Message

Your computer has lost the lease to its IP address %1 on the Network Card with network address %3.

Fields

Message

Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address %2.  The following error occurred: %3. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.

Fields

Message

The IP address lease %1 for the Network Card with network address %3 has been denied by the DHCP server %4 (The DHCP Server sent a DHCPNACK message).

Fields

Example Event

system:
  provider: Microsoft-Windows-Dhcp-Client
  guid: 15A7A4F8-0072-4EAB-ABAD-F98A4D666AED
  event_source_name: ''
  event_id: 1002
  version: 0
  level: 2
  task: 3
  opcode: 76
  keywords: 4611686018427387905
  time_created: '2023-10-25T22:48:31.191302+00:00'
  event_record_id: 7
  correlation: {}
  execution:
    process_id: 2076
    thread_id: 2312
  channel: Microsoft-Windows-Dhcp-Client/Admin
  computer: WinDevEval
  security:
    user_id: S-1-5-19
event_data:
  Address1: 2182457536
  HWLength: 6
  HWAddress: 000C29B19818
  Address2: 0
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address %2.  The following error occurred: %3. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.

Fields

Message

Error occurred in stopping the Dhcpv4 Client service. Error code is %1. ShutDown Flag value is %2

Fields

Message

Your computer has detected that the IP address %1 for the Network Card with network address %3 is already in use on the network. Your computer will automatically attempt to obtain a different address.

Fields

Message

Your computer was unable to automatically configure the IP parameters for the Network Card with the network address %2.  The following error occurred during configuration: %3.

Fields

Message

Your computer has automatically configured the IP address for the Network Card with network address %2.  The IP address being used is %3.

Fields

Message

Your computer was unable to initialize a Network Interface attached to the system. The error code is: %1.

Fields

Message

Dhcpv6 Initialization has failed on the computer with the error code %1. Dhcp service will start with IPv4 only.

Fields

Message

Unplumbing OLD Config for the adapter: %1

Fields

Message

Stack Media Connect: %1. Creating new context

Fields

Message

MEDIA DISCONNECT: Someone still using context. So not destroying the context

Message

Updating Stack with CACHED config %1 on %2. Error code is %3.

Fields

Message

Updating Stack at address %1 on %2. Error code is %3.

Fields

Message

Handling ip conflct on %1.

Fields

Message

Waiting for Offer on %1. Wait time is %2 milliseconds

Fields

Message

Receiving a DHCP message on %1. Error code is %2

Fields

Message

Received DHCP message on %1 is NOT Offer.

Fields

Message

Waiting for ACK on %1.

Fields

Message

Waiting for Renew ACK on %1.

Fields

Message

OBTAIN LEASE - AdapterName: %1 Interface LUID: %2

Fields

Message

DhcpRenewState: %1

Fields

Message

InitRebootState: %1

Fields

Message

DhcpSetGatewaysAndStaticRoutes for the adapter: %1,  Error: %2

Fields

Message

DhcpDeleteGatewaysAndStaticRoutes for the adapter: %1,  Error: %2

Fields

Message

Route is added with the values Dest = %1, DestMask = %2, NextHop = %3, Address = %4

Fields

Message

Route is deleted with the values Dest = %1, DestMask = %2, NextHop = %3, Address = %4

Fields

Message

Locking Dhcp Context: [%1]

Fields

Message

Unlocking Dhcp Context: [%1]

Fields

Message

Destroying Dhcp Context: [%1]

Fields

Message

Successfully Plumbed the address: %1

Fields

Message

Successfully Deleted the address: %1

Fields

Message

Successfully Plumbed the CACHED address using network identifier (Network Hint): %1

Fields

Message

DhcpRegReadOptionCache returned %1

Fields

Message

RegOpenKeyEx returned %1

Fields

Message

Fallback Params Read Fail. Error returned is %1

Fields

Message

Successfully read fallback configuration

Message

RegQueryValueEx returned %1, Fallback config name type %2

Fields

Message

Registering AdapterName: %1 Address: %2 Flags : [%3] Error : %4

Fields

Message

Deregistering AdapterName: %1. Errorcode is %2

Fields

Message

Deregistering AdapterName: [Dynamic DNS disabled]. Error is %1

Fields

Message

Failed to Acquire Wcm in Disconnected Standby. Error is %1

Fields

Message

Media Connect notification received on interface %1

Fields

Message

Media Disconnect notification received on interface %1

Fields

Message

Media Reconnect notification received on interface %1

Fields

Message

DHCP is enabled on the interface with Interface Id %1

Fields

Message

DHCP is disabled on the interface with Interface Id %1

Fields

Message

Request-Ack is initiated on the interface with Interface Id %1

Fields

Message

Discover-Offer-Request-Ack is initiated on the interface with Interface Id %1

Fields

Message

Interface is converted from static to DHCP on the interface with Interface Id %1

Fields

Message

Discover is sent from the interface %1. Status code is %2

Fields

Message

Offer is accepted on the interface %1. Offered Address is %2. Server address is %3

Fields

Message

Offer is discarded on the interface %1. Error code is %2

Fields

Message

Request is sent from the interface %1. Status code is %2

Fields

Message

Ack is accepted on the interface %1. Received Address is %2. Server address is %3

Fields

Message

Ack is discarded on the interface %1. Error code is %2

Fields

Message

Nack is received on the interface %1

Fields

Message

Unknown message is discarded on the interface %1.

Fields

Message

Decline is sent on the interface %1. Status code is %2

Fields

Message

Inform is sent on the interface %1. Status code is %2

Fields

Message

Release is sent on the interface %1. Status code is %2

Fields

Message

The broadcast bit was toggled on the interface %1. The broadcast bit after toggling is %2

Fields

Message

Error occurred in extracting the options on the interface %1. Status code is %2

Fields

Message

Setting up a Fallback configuration on interface %1. The Fallback address %2 is set. The status code is %3

Fields

Message

Offer Receive Timeout has happened on the interface %1

Fields

Message

Ack Receive Timeout has happened on the interface %1

Fields

Message

Cancelling pending renewals on the interface with the Interface Id %1

Fields

Message

Address %1 is plumbed on the interface %2. Status code is %3

Fields

Message

Address %1 is unplumbed on the interface %2. Status code is %3

Fields

Message

Plumbing error has occurred on the interface %1. Status Code is %2

Fields

Message

Lease is expired on the interface %1. Expired address is %2

Fields

Message

An interface is added whose interface index is %1 and Status Code is %2.

Fields

Message

An error has occurred in initializing the interface %1. Error Code is %2

Fields

Message

Routes are updated on the interface %1. Status Code is %2

Fields

Message

DHCPv4 client service is started

Example Event

system:
  provider: Microsoft-Windows-Dhcp-Client
  guid: 15A7A4F8-0072-4EAB-ABAD-F98A4D666AED
  event_source_name: ''
  event_id: 50036
  version: 0
  level: 4
  task: 4
  opcode: 68
  keywords: 2305843009213693952
  time_created: '2023-11-06T06:25:39.972933+00:00'
  event_record_id: 1675
  correlation: {}
  execution:
    process_id: 2372
    thread_id: 2408
  channel: System
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-19
event_data: {}
message: ''

References

• Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Message

DHCPv4 client service is stopped. ShutDown Flag value is %1

Fields

Example Event

system:
  provider: Microsoft-Windows-Dhcp-Client
  guid: 15A7A4F8-0072-4EAB-ABAD-F98A4D666AED
  event_source_name: ''
  event_id: 50037
  version: 0
  level: 4
  task: 4
  opcode: 69
  keywords: 2305843009213693952
  time_created: '2023-11-05T22:31:37.010108+00:00'
  event_record_id: 1858
  correlation: {}
  execution:
    process_id: 2232
    thread_id: 2328
  channel: System
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-19
event_data:
  DwordVal: 1
message: ''

References

• Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Message

An error occurred in initializing DHCPv4. Error Code is %1

Fields

Message

An error has occurred in opening the socket on the interface %1. Error Code is %2

Fields

Message

An error has occurred in closing the socket on the interface %1. Error Code is %2

Fields

Message

Domain change notification is received from DNS

Example Event

system:
  provider: Microsoft-Windows-Dhcp-Client
  guid: 15A7A4F8-0072-4EAB-ABAD-F98A4D666AED
  event_source_name: ''
  event_id: 50041
  version: 0
  level: 4
  task: 6
  opcode: 71
  keywords: 4611686018427387904
  time_created: '2023-10-26T04:17:38.252255+00:00'
  event_record_id: 1
  correlation: {}
  execution:
    process_id: 2228
    thread_id: 2320
  channel: Microsoft-Windows-Dhcp-Client/Admin
  computer: WIN-OQ6R0RVA4NF
  security:
    user_id: S-1-5-19
event_data: {}
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

DNS registration has happened for the interface %1. Status Code is %2. DNS Flag settings is %3.

Fields

Message

DNS Deregistration has happened for the interface %1. Status Code is %2

Fields

Message

Inform ack is received on the interface %1.

Fields

Message

A network error occurred when trying to send a message on interface %1. The error code is: %2.

Fields

Message

Gateway address %1 is reachable on the interface %2

Fields

Message

Gateway is not reachable on the interface %1

Fields

Message

Your computer was successfully assigned an address from the network, and it can now connect to other computers.

Message

Route is added with the values Dest = %1, DestMask = %2, NextHop = %3, Address = %4

Fields

Message

Route is deleted with the values Dest = %1, DestMask = %2, NextHop = %3, Address = %4

Fields

Message

An offer is received for the dummy discovers that are sent for Diagnostics on the interface %1.

Fields

Message

Checking reachability of gateway %1 on the the interface %2

Fields

Message

DHCP has notified NLA for the configuration changes for the interface %1

Fields

Message

DHCP has run the cache scavenger for the interface %1

Fields

Message

DHCP has found a match in the cache for Service Set Identifier(SSID) %1(Hexadecimal value of SSID: %2) for the Network Card with the network address %4

Fields

Message

DHCP has plumbed an address using Service Set Identifier(SSID) %1(Hexadecimal value of SSID: %2) for the Network Card with the network address %4

Fields

Message

DHCP has received a Service Set Identifier(SSID) %1(Hexadecimal value of SSID: %2) for the Network Card with the network address %4

Fields

Message

Address %1 being plumbed for adapter %2 already exists

Fields

Message

The broadcast bit %1 was successfully set and cached on the interface %2

Fields

Message

DHCP has not received a Service Set Identifier(SSID) for the interface %1

Fields

Message

DHCP has not found a match in the cache for Service Set Identifier(SSID) %1(Hexadecimal value of SSID: %2) for the interface %3

Fields

Message

Network Diagnostics Framework(NDF) discovery is being initiated on interface %1.

Fields

Message

Network Diagnostics Framework(NDF) discovery failed to discover a DHCP server on interface %1.

Fields

Message

Firewall port %1 is exempted on interface %2. Error code is %3.

Fields

Message

Firewall port %1 is closed on interface %2. Error code is %3.

Fields

Message

DHCP has not plumbed an address using Service Set Identifier(SSID) %1(Hexadecimal value of SSID: %2) for the Network Card with the network address %4 since the lease has expired

Fields

Message

Regular address acquisition will be done on interface %1 because aggressive address acquisition is turned ON.

Fields

Message

DHCP has cancelled IPv4 address acquisition cycle after %1 DISCOVER transmissions on interface %2 because the machine is in Connected Standby state and the interface has the DHCP IPv6 address %3.

Fields

Message

Attempting to acquire a reference for interface %1. Error code is %2.

Fields

Message

Attempting to release the reference for interface %1. Error code is %2.

Fields

Message

Registered duplicate address detection on interface %1 for IP address %2.

Fields

Message

Completed duplicate address detection on interface %1 for IP address %2. Error code is %3.

Fields

Message

Duplicate address detection on interface %1 for IP address %2 timed out - reattempting.

Fields

Message

Parameter change request registered for process %1 with descriptor %2.

Fields

Message

Parameter change request unregistered for process %1 with descriptor %2.

Fields

Message

Parameter change request notified for process %1 with descriptor %2. The status of the operation was %3.

Fields

Message

Parameter request received on interface with LUID %1. Attempting to acquire the interface context.

Fields

Message

Parameter request unblocked on interface with LUID %1 and index %2.

Fields

Message

Parameter request completed on interface with LUID %1 and index %2. The status of the operation was %3.

Fields

Message

Firewall port %2 exemption triggered on interface %1.

Fields

Message

Firewall port %2 close triggered on interface %1.

Fields

Message

DHCP has cancelled IPv4 address acquisition cycle after %1 DISCOVER transmissions on interface %2 because the machine is in Connected Standby state and the interface has the stateless IPv6 address %3.

Fields

Message

DHCP has cancelled IPv4 address acquisition cycle after %1 DISCOVER transmissions on interface %2 because the machine is in Connected Standby state and the interface has the static IPv6 address %3.

Fields

Message

DHCP will not try regular IPv4 address acquisition on interface %1 since the machine is in Connected Standby state and the interface has the IPv6 address %2.

Fields

Message

DHCP will try regular IPv4 address acquisition on interface %1 even though the machine is in Connected Standby state since the interface has no IPv6 address.

Fields

Message

DHCP will try regular IPv4 address acquisition on interface %1 due to registry settings even though the machine is in Connected Standby state and the interface has an IPv6 address.

Fields

Message

The DHCPv4 client received connected standby entry notification.

Message

The DHCPv4 client received connected standby exit notification.

Message

DHCPv4 client registered for shutdown notification

Example Event

system:
  provider: Microsoft-Windows-Dhcp-Client
  guid: 15A7A4F8-0072-4EAB-ABAD-F98A4D666AED
  event_source_name: ''
  event_id: 50103
  version: 0
  level: 4
  task: 4
  opcode: 129
  keywords: 2305843009213693952
  time_created: '2023-11-06T06:25:39.972458+00:00'
  event_record_id: 1674
  correlation: {}
  execution:
    process_id: 2372
    thread_id: 2408
  channel: System
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-19
event_data: {}
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

DHCPv4 client received shutdown notification

Example Event

system:
  provider: Microsoft-Windows-Dhcp-Client
  guid: 15A7A4F8-0072-4EAB-ABAD-F98A4D666AED
  event_source_name: ''
  event_id: 50104
  version: 0
  level: 4
  task: 4
  opcode: 129
  keywords: 2305843009213693952
  time_created: '2023-11-05T22:31:36.636619+00:00'
  event_record_id: 1852
  correlation: {}
  execution:
    process_id: 2232
    thread_id: 2236
  channel: System
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-19
event_data: {}
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

DHCPv4 client ProcessDHCPRequestForever received TERMINATE_EVENT

Example Event

system:
  provider: Microsoft-Windows-Dhcp-Client
  guid: 15A7A4F8-0072-4EAB-ABAD-F98A4D666AED
  event_source_name: ''
  event_id: 50105
  version: 0
  level: 4
  task: 4
  opcode: 129
  keywords: 2305843009213693952
  time_created: '2023-11-05T22:31:36.639339+00:00'
  event_record_id: 1853
  correlation: {}
  execution:
    process_id: 2232
    thread_id: 2328
  channel: System
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-19
event_data: {}
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

DHCPv4 is waiting on DHCPv6 service to stop

Example Event

system:
  provider: Microsoft-Windows-Dhcp-Client
  guid: 15A7A4F8-0072-4EAB-ABAD-F98A4D666AED
  event_source_name: ''
  event_id: 50106
  version: 0
  level: 4
  task: 4
  opcode: 129
  keywords: 2305843009213693952
  time_created: '2023-11-05T22:31:37.009976+00:00'
  event_record_id: 1857
  correlation: {}
  execution:
    process_id: 2232
    thread_id: 2328
  channel: System
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-19
event_data: {}
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

Firewall port exemption is in progress but incomplete. Error code is %1.

Fields

Message

PERFTRACK (Request-Ack): Address confirmed for the interface %2. Confirmed Address is %3. Server address is %4

Fields

Message

PERFTRACK (DORA): Offer is accepted on the interface %2. Offered Address is %3. Server address is %4

Fields

Message

PERFTRACK: Gateway is reachable on the interface %2

Fields

Message

PERFTRACK: DHCP is not enabled on the interface %2

Fields

Message

PERFTRACK: Setting up Fallback configuration on the interface %2 since no response is received for request. Status code is %3

Fields

Message

PERFTRACK (Request-Ack): Address confirmed for the interface %2 after toggling the broadcast bit in INIT-REBOOT. Confirmed address is %3. Server address is %4

Fields

Message

PERFTRACK (Request-Nack-Dora): Offer is accepted on the interface %2 after toggling the broadcast bit in INIT-REBOOT. Offered Address is %3. Server address is %4

Fields

Message

PERFTRACK (Init-Dora): Offer is accepted on the interface %2 after toggling the broadcast bit in INIT. Offered Address is %3. Server address is %4

Fields

Message

PERFTRACK (Request-Ack): Address confirmed for the interface %2. Confirmed Address is %3. Server address is %4

Fields

Message

PERFTRACK (DORA): Offer is accepted on the interface %2. Offered Address is %3. Server address is %4

Fields

Message

PERFTRACK: Gateway is reachable on the interface %2

Fields

Message

PERFTRACK: DHCP is not enabled on the interface %2

Fields

Message

PERFTRACK: Setting up Fallback configuration on the interface %2 since no response is received for request. Status code is %3

Fields

Message

PERFTRACK (Request-Ack): Address confirmed for the interface %2 after toggling the broadcast bit in INIT-REBOOT. Confirmed address is %3. Server address is %4

Fields

Message

PERFTRACK (Request-Nack-Dora): Offer is accepted on the interface %2 after toggling the broadcast bit in INIT-REBOOT. Offered Address is %3. Server address is %4

Fields

Message

PERFTRACK (Init-Dora): Offer is accepted on the interface %2 after toggling the broadcast bit in INIT. Offered Address is %3. Server address is %4

Fields

Message

PERFTRACK (DHCPv4): Media Connect on interface %2

Fields

Message

PERFTRACK (DHCPv4): End of Media Connect on interface %2

Fields

Message

PERFTRACK (Media Reconnect): Media reconnect notification was received on interface %2

Fields

Message

PERFTRACK (Discover-DelayedResponse): Offer/Ack is not received for first discover/request on interface %2.

Fields

Message

PERFTRACK (Discover-Timeout): No response is received for all 8 discovers on interface %2. Fallback address is not set.

Fields

Message

PERFTRACK (Request-DelayedAck): Ack is not received for first request on interface %2.

Fields

Message

PERFTRACK (Request-NoResponse): There is no response for INIT-REBOOT Request on interface %2. Gateway is not reachable and fallback address is not set.

Fields

Message

PERFTRACK: Fallback address %2 is plumbed on interface %3 after DHCP did not get response for discover.

Fields

Message

Entered ProcessDhcpRequestForever.

Message

ProcessDhcpRequestForever Timed out.

Message

CreateRenewalSignalHandle failed with error %1.

Fields

Message

DeleteRenewTimer failed with error %1.

Fields

Message

ResetRenewalSignalHandle failed with error %1.

Fields

Message

CreateRenewTimer failed with error %1.

Fields

Message

ProcessDhcpRequestForever failed with error %1.

Fields