Schannel

31 events across 1 channel

Event	Title	Channel	Sample
36864	The schannel security package has loaded successfully.	System	N
36865	A fatal error occurred while opening the system ModuleName cryptographic module.	System	N
36867	Creating a TLS Type credential.	System	N
36868	The TLS Type credential's private key has the following properties.	System	N
36869	The TLS Type credential's certificate does not have a private key information …	System	N
36870	A fatal error occurred when attempting to access the TLS Type credential private …	System	N
36871	A fatal error occurred while creating a TLS Type credential.	System	N
36872	The TLS Type specified certificate's chain could not be retrieved.	System	N
36873	No supported cipher suites were found when initiating a TLS connection.	System	N
36874	An Protocol connection request was received from a remote client application, …	System	N
36875	The remote server has requested TLS client authentication, but no suitable …	System	N
36876	The certificate received from the remote server has not validated correctly.	System	N
36877	The certificate received from the remote client application has not validated …	System	N
36878	The certificate received from the remote client application is not suitable for …	System	N
36879	The certificate received from the remote client application was not successfully …	System	N
36880	A TLS Type handshake completed successfully.	System	N
36881	The certificate received from the remote server has either expired or is not yet …	System	Y
36882	The certificate received from the remote server was issued by an untrusted …	System	N
36883	The certificate received from the remote server has been revoked.	System	N
36884	The certificate received from the remote server does not contain the expected …	System	N
36885	When asking for client authentication, this server sends a list of trusted …	System	N
36886	No suitable default server credential exists on this system.	System	Y
36887	A fatal alert was received from the remote endpoint.	System	N
36888	A fatal alert was generated and sent to the remote endpoint.	System	N
36889	The TLS Type specified certificate's chain is incomplete.	System	N
36896	Verification of the DTLS connection request failed.	System	N
36897	DTLS record was rejected because it is outside of current receive window.	System	N
36898	A DTLS record was rejected because it is a duplicate of a previously received …	System	N
36899	The retransmission of DTLS handshake messages has been requested.	System	N
36912	The key material used to protect TLS Session Tickets was not found at Path.	System	N
36928	Could not retrieve an OCSP response.	System	Y

Event ID 36864: The schannel security package has loaded successfully.

Provider: Schannel
Channel: System

Description

The schannel security package has loaded successfully.

Message #

The schannel security package has loaded successfully.

Event ID 36865: A fatal error occurred while opening the system ModuleName cryptographic module.

Provider: Schannel
Channel: System

Description

A fatal error occurred while opening the system ModuleName cryptographic module. Operations that require the SSL or TLS cryptographic protocols will not work correctly. The error code is Error.

Message #

A fatal error occurred while opening the system %1 cryptographic module. Operations that require the SSL or TLS cryptographic protocols will not work correctly. The error code is %2.

Fields #

Name	Description
`ModuleName` UnicodeString
`Error` HexInt32

Event ID 36867: Creating a TLS Type credential.

Provider: Schannel
Channel: System

Description

Creating a TLS Type credential.

Message #

Creating a TLS %3 credential.
 The SSPI client process is %2 (PID: %1).

Fields #

Name	Description
`CallerProcessId` UInt32
`CallerProcessImageName` UnicodeString
`Type` UnicodeString
`__binLength` UInt32
`binaryData` Binary

Event ID 36868: The TLS Type credential's private key has the following properties.

Provider: Schannel
Channel: System

Description

The TLS Type credential's private key has the following properties.

Message #

The TLS %1 credential's private key has the following properties:

   CSP name: %2
   CSP type: %3
   Key name: %4
   Key Type: %5
   Key Flags: %6

 The attached data contains the certificate.

Fields #

Name	Description
`Type` UnicodeString
`CSPName` UnicodeString
`CSPType` UInt32
`KeyName` UnicodeString
`KeyType` UnicodeString	Known values `%%2499` Machine key `%%2500` User key
`KeyFlags` HexInt32
`__binLength` UInt32
`EncodedCert` Binary

Event ID 36869: The TLS Type credential's certificate does not have a private key information property attached to it.

Provider: Schannel
Channel: System

Description

The TLS Type credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure. The SSPI client process is CallerProcessImageName (PID: CallerProcessId).

Message #

The TLS %3 credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.
 The SSPI client process is %2 (PID: %1).

Fields #

Name	Description
`CallerProcessId` UInt32
`CallerProcessImageName` UnicodeString
`Type` UnicodeString
`__binLength` UInt32
`binaryData` Binary

Event ID 36870: A fatal error occurred when attempting to access the TLS Type credential private key.

Provider: Schannel
Channel: System

Description

A fatal error occurred when attempting to access the TLS Type credential private key. The error code returned from the cryptographic module is ErrorCode. The internal error state is ErrorStatus.

Message #

A fatal error occurred when attempting to access the TLS %3 credential private key. The error code returned from the cryptographic module is %4. The internal error state is %5.
 The SSPI client process is %2 (PID: %1).

Fields #

Name	Description
`CallerProcessId` UInt32
`CallerProcessImageName` UnicodeString
`Type` UnicodeString
`ErrorCode` HexInt32
`ErrorStatus` UInt32

Event ID 36871: A fatal error occurred while creating a TLS Type credential.

Provider: Schannel
Channel: System

Description

A fatal error occurred while creating a TLS Type credential. The internal error state is ErrorState.

Message #

A fatal error occurred while creating a TLS %3 credential. The internal error state is %4.
 The SSPI client process is %2 (PID: %1).

Fields #

Name	Description
`CallerProcessId` UInt32
`CallerProcessImageName` UnicodeString
`Type` UnicodeString
`ErrorState` UInt32

Event ID 36872: The TLS Type specified certificate's chain could not be retrieved.

Provider: Schannel
Channel: System

Description

The TLS Type specified certificate's chain could not be retrieved.

Message #

The TLS %3 specified certificate's chain could not be retrieved:

   Failure Status: %4
   Flags: %5

 The attached data contains the certificate.
 The SSPI client process is %2 (PID: %1).

Fields #

Name	Description
`CallerProcessId` UInt32
`CallerProcessImageName` UnicodeString
`Type` UnicodeString
`ErrorCode` HexInt32
`CertFlags` HexInt32
`__binLength` UInt32
`CredContext` Binary

Event ID 36873: No supported cipher suites were found when initiating a TLS connection.

Provider: Schannel
Channel: System

Description

No supported cipher suites were found when initiating a TLS connection. This indicates a configuration problem with the client application and/or the installed cryptographic modules. The TLS connection request has failed. The SSPI client process is CallerProcessImageName (PID: CallerProcessId).

Message #

No supported cipher suites were found when initiating a TLS connection. This indicates a configuration problem with the client application and/or the installed cryptographic modules. The TLS connection request has failed.
 The SSPI client process is %2 (PID: %1).

Fields #

Name	Description
`CallerProcessId` UInt32
`CallerProcessImageName` UnicodeString

Event ID 36874: An Protocol connection request was received from a remote client application, but none of the cipher suites supported by the client application are suppo...

Provider: Schannel
Channel: System

Description

An Protocol connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The TLS connection request has failed. The SSPI client process is CallerProcessImageName (PID: CallerProcessId).

Message #

An %3 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The TLS connection request has failed.
 The SSPI client process is %2 (PID: %1).

Fields #

Name	Description
`CallerProcessId` UInt32
`CallerProcessImageName` UnicodeString
`Protocol` UnicodeString	Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP

Event ID 36875: The remote server has requested TLS client authentication, but no suitable client certificate could be found.

Provider: Schannel
Channel: System

Description

The remote server has requested TLS client authentication, but no suitable client certificate could be found. An anonymous connection will be attempted. This TLS connection request may succeed or fail, depending on the server's policy settings. The SSPI client process is CallerProcessImageName (PID: CallerProcessId).

Message #

The remote server has requested TLS client authentication, but no suitable client certificate could be found. An anonymous connection will be attempted. This TLS connection request may succeed or fail, depending on the server's policy settings.
 The SSPI client process is %2 (PID: %1).

Fields #

Name	Description
`CallerProcessId` UInt32
`CallerProcessImageName` UnicodeString

Event ID 36876: The certificate received from the remote server has not validated correctly.

Provider: Schannel
Channel: System

Description

The certificate received from the remote server has not validated correctly. The error code is ErrorCode. The TLS connection request has failed. The attached data contains the server certificate.

Message #

The certificate received from the remote server has not validated correctly. The error code is %3. The TLS connection request has failed. The attached data contains the server certificate.
 The SSPI client process is %2 (PID: %1).

Fields #

Name	Description
`CallerProcessId` UInt32
`CallerProcessImageName` UnicodeString
`ErrorCode` HexInt32
`__binLength` UInt32
`pCertificateContext` Binary

Event ID 36877: The certificate received from the remote client application has not validated correctly.

Provider: Schannel
Channel: System

Description

The certificate received from the remote client application has not validated correctly. The error code is ErrorCode. The attached data contains the client certificate.

Message #

The certificate received from the remote client application has not validated correctly. The error code is %3. The attached data contains the client certificate.
 The SSPI client process is %2 (PID: %1).

Fields #

Name	Description
`CallerProcessId` UInt32
`CallerProcessImageName` UnicodeString
`ErrorCode` HexInt32
`__binLength` UInt32
`pCertificateContext` Binary

Event ID 36878: The certificate received from the remote client application is not suitable for direct mapping to a client system account, possibly because the aut...

Provider: Schannel
Channel: System

Description

The certificate received from the remote client application is not suitable for direct mapping to a client system account, possibly because the authority that issuing the certificate is not sufficiently trusted. The error code is ErrorCode. The attached data contains the client certificate. The SSPI client process is CallerProcessImageName (PID: CallerProcessId).

Message #

The certificate received from the remote client application is not suitable for direct mapping to a client system account, possibly because the authority that issuing the certificate is not sufficiently trusted. The error code is %3. The attached data contains the client certificate.
 The SSPI client process is %2 (PID: %1).

Fields #

Name	Description
`CallerProcessId` UInt32
`CallerProcessImageName` UnicodeString
`ErrorCode` HexInt32
`__binLength` UInt32
`pCertificateContext` Binary

Event ID 36879: The certificate received from the remote client application was not successfully mapped to a client system account.

Provider: Schannel
Channel: System

Description

The certificate received from the remote client application was not successfully mapped to a client system account. The error code is ErrorCode. This is not necessarily a fatal error, as the server application may still find the certificate acceptable. The SSPI client process is CallerProcessImageName (PID: CallerProcessId).

Message #

The certificate received from the remote client application was not successfully mapped to a client system account. The error code is %3. This is not necessarily a fatal error, as the server application may still find the certificate acceptable.
 The SSPI client process is %2 (PID: %1).

Fields #

Name	Description
`CallerProcessId` UInt32
`CallerProcessImageName` UnicodeString
`ErrorCode` HexInt32
`__binLength` UInt32
`pCertificateContext` Binary

Event ID 36880: A TLS Type handshake completed successfully.

Provider: Schannel
Channel: System

Description

A TLS Type handshake completed successfully. The negotiated cryptographic parameters are as follows.

Message #

A TLS %1 handshake completed successfully. The negotiated cryptographic parameters are as follows.

   Protocol version: %2
   CipherSuite: %3
   Exchange strength: %4 bits
   Context handle: %5
   Target name: %6
   Local certificate subject name: %7
   Remote certificate subject name: %8

Fields #

Name	Description
`Type` UnicodeString
`Protocol` UnicodeString	Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`CipherSuite` HexInt32
`ExchangeStrength` UInt32
`ContextHandle` Pointer
`TargetName` UnicodeString
`LocalCertSubjectName` UnicodeString
`RemoteCertSubjectName` UnicodeString

Event ID 36881: The certificate received from the remote server has either expired or is not yet valid.

Provider: Schannel
Channel: System
Level: Error

Description

The certificate received from the remote server has either expired or is not yet valid. The TLS connection request has failed. The attached data contains the server certificate.

Message #

The certificate received from the remote server has either expired or is not yet valid. The TLS connection request has failed. The attached data contains the server certificate.
 The SSPI client process is %2 (PID: %1).

Fields #

Name	Description
`CallerProcessId` UInt32
`CallerProcessImageName` UnicodeString
`__binLength` UInt32
`certificateContext` Binary

Example Event #

{
  "system": {
    "provider": "Schannel",
    "event_id": 36881,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "time_created": "2026-04-28T02:37:06.9635225+00:00",
    "computer": "DESKTOP-FF3N5XK.ludus.domain",
    "channel": "System"
  },
  "event_data": {
    "CallerProcessImageName": "svchost[WpnService]",
    "CallerProcessId": "3612"
  }
}

Event ID 36882: The certificate received from the remote server was issued by an untrusted certificate authority.

Provider: Schannel
Channel: System

Description

The certificate received from the remote server was issued by an untrusted certificate authority. Because of this, none of the data contained in the certificate can be validated. The TLS connection request has failed. The attached data contains the server certificate. The SSPI client process is CallerProcessImageName (PID: CallerProcessId).

Message #

The certificate received from the remote server was issued by an untrusted certificate authority. Because of this, none of the data contained in the certificate can be validated. The TLS connection request has failed. The attached data contains the server certificate.
 The SSPI client process is %2 (PID: %1).

Fields #

Name	Description
`CallerProcessId` UInt32
`CallerProcessImageName` UnicodeString
`__binLength` UInt32
`certificateContext` Binary

Event ID 36883: The certificate received from the remote server has been revoked.

Provider: Schannel
Channel: System

Description

The certificate received from the remote server has been revoked. This means that the certificate authority that issued the certificate has invalidated it. The TLS connection request has failed. The attached data contains the server certificate. The SSPI client process is CallerProcessImageName (PID: CallerProcessId).

Message #

The certificate received from the remote server has been revoked. This means that the certificate authority that issued the certificate has invalidated it. The TLS connection request has failed. The attached data contains the server certificate.
 The SSPI client process is %2 (PID: %1).

Fields #

Name	Description
`CallerProcessId` UInt32
`CallerProcessImageName` UnicodeString
`__binLength` UInt32
`certificateContext` Binary

Event ID 36884: The certificate received from the remote server does not contain the expected name.

Provider: Schannel
Channel: System

Description

The certificate received from the remote server does not contain the expected name. It is therefore not possible to determine whether we are connecting to the correct server. The server name we were expecting is Name. The TLS connection request has failed. The attached data contains the server certificate. The SSPI client process is CallerProcessImageName (PID: CallerProcessId).

Message #

The certificate received from the remote server does not contain the expected name. It is therefore not possible to determine whether we are connecting to the correct server. The server name we were expecting is %3. The TLS connection request has failed. The attached data contains the server certificate.
 The SSPI client process is %2 (PID: %1).

Fields #

Name	Description
`CallerProcessId` UInt32
`CallerProcessImageName` UnicodeString
`Name` UnicodeString
`__binLength` UInt32
`certificateContext` Binary

Event ID 36885: When asking for client authentication, this server sends a list of trusted certificate authorities to the client.

Provider: Schannel
Channel: System

Description

When asking for client authentication, this server sends a list of trusted certificate authorities to the client. The client uses this list to choose a client certificate that is trusted by the server. Currently, this server trusts so many certificate authorities that the list has grown too long. This list has thus been truncated. The administrator of this machine should review the certificate authorities trusted for client authentication and remove those that do not really need to be trusted. The SSPI client process is CallerProcessImageName (PID: CallerProcessId).

Message #

When asking for client authentication, this server sends a list of trusted certificate authorities to the client. The client uses this list to choose a client certificate that is trusted by the server. Currently, this server trusts so many certificate authorities that the list has grown too long. This list has thus been truncated. The administrator of this machine should review the certificate authorities trusted for client authentication and remove those that do not really need to be trusted.
 The SSPI client process is %2 (PID: %1).

Fields #

Name	Description
`CallerProcessId` UInt32
`CallerProcessImageName` UnicodeString

Event ID 36886: No suitable default server credential exists on this system.

Provider: Schannel
Channel: System
Level: Warning

Description

No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this. The SSPI client process is CallerProcessImageName (PID: CallerProcessId).

Message #

No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.
 The SSPI client process is %2 (PID: %1).

Fields #

Name	Description
`CallerProcessId` UInt32
`CallerProcessImageName` UnicodeString

Example Event #

{
  "system": {
    "provider": "Schannel",
    "guid": "1F678132-5938-4686-9FDC-C8FF68F15C85",
    "event_source_name": "",
    "event_id": 36886,
    "version": 0,
    "level": 3,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T17:05:18.904081+00:00",
    "event_record_id": 10649,
    "correlation": {},
    "execution": {
      "process_id": 908,
      "thread_id": 3272
    },
    "channel": "System",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "CallerProcessId": 908,
    "CallerProcessImageName": "lsass"
  },
  "message": ""
}

Event ID 36887: A fatal alert was received from the remote endpoint.

Provider: Schannel
Channel: System

Description

A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is AlertDesc.

Message #

A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is %3.
 The SSPI client process is %2 (PID: %1).

Fields #

Name	Description
`CallerProcessId` UInt32
`CallerProcessImageName` UnicodeString
`AlertDesc` UInt32

Event ID 36888: A fatal alert was generated and sent to the remote endpoint.

Provider: Schannel
Channel: System

Description

A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal alert code is AlertDesc.

Message #

A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal alert code is %3.

   Target name: %5

 The SSPI client process is %2 (PID: %1).
The TLS alert registry can be found at http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-6

Fields #

Name	Description
`CallerProcessId` UInt32
`CallerProcessImageName` UnicodeString
`AlertDesc` UInt32
`ErrorState` UInt32
`TargetName` UnicodeString

Event ID 36889: The TLS Type specified certificate's chain is incomplete.

Provider: Schannel
Channel: System

Description

The TLS Type specified certificate's chain is incomplete.

Message #

The TLS %3 specified certificate's chain is incomplete:

   Failure Status: %4

 This can cause trust validation failures or interoperability problems. For more information see KB 954755
 The attached data contains the certificate.
 The SSPI client process is %2 (PID: %1).

Fields #

Name	Description
`CallerProcessId` UInt32
`CallerProcessImageName` UnicodeString
`Type` UnicodeString
`ErrorCode` HexInt32
`__binLength` UInt32
`CredContext` Binary

Event ID 36896: Verification of the DTLS connection request failed.

Provider: Schannel
Channel: System

Description

Verification of the DTLS connection request failed.

Message #

Verification of the DTLS connection request failed.
 The SSPI client process is %2 (PID: %1).

Fields #

Name	Description
`CallerProcessId` UInt32
`CallerProcessImageName` UnicodeString

Event ID 36897: DTLS record was rejected because it is outside of current receive window.

Provider: Schannel
Channel: System

Description

DTLS record was rejected because it is outside of current receive window.

Message #

DTLS record was rejected because it is outside of current receive window.
 The SSPI client process is %2 (PID: %1).

Fields #

Name	Description
`CallerProcessId` UInt32
`CallerProcessImageName` UnicodeString

Event ID 36898: A DTLS record was rejected because it is a duplicate of a previously received record.

Provider: Schannel
Channel: System

Description

A DTLS record was rejected because it is a duplicate of a previously received record.

Message #

A DTLS record was rejected because it is a duplicate of a previously received record.
 The SSPI client process is %2 (PID: %1).

Fields #

Name	Description
`CallerProcessId` UInt32
`CallerProcessImageName` UnicodeString

Event ID 36899: The retransmission of DTLS handshake messages has been requested.

Provider: Schannel
Channel: System

Description

The retransmission of DTLS handshake messages has been requested.

Message #

The retransmission of DTLS handshake messages has been requested.
 The SSPI client process is %2 (PID: %1).

Fields #

Name	Description
`CallerProcessId` UInt32
`CallerProcessImageName` UnicodeString

Event ID 36912: The key material used to protect TLS Session Tickets was not found at Path.

Provider: Schannel
Channel: System

Description

The key material used to protect TLS Session Tickets was not found at Path.

Message #

The key material used to protect TLS Session Tickets was not found at %3.
 The SSPI client process is %2 (PID: %1).

Fields #

Name	Description
`CallerProcessId` UInt32
`CallerProcessImageName` UnicodeString
`Path` UnicodeString

Event ID 36928: Could not retrieve an OCSP response.

Provider: Schannel
Channel: System
Level: Error

Description

Could not retrieve an OCSP response.

Message #

Could not retrieve an OCSP response.

   The Failure Reason is: %1
    The OCSP Url is: %2
   The previous OCSP response contained the following times:
      ThisUpdate: %3
      NextUpdate: %4

The attached data contains the certificate.

Fields #

Name	Description
`FailureReason` UnicodeString	Known values `%%2304` An Error occured during Logon. `%%2305` The specified user account has expired. `%%2306` The NetLogon component is not active. `%%2307` Account locked out. `%%2308` The user has not been granted the requested logon type at this machine. `%%2309` The specified account's password has expired. `%%2310` Account currently disabled. `%%2311` Account logon time restriction violation. `%%2312` User not allowed to logon at this computer. `%%2313` Unknown user name or bad password. `%%2314` Domain sid inconsistent. `%%2315` Smartcard logon is required and was not used.
`OCSPResponderURL` UnicodeString
`ThisUpdate` FILETIME
`NextUpdate` FILETIME
`__binLength` UInt32
`Certificate` Binary

Example Event #

{
  "system": {
    "provider": "Schannel",
    "guid": "1F678132-5938-4686-9FDC-C8FF68F15C85",
    "event_source_name": "",
    "event_id": 36928,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T20:17:39.780304+00:00",
    "event_record_id": 11772,
    "correlation": {},
    "execution": {
      "process_id": 968,
      "thread_id": 9364
    },
    "channel": "System",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "FailureReason": "REASON_OCSP_RESPONSE_RETRIEVAL_ERROR",
    "OCSPResponderURL": "",
    "ThisUpdate": "1601-01-01T00:00:00.000000Z",
    "NextUpdate": "1601-01-01T00:00:00.000000Z",
    "Binary": "308205F9308204E1A00302010202134A000000035FD5C8BB1377E3DC000000000003300D06092A864886F70D01010B0500304831163014060A0992268993F22C6401191606646F6D61696E31153013060A0992268993F22C64011916056C75647573311730150603550403130E45767447656E2D526F6F742D4341301E170D3236303331333230303733395A170D3237303331333230303733395A302431223020060355040313194A442D444330312D323032322E6C756475732E646F6D61696E30820122300D06092A864886F70D01010105000382010F003082010A0282010100C4B1FD366773339375612C77C34FBD4CDD44EBD501E531E6058A81A0531722310F4627071E1692851CAEE5AC56F5DF67F22AA9F06228FE17601C39735A653ABFE74AA8BFF89372359D81AED66FCE0EAAB2F46948D40E71E354404EB95B9C061A1D5FB2933F2D51AAA451815060AA57444EF2525571CE1C0FBDCE9A31FB8807EBE800B14D6F59D60801A58FABF0E0F75AFF73469D8880DBAAE43372F36E9849A732B0C22831F751FBFD1CE2E6D820B3CDFCABC5B10041119C3D7026781A37D5EE30248040A05E2CD89A972F8445D2F51646EE79A779D07429E887BDA9B145130DD467528838F7FE67A3AE5CCFC5A0A6743E34BF2713C362B3301746F8291A456D0203010001A38202FE308202FA302F06092B060104018237140204221E200044006F006D00610069006E0043006F006E00740072006F006C006C00650072301D0603551D250416301406082B0601050507030206082B06010505070301300E0603551D0F0101FF0404030205A0307806092A864886F70D01090F046B3069300E06082A864886F70D030202020080300E06082A864886F70D030402020080300B060960864801650304012A300B060960864801650304012D300B0609608648016503040102300B0609608648016503040105300706052B0E030207300A06082A864886F70D0307301D0603551D0E041604144CE17D561682CA51E7F0A2BE202C6517B6E3AA87301F0603551D2304183016801410FD42F39AB3CAE296A84658AF42919D14C50F273081D20603551D1F0481CA3081C73081C4A081C1A081BE8681BB6C6461703A2F2F2F434E3D45767447656E2D526F6F742D43412C434E3D4A442D444330312D323032322C434E3D4344502C434E3D5075626C69632532304B657925323053657276696365732C434E3D53657276696365732C434E3D436F6E66696775726174696F6E2C44433D6C756475732C44433D646F6D61696E3F63657274696669636174655265766F636174696F6E4C6973743F626173653F6F626A656374436C6173733D63524C446973747269627574696F6E506F696E743081C106082B060105050701010481B43081B13081AE06082B060105050730028681A16C6461703A2F2F2F434E3D45767447656E2D526F6F742D43412C434E3D4149412C434E3D5075626C69632532304B657925323053657276696365732C434E3D53657276696365732C434E3D436F6E66696775726174696F6E2C44433D6C756475732C44433D646F6D61696E3F634143657274696669636174653F626173653F6F626A656374436C6173733D63657274696669636174696F6E417574686F7269747930450603551D11043E303CA01F06092B0601040182371901A01204105B087A99015E754F9C22ED3AF23D348A82194A442D444330312D323032322E6C756475732E646F6D61696E300D06092A864886F70D01010B05000382010100638B3F6E62AA8ED007E58BA1EA5F2C919468F02B0BD1385ACB7189AEE00AE3E6A33D69A7C9A745323F20460348EADDE8AA2C92A8A5D886B89C3D59E36BB25327D490FDAE6CF2EF9ED499BA40C647616CD66BC1EC0415CA48F041EA053FBE5A7F44B2D8708A2BE2C7887AB45A0A9C8DFD51C0A1B2D051085612B7F78ED658741FD0C7FB08410A03050D3AF8E996420A5109B7932EC966074431ADA5F9A51C3C01D376CB68DC3FBAE1125B20A077B2835201328DA641344E31529357E2A9EE7980B35EC6F7F4D1F28F136309C7A2CFFFD24A059D023F7F48242D039504F67A9011C4C32A21BEC6E15CB6DDCADB59B95661C6546935C1D5640BB5F4F4DAA76C182F"
  },
  "message": ""
}

Provenance

Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.

ETW provider GUID 1f678132-5938-4686-9fdc-c8ff68f15c85

Defined in lsasrv.dll, which carries the event manifest.

Observed on:

WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.3804, captured 2026-06-02
Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.5074, captured 2026-06-02

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)