sqlserver
1 event across 1 channel
| Event | Title | Channel | Sample |
|---|---|---|---|
| 0 | process_login_finish | ETW Trace | N |
Event ID 0: process_login_finish
Message
Fields
| Name | Type | Description |
|---|---|---|
| FragmentId | UInt32 | |
| RemainingLength | UInt32 | |
| ActivityId | Object | |
| SequenceNumber | UInt32 | |
| state_desc | UInt32 | |
| external_governance_policy_authorization | UInt32 | |
| is_success | SInt8 | |
| is_external_authentication_only | SInt8 | |
| tds_version | UInt32 | |
| total_time_ms | UInt32 | |
| enqueue_time_ms | UInt32 | |
| netwrite_time_ms | UInt32 | |
| netread_time_ms | UInt32 | |
| ssl_time_ms | UInt32 | |
| sspi_time_ms | UInt32 | |
| login_time_ms | UInt32 | |
| logon_triggers_time_ms | UInt32 | |
| find_login_ms | UInt32 | |
| exec_classifier_ms | UInt32 | |
| session_recover_ms | UInt32 | |
| post_exec_classifier_ms | UInt32 | |
| ssl_read_time_ms | UInt32 | |
| ssl_write_time_ms | UInt32 | |
| ssl_secure_call_time_ms | UInt32 | |
| ssl_enqueue_time_ms | UInt32 | |
| ssl_protocol | UInt32 | |
| ssl_hash | UInt32 | |
| ssl_cipher | UInt32 | |
| sspi_read_time_ms | UInt32 | |
| sspi_write_time_ms | UInt32 | |
| sspi_secure_call_time_ms | UInt32 | |
| sspi_enqueue_time_ms | UInt32 | |
| fedauth_token_process_time_ms | UInt32 | |
| fedauth_fetch_signingkey_refresh_time_ms | UInt32 | |
| fedauth_jwt_token_parsing_time_ms | UInt32 | |
| fedauth_signature_validation_time_ms | UInt32 | |
| fedauth_context_build_time_ms | UInt32 | |
| fedauth_group_expansion_time_ms | UInt32 | |
| fedauth_token_wait_time_ms | UInt32 | |
| database_firewall_rules_time_ms | UInt32 | |
| use_db_database_firewall_rules_time_ms | UInt32 | |
| dosguard_check_time_ms | UInt32 | |
| xodbc_authentication_time_ms | UInt32 | |
| contained_authentication_time_ms | UInt32 | |
| peer_activity_seq | UInt32 | |
| peer_port | UInt16 | |
| fedauth_library_type | SInt8 | |
| fedauth_adal_workflow | SInt8 | |
| is_duplicated | SInt8 | |
| is_contained_user | SInt8 | |
| provider_type | UInt8 | |
| is_user_error | SInt8 | |
| error | SInt32 | |
| state | SInt32 | |
| concurrent_logins | SInt32 | |
| driver_version | UInt32 | |
| driver_version_minor | UInt32 | |
| session_recovery_format_length | UInt32 | |
| session_recovery_is_enabled | SInt8 | |
| session_recovery_is_recovered | SInt8 | |
| is_mars | SInt8 | |
| is_relogin | SInt8 | |
| login_flags | UInt32 | |
| client_pid | UInt32 | |
| is_replay_connection | SInt8 | |
| xodbc_authentication_type | SInt8 | |
| used_login_thread_pool | SInt8 | |
| is_mfa | SInt8 | |
| is_vnet_address | SInt8 | |
| is_failoverpartner_token_returned | SInt8 | |
| vnet_region_id | UInt32 | |
| vnet_gre_key | UInt32 | |
| is_peer_activity_id_null | SInt8 | |
| is_vnet_private_access_address | SInt8 | |
| is_nsp_claim_present | SInt8 | |
| vnet_subnet_id | UInt32 | |
| vnet_link_identifier | SInt32 | |
| spid | SInt32 | |
| sql_client_dns_caching_status | SInt16 | |
| force_refresh_status | SInt16 | |
| connection_id | Object | |
| connection_peer_id | Object | |
| peer_activity_id | Object | |
| server_name | String | |
| instance_name | String | |
| logical_server_name | String | |
| database_name | String | |
| driver_name | String | |
| partition_id | Object | |
| peer_address | String | |
| vnet_peer_address | String | |
| vnet_dest_peer_address | String | |
| login_correlation_hash | Object | |
| application_name | String | |
| control_ring_address | String | |
| message | String | |
| sni_server_name | String | |
| extra_info | String | |
Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID 03fda7d0-91ba-45f8-9875-8b6dd0b8e9f2
Observed on:
- WS2022-20348.4893, schema read from the WMI MOF class, captured 2026-06-02
MOF class: XeSqlPkg