName` UnicodeString
`Error` UInt32

Event ID 4036: CmService::NdisReference - [AcquireRelease] InterfaceLuid [InterfaceLuid], Result [Result].

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Opcode: Info

Description

CmService::NdisReference - [AcquireRelease] InterfaceLuid [InterfaceLuid], Result [Result].

Message #

CmService::NdisReference - [%1] InterfaceLuid [%2], Result [%3]

Fields #

Name	Description
`AcquireRelease` UnicodeString
`InterfaceLuid` UInt64
`Result` UInt32

Event ID 10001: WCMSVC: Start WCM Service Startup

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Level: Informational
Opcode: Info

Description

WCMSVC: Start WCM Service Startup.

Message #

WCMSVC: Start WCM Service Startup

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Wcmsvc",
    "guid": "{67D07935-283A-4791-8F8D-FA9117F3E6F2}",
    "event_source_name": "",
    "event_id": 10001,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": -9223372036854775808,
    "time_created": "2026-05-29T16:32:57.3454710+00:00",
    "event_record_id": 105,
    "correlation": {},
    "execution": {
      "process_id": 2992,
      "thread_id": 3020
    },
    "channel": "Microsoft-Windows-Wcmsvc/Operational",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {},
  "message": "WCMSVC: Start WCM Service Startup"
}

Event ID 10002: WCMSVC: Complete WCM Service Startup

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Level: Informational
Opcode: Info

Description

WCMSVC: Complete WCM Service Startup.

Message #

WCMSVC: Complete WCM Service Startup

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Wcmsvc",
    "guid": "{67D07935-283A-4791-8F8D-FA9117F3E6F2}",
    "event_source_name": "",
    "event_id": 10002,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": -9223372036854775808,
    "time_created": "2026-05-29T16:32:57.3868780+00:00",
    "event_record_id": 108,
    "correlation": {},
    "execution": {
      "process_id": 2992,
      "thread_id": 3020
    },
    "channel": "Microsoft-Windows-Wcmsvc/Operational",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {},
  "message": "WCMSVC: Complete WCM Service Startup"
}

Event ID 10003: WCMSVC: Start Service Shutdown

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Level: Informational
Opcode: Info

Description

WCMSVC: Start Service Shutdown.

Message #

WCMSVC: Start Service Shutdown

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Wcmsvc",
    "guid": "{67D07935-283A-4791-8F8D-FA9117F3E6F2}",
    "event_source_name": "",
    "event_id": 10003,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": -9223372036854775808,
    "time_created": "2026-06-13T05:22:34.5250615+00:00",
    "event_record_id": 114,
    "correlation": {},
    "execution": {
      "process_id": 3004,
      "thread_id": 2064
    },
    "channel": "Microsoft-Windows-Wcmsvc/Operational",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {},
  "message": "WCMSVC: Start Service Shutdown"
}

Event ID 10004: WCMSVC: Complete Service Shutdown

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Level: Informational
Opcode: Info

Description

WCMSVC: Complete Service Shutdown.

Message #

WCMSVC: Complete Service Shutdown

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Wcmsvc",
    "guid": "{67D07935-283A-4791-8F8D-FA9117F3E6F2}",
    "event_source_name": "",
    "event_id": 10004,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": -9223372036854775808,
    "time_created": "2026-06-13T05:22:34.5306208+00:00",
    "event_record_id": 115,
    "correlation": {},
    "execution": {
      "process_id": 3004,
      "thread_id": 2064
    },
    "channel": "Microsoft-Windows-Wcmsvc/Operational",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {},
  "message": "WCMSVC: Complete Service Shutdown"
}

Event ID 10005: Tethering Manager Loaded Successfully

Provider: Microsoft-Windows-Wcmsvc
Channel: Diagnostic
Opcode: Info

Description

Tethering Manager Loaded Successfully.

Message #

Tethering Manager Loaded Successfully

Event ID 10006: Tethering Manager Unloaded Successfully

Provider: Microsoft-Windows-Wcmsvc
Channel: Diagnostic
Opcode: Info

Description

Tethering Manager Unloaded Successfully.

Message #

Tethering Manager Unloaded Successfully

Provenance

Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.

ETW provider GUID 67d07935-283a-4791-8f8d-fa9117f3e6f2

Defined in wcmsvc.dll, which carries the event manifest.

Observed on:

WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.1, captured 2026-06-02
Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.1, captured 2026-06-02

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)