Microsoft-Windows-LDAP-Client

31 events across 1 channel

Event  Title                Channel
1      task_0               Debug
2      task_02              Debug
3      task_03              Debug
4      task_04              Debug
5      task_05              Debug
6      task_06              Debug
7      task_07              Debug
8      task_08              Debug
9      task_09              Debug
10     task_010             Debug
11     task_011             Debug
12     task_012             Debug
13     task_013             Debug
14     task_014             Debug
15     task_015             Debug
16     task_016             Debug
17     task_017             Debug
18     task_018             Debug
19     task_019             Debug
20     task_020             Debug
21     task_021             Debug
22     task_022             Debug
23     task_023             Debug
24     task_024             Debug
25     task_025             Debug
26     task_026             Debug
27     task_027             Debug
28     task_028             Debug
29     task_029             Debug
30     LDAP search request  Debug
31     task_031             Debug

Event ID 1: task_0

Provider: Microsoft-Windows-LDAP-Client
Channel: Debug

Fields

Name     Type        Description
Message  AnsiString  (none in the manifest)

Event ID 2: task_02

Provider: Microsoft-Windows-LDAP-Client
Channel: Debug

Fields

Name     Type        Description
Message  AnsiString  (none in the manifest)

Event ID 3: task_03

Provider: Microsoft-Windows-LDAP-Client
Channel: Debug

Fields

Name     Type        Description
Message  AnsiString  (none in the manifest)

Event ID 4: task_04

Provider: Microsoft-Windows-LDAP-Client
Channel: Debug

Fields

Name     Type        Description
Message  AnsiString  (none in the manifest)

Event ID 5: task_05

Provider: Microsoft-Windows-LDAP-Client
Channel: Debug

Fields

Name     Type        Description
Message  AnsiString  (none in the manifest)

Event ID 6: task_06

Provider: Microsoft-Windows-LDAP-Client
Channel: Debug

Fields

Name     Type        Description
Message  AnsiString  (none in the manifest)

Event ID 7: task_07

Provider: Microsoft-Windows-LDAP-Client
Channel: Debug

Fields

Name     Type        Description
Message  AnsiString  (none in the manifest)

Event ID 8: task_08

Provider: Microsoft-Windows-LDAP-Client
Channel: Debug

Fields

Name     Type        Description
Message  AnsiString  (none in the manifest)

Event ID 9: task_09

Provider: Microsoft-Windows-LDAP-Client
Channel: Debug

Fields

Name     Type        Description
Message  AnsiString  (none in the manifest)

Event ID 10: task_010

Provider: Microsoft-Windows-LDAP-Client
Channel: Debug

Fields

Name     Type        Description
Message  AnsiString  (none in the manifest)

Event ID 11: task_011

Provider: Microsoft-Windows-LDAP-Client
Channel: Debug

Fields

Name     Type        Description
Message  AnsiString  (none in the manifest)

Event ID 12: task_012

Provider: Microsoft-Windows-LDAP-Client
Channel: Debug

Fields

Name     Type        Description
Message  AnsiString  (none in the manifest)

Event ID 13: task_013

Provider: Microsoft-Windows-LDAP-Client
Channel: Debug

Fields

Name     Type        Description
Message  AnsiString  (none in the manifest)

Event ID 14: task_014

Provider: Microsoft-Windows-LDAP-Client
Channel: Debug

Fields

Name     Type        Description
Message  AnsiString  (none in the manifest)

Event ID 15: task_015

Provider: Microsoft-Windows-LDAP-Client
Channel: Debug

Fields

Name     Type        Description
Message  AnsiString  (none in the manifest)

Event ID 16: task_016

Provider: Microsoft-Windows-LDAP-Client
Channel: Debug

Fields

Name     Type        Description
Message  AnsiString  (none in the manifest)

Event ID 17: task_017

Provider: Microsoft-Windows-LDAP-Client
Channel: Debug

Fields

Name     Type        Description
Message  AnsiString  (none in the manifest)

Event ID 18: task_018

Provider: Microsoft-Windows-LDAP-Client
Channel: Debug

Fields

Name     Type        Description
Message  AnsiString  (none in the manifest)

Event ID 19: task_019

Provider: Microsoft-Windows-LDAP-Client
Channel: Debug

Fields

Name     Type        Description
Message  AnsiString  (none in the manifest)

Event ID 20: task_020

Provider: Microsoft-Windows-LDAP-Client
Channel: Debug

Fields

Name     Type        Description
Message  AnsiString  (none in the manifest)

Event ID 21: task_021

Provider: Microsoft-Windows-LDAP-Client
Channel: Debug

Fields

Name     Type        Description
Message  AnsiString  (none in the manifest)

Event ID 22: task_022

Provider: Microsoft-Windows-LDAP-Client
Channel: Debug

Fields

Name     Type        Description
Message  AnsiString  (none in the manifest)

Event ID 23: task_023

Provider: Microsoft-Windows-LDAP-Client
Channel: Debug

Fields

Name     Type        Description
Message  AnsiString  (none in the manifest)

Event ID 24: task_024

Provider: Microsoft-Windows-LDAP-Client
Channel: Debug

Fields

Name     Type        Description
Message  AnsiString  (none in the manifest)

Event ID 25: task_025

Provider: Microsoft-Windows-LDAP-Client
Channel: Debug

Fields

Name     Type        Description
Message  AnsiString  (none in the manifest)

Event ID 26: task_026

Provider: Microsoft-Windows-LDAP-Client
Channel: Debug

Fields

Name     Type        Description
Message  AnsiString  (none in the manifest)

Event ID 27: task_027

Provider: Microsoft-Windows-LDAP-Client
Channel: Debug

Fields

Name     Type        Description
Message  AnsiString  (none in the manifest)

Event ID 28: task_028

Provider: Microsoft-Windows-LDAP-Client
Channel: Debug

Fields

Name     Type        Description
Message  AnsiString  (none in the manifest)

Event ID 29: task_029

Provider: Microsoft-Windows-LDAP-Client
Channel: Debug

Fields

Name     Type        Description
Message  AnsiString  (none in the manifest)
Event ID 30: LDAP search request

Provider: Microsoft-Windows-LDAP-Client
Channel: Debug

Description

Emitted by wldap32.dll when an LDAP search is submitted to the server. Captures the search filter, base DN, scope, and requested attributes as supplied by the client process. Fires for every ldap_search call, including rootDSE probes and paged searches. Verified by live ETW capture on Win11 26200 (2026-06-05).

Fields

Name               Type           Description                                                                                    Rules (catalog detection rules referencing the field)
ScopeOfSearch      UInt32         LDAP search scope: 0 = base (root object only), 1 = one-level, 2 = subtree
SearchFilter       UnicodeString  LDAP search filter string (RFC 4515 syntax), e.g. (objectClass=user)                           49
DistinguishedName  UnicodeString  Base distinguished name for the search; empty string indicates rootDSE                          3
AttributeList      UnicodeString  Requested attribute names, semicolon-separated; empty requests all non-operational attributes
ProcessId          HexInt32       Hex PID of the process initiating the LDAP search

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-LDAP-Client",
    "guid": "{099614a5-5dd7-4788-8bc9-e29f43db28fc}",
    "event_source_name": "",
    "event_id": "30",
    "version": "0",
    "level": "0",
    "task": "0",
    "opcode": "0",
    "keywords": -9223372036854775807,
    "time_created": "2026-06-05T07:31:06.778512400+00:00",
    "event_record_id": 16,
    "correlation": {
      "ActivityID": "{ae3adfdf-f2b5-0000-41b2-43aeb5f2dc01}"
    },
    "execution": {
      "process_id": "4580",
      "thread_id": "6584"
    },
    "channel": "Microsoft-Windows-LDAP-Client/Debug",
    "computer": "DESKTOP-FF3N5XK.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ScopeOfSearch": "2",
    "SearchFilter": "(objectClass=user)",
    "DistinguishedName": "DC=ludus,DC=domain",
    "AttributeList": "",
    "ProcessId": "0x11E4"
  },
  "message": ""
}
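The fields above are enough to separate a routine lookup from bulk directory enumeration: a subtree search anchored at the domain root, with no attribute list and a broad filter such as (objectClass=user), is what recon tooling produces, whereas a rootDSE probe (empty DistinguishedName, scope 0) is ordinary client bootstrap traffic. The following triage script is an added example for this page, not Microsoft's code and not part of the catalog. It parses records in the JSON shape shown above, decodes the HexInt32 ProcessId and checks it against the emitting PID, maps ScopeOfSearch to its name, and lists the traits that make a search look like enumeration. The RECON_FILTER_PATTERNS list and the "domain root + subtree + no attribute list" heuristic are assumptions chosen for illustration; the first sample record reproduces the example event above and the remaining ones are constructed.

```python
"""Triage Microsoft-Windows-LDAP-Client Event ID 30 (LDAP search request) records.
Added example; not Microsoft's code and not part of the catalog. Filter list and
heuristics are assumptions for illustration, not vendor detection logic."""
import json
import re

SCOPE_NAMES = {0: "base", 1: "onelevel", 2: "subtree"}  # ScopeOfSearch values from the field table

# Filters common in bulk enumeration (assumed list; baseline against your own estate).
RECON_FILTER_PATTERNS = [
    re.compile(r"^\(objectClass=user\)$", re.I),
    re.compile(r"objectCategory=person", re.I),
    re.compile(r"servicePrincipalName=\*", re.I),
    re.compile(r"adminCount=1", re.I),
    re.compile(r"objectClass=trustedDomain", re.I),
]

def make_event(record_id, pid, scope, filt, base_dn, attrs, logged_pid=None):
    """Build one record in the catalog's JSON shape. Constructed sample data."""
    return json.dumps({
        "system": {
            "provider": "Microsoft-Windows-LDAP-Client",
            "event_id": "30",
            "event_record_id": record_id,
            "execution": {"process_id": str(logged_pid or pid), "thread_id": "0"},
            "channel": "Microsoft-Windows-LDAP-Client/Debug",
            "computer": "DESKTOP-FF3N5XK.ludus.domain",
        },
        "event_data": {
            "ScopeOfSearch": str(scope),
            "SearchFilter": filt,
            "DistinguishedName": base_dn,
            "AttributeList": ";".join(attrs),
            "ProcessId": f"0x{pid:X}",  # HexInt32, as in the field table
        },
    })

# Record 16 reproduces the Example Event on this page; the rest are constructed.
SAMPLE_EVENTS = [
    make_event(16, 4580, 2, "(objectClass=user)", "DC=ludus,DC=domain", []),
    make_event(17, 4580, 0, "(objectClass=*)", "", ["namingContexts", "defaultNamingContext"]),
    make_event(18, 5120, 2, "(sAMAccountName=jdoe)", "CN=Users,DC=ludus,DC=domain", ["memberOf"]),
    make_event(19, 6000, 2, "(&(objectCategory=person)(servicePrincipalName=*))",
               "DC=ludus,DC=domain", ["sAMAccountName", "servicePrincipalName"]),
    make_event(20, 4580, 2, "(objectClass=user)", "DC=ludus,DC=domain", [], logged_pid=4581),
]

def is_domain_root(dn):
    """True when every RDN is a DC= component, i.e. the DN is a naming-context head.
    Splits on unescaped commas only; adequate for AD-style DNs."""
    parts = [p.strip() for p in re.split(r"(?<!\\),", dn) if p.strip()]
    return bool(parts) and all(p.lower().startswith("dc=") for p in parts)

def parse_event(raw):
    """Normalise one Event ID 30 record into typed fields."""
    ev = json.loads(raw)
    data, system = ev["event_data"], ev["system"]
    scope = int(data["ScopeOfSearch"])
    pid = int(data["ProcessId"], 16)  # "0x11E4" -> 4580
    return {
        "record_id": system["event_record_id"],
        "pid": pid,
        # The provider's ProcessId should equal the PID that emitted the event.
        "pid_consistent": pid == int(system["execution"]["process_id"]),
        "scope": SCOPE_NAMES.get(scope, f"unknown({scope})"),
        "filter": data["SearchFilter"],
        "base_dn": data["DistinguishedName"],
        "is_rootdse": data["DistinguishedName"] == "",
        "attributes": [a for a in data["AttributeList"].split(";") if a],  # [] = all non-operational attrs
    }

def recon_indicators(ev):
    """Reasons a parsed search looks like enumeration; [] for a normal lookup."""
    if ev["is_rootdse"]:
        return []  # rootDSE probes are ordinary client bootstrap traffic
    reasons = []
    if ev["scope"] == "subtree" and is_domain_root(ev["base_dn"]):
        reasons.append("subtree search anchored at the domain root")
    if not ev["attributes"]:
        reasons.append("no attribute list: requests every non-operational attribute")
    if any(p.search(ev["filter"]) for p in RECON_FILTER_PATTERNS):
        reasons.append(f"bulk-enumeration filter {ev['filter']}")
    if not ev["pid_consistent"]:
        reasons.append("ProcessId field disagrees with the emitting PID")
    return reasons

def triage(raw_events):
    """Map event_record_id -> indicator list for a batch of raw JSON records."""
    return {e["record_id"]: recon_indicators(e) for e in map(parse_event, raw_events)}

if __name__ == "__main__":
    for rid, reasons in triage(SAMPLE_EVENTS).items():
        print(rid, "RECON" if reasons else "ok", "; ".join(reasons))
```

Two caveats before wiring this into a pipeline. The Microsoft-Windows-LDAP-Client/Debug channel is a debug channel and is disabled by default, so nothing is written until it is enabled (wevtutil sl Microsoft-Windows-LDAP-Client/Debug /e:true, or an ETW session subscribed to the provider GUID given under Provenance). And only Event ID 30 carries structured fields; the other 30 events in this provider expose a single free-form Message string, so detection logic should key on event 30's fields rather than on message text.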


Event ID 31: task_031

Provider: Microsoft-Windows-LDAP-Client
Channel: Debug

Fields

Name     Type        Description
Message  AnsiString  (none in the manifest)

Provenance

Where this provider's schema came from and which Windows builds it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether the schema here matches the build you collect from.

ETW provider GUID 099614a5-5dd7-4788-8bc9-e29f43db28fc

Defined in wldap32.dll, which carries the event manifest.

Observed on:

  • WS2022-20348.4893 · schema read from the registered manifest · binary version 10.0.20348.2849 · captured 2026-06-02
  • Win11-26200.6584 · schema read from the registered manifest · binary version 10.0.26100.1 · captured 2026-06-02

Credits

  • Microsoft - authored the ETW manifests and PDBs the schema comes from
  • jdu2600 - the event-schema TSV format this catalog adopted
  • nasbench - the tool that dumps registered providers and manifests