Microsoft-Windows-WebAuthN

146 events across 4 channels

Event	Title	Channel	Sample
1000	WebAuthN Ctap MakeCredential started.	Operational	N
1001	WebAuthN Ctap MakeCredential completed.	Operational	N
1002	WebAuthN Ctap MakeCredential completed.	Operational	N
1003	WebAuthN Ctap GetAssertion started.	Operational	N
1004	WebAuthN Ctap GetAssertion completed.	Operational	N
1005	WebAuthN Ctap GetAssertion completed.	Operational	N
1006	WebAuthN Ctap SendCommand started.	Operational	N
1007	WebAuthN Ctap SendCommand completed.	Operational	N
1008	WebAuthN Ctap SendCommand completed.	Operational	N
1020	WebAuthN Ngc MakeCredential started.	Operational	N
1021	WebAuthN Ngc MakeCredential completed.	Operational	N
1022	WebAuthN Ngc MakeCredential completed.	Operational	N
1023	WebAuthN Ngc GetAssertion started.	Operational	N
1024	WebAuthN Ngc GetAssertion completed.	Operational	N
1025	WebAuthN Ngc GetAssertion completed.	Operational	N
1040	Ngc MakeCredential request.	Operational	N
1041	Ngc MakeCredential response.	Operational	N
1042	Ngc GetAssertion request.	Operational	N
1043	Ngc GetAssertion response.	Operational	N
1050	WebAuthN remote RPC request.	Operational	Y
1052	WebAuthN remote RPC response.	Operational	Y
1060	WebAuthN error at: Action.	Operational	N
1070	WebAuthN IsUserVerifyingPlatformAuthenticatorAvailale: value.	Operational	Y
1071	WebAuthN ApiVersion: value.	Operational	Y
1072	WebAuthN CancelCurrentOperation: value.	Operational	N
1100	Cbor decode error.	Operational	N
1101	Cbor encode MakeCredential request.	Operational	N
1102	Cbor decode MakeCredential response.	Operational	N
1103	Cbor encode GetAssertion request.	Operational	N
1104	Cbor decode GetAssertion response.	Operational	N
2000	Ctap service started successfully.	Operational	Y
2001	Ctap service stopped successfully.	Operational	Y
2100	Ctap Command started.	Operational	Y
2101	Ctap command started.	Operational	N
2102	Ctap Command completed.	Operational	Y
2103	Ctap Command completed.	Operational	N
2104	Ctap device info.	Operational	N
2105	Ctap Function: Function Location: Location.	Operational	N
2106	Ctap Name: Name Value: Value.	Operational	N
2107	Event ID 2107	Operational	N
2110	Ctap device device state info.	Operational	N
2111	Ctap device change notify info.	Operational	N
2200	Ctap Usb provider thread started.	Operational	N
2201	Ctap Usb provider thread completed.	Operational	N
2202	Ctap Usb provider thread completed.	Operational	N
2203	Ctap Usb provider thread completed.	Operational	N
2210	Ctap Usb device thread started.	Operational	N
2211	Ctap Usb device thread completed.	Operational	N
2212	Ctap Usb device thread completed.	Operational	N
2213	Ctap Usb device thread completed.	Operational	N
2220	Ctap Usb add device.	Operational	N
2221	Ctap Usb remove device.	Operational	N
2222	Ctap Usb device changes.	Operational	N
2223	Ctap Usb U2F device.	Operational	N
2224	Ctap Usb connect to device.	Operational	N
2225	Ctap Usb Send Receive.	Operational	N
2226	Ctap Usb Send Receive.	Operational	N
2250	Ctap Ble provider thread started.	Operational	N
2251	Ctap Ble provider thread completed.	Operational	N
2252	Ctap Ble provider thread completed.	Operational	N
2253	Ctap Ble provider thread completed.	Operational	N
2260	Ctap Ble device thread started.	Operational	N
2261	Ctap Ble device thread completed.	Operational	N
2262	Ctap Ble device thread completed.	Operational	N
2263	Ctap Ble device thread completed.	Operational	N
2270	Ctap Ble Function: Function Location: Location.	Operational	N
2271	Ctap Ble U2F device.	Operational	N
2272	Ctap Ble Send Receive.	Operational	N
2273	Ctap Ble Send Receive.	Operational	N
2300	Ctap Nfc provider thread started.	Operational	N
2301	Ctap Nfc provider thread completed.	Operational	N
2302	Ctap Nfc provider thread completed.	Operational	N
2303	Ctap Nfc provider thread completed.	Operational	N
2310	Ctap Nfc reader thread started.	Operational	N
2311	Ctap Nfc reader thread completed.	Operational	N
2312	Ctap Nfc reader thread completed.	Operational	N
2313	Ctap Nfc reader thread completed.	Operational	N
2314	Ctap Nfc reader manager thread started.	Operational	N
2315	Ctap Nfc reader manager thread completed.	Operational	N
2316	Cancelling Reader Threads.	Operational	N
2320	Ctap Nfc add reader.	Operational	N
2321	Ctap Nfc skip reader for: Action.	Operational	N
2322	Ctap Nfc transition reader for: Action.	Operational	N
2323	Ctap Nfc send message warning for: Action.	Operational	N
2324	Ctap Nfc send request error for: Action.	Operational	N
2325	Ctap Nfc U2F device.	Operational	N
2326	Ctap Nfc send message at: Action.	Operational	N
2327	Ctap Nfc SCardTransmit Request.	Operational	N
2328	Ctap Nfc SCardTransmit Request.	Operational	N
2329	Ctap Hybrid process Ctap command request callback started.	Operational	N
2330	Ctap Hybrid process Ctap command request callback completed.	Operational	N
2331	Ctap Hybrid process Ctap command request callback completed with error.	Operational	N
2332	Ctap Hybrid Write Message: Message.	Operational	N
2333	Ctap Hybrid Read Message: Message.	Operational	N
2334	Ctap Hybrid Protocol setup started.	Operational	N
2335	Ctap Hybrid Protocol setup completed.	Operational	N
2336	Ctap Hybrid Protocol setup completed with error.	Operational	N
2337	Ctap Hybrid Linked Device Saved.	Operational	N
2400	Ctap Test provider thread started.	Operational	N
2401	Ctap Test provider thread completed.	Operational	N
2402	Ctap Test provider thread completed.	Operational	N
5002	Trust group deletion synchronized	Operational	N
5002	Trust group deletion synchronized.	Operatonal	N
5009	User storage created	Operational	N
5009	User storage created.	Operatonal	N
5010	Synchronization state:	Operational	N
5010	Synchronization state: SyncState.	Operatonal	N
6006	Trust group deleted	Operational	N
6006	Trust group deleted.	Operatonal	N
6007	Cleaned up Local Store	Operational	N
6007	Cleaned up Local Store.	Operatonal	N
6011	This Windows device was not found in the Trusted Device list, resetting local …	Operational	N
6011	This Windows device was not found in the Trusted Device list, resetting local …	Operatonal	N
6250	Event ID 6250	Operational	N
6251	Event ID 6251	Operational	N
6254	Event ID 6254	Operational	N
6254	Error when trying to decode a plugin passkey.	Operational	N
7000	Key rotation failed	Operational	N
7000	Key rotation failed.	Operatonal	N
7001	Cloud store operation failed	Operational	N
7001	Cloud store operation failed.	Operatonal	N
7003	Failed to add trusted device	Operational	N
7003	Failed to add trusted device.	Operatonal	N
7004	Failed to delete trusted device	Operational	N
7004	Failed to delete trusted device.	Operatonal	N
7005	Failed to rename trusted device	Operational	N
7005	Failed to rename trusted device.	Operatonal	N
7008	Local store operation failed	Operational	N
7008	Local store operation failed.	Operatonal	N
7251	Event ID 7251	Operational	N
7252	Event ID 7252	Operational	N
7253	Event ID 7253	Operational	N
7254	Event ID 7254	Operational	N
7255	Event ID 7255	Operational	N
8000	Key rotation succeeded	Operational	N
8000	Key rotation succeeded.	Operatonal	N
8001	Cloud store operation succeeded	Operational	N
8001	Cloud store operation succeeded.	Operatonal	N
8003	Trusted device successfully added	Operational	N
8003	Trusted device successfully added.	Operatonal	N
8004	Trusted device deleted successfully	Operational	N
8004	Trusted device deleted successfully.	Operatonal	N
8005	Trusted device renamed successfully	Operational	N
8005	Trusted device renamed successfully.	Operatonal	N
8008	Local store operation succeeded	Operational	N
8008	Local store operation succeeded.	Debug	N

Event ID 1000: WebAuthN Ctap MakeCredential started.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: WebAuthNCtapMakeCredential
Opcode: Start

Description

WebAuthN Ctap MakeCredential started.

Message #

WebAuthN Ctap MakeCredential started.

TransactionId: %1

Fields #

Name	Description
`TransactionId` GUID

Event ID 1001: WebAuthN Ctap MakeCredential completed.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: WebAuthN Ctap MakeCredential
Opcode: Stop

Description

WebAuthN Ctap MakeCredential completed.

Message #

WebAuthN Ctap MakeCredential completed.

TransactionId: %1

Fields #

Name	Description
`TransactionId` GUID

Event ID 1002: WebAuthN Ctap MakeCredential completed.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: WebAuthNCtapMakeCredential
Opcode: Stop

Description

WebAuthN Ctap MakeCredential completed.

Message #

WebAuthN Ctap MakeCredential completed.

TransactionId: %1
Error: %2. %3

Fields #

Name	Description
`TransactionId` GUID
`Error` HexInt32
`HResult` Int32

Event ID 1003: WebAuthN Ctap GetAssertion started.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: WebAuthNCtapGetAssertion
Opcode: Start

Description

WebAuthN Ctap GetAssertion started.

Message #

WebAuthN Ctap GetAssertion started.

TransactionId: %1

Fields #

Name	Description
`TransactionId` GUID

Event ID 1004: WebAuthN Ctap GetAssertion completed.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: WebAuthN Ctap GetAssertion
Opcode: Stop

Description

WebAuthN Ctap GetAssertion completed.

Message #

WebAuthN Ctap GetAssertion completed.

TransactionId: %1

Fields #

Name	Description
`TransactionId` GUID

Event ID 1005: WebAuthN Ctap GetAssertion completed.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: WebAuthNCtapGetAssertion
Opcode: Stop

Description

WebAuthN Ctap GetAssertion completed.

Message #

WebAuthN Ctap GetAssertion completed.

TransactionId: %1
Error: %2. %3

Fields #

Name	Description
`TransactionId` GUID
`Error` HexInt32
`HResult` Int32

Event ID 1006: WebAuthN Ctap SendCommand started.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: WebAuthNCtapSendCommand
Opcode: Start

Description

WebAuthN Ctap SendCommand started.

Message #

WebAuthN Ctap SendCommand started.

TransactionId: %1
Ticket: %3

Fields #

Name	Description
`TransactionId` GUID
`TicketLength` UInt32
`Ticket` Binary

Event ID 1007: WebAuthN Ctap SendCommand completed.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: WebAuthN Ctap SendCommand
Opcode: Stop

Description

WebAuthN Ctap SendCommand completed.

Message #

WebAuthN Ctap SendCommand completed.

TransactionId: %1

Fields #

Name	Description
`TransactionId` GUID

Event ID 1008: WebAuthN Ctap SendCommand completed.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: WebAuthNCtapSendCommand
Opcode: Stop

Description

WebAuthN Ctap SendCommand completed.

Message #

WebAuthN Ctap SendCommand completed.

TransactionId: %1
Error: %2. %3

Fields #

Name	Description
`TransactionId` GUID
`Error` HexInt32
`HResult` Int32

Event ID 1020: WebAuthN Ngc MakeCredential started.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: WebAuthNNgcMakeCredential
Opcode: Start

Description

WebAuthN Ngc MakeCredential started.

Message #

WebAuthN Ngc MakeCredential started.

TransactionId: %1

Fields #

Name	Description
`TransactionId` GUID

Event ID 1021: WebAuthN Ngc MakeCredential completed.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: WebAuthN Ngc MakeCredential
Opcode: Stop

Description

WebAuthN Ngc MakeCredential completed.

Message #

WebAuthN Ngc MakeCredential completed.

TransactionId: %1

Fields #

Name	Description
`TransactionId` GUID

Event ID 1022: WebAuthN Ngc MakeCredential completed.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: WebAuthNNgcMakeCredential
Opcode: Stop

Description

WebAuthN Ngc MakeCredential completed.

Message #

WebAuthN Ngc MakeCredential completed.

TransactionId: %1
Error: %2. %3

Fields #

Name	Description
`TransactionId` GUID
`Error` HexInt32
`HResult` Int32

Event ID 1023: WebAuthN Ngc GetAssertion started.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: WebAuthNNgcGetAssertion
Opcode: Start

Description

WebAuthN Ngc GetAssertion started.

Message #

WebAuthN Ngc GetAssertion started.

TransactionId: %1

Fields #

Name	Description
`TransactionId` GUID

Event ID 1024: WebAuthN Ngc GetAssertion completed.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: WebAuthN Ngc GetAssertion
Opcode: Stop

Description

WebAuthN Ngc GetAssertion completed.

Message #

WebAuthN Ngc GetAssertion completed.

TransactionId: %1

Fields #

Name	Description
`TransactionId` GUID

Event ID 1025: WebAuthN Ngc GetAssertion completed.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: WebAuthNNgcGetAssertion
Opcode: Stop

Description

WebAuthN Ngc GetAssertion completed.

Message #

WebAuthN Ngc GetAssertion completed.

TransactionId: %1
Error: %2. %3

Fields #

Name	Description
`TransactionId` GUID
`Error` HexInt32
`HResult` Int32

Event ID 1040: Ngc MakeCredential request.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: NgcMakeCredentialRequest
Opcode: Informational

Description

Ngc MakeCredential request.

Message #

Ngc MakeCredential request.

TransactionId: %1
RpId: %2
AccountId: %3
ClientDataHashAlgId: %4 ClientDataLength: %5 ClientDataHash: %7
ExcludeCredentialCount: %8
CredentialParameterCount: %9

Fields #

Name	Description
`TransactionId` GUID
`RpId` UnicodeString
`AccountId` UnicodeString
`ClientDataHashAlgId` UnicodeString
`ClientDataLength` UInt32
`ClientDataHashLength` UInt32
`ClientDataHash` Binary
`CredentialCount` UInt32
`CredentialParameterCount` UInt32

Event ID 1041: Ngc MakeCredential response.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: NgcMakeCredentialResponse
Opcode: Informational

Description

Ngc MakeCredential response.

Message #

Ngc MakeCredential response.

TransactionId: %1
AttestationFormatType: %2
RpIdHash: %4
Flags: %5
SignCount: %6
AAGuid: %7
CredentialId: %9
U2fPublicKey: %10
PublicKey: %12
Response: %14

Fields #

Name	Description
`TransactionId` GUID
`AttestationFormatType` UnicodeString
`RpIdHashLength` UInt32
`RpIdHash` Binary
`Flags` HexInt32
`SignCount` HexInt32
`AAGuid` GUID
`CredentialIdLength` UInt32
`CredentialId` Binary
`U2fPublicKey` Boolean
`PublicKeyLength` UInt32
`PublicKey` Binary
`ResponseLength` UInt32
`Response` Binary

Event ID 1042: Ngc GetAssertion request.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: NgcGetAssertionRequest
Opcode: Informational

Description

Ngc GetAssertion request.

Message #

Ngc GetAssertion request.

TransactionId: %1
RpId: %2
ClientDataHashAlgId: %3 ClientDataLength: %4 ClientDataHash: %6
AllowCredentialCount: %7

Fields #

Name	Description
`TransactionId` GUID
`RpId` UnicodeString
`ClientDataHashAlgId` UnicodeString
`ClientDataLength` UInt32
`ClientDataHashLength` UInt32
`ClientDataHash` Binary
`CredentialCount` UInt32

Event ID 1043: Ngc GetAssertion response.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: NgcGetAssertionResponse
Opcode: Informational

Description

Ngc GetAssertion response.

Message #

Ngc GetAssertion response.

TransactionId: %1
RpIdHash: %3
Flags: %4
SignCount: %5
CredentialId: %7%

Fields #

Name	Description
`TransactionId` GUID
`RpIdHashLength` UInt32
`RpIdHash` Binary
`Flags` HexInt32
`SignCount` HexInt32
`CredentialIdLength` UInt32
`CredentialId` Binary

Event ID 1050: WebAuthN remote RPC request.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Level: Informational
Task: WebAuthNRemoteRPCRequest
Opcode: Informational

Description

WebAuthN remote RPC request.

Message #

WebAuthN remote RPC request.

TransactionId: %1
RemoteRpcRequest: %3

Fields #

Name	Description
`TransactionId` GUID
`RemoteRpcRequestLength` UInt32
`RemoteRpcRequest` Binary

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WebAuthN",
    "guid": "3AE1EA61-C002-47FB-B06C-4022A8C98929",
    "event_source_name": "",
    "event_id": 1050,
    "version": 0,
    "level": 4,
    "task": 16,
    "opcode": 12,
    "keywords": 9223372036854776065,
    "time_created": "2026-03-11T06:37:46.991338+00:00",
    "event_record_id": 130,
    "correlation": {},
    "execution": {
      "process_id": 8132,
      "thread_id": 10968
    },
    "channel": "Microsoft-Windows-WebAuthN/Operational",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-21-3407486967-1585450050-1838039599-1000"
    }
  },
  "event_data": {
    "TransactionId": "39B0A1B3-2EFB-4565-85F8-1963661CDCA3",
    "RemoteRpcRequestLength": 57,
    "RemoteRpcRequest": "A467636F6D6D616E640865666C616773006774696D656F7574006D7472616E73616374696F6E49645000000000000000000000000000000000"
  },
  "message": ""
}

Event ID 1052: WebAuthN remote RPC response.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Level: Informational
Task: WebAuthNRemoteRPCResponse
Opcode: Informational

Description

WebAuthN remote RPC response.

Message #

WebAuthN remote RPC response.

TransactionId: %1
Error: %2. %3
RemoteRpcResponse: %5

Fields #

Name	Description
`TransactionId` GUID
`Error` HexInt32
`HResult` Int32
`RemoteRpcResponseLength` UInt32
`RemoteRpcResponse` Binary

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WebAuthN",
    "guid": "3AE1EA61-C002-47FB-B06C-4022A8C98929",
    "event_source_name": "",
    "event_id": 1052,
    "version": 0,
    "level": 4,
    "task": 17,
    "opcode": 12,
    "keywords": 9223372036854776065,
    "time_created": "2026-03-11T06:37:46.994687+00:00",
    "event_record_id": 131,
    "correlation": {},
    "execution": {
      "process_id": 8132,
      "thread_id": 10968
    },
    "channel": "Microsoft-Windows-WebAuthN/Operational",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-21-3407486967-1585450050-1838039599-1000"
    }
  },
  "event_data": {
    "TransactionId": "39B0A1B3-2EFB-4565-85F8-1963661CDCA3",
    "Error": "0x0",
    "HResult": 0,
    "RemoteRpcResponseLength": 0,
    "RemoteRpcResponse": ""
  },
  "message": ""
}

Event ID 1060: WebAuthN error at: Action.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: WebAuthNError
Opcode: Informational

Description

WebAuthN error at: Action.

Message #

WebAuthN error at: %2

TransactionId: %1
Error: %3. %4

Fields #

Name	Description
`TransactionId` GUID
`Action` AnsiString
`Error` HexInt32
`HResult` Int32

Event ID 1070: WebAuthN IsUserVerifyingPlatformAuthenticatorAvailale: value.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Level: Informational
Task: WebAuthNIUVPAA
Opcode: Informational

Description

WebAuthN IsUserVerifyingPlatformAuthenticatorAvailale: value.

Message #

WebAuthN IsUserVerifyingPlatformAuthenticatorAvailale: %1
Error: %2. %3

Fields #

Name	Description
`value` Boolean
`Error` HexInt32
`HResult` Int32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WebAuthN",
    "guid": "{3AE1EA61-C002-47FB-B06C-4022A8C98929}",
    "event_source_name": "",
    "event_id": 1070,
    "version": 0,
    "level": 4,
    "task": 18,
    "opcode": 12,
    "keywords": -9223372036854775743,
    "time_created": "2026-04-08T19:35:37.1972396+00:00",
    "event_record_id": 83,
    "correlation": {},
    "execution": {
      "process_id": 11476,
      "thread_id": 10452
    },
    "channel": "Microsoft-Windows-WebAuthN/Operational",
    "computer": "JD-WIN11-22H2-1.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1104"
    }
  },
  "event_data": {
    "value": "true",
    "Error": "0x0",
    "HResult": "0"
  },
  "message": "WebAuthN IsUserVerifyingPlatformAuthenticatorAvailale: true\r\nError: 0x0. The operation completed successfully."
}

Event ID 1071: WebAuthN ApiVersion: value.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Level: Informational
Task: WebAuthNApiVersion
Opcode: Informational

Description

WebAuthN ApiVersion: value.

Message #

WebAuthN ApiVersion: %1
Error: %2. %3

Fields #

Name	Description
`value` Int32
`Error` HexInt32
`HResult` Int32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WebAuthN",
    "guid": "3AE1EA61-C002-47FB-B06C-4022A8C98929",
    "event_source_name": "",
    "event_id": 1071,
    "version": 0,
    "level": 4,
    "task": 19,
    "opcode": 12,
    "keywords": 9223372036854775873,
    "time_created": "2023-11-06T01:55:31.345190+00:00",
    "event_record_id": 39,
    "correlation": {},
    "execution": {
      "process_id": 17736,
      "thread_id": 9464
    },
    "channel": "Microsoft-Windows-WebAuthN/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-21-1992711665-1655669231-58201500-1000"
    }
  },
  "event_data": {
    "value": 4,
    "Error": "0x0",
    "HResult": 0
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 1072: WebAuthN CancelCurrentOperation: value.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: WebAuthNCancelCurrentOperation
Opcode: Informational

Description

WebAuthN CancelCurrentOperation: value.

Message #

WebAuthN CancelCurrentOperation: %1
Error: %2. %3

Fields #

Name	Description
`value` GUID
`Error` HexInt32
`HResult` Int32

Event ID 1100: Cbor decode error.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: CborDecodeError
Opcode: Informational

Description

Cbor decode error.

Message #

Cbor decode error.

TransactionId: %1
Function: %2
CborError: %3 %4
ErrorOffset: %5 LineNumber: %6
Encoded: %8

Fields #

Name	Description
`TransactionId` GUID
`Function` AnsiString
`CborError` Int32
`CborErrorString` AnsiString
`ErrorOffset` UInt32
`LineNumber` UInt32
`EncodedLength` UInt32
`Encoded` Binary

Event ID 1101: Cbor encode MakeCredential request.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: CborEncodeMakeCredentialRequest
Opcode: Informational

Description

Cbor encode MakeCredential request.

Message #

Cbor encode MakeCredential request.

TransactionId: %1
RpId: %2
UserId: %4
ClientDataHashAlgId: %5 ClientDataLength: %6 ClientDataHash: %8
RequireResidentKey: %9
ExcludeCredentialCount: %10
CredentialParameterCount: %11
Request: %13

Fields #

Name	Description
`TransactionId` GUID
`RpId` UnicodeString
`UserIdLength` UInt32
`UserId` Binary
`ClientDataHashAlgId` UnicodeString
`ClientDataLength` UInt32
`ClientDataHashLength` UInt32
`ClientDataHash` Binary
`RequireResidentKey` Boolean
`CredentialCount` UInt32
`CredentialParameterCount` UInt32
`RequestLength` UInt32
`Request` Binary

Event ID 1102: Cbor decode MakeCredential response.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: CborDecodeMakeCredentialResponse
Opcode: Informational

Description

Cbor decode MakeCredential response.

Message #

Cbor decode MakeCredential response.

TransactionId: %1
AttestationFormatType: %2
RpIdHash: %4
Flags: %5
SignCount: %6
AAGuid: %7
CredentialId: %9
U2fPublicKey: %10
PublicKey: %12
Response: %14

Fields #

Name	Description
`TransactionId` GUID
`AttestationFormatType` UnicodeString
`RpIdHashLength` UInt32
`RpIdHash` Binary
`Flags` HexInt32
`SignCount` HexInt32
`AAGuid` GUID
`CredentialIdLength` UInt32
`CredentialId` Binary
`U2fPublicKey` Boolean
`PublicKeyLength` UInt32
`PublicKey` Binary
`ResponseLength` UInt32
`Response` Binary

Event ID 1103: Cbor encode GetAssertion request.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: CborEncodeGetAssertionRequest
Opcode: Informational

Description

Cbor encode GetAssertion request.

Message #

Cbor encode GetAssertion request.

TransactionId: %1
RpId: %2
ClientDataHashAlgId: %3 ClientDataLength: %4 ClientDataHash: %6
AllowCredentialCount: %7
Request: %9

Fields #

Name	Description
`TransactionId` GUID
`RpId` UnicodeString
`ClientDataHashAlgId` UnicodeString
`ClientDataLength` UInt32
`ClientDataHashLength` UInt32
`ClientDataHash` Binary
`CredentialCount` UInt32
`RequestLength` UInt32
`Request` Binary

Event ID 1104: Cbor decode GetAssertion response.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: CborDecodeGetAssertionResponse
Opcode: Informational

Description

Cbor decode GetAssertion response.

Message #

Cbor decode GetAssertion response.

TransactionId: %1
RpIdHash: %3
Flags: %4
SignCount: %5
CredentialId: %7
Response: %9

Fields #

Name	Description
`TransactionId` GUID
`RpIdHashLength` UInt32
`RpIdHash` Binary
`Flags` HexInt32
`SignCount` HexInt32
`CredentialIdLength` UInt32
`CredentialId` Binary
`ResponseLength` UInt32
`Response` Binary

Event ID 2000: Ctap service started successfully.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Level: Success
Task: Ctap Service
Opcode: Start

Description

Ctap service started successfully.

Message #

Ctap service started successfully.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WebAuthN",
    "guid": "{3AE1EA61-C002-47FB-B06C-4022A8C98929}",
    "event_source_name": "",
    "event_id": 2000,
    "version": 0,
    "level": 16,
    "task": 500,
    "opcode": 10,
    "keywords": -9223372036854775806,
    "time_created": "2026-05-29T16:33:04.4411371+00:00",
    "event_record_id": 19,
    "correlation": {},
    "execution": {
      "process_id": 3592,
      "thread_id": 3780
    },
    "channel": "Microsoft-Windows-WebAuthN/Operational",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": "S-1-5-20"
    }
  },
  "event_data": {},
  "message": "Ctap service started successfully."
}

Event ID 2001: Ctap service stopped successfully.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Level: Success
Task: Ctap Service
Opcode: Stop

Description

Ctap service stopped successfully.

Message #

Ctap service stopped successfully.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WebAuthN",
    "guid": "{3AE1EA61-C002-47FB-B06C-4022A8C98929}",
    "event_source_name": "",
    "event_id": 2001,
    "version": 0,
    "level": 16,
    "task": 500,
    "opcode": 11,
    "keywords": -9223372036854775806,
    "time_created": "2026-06-13T05:22:34.8634456+00:00",
    "event_record_id": 20,
    "correlation": {},
    "execution": {
      "process_id": 3700,
      "thread_id": 4156
    },
    "channel": "Microsoft-Windows-WebAuthN/Operational",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": "S-1-5-20"
    }
  },
  "event_data": {},
  "message": "Ctap service stopped successfully."
}

Event ID 2100: Ctap Command started.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Level: Informational
Task: CtapCommand
Opcode: Start

Description

Ctap Command started.

Message #

Ctap %1 started.

TransactionId: %2
Flags: %3
TimeoutMilliseconds: %4
Ticket: %6
Request: %8

Fields #

Name	Description
`Command` UnicodeString
`TransactionId` GUID
`Flags` HexInt32
`TimeoutMilliseconds` UInt32
`TicketLength` UInt32
`Ticket` Binary
`RequestLength` UInt32
`Request` Binary

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WebAuthN",
    "event_id": 2100,
    "level": 4,
    "task": 501,
    "opcode": 10,
    "time_created": "2026-04-17T21:49:07.6566494+00:00",
    "computer": "WIN11-25H2-X64",
    "channel": "Microsoft-Windows-WebAuthN"
  },
  "event_data": {
    "TicketLength": "0",
    "Command": "command",
    "Flags": "0x0",
    "RequestLength": "80",
    "TimeoutMilliseconds": "0",
    "TransactionId": "{d3cbcfa6-7e0d-4cc3-9da8-c05205f86cda}",
    "Request": "A567636F6D6D616E640B65666C616773006774696D656F7574006D7472616E73616374696F6E496450A6CFCBD30D7EC34C9DA8C05205F86CDA7566696C7465724879627269645472616E73706F7274F4"
  }
}

Event ID 2101: Ctap command started.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: CtapCommand
Opcode: Start

Description

Ctap command started.

Message #

Ctap command started.

Request: %2

Fields #

Name	Description
`RequestLength` UInt32
`Request` Binary

Event ID 2102: Ctap Command completed.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Level: Success
Task: Ctap Command
Opcode: Stop

Description

Ctap Command completed.

Message #

Ctap %1 completed.

TransactionId: %2
Response: %4

Fields #

Name	Description
`Command` UnicodeString
`TransactionId` GUID
`ResponseLength` UInt32
`Response` Binary

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WebAuthN",
    "event_id": 2102,
    "level": 16,
    "task": 501,
    "opcode": 11,
    "time_created": "2026-04-17T21:49:07.9559850+00:00",
    "computer": "WIN11-25H2-X64",
    "channel": "Microsoft-Windows-WebAuthN"
  },
  "event_data": {
    "TransactionId": "{d3cbcfa6-7e0d-4cc3-9da8-c05205f86cda}",
    "Command": "command",
    "ResponseLength": "0"
  }
}

Event ID 2103: Ctap Command completed.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: CtapCommand
Opcode: Stop

Description

Ctap Command completed.

Message #

Ctap %1 completed.

TransactionId: %2
Error: %3. %4

Fields #

Name	Description
`Command` UnicodeString
`TransactionId` GUID
`Error` HexInt32
`Win32Error` HexInt32

Event ID 2104: Ctap device info.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: CtapDeviceInfo
Opcode: Informational

Description

Ctap device info.

Message #

Ctap device info.

TransactionId: %1
ProviderName: %2
DevicePath: %3
Manufacturer: %4
Product: %5
AAGuid: %6
U2fProtocol: %7

Fields #

Name	Description
`TransactionId` GUID
`ProviderName` UnicodeString
`DevicePath` UnicodeString
`Manufacturer` UnicodeString
`Product` UnicodeString
`AAGuid` GUID
`U2fProtocol` Boolean

Event ID 2105: Ctap Function: Function Location: Location.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: CtapFunction
Opcode: Informational

Description

Ctap Function: Function Location: Location.

Message #

Ctap Function: %1 Location: %2

Error: %3. %4

Fields #

Name	Description
`Function` AnsiString
`Location` AnsiString
`Error` HexInt32
`Win32Error` HexInt32

Event ID 2106: Ctap Name: Name Value: Value.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: CtapFunction
Opcode: Informational

Description

Ctap Name: Name Value: Value.

Message #

Ctap Name: %1 Value: %2

Fields #

Name	Description
`Name` UnicodeString
`Value` UnicodeString

Event ID 2107

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: CtapFunction
Opcode: Informational

Event ID 2110: Ctap device device state info.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: WNFCtapDeviceStateInfo
Opcode: Informational

Description

Ctap device device state info.

Message #

Ctap device device state info.

Transport Type: %1
WnfState: %2
Error: %3. %4

Fields #

Name	Description
`Transport` HexInt32
`WnfState` HexInt32
`Error` HexInt32
`Win32Error` HexInt32

Event ID 2111: Ctap device change notify info.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: WNFCtapDeviceChangeNotifyInfo
Opcode: Informational

Description

Ctap device change notify info.

Message #

Ctap device change notify info.

Transport Type: %1

Fields #

Name	Description
`Transport` HexInt32

Event ID 2200: Ctap Usb provider thread started.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: CtapUsbProviderThread
Opcode: Start

Description

Ctap Usb provider thread started.

Message #

Ctap Usb provider thread started.

TransactionId: %1

Fields #

Name	Description
`TransactionId` GUID

Event ID 2201: Ctap Usb provider thread completed.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: Ctap Usb Provider Thread
Opcode: Stop

Description

Ctap Usb provider thread completed.

Message #

Ctap Usb provider thread completed.

TransactionId: %1

Fields #

Name	Description
`TransactionId` GUID

Event ID 2202: Ctap Usb provider thread completed.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: CtapUsbProviderThread
Opcode: Stop

Description

Ctap Usb provider thread completed.

Message #

Ctap Usb provider thread completed.

TransactionId: %1
Error: %2. %3

Fields #

Name	Description
`TransactionId` GUID
`Error` HexInt32
`Win32Error` HexInt32

Event ID 2203: Ctap Usb provider thread completed.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: CtapUsbProviderThread
Opcode: Stop

Description

Ctap Usb provider thread completed.

Message #

Ctap Usb provider thread completed.

TransactionId: %1
Error: %2. %3

Fields #

Name	Description
`TransactionId` GUID
`Error` HexInt32
`Win32Error` HexInt32

Event ID 2210: Ctap Usb device thread started.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: CtapUsbDeviceThread
Opcode: Start

Description

Ctap Usb device thread started.

Message #

Ctap Usb device thread started.

TransactionId: %1
DevicePath: %2
Manufacturer: %3
Product: %4

Fields #

Name	Description
`TransactionId` GUID
`DevicePath` UnicodeString
`Manufacturer` UnicodeString
`Product` UnicodeString

Event ID 2211: Ctap Usb device thread completed.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: Ctap Usb Device Thread
Opcode: Stop

Description

Ctap Usb device thread completed.

Message #

Ctap Usb device thread completed.

TransactionId: %1
DevicePath: %2
Manufacturer: %3
Product: %4
AAGuid: %5
U2fProtocol: %6

Fields #

Name	Description
`TransactionId` GUID
`DevicePath` UnicodeString
`Manufacturer` UnicodeString
`Product` UnicodeString
`AAGuid` GUID
`U2fProtocol` Boolean

Event ID 2212: Ctap Usb device thread completed.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: CtapUsbDeviceThread
Opcode: Stop

Description

Ctap Usb device thread completed.

Message #

Ctap Usb device thread completed.

TransactionId: %1
DevicePath: %2
Manufacturer: %3
Product: %4
AAGuid: %5
U2fProtocol: %6
State: %7
Status: %8
Error: %9. %10

Fields #

Name	Description
`TransactionId` GUID
`DevicePath` UnicodeString
`Manufacturer` UnicodeString
`Product` UnicodeString
`AAGuid` GUID
`U2fProtocol` Boolean
`State` UInt32
`Status` HexInt32	NTSTATUS reference
`Error` HexInt32
`Win32Error` HexInt32

Event ID 2213: Ctap Usb device thread completed.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: CtapUsbDeviceThread
Opcode: Stop

Description

Ctap Usb device thread completed.

Message #

Ctap Usb device thread completed.

TransactionId: %1
DevicePath: %2
Manufacturer: %3
Product: %4
AAGuid: %5
U2fProtocol: %6
State: %7
Status: %8
Error: %9. %10

Fields #

Name	Description
`TransactionId` GUID
`DevicePath` UnicodeString
`Manufacturer` UnicodeString
`Product` UnicodeString
`AAGuid` GUID
`U2fProtocol` Boolean
`State` UInt32
`Status` HexInt32	NTSTATUS reference
`Error` HexInt32
`Win32Error` HexInt32

Event ID 2220: Ctap Usb add device.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: CtapUsbAdd
Opcode: Informational

Description

Ctap Usb add device.

Message #

Ctap Usb add device.

TransactionId: %1
DevicePath: %2
Manufacturer: %3
Product: %4

Fields #

Name	Description
`TransactionId` GUID
`DevicePath` UnicodeString
`Manufacturer` UnicodeString
`Product` UnicodeString

Event ID 2221: Ctap Usb remove device.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: CtapUsbRemove
Opcode: Informational

Description

Ctap Usb remove device.

Message #

Ctap Usb remove device.

TransactionId: %1
DevicePath: %2
Manufacturer: %3
Product: %4

Fields #

Name	Description
`TransactionId` GUID
`DevicePath` UnicodeString
`Manufacturer` UnicodeString
`Product` UnicodeString

Event ID 2222: Ctap Usb device changes.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: CtapUsbChanges
Opcode: Informational

Description

Ctap Usb device changes.

Message #

Ctap Usb device changes.

TransactionId: %1

Fields #

Name	Description
`TransactionId` GUID

Event ID 2223: Ctap Usb U2F device.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: CtapUsbSwitchToU2F
Opcode: Informational

Description

Ctap Usb U2F device.

Message #

Ctap Usb U2F device.

TransactionId: %1
DevicePath: %2
Manufacturer: %3
Product: %4

Fields #

Name	Description
`TransactionId` GUID
`DevicePath` UnicodeString
`Manufacturer` UnicodeString
`Product` UnicodeString

Event ID 2224: Ctap Usb connect to device.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: CtapUsbConnect
Opcode: Informational

Description

Ctap Usb connect to device.

Message #

Ctap Usb connect to device.

TransactionId: %1
DevicePath: %2
Manufacturer: %3
Product: %4
DeviceErr: %5
Status: %6
Error: %7. %8

Fields #

Name	Description
`TransactionId` GUID
`DevicePath` UnicodeString
`Manufacturer` UnicodeString
`Product` UnicodeString
`DeviceErr` HexInt32
`Status` HexInt32	NTSTATUS reference
`Error` HexInt32
`Win32Error` HexInt32

Event ID 2225: Ctap Usb Send Receive.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: CtapUsbSendReceive
Opcode: Informational

Description

Ctap Usb Send Receive.

Message #

Ctap Usb Send Receive:

TransactionId: %1
Request Command: %2 Response Command: %5
Request: %4
Response: %7

Fields #

Name	Description
`TransactionId` GUID
`RequestCommand` UInt8
`RequestLength` UInt32
`Request` Binary
`ResponseCommand` UInt8
`ResponseLength` UInt32
`Response` Binary

Event ID 2226: Ctap Usb Send Receive.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: CtapUsbSendReceive
Opcode: Informational

Description

Ctap Usb Send Receive.

Message #

Ctap Usb Send Receive:

TransactionId: %1
Request Command: %2 Response Command: %5
Request: %4
Response: %7
Error: %8. %9

Fields #

Name	Description
`TransactionId` GUID
`RequestCommand` UInt8
`RequestLength` UInt32
`Request` Binary
`ResponseCommand` UInt8
`ResponseLength` UInt32
`Response` Binary
`Error` HexInt32
`Win32Error` HexInt32

Event ID 2250: Ctap Ble provider thread started.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: CtapBleProviderThread
Opcode: Start

Description

Ctap Ble provider thread started.

Message #

Ctap Ble provider thread started.

TransactionId: %1

Fields #

Name	Description
`TransactionId` GUID

Event ID 2251: Ctap Ble provider thread completed.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: Ctap Ble Provider Thread
Opcode: Stop

Description

Ctap Ble provider thread completed.

Message #

Ctap Ble provider thread completed.

TransactionId: %1

Fields #

Name	Description
`TransactionId` GUID

Event ID 2252: Ctap Ble provider thread completed.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: CtapBleProviderThread
Opcode: Stop

Description

Ctap Ble provider thread completed.

Message #

Ctap Ble provider thread completed.

TransactionId: %1
Error: %2. %3

Fields #

Name	Description
`TransactionId` GUID
`Error` HexInt32
`Win32Error` HexInt32

Event ID 2253: Ctap Ble provider thread completed.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: CtapBleProviderThread
Opcode: Stop

Description

Ctap Ble provider thread completed.

Message #

Ctap Ble provider thread completed.

TransactionId: %1
Error: %2. %3

Fields #

Name	Description
`TransactionId` GUID
`Error` HexInt32
`Win32Error` HexInt32

Event ID 2260: Ctap Ble device thread started.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: CtapBleDeviceThread
Opcode: Start

Description

Ctap Ble device thread started.

Message #

Ctap Ble device thread started.

TransactionId: %1
DevicePath: %2
PairedName: %3

Fields #

Name	Description
`TransactionId` GUID
`DevicePath` UnicodeString
`PairedName` UnicodeString

Event ID 2261: Ctap Ble device thread completed.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: Ctap Ble Device Thread
Opcode: Stop

Description

Ctap Ble device thread completed.

Message #

Ctap Ble device thread completed.

TransactionId: %1
DevicePath: %2
PairedName: %3
AAGuid: %4
U2fProtocol: %5

Fields #

Name	Description
`TransactionId` GUID
`DevicePath` UnicodeString
`PairedName` UnicodeString
`AAGuid` GUID
`U2fProtocol` Boolean

Event ID 2262: Ctap Ble device thread completed.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: CtapBleDeviceThread
Opcode: Stop

Description

Ctap Ble device thread completed.

Message #

Ctap Ble device thread completed.

TransactionId: %1
DevicePath: %2
PairedName: %3
AAGuid: %4
U2fProtocol: %5
State: %6
Status: %7
Error: %8. %9

Fields #

Name	Description
`TransactionId` GUID
`DevicePath` UnicodeString
`PairedName` UnicodeString
`AAGuid` GUID
`U2fProtocol` Boolean
`State` UInt32
`Status` HexInt32	NTSTATUS reference
`Error` HexInt32
`Win32Error` HexInt32

Event ID 2263: Ctap Ble device thread completed.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: CtapBleDeviceThread
Opcode: Stop

Description

Ctap Ble device thread completed.

Message #

Ctap Ble device thread completed.

TransactionId: %1
DevicePath: %2
PairedName: %3
AAGuid: %4
U2fProtocol: %5
State: %6
Status: %7
Error: %8. %9

Fields #

Name	Description
`TransactionId` GUID
`DevicePath` UnicodeString
`PairedName` UnicodeString
`AAGuid` GUID
`U2fProtocol` Boolean
`State` UInt32
`Status` HexInt32	NTSTATUS reference
`Error` HexInt32
`Win32Error` HexInt32

Event ID 2270: Ctap Ble Function: Function Location: Location.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: CtapBleFunction
Opcode: Informational

Description

Ctap Ble Function: Function Location: Location.

Message #

Ctap Ble Function: %1 Location: %2

Error: %3. %4

Fields #

Name	Description
`Function` AnsiString
`Location` AnsiString
`Error` HexInt32
`Win32Error` HexInt32

Event ID 2271: Ctap Ble U2F device.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: CtapBleSwitchToU2F
Opcode: Informational

Description

Ctap Ble U2F device.

Message #

Ctap Ble U2F device.

TransactionId: %1
DevicePath: %2
PairedName: %3

Fields #

Name	Description
`TransactionId` GUID
`DevicePath` UnicodeString
`PairedName` UnicodeString

Event ID 2272: Ctap Ble Send Receive.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: CtapBleSendReceive
Opcode: Informational

Description

Ctap Ble Send Receive.

Message #

Ctap Ble Send Receive:

TransactionId: %1
Request Command: %2 Response Command: %5
Request: %4
Response: %7

Fields #

Name	Description
`TransactionId` GUID
`RequestCommand` UInt8
`RequestLength` UInt32
`Request` Binary
`ResponseCommand` UInt8
`ResponseLength` UInt32
`Response` Binary

Event ID 2273: Ctap Ble Send Receive.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: CtapBleSendReceive
Opcode: Informational

Description

Ctap Ble Send Receive.

Message #

Ctap Ble Send Receive:

TransactionId: %1
Request Command: %2 Response Command: %5
Request: %4
Response: %7
Location: %8
Error: %9. %10

Fields #

Name	Description
`TransactionId` GUID
`RequestCommand` UInt8
`RequestLength` UInt32
`Request` Binary
`ResponseCommand` UInt8
`ResponseLength` UInt32
`Response` Binary
`Location` AnsiString
`Error` HexInt32
`Win32Error` HexInt32

Event ID 2300: Ctap Nfc provider thread started.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: CtapNfcProviderThread
Opcode: Start

Description

Ctap Nfc provider thread started.

Message #

Ctap Nfc provider thread started.

TransactionId: %1

Fields #

Name	Description
`TransactionId` GUID

Event ID 2301: Ctap Nfc provider thread completed.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: Ctap Nfc Provider Thread
Opcode: Stop

Description

Ctap Nfc provider thread completed.

Message #

Ctap Nfc provider thread completed.

TransactionId: %1

Fields #

Name	Description
`TransactionId` GUID

Event ID 2302: Ctap Nfc provider thread completed.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: CtapNfcProviderThread
Opcode: Stop

Description

Ctap Nfc provider thread completed.

Message #

Ctap Nfc provider thread completed.

TransactionId: %1
Error: %2. %3

Fields #

Name	Description
`TransactionId` GUID
`Error` HexInt32
`Win32Error` HexInt32

Event ID 2303: Ctap Nfc provider thread completed.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: CtapNfcProviderThread
Opcode: Stop

Description

Ctap Nfc provider thread completed.

Message #

Ctap Nfc provider thread completed.

TransactionId: %1
Error: %2. %3

Fields #

Name	Description
`TransactionId` GUID
`Error` HexInt32
`Win32Error` HexInt32

Event ID 2310: Ctap Nfc reader thread started.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: CtapNfcReaderThread
Opcode: Start

Description

Ctap Nfc reader thread started.

Message #

Ctap Nfc reader thread started.

TransactionId: %1
Reader: %2

Fields #

Name	Description
`TransactionId` GUID
`Reader` UnicodeString

Event ID 2311: Ctap Nfc reader thread completed.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: Ctap Nfc Reader Thread
Opcode: Stop

Description

Ctap Nfc reader thread completed.

Message #

Ctap Nfc reader thread completed.

TransactionId: %1
Reader: %2
AAGuid: %3
U2fProtocol: %4

Fields #

Name	Description
`TransactionId` GUID
`Reader` UnicodeString
`AAGuid` GUID
`U2fProtocol` Boolean

Event ID 2312: Ctap Nfc reader thread completed.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: CtapNfcReaderThread
Opcode: Stop

Description

Ctap Nfc reader thread completed.

Message #

Ctap Nfc reader thread completed.

TransactionId: %1
Reader: %2
AAGuid: %3
U2fProtocol: %4
State: %5
Status: %6
Error: %7. %8

Fields #

Name	Description
`TransactionId` GUID
`Reader` UnicodeString
`AAGuid` GUID
`U2fProtocol` Boolean
`State` UInt32
`Status` HexInt32	NTSTATUS reference
`Error` HexInt32
`Win32Error` HexInt32

Event ID 2313: Ctap Nfc reader thread completed.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: CtapNfcReaderThread
Opcode: Stop

Description

Ctap Nfc reader thread completed.

Message #

Ctap Nfc reader thread completed.

TransactionId: %1
Reader: %2
AAGuid: %3
U2fProtocol: %4
State: %5
Status: %6
Error: %7. %8

Fields #

Name	Description
`TransactionId` GUID
`Reader` UnicodeString
`AAGuid` GUID
`U2fProtocol` Boolean
`State` UInt32
`Status` HexInt32	NTSTATUS reference
`Error` HexInt32
`Win32Error` HexInt32

Event ID 2314: Ctap Nfc reader manager thread started.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: CtapNfcReaderManagerThread
Opcode: Start

Description

Ctap Nfc reader manager thread started.

Message #

Ctap Nfc reader manager thread started.

TransactionId: %1

Fields #

Name	Description
`TransactionId` GUID

Event ID 2315: Ctap Nfc reader manager thread completed.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: Ctap Nfc Reader Manager Thread
Opcode: Stop

Description

Ctap Nfc reader manager thread completed.

Message #

Ctap Nfc reader manager thread completed.

TransactionId: %1
NumberOfTimesScardCancelCommandsSent: %2

Fields #

Name	Description
`TransactionId` GUID
`NumberOfTimesScardCancelCommandsSent` UInt32

Event ID 2316: Cancelling Reader Threads.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: CtapNfcReaderManagerThread
Opcode: Informational

Description

Cancelling Reader Threads.

Message #

Cancelling Reader Threads.

TransactionId: %1

Fields #

Name	Description
`TransactionId` GUID
`CallCancelled` Boolean

Event ID 2320: Ctap Nfc add reader.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: CtapNfcAddReader
Opcode: Informational

Description

Ctap Nfc add reader.

Message #

Ctap Nfc add reader.

TransactionId: %1
Reader: %2

Fields #

Name	Description
`TransactionId` GUID
`Reader` UnicodeString

Event ID 2321: Ctap Nfc skip reader for: Action.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: CtapNfcSkipReader
Opcode: Informational

Description

Ctap Nfc skip reader for: Action.

Message #

Ctap Nfc skip reader for: %2.

TransactionId: %1
Reader: %3
DeviceInstanceId: %4

Fields #

Name	Description
`TransactionId` GUID
`Action` AnsiString
`Reader` UnicodeString
`DeviceInstanceId` UnicodeString

Event ID 2322: Ctap Nfc transition reader for: Action.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: CtapNfcTransitionReader
Opcode: Informational

Description

Ctap Nfc transition reader for: Action.

Message #

Ctap Nfc transition reader for: %2.

TransactionId: %1
Reader: %3

Fields #

Name	Description
`TransactionId` GUID
`Action` AnsiString
`Reader` UnicodeString

Event ID 2323: Ctap Nfc send message warning for: Action.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: CtapNfcSendMessage
Opcode: Informational

Description

Ctap Nfc send message warning for: Action.

Message #

Ctap Nfc send message warning for: %2.

TransactionId: %1
Reader: %3
ApduStatus: %4
DeviceStatus: %5
SmartCardError: %6. %7

Fields #

Name	Description
`TransactionId` GUID
`Action` AnsiString
`Reader` UnicodeString
`ApduStatus` UInt16
`DeviceStatus` HexInt32
`Error` HexInt32
`Win32Error` HexInt32

Event ID 2324: Ctap Nfc send request error for: Action.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: CtapNfcSendRequest
Opcode: Informational

Description

Ctap Nfc send request error for: Action.

Message #

Ctap Nfc send request error for: %2.

TransactionId: %1
Reader: %3
ApduStatus: %4
DeviceStatus: %5
Error: %6. %7

Fields #

Name	Description
`TransactionId` GUID
`Action` AnsiString
`Reader` UnicodeString
`ApduStatus` UInt16
`DeviceStatus` HexInt32
`Error` HexInt32
`Win32Error` HexInt32

Event ID 2325: Ctap Nfc U2F device.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: CtapNfcSwitchToU2F
Opcode: Informational

Description

Ctap Nfc U2F device.

Message #

Ctap Nfc U2F device.

TransactionId: %1
Reader: %2

Fields #

Name	Description
`TransactionId` GUID
`Reader` UnicodeString

Event ID 2326: Ctap Nfc send message at: Action.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: CtapNfcSendMessage
Opcode: Informational

Description

Ctap Nfc send message at: Action.

Message #

Ctap Nfc send message at: %2.

TransactionId: %1
Reader: %3

Fields #

Name	Description
`TransactionId` GUID
`Action` AnsiString
`Reader` UnicodeString

Event ID 2327: Ctap Nfc SCardTransmit Request.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: CtapNfcSCardTransmitRequest
Opcode: Informational

Description

Ctap Nfc SCardTransmit Request.

Message #

Ctap Nfc SCardTransmit Request:

TransactionId: %1
Reader: %2

Request: %3 bytes
%4

Response data: %5 bytes
%6

Apdu Status: %7

Fields #

Name	Description
`TransactionId` GUID
`Reader` UnicodeString
`RequestLength` UInt32
`Request` Binary
`ResponseLength` UInt32
`Response` Binary
`ApduStatus` UInt16

Event ID 2328: Ctap Nfc SCardTransmit Request.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: CtapNfcSCardTransmitRequest
Opcode: Informational

Description

Ctap Nfc SCardTransmit Request.

Message #

Ctap Nfc SCardTransmit Request:

TransactionId: %1
Reader: %2

Request: %3 bytes
%4

Response data: %5 bytes
%6

Apdu Status: %7

Error: %8. %9

Fields #

Name	Description
`TransactionId` GUID
`Reader` UnicodeString
`RequestLength` UInt32
`Request` Binary
`ResponseLength` UInt32
`Response` Binary
`ApduStatus` UInt16
`Error` HexInt32
`Win32Error` HexInt32

Event ID 2329: Ctap Hybrid process Ctap command request callback started.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: CtapHybridProcessCtapCommandRequestCallback
Opcode: Start

Description

Ctap Hybrid process Ctap command request callback started.

Message #

Ctap Hybrid process Ctap command request callback started. 

TransactionId: %1

Fields #

Name	Description
`TransactionId` GUID

Event ID 2330: Ctap Hybrid process Ctap command request callback completed.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: CtapHybridProcessCtapCommandRequestCallback
Opcode: Stop

Description

Ctap Hybrid process Ctap command request callback completed.

Message #

Ctap Hybrid process Ctap command request callback completed. 

TransactionId: %1

Fields #

Name	Description
`TransactionId` GUID

Event ID 2331: Ctap Hybrid process Ctap command request callback completed with error.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: CtapHybridProcessCtapCommandRequestCallback
Opcode: Stop

Description

Ctap Hybrid process Ctap command request callback completed with error.

Message #

Ctap Hybrid process Ctap command request callback completed with error. 

TransactionId: %1
Error: %2. %3

Fields #

Name	Description
`TransactionId` GUID
`Error` HexInt32
`HResult` Int32

Event ID 2332: Ctap Hybrid Write Message: Message.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: CtapHybridWriteMessage
Opcode: Informational

Description

Ctap Hybrid Write Message: Message.

Message #

Ctap Hybrid Write Message: %2

Fields #

Name	Description
`MessageLength` UInt32
`Message` Binary

Event ID 2333: Ctap Hybrid Read Message: Message.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: CtapHybridReadMessage
Opcode: Informational

Description

Ctap Hybrid Read Message: Message.

Message #

Ctap Hybrid Read Message: %2

Fields #

Name	Description
`MessageLength` UInt32
`Message` Binary

Event ID 2334: Ctap Hybrid Protocol setup started.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: CtapHybridProtocolSetup
Opcode: Start

Description

Ctap Hybrid Protocol setup started.

Message #

Ctap Hybrid Protocol setup started. 

TransactionId: %1

Fields #

Name	Description
`TransactionId` GUID

Event ID 2335: Ctap Hybrid Protocol setup completed.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: CtapHybridProtocolSetup
Opcode: Stop

Description

Ctap Hybrid Protocol setup completed.

Message #

Ctap Hybrid Protocol setup completed. 

TransactionId: %1 
SetupType: %2

Fields #

Name	Description
`TransactionId` GUID
`Action` AnsiString
`Error` HexInt32
`HResult` Int32

Event ID 2336: Ctap Hybrid Protocol setup completed with error.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: CtapHybridProtocolSetup
Opcode: Stop

Description

Ctap Hybrid Protocol setup completed with error.

Message #

Ctap Hybrid Protocol setup completed with error. 

TransactionId: %1 
SetupType: %2 
Error: %3. %4

Fields #

Name	Description
`TransactionId` GUID
`Action` AnsiString
`Error` HexInt32
`HResult` Int32

Event ID 2337: Ctap Hybrid Linked Device Saved.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: CtapHybridLinkedDeviceSaved
Opcode: Informational

Description

Ctap Hybrid Linked Device Saved.

Message #

Ctap Hybrid Linked Device Saved. 

Success: %1 
Error: %2. %3

Fields #

Name	Description
`value` Boolean
`Error` HexInt32
`HResult` Int32

Event ID 2400: Ctap Test provider thread started.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: CtapTestProviderThread
Opcode: Start

Description

Ctap Test provider thread started.

Message #

Ctap Test provider thread started.

TransactionId: %1

Fields #

Name	Description
`TransactionId` GUID

Event ID 2401: Ctap Test provider thread completed.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: Ctap Test Provider Thread
Opcode: Stop

Description

Ctap Test provider thread completed.

Message #

Ctap Test provider thread completed.

TransactionId: %1

Fields #

Name	Description
`TransactionId` GUID

Event ID 2402: Ctap Test provider thread completed.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: CtapTestProviderThread
Opcode: Stop

Description

Ctap Test provider thread completed.

Message #

Ctap Test provider thread completed.

TransactionId: %1
Error: %2. %3

Fields #

Name	Description
`TransactionId` GUID
`Error` HexInt32
`Win32Error` HexInt32

Event ID 5002: Trust group deletion synchronized

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: Sync
Opcode: Informational

Description

Trust group deletion synchronized.

Event ID 5002: Trust group deletion synchronized.

Provider: Microsoft-Windows-WebAuthN
Channel: Operatonal
Task: Sync
Opcode: Informational

Description

Trust group deletion synchronized.

Message #

Trust group deletion synchronized.

Event ID 5009: User storage created

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: LocalStore
Opcode: Informational

Description

User storage created.

Fields #

Name	Description
`StorageID` GUID
`UserSid` SID

Event ID 5009: User storage created.

Provider: Microsoft-Windows-WebAuthN
Channel: Operatonal
Task: LocalStore
Opcode: Informational

Description

User storage created.

Message #

User storage created.

StorageID: %1
UserSid: %2

Fields #

Name	Description
`StorageID` GUID
`UserSid` SID

Event ID 5010: Synchronization state:

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: SyncState
Opcode: Informational

Description

Synchronization state.

Fields #

Name	Description
`SyncState` UInt32

Event ID 5010: Synchronization state: SyncState.

Provider: Microsoft-Windows-WebAuthN
Channel: Operatonal
Task: SyncState
Opcode: Informational

Description

Synchronization state: SyncState.

Message #

Synchronization state: %1

Fields #

Name	Description
`SyncState` UInt32

Event ID 6006: Trust group deleted

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: TrustGroup
Opcode: Informational

Description

Trust group deleted.

Event ID 6006: Trust group deleted.

Provider: Microsoft-Windows-WebAuthN
Channel: Operatonal
Task: TrustGroup
Opcode: Informational

Description

Trust group deleted.

Message #

Trust group deleted.

Event ID 6007: Cleaned up Local Store

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: LocalStore
Opcode: Informational

Description

Cleaned up Local Store.

Event ID 6007: Cleaned up Local Store.

Provider: Microsoft-Windows-WebAuthN
Channel: Operatonal
Task: LocalStore
Opcode: Informational

Description

Cleaned up Local Store.

Message #

Cleaned up Local Store.

Event ID 6011: This Windows device was not found in the Trusted Device list, resetting local state

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: TrustedDevice
Opcode: Informational

Description

This Windows device was not found in the Trusted Device list, resetting local state.

Event ID 6011: This Windows device was not found in the Trusted Device list, resetting local state.

Provider: Microsoft-Windows-WebAuthN
Channel: Operatonal
Task: TrustedDevice
Opcode: Informational

Description

This Windows device was not found in the Trusted Device list, resetting local state.

Message #

This Windows device was not found in the Trusted Device list, resetting local state.

Event ID 6250

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: CredentialMetadataFieldMissing
Opcode: Informational

Fields #

Name	Description
`PluginClsId` UnicodeString

Event ID 6251

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: GetKCMUVKey
Opcode: Informational

Fields #

Name	Description
`PluginClsId` UnicodeString
`KeyName` UnicodeString
`NumKeysFound` UInt32

Event ID 6254

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: CredentialMetadataFieldMissing
Opcode: Informational

Description

Error when trying to decode a plugin passkey. Some metadata fields may be missing or incorrect.

Fields #

Name	Description
`PluginClsId` UnicodeString

Event ID 6254: Error when trying to decode a plugin passkey.

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: CredentialMetadataFieldMissing
Opcode: Informational

Description

Error when trying to decode a plugin passkey. Some metadata fields may be missing or incorrect.

Message #

Error when trying to decode a plugin passkey. Some metadata fields may be missing or incorrect.
Plugin ClsId: %1

Fields #

Name	Description
`PluginClsId` UnicodeString

Event ID 7000: Key rotation failed

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: KeyRotation
Opcode: Stop

Description

Key rotation failed.

Fields #

Name	Description
`Error` HexInt32

Event ID 7000: Key rotation failed.

Provider: Microsoft-Windows-WebAuthN
Channel: Operatonal
Task: KeyRotation
Opcode: Stop

Description

Key rotation failed.

Message #

Key rotation failed.

Error: %1

Fields #

Name	Description
`Error` HexInt32

Event ID 7001: Cloud store operation failed

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: Sync
Opcode: Stop

Description

Cloud store operation failed.

Fields #

Name	Description
`OperationType` UInt32	Known values `%%1904` New registry value created `%%1905` Existing registry value modified `%%1906` Registry value deleted `%%14674` Value Added `%%14675` Value Deleted `%%14680` Value Added With Expiration Time `%%14681` Value Deleted With Expiration Time `%%14688` Value Auto Deleted With Expiration Time
`PropertyType` UInt32
`BackupId` UnicodeString
`CorrelationVector` AnsiString
`Error` HexInt32

Event ID 7001: Cloud store operation failed.

Provider: Microsoft-Windows-WebAuthN
Channel: Operatonal
Task: Sync
Opcode: Stop

Description

Cloud store operation failed.

Message #

Cloud store operation failed.

OperationType: %1
PropertyType: %2
BackupId: %3
CorrelationVector: %4
Error: %5

Fields #

Name	Description
`OperationType` UInt32	Known values `%%1904` New registry value created `%%1905` Existing registry value modified `%%1906` Registry value deleted `%%14674` Value Added `%%14675` Value Deleted `%%14680` Value Added With Expiration Time `%%14681` Value Deleted With Expiration Time `%%14688` Value Auto Deleted With Expiration Time
`PropertyType` UInt32
`BackupId` UnicodeString
`CorrelationVector` AnsiString
`Error` HexInt32

Event ID 7003: Failed to add trusted device

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: TrustedDevice
Opcode: Stop

Description

Failed to add trusted device.

Fields #

Name	Description
`Error` HexInt32

Event ID 7003: Failed to add trusted device.

Provider: Microsoft-Windows-WebAuthN
Channel: Operatonal
Task: TrustedDevice
Opcode: Stop

Description

Failed to add trusted device.

Message #

Failed to add trusted device.

Error: %1

Fields #

Name	Description
`Error` HexInt32

Event ID 7004: Failed to delete trusted device

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: TrustedDevice
Opcode: Stop

Description

Failed to delete trusted device.

Fields #

Name	Description
`Error` HexInt32

Event ID 7004: Failed to delete trusted device.

Provider: Microsoft-Windows-WebAuthN
Channel: Operatonal
Task: TrustedDevice
Opcode: Stop

Description

Failed to delete trusted device.

Message #

Failed to delete trusted device.

Error: %1

Fields #

Name	Description
`Error` HexInt32

Event ID 7005: Failed to rename trusted device

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: TrustedDevice
Opcode: Stop

Description

Failed to rename trusted device.

Fields #

Name	Description
`Error` HexInt32

Event ID 7005: Failed to rename trusted device.

Provider: Microsoft-Windows-WebAuthN
Channel: Operatonal
Task: TrustedDevice
Opcode: Stop

Description

Failed to rename trusted device.

Message #

Failed to rename trusted device.

Error: %1

Fields #

Name	Description
`Error` HexInt32

Event ID 7008: Local store operation failed

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: LocalStore
Opcode: Stop

Description

Local store operation failed.

Fields #

Name	Description
`OperationType` UInt32	Known values `%%1904` New registry value created `%%1905` Existing registry value modified `%%1906` Registry value deleted `%%14674` Value Added `%%14675` Value Deleted `%%14680` Value Added With Expiration Time `%%14681` Value Deleted With Expiration Time `%%14688` Value Auto Deleted With Expiration Time
`PropertyType` UInt32
`BackupId` UnicodeString
`CorrelationVector` AnsiString
`Error` HexInt32

Event ID 7008: Local store operation failed.

Provider: Microsoft-Windows-WebAuthN
Channel: Operatonal
Task: LocalStore
Opcode: Stop

Description

Local store operation failed.

Message #

Local store operation failed.

OperationType: %1
PropertyType: %2
BackupId: %3
CorrelationVector: %4
Error: %5

Fields #

Name	Description
`OperationType` UInt32	Known values `%%1904` New registry value created `%%1905` Existing registry value modified `%%1906` Registry value deleted `%%14674` Value Added `%%14675` Value Deleted `%%14680` Value Added With Expiration Time `%%14681` Value Deleted With Expiration Time `%%14688` Value Auto Deleted With Expiration Time
`PropertyType` UInt32
`BackupId` UnicodeString
`CorrelationVector` AnsiString
`Error` HexInt32

Event ID 7251

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: GetKCMUVKey
Opcode: Informational

Fields #

Name	Description
`PluginClsId` UnicodeString
`KeyName` UnicodeString
`Error` HexInt32
`HResult` Int32

Event ID 7252

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: PluginGetLockStatus
Opcode: Informational

Fields #

Name	Description
`PluginClsId` UnicodeString
`Error` HexInt32
`HResult` Int32

Event ID 7253

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: PluginMakeCredential
Opcode: Informational

Fields #

Name	Description
`PluginClsId` UnicodeString
`Error` HexInt32
`HResult` Int32

Event ID 7254

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: PluginGetAssertion
Opcode: Informational

Fields #

Name	Description
`PluginClsId` UnicodeString
`Error` HexInt32
`HResult` Int32

Event ID 7255

Provider: Microsoft-Windows-WebAuthN
Channel: Operational
Task: PluginCancelOperation
Opcode: Informational

Fields #

Name	Description
`PluginClsId` UnicodeString
`Error` HexInt32
`HResult` Int32

Event ID 8000: Key rotation succeeded

Provider: Microsoft-Windows-WebAuthN
Channel: Operational

Description

Key rotation succeeded.

Fields #

Name	Description
`EncryptionKeyType` UInt32

Event ID 8000: Key rotation succeeded.

Provider: Microsoft-Windows-WebAuthN
Channel: Operatonal
Task: KeyRotation
Opcode: Informational

Description

Key rotation succeeded.

Message #

Key rotation succeeded.

EncryptionKeyType: %1

Fields #

Name	Description
`EncryptionKeyType` UInt32

Event ID 8001: Cloud store operation succeeded

Provider: Microsoft-Windows-WebAuthN
Channel: Operational

Description

Cloud store operation succeeded.

Fields #

Name	Description
`OperationType` UInt32	Known values `%%1904` New registry value created `%%1905` Existing registry value modified `%%1906` Registry value deleted `%%14674` Value Added `%%14675` Value Deleted `%%14680` Value Added With Expiration Time `%%14681` Value Deleted With Expiration Time `%%14688` Value Auto Deleted With Expiration Time
`PropertyType` UInt32
`BackupId` UnicodeString
`CorrelationVector` AnsiString

Event ID 8001: Cloud store operation succeeded.

Provider: Microsoft-Windows-WebAuthN
Channel: Operatonal
Task: Sync
Opcode: Informational

Description

Cloud store operation succeeded.

Message #

Cloud store operation succeeded.

OperationType: %1
PropertyType: %2
BackupId: %3
CorrelationVector: %4

Fields #

Name	Description
`OperationType` UInt32	Known values `%%1904` New registry value created `%%1905` Existing registry value modified `%%1906` Registry value deleted `%%14674` Value Added `%%14675` Value Deleted `%%14680` Value Added With Expiration Time `%%14681` Value Deleted With Expiration Time `%%14688` Value Auto Deleted With Expiration Time
`PropertyType` UInt32
`BackupId` UnicodeString
`CorrelationVector` AnsiString

Event ID 8003: Trusted device successfully added

Provider: Microsoft-Windows-WebAuthN
Channel: Operational

Description

Trusted device successfully added.

Fields #

Name	Description
`DeviceID` UInt32

Event ID 8003: Trusted device successfully added.

Provider: Microsoft-Windows-WebAuthN
Channel: Operatonal
Task: TrustedDevice
Opcode: Informational

Description

Trusted device successfully added.

Message #

Trusted device successfully added.

DeviceID: %1

Fields #

Name	Description
`DeviceID` UInt32

Event ID 8004: Trusted device deleted successfully

Provider: Microsoft-Windows-WebAuthN
Channel: Operational

Description

Trusted device deleted successfully.

Fields #

Name	Description
`DeviceID` UInt32

Event ID 8004: Trusted device deleted successfully.

Provider: Microsoft-Windows-WebAuthN
Channel: Operatonal
Task: TrustedDevice
Opcode: Informational

Description

Trusted device deleted successfully.

Message #

Trusted device deleted successfully.

DeviceID: %1

Fields #

Name	Description
`DeviceID` UInt32

Event ID 8005: Trusted device renamed successfully

Provider: Microsoft-Windows-WebAuthN
Channel: Operational

Description

Trusted device renamed successfully.

Fields #

Name	Description
`DeviceID` UInt32

Event ID 8005: Trusted device renamed successfully.

Provider: Microsoft-Windows-WebAuthN
Channel: Operatonal
Task: TrustedDevice
Opcode: Informational

Description

Trusted device renamed successfully.

Message #

Trusted device renamed successfully.

DeviceID: %1

Fields #

Name	Description
`DeviceID` UInt32

Event ID 8008: Local store operation succeeded

Provider: Microsoft-Windows-WebAuthN
Channel: Operational

Description

Local store operation succeeded.

Fields #

Name	Description
`OperationType` UInt32	Known values `%%1904` New registry value created `%%1905` Existing registry value modified `%%1906` Registry value deleted `%%14674` Value Added `%%14675` Value Deleted `%%14680` Value Added With Expiration Time `%%14681` Value Deleted With Expiration Time `%%14688` Value Auto Deleted With Expiration Time
`PropertyType` UInt32
`BackupId` UnicodeString
`CorrelationVector` AnsiString

Event ID 8008: Local store operation succeeded.

Provider: Microsoft-Windows-WebAuthN
Channel: Debug
Task: LocalStore
Opcode: Informational

Description

Local store operation succeeded.

Message #

Local store operation succeeded.

OperationType: %1
PropertyType: %2
BackupId: %3
CorrelationVector: %4

Fields #

Name	Description
`OperationType` UInt32	Known values `%%1904` New registry value created `%%1905` Existing registry value modified `%%1906` Registry value deleted `%%14674` Value Added `%%14675` Value Deleted `%%14680` Value Added With Expiration Time `%%14681` Value Deleted With Expiration Time `%%14688` Value Auto Deleted With Expiration Time
`PropertyType` UInt32
`BackupId` UnicodeString
`CorrelationVector` AnsiString

Provenance

Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.

ETW provider GUID 3ae1ea61-c002-47fb-b06c-4022a8c98929

Defined in webauthn.dll, which carries the event manifest.

Observed on:

WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.3932, captured 2026-06-02
Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.5074, captured 2026-06-02

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)