Microsoft-Windows-WinHttp

62 events across 2 channels

Event	Title	Channel	Sample
1	param1.	Operational	N
2	param1.	Operational	N
4	loadunloadinfo.	Operational	N
9	Api(ApiHandle) API called.	Diagnostic	N
10	Api(ApiHandle) API returned successfully.	Diagnostic	N
11	Api(ApiHandle) API failed with an error = Result.	Diagnostic	N
12	Api(ApiHandle) API pending completion.	Diagnostic	N
13	Api(ApiHandle) API completed.	Diagnostic	N
14	Api(ApiHandle) API completed with an error = Result.	Diagnostic	N
100	hRequest: WinHttpSetCredentials Details: Target (AuthTargets) Schemes …	Diagnostic	N
801	Client begins attempts to locate the WPAD configuration file: …	Diagnostic	N
802	Begin search for configuration file using DHCP: Interface=Interface.	Diagnostic	N
803	WPAD configuration file found using DHCP: Interface=Interface, …	Diagnostic	N
804	Search for WPAD configuration file using DHCP failed: Interface=Interface, …	Diagnostic	N
805	Begin search for configuration file using DNS: DetectFlags=DetectFlags.	Diagnostic	Y
806	WPAD configuration file found using DNS: ConfigurationURL=ConfigurationURL, …	Diagnostic	N
807	Search for WPAD configuration file using DNS failed: DetectFlags=DetectFlags, …	Diagnostic	Y
808	Search for WPAD configruation file failed: Error=Error.	Diagnostic	N
809	Begin downloading the configuration file from the configuration URL: …	Diagnostic	N
810	Client successfully downloaded the configuration file from the configuration …	Diagnostic	N
811	Downloading the configuration file from the configuration URL failed: …	Diagnostic	N
812	The downloaded configuration file could not be used: …	Diagnostic	N
813	Searching for Proxy Information for the URL: URL=URL.	Diagnostic	N
814	Client has successfully retrieved proxy data for accessing a specified resource: …	Diagnostic	N
815	Error locating proxy information for the URL: URL=URL, Error=Error.	Diagnostic	N
816	Blocking autoproxy determination started	Diagnostic	N
817	Blocking autoproxy determination stopped	Diagnostic	N
818	WinHTTP Activity Transfer Event	Diagnostic	N
819	AutoProxy SWPAD Decision (WPADNetworkDecision) NumConnections (NetworkCount).	Diagnostic	Y
820	Autoproxy host IP lookup started	Diagnostic	N
821	Autoproxy host IP lookup stopped	Diagnostic	N
822	Autoproxy SWPAD lookup started	Diagnostic	N
823	Autoproxy SWPAD lookup stopped	Diagnostic	N
824	Autoproxy Detection with SWPAD ON started	Diagnostic	N
825	Autoproxy Detection with SWPAD ON stopped	Diagnostic	N
826	Autoproxy Detection with SWPAD UNKNOWN started	Diagnostic	N
827	Autoproxy Detection with SWPAD UNKNOWN stopped	Diagnostic	N
828	Autoproxy Script Download Started	Diagnostic	N
829	Autoproxy Script Download Stopped	Diagnostic	N
834	Autoproxy full scenario started	Diagnostic	Y
835	Autoproxy full scenario stopped	Diagnostic	Y
1051	WinHTTP_GetaddrinfoStart	Diagnostic	Y
1052	WinHTTP_GetaddrinfoStop	Diagnostic	Y
1053	The WinHttp TLS handshake failed with version mismatch error	Operational	N
12501	The WinHTTP Web Proxy Auto-Discovery Service detected an internal data …	Operational	N
12503	The WinHTTP Web Proxy Auto-Discovery Service has been idle for IdleTime minutes, …	Operational	N
12506	The WinHTTP Web Proxy Auto-Discovery Service encountered a system error from …	Operational	N
12507	The WinHTTP Web Proxy Auto-Discovery Service failed to allocate a critical …	Operational	N
12509	The WinHTTP Web Proxy Auto-Discovery Service detected a non- local RPC request …	Operational	N
12511	The WinHTTP Web Proxy Auto-Discovery Service failed to abort all pending …	Operational	N
12512	The WinHTTP Web Proxy Auto-Discovery Service failed parameter validation of a …	Operational	N
12513	The WinHTTP Web Proxy Auto-Discovery Service is shutting down and not accepting …	Operational	N
12514	The WinHTTP Web Proxy Auto-Discovery Service detected an unexpected exception …	Operational	N
12516	The WinHTTP Web Proxy Auto-Discovery Service discarded and is re-attempting a …	Operational	N
12517	The WinHTTP Web Proxy Auto-Discovery Service suspended operation.	Operational	N
12518	The WinHTTP Web Proxy Auto-Discovery Service resumed operation.	Operational	N
58999	Message.	Diagnostic	N
59995	Canceling EtwQueueActionType Thread Action (Context: Context).	Diagnostic	Y
59996	Queue EtwQueueActionType Thread Action (Context: Context).	Diagnostic	Y
59997	Stopping EtwQueueActionType Thread Action (Context: Context).	Diagnostic	Y
59998	Starting EtwQueueActionType Thread Action (Context: Context).	Diagnostic	Y
59999	(File:Line) Message.	Diagnostic	N

Event ID 1: param1.

Provider: Microsoft-Windows-WinHttp
Channel: Operational
Opcode: Info

Description

param1

Message #

%1

Fields #

Name	Description
`param1` UnicodeString

Event ID 2: param1.

Provider: Microsoft-Windows-WinHttp
Channel: Operational
Opcode: Info

Description

param1

Message #

%1

Fields #

Name	Description
`param1` UnicodeString

Event ID 4: loadunloadinfo.

Provider: Microsoft-Windows-WinHttp
Channel: Operational
Opcode: Info

Description

loadunloadinfo

Message #

%1

Fields #

Name	Description
`loadunloadinfo` UnicodeString

Event ID 9: Api(ApiHandle) API called.

Provider: Microsoft-Windows-WinHttp
Channel: Diagnostic
Task: API
Opcode: Start

Description

Api(ApiHandle) API called.

Message #

%2(%1) API called.

Fields #

Name	Description
`ApiHandle` UInt64
`Api` AnsiString

Event ID 10: Api(ApiHandle) API returned successfully.

Provider: Microsoft-Windows-WinHttp
Channel: Diagnostic
Task: API
Opcode: Stop

Description

Api(ApiHandle) API returned successfully.

Message #

%2(%1) API returned successfully.

Fields #

Name	Description
`ApiHandle` UInt64
`Api` AnsiString
`Result` UInt32

Event ID 11: Api(ApiHandle) API failed with an error = Result.

Provider: Microsoft-Windows-WinHttp
Channel: Diagnostic
Task: API
Opcode: Stop

Description

Api(ApiHandle) API failed with an error = Result.

Message #

%2(%1) API failed with an error = %3.

Fields #

Name	Description
`ApiHandle` UInt64
`Api` AnsiString
`Result` UInt32

Event ID 12: Api(ApiHandle) API pending completion.

Provider: Microsoft-Windows-WinHttp
Channel: Diagnostic
Task: API

Description

Api(ApiHandle) API pending completion.

Message #

%2(%1) API pending completion.

Fields #

Name	Description
`ApiHandle` UInt64
`Api` AnsiString

Event ID 13: Api(ApiHandle) API completed.

Provider: Microsoft-Windows-WinHttp
Channel: Diagnostic
Task: API
Opcode: Stop

Description

Api(ApiHandle) API completed.

Message #

%2(%1) API completed.

Fields #

Name	Description
`ApiHandle` UInt64
`Api` AnsiString
`Result` UInt32

Event ID 14: Api(ApiHandle) API completed with an error = Result.

Provider: Microsoft-Windows-WinHttp
Channel: Diagnostic
Task: API
Opcode: Stop

Description

Api(ApiHandle) API completed with an error = Result.

Message #

%2(%1) API completed with an error = %3.

Fields #

Name	Description
`ApiHandle` UInt64
`Api` AnsiString
`Result` UInt32

Event ID 100: hRequest: WinHttpSetCredentials Details: Target (AuthTargets) Schemes (AuthScheme) UserName (UserName) Password (Password).

Provider: Microsoft-Windows-WinHttp
Channel: Diagnostic
Task: API

Description

hRequest: WinHttpSetCredentials Details: Target (AuthTargets) Schemes (AuthScheme) UserName (UserName) Password (Password).

Message #

%1: WinHttpSetCredentials Details: Target (%2) Schemes (%3) UserName (%4) Password (%5)

Fields #

Name	Description
`hRequest` Pointer
`AuthTargets` UInt32
`AuthScheme` UInt32
`UserName` UnicodeString
`Password` UnicodeString

Event ID 801: Client begins attempts to locate the WPAD configuration file: ConnectionName=ConnectionName, DetectFlags=DetectFlags.

Provider: Microsoft-Windows-WinHttp
Channel: Diagnostic
Task: WINHTTP_AUTOPROXY_SEARCH
Opcode: Start

Description

Client begins attempts to locate the WPAD configuration file: ConnectionName=ConnectionName, DetectFlags=DetectFlags.

Message #

Client begins attempts to locate the WPAD configuration file: ConnectionName=%2, DetectFlags=%3

Fields #

Name	Description
`_ConnectionNameLength` UInt16
`ConnectionName` UnicodeString
`DetectFlags` UInt32

Event ID 802: Begin search for configuration file using DHCP: Interface=Interface.

Provider: Microsoft-Windows-WinHttp
Channel: Diagnostic
Task: WINHTTP_AUTOPROXY_DHCP
Opcode: Start

Description

Begin search for configuration file using DHCP: Interface=Interface.

Message #

Begin search for configuration file using DHCP: Interface=%2

Fields #

Name	Description
`_InterfaceLength` UInt16
`Interface` UnicodeString

Event ID 803: WPAD configuration file found using DHCP: Interface=Interface, ConfigurationURL=ConfigurationURL.

Provider: Microsoft-Windows-WinHttp
Channel: Diagnostic
Task: WINHTTP_AUTOPROXY_DHCP
Opcode: Stop

Description

WPAD configuration file found using DHCP: Interface=Interface, ConfigurationURL=ConfigurationURL.

Message #

WPAD configuration file found using DHCP: Interface=%2, ConfigurationURL=%4

Fields #

Name	Description
`_InterfaceLength` UInt16
`Interface` UnicodeString
`_ConfigurationURLLength` UInt16
`ConfigurationURL` UnicodeString

Event ID 804: Search for WPAD configuration file using DHCP failed: Interface=Interface, ConfigurationURL=ConfigurationURL, Error=Error.

Provider: Microsoft-Windows-WinHttp
Channel: Diagnostic
Task: WINHTTP_AUTOPROXY_DHCP
Opcode: Fail

Description

Search for WPAD configuration file using DHCP failed: Interface=Interface, ConfigurationURL=ConfigurationURL, Error=Error.

Message #

Search for WPAD configuration file using DHCP failed: Interface=%2, ConfigurationURL=%4, Error=%5

Fields #

Name	Description
`_InterfaceLength` UInt16
`Interface` UnicodeString
`_ConfigurationURLLength` UInt16
`ConfigurationURL` UnicodeString
`Error` UInt32

Event ID 805: Begin search for configuration file using DNS: DetectFlags=DetectFlags.

Provider: Microsoft-Windows-WinHttp
Channel: Diagnostic
Level: Verbose
Task: WINHTTP_AUTOPROXY_DNS
Opcode: Start

Description

Begin search for configuration file using DNS: DetectFlags=DetectFlags.

Message #

Begin search for configuration file using DNS: DetectFlags=%1

Fields #

Name	Description
`DetectFlags` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WinHttp",
    "guid": "{7d44233d-3055-4b9c-ba64-0d47ca40a232}",
    "event_source_name": "",
    "event_id": "805",
    "version": "0",
    "level": "5",
    "task": "539",
    "opcode": "1",
    "keywords": 9223372036854775840,
    "time_created": "2026-03-15T23:27:43.715349300+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{76fd77dd-3e3d-0001-da4f-fe037c280000}"
    },
    "execution": {
      "process_id": "10364",
      "thread_id": "2964"
    },
    "channel": "Microsoft-Windows-WinHttp/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "DetectFlags": "       3"
  },
  "message": ""
}

Event ID 806: WPAD configuration file found using DNS: ConfigurationURL=ConfigurationURL, DetectFlags=DetectFlags.

Provider: Microsoft-Windows-WinHttp
Channel: Diagnostic
Task: WINHTTP_AUTOPROXY_DNS
Opcode: Stop

Description

WPAD configuration file found using DNS: ConfigurationURL=ConfigurationURL, DetectFlags=DetectFlags.

Message #

WPAD configuration file found using DNS: ConfigurationURL=%2, DetectFlags=%3

Fields #

Name	Description
`_ConfigurationURLLength` UInt16
`ConfigurationURL` UnicodeString
`DetectFlags` UInt32

Event ID 807: Search for WPAD configuration file using DNS failed: DetectFlags=DetectFlags, Error=Error.

Provider: Microsoft-Windows-WinHttp
Channel: Diagnostic
Level: Error
Task: WINHTTP_AUTOPROXY_DNS
Opcode: Fail

Description

Search for WPAD configuration file using DNS failed: DetectFlags=DetectFlags, Error=Error.

Message #

Search for WPAD configuration file using DNS failed: DetectFlags=%1, Error=%2

Fields #

Name	Description
`DetectFlags` UInt32
`Error` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WinHttp",
    "guid": "{7d44233d-3055-4b9c-ba64-0d47ca40a232}",
    "event_source_name": "",
    "event_id": "807",
    "version": "0",
    "level": "2",
    "task": "539",
    "opcode": "11",
    "keywords": 9223372036854775840,
    "time_created": "2026-03-15T23:27:43.720806000+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{76fd77dd-3e3d-0001-da4f-fe037c280000}"
    },
    "execution": {
      "process_id": "10364",
      "thread_id": "2964"
    },
    "channel": "Microsoft-Windows-WinHttp/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "DetectFlags": "       3",
    "Error": "    1168"
  },
  "message": ""
}

Event ID 808: Search for WPAD configruation file failed: Error=Error.

Provider: Microsoft-Windows-WinHttp
Channel: Diagnostic
Task: WINHTTP_AUTOPROXY_SEARCH
Opcode: Fail

Description

Search for WPAD configruation file failed: Error=Error.

Message #

Search for WPAD configruation file failed: Error=%1

Fields #

Name	Description
`Error` UInt32

Event ID 809: Begin downloading the configuration file from the configuration URL: ConfigurationURL=ConfigurationURL.

Provider: Microsoft-Windows-WinHttp
Channel: Diagnostic
Task: WINHTTP_AUTOPROXY_DOWNLOAD
Opcode: Start

Description

Begin downloading the configuration file from the configuration URL: ConfigurationURL=ConfigurationURL.

Message #

Begin downloading the configuration file from the configuration URL: ConfigurationURL=%2

Fields #

Name	Description
`_ConfigurationURLLength` UInt16
`ConfigurationURL` UnicodeString

Event ID 810: Client successfully downloaded the configuration file from the configuration URL: ConfigurationURL=ConfigurationURL.

Provider: Microsoft-Windows-WinHttp
Channel: Diagnostic
Task: WINHTTP_AUTOPROXY_DOWNLOAD
Opcode: Stop

Description

Client successfully downloaded the configuration file from the configuration URL: ConfigurationURL=ConfigurationURL.

Message #

Client successfully downloaded the configuration file from the configuration URL: ConfigurationURL=%2

Fields #

Name	Description
`_ConfigurationURLLength` UInt16
`ConfigurationURL` UnicodeString

Event ID 811: Downloading the configuration file from the configuration URL failed: ConfigurationURL=ConfigurationURL, Error=Error.

Provider: Microsoft-Windows-WinHttp
Channel: Diagnostic
Task: WINHTTP_AUTOPROXY_DOWNLOAD
Opcode: Fail

Description

Downloading the configuration file from the configuration URL failed: ConfigurationURL=ConfigurationURL, Error=Error.

Message #

Downloading the configuration file from the configuration URL failed: ConfigurationURL=%2, Error=%3

Fields #

Name	Description
`_ConfigurationURLLength` UInt16
`ConfigurationURL` UnicodeString
`Error` UInt32

Event ID 812: The downloaded configuration file could not be used: ConfigurationURL=ConfigurationURL, MIMEType=MIMEType, Error=Error.

Provider: Microsoft-Windows-WinHttp
Channel: Diagnostic
Task: WINHTTP_AUTOPROXY_DOWNLOAD
Opcode: Fail

Description

The downloaded configuration file could not be used: ConfigurationURL=ConfigurationURL, MIMEType=MIMEType, Error=Error.

Message #

The downloaded configuration file could not be used: ConfigurationURL=%2, MIMEType=%4, Error=%5

Fields #

Name	Description
`_ConfigurationURLLength` UInt16
`ConfigurationURL` UnicodeString
`_MIMETypeLength` UInt16
`MIMEType` UnicodeString
`Error` UInt32

Event ID 813: Searching for Proxy Information for the URL: URL=URL.

Provider: Microsoft-Windows-WinHttp
Channel: Diagnostic
Task: WINHTTP_AUTOPROXY_FIND_INFO_FOR_URL
Opcode: Start

Description

Searching for Proxy Information for the URL: URL=URL.

Message #

Searching for Proxy Information for the URL: URL=%2

Fields #

Name	Description
`_URLLength` UInt16
`URL` UnicodeString

Event ID 814: Client has successfully retrieved proxy data for accessing a specified resource: URL=URL, ProxyString=ProxyString.

Provider: Microsoft-Windows-WinHttp
Channel: Diagnostic
Task: WINHTTP_AUTOPROXY_FIND_INFO_FOR_URL
Opcode: Stop

Description

Client has successfully retrieved proxy data for accessing a specified resource: URL=URL, ProxyString=ProxyString.

Message #

Client has successfully retrieved proxy data for accessing a specified resource: URL=%2, ProxyString=%4

Fields #

Name	Description
`_URLLength` UInt16
`URL` UnicodeString
`_ProxyStringLength` UInt16
`ProxyString` UnicodeString

Event ID 815: Error locating proxy information for the URL: URL=URL, Error=Error.

Provider: Microsoft-Windows-WinHttp
Channel: Diagnostic
Task: WINHTTP_AUTOPROXY_FIND_INFO_FOR_URL
Opcode: Fail

Description

Error locating proxy information for the URL: URL=URL, Error=Error.

Message #

Error locating proxy information for the URL: URL=%2, Error=%3

Fields #

Name	Description
`_URLLength` UInt16
`URL` UnicodeString
`Error` UInt32

Event ID 816: Blocking autoproxy determination started

Provider: Microsoft-Windows-WinHttp
Channel: Diagnostic
Task: WINHTTP_BLOCKING_AUTOPROXY_DETERMINATION
Opcode: Start

Description

Blocking autoproxy determination started.

Message #

Blocking autoproxy determination started

Event ID 817: Blocking autoproxy determination stopped

Provider: Microsoft-Windows-WinHttp
Channel: Diagnostic
Task: WINHTTP_BLOCKING_AUTOPROXY_DETERMINATION
Opcode: Stop

Description

Blocking autoproxy determination stopped.

Message #

Blocking autoproxy determination stopped

Event ID 818: WinHTTP Activity Transfer Event

Provider: Microsoft-Windows-WinHttp
Channel: Diagnostic
Task: WINHTTP_TRANSFER

Description

WinHTTP Activity Transfer Event.

Message #

WinHTTP Activity Transfer Event

Event ID 819: AutoProxy SWPAD Decision (WPADNetworkDecision) NumConnections (NetworkCount).

Provider: Microsoft-Windows-WinHttp
Channel: Diagnostic
Level: Informational
Task: WINHTTP_AUTOPROXY_SWPAD

Description

AutoProxy SWPAD Decision (WPADNetworkDecision) NumConnections (NetworkCount).

Message #

AutoProxy SWPAD Decision (%1) NumConnections (%2)

Fields #

Name	Description
`WPADNetworkDecision` UInt32
`NetworkCount` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WinHttp",
    "guid": "{7d44233d-3055-4b9c-ba64-0d47ca40a232}",
    "event_source_name": "",
    "event_id": "819",
    "version": "0",
    "level": "4",
    "task": "545",
    "opcode": "0",
    "keywords": 9223372036854775840,
    "time_created": "2026-03-15T23:27:43.715279500+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{76fd77dd-3e3b-0001-da4f-fe037c280000}"
    },
    "execution": {
      "process_id": "10364",
      "thread_id": "11368"
    },
    "channel": "Microsoft-Windows-WinHttp/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "WPADNetworkDecision": "0x0",
    "NetworkCount": "0x1"
  },
  "message": ""
}

Event ID 820: Autoproxy host IP lookup started

Provider: Microsoft-Windows-WinHttp
Channel: Diagnostic
Task: WINHTTP_AUTOPROXY_PERFTRACK_HOST_IP_LOOKUP
Opcode: Start

Description

Autoproxy host IP lookup started.

Message #

Autoproxy host IP lookup started

Event ID 821: Autoproxy host IP lookup stopped

Provider: Microsoft-Windows-WinHttp
Channel: Diagnostic
Task: WINHTTP_AUTOPROXY_PERFTRACK_HOST_IP_LOOKUP
Opcode: Stop

Description

Autoproxy host IP lookup stopped.

Message #

Autoproxy host IP lookup stopped

Event ID 822: Autoproxy SWPAD lookup started

Provider: Microsoft-Windows-WinHttp
Channel: Diagnostic
Task: WINHTTP_AUTOPROXY_PERFTRACK_SWPAD_LOOKUP
Opcode: Start

Description

Autoproxy SWPAD lookup started.

Message #

Autoproxy SWPAD lookup started

Event ID 823: Autoproxy SWPAD lookup stopped

Provider: Microsoft-Windows-WinHttp
Channel: Diagnostic
Task: WINHTTP_AUTOPROXY_PERFTRACK_SWPAD_LOOKUP
Opcode: Stop

Description

Autoproxy SWPAD lookup stopped.

Message #

Autoproxy SWPAD lookup stopped

Event ID 824: Autoproxy Detection with SWPAD ON started

Provider: Microsoft-Windows-WinHttp
Channel: Diagnostic
Task: WINHTTP_AUTOPROXY_PERFTRACK_KNOWN_DETECTION
Opcode: Start

Description

Autoproxy Detection with SWPAD ON started.

Message #

Autoproxy Detection with SWPAD ON started

Event ID 825: Autoproxy Detection with SWPAD ON stopped

Provider: Microsoft-Windows-WinHttp
Channel: Diagnostic
Task: WINHTTP_AUTOPROXY_PERFTRACK_KNOWN_DETECTION
Opcode: Stop

Description

Autoproxy Detection with SWPAD ON stopped.

Message #

Autoproxy Detection with SWPAD ON stopped

Event ID 826: Autoproxy Detection with SWPAD UNKNOWN started

Provider: Microsoft-Windows-WinHttp
Channel: Diagnostic
Task: WINHTTP_AUTOPROXY_PERFTRACK_UNKNOWN_DETECTION
Opcode: Start

Description

Autoproxy Detection with SWPAD UNKNOWN started.

Message #

Autoproxy Detection with SWPAD UNKNOWN started

Event ID 827: Autoproxy Detection with SWPAD UNKNOWN stopped

Provider: Microsoft-Windows-WinHttp
Channel: Diagnostic
Task: WINHTTP_AUTOPROXY_PERFTRACK_UNKNOWN_DETECTION
Opcode: Stop

Description

Autoproxy Detection with SWPAD UNKNOWN stopped.

Message #

Autoproxy Detection with SWPAD UNKNOWN stopped

Event ID 828: Autoproxy Script Download Started

Provider: Microsoft-Windows-WinHttp
Channel: Diagnostic
Task: WINHTTP_AUTOPROXY_PERFTRACK_SCRIPT_DOWNLOAD
Opcode: Start

Description

Autoproxy Script Download Started.

Message #

Autoproxy Script Download Started

Event ID 829: Autoproxy Script Download Stopped

Provider: Microsoft-Windows-WinHttp
Channel: Diagnostic
Task: WINHTTP_AUTOPROXY_PERFTRACK_SCRIPT_DOWNLOAD
Opcode: Stop

Description

Autoproxy Script Download Stopped.

Message #

Autoproxy Script Download Stopped

Event ID 834: Autoproxy full scenario started

Provider: Microsoft-Windows-WinHttp
Channel: Diagnostic
Level: Informational
Task: WINHTTP_AUTOPROXY_PERFTRACK_ALL
Opcode: Start

Description

Autoproxy full scenario started.

Message #

Autoproxy full scenario started

Fields #

Name	Description
`UniqueId` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WinHttp",
    "guid": "{7d44233d-3055-4b9c-ba64-0d47ca40a232}",
    "event_source_name": "",
    "event_id": "834",
    "version": "0",
    "level": "4",
    "task": "587",
    "opcode": "1",
    "keywords": 9223653511831486496,
    "time_created": "2026-03-15T23:26:14.408939000+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{5d9553b0-0020-0000-9411-bc32b053955d}"
    },
    "execution": {
      "process_id": "4500",
      "thread_id": "12988"
    },
    "channel": "Microsoft-Windows-WinHttp/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "UniqueId": "       2"
  },
  "message": ""
}

Event ID 835: Autoproxy full scenario stopped

Provider: Microsoft-Windows-WinHttp
Channel: Diagnostic
Level: Informational
Task: WINHTTP_AUTOPROXY_PERFTRACK_ALL
Opcode: Stop

Description

Autoproxy full scenario stopped.

Message #

Autoproxy full scenario stopped

Fields #

Name	Description
`UniqueId` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WinHttp",
    "guid": "{7d44233d-3055-4b9c-ba64-0d47ca40a232}",
    "event_source_name": "",
    "event_id": "835",
    "version": "0",
    "level": "4",
    "task": "587",
    "opcode": "2",
    "keywords": 9223653511831486496,
    "time_created": "2026-03-15T23:26:14.409443400+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{5d9553b0-0020-0000-9411-bc32b053955d}"
    },
    "execution": {
      "process_id": "4500",
      "thread_id": "12988"
    },
    "channel": "Microsoft-Windows-WinHttp/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "UniqueId": "       2"
  },
  "message": ""
}

Event ID 1051: WinHTTP_GetaddrinfoStart

Provider: Microsoft-Windows-WinHttp
Channel: Diagnostic
Level: Informational
Task: WinHTTP_Getaddrinfo
Opcode: Start

Fields #

Name	Description
`Flags` UInt32
`AddressName` AnsiString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WinHttp",
    "guid": "{7d44233d-3055-4b9c-ba64-0d47ca40a232}",
    "event_source_name": "",
    "event_id": "1051",
    "version": "0",
    "level": "4",
    "task": "572",
    "opcode": "1",
    "keywords": 9223372036854775840,
    "time_created": "2026-03-15T23:27:43.715355400+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{76fd77dd-3e3d-0001-da4f-fe037c280000}"
    },
    "execution": {
      "process_id": "10364",
      "thread_id": "2964"
    },
    "channel": "Microsoft-Windows-WinHttp/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Flags": "0x1",
    "AddressName": "wpad"
  },
  "message": ""
}

Event ID 1052: WinHTTP_GetaddrinfoStop

Provider: Microsoft-Windows-WinHttp
Channel: Diagnostic
Level: Informational
Task: WinHTTP_Getaddrinfo
Opcode: Stop

Fields #

Name	Description
`error` UInt32
`Flags` UInt32
`AddressName` AnsiString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WinHttp",
    "guid": "{7d44233d-3055-4b9c-ba64-0d47ca40a232}",
    "event_source_name": "",
    "event_id": "1052",
    "version": "0",
    "level": "4",
    "task": "572",
    "opcode": "2",
    "keywords": 9223372036854775840,
    "time_created": "2026-03-15T23:27:43.720803100+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{76fd77dd-3e3d-0001-da4f-fe037c280000}"
    },
    "execution": {
      "process_id": "10364",
      "thread_id": "2964"
    },
    "channel": "Microsoft-Windows-WinHttp/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "error": "   11001",
    "Flags": "0x1",
    "AddressName": "wpad"
  },
  "message": ""
}

Event ID 1053: The WinHttp TLS handshake failed with version mismatch error

Provider: Microsoft-Windows-WinHttp
Channel: Operational
Opcode: Info

Description

The WinHttp TLS handshake failed with version mismatch error.

Message #

The WinHttp TLS handshake failed with version mismatch error

Fields #

Name	Description
`Host` UnicodeString
`ModulePath` UnicodeString
`ModuleName` UnicodeString
`ProcessPath` UnicodeString
`ProcessName` UnicodeString

Event ID 12501: The WinHTTP Web Proxy Auto-Discovery Service detected an internal data corruption.

Provider: Microsoft-Windows-WinHttp
Channel: Operational
Opcode: Info

Description

The WinHTTP Web Proxy Auto-Discovery Service detected an internal data corruption.

Message #

The WinHTTP Web Proxy Auto-Discovery Service detected an internal data corruption.

Event ID 12503: The WinHTTP Web Proxy Auto-Discovery Service has been idle for IdleTime minutes, it will be shut down.

Provider: Microsoft-Windows-WinHttp
Channel: Operational
Opcode: Info

Description

The WinHTTP Web Proxy Auto-Discovery Service has been idle for IdleTime minutes, it will be shut down.

Message #

The WinHTTP Web Proxy Auto-Discovery Service has been idle for %1 minutes, it will be shut down.

Fields #

Name	Description
`IdleTime` UInt32

Event ID 12506: The WinHTTP Web Proxy Auto-Discovery Service encountered a system error from Functionname: (Error Code = Errorcode) Errortext.

Provider: Microsoft-Windows-WinHttp
Channel: Operational
Opcode: Info

Description

The WinHTTP Web Proxy Auto-Discovery Service encountered a system error from Functionname: (Error Code = Errorcode) Errortext.

Message #

The WinHTTP Web Proxy Auto-Discovery Service encountered a system error from %1: (Error Code = %3) %2

Fields #

Name	Description
`Functionname` UnicodeString
`Errortext` UnicodeString
`Errorcode` UnicodeString

Event ID 12507: The WinHTTP Web Proxy Auto-Discovery Service failed to allocate a critical resource.

Provider: Microsoft-Windows-WinHttp
Channel: Operational
Opcode: Info

Description

The WinHTTP Web Proxy Auto-Discovery Service failed to allocate a critical resource. The system may be running low on physical memory.

Message #

The WinHTTP Web Proxy Auto-Discovery Service failed to allocate a critical resource. The system may be running low on physical memory.

Event ID 12509: The WinHTTP Web Proxy Auto-Discovery Service detected a non- local RPC request (Transport Type = Transporttype); Access Denied.

Provider: Microsoft-Windows-WinHttp
Channel: Operational
Opcode: Info

Description

The WinHTTP Web Proxy Auto-Discovery Service detected a non- local RPC request (Transport Type = Transporttype); Access Denied. There may have been an rogue attempt to gain access to the service through the network.

Message #

The WinHTTP Web Proxy Auto-Discovery Service detected a non- local RPC request (Transport Type = %1); Access Denied. There may have been an rogue attempt to gain access to the service through the network.

Fields #

Name	Description
`Transporttype` UnicodeString

Event ID 12511: The WinHTTP Web Proxy Auto-Discovery Service failed to abort all pending requests in param1 seconds.

Provider: Microsoft-Windows-WinHttp
Channel: Operational
Opcode: Info

Description

The WinHTTP Web Proxy Auto-Discovery Service failed to abort all pending requests in param1 seconds. The system WinHTTP Services may have been under stress and slow to respond to cancel requests.

Message #

The WinHTTP Web Proxy Auto-Discovery Service failed to abort all pending requests in %1 seconds.  The system WinHTTP Services may have been under stress and slow to respond to cancel requests.

Fields #

Name	Description
`param1` UnicodeString

Event ID 12512: The WinHTTP Web Proxy Auto-Discovery Service failed parameter validation of a client request.

Provider: Microsoft-Windows-WinHttp
Channel: Operational
Opcode: Info

Description

The WinHTTP Web Proxy Auto-Discovery Service failed parameter validation of a client request. This may be due to an unexpected error from the system WinHTTP Services.

Message #

The WinHTTP Web Proxy Auto-Discovery Service failed parameter validation of a client request.  This may be due to an unexpected error from the system WinHTTP Services.

Event ID 12513: The WinHTTP Web Proxy Auto-Discovery Service is shutting down and not accepting client requests.

Provider: Microsoft-Windows-WinHttp
Channel: Operational
Opcode: Info

Description

The WinHTTP Web Proxy Auto-Discovery Service is shutting down and not accepting client requests.

Message #

The WinHTTP Web Proxy Auto-Discovery Service is shutting down and not accepting client requests.

Event ID 12514: The WinHTTP Web Proxy Auto-Discovery Service detected an unexpected exception from the system WinHTTP Services.

Provider: Microsoft-Windows-WinHttp
Channel: Operational
Opcode: Info

Description

The WinHTTP Web Proxy Auto-Discovery Service detected an unexpected exception from the system WinHTTP Services. (Exception Code = Exceptioncode).

Message #

The WinHTTP Web Proxy Auto-Discovery Service detected an unexpected exception from the system WinHTTP Services. (Exception Code = %1)

Fields #

Name	Description
`Exceptioncode` UnicodeString

Event ID 12516: The WinHTTP Web Proxy Auto-Discovery Service discarded and is re-attempting a request after a critical power event.

Provider: Microsoft-Windows-WinHttp
Channel: Operational
Opcode: Info

Description

The WinHTTP Web Proxy Auto-Discovery Service discarded and is re-attempting a request after a critical power event.

Message #

The WinHTTP Web Proxy Auto-Discovery Service discarded and is re-attempting a request after a critical power event.

Event ID 12517: The WinHTTP Web Proxy Auto-Discovery Service suspended operation.

Provider: Microsoft-Windows-WinHttp
Channel: Operational
Opcode: Info

Description

The WinHTTP Web Proxy Auto-Discovery Service suspended operation.

Message #

The WinHTTP Web Proxy Auto-Discovery Service suspended operation.

Event ID 12518: The WinHTTP Web Proxy Auto-Discovery Service resumed operation.

Provider: Microsoft-Windows-WinHttp
Channel: Operational
Opcode: Info

Description

The WinHTTP Web Proxy Auto-Discovery Service resumed operation.

Message #

The WinHTTP Web Proxy Auto-Discovery Service resumed operation.

Event ID 58999: Message.

Provider: Microsoft-Windows-WinHttp
Channel: Diagnostic
Task: Debug

Description

Message

Message #

%1

Fields #

Name	Description
`Message` AnsiString

Event ID 59995: Canceling EtwQueueActionType Thread Action (Context: Context).

Provider: Microsoft-Windows-WinHttp
Channel: Diagnostic
Level: Verbose
Task: Debug
Opcode: Stop

Description

Canceling EtwQueueActionType Thread Action (Context: Context).

Message #

Canceling %2 Thread Action (Context: %1)

Fields #

Name	Description
`Context` Pointer
`EtwQueueActionType` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WinHttp",
    "guid": "{7d44233d-3055-4b9c-ba64-0d47ca40a232}",
    "event_source_name": "",
    "event_id": "59995",
    "version": "0",
    "level": "5",
    "task": "110",
    "opcode": "2",
    "keywords": 9223372036854775808,
    "time_created": "2026-03-15T23:26:14.409411900+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{5ddbd0e0-0025-0000-9411-bc32e0d0db5d}"
    },
    "execution": {
      "process_id": "4500",
      "thread_id": "12988"
    },
    "channel": "Microsoft-Windows-WinHttp/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Context": "0x1CE5DDCBB20",
    "EtwQueueActionType": "       1"
  },
  "message": ""
}

Event ID 59996: Queue EtwQueueActionType Thread Action (Context: Context).

Provider: Microsoft-Windows-WinHttp
Channel: Diagnostic
Level: Verbose
Task: Debug
Opcode: Start

Description

Queue EtwQueueActionType Thread Action (Context: Context).

Message #

Queue %2 Thread Action (Context: %1)

Fields #

Name	Description
`Context` Pointer
`EtwQueueActionType` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WinHttp",
    "guid": "{7d44233d-3055-4b9c-ba64-0d47ca40a232}",
    "event_source_name": "",
    "event_id": "59996",
    "version": "0",
    "level": "5",
    "task": "110",
    "opcode": "1",
    "keywords": 9223372036854775808,
    "time_created": "2026-03-15T23:26:14.406370000+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{5d9557c0-0013-0000-9411-b828c057955d}"
    },
    "execution": {
      "process_id": "4500",
      "thread_id": "12988"
    },
    "channel": "Microsoft-Windows-WinHttp/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Context": "0x1CE5DE08C00",
    "EtwQueueActionType": "       2"
  },
  "message": ""
}

Event ID 59997: Stopping EtwQueueActionType Thread Action (Context: Context).

Provider: Microsoft-Windows-WinHttp
Channel: Diagnostic
Level: Verbose
Task: Debug
Opcode: Stop

Description

Stopping EtwQueueActionType Thread Action (Context: Context).

Message #

Stopping %2 Thread Action (Context: %1)

Fields #

Name	Description
`Context` Pointer
`EtwQueueActionType` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WinHttp",
    "guid": "{7d44233d-3055-4b9c-ba64-0d47ca40a232}",
    "event_source_name": "",
    "event_id": "59997",
    "version": "0",
    "level": "5",
    "task": "110",
    "opcode": "2",
    "keywords": 9223372036854775808,
    "time_created": "2026-03-15T23:26:14.406532000+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{5d9557c0-0013-0000-9411-b828c057955d}"
    },
    "execution": {
      "process_id": "4500",
      "thread_id": "12988"
    },
    "channel": "Microsoft-Windows-WinHttp/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Context": "0x1CE5DE08C00",
    "EtwQueueActionType": "       2"
  },
  "message": ""
}

Event ID 59998: Starting EtwQueueActionType Thread Action (Context: Context).

Provider: Microsoft-Windows-WinHttp
Channel: Diagnostic
Level: Verbose
Task: Debug
Opcode: Start

Description

Starting EtwQueueActionType Thread Action (Context: Context).

Message #

Starting %2 Thread Action (Context: %1)

Fields #

Name	Description
`Context` Pointer
`EtwQueueActionType` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WinHttp",
    "guid": "{7d44233d-3055-4b9c-ba64-0d47ca40a232}",
    "event_source_name": "",
    "event_id": "59998",
    "version": "0",
    "level": "5",
    "task": "110",
    "opcode": "1",
    "keywords": 9223372036854775808,
    "time_created": "2026-03-15T23:26:14.406401200+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{5d9557c0-0013-0000-9411-b828c057955d}"
    },
    "execution": {
      "process_id": "4500",
      "thread_id": "12988"
    },
    "channel": "Microsoft-Windows-WinHttp/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Context": "0x1CE5DE08C00",
    "EtwQueueActionType": "       2"
  },
  "message": ""
}

Event ID 59999: (File:Line) Message.

Provider: Microsoft-Windows-WinHttp
Channel: Diagnostic
Task: Debug

Description

(File:Line) Message

Message #

(%1:%2) %4

Fields #

Name	Description
`File` AnsiString
`Line` UInt32
`Length` UInt16
`Message` AnsiString

Provenance

Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.

ETW provider GUID 7d44233d-3055-4b9c-ba64-0d47ca40a232

Defined in winhttp.dll, which carries the event manifest.

Observed on:

WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.1, captured 2026-06-02
Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.5074, captured 2026-06-02

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)