Description

Request received (request ID RequestId) on connection (connection ID ConnectionId) from remote address RemoteAddr.

Message #

Request received (request ID %1) on connection (connection ID %2) from remote address %4.

Fields #

Description

Parsed request (request pointer RequestObj, method HttpVerb) with URI Url.

Message #

Parsed request (request pointer %1, method %2) with URI %3.

Fields #

Description

Delivered request to server application (request pointer RequestObj, request ID RequestId, site ID SiteId) from request queue RequestQueueName for URI Url with status Status.

Message #

Delivered request to server application (request pointer %1, request ID %2, site ID %3) from request queue %4 for URI %5 with status %6.

Fields #

Description

Server application passed response (request ID RequestId, connection ID ConnectionId, method Verb, header length HeaderLength, number of entity chunks EntityChunkCount, cache policy CachePolicy) with status code StatusCode.

Message #

Server application passed response (request ID %1, connection ID %2, method %4, header length %5, number of entity chunks %6, cache policy %7) with status code %3.

Fields #

Description

Server application passed the last response (corresponding to request ID RequestId).

Message #

Server application passed the last response (corresponding to request ID %1).

Fields #

Description

Server application passed entity body for request ID RequestId (connection ID ConnectionId).

Message #

Server application passed entity body for request ID %1 (connection ID %2).

Fields #

Description

Server application passed the last entity body for request ID RequestId.

Message #

Server application passed the last entity body for request ID %1.

Fields #

Description

Server application passed response (request ID RequestId, connection ID ConnectionId, method Verb, header length HeaderLength, number of entity chunks EntityChunkCount, cache policy CachePolicy) with status code StatusCode.

Message #

Server application passed response (request ID %1, connection ID %2, method %4, header length %5, number of entity chunks %6, cache policy %7) with status code %3.

Fields #

Description

Server application passed the last response (corresponding to request ID RequestId).

Message #

Server application passed the last response (corresponding to request ID %1).

Fields #

Description

Response ready for send (corresponding to request ID RequestId) with status code HttpStatus.

Message #

Response ready for send (corresponding to request ID %1) with status code %2.

Fields #

Description

Cached the response (corresponding to request ID RequestId) with status code HttpStatus. Response to be sent.

Message #

Cached the response (corresponding to request ID %1) with status code %2. Response to be sent.

Fields #

Description

Queued last response (corresponding to request ID RequestId) for sending. Status code is HttpStatus.

Message #

Queued last response (corresponding to request ID %1) for sending. Status code is %2.

Fields #

Description

Response sent (corresponding to request ID RequestId) with status code HttpStatus. If disconnect is required, a TCP FIN has been sent.

Message #

Response sent (corresponding to request ID %1) with status code %2. If disconnect is required, a TCP FIN has been sent.

Fields #

Description

Error occurred while sending the last response (corresponding to request ID RequestId) with status code HttpStatus. A TCP Reset has been sent.

Message #

Error occurred while sending the last response (corresponding to request ID %1) with status code %2. A TCP Reset has been sent.

Fields #

Description

Error Status occurred while sending (corresponding to request ID RequestId). A TCP Reset will be sent.

Message #

Error %3 occurred while sending (corresponding to request ID %1). A TCP Reset will be sent.

Fields #

Description

Response (request pointer RequestObj, site ID SiteId, number of bytes BytesSent) queued for sending from the cache.

Message #

Response (request pointer %1, site ID %2, number of bytes %3) queued for sending from the cache.

Fields #

Description

Response (request pointer RequestObj, site ID SiteId, number of bytes BytesSent) queued for sending with status code 304 (cache not modified).

Message #

Response (request pointer %1, site ID %2, number of bytes %3) queued for sending with status code 304 (cache not modified).

Fields #

Description

Attempted to reserve URL (Url). Status ReserveStatus.

Message #

Attempted to reserve URL (%1). Status %2.

Fields #

Description

Successfully read the IP listen list for IP address IpAddrLength.

Message #

Successfully read the IP listen list for IP address %1.

Fields #

Description

SSL credentials for IP address and port CertHashLength successfully created.

Message #

SSL credentials for IP address and port %3 successfully created.

Fields #

Description

New connection created (local IP address LocalAddr and remote address RemoteAddr).

Message #

New connection created (local IP address %3 and remote address %5).

Fields #

Description

Connection ID (ConnectionId) assigned to connection and request (request ID RequestId) will be parsed.

Message #

Connection ID (%2) assigned to connection and request (request ID %1) will be parsed.

Fields #

Description

Client closed the connection (connection pointer ConnectionObj). Status of whether closed by TCP Reset: Abortive.

Message #

Client closed the connection (connection pointer %1). Status of whether closed by TCP Reset: %2.

Fields #

Description

Connection (connection pointer ConnectionObj) cleanup started due to either the sending of a TCP Reset, receiving of a TCP Reset, or after the mutual exchange of TCP Fins.

Message #

Connection (connection pointer %1) cleanup started due to either the sending of a TCP Reset, receiving of a TCP Reset, or after the mutual exchange of TCP Fins.

Fields #

Description

Successfully added entry (URI Uri) to cache.

Message #

Successfully added entry (URI %1) to cache.

Fields #

Description

Failed to add an entry (URI UrlBuffer) to the cache. Status: ErrorStatus.

Message #

Failed to add an entry (URI %1) to the cache. Status: %2.

Fields #

Description

Flushed entry (URI Uri) from the cache.

Message #

Flushed entry (URI %1) from the cache.

Fields #

Description

Attempted to set URL group property: Property. Status: Status.

Message #

Attempted to set URL group property: %1. Status: %2.

Fields #

Description

Attempted to set server session property: Property. Status: Status.

Message #

Attempted to set server session property: %1. Status: %2.

Fields #

Description

Attempted to set request queue property: Property. Status: Status.

Message #

Attempted to set request queue property: %1. Status: %2.

Fields #

Description

Attempted to add URL (Url) to URL group (UrlGroupId). Status: Status.

Message #

Attempted to add URL (%2) to URL group (%1). Status: %3.

Fields #

Description

Removed URL (Url) from URL group (UrlGroupId).

Message #

Removed URL (%2) from URL group (%1).

Fields #

Description

Removed all URLs from URL group UrlGroupId.

Message #

Removed all URLs from URL group %1.

Fields #

Description

Initiating SSL connection.

Message #

Initiating SSL connection.

Fields #

Description

Initiating SSL handshake.

Message #

Initiating SSL handshake.

Fields #

Description

SSL handshake completed with status: Status.

Message #

SSL handshake completed with status: %1.

Fields #

Description

Server application is attempting to receive the SSL client certificate, which will be provided if available. If the client certificate is not available, a renegotiation will be initiated.

Message #

Server application is attempting to receive the SSL client certificate, which will be provided if available. If the client certificate is not available, a renegotiation will be initiated.

Fields #

Description

Attempt by server application to receive client certificate failed with status: Status.

Message #

Attempt by server application to receive client certificate failed with status: %1.

Fields #

Description

Raw SSL data is available for processing.

Message #

Raw SSL data is available for processing.

Fields #

Description

Decrypted SSL data is available for processing.

Message #

Decrypted SSL data is available for processing.

Fields #

Description

Passed plaintext data for encryption.

Message #

Passed plaintext data for encryption.

Fields #

Description

Attempt (on connection ID ConnectionId) to authenticate client completed. Authentication type AuthType. Security status: SecStatus.

Message #

Attempt (on connection ID %1) to authenticate client completed. Authentication type %2. Security status: %3.

Fields #

Description

Attempted to add entry to the AuthCacheType authentication cache. Status: Status.

Message #

Attempted to add entry to the %2 authentication cache. Status: %4.

Fields #

Description

Entry successfully removed from the authentication cache.

Message #

Entry successfully removed from the authentication cache.

Fields #

Description

Successfully associated QoS flow with connection (connection ID ConnectionId). Bandwidth throttled to: Bandwidth Bytes per second.

Message #

Successfully associated QoS flow with connection (connection ID %1). Bandwidth throttled to: %2 Bytes per second.

Fields #

Description

Failed to configure the Type logging (directory Directory), Status: Status.

Message #

Failed to configure the %2 logging (directory %4), Status: %1.

Fields #

Description

Successfully configured Type logging (directory Directory).

Message #

Successfully configured %2 logging (directory %5).

Fields #

Description

Failed to create Type log file Filename. Status: Status.

Message #

Failed to create %2 log file %5. Status: %1.

Fields #

Description

Successfully created new Type log file Filename.

Message #

Successfully created new %2 log file %5.

Fields #

Description

Entry has been written to Type log file.

Message #

Entry has been written to %3 log file.

Fields #

Description

Parsing of request (request ID RequestId) failed due to reason: Reason. Request may not be compliant with HTTP/1.1.

Message #

Parsing of request (request ID %2) failed due to reason: %3. Request may not be compliant with HTTP/1.1.

Fields #

Description

HTTP timer Timer expired. The connection will be reset.

Message #

HTTP timer %3 expired. The connection will be reset.

Fields #

Description

Failed to acquire handle for SSL credentials. Failure will be event logged. Security status: SecStatus.

Message #

Failed to acquire handle for SSL credentials. Failure will be event logged. Security status: %2.

Fields #

Description

SSL connection will be disconnected as initiated by the client.

Message #

SSL connection will be disconnected as initiated by the client.

Fields #

Description

SSL connection will be disconnected as initiated by the server application. Status: Status.

Message #

SSL connection will be disconnected as initiated by the server application. Status: %2.

Fields #

Description

Attempt to decrypt SSL data failed. Security status: SecStatus.

Message #

Attempt to decrypt SSL data failed. Security status: %2.

Fields #

Description

Query for SSL connection parameters failed. Security status: SecStatus. Connection will be reset.

Message #

Query for SSL connection parameters failed. Security status: %2. Connection will be reset.

Fields #

Description

Cannot find SSL endpoint for inbound connection for local IP address and port Address.

Message #

Cannot find SSL endpoint for inbound connection for local IP address and port %3.

Fields #

Description

Attempt to perform SSL handshake failed. Security status: SecStatus.

Message #

Attempt to perform SSL handshake failed. Security status: %2.

Fields #

Description

Attempt to encrypt SSL data failed. Security status: SecStatus.

Message #

Attempt to encrypt SSL data failed. Security status: %2.

Fields #

Description

Request (request ID RequestId) rejected due to reason: Reason.

Message #

Request (request ID %1) rejected due to reason: %2.

Fields #

Description

Server application canceled the processing of its request (request ID RequestId).

Message #

Server application canceled the processing of its request (request ID %1).

Fields #

Description

Http.sys failed to process CPU hot-add. Processor number: NewProcNumber, reason: ReasonString, status: Status.

Message #

Http.sys failed to process CPU hot-add. Processor number: %1, reason: %2, status: %3.

Fields #

Description

Hot-add information: Current UxNumberOfProcessors: Hotadd_information_Current_UxNumberOfProcessors, comment: comment.

Message #

Hot-add information: Current UxNumberOfProcessors: %1, comment: %2.

Fields #

Description

Initialized QoS flow: FlowHandle FlowHandle, bandwidth Bandwidth, peak bandwidth PeakBandwidth, burst size BurstSize.

Message #

Initialized QoS flow: FlowHandle %1, bandwidth %2, peak bandwidth %3, burst size %4

Fields #

Description

Initialized QoS flow: FlowHandle FlowHandle, bandwidth Bandwidth, peak bandwidth PeakBandwidth, burst size BurstSize.

Message #

Initialized QoS flow: FlowHandle %1, bandwidth %2, peak bandwidth %3, burst size %4

Fields #

Description

QoS flow initialization failed: bandwidth Bandwidth, peak bandwidth PeakBandwidth, burst size BurstSize, status Status.

Message #

QoS flow initialization failed: bandwidth %1, peak bandwidth %2, burst size %3, status %4

Fields #

Description

Setting flow: Connection Connection, FlowHandle FlowHandle.

Message #

Setting flow: Connection %1, FlowHandle %2

Fields #

Description

Assign to Configuration QoS Flow: FlowHandle FlowHandle.

Message #

Assign to Configuration QoS Flow: FlowHandle %1

Fields #

Description

[re]Setting QoS Flow failed: Connection Connection, FlowHandle FlowHandle, status Status.

Message #

[re]Setting QoS Flow failed: Connection %1, FlowHandle %2, status %3

Fields #

Description

Response range processing done. Req. RequestId, response content size ContentBytes, ranges NumberOfRanges (Range1Start-Range1End, Range2Start-Range2End,...).

Message #

Response range processing done. Req. %1, response content size %2, ranges %3 (%4-%5, %6-%7,...)

Fields #

Description

Begin building slices. Req. RequestId, slices NumberOfSlices (SliceIndex1,SliceIndex2,...), ranges NumberOfRanges (Range1Start-Range1End, Range2Start-Range2End,...).

Message #

Begin building slices. Req. %1, slices %2 (%3,%4,...), ranges %5 (%6-%7, %8-%9,...)

Fields #

Description

Send cached slices. Req. RequestId, CacheEntry CacheEntryPtr, slices NumberOfSlices (SliceIndex1,SliceIndex2,...), ranges NumberOfRanges (Range1Start-Range1End, Range2Start-Range2End,...).

Message #

Send cached slices. Req. %1, CacheEntry %2, slices %3 (%4,%5,...), ranges %6 (%7-%8, %9-%10,...)

Fields #

Description

Cached slices match content. Req. RequestId, CacheEntry CacheEntryPtr, slices NumberOfSlices (SliceIndex1,SliceIndex2,...), ranges NumberOfRanges (Range1Start-Range1End, Range2Start-Range2End,...).

Message #

Cached slices match content. Req. %1, CacheEntry %2, slices %3 (%4,%5,...), ranges %6 (%7-%8, %9-%10,...)

Fields #

Description

Merge slices to cache. CacheEntry CacheEntryPtr, slices to merge NofSlicesToMerge, slices to cache NofSlicesInCache.

Message #

Merge slices to cache. CacheEntry %1, slices to merge %2, slices to cache %3

Fields #

Description

Sending range from flat cache entry. CacheEntry CacheEntryPtr, range Range1Start-Range1End.

Message #

Sending range from flat cache entry. CacheEntry %1, range %2-%3

Fields #

Description

Channel bind ASC parameters: connection ConnectionId, buffers NoBindBuffers, flags SecFlags.

Message #

Channel bind ASC parameters: connection %1, buffers %2, flags %3

Fields #

Description

Service bind check done. Connection ConnectionId, Context SecContextL-SecContextH, status SecStatus, target Target.

Message #

Service bind check done. Connection %1, Context %2-%3, status %4, target %5

Fields #

Description

Captured channel bind config. Hardening Hardening, flags Flags, service count ServiceNameCount.

Message #

Captured channel bind config. Hardening %1, flags %2, service count %3

Fields #

Description

Channel bind response config overwrites ReplaceConfigOf.

Message #

Channel bind response config overwrites %1

Fields #

Description

Policy-Based QoS: Connection Connection, FlowHandle FlowHandle.

Message #

Policy-Based QoS: Connection %1, FlowHandle %2

Fields #

Description

Thread pool extension. Pool type: Thread_pool_extension_Pool_type, active pools: active_pools.

Message #

Thread pool extension. Pool type: %1, active pools: %2.

Fields #

Description

Thread ready. Pool type: Thread_ready_Pool_type, active pools: active_pools, thread count: thread_count.

Message #

Thread ready. Pool type: %1, active pools: %2, thread count: %3

Fields #

Description

Thread pool trim. Pool type: Thread_pool_trim_Pool_type, active pools: active_pools.

Message #

Thread pool trim. Pool type: %1, active pools: %2.

Fields #

Description

Thread gone. Pool type: Thread_gone_Pool_type, active pools: active_pools, thread count: thread_count.

Message #

Thread gone. Pool type: %1, active pools: %2, thread count: %3

Fields #

Description

SNI parsed for connection: ConnectionObj with status: Status.

Message #

SNI parsed for connection: %1 with status: %2

Fields #

Description

Request RequestId has initated opaque mode.

Message #

Request %1 has initated opaque mode

Fields #

Description

Endpoint auto-generated for EndpointName.

Message #

Endpoint auto-generated for %2

Fields #

Description

Deleted auto-generated endpoint for EndpointName.

Message #

Deleted auto-generated endpoint for %2

Fields #

Description

Inbound connection for IP: IpAddress, SNI: SniHostname. SSL endpoint found: MatchingEndpointName.

Message #

Inbound connection for IP: %3, SNI: %4. SSL endpoint found: %5

Fields #

Description

SSL connection with local IP address and port Address rejected due to configuration policy.

Message #

SSL connection with local IP address and port %2 rejected due to configuration policy.

Fields #

Description

Parsing of response (response ID ResponseId) failed due to reason: Reason. Request may not be compliant with HTTP/1.1.

Message #

Parsing of response (response ID %2) failed due to reason: %3. Request may not be compliant with HTTP/1.1.

Fields #

Description

SSL handshake failed. Local IP: Remote_IP, Remote IP: Thumbprint, SNI: Client_Initiated_Disconnect, Thumbprint: Connection_Status, Client Initiated Disconnect: LocalAddressLength, Abortive Disconnect: LocalAddress, Connection Status: RemoteAddressLength.

Message #

SSL handshake failed. Local IP: %2, Remote IP: %4, SNI: %5, Thumbprint: %7, Client Initiated Disconnect: %8, Abortive Disconnect: %9, Connection Status: %10

Fields #

Message #

HTTP error response sent. Url: %1, Verb: %2, Status Code: %3, Cache Send: %4, Request Queue: %5, PID: %6, TID: %7, Image Name: %8, Working Set(Bytes): %9, Send Status: %10, Thread Count: %11, Reason Phrase: %12, Error Cause: %13, Verbosity: %14

Fields #

Description

SSL renegotiate timed out. Local IP: Remote_IP, Remote IP: Thumbprint, SNI: Connection_Buffer_Full, Thumbprint: LocalAddress, Connection Buffer Full: RemoteAddressLength.

Message #

SSL renegotiate timed out. Local IP: %2, Remote IP: %4, SNI: %5, Thumbprint: %7, Connection Buffer Full: %8

Fields #

Description

HTTP 11 Required. Verb: HTTP_11_Required_Verb, Fault Code: Fault_Code.

Message #

HTTP 11 Required. Verb: %1, Fault Code: %2

Fields #

Description

Version: Version Counts: Counts.

Message #

Version: %1 Counts: %2

Fields #

Description

Version: Version Counts: Counts.

Message #

Version: %1 Counts: %2

Fields #

Description

QUIC Connection. QuicConnectionId: QUIC_Connection_QuicConnectionId, Connection: Connection, Local IP: Remote_IP, Remote IP: ErrorCode, SNI: QuicConnectionId, ErrorCode: LocalAddressLength, Status: LocalAddress.

Message #

QUIC Connection. QuicConnectionId: %1, Connection: %2, Local IP: %4, Remote IP: %6, SNI: %8, ErrorCode: %9, Status: %10

Fields #

Description

QUIC Connection Callback. Connection: QUIC_Connection_Callback_Connection, Event: Event, EventParam: EventParam.

Message #

QUIC Connection Callback. Connection: %1, Event: %2, EventParam: %3

Fields #

Description

QUIC Stream. QuicStreamId: QUIC_Stream_QuicStreamId, Connection: Connection, Stream: Stream.

Message #

QUIC Stream. QuicStreamId: %1, Connection: %2, Stream: %3

Fields #

Description

QUIC Stream Callback. Stream: QUIC_Stream_Callback_Stream, Connection: Connection, StreamType: StreamType, Event: Event, EventParam: EventParam.

Message #

QUIC Stream Callback. Stream: %1, Connection: %2, StreamType: %3, Event: %4, EventParam: %5

Fields #

Description

QUIC Registration Failed. Status: QUIC_Registration_Failed_Status.

Message #

QUIC Registration Failed. Status: %1

Fields #

Description

Correlation ID for request RequestId: CorrelationId.

Message #

Correlation ID for request %1: %2

Fields #

Description

Create URL group UrlGroupId. Status Status. Process Id ProcessId Executable path ExecutablePath, User UserSid.

Message #

Create URL group %1. Status %2. Process Id %3 Executable path %4, User %5

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-HttpService",
    "guid": "DD5EF90A-6398-47A4-AD34-4DCECDEF795F",
    "event_source_name": "",
    "event_id": 111,
    "version": 0,
    "level": 4,
    "task": 5,
    "opcode": 125,
    "keywords": 4611686018427387968,
    "time_created": "2026-03-13T20:06:22.592017+00:00",
    "event_record_id": 2069,
    "correlation": {},
    "execution": {
      "process_id": 4260,
      "thread_id": 4596
    },
    "channel": "System",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "UrlGroupId": 18302628890465533953,
    "Status": 0,
    "ProcessId": 4260,
    "ExecutablePath": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe",
    "UserSid": "S-1-5-18"
  },
  "message": ""
}

Description

Attempted to reserve URL Url. Status ReserveStatus. Process Id ProcessId Executable path ExecutablePath, User UserSid.

Message #

Attempted to reserve URL %1. Status %2. Process Id %3 Executable path %4, User %5

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-HttpService",
    "guid": "DD5EF90A-6398-47A4-AD34-4DCECDEF795F",
    "event_source_name": "",
    "event_id": 112,
    "version": 0,
    "level": 4,
    "task": 3,
    "opcode": 121,
    "keywords": 4611686018427387905,
    "time_created": "2023-11-06T06:25:42.192778+00:00",
    "event_record_id": 1703,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 228
    },
    "channel": "System",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Url": "http://+:10243/WMPNSSv4/",
    "ReserveStatus": 0,
    "ProcessId": 4,
    "ExecutablePath": "",
    "UserSid": "S-1-5-18"
  },
  "message": ""
}

References #

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Description

Attempted to add URL (Url) to URL group (UrlGroupId). Status: Status. Process Id ProcessId Executable path ExecutablePath, User UserSid.

Message #

Attempted to add URL (%2) to URL group (%1). Status: %3. Process Id %4 Executable path %5, User %6

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-HttpService",
    "guid": "DD5EF90A-6398-47A4-AD34-4DCECDEF795F",
    "event_source_name": "",
    "event_id": 113,
    "version": 0,
    "level": 4,
    "task": 5,
    "opcode": 122,
    "keywords": 4611686018427387968,
    "time_created": "2026-03-11T06:29:35.510270+00:00",
    "event_record_id": 2802,
    "correlation": {},
    "execution": {
      "process_id": 1608,
      "thread_id": 1656
    },
    "channel": "System",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-20"
    }
  },
  "event_data": {
    "UrlGroupId": 18302628907645403137,
    "Url": "https://+:5986/wsman/",
    "Status": 0,
    "ProcessId": 1608,
    "ExecutablePath": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe",
    "UserSid": "S-1-5-20"
  },
  "message": ""
}

Description

Removed URL (Url) from URL group (UrlGroupId). Process Id ProcessId Executable path ExecutablePath, User UserSid.

Message #

Removed URL (%2) from URL group (%1). Process Id %3 Executable path %4, User %5

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-HttpService",
    "guid": "DD5EF90A-6398-47A4-AD34-4DCECDEF795F",
    "event_source_name": "",
    "event_id": 114,
    "version": 0,
    "level": 4,
    "task": 5,
    "opcode": 123,
    "keywords": 4611686018427387968,
    "time_created": "2023-10-25T22:56:15.387118+00:00",
    "event_record_id": 1477,
    "correlation": {},
    "execution": {
      "process_id": 3840,
      "thread_id": 3904
    },
    "channel": "System",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "UrlGroupId": 18302628886170566657,
    "Url": "http://*:5357/31383106-803d-411b-9763-a28cdc0f0c3f/",
    "ProcessId": 3840,
    "ExecutablePath": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe",
    "UserSid": "S-1-5-19"
  },
  "message": ""
}

References #

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Description

Removed all URLs from URL group UrlGroupId. Process Id ProcessId Executable path ExecutablePath, User UserSid.

Message #

Removed all URLs from URL group %1. Process Id %2 Executable path %3, User %4

Fields #

Description

Attempted to set URL group UrlGroupId property Property. Status: Status. Process Id ProcessId Executable path ExecutablePath, User UserSid.

Message #

Attempted to set URL group %1 property %2. Status: %3. Process Id %4 Executable path %5, User %6

Fields #

Description

Delete URL group UrlGroupId. Status Status. Process Id ProcessId Executable path ExecutablePath, User UserSid.

Message #

Delete URL group %1. Status %2. Process Id %3 Executable path %4, User %5

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-HttpService",
    "guid": "DD5EF90A-6398-47A4-AD34-4DCECDEF795F",
    "event_source_name": "",
    "event_id": 117,
    "version": 0,
    "level": 4,
    "task": 5,
    "opcode": 126,
    "keywords": 4611686018427387968,
    "time_created": "2023-10-25T22:56:15.387403+00:00",
    "event_record_id": 1478,
    "correlation": {},
    "execution": {
      "process_id": 3840,
      "thread_id": 3904
    },
    "channel": "System",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "UrlGroupId": 18302628886170566657,
    "Status": 0,
    "ProcessId": 3840,
    "ExecutablePath": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe",
    "UserSid": "S-1-5-19"
  },
  "message": ""
}

References #

• Example event sourced from https://github.com/NextronSystems/evtx-baseline