Microsoft-Windows-WLAN-AutoConfig
255 events across 3 channels
Event ID 4000: WLAN AutoConfig service has successfully started.
#Description
WLAN AutoConfig service has successfully started.
Message #
Event ID 4001: WLAN AutoConfig service has successfully stopped.
#Description
WLAN AutoConfig service has successfully stopped.
Message #
Event ID 4002: WLAN AutoConfig service has failed to start.
#Event ID 4003: WLAN AutoConfig detected limited connectivity, attempting automatic recovery.
#Event ID 8000: WLAN AutoConfig service started a connection to a wireless network.
#Event ID 8001: WLAN AutoConfig service has successfully connected to a wireless network.
#Description
WLAN AutoConfig service has successfully connected to a wireless network.
Message #
Fields #
| Name | Description |
|---|---|
InterfaceGuid GUID | Interface GUID of the wireless adapter |
InterfaceDescription UnicodeString | Name of the wireless adapter |
ConnectionMode UnicodeString | Whether the connection was automatic ("Automatic connection with a profile") or manual ("Connection to a secure network without a profile") |
ProfileName UnicodeString | |
SSID UnicodeString | SSID of the wireless network that was connected to |
BSSType UnicodeString | |
PHYType UnicodeString | |
AuthenticationAlgorithm UnicodeString | Security protocol used to connect (e.g. WEP, WPA2-Personal) |
CipherAlgorithm UnicodeString | |
OnexEnabled UInt32 | |
ConnectionId Pointer | |
NonBroadcast Boolean |
References #
- Windows Forensic Artifacts https://github.com/Psmths/windows-forensic-artifacts/blob/main/network/evtx-8001-wlan-connect.md
Event ID 8002: WLAN AutoConfig service failed to connect to a wireless network.
#Description
WLAN AutoConfig service failed to connect to a wireless network.
Message #
Fields #
| Name | Description |
|---|---|
InterfaceGuid GUID | |
InterfaceDescription UnicodeString | |
ConnectionMode UnicodeString | |
ProfileName UnicodeString | |
SSID UnicodeString | |
BSSType UnicodeString | |
FailureReason UnicodeString | Known values
|
ReasonCode UInt32 | |
ConnectionId Pointer | |
RSSI Int32 |
Event ID 8003: WLAN AutoConfig service has successfully disconnected from a wireless network.
#Description
WLAN AutoConfig service has successfully disconnected from a wireless network.
Message #
Fields #
| Name | Description |
|---|---|
InterfaceGuid GUID | Interface GUID of the wireless adapter |
InterfaceDescription UnicodeString | Name of the wireless adapter |
ConnectionMode UnicodeString | |
ProfileName UnicodeString | |
SSID UnicodeString | SSID of the wireless network that was disconnected from |
BSSType UnicodeString | |
Reason UnicodeString | Reason the wireless network was disconnected |
ConnectionId Pointer | |
ReasonCode UInt32 |
References #
- Windows Forensic Artifacts https://github.com/Psmths/windows-forensic-artifacts/blob/main/network/evtx-8003-wlan-disconnect.md
Event ID 8004: Wireless network is blocked due to connection failure.
#Description
Wireless network is blocked due to connection failure.
Message #
Fields #
| Name | Description |
|---|---|
InterfaceDescription UnicodeString | |
InterfaceGuid GUID | |
SSIDs UnicodeString | |
ProfileName UnicodeString | |
ConnectionMode UnicodeString | |
BSSType UnicodeString | |
FailureReason UnicodeString | Known values
|
BlockTime UInt32 | |
ReasonCode UInt32 | |
ConnectionId Pointer |
Event ID 8005: WLAN AutoConfig service has begun starting the hosted network.
#Event ID 8006: WLAN AutoConfig service has finished starting the hosted network.
#Event ID 8007: WLAN AutoConfig service has failed to start the hosted network.
#Event ID 8008: AutoConfig service has begun to stop the hosted network.
#Event ID 8009: WLAN AutoConfig service has finished stopping the hosted network.
#Event ID 8010: WLAN AutoConfig service has failed to stop the hosted network.
#Event ID 8011: Connect to last good network.
#Event ID 8012: NLO discovery Network Adapter: Interface GUID: InterfaceGuid InterfaceDescription.
#Event ID 10000: WLAN Extensibility Module has failed to start.
#Event ID 10001: WLAN Extensibility Module has successfully started.
#Event ID 10002: WLAN Extensibility Module has stopped.
#Event ID 10003: WLAN Extensibility Module has stopped unexpectedly.
#Event ID 10004: WLAN Extensibility Module has timed out.
#Event ID 11000: Wireless network association started.
#Event ID 11001: Wireless network association succeeded.
#Event ID 11002: Wireless network association failed.
#Description
Wireless network association failed.
Message #
Fields #
| Name | Description |
|---|---|
Adapter UnicodeString | |
DeviceGuid GUID | |
LocalMac UnicodeString | |
SSID UnicodeString | |
BSSType UnicodeString | |
FailureReason UnicodeString | Known values
|
ReasonCode UInt32 | |
Dot11StatusCode UInt32 | |
ConnectionId Pointer | |
RSSI Int32 |
Event ID 11003: Wireless security started.
#Event ID 11004: Wireless security stopped.
#Event ID 11005: Wireless security succeeded.
#Event ID 11006: Wireless security failed.
#Event ID 11007: Wireless IHV security started.
#Event ID 11008: Wireless IHV security succeeded.
#Event ID 11009: Wireless IHV security failed.
#Event ID 11010: Wireless security started.
#Event ID 12011: Wireless 802.
#Event ID 12012: Wireless 802.
#Event ID 12013: Wireless 802.
#Description
Wireless 802.1x authentication failed.
Message #
Fields #
| Name | Description |
|---|---|
Adapter UnicodeString | |
DeviceGuid GUID | |
LocalMac UnicodeString | |
SSID UnicodeString | |
BSSType UnicodeString | |
PeerMac UnicodeString | |
Identity UnicodeString | |
User UnicodeString | |
Domain UnicodeString | |
ReasonText UnicodeString | |
ReasonCode HexInt32 | |
ErrorCode HexInt32 | |
EAPReasonCode HexInt32 | |
EAPRootCauseString UnicodeString | |
EAPErrorCode HexInt32 | |
ConnectionId Pointer | |
ExplicitCredentials Boolean |
Event ID 12014: Wireless 802.
#Event ID 13001: A pre-logon connection was not attempted.
#Event ID 13002: A pre-logon connection was attempted.
#Event ID 13011: A post-logon connection was not attempted.
#Event ID 13012: A post-logon connection was attempted.
#Event ID 13013: The post-logon connection attempt is complete.
#Event ID 13014: A post-logon connection was attempted.
#Event ID 13100: CostSource Cost is changed to CostValue for profile ProfileName on interface InterfaceGuid.
#Event ID 13101: Group Policy Cost is changed to CostValue.
#Event ID 13102: CostSource Cost is cleared for profile ProfileName on interface InterfaceGuid.
#Event ID 14000: Media notification received.
#Event ID 14001: Peer notification received.
#Event ID 14002: Enable AutoConfig.
#Event ID 14003: Set media streaming mode.
#Event ID 14004: Set BSS type.
#Event ID 14005: Set radio state.
#Event ID 14006: Start auto config.
#Event ID 14007: Stop auto config.
#Event ID 14008: Power setting = PowerSetting.
#Event ID 14009: Change session to ConnectionId.
#Event ID 14010: Radio is off.
#Event ID 14011: Change radio state for interface = InterfaceDescription : PHY = PHY, software state = SoftwareState, hardware state = HardwareState).
#Event ID 14012: The connection is not healthy.
#Event ID 14013: Profile Profile is updated.
#Event ID 14014: ConnectionResetReason, need to disconnect.
#Event ID 14015: Set current operation mode.
#Event ID 14016: Got connection request, mode = ConnectionMode, flags = Flags, profile name = Profile, session = ConnectionId.
#Description
Got connection request, mode = ConnectionMode, flags = Flags, profile name = Profile, session = ConnectionId. Interface = InterfaceDescription.
Message #
Fields #
| Name | Description |
|---|---|
InterfaceGuid GUID | |
InterfaceDescription UnicodeString | |
ConnectionMode UInt32 | |
Flags UInt32 | |
Profile UnicodeString | |
ConnectionId Pointer |
Event ID 14017: Connection cancelled by user.
#Event ID 14018: Connection failed.
#Event ID 14019: Stop all connection attempts for interface InterfaceDescription.
#Event ID 14020: Connection succeeded on interface InterfaceDescription.
#Event ID 14021: Connection complete on interface InterfaceDescription, session = ConnectionId, status = Status, ad hoc network formed = Adhoc.
#Description
Connection complete on interface InterfaceDescription, session = ConnectionId, status = Status, ad hoc network formed = Adhoc.
Message #
Fields #
| Name | Description |
|---|---|
InterfaceGuid GUID | |
InterfaceDescription UnicodeString | |
ConnectionId Pointer | |
Status UInt32 | NTSTATUS reference |
Adhoc Boolean |
Event ID 14022: Got disconnect request.
#Event ID 14023: Set profile Profile to manual temporarily.
#Event ID 14024: Disconnecting.
#Event ID 14025: Interface InterfaceDescription state is set to State.
#Event ID 14026: UI request for interface InterfaceDescription result = Result.
#Event ID 14027: Profile Profile HealthCheckResult.
#Event ID 14028: Profile name change.
#Event ID 14029: Interface InterfaceGuid (InterfaceDescription) is successfully initialized.
#Event ID 14030: The current operation mode for interface InterfaceDescription is OpMode.
#Event ID 14031: Interface InterfaceGuid type = Type.
#Event ID 14032: Interface InterfaceGuid cannot be queried, error ErrorCode.
#Event ID 14033: Failed to query physical medium for interface InterfaceGuid, because the device is not ready.
#Event ID 14034: Found name FriendlyName for interface DeviceGuid.
#Event ID 14035: Network SSID is not permitted.
#Event ID 14036: Power setting = Setting.
#Event ID 14037: Disconnect the temporary connection Profile for interface InterfaceDescription, Reason = Reason.
#Event ID 14038: Clear runtime state because the user who initiated the manual connection logged off.
#Event ID 14039: WTS session change.
#Event ID 14040: Scan for networks.
#Event ID 14041: Scan request is ignored because radio is off.
#Event ID 14042: Scan results are not queried because raido is off.
#Event ID 14043: The scan state machine is stopped.
#Event ID 14044: No auto switch for the current connection (Profile).
#Event ID 14045: Connection (auto = Auto) to SSID (multiple=Multiple) using profile ProfileName.
#Event ID 14046: The session id=ConnectionId, active=Active, console=Console is added.
#Event ID 14047: The state of session id=ConnectionId is refreshed to active=Active, console=Console.
#Event ID 14048: Active Console User state = ActiveConsole.
#Event ID 14049: The session id=ConnectionId is removed.
#Event ID 14050: Discovery module has taken care of the UI request.
#Event ID 14051: UI request not sent because the network is suppressed and the UI request is notification type.
#Event ID 14052: IntfCompleteTimely failed, error ErrorCode.
#Event ID 14053: Session ConnectionId, Network suppressed status for Network is Suppressed.
#Event ID 14054: Enable AutoConfig background scan.
#Event ID 14055: Discard this round of background scan because a connection process is in progress.
#Event ID 14056: Discard this round of background scan because the current connection does not allow auto switch.
#Event ID 14057: Discard this round of background scan because the current connection is the most preferred auto connection.
#Event ID 14058: Connect to SSID with profile ProfileName.
#Event ID 14059: Set operational state.
#Event ID 14060: Profile State changed.
#Event ID 14061: Profile State changed.
#Event ID 14062: RpcCall WlanRpcCallType from client ClientProcessId.
#Event ID 14063: SetAutoConfigParameterRpcCall for OpCode from process ClientProcessId.
#Event ID 14064: SetInterfaceRpcCall for OpCode from process ClientProcessId.
#Event ID 14065: PrivateSetInterfaceRpcCall for OpCode from process ClientProcessId on Interface InterfaceGuid.
#Event ID 14066: InternalPrivateQuerySetInterfaceCall for OpCode on Interface InterfaceGuid.
#Event ID 14067: Screen Power State changed.
#Event ID 14068: Low Power State changed.
#Event ID 14069: Adding WLAN Interface InterfaceGuid for InterfaceDescription.
#Event ID 14070: Removing WLAN Interface Interface InterfaceGuid.
#Event ID 14071: Expedited scan triggered on InterfaceGuid because ExpeditedScanTrigger.
#Event ID 14072: Disconnect triggered on InterfaceGuid Reason: DisconnectTrigger.
#Event ID 14073: Limited Connectivity Recovery Type: RecoveryType Event: EventType Data: EventData.
#Event ID 14074: Gateway Reachability State changed.
#Event ID 14075: Update allowed connectivity token - AutoConnect=[Enabled: IsAutoConnectEnabled, Count: AutoConnectProfileCount, FilterControl: AutoConnectFilterControl], ManualConnect=[Enabled: IsManualConnectEnab...
#Description
Update allowed connectivity token - AutoConnect=[Enabled: , Count: , FilterControl: ], ManualConnect=[Enabled: , Count: , FilterControl: ], Interface.
Message #
Fields #
| Name | Description |
|---|---|
IsAutoConnectEnabled Boolean | |
AutoConnectProfileCount UInt32 | |
AutoConnectFilterControl UInt32 | |
IsManualConnectEnabled Boolean | |
ManualConnectProfileCount UInt32 | |
ManualConnectFilterControl UInt32 | |
InterfaceDescription UnicodeString |
Event ID 14076: Connectivity token update - AutoConnect=[Enabled: IsAutoConnectEnabled], ManualConnect=[Enabled: IsManualConnectEnabled], Interface: InterfaceDescription.
#Description
Connectivity token update - AutoConnect=[Enabled: IsAutoConnectEnabled], ManualConnect=[Enabled: IsManualConnectEnabled], Interface: InterfaceDescription.
Message #
Fields #
| Name | Description |
|---|---|
IsAutoConnectEnabled Boolean | |
IsManualConnectEnabled Boolean | |
InterfaceDescription UnicodeString | |
ConnectivityBlockReason UInt32 |
Event ID 20000: Begin Connect API
#Event ID 20001: Begin Disconnect API
#Event ID 20002: Calling MSMSecPerformPreAssociateSecurity
#Event ID 20003: Calling MSMSecStopSecurity
#Event ID 20004: Connect completion reason Reason, session Session, adhoc formed AdHocFormed.
#Event ID 20005: Received CONNECT COMPLETION, status Status, assocStatus AssocStatus.
#Description
Received CONNECT COMPLETION, status Status, assocStatus AssocStatus.
Message #
Fields #
| Name | Description |
|---|---|
InterfaceGuid GUID | |
InterfaceDescription UnicodeString | |
Status UInt32 | NTSTATUS reference |
AssocStatus UInt32 |
Event ID 20006: FSM Current state CurrState, event EventId.
#Event ID 20007: FSM Transition from State: CurrState to State: NewState.
#Event ID 20008: Phy Type not compatible
#Event ID 20009: Link Quality: Quality.
#Event ID 20010: Received IHV PORT DOWN, peer BSSID.
#Event ID 20011: Received IHV PORT UP, peer BSSID.
#Event ID 20012: Post Connect Security has Completed Successfully
#Event ID 20013: Post Connect Security has FAILED with reason code: ErrorCode.
#Event ID 20014: Received Security Packet: PacketType.
#Event ID 20015: Security PreConnect Completion, security reason: Reason, error Error.
#Event ID 20016: Send Security Packet Length = Length and Completion Handle = Handle.
#Event ID 20017: Send Security Packet Length = Length and Completion Handle = Handle.
#Event ID 20018: SSID = SSID BSSIDCount = BSSIDCount.
#Event ID 20019: A client has associated with the hosted network.
#Event ID 20020: A client has successfully authenticated with the hosted network.
#Event ID 20021: A client has failed to authenticate with the hosted network.
#Event ID 20023: Scan completion Status Status.
#Description
Scan completion Status Status.
Message #
Fields #
| Name | Description |
|---|---|
InterfaceGuid GUID | |
Status UInt32 | NTSTATUS reference |
Event ID 20024: Number of Unique Wlan Networks Count.
#Event ID 20025: Visible Network: Ssid, BssidCount BSSIDS, AuthAlgoId/CipherAlgoId, Rssi RSSI.
#Event ID 21001: Adapter(InterfaceGuid) New Adapter FriendlyName (PKMIDs).
#Event ID 21002: Adapter(InterfaceGuid) IntfSecState Transition OldState --> NewState.
#Event ID 21003: Adapter(InterfaceGuid) Received StopSecurity.
#Event ID 21004: Pre-Associate Failure Auth AuthAlgoId, Cipher CipherAlgoId, OneX Enabled(OneXEnabled), UICancelled(UICancelled).
#Event ID 21005: Received MSMSec UI Response, but already have key material!
#Event ID 21006: Received UI response ResponseType.
#Event ID 21007: TIMING OUT 802.
#Event ID 21008: NOT TIMING OUT 802.
#Event ID 21009: 802.
#Event ID 21010: Port (PortId) Peer PeerAddr AuthMgr Transition OldState --> NewState.
#Event ID 21011: Sending UI response to 802.
#Event ID 21012: KeyExt Transition OldState --> NewState.
#Event ID 21013: Explicit failure from 802.
#Event ID 21015: Port(PortId) Peer PeerAddr KeyMgr transition OldState --> NewState.
#Event ID 21016: Auth sent M1(PortId), self LocalAddr, peer PeerAddr.
#Event ID 21017: Auth sent M3(PortId), self LocalAddr, peer PeerAddr.
#Event ID 21018: Auth sent G1(PortId), self LocalAddr, peer PeerAddr.
#Event ID 21019: Port(PortId) Peer PeerAddr KeyMgrAuth Transition OldState --> NewState.
#Event ID 21020: CONNECTION SECURED by OFFLOADED key exchange
#Event ID 21021: Port(PortId) Notify Key Exchange Status: Authenticator(Authenticator) reason Reason , self LocalAddr, peer PeerAddr.
#Event ID 21022: Default Key: Idx Index, Algo CipherAlgoId, Direction= Direction, Len Len.
#Event ID 21023: Pairwise Key (Addr): Algo CipherAlgoId, Direction= Direction, Len Len.
#Event ID 21024: Adapter(AdapterId) Connect Completion, Reason Reason, Error Error.
#Event ID 21025: Port(PortId) Indicate Security Result, Peer PeerAddr, Reason Reason Error Error.
#Event ID 21026: Adapter(Context) Tx to PeerAddr, Ethertype EtherType, size Size.
#Event ID 21027: Sending UI request to MSM (SessionId).
#Event ID 21028: Adapter(InterfaceGuid) MSM Connect notification, Network "SSID".
#Event ID 21029: Adapter(InterfaceGuid) MSM Disconnect notification.
#Event ID 21030: Adapter(InterfaceGuid) Port up for peer PeerAddr.
#Event ID 21031: Adapter(InterfaceGuid) Port down for peer PeerAddr.
#Event ID 21032: Adapter(InterfaceGuid) Rx from PeerAddr, Ethertype EtherType, size Size.
#Event ID 21033: Adapter(InterfaceGuid) UI Response, request type RequestType, response type ResponseType, cancelled = Cancelled.
#Event ID 21034: Adapter(InterfaceGuid) Create discovery profiles, SSID SSID, BSS type BSSType, secure Secure.
#Event ID 21035: Tx pkt completion, pkt Context.
#Event ID 21036: Adapter(InterfaceGuid) MSM Redo security request.
#Event ID 21037: Connection health status is AdapterId (InterfaceGuid), HealthyHint Healthy.
#Event ID 21038: Transition network suspected
#Event ID 21039: UI Response - Valid = Valid, Cancelled = Cancelled.
#Event ID 21040: Port(Context) MSMSendPacket failed, Error ErrorCode.
#Event ID 21041: Can't do fast roaming when PMK Cache is not valid
#Description
Can't do fast roaming when PMK Cache is not valid.
Message #
Event ID 21042: PreAuthMgr Transition OldState --> NewState.
#Event ID 21043: PreAuth: 802.
#Event ID 21044: PreAuth: Explicit failure from 802.
#Event ID 21045: PreAuth: 802.
#Event ID 21046: Received unicast key material in EAPOL-Key (Rapid rekey RapidRekey).
#Event ID 21047: CONNECTION SECURED by RC4 key exchange
#Event ID 21048: CONNECTION SECURED by RSN key exchange
#Event ID 21049: RSN Key Receive: Key Message M1
#Event ID 21050: RSN Key Receive: Key Message M3
#Event ID 21051: RSN Key Receive: Key Message M2
#Event ID 21052: RSN Key Receive: Key Message M4
#Event ID 21053: RSN Key Receive: Key Message G1
#Event ID 21054: RSN Key Receive: Key Message G2
#Event ID 21055: FAST ROAMING is FastRoam.
#Event ID 21056: Unknown transition into Failure, EventType Context.
#Event ID 21057: Port(PortId) Peer PeerAddr SecMgr Transition OldState --> NewState.
#Event ID 21058: CONNECTION SECURED by WPA key exchange
#Event ID 21059: WPA Key Receive: Key Message M1
#Event ID 21060: WPA Key Receive: Key Message M3
#Event ID 21061: WPA Key Receive: Key Message G1
#Event ID 21062: Eapol Key packet cache OVERFLOW
#Event ID 21063: PMK Cache overflowed, current Current, limit Max.
#Event ID 21064: WLAN Security Settings: BSS Type BSSType, Authentication AuthAlgoId, Encryption CipherAlgoId, OneX Enabled OnexEnabled, Eap Information - Type EapType, Vendor ID VendorID, Vendor Type VendorType, A...
#Description
WLAN Security Settings: BSS Type BSSType, Authentication AuthAlgoId, Encryption CipherAlgoId, OneX Enabled OnexEnabled, Eap Information - Type EapType, Vendor ID VendorID, Vendor Type VendorType, Author ID AuthorID.
Message #
Fields #
| Name | Description |
|---|---|
BSSType UInt32 | |
AuthAlgoId UInt32 | |
CipherAlgoId UInt32 | |
OnexEnabled UInt32 | |
EapType UInt32 | |
VendorID UInt32 | |
VendorType UInt32 | |
AuthorID UInt32 |
Event ID 21065: Received multicast key material in EAPOL-Key (Rapid rekey RapidRekey).
#Event ID 21066: Default Key ID set to Index Index.
#Event ID 30000: Connection started 1
#Event ID 30001: Connection timeout threshold reached 1
#Event ID 30002: Connection succeeded
#Event ID 30003: Connection started 2
#Event ID 30004: Connection timeout threshold reached 2
#Event ID 30005: Connection started 3
#Event ID 30006: Connection timeout threshold reached 3
#Event ID 30007: Manual connect initiated, end running reconnect scenarios
#Event ID 30008: Manual connect initiated, end running reconnect scenarios
#Event ID 30009: Manual connect initiated, end running reconnect scenarios
#Event ID 30010: UI interaction requested 1
#Event ID 30011: UI interaction requested 2
#Event ID 30012: UI interaction requested 3
#Event ID 30013: Connection succeeded - Hidden network 1
#Event ID 30014: Connection succeeded - Hidden network 2
#Event ID 30015: Connection succeeded - Hidden network 3
#Event ID 30016: Selection list exhausted 1
#Event ID 30017: Selection list exhausted 2
#Event ID 30018: Selection list exhausted 3
#Event ID 30019: Connection succeeded to previous network - expected roaming
#Event ID 30021: task_0Stop30021
#Fields #
| Name | Description |
|---|---|
InterfaceGuid GUID | |
WLANStatusCode UInt32 | |
DetailedStatusCode UInt32 | |
ConnectionInformation UInt32 | |
DeviceID UnicodeString |
Event ID 30103: Perftrack_WfdPairStop
#Fields #
| Name | Description |
|---|---|
RequestId UInt32 | |
WFDPairReturnCode UInt32 |
Event ID 30104: Cancel WLAN Resume-Reconnect Interface GUID: InterfaceGuid.
#Event ID 40001: Connect Diagnostic Information.
#Description
Connect Diagnostic Information.
Message #
Fields #
| Name | Description |
|---|---|
InterfaceGuid GUID | |
InterfaceDescription UnicodeString | |
ConnectionMode UInt32 | |
SSID UnicodeString | |
BSSType UInt32 | |
AuthAlgo UInt32 | |
CipherAlgo UInt32 | |
OnexEnabled UInt32 | |
IHVBitmap UInt32 | |
NonBroadcast Boolean | |
PeerMAC UnicodeString | |
WLANStatusCode UInt32 | |
DetailedStatusCode UInt32 | |
AssocDuration UInt32 | |
AssocRestartCount UInt32 | |
AuthDuration UInt32 | |
AuthRestartCount UInt32 | |
DeviceID UnicodeString | |
DriverVersion UnicodeString | |
DriverService UnicodeString | |
RSSI Int32 | |
SignalQualityPercentage Int32 | |
Channel Int32 | |
InterferingAPCount Int32 | |
TotalVisibleAPCount Int32 | |
APPhyType UnicodeString | |
APMaxChannelWidth Int32 | |
APDescription AnsiString | |
APManufacturer AnsiString | |
APModelName AnsiString | |
APModelNum AnsiString | |
DetailedStatusCodeOnRoam UInt32 | |
RxRate Int32 | |
TxRate Int32 | |
EAPType Int32 | |
OneXAuthMode UnicodeString | |
HotSpot20IEPresent Boolean | |
DeviceMfg UnicodeString | |
ProfileTypeUsed Int32 | |
SystemRandomizationStatus UInt32 | |
ProfileRandomizationStatus UInt32 | |
ConnectionFlags UInt64 | |
DriverDate SYSTEMTIME |
Event ID 40002: Limited Recovery Diagnostic Statistics.
#Description
Limited Recovery Diagnostic Statistics.
Message #
Fields #
| Name | Description |
|---|---|
InterfaceGuid GUID | |
DisconnectExtensions UInt32 | |
RoamExtensions UInt32 | |
SuspectDurationMs UInt32 | |
BssidChanged Boolean | |
DetectionLinkQuality UInt32 | |
CurrentLinkQuality UInt32 | |
MacTxUnicastCount Int32 | |
MacRxUnicastCount Int32 | |
MacRxMulticastCount Int32 | |
MacRxUnicastDecryptSuccess Int32 | |
MacRxUnicastDecryptFailure Int32 | |
PhyTxFailedCount Int32 | |
PhyTxFrameCount Int32 | |
PhyTxRetryCount Int32 | |
PhyRxFrameCount Int32 | |
PhyRxFcsErrorCount Int32 | |
CurrentTxRate UInt32 | |
CurrentRxRate UInt32 |
Event ID 40003: Diagnostic Statistics Difference.
#Description
Diagnostic Statistics Difference.
Message #
Fields #
| Name | Description |
|---|---|
InterfaceGuid GUID | |
DiagnosticStatsDifferenceTrigger UInt32 | |
MacTxUnicastCount Int32 | |
MacRxUnicastCount Int32 | |
MacRxMulticastCount Int32 | |
MacRxUnicastDecryptSuccess Int32 | |
MacRxUnicastDecryptFailure Int32 | |
PhyTxFailedCount Int32 | |
PhyTxFrameCount Int32 | |
PhyTxRetryCount Int32 | |
PhyRxFrameCount Int32 | |
PhyRxFcsErrorCount Int32 | |
TimeDiffMs UInt64 |
Event ID 60001: Error: ErrorCode Location: Location Context: Context.
#Event ID 60002: Warning: WarningCode Location: Location Context: Context.
#Event ID 60003: Transitioned to State: NextState Context: Context.
#Event ID 60004: Updated Context: Context Update Reason: UpdateReasonCode.
#Event ID 60101: SourceAddress: SourceAddress SourcePort: SourcePort DestinationAddress: DestinationAddress DestinationPort: DestinationPort Protocol: Protocol ReferenceContext: ReferenceContext.
#Description
SourceAddress: SourceAddress SourcePort: SourcePort DestinationAddress: DestinationAddress DestinationPort: DestinationPort Protocol: Protocol ReferenceContext: ReferenceContext.
Message #
Fields #
| Name | Description |
|---|---|
SourceAddress UInt32 | |
SourcePort UInt32 | |
DestinationAddress UInt32 | |
DestinationPort UInt32 | |
Protocol UInt32 | Known values
|
ReferenceContext UInt32 |
Event ID 60102: SourceAddress: SourceAddress SourcePort: SourcePort DestinationAddress: DestinationAddress DestinationPort: DestinationPort Protocol: Protocol ReferenceContext: ReferenceContext.
#Description
SourceAddress: SourceAddress SourcePort: SourcePort DestinationAddress: DestinationAddress DestinationPort: DestinationPort Protocol: Protocol ReferenceContext: ReferenceContext.
Message #
Fields #
| Name | Description |
|---|---|
SourceAddress Binary | |
SourcePort UInt32 | |
DestinationAddress Binary | |
DestinationPort UInt32 | |
Protocol UInt32 | Known values
|
ReferenceContext UInt32 |
Event ID 60103: Interface Guid: IfGuid IfIndex: IfIndex Interface Luid: IfLuid ReferenceContext: ReferenceContext.
#Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID 9580d7dd-0379-4658-9870-d5be7d52d6de
Defined in wlansvc.dll, which carries the event manifest.
Observed on:
- Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.1, captured 2026-06-02