Microsoft-Windows-Winsock-AFD
96 events across 1 channel
Event ID 1: Socket creation: Process Endpoint AddressFamily SocketType Protocol.
Description
Socket creation: Process Endpoint AddressFamily SocketType Protocol.
Fields
| Name | Type | Description |
|---|---|---|
| Process | Pointer | |
| Endpoint | Pointer | |
| AddressFamily | UInt32 | |
| SocketType | UInt32 | |
| Protocol | UInt32 | Known values |
| UserModePid | Pointer | |
Event ID 2: Socket bind: Process Endpoint Address Port Status.
Description
Socket bind: Process Endpoint Address Port Status.
Fields
| Name | Type | Description |
|---|---|---|
| Process | Pointer | |
| Endpoint | Pointer | |
| Address | UInt32 | |
| Port | UInt16 | |
| Status | UInt32 | NTSTATUS reference |
Event ID 3: Socket bind: Process Endpoint Address Port Status.
Description
Socket bind: Process Endpoint Address Port Status.
Fields
| Name | Type | Description |
|---|---|---|
| Process | Pointer | |
| Endpoint | Pointer | |
| Address | Binary | |
| Port | UInt16 | |
| Status | UInt32 | NTSTATUS reference |
Event ID 4: Socket connect: Process Endpoint Address Port.
Event ID 5: Socket connect: Process Endpoint Address Port.
Event ID 6: Connect completed: Process Endpoint Error.
Event ID 7: AFD initiated abort: Process Endpoint Reason.
Event ID 8: Transport initiated abort: Process Endpoint Reason.
Event ID 9: Failed send request: Process Endpoint Error.
Event ID 10: Failed WSASendMsg request: Process Endpoint Error.
Event ID 11: Failed recv request: Process Endpoint Error.
Event ID 12: Failed recvfrom request: Process Endpoint Error.
Event ID 13: Socket close: Process Endpoint Error.
Event ID 14: Socket cleanup (all references removed): Process Endpoint Error.
Event ID 15: Socket accept: Process Endpoint Address Port Status.
Description
Socket accept: Process Endpoint Address Port Status.
Fields
| Name | Type | Description |
|---|---|---|
| Process | Pointer | |
| Endpoint | Pointer | |
| Address | UInt32 | |
| Port | UInt16 | |
| Status | UInt32 | NTSTATUS reference |
Event ID 16: Socket accept: Process Endpoint Address Port Status.
Description
Socket accept: Process Endpoint Address Port Status.
Fields
| Name | Type | Description |
|---|---|---|
| Process | Pointer | |
| Endpoint | Pointer | |
| Address | Binary | |
| Port | UInt16 | |
| Status | UInt32 | NTSTATUS reference |
Event ID 17: Accept failed: Process Endpoint Error.
Event ID 18: Send posted: Process Endpoint FastPath BufferCount Buffer BufferLength.
Event ID 19: Receive posted: Process Endpoint FastPath BufferCount Buffer BufferLength.
Event ID 20: RecvFrom posted: Process Endpoint FastPath BufferCount Buffer BufferLength.
Event ID 21: SendTo posted: Process Endpoint FastPath BufferCount Buffer BufferLength Address Port.
Event ID 22: SendTo posted: Process Endpoint FastPath BufferCount Buffer BufferLength Address Port.
Event ID 23: Recv completed: Process Endpoint Buffer BufferLength.
Event ID 24: Send completed: Process Endpoint Buffer BufferLength.
Event ID 25: SendMsg completed: Process Endpoint Buffer BufferLength.
Event ID 26: RecvFrom completed: Process Endpoint BufferCount Buffer BufferLength Address Port.
Event ID 27: RecvFrom completed: Process Endpoint BufferCount Buffer BufferLength Address Port.
Event ID 28: SendTo completed: Process Endpoint Buffer BufferLength.
Event ID 29: Socket option set: Process Endpoint Option Value.
Event ID 30: Select/Poll posted: Process HandleCount Timeout.
Event ID 31: Select/Poll completed: Process Endpoint Error.
Event ID 32: WSAEventSelect: Process Endpoint EventMask.
Event ID 33: Datagram dropped: Process Endpoint PacketSize Address Port Reason.
Event ID 34: Datagram dropped: Process Endpoint PacketSize Address Port Reason.
Event ID 35: Connection indicated: Process ListenEndpoint Address Port.
Event ID 36: Connection indicated: Process ListenEndpoint Address Port.
Event ID 37: Data indicated from transport: Process Endpoint BytesIndicated.
Event ID 38: Data indicated from transport: Process Endpoint Address Port BytesIndicated.
Event ID 39: Data indicated from transport: Process Endpoint Address Port BytesIndicated.
Event ID 40: Failed bind: Process Endpoint Error.
Event ID 41: Disconnect indicated from transport: Process Endpoint.
Event ID 1000: socket: EnterExit: Process Process (ProcessId), Endpoint Endpoint, Family AddressFamily, Type SocketType, Protocol Protocol, Seq Location, Status Status.
Description
socket: EnterExit: Process Process (ProcessId), Endpoint Endpoint, Family AddressFamily, Type SocketType, Protocol Protocol, Seq Location, Status Status.
Fields
| Name | Type | Description |
|---|---|---|
| EnterExit | UInt32 | |
| Location | UInt32 | |
| Process | Pointer | |
| Endpoint | Pointer | |
| AddressFamily | UInt32 | |
| SocketType | UInt32 | |
| Protocol | UInt32 | Known values |
| ProcessId | Pointer | |
| Status | UInt32 | NTSTATUS reference |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Winsock-AFD",
"guid": "E53C6823-7BB8-44BB-90DC-3F86090D48A6",
"event_source_name": "",
"event_id": 1000,
"version": 0,
"level": 4,
"task": 1000,
"opcode": 10,
"keywords": 9223372036854775814,
"time_created": "2026-03-13T19:59:51.602757+00:00",
"event_record_id": 3153,
"correlation": {
"ActivityID": "D9AB9B70-D189-FFFF-0000-000000000000"
},
"execution": {
"process_id": 3464,
"thread_id": 6604
},
"channel": "Microsoft-Windows-Winsock-AFD/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"EnterExit": 0,
"Location": 1006,
"Process": "0xffffd189daf16080",
"Endpoint": "0xffffd189d9ab9b70",
"AddressFamily": 2,
"SocketType": 1,
"Protocol": 6,
"ProcessId": "0xd88",
"Status": 0
},
"message": ""
}
Event ID 1001: closesocket: EnterExit: Process Process, Endpoint Endpoint, Seq Location, Status Status.
Description
closesocket: EnterExit: Process Process, Endpoint Endpoint, Seq Location, Status Status.
Fields
| Name | Type | Description |
|---|---|---|
| EnterExit | UInt32 | |
| Location | UInt32 | |
| Process | Pointer | |
| Endpoint | Pointer | |
| Status | UInt32 | NTSTATUS reference |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Winsock-AFD",
"guid": "E53C6823-7BB8-44BB-90DC-3F86090D48A6",
"event_source_name": "",
"event_id": 1001,
"version": 0,
"level": 4,
"task": 1001,
"opcode": 15,
"keywords": 9223372036854775814,
"time_created": "2026-03-13T19:59:57.027445+00:00",
"event_record_id": 4358,
"correlation": {
"ActivityID": "D9AFF980-D189-FFFF-0000-000000000000"
},
"execution": {
"process_id": 3384,
"thread_id": 428
},
"channel": "Microsoft-Windows-Winsock-AFD/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"EnterExit": 0,
"Location": 2000,
"Process": "0xffffd189daf44080",
"Endpoint": "0xffffd189d9aff980",
"Status": 0
},
"message": ""
}
Event ID 1002: socket cleanup: EnterExit: Process Process, Endpoint Endpoint, Seq Location, Status Status.
Description
socket cleanup: EnterExit: Process Process, Endpoint Endpoint, Seq Location, Status Status.
Fields
| Name | Type | Description |
|---|---|---|
| EnterExit | UInt32 | |
| Location | UInt32 | |
| Process | Pointer | |
| Endpoint | Pointer | |
| Status | UInt32 | NTSTATUS reference |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Winsock-AFD",
"guid": "E53C6823-7BB8-44BB-90DC-3F86090D48A6",
"event_source_name": "",
"event_id": 1002,
"version": 0,
"level": 4,
"task": 1002,
"opcode": 16,
"keywords": 9223372036854775814,
"time_created": "2026-03-13T19:59:57.027436+00:00",
"event_record_id": 4356,
"correlation": {
"ActivityID": "D9AFF980-D189-FFFF-0000-000000000000"
},
"execution": {
"process_id": 3384,
"thread_id": 428
},
"channel": "Microsoft-Windows-Winsock-AFD/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"EnterExit": 0,
"Location": 2002,
"Process": "0xffffd189daf44080",
"Endpoint": "0xffffd189d9aff980",
"Status": 0
},
"message": ""
}
Event ID 1003: send: EnterExit: Process Process, Endpoint Endpoint, Buffer Count BufferCount, Buffer Buffer, Length BufferLength, Seq Location, Status Status.
Description
send: EnterExit: Process Process, Endpoint Endpoint, Buffer Count BufferCount, Buffer Buffer, Length BufferLength, Seq Location, Status Status.
Fields
| Name | Type | Description |
|---|---|---|
| EnterExit | UInt32 | |
| Location | UInt32 | |
| Process | Pointer | |
| Endpoint | Pointer | |
| BufferCount | UInt32 | |
| Buffer | Pointer | |
| BufferLength | UInt32 | |
| Status | UInt32 | NTSTATUS reference |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Winsock-AFD",
"guid": "E53C6823-7BB8-44BB-90DC-3F86090D48A6",
"event_source_name": "",
"event_id": 1003,
"version": 0,
"level": 4,
"task": 1003,
"opcode": 12,
"keywords": 9223372036854775830,
"time_created": "2026-03-13T19:59:49.323034+00:00",
"event_record_id": 2612,
"correlation": {
"ActivityID": "D2F886E0-D189-FFFF-0000-000000000000"
},
"execution": {
"process_id": 3676,
"thread_id": 5656
},
"channel": "Microsoft-Windows-Winsock-AFD/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"EnterExit": 1,
"Location": 3051,
"Process": "0xffffd189dc00f080",
"Endpoint": "0xffffd189da6fede0",
"BufferCount": 1,
"Buffer": "0xffffd189d2f88f28",
"BufferLength": 969,
"Status": 0
},
"message": ""
}
Event ID 1004: recv: EnterExit: Process Process, Endpoint Endpoint, Buffer Count BufferCount, Buffer Buffer, Length BufferLength, Seq Location, Status Status.
Description
recv: EnterExit: Process Process, Endpoint Endpoint, Buffer Count BufferCount, Buffer Buffer, Length BufferLength, Seq Location, Status Status.
Fields
| Name | Type | Description |
|---|---|---|
| EnterExit | UInt32 | |
| Location | UInt32 | |
| Process | Pointer | |
| Endpoint | Pointer | |
| BufferCount | UInt32 | |
| Buffer | Pointer | |
| BufferLength | UInt32 | |
| Status | UInt32 | NTSTATUS reference |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Winsock-AFD",
"guid": "E53C6823-7BB8-44BB-90DC-3F86090D48A6",
"event_source_name": "",
"event_id": 1004,
"version": 0,
"level": 4,
"task": 1004,
"opcode": 12,
"keywords": 9223372036854775814,
"time_created": "2026-03-13T19:59:49.323097+00:00",
"event_record_id": 2613,
"correlation": {
"ActivityID": "DDDD9B70-D189-FFFF-0000-000000000000"
},
"execution": {
"process_id": 3676,
"thread_id": 5620
},
"channel": "Microsoft-Windows-Winsock-AFD/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"EnterExit": 0,
"Location": 4107,
"Process": "0xffffd189dc00f080",
"Endpoint": "0xffffd189da6fede0",
"BufferCount": 1,
"Buffer": "0xffffd189e0f16e50",
"BufferLength": 6,
"Status": 0
},
"message": ""
}
Event ID 1005: sendto: EnterExit: Process Process, Endpoint Endpoint, Buffer Count BufferCount, Buffer Buffer, Length BufferLength, Seq Location, Status Status.
Description
sendto: EnterExit: Process Process, Endpoint Endpoint, Buffer Count BufferCount, Buffer Buffer, Length BufferLength, Seq Location, Status Status.
Fields
| Name | Type | Description |
|---|---|---|
| EnterExit | UInt32 | |
| Location | UInt32 | |
| Process | Pointer | |
| Endpoint | Pointer | |
| BufferCount | UInt32 | |
| Buffer | Pointer | |
| BufferLength | UInt32 | |
| Status | UInt32 | NTSTATUS reference |
Event ID 1006: recvfrom: EnterExit: Process Process, Endpoint Endpoint, Buffer Count BufferCount, Buffer Buffer, Length BufferLength, Seq Location, Status Status.
Description
recvfrom: EnterExit: Process Process, Endpoint Endpoint, Buffer Count BufferCount, Buffer Buffer, Length BufferLength, Seq Location, Status Status.
Fields
| Name | Type | Description |
|---|---|---|
| EnterExit | UInt32 | |
| Location | UInt32 | |
| Process | Pointer | |
| Endpoint | Pointer | |
| BufferCount | UInt32 | |
| Buffer | Pointer | |
| BufferLength | UInt32 | |
| Status | UInt32 | NTSTATUS reference |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Winsock-AFD",
"guid": "E53C6823-7BB8-44BB-90DC-3F86090D48A6",
"event_source_name": "",
"event_id": 1006,
"version": 0,
"level": 4,
"task": 1006,
"opcode": 12,
"keywords": 9223372036854775813,
"time_created": "2026-03-13T20:31:42.532206+00:00",
"event_record_id": 663422,
"correlation": {
"ActivityID": "A5139320-800F-FFFF-0000-000000000000"
},
"execution": {
"process_id": 3936,
"thread_id": 5944
},
"channel": "Microsoft-Windows-Winsock-AFD/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"EnterExit": 0,
"Location": 4049,
"Process": "0xffff800fa5579080",
"Endpoint": "0xffff800faa88c810",
"BufferCount": 1,
"Buffer": "0xffff800facc0b9f0",
"BufferLength": 4000,
"Status": 0
},
"message": ""
}
Event ID 1007: sendto: EnterExit: Process Process, Endpoint Endpoint, Buffer Count BufferCount, Buffer Buffer, Length BufferLength, Addr Address, Seq Location, Status Status.
Description
sendto: EnterExit: Process Process, Endpoint Endpoint, Buffer Count BufferCount, Buffer Buffer, Length BufferLength, Addr Address, Seq Location, Status Status.
Fields
| Name | Type | Description |
|---|---|---|
| EnterExit | UInt32 | |
| Location | UInt32 | |
| Process | Pointer | |
| Endpoint | Pointer | |
| BufferCount | UInt32 | |
| Buffer | Pointer | |
| BufferLength | UInt32 | |
| Status | UInt32 | NTSTATUS reference |
| AddressLen | UInt32 | |
| Address | Binary | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Winsock-AFD",
"guid": "E53C6823-7BB8-44BB-90DC-3F86090D48A6",
"event_source_name": "",
"event_id": 1007,
"version": 0,
"level": 4,
"task": 1007,
"opcode": 12,
"keywords": 9223372036854775829,
"time_created": "2026-03-13T20:31:42.532271+00:00",
"event_record_id": 663423,
"correlation": {
"ActivityID": "9F2EAA00-800F-FFFF-0000-000000000000"
},
"execution": {
"process_id": 3936,
"thread_id": 5944
},
"channel": "Microsoft-Windows-Winsock-AFD/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"EnterExit": 0,
"Location": 3100,
"Process": "0xffff800fa5579080",
"Endpoint": "0xffff800fa62e1a70",
"BufferCount": 1,
"Buffer": "0xffff800f9f2ea940",
"BufferLength": 72,
"Status": 0,
"AddressLen": 16,
"Address": "020000350A020AFE0000000000000000"
},
"message": ""
}
Event ID 1009: recvfrom: EnterExit: Process Process, Endpoint Endpoint, Buffer Count BufferCount, Buffer Buffer, Length BufferLength, Addr Address, Seq Location, Status Status.
Description
recvfrom: EnterExit: Process Process, Endpoint Endpoint, Buffer Count BufferCount, Buffer Buffer, Length BufferLength, Addr Address, Seq Location, Status Status.
Fields
| Name | Type | Description |
|---|---|---|
| EnterExit | UInt32 | |
| Location | UInt32 | |
| Process | Pointer | |
| Endpoint | Pointer | |
| BufferCount | UInt32 | |
| Buffer | Pointer | |
| BufferLength | UInt32 | |
| Status | UInt32 | NTSTATUS reference |
| AddressLen | UInt32 | |
| Address | Binary | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Winsock-AFD",
"guid": "E53C6823-7BB8-44BB-90DC-3F86090D48A6",
"event_source_name": "",
"event_id": 1009,
"version": 0,
"level": 4,
"task": 1009,
"opcode": 12,
"keywords": 9223372036854775813,
"time_created": "2026-03-13T20:31:42.532160+00:00",
"event_record_id": 663421,
"correlation": {
"ActivityID": "AD936A20-800F-FFFF-0000-000000000000"
},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Microsoft-Windows-Winsock-AFD/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"EnterExit": 1,
"Location": 4052,
"Process": "0xffff800fa5579080",
"Endpoint": "0xffff800faa88c810",
"BufferCount": 1,
"Buffer": "0xffff800faa5c8dc0",
"BufferLength": 61,
"Status": 0,
"AddressLen": 16,
"Address": "0200F1B40A020A150000000000000000"
},
"message": ""
}
Event ID 1011: sendmsg: EnterExit: Process Process, Endpoint Endpoint, Buffer Count BufferCount, Buffer Buffer, Length BufferLength, Seq Location, Status Status.
Description
sendmsg: EnterExit: Process Process, Endpoint Endpoint, Buffer Count BufferCount, Buffer Buffer, Length BufferLength, Seq Location, Status Status.
Fields
| Name | Type | Description |
|---|---|---|
| EnterExit | UInt32 | |
| Location | UInt32 | |
| Process | Pointer | |
| Endpoint | Pointer | |
| BufferCount | UInt32 | |
| Buffer | Pointer | |
| BufferLength | UInt32 | |
| Status | UInt32 | NTSTATUS reference |
Event ID 1012: recvmsg: EnterExit: Process Process, Endpoint Endpoint, Buffer Count BufferCount, Buffer Buffer, Length BufferLength, Seq Location, Status Status.
Description
recvmsg: EnterExit: Process Process, Endpoint Endpoint, Buffer Count BufferCount, Buffer Buffer, Length BufferLength, Seq Location, Status Status.
Fields
| Name | Type | Description |
|---|---|---|
| EnterExit | UInt32 | |
| Location | UInt32 | |
| Process | Pointer | |
| Endpoint | Pointer | |
| BufferCount | UInt32 | |
| Buffer | Pointer | |
| BufferLength | UInt32 | |
| Status | UInt32 | NTSTATUS reference |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Winsock-AFD",
"guid": "E53C6823-7BB8-44BB-90DC-3F86090D48A6",
"event_source_name": "",
"event_id": 1012,
"version": 0,
"level": 4,
"task": 1012,
"opcode": 12,
"keywords": 9223372036854775813,
"time_created": "2026-03-13T19:59:57.037247+00:00",
"event_record_id": 4361,
"correlation": {
"ActivityID": "D7C4C410-D189-FFFF-0000-000000000000"
},
"execution": {
"process_id": 1732,
"thread_id": 8072
},
"channel": "Microsoft-Windows-Winsock-AFD/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-20"
}
},
"event_data": {
"EnterExit": 0,
"Location": 4049,
"Process": "0xffffd189dac41080",
"Endpoint": "0xffffd189da6fe240",
"BufferCount": 1,
"Buffer": "0xffffd189e2457150",
"BufferLength": 4096,
"Status": 0
},
"message": ""
}
Event ID 1013: sendmsg: EnterExit: Process Process, Endpoint Endpoint, Buffer Count BufferCount, Buffer Buffer, Length BufferLength, Addr Address, Seq Location, Status Status.
Description
sendmsg: EnterExit: Process Process, Endpoint Endpoint, Buffer Count BufferCount, Buffer Buffer, Length BufferLength, Addr Address, Seq Location, Status Status.
Fields
| Name | Type | Description |
|---|---|---|
| EnterExit | UInt32 | |
| Location | UInt32 | |
| Process | Pointer | |
| Endpoint | Pointer | |
| BufferCount | UInt32 | |
| Buffer | Pointer | |
| BufferLength | UInt32 | |
| Status | UInt32 | NTSTATUS reference |
| AddressLen | UInt32 | |
| Address | Binary | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Winsock-AFD",
"guid": "E53C6823-7BB8-44BB-90DC-3F86090D48A6",
"event_source_name": "",
"event_id": 1013,
"version": 0,
"level": 4,
"task": 1013,
"opcode": 12,
"keywords": 9223372036854775829,
"time_created": "2026-03-13T19:59:57.037177+00:00",
"event_record_id": 4360,
"correlation": {
"ActivityID": "DC276560-D189-FFFF-0000-000000000000"
},
"execution": {
"process_id": 1732,
"thread_id": 8072
},
"channel": "Microsoft-Windows-Winsock-AFD/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-20"
}
},
"event_data": {
"EnterExit": 0,
"Location": 3100,
"Process": "0xffffd189dac41080",
"Endpoint": "0xffffd189da6fe240",
"BufferCount": 1,
"Buffer": "0xffffd189dc2767e8",
"BufferLength": 63,
"Status": 0,
"AddressLen": 28,
"Address": "170000350A020A0B00000000000000000000FFFF0A020A0B00000000"
},
"message": ""
}
Event ID 1015: recvmsg: EnterExit: Process Process, Endpoint Endpoint, Buffer Count BufferCount, Buffer Buffer, Length BufferLength, Addr Address, Seq Location, Status Status.
Description
recvmsg: EnterExit: Process Process, Endpoint Endpoint, Buffer Count BufferCount, Buffer Buffer, Length BufferLength, Addr Address, Seq Location, Status Status.
Fields
| Name | Type | Description |
|---|---|---|
| EnterExit | UInt32 | |
| Location | UInt32 | |
| Process | Pointer | |
| Endpoint | Pointer | |
| BufferCount | UInt32 | |
| Buffer | Pointer | |
| BufferLength | UInt32 | |
| Status | UInt32 | NTSTATUS reference |
| AddressLen | UInt32 | |
| Address | Binary | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Winsock-AFD",
"guid": "E53C6823-7BB8-44BB-90DC-3F86090D48A6",
"event_source_name": "",
"event_id": 1015,
"version": 0,
"level": 4,
"task": 1015,
"opcode": 12,
"keywords": 9223372036854775813,
"time_created": "2026-03-13T19:59:57.072482+00:00",
"event_record_id": 4366,
"correlation": {
"ActivityID": "D7C4C410-D189-FFFF-0000-000000000000"
},
"execution": {
"process_id": 3464,
"thread_id": 5140
},
"channel": "Microsoft-Windows-Winsock-AFD/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"EnterExit": 1,
"Location": 4052,
"Process": "0xffffd189dac41080",
"Endpoint": "0xffffd189da6fe240",
"BufferCount": 1,
"Buffer": "0xffffd189e2457150",
"BufferLength": 183,
"Status": 0,
"AddressLen": 28,
"Address": "170000350000000000000000000000000000FFFF0A020A0B00000000"
},
"message": ""
}
Event ID 1017: connect: EnterExit: Process Process, Endpoint Endpoint, Seq Location, Status Status.
Description
connect: EnterExit: Process Process, Endpoint Endpoint, Seq Location, Status Status.
Fields
| Name | Type | Description |
|---|---|---|
| EnterExit | UInt32 | |
| Location | UInt32 | |
| Process | Pointer | |
| Endpoint | Pointer | |
| Status | UInt32 | NTSTATUS reference |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Winsock-AFD",
"guid": "E53C6823-7BB8-44BB-90DC-3F86090D48A6",
"event_source_name": "",
"event_id": 1017,
"version": 0,
"level": 4,
"task": 1017,
"opcode": 12,
"keywords": 9223372036854775814,
"time_created": "2026-03-13T21:07:29.053448+00:00",
"event_record_id": 1134177,
"correlation": {
"ActivityID": "A3A895B0-800F-FFFF-0000-000000000000"
},
"execution": {
"process_id": 3852,
"thread_id": 2396
},
"channel": "Microsoft-Windows-Winsock-AFD/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"EnterExit": 1,
"Location": 5024,
"Process": "0xffff800f9f29a080",
"Endpoint": "0xffff800fa3a895b0",
"Status": 0
},
"message": ""
}
Event ID 1018: connect: EnterExit: Process Process, Endpoint Endpoint, Address Address, Seq Location, Status Status.
Description
connect: EnterExit: Process Process, Endpoint Endpoint, Address Address, Seq Location, Status Status.
Fields
| Name | Type | Description |
|---|---|---|
| EnterExit | UInt32 | |
| Location | UInt32 | |
| Process | Pointer | |
| Endpoint | Pointer | |
| Buffer | Pointer | |
| BufferLength | UInt32 | |
| Status | UInt32 | NTSTATUS reference |
| AddressLen | UInt32 | |
| Address | Binary | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Winsock-AFD",
"guid": "E53C6823-7BB8-44BB-90DC-3F86090D48A6",
"event_source_name": "",
"event_id": 1018,
"version": 0,
"level": 4,
"task": 1018,
"opcode": 11,
"keywords": 9223372036854775814,
"time_created": "2026-03-13T21:07:28.945199+00:00",
"event_record_id": 1134164,
"correlation": {
"ActivityID": "A3A8C0D0-800F-FFFF-0000-000000000000"
},
"execution": {
"process_id": 3852,
"thread_id": 2396
},
"channel": "Microsoft-Windows-Winsock-AFD/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"EnterExit": 0,
"Location": 5023,
"Process": "0xffff800f9f29a080",
"Endpoint": "0xffff800fa3a8c0d0",
"Buffer": "0x0",
"BufferLength": 0,
"Status": 0,
"AddressLen": 28,
"Address": "17000185000000000000000000000000000000000000000100000000"
},
"message": ""
}
Event ID 1020: ConnectEx: EnterExit: Process Process, Endpoint Endpoint, Seq Location, Status Status.
Description
ConnectEx: EnterExit: Process Process, Endpoint Endpoint, Seq Location, Status Status.
Fields
| Name | Type | Description |
|---|---|---|
| EnterExit | UInt32 | |
| Location | UInt32 | |
| Process | Pointer | |
| Endpoint | Pointer | |
| Status | UInt32 | NTSTATUS reference |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Winsock-AFD",
"guid": "E53C6823-7BB8-44BB-90DC-3F86090D48A6",
"event_source_name": "",
"event_id": 1020,
"version": 0,
"level": 4,
"task": 1020,
"opcode": 12,
"keywords": 9223372036854775814,
"time_created": "2026-03-13T19:59:51.691774+00:00",
"event_record_id": 3160,
"correlation": {
"ActivityID": "D9AB9B70-D189-FFFF-0000-000000000000"
},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Microsoft-Windows-Winsock-AFD/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"EnterExit": 1,
"Location": 5032,
"Process": "0xffffd189daf16080",
"Endpoint": "0xffffd189d9ab9b70",
"Status": 0
},
"message": ""
}
Event ID 1021: ConnectEx: EnterExit: Process Process, Endpoint Endpoint, Buffer Buffer, Length BufferLength, Address Address, Seq Location, Status Status.
Description
ConnectEx: EnterExit: Process Process, Endpoint Endpoint, Buffer Buffer, Length BufferLength, Address Address, Seq Location, Status Status.
Fields
| Name | Type | Description |
|---|---|---|
| EnterExit | UInt32 | |
| Location | UInt32 | |
| Process | Pointer | |
| Endpoint | Pointer | |
| Buffer | Pointer | |
| BufferLength | UInt32 | |
| Status | UInt32 | NTSTATUS reference |
| AddressLen | UInt32 | |
| Address | Binary | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Winsock-AFD",
"guid": "E53C6823-7BB8-44BB-90DC-3F86090D48A6",
"event_source_name": "",
"event_id": 1021,
"version": 0,
"level": 4,
"task": 1021,
"opcode": 11,
"keywords": 9223372036854775814,
"time_created": "2026-03-13T19:59:51.602921+00:00",
"event_record_id": 3157,
"correlation": {
"ActivityID": "D9AB9B70-D189-FFFF-0000-000000000000"
},
"execution": {
"process_id": 3464,
"thread_id": 6604
},
"channel": "Microsoft-Windows-Winsock-AFD/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"EnterExit": 0,
"Location": 5031,
"Process": "0xffffd189daf16080",
"Endpoint": "0xffffd189d9ab9b70",
"Buffer": "0xffffd189de5e8b80",
"BufferLength": 0,
"Status": 0,
"AddressLen": 16,
"Address": "020001BB14F2B5010000000000000000"
},
"message": ""
}
Event ID 1023: accept: EnterExit: Process Process, Endpoint Endpoint, Seq Location, Status Status.
Description
accept: EnterExit: Process Process, Endpoint Endpoint, Seq Location, Status Status.
Fields
| Name | Type | Description |
|---|---|---|
| EnterExit | UInt32 | |
| Location | UInt32 | |
| Process | Pointer | |
| Endpoint | Pointer | |
| Status | UInt32 | NTSTATUS reference |
Event ID 1024: accept: EnterExit: Process Process, Endpoint Endpoint, Address Address, Accept Endpoint AcceptEndpoint, Current Backlog CurrentBacklog, Seq Location, Status Status.
Description
accept: EnterExit: Process Process, Endpoint Endpoint, Address Address, Accept Endpoint AcceptEndpoint, Current Backlog CurrentBacklog, Seq Location, Status Status.
Fields
| Name | Type | Description |
|---|---|---|
| EnterExit | UInt32 | |
| Location | UInt32 | |
| Process | Pointer | |
| Endpoint | Pointer | |
| Buffer | Pointer | |
| BufferLength | UInt32 | |
| Status | UInt32 | NTSTATUS reference |
| AddressLen | UInt32 | |
| Address | Binary | |
| AcceptEndpoint | Pointer | |
| CurrentBacklog | UInt32 | |
Event ID 1026: AcceptEx: EnterExit: Process Process, Endpoint Endpoint, Seq Location, Status Status.
Description
AcceptEx: EnterExit: Process Process, Endpoint Endpoint, Seq Location, Status Status.
Fields
| Name | Type | Description |
|---|---|---|
| EnterExit | UInt32 | |
| Location | UInt32 | |
| Process | Pointer | |
| Endpoint | Pointer | |
| Status | UInt32 | NTSTATUS reference |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Winsock-AFD",
"guid": "E53C6823-7BB8-44BB-90DC-3F86090D48A6",
"event_source_name": "",
"event_id": 1026,
"version": 0,
"level": 4,
"task": 1026,
"opcode": 11,
"keywords": 9223372036854775814,
"time_created": "2026-03-13T21:07:29.060306+00:00",
"event_record_id": 1134266,
"correlation": {
"ActivityID": "A58F82D0-800F-FFFF-0000-000000000000"
},
"execution": {
"process_id": 968,
"thread_id": 1756
},
"channel": "Microsoft-Windows-Winsock-AFD/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"EnterExit": 0,
"Location": 6024,
"Process": "0xffff800fa40450c0",
"Endpoint": "0xffff800fa58f82d0",
"Status": 0
},
"message": ""
}
Event ID 1027: AcceptEx: EnterExit: Process Process, Endpoint Endpoint, Buffer Buffer, Length BufferLength, Address Address, Accept Endpoint AcceptEndpoint, Current Backlog CurrentBacklog, Seq Location, Status St...
Description
AcceptEx: EnterExit: Process Process, Endpoint Endpoint, Buffer Buffer, Length BufferLength, Address Address, Accept Endpoint AcceptEndpoint, Current Backlog CurrentBacklog, Seq Location, Status Status.
Fields
| Name | Type | Description |
|---|---|---|
| EnterExit | UInt32 | |
| Location | UInt32 | |
| Process | Pointer | |
| Endpoint | Pointer | |
| Buffer | Pointer | |
| BufferLength | UInt32 | |
| Status | UInt32 | NTSTATUS reference |
| AddressLen | UInt32 | |
| Address | Binary | |
| AcceptEndpoint | Pointer | |
| CurrentBacklog | UInt32 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Winsock-AFD",
"guid": "E53C6823-7BB8-44BB-90DC-3F86090D48A6",
"event_source_name": "",
"event_id": 1027,
"version": 0,
"level": 4,
"task": 1027,
"opcode": 12,
"keywords": 9223372036854775814,
"time_created": "2026-03-13T21:07:29.053439+00:00",
"event_record_id": 1134176,
"correlation": {
"ActivityID": "A58F82D0-800F-FFFF-0000-000000000000"
},
"execution": {
"process_id": 3852,
"thread_id": 2396
},
"channel": "Microsoft-Windows-Winsock-AFD/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"EnterExit": 1,
"Location": 6101,
"Process": "0xffff800fa40450c0",
"Endpoint": "0xffff800fa58f82d0",
"Buffer": "0xffff800fad6a0660",
"BufferLength": 0,
"Status": 0,
"AddressLen": 16,
"Address": "0200F1857F0000010000000000000000",
"AcceptEndpoint": "0xffff800fa3a89010",
"CurrentBacklog": 0
},
"message": ""
}
Event ID 1029: bind: EnterExit: Process Process, Endpoint Endpoint, Seq Location, Status Status.
Description
bind: EnterExit: Process Process, Endpoint Endpoint, Seq Location, Status Status.
Fields
| Name | Type | Description |
|---|---|---|
| EnterExit | UInt32 | |
| Location | UInt32 | |
| Process | Pointer | |
| Endpoint | Pointer | |
| Status | UInt32 | NTSTATUS reference |
Event ID 1030: bind: EnterExit: Process Process, Endpoint Endpoint, Address Address, Seq Location, Status Status.
Description
bind: EnterExit: Process Process, Endpoint Endpoint, Address Address, Seq Location, Status Status.
Fields
| Name | Type | Description |
|---|---|---|
| EnterExit | UInt32 | |
| Location | UInt32 | |
| Process | Pointer | |
| Endpoint | Pointer | |
| Status | UInt32 | NTSTATUS reference |
| AddressLen | UInt32 | |
| Address | Binary | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Winsock-AFD",
"guid": "E53C6823-7BB8-44BB-90DC-3F86090D48A6",
"event_source_name": "",
"event_id": 1030,
"version": 0,
"level": 4,
"task": 1030,
"opcode": 10,
"keywords": 9223372036854775814,
"time_created": "2026-03-13T19:59:51.602810+00:00",
"event_record_id": 3155,
"correlation": {
"ActivityID": "D9AB9B70-D189-FFFF-0000-000000000000"
},
"execution": {
"process_id": 3464,
"thread_id": 6604
},
"channel": "Microsoft-Windows-Winsock-AFD/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"EnterExit": 0,
"Location": 7010,
"Process": "0xffffd189daf16080",
"Endpoint": "0xffffd189d9ab9b70",
"Status": 0,
"AddressLen": 16,
"Address": "02000000000000000000000000000000"
},
"message": ""
}
Event ID 1032: connection aborted: EnterExit: Process Process, Endpoint Endpoint, Seq Location, Reason Reason.
Description
connection aborted: EnterExit: Process Process, Endpoint Endpoint, Seq Location, Reason Reason.
Fields
| Name | Type | Description |
|---|---|---|
| EnterExit | UInt32 | |
| Location | UInt32 | |
| Process | Pointer | |
| Endpoint | Pointer | |
| Reason | UInt32 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Winsock-AFD",
"guid": "E53C6823-7BB8-44BB-90DC-3F86090D48A6",
"event_source_name": "",
"event_id": 1032,
"version": 0,
"level": 2,
"task": 1032,
"opcode": 14,
"keywords": 9223372036854775814,
"time_created": "2026-03-13T19:59:59.025920+00:00",
"event_record_id": 4800,
"correlation": {
"ActivityID": "DA6FFB70-D189-FFFF-0000-000000000000"
},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Microsoft-Windows-Winsock-AFD/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"EnterExit": 2,
"Location": 8016,
"Process": "0xffffd189daf44080",
"Endpoint": "0xffffd189da6ffb70",
"Reason": 13
},
"message": ""
}
Event ID 1033: datagram dropped: EnterExit: Process Process, Endpoint Endpoint, Buffer Buffer, Length BufferLength, Address Address, Seq Location, Reason Reason.
Description #
datagram dropped: EnterExit: Process Process, Endpoint Endpoint, Buffer Buffer, Length BufferLength, Address Address, Seq Location, Reason Reason.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| EnterExit | UInt32 | |
| Location | UInt32 | |
| Process | Pointer | |
| Endpoint | Pointer | |
| Buffer | Pointer | |
| BufferLength | UInt32 | |
| AddressLen | UInt32 | |
| Address | Binary | |
| Reason | UInt32 | |
Event ID 1035: Socket option: EnterExit: Process Process, Endpoint Endpoint, Option Option, Value Value, Seq Location, Status Status.
Description #
Socket option: EnterExit: Process Process, Endpoint Endpoint, Option Option, Value Value, Seq Location, Status Status.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| EnterExit | UInt32 | |
| Location | UInt32 | |
| Process | Pointer | |
| Endpoint | Pointer | |
| Option | UInt32 | |
| Value | UInt32 | |
| Status | UInt32 | NTSTATUS reference |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Winsock-AFD",
"guid": "E53C6823-7BB8-44BB-90DC-3F86090D48A6",
"event_source_name": "",
"event_id": 1035,
"version": 0,
"level": 4,
"task": 1035,
"opcode": 0,
"keywords": 9223372036854775814,
"time_created": "2026-03-13T20:32:26.825957+00:00",
"event_record_id": 394421,
"correlation": {
"ActivityID": "97549A70-920B-FFFF-0000-000000000000"
},
"execution": {
"process_id": 984,
"thread_id": 10204
},
"channel": "Microsoft-Windows-Winsock-AFD/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"EnterExit": 4,
"Location": 11015,
"Process": "0xffff920b97fd1100",
"Endpoint": "0xffff920b97549a70",
"Option": 7,
"Value": 65536,
"Status": 0
},
"message": ""
}
Event ID 1036: Wait for listen: EnterExit: Process Process, Endpoint Endpoint, Seq Location, Status Status.
Description #
Wait for listen: EnterExit: Process Process, Endpoint Endpoint, Seq Location, Status Status.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| EnterExit | UInt32 | |
| Location | UInt32 | |
| Process | Pointer | |
| Endpoint | Pointer | |
| Status | UInt32 | NTSTATUS reference |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Winsock-AFD",
"guid": "{E53C6823-7BB8-44BB-90DC-3F86090D48A6}",
"event_source_name": "",
"event_id": 1036,
"version": 0,
"level": 4,
"task": 1036,
"opcode": 0,
"keywords": -9223372036854775802,
"time_created": "2026-06-13T15:00:17.0025652+00:00",
"event_record_id": 48324,
"correlation": {
"ActivityID": "{7A160310-8004-FFFF-0000-000000000000}"
},
"execution": {
"process_id": 6836,
"thread_id": 1204
},
"channel": "Microsoft-Windows-Winsock-AFD/Operational",
"computer": "telemetry-DC-d.cell-d.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"EnterExit": "0",
"Location": "6216",
"Process": "0xffff80047dec4080",
"Endpoint": "0xffff80047a160310",
"Status": "0"
},
"message": "Wait for listen: 0: Process 0xffff80047dec4080, Endpoint 0xffff80047a160310, Seq 6216, Status STATUS_SUCCESS"
}
Event ID 1037: Listen: EnterExit: Process Process, Endpoint Endpoint, Backlog Backlog, Seq Location, Status Status.
Description #
Listen: EnterExit: Process Process, Endpoint Endpoint, Backlog Backlog, Seq Location, Status Status.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| EnterExit | UInt32 | |
| Location | UInt32 | |
| Process | Pointer | |
| Endpoint | Pointer | |
| Backlog | UInt32 | |
| Status | UInt32 | NTSTATUS reference |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Winsock-AFD",
"guid": "{E53C6823-7BB8-44BB-90DC-3F86090D48A6}",
"event_source_name": "",
"event_id": 1037,
"version": 0,
"level": 4,
"task": 1037,
"opcode": 0,
"keywords": -9223372036854775802,
"time_created": "2026-06-13T14:56:52.5285719+00:00",
"event_record_id": 42120,
"correlation": {
"ActivityID": "{43D84510-D385-FFFF-0000-000000000000}"
},
"execution": {
"process_id": 7600,
"thread_id": 4436
},
"channel": "Microsoft-Windows-Winsock-AFD/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"EnterExit": "1",
"Location": "13012",
"Process": "0xffffd3853cfef080",
"Endpoint": "0xffffd38543d84510",
"Backlog": "20",
"Status": "0"
},
"message": "Listen: 1: Process 0xffffd3853cfef080, Endpoint 0xffffd38543d84510, Backlog 20, Seq 13012, Status STATUS_SUCCESS"
}
Event ID 3000: Connect indication: EnterExit: Process Process, Endpoint Endpoint, Seq Location, Status Status.
Description #
Connect indication: EnterExit: Process Process, Endpoint Endpoint, Seq Location, Status Status.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| EnterExit | UInt32 | |
| Location | UInt32 | |
| Process | Pointer | |
| Endpoint | Pointer | |
| Status | UInt32 | NTSTATUS reference |
Event ID 3001: Connect indication: EnterExit: Process Process, Endpoint Endpoint, Address Address, Backlog Count CurrentBacklog, Seq Location, Status Status.
Description #
Connect indication: EnterExit: Process Process, Endpoint Endpoint, Address Address, Backlog Count CurrentBacklog, Seq Location, Status Status.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| EnterExit | UInt32 | |
| Location | UInt32 | |
| Process | Pointer | |
| Endpoint | Pointer | |
| Status | UInt32 | NTSTATUS reference |
| AddressLen | UInt32 | |
| Address | Binary | |
| CurrentBacklog | UInt32 | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Winsock-AFD",
"guid": "E53C6823-7BB8-44BB-90DC-3F86090D48A6",
"event_source_name": "",
"event_id": 3001,
"version": 0,
"level": 4,
"task": 3001,
"opcode": 0,
"keywords": 9223372036854775818,
"time_created": "2026-03-13T21:07:29.053422+00:00",
"event_record_id": 1134175,
"correlation": {
"ActivityID": "A58F82D0-800F-FFFF-0000-000000000000"
},
"execution": {
"process_id": 3852,
"thread_id": 2396
},
"channel": "Microsoft-Windows-Winsock-AFD/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"EnterExit": 3,
"Location": 6501,
"Process": "0xffff800fa40450c0",
"Endpoint": "0xffff800fa58f82d0",
"Status": 0,
"AddressLen": 16,
"Address": "0200F1857F0000010000000000000000",
"CurrentBacklog": 0
},
"message": ""
}
Event ID 3003: Data indication: EnterExit: Process Process, Endpoint Endpoint, Buffer Buffer, Length BufferLength, Seq Location.
Description #
Data indication: EnterExit: Process Process, Endpoint Endpoint, Buffer Buffer, Length BufferLength, Seq Location.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| EnterExit | UInt32 | |
| Location | UInt32 | |
| Process | Pointer | |
| Endpoint | Pointer | |
| Buffer | Pointer | |
| BufferLength | UInt32 | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Winsock-AFD",
"guid": "E53C6823-7BB8-44BB-90DC-3F86090D48A6",
"event_source_name": "",
"event_id": 3003,
"version": 0,
"level": 4,
"task": 3003,
"opcode": 0,
"keywords": 9223372036854775818,
"time_created": "2026-03-13T19:59:49.505141+00:00",
"event_record_id": 2654,
"correlation": {
"ActivityID": "DA6FEDE0-D189-FFFF-0000-000000000000"
},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Microsoft-Windows-Winsock-AFD/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"EnterExit": 3,
"Location": 9000,
"Process": "0xffffd189dc00f080",
"Endpoint": "0xffffd189da6fede0",
"Buffer": "0xffffd189dcf85eb0",
"BufferLength": 6
},
"message": ""
}
Event ID 3004: Data indication: EnterExit: Process Process, Endpoint Endpoint, Buffer Buffer, Length BufferLength, Address Address, Seq Location.
Description #
Data indication: EnterExit: Process Process, Endpoint Endpoint, Buffer Buffer, Length BufferLength, Address Address, Seq Location.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| EnterExit | UInt32 | |
| Location | UInt32 | |
| Process | Pointer | |
| Endpoint | Pointer | |
| Buffer | Pointer | |
| BufferLength | UInt32 | |
| AddressLen | UInt32 | |
| Address | Binary | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Winsock-AFD",
"guid": "E53C6823-7BB8-44BB-90DC-3F86090D48A6",
"event_source_name": "",
"event_id": 3004,
"version": 0,
"level": 4,
"task": 3004,
"opcode": 0,
"keywords": 9223372036854775817,
"time_created": "2026-03-13T19:59:57.072475+00:00",
"event_record_id": 4365,
"correlation": {
"ActivityID": "DA6FE240-D189-FFFF-0000-000000000000"
},
"execution": {
"process_id": 3464,
"thread_id": 5140
},
"channel": "Microsoft-Windows-Winsock-AFD/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"EnterExit": 3,
"Location": 9001,
"Process": "0xffffd189dac41080",
"Endpoint": "0xffffd189da6fe240",
"Buffer": "0xffffd189d87d16d0",
"BufferLength": 183,
"AddressLen": 28,
"Address": "170000350000000000000000000000000000FFFF0A020A0B00000000"
},
"message": ""
}
Event ID 3006: disconnect indicated: EnterExit: Process Process, Endpoint Endpoint, Seq Location.
Description #
disconnect indicated: EnterExit: Process Process, Endpoint Endpoint, Seq Location.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| EnterExit | UInt32 | |
| Location | UInt32 | |
| Process | Pointer | |
| Endpoint | Pointer | |
| Status | UInt32 | NTSTATUS reference |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Winsock-AFD",
"guid": "E53C6823-7BB8-44BB-90DC-3F86090D48A6",
"event_source_name": "",
"event_id": 3006,
"version": 0,
"level": 4,
"task": 3006,
"opcode": 13,
"keywords": 9223372036854775818,
"time_created": "2026-03-13T19:59:59.438556+00:00",
"event_record_id": 4914,
"correlation": {
"ActivityID": "D9AB9790-D189-FFFF-0000-000000000000"
},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "Microsoft-Windows-Winsock-AFD/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"EnterExit": 3,
"Location": 12001,
"Process": "0xffffd189da51f140",
"Endpoint": "0xffffd189d9ab9790",
"Status": 0
},
"message": ""
}
Event ID 3007: Transport send backlog: Process EnterExit, Endpoint Location, Send Backlog SendBacklog.
Description #
Transport send backlog: Process EnterExit, Endpoint Location, Send Backlog SendBacklog.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| EnterExit | UInt32 | |
| Location | UInt32 | |
| Process | Pointer | |
| Endpoint | Pointer | |
| SendBacklog | UInt32 | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Winsock-AFD",
"event_id": 3007,
"level": "Information",
"task": null,
"opcode": "Info",
"time_created": "2026-05-27T17:44:28.9513179+00:00",
"computer": "JD-DC01-2022.ludus.domain",
"channel": "Microsoft-Windows-Winsock-AFD/Operational"
},
"event_data": {
"EnterExit": "4",
"Endpoint": "0xffffd60c4eacb7f0",
"Location": "14000",
"SendBacklog": "131072",
"Process": "0xffffd60c4e9e8080"
}
}
Event ID 4000: Registration domain RegistrationDomain create status Status.
Description #
Registration domain RegistrationDomain create status Status.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| RegistrationDomain | Pointer | |
| Status | UInt32 | NTSTATUS reference |
Event ID 4001: Registration domain RegistrationDomain closed.
Event ID 4002: CQ Cq created with EntryCount entries, index CqIndex and notification type NotificationType, status Status.
Description #
CQ Cq created with EntryCount entries, index CqIndex and notification type NotificationType, status Status.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Cq | Pointer | |
| RegistrationDomain | Pointer | |
| EntryCount | UInt32 | |
| UserAddress | Pointer | |
| SystemAddress | Pointer | |
| BufferSize | UInt32 | |
| CqIndex | UInt32 | |
| NotificationType | UInt32 | |
| NotificationHandle | Pointer | |
| NotificationObject | Pointer | |
| NotificationContext1 | Pointer | |
| NotificationContext2 | Pointer | |
| Status | UInt32 | NTSTATUS reference |
Event ID 4003: CQ Cq closed with Commit commit.
Event ID 4004: CQ Cq cleaned up.
Event ID 4005: CQ Cq with Commit commit resized from OriginalEntryCount to RequestedEntryCount, status Status.
Description #
CQ Cq with Commit commit resized from OriginalEntryCount to RequestedEntryCount, status Status.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Cq | Pointer | |
| OriginalEntryCount | UInt32 | |
| OriginalStart | UInt32 | |
| OriginalEnd | UInt32 | |
| Commit | UInt32 | |
| RequestedEntryCount | UInt32 | |
| UserAddress | Pointer | |
| SystemAddress | Pointer | |
| BufferSize | UInt32 | |
| Status | UInt32 | NTSTATUS reference |
Event ID 4006: RQ RioState created on endpoint Endpoint with ReceiveEntryCount receive and SendEntryCount send entries, using receive CQ ReceiveCqIndex and send CQ SendCqIndex, status Status.
Description #
RQ RioState created on endpoint Endpoint with ReceiveEntryCount receive and SendEntryCount send entries, using receive CQ ReceiveCqIndex and send CQ SendCqIndex, status Status.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Endpoint | Pointer | |
| RioState | Pointer | |
| RegistrationDomain | Pointer | |
| SendEntryCount | UInt32 | |
| SendUserAddress | Pointer | |
| SendSystemAddress | Pointer | |
| SendBufferSize | UInt32 | |
| ReceiveEntryCount | UInt32 | |
| ReceiveUserAddress | Pointer | |
| ReceiveSystemAddress | Pointer | |
| ReceiveBufferSize | UInt32 | |
| SendCqIndex | UInt32 | |
| ReceiveCqIndex | UInt32 | |
| Status | UInt32 | NTSTATUS reference |
Event ID 4007: RQ RioState closed, receive = (ReceiveQueueStart,ReceiveQueueEnd) send = (SendQueueStart,SendQueueEnd).
Event ID 4008: RQ RioState cleaned up.
Event ID 4009: RQ RioState resized from (OriginalReceiveEntryCount,OriginalSendEntryCount) to (RequestedReceiveEntryCount,RequestedSendEntryCount), status = Status.
Description #
RQ RioState resized from (OriginalReceiveEntryCount,OriginalSendEntryCount) to (RequestedReceiveEntryCount,RequestedSendEntryCount), status = Status.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| RioState | Pointer | |
| OriginalSendEntryCount | UInt32 | |
| OriginalSendQueueStart | UInt32 | |
| OriginalSendQueueEnd | UInt32 | |
| RequestedSendEntryCount | UInt32 | |
| SendUserAddress | Pointer | |
| SendSystemAddress | Pointer | |
| SendBufferSize | UInt32 | |
| OriginalReceiveEntryCount | UInt32 | |
| OriginalReceiveQueueStart | UInt32 | |
| OriginalReceiveQueueEnd | UInt32 | |
| RequestedReceiveEntryCount | UInt32 | |
| ReceiveUserAddress | Pointer | |
| ReceiveSystemAddress | Pointer | |
| ReceiveBufferSize | UInt32 | |
| Status | UInt32 | NTSTATUS reference |
Event ID 4010: Buffer Buffer registered with address UserAddress and length BufferSize, system address = SystemAddress, ID = BufferId, status = Status.
Description #
Buffer Buffer registered with address UserAddress and length BufferSize, system address = SystemAddress, ID = BufferId, status = Status.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| Buffer | Pointer | |
| RegistrationDomain | Pointer | |
| UserAddress | Pointer | |
| SystemAddress | Pointer | |
| BufferSize | UInt32 | |
| BufferId | UInt32 | |
| Status | UInt32 | NTSTATUS reference |
Event ID 4011: Buffer Buffer deregistered with References references.
Event ID 4012: Buffer Buffer cleaned up.
Event ID 4013: RQ RioState using invalid buffer ID BufferId.
Event ID 4014: RQ RioState invalid use of buffer Buffer, offset = BufferOffset, length = BufferLength.
Event ID 4015: RQ RioState using invalid buffer size for BufferType, specified = SpecifiedLength, required = RequiredLength.
Event ID 4016: NRT Create: Handle = NameResolutionHandle Process = Process Status = Status.
Description #
NRT Create: Handle = NameResolutionHandle Process = Process Status = Status.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| NameResolutionHandle | Pointer | |
| Process | Pointer | |
| Status | UInt32 | NTSTATUS reference |
Event ID 4017: NRT Close: Handle = NameResolutionHandle Process = Process.
Event ID 4018: CQ Cq notify EnterExit Seq Location Status Status.
Description #
CQ Cq notify EnterExit Seq Location Status Status.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| EnterExit | UInt32 | |
| Location | UInt32 | |
| Process | Pointer | |
| RegDomain | Pointer | |
| Cq | Pointer | |
| Status | UInt32 | NTSTATUS reference |
Event ID 4019: accept EnterExit [1 = Pause, 0 = Unpause] PauseUnPause Seq Location Endpoint Process Process Endpoint TlBacklogCount TLBacklogCount.
Event ID 4020: RQ RioState invalid buffer sharing ID BufferId sharing type BufferSharingType.
Provenance #
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID {E53C6823-7BB8-44BB-90DC-3F86090D48A6}
Defined in afd.sys, the binary that emits these events.
Observed on:
- WS2022-20348.4893, sample captured from a live trace, binary version 10.0.20348.4171, captured 2026-06-02
- WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.4171, captured 2026-06-02
- Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.1, captured 2026-06-02