Active Directory: Kerberos KDC

2 events across 1 channel

Event  Title                Channel
1      Kdc GetASTicket      ETW Trace
2      KDC Password Change  ETW Trace

Event ID 1: Kdc GetASTicket

Provider: Active Directory: Kerberos KDC
Channel:  ETW Trace
Opcode:   Start
Source:   Trace

Message

Kdc TGSRequest

Fields

Name        Type (from the MOF class)
KdcOption   mof:UInt32

Event ID 2: KDC Password Change

Provider: Active Directory: Kerberos KDC
Channel:  ETW Trace
Opcode:   End
Source:   Trace

Message

Kdc TGSRequest

Fields

Name          Type (from the MOF class)
KerbErr       mof:UInt32
ExtErr        mof:UInt32
Klininfo      mof:UInt32
ClientRealm   mof:String
AccountName   mof:String

Provenance

Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.

ETW provider GUID {24DB8964-E6BC-11D1-916A-0000F8045B04}

Observed on:

  • WS2025-26100.0 · schema read from the WMI MOF class · captured 2026-02-26

    Taken from Windows installation media (build 26100.1), not a patched system, so the exact update level is unknown.

  • WS2022-20348.4893 · schema read from the WMI MOF class · captured 2026-06-02

    MOF class: MSKdcTrace
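
The following is an added example, not part of this catalog and not Microsoft's tooling. It does the two things a collector wants before trusting the tables above: read the MSKdcTrace MOF class and its event subclasses on the machine you collect from, so the field list can be compared against the build-specific schema here, and then capture a short trace from the provider by its GUID and decode it. It assumes (the page does not say so) that the MOF trace classes are registered in the root\wmi WMI namespace with Guid, EventType and EventTypeName qualifiers, that logman can enable this classic provider by GUID, and that the script runs elevated on a domain controller, since only a KDC emits these events.

```powershell
# Added example: verify the local MOF schema for the Kerberos KDC trace
# provider, then capture and decode a short trace. Assumptions are marked.

$ProviderGuid = '{24DB8964-E6BC-11D1-916A-0000F8045B04}'   # GUID from the catalog page
$MofClass     = 'MSKdcTrace'                                # MOF class from the page

# --- 1. Schema check ------------------------------------------------------
# Assumption: MOF-based ETW providers register their classes in root\wmi,
# tagged with a Guid qualifier; each event is a subclass with EventType and
# EventTypeName qualifiers and one property per event field.
$classes = Get-CimClass -Namespace 'root\wmi' -ErrorAction Stop
$root = $classes | Where-Object {
    $q = $_.CimClassQualifiers['Guid']
    $q -and ($q.Value -ieq $ProviderGuid)
} | Select-Object -First 1

$build = (Get-CimInstance Win32_OperatingSystem).Version
if (-not $root) {
    Write-Warning "No root\wmi class carries Guid $ProviderGuid on build $build; cannot compare schema."
} else {
    if ($root.CimClassName -ne $MofClass) {
        Write-Warning "Provider class is $($root.CimClassName), catalog says $MofClass"
    }
    "Build $build : provider class $($root.CimClassName)"
    $classes | Where-Object { $_.CimSuperClassName -eq $root.CimClassName } | ForEach-Object {
        $type = $_.CimClassQualifiers['EventType'].Value
        $name = $_.CimClassQualifiers['EventTypeName'].Value
        "  EventType $type ($name): $($_.CimClassName)"
        # Compare these names/types with the Fields tables for the event ID.
        foreach ($p in $_.CimClassProperties) {
            "    {0,-14} {1}" -f $p.Name, $p.CimType
        }
    }
}

# --- 2. Capture ----------------------------------------------------------
# Assumption: logman can enable this classic provider by GUID; all keyword
# flags (0xFFFFFFFF) and max level (0xFF) are requested so nothing is filtered.
$Session = 'KdcTraceTest'
$Etl     = Join-Path $env:TEMP 'kdc.etl'
$Xml     = Join-Path $env:TEMP 'kdc.xml'

logman create trace $Session -p $ProviderGuid 0xFFFFFFFF 0xFF -o $Etl -ets | Out-Null
try {
    # Generate KDC traffic while the session runs, e.g. from any domain
    # member: klist purge, then klist get krbtgt (forces a fresh AS-REQ).
    Start-Sleep -Seconds 30
} finally {
    logman stop $Session -ets | Out-Null
}

# tracerpt decodes MOF providers from the registered schema; -y overwrites.
tracerpt $Etl -o $Xml -of XML -y | Out-Null

# Quick look at the decoded field names from the tables above.
Select-String -Path $Xml -Pattern 'KdcOption|KerbErr|ExtErr|ClientRealm|AccountName' |
    Select-Object -First 20
```

If step 1 prints field names or types that differ from the tables on this page, trust the local output: the tables were read from the builds listed under Provenance, and the catalog itself warns that a provider's schema can change between builds. Step 2 only produces events on a domain controller; on a member server the ETL will be empty.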

Credits

  • Microsoft - authored the ETW manifests and PDBs the schema comes from
  • jdu2600 - the event-schema TSV format this catalog adopted
  • nasbench - the tool that dumps registered providers and manifests