Microsoft-Windows-Iphlpsvc
18 events across 2 channels
Event ID 4000: Teredo server has successfully started.
Description
Teredo server has successfully started.
Event ID 4001: Teredo server has failed to start with the following error: ErrorCode.
Event ID 4002: Teredo server primary or secondary IPv4 address is invalid.
Event ID 4003: Configured Teredo server name ServerName is invalid.
Event ID 4004: Teredo server initialization has failed with the following error code ErrorCode.
Event ID 4100: ISATAP router address IsatapRouter was set with status ErrorCode.
Description
ISATAP router address IsatapRouter was set with status ErrorCode.
Fields
| Name | Type | Description | Rules |
|---|---|---|---|
| IsatapRouter | UnicodeString | 2 | |
| ErrorCode | UInt32 | | |
Detection Rules
Sigma
- ISATAP Router Address Was Set (level: medium): Detects the configuration of a new ISATAP router on a Windows host. While ISATAP is a legitimate Microsoft technology for IPv6 transition, unexpected or unauthorized ISATAP router configurations could indicate a potential IPv6 DNS Takeover attack using tools like mitm6. In such attacks, adversaries advertise themselves as DHCPv6 servers and set malicious ISATAP routers to intercept traffic. This detection should be correlated with network baselines and known legitimate ISATAP deployments in your environment.
Event ID 4200: ProtocolType interface Interface with address Address has been brought up.
Event ID 4201: ProtocolType interface Interface is no longer active.
Event ID 4202: Unable to update the IP address on Error_Code interface ProtocolType.
Event ID 4300: IP-HTTPS server has successfully started using the server URL ServerUrl.
Event ID 4302: IP-HTTPS server has failed to start with the following error: ErrorCode.
Event ID 4303: IP-HTTPS client ClientMachineName (TunnelSourceIP) is associated with IP address RemoteIP.
Event ID 4304: IP-HTTPS client ClientMachineName (TunnelSourceIP) is disassociated from IP address RemoteIP.
Event ID 4400: DNS64: No matching IPv6 prefix found for IPv4 address Translated IPv4 Address, received for name QuestionName queried by client ClientIP.
Event ID 4500: DA MULTISITE: Configured DA site SiteName.
Event ID 4501: DA MULTISITE: Unconfigured DA site SiteName.
Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID 66a5c15c-4f8e-4044-bf6e-71d896038977
Defined in iphlpsvc.dll, which carries the event manifest.
Observed on:
- WS2022-20348.4893 · schema read from the registered manifest · binary version 10.0.20348.1 · captured 2026-06-02
- Win11-26200.6584 · schema read from the registered manifest · binary version 10.0.26100.4484 · captured 2026-06-02
Downloads
- Microsoft-Windows-Iphlpsvc registered manifest XML (WS2022-20348.4893)
- Microsoft-Windows-Iphlpsvc registered manifest XML (Win11-26200.6584)