Microsoft-Windows-NCSI

58 events across 2 channels

Event ID	Title	Channel
2001	Corporate connectivity check will be skipped.	Analytic
2002	Corporate connectivity check is enabled	Analytic
2003	Corporate inside/outside location check will be skipped.	Analytic
2004	Corporate inside/outside location check is enabled	Analytic
4001	Entered State: %2 Interface Luid: %3.	Analytic
4002	Transitioning to State: %2 Interface Luid: %3.	Analytic
4003	Entered State: %2 Interface Luid: %3.	Analytic
4004	Transitioning to State: %2 Interface Luid: %3.	Analytic
4005	Entered State: %2 Interface Luid: %3.	Analytic
4006	Transitioning to State: %2 Interface Luid: %3.	Analytic
4007	Entered State: %2 Interface Luid: %3.	Analytic
4008	Transitioning to State: %2 Interface Luid: %3.	Analytic
4009	Inside/Outside detection started for interface %3.	Operational
4010	Inside/Outside detection finished for interface %3 (%4).	Operational
4011	Windows Firewall Group Policy settings have been updated.	Operational
4012	Inside/Outside probe failed for interface %1.	Operational
4013	Active Internet Probe started on interface %1.	Analytic
4014	Active Internet Probe finished on interface %1 (%2).	Analytic
4015	Active Internet Probe (DNS) started on interface %1.	Analytic
4016	Active Internet Probe (DNS) finished on interface %1.	Analytic
4017	Active Internet Probe (HTTP) started on interface %1.	Analytic
4018	Active Internet Probe (HTTP) finished on interface %1.	Analytic
4019	Active Corp Probe started on interface %1.	Analytic
4020	Active Corp Probe finished on interface %1 (%2).	Analytic
4021	Active Corp Probe (DNS) started on interface %1.	Analytic
4022	Active Corp Probe (DNS) finished on interface %1.	Analytic
4023	Active Corp Probe (HTTP) started on interface %1.	Analytic
4024	Active Corp Probe (HTTP) finished on interface %1.	Analytic
4025	Proxy Detection started	Analytic
4026	Proxy Detection stopped (HasProxy=%1).	Analytic
4027	Opportunistic Internet flag on interface %1 for family %2 marked.	Analytic
4028	Inside/Outside detection is suspect	Operational
4029	Entered suspect state on interface %2 (Family: %3 Reason: %4).	Analytic
4030	Suspect state cancelled on interface %2 (Family: %3).	Analytic
4031	Suspect state expired on interface %2 (Family: %3).	Analytic
4032	Entered corporate suspect state on interface %2.	Analytic
4033	Corporate suspect state cancelled on interface %2.	Analytic
4034	Corporate suspect state expired on interface %2.	Analytic
4035	Cancelling hotspot detection scenario for interface %1.	Analytic
4036		Analytic
4037	Starting hotspot detection for family %2 on interface %1.	Analytic
4038	Hotspot detected on interface %1 (Family: %2).	Operational
4039	Hotspot not detected on interface %1 (Family: %2).	Analytic
4040	Interface %1 (%2) has been connected.	Analytic
4041	Interface %1 (%2) has been disconnected.	Analytic
4042	Capability change on %1 (%2 Family: %3 Capability: %4 ChangeReason: %5).	Operational
4043	Proxied capability change on %1 (%2 Family: %3 ProxiedCapability: %4).	Analytic
4044	Passive Poll state change.	Analytic
4045	NetReady update on %1 (%2 Family: %3 NetReady: %4).	Analytic
4046	Corporate connectivity change on %1 (%2 Family: %3 HasCorporateConnectivity: …	Analytic
4047	Default gateway is set on %1 (%2 Family: %3 GatewayIP: %5 GatewayMAC: %7 …	Analytic
4048	Next hop to Internet has changed on %1 (%2 Family: %3 HasNextHopToInternet: %4 …	Analytic
4049	Preferred address change on %1 (%2 Family: %3 HasPreferredAddress: %4 …	Analytic
4050	Preferred global address change on %1 (%2 Family: %3 HasPreferredGlobalAddress: …	Analytic
4051	Active probe result code on interface %1 (%2 Family: %3) = %4.	Analytic
4052	Interface diagnostic for %1 (%2): IPv4 address: %3, IPv6 address: %4, IPv4 …	Analytic
4053		Analytic
4054		Analytic

Event ID 2001 — Corporate connectivity check will be skipped.

Provider: Microsoft-Windows-NCSI
Channel: Analytic

Message

Corporate connectivity check will be skipped. Reason: %1

Fields

Name	Description
`CorpCheckDisabledReason`	—

Event ID 2002 — Corporate connectivity check is enabled

Provider: Microsoft-Windows-NCSI
Channel: Analytic

Message

Corporate connectivity check is enabled

Event ID 2003 — Corporate inside/outside location check will be skipped.

Provider: Microsoft-Windows-NCSI
Channel: Analytic

Message

Corporate inside/outside location check will be skipped. Reason: %1

Fields

Name	Description
`CorpCheckDisabledReason`	—

Event ID 2004 — Corporate inside/outside location check is enabled

Provider: Microsoft-Windows-NCSI
Channel: Analytic

Message

Corporate inside/outside location check is enabled

Event ID 4001 — Entered State: %2 Interface Luid: %3.

Provider: Microsoft-Windows-NCSI
Channel: Analytic

Message

Entered State: %2 Interface Luid: %3

Fields

Name	Description
`Entered_State`	—
`Interface_Luid`	—
`InterfaceGuid`	—
`CurrentOrNextState`	—
`IfLuid`	—

Event ID 4002 — Transitioning to State: %2 Interface Luid: %3.

Provider: Microsoft-Windows-NCSI
Channel: Analytic

Message

Transitioning to State: %2 Interface Luid: %3

Fields

Name	Description
`InterfaceGuid`	—
`CurrentOrNextState`	—
`IfLuid`	—

Event ID 4003 — Entered State: %2 Interface Luid: %3.

Provider: Microsoft-Windows-NCSI
Channel: Analytic

Message

Entered State: %2 Interface Luid: %3

Fields

Name	Description
`Entered_State`	—
`Interface_Luid`	—
`InterfaceGuid`	—
`CurrentOrNextState`	—
`IfLuid`	—

Event ID 4004 — Transitioning to State: %2 Interface Luid: %3.

Provider: Microsoft-Windows-NCSI
Channel: Analytic

Message

Transitioning to State: %2 Interface Luid: %3

Fields

Name	Description
`InterfaceGuid`	—
`CurrentOrNextState`	—
`IfLuid`	—

Event ID 4005 — Entered State: %2 Interface Luid: %3.

Provider: Microsoft-Windows-NCSI
Channel: Analytic

Message

Entered State: %2 Interface Luid: %3

Fields

Name	Description
`Entered_State`	—
`Interface_Luid`	—
`InterfaceGuid`	—
`CurrentOrNextState`	—
`IfLuid`	—

Event ID 4006 — Transitioning to State: %2 Interface Luid: %3.

Provider: Microsoft-Windows-NCSI
Channel: Analytic

Message

Transitioning to State: %2 Interface Luid: %3

Fields

Name	Description
`InterfaceGuid`	—
`CurrentOrNextState`	—
`IfLuid`	—

Event ID 4007 — Entered State: %2 Interface Luid: %3.

Provider: Microsoft-Windows-NCSI
Channel: Analytic

Message

Entered State: %2 Interface Luid: %3

Fields

Name	Description
`Entered_State`	—
`Interface_Luid`	—
`InterfaceGuid`	—
`CurrentOrNextState`	—
`IfLuid`	—

Event ID 4008 — Transitioning to State: %2 Interface Luid: %3.

Provider: Microsoft-Windows-NCSI
Channel: Analytic

Message

Transitioning to State: %2 Interface Luid: %3

Fields

Name	Description
`InterfaceGuid`	—
`CurrentOrNextState`	—
`IfLuid`	—

Event ID 4009 — Inside/Outside detection started for interface %3.

Provider: Microsoft-Windows-NCSI
Channel: Operational

Message

Inside/Outside detection started for interface %3.

Fields

Name	Description
`InterfaceGuid`	—
`CurrentOrNextState`	—
`IfLuid`	—

Event ID 4010 — Inside/Outside detection finished for interface %3 (%4).

Provider: Microsoft-Windows-NCSI
Channel: Operational

Message

Inside/Outside detection finished for interface %3 (%4).

Fields

Name	Description
`InterfaceGuid`	—
`CurrentOrNextState`	—
`IfLuid`	—
`CorporateLocation`	—
`CorporateLocationMetadata`	—

Event ID 4011 — Windows Firewall Group Policy settings have been updated.

Provider: Microsoft-Windows-NCSI
Channel: Operational

Message

Windows Firewall Group Policy settings have been updated. Triggering another inside/outside location detection

Event ID 4012 — Inside/Outside probe failed for interface %1.

Provider: Microsoft-Windows-NCSI
Channel: Operational

Message

Inside/Outside probe failed for interface %1.

Error: %6 (%5)
Host: %3/%4
Next retry: %7 second(s).

Fields

Name	Description
`Host`	—
`Error`	—
`Next_retry`	Host.
`IfLuid`	—
`InterfaceGuid`	—
`ProbeHost`	—
`ProbePath`	—
`ErrorCode`	—
`ErrorString`	—
`RetryInterval`	—

Event ID 4013 — Active Internet Probe started on interface %1.

Provider: Microsoft-Windows-NCSI
Channel: Analytic

Message

Active Internet Probe started on interface %1

Fields

Name	Description
`InterfaceGuid`	—
`ForceWeb`	—
`UseProxyCache`	—

Event ID 4014 — Active Internet Probe finished on interface %1 (%2).

Provider: Microsoft-Windows-NCSI
Channel: Analytic

Message

Active Internet Probe finished on interface %1 (%2)

Fields

Name	Description
`InterfaceGuid`	—
`Succeeded`	—
`UsedDnsProbe`	—
`UsedProxy`	—
`ContentComparison`	—
`WebCompleted`	—
`WebRedirected`	—
`LocalErrorOccured`	—

Event ID 4015 — Active Internet Probe (DNS) started on interface %1.

Provider: Microsoft-Windows-NCSI
Channel: Analytic

Message

Active Internet Probe (DNS) started on interface %1

Fields

Name	Description
`InterfaceGuid`	—
`Family`	—

Event ID 4016 — Active Internet Probe (DNS) finished on interface %1.

Provider: Microsoft-Windows-NCSI
Channel: Analytic

Message

Active Internet Probe (DNS) finished on interface %1

Fields

Name	Description
`InterfaceGuid`	—
`Family`	—

Event ID 4017 — Active Internet Probe (HTTP) started on interface %1.

Provider: Microsoft-Windows-NCSI
Channel: Analytic

Message

Active Internet Probe (HTTP) started on interface %1

Fields

Name	Description
`InterfaceGuid`	—
`Family`	—

Event ID 4018 — Active Internet Probe (HTTP) finished on interface %1.

Provider: Microsoft-Windows-NCSI
Channel: Analytic

Message

Active Internet Probe (HTTP) finished on interface %1

Fields

Name	Description
`InterfaceGuid`	—
`Family`	—

Event ID 4019 — Active Corp Probe started on interface %1.

Provider: Microsoft-Windows-NCSI
Channel: Analytic

Message

Active Corp Probe started on interface %1

Fields

Name	Description
`InterfaceGuid`	—

Event ID 4020 — Active Corp Probe finished on interface %1 (%2).

Provider: Microsoft-Windows-NCSI
Channel: Analytic

Message

Active Corp Probe finished on interface %1 (%2)

Fields

Name	Description
`InterfaceGuid`	—
`Succeeded`	—

Event ID 4021 — Active Corp Probe (DNS) started on interface %1.

Provider: Microsoft-Windows-NCSI
Channel: Analytic

Message

Active Corp Probe (DNS) started on interface %1

Fields

Name	Description
`InterfaceGuid`	—

Event ID 4022 — Active Corp Probe (DNS) finished on interface %1.

Provider: Microsoft-Windows-NCSI
Channel: Analytic

Message

Active Corp Probe (DNS) finished on interface %1

Fields

Name	Description
`InterfaceGuid`	—

Event ID 4023 — Active Corp Probe (HTTP) started on interface %1.

Provider: Microsoft-Windows-NCSI
Channel: Analytic

Message

Active Corp Probe (HTTP) started on interface %1

Fields

Name	Description
`InterfaceGuid`	—

Event ID 4024 — Active Corp Probe (HTTP) finished on interface %1.

Provider: Microsoft-Windows-NCSI
Channel: Analytic

Message

Active Corp Probe (HTTP) finished on interface %1

Fields

Name	Description
`InterfaceGuid`	—

Event ID 4025 — Proxy Detection started

Provider: Microsoft-Windows-NCSI
Channel: Analytic

Message

Proxy Detection started

Event ID 4026 — Proxy Detection stopped (HasProxy=%1).

Provider: Microsoft-Windows-NCSI
Channel: Analytic

Message

Proxy Detection stopped (HasProxy=%1)

Fields

Name	Description
`ErrorCode`	—
`Source`	—

Event ID 4027 — Opportunistic Internet flag on interface %1 for family %2 marked.

Provider: Microsoft-Windows-NCSI
Channel: Analytic

Message

Opportunistic Internet flag on interface %1 for family %2 marked

Fields

Name	Description
`InterfaceGuid`	—
`Family`	—

Event ID 4028 — Inside/Outside detection is suspect

Provider: Microsoft-Windows-NCSI
Channel: Operational

Message

Inside/Outside detection is suspect

Event ID 4029 — Entered suspect state on interface %2 (Family: %3 Reason: %4).

Provider: Microsoft-Windows-NCSI
Channel: Analytic

Message

Entered suspect state on interface %2 (Family: %3 Reason: %4)

Fields

Name	Description
`Reason`	—
`InterfaceGuid`	—
`IfLuid`	—
`Family`	—
`SuspectStateReason`	—

Event ID 4030 — Suspect state cancelled on interface %2 (Family: %3).

Provider: Microsoft-Windows-NCSI
Channel: Analytic

Message

Suspect state cancelled on interface %2 (Family: %3)

Fields

Name	Description
`InterfaceGuid`	—
`IfLuid`	—
`Family`	—

Event ID 4031 — Suspect state expired on interface %2 (Family: %3).

Provider: Microsoft-Windows-NCSI
Channel: Analytic

Message

Suspect state expired on interface %2 (Family: %3)

Fields

Name	Description
`InterfaceGuid`	—
`IfLuid`	—
`Family`	—

Event ID 4032 — Entered corporate suspect state on interface %2.

Provider: Microsoft-Windows-NCSI
Channel: Analytic

Message

Entered corporate suspect state on interface %2

Fields

Name	Description
`InterfaceGuid`	—
`IfLuid`	—

Event ID 4033 — Corporate suspect state cancelled on interface %2.

Provider: Microsoft-Windows-NCSI
Channel: Analytic

Message

Corporate suspect state cancelled on interface %2

Fields

Name	Description
`InterfaceGuid`	—
`IfLuid`	—

Event ID 4034 — Corporate suspect state expired on interface %2.

Provider: Microsoft-Windows-NCSI
Channel: Analytic

Message

Corporate suspect state expired on interface %2

Fields

Name	Description
`InterfaceGuid`	—
`IfLuid`	—

Event ID 4035 — Cancelling hotspot detection scenario for interface %1.

Provider: Microsoft-Windows-NCSI
Channel: Analytic

Message

Cancelling hotspot detection scenario for interface %1

Fields

Name	Description
`InterfaceGuid`	—

Event ID 4036 —

Provider: Microsoft-Windows-NCSI
Channel: Analytic

Fields

Name	Description
`InterfaceGuid`	—

Event ID 4037 — Starting hotspot detection for family %2 on interface %1.

Provider: Microsoft-Windows-NCSI
Channel: Analytic

Message

Starting hotspot detection for family %2 on interface %1

Fields

Name	Description
`IfLuid`	—
`Family`	—

Event ID 4038 — Hotspot detected on interface %1 (Family: %2).

Provider: Microsoft-Windows-NCSI
Channel: Operational

Message

Hotspot detected on interface %1 (Family: %2)

Fields

Name	Description
`IfLuid`	—
`Family`	—

Event ID 4039 — Hotspot not detected on interface %1 (Family: %2).

Provider: Microsoft-Windows-NCSI
Channel: Analytic

Message

Hotspot not detected on interface %1 (Family: %2)

Fields

Name	Description
`IfLuid`	—
`Family`	—

Event ID 4040 — Interface %1 (%2) has been connected.

Provider: Microsoft-Windows-NCSI
Channel: Analytic

Message

Interface %1 (%2) has been connected

Fields

Name	Description
`ConnectedInterfaceGuid`	—
`IfLuid`	—

Event ID 4041 — Interface %1 (%2) has been disconnected.

Provider: Microsoft-Windows-NCSI
Channel: Analytic

Message

Interface %1 (%2) has been disconnected

Fields

Name	Description
`DisconnectedInterfaceGuid`	—
`IfLuid`	—

Event ID 4042 — Capability change on %1 (%2 Family: %3 Capability: %4 ChangeReason: %5).

Provider: Microsoft-Windows-NCSI
Channel: Operational
Level: 4
Samples: 1

Message

Capability change on %1 (%2 Family: %3 Capability: %4 ChangeReason: %5)

Fields

Name	Description
`InterfaceGuid`	—
`IfLuid`	—
`Family`	2 Family.
`Capability`	—
`CapabilityChangeReason`	ChangeReason.
`PreviousCapability`	—

Example Event

system:
  provider: Microsoft-Windows-NCSI
  guid: 314DE49F-CE63-4779-BA2B-D616F6963A88
  event_source_name: ''
  event_id: 4042
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 4611686018427387936
  time_created: '2023-11-06T06:25:52.980589+00:00'
  event_record_id: 19
  correlation:
    ActivityID: F590C418-1079-0000-E6C4-90F57910DA01
  execution:
    process_id: 1696
    thread_id: 3516
  channel: Microsoft-Windows-NCSI/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-20
event_data:
  InterfaceGuid: 3D03B11E-98A0-4304-84E2-CD3AAE8EFE1D
  IfLuid: 1689399649632256
  Family: 0
  Capability: 2
  CapabilityChangeReason: 4
  PreviousCapability: 0
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 4043 — Proxied capability change on %1 (%2 Family: %3 ProxiedCapability: %4).

Provider: Microsoft-Windows-NCSI
Channel: Analytic

Message

Proxied capability change on %1 (%2 Family: %3 ProxiedCapability: %4)

Fields

Name	Description
`ProxiedCapability`	—
`InterfaceGuid`	—
`IfLuid`	—
`Family`	—

Event ID 4044 — Passive Poll state change.

Provider: Microsoft-Windows-NCSI
Channel: Analytic

Message

Passive Poll state change (ShouldPassivePollRun: %1 WasPassivePollRunning: %2 IsPassivePollAllowed: %3 ClientPresent: %4 UserPresent: %5 NetworkQuietMode: %6 DeadUserPollCount: %7 DeadNetPollCountV4: %8 DeadNetPollCountV6: %9)

Fields

Name	Description
`ShouldPassivePollRun`	—
`WasPassivePollRunning`	—
`IsPassivePollAllowed`	—
`ClientPresent`	—
`UserPresent`	—
`NetworkQuietMode`	—
`DeadUserPollCount`	—
`DeadNetPollCountV4`	—
`DeadNetPollCountV6`	—

Event ID 4045 — NetReady update on %1 (%2 Family: %3 NetReady: %4).

Provider: Microsoft-Windows-NCSI
Channel: Analytic

Message

NetReady update on %1 (%2 Family: %3 NetReady: %4)

Fields

Name	Description
`NetReady`	—
`InterfaceGuid`	—
`IfLuid`	—
`Family`	—

Event ID 4046 — Corporate connectivity change on %1 (%2 Family: %3 HasCorporateConnectivity: %4).

Provider: Microsoft-Windows-NCSI
Channel: Analytic

Message

Corporate connectivity change on %1 (%2 Family: %3 HasCorporateConnectivity: %4)

Fields

Name	Description
`HasCorporateConnectivity`	—
`InterfaceGuid`	—
`IfLuid`	—
`Family`	—

Event ID 4047 — Default gateway is set on %1 (%2 Family: %3 GatewayIP: %5 GatewayMAC: %7 KnownHotspot: %8 KnownOppInternet: %9 KnownProxiedOppInternet: %10).

Provider: Microsoft-Windows-NCSI
Channel: Analytic

Message

Default gateway is set on %1 (%2 Family: %3 GatewayIP: %5 GatewayMAC: %7 KnownHotspot: %8 KnownOppInternet: %9 KnownProxiedOppInternet: %10)

Fields

Name	Description
`GatewayIP`	—
`GatewayMAC`	2 Family.
`KnownProxyless`	—
`KnownHotspot`	GatewayIP.
`KnownOppInternet`	—
`KnownProxiedOppInternet`	GatewayMAC.
`InterfaceGuid`	—
`IfLuid`	—
`Family`	—
`IpAddressLength`	—
`IpAddress`	—
`MacAddressLength`	—
`MacAddress`	—

Event ID 4048 — Next hop to Internet has changed on %1 (%2 Family: %3 HasNextHopToInternet: %4 NextHopAddress: %6).

Provider: Microsoft-Windows-NCSI
Channel: Analytic

Message

Next hop to Internet has changed on %1 (%2 Family: %3 HasNextHopToInternet: %4 NextHopAddress: %6)

Fields

Name	Description
`HasNextHopToInternet`	—
`NextHopAddress`	2 Family.
`InterfaceGuid`	—
`IfLuid`	—
`Family`	—
`NextHopAddressLength`	—

Event ID 4049 — Preferred address change on %1 (%2 Family: %3 HasPreferredAddress: %4 AddressSuffixOrigins: %5).

Provider: Microsoft-Windows-NCSI
Channel: Analytic

Message

Preferred address change on %1 (%2 Family: %3 HasPreferredAddress: %4 AddressSuffixOrigins: %5)

Fields

Name	Description
`HasPreferredAddress`	—
`AddressSuffixOrigins`	2 Family.
`InterfaceGuid`	—
`IfLuid`	—
`Family`	—

Event ID 4050 — Preferred global address change on %1 (%2 Family: %3 HasPreferredGlobalAddress: %4 AddressSuffixOrigins: %5).

Provider: Microsoft-Windows-NCSI
Channel: Analytic

Message

Preferred global address change on %1 (%2 Family: %3 HasPreferredGlobalAddress: %4 AddressSuffixOrigins: %5)

Fields

Name	Description
`HasPreferredGlobalAddress`	—
`AddressSuffixOrigins`	2 Family.
`InterfaceGuid`	—
`IfLuid`	—
`Family`	—

Event ID 4051 — Active probe result code on interface %1 (%2 Family: %3) = %4.

Provider: Microsoft-Windows-NCSI
Channel: Analytic

Message

Active probe result code on interface %1 (%2 Family: %3) = %4

Fields

Name	Description
`InterfaceGuid`	—
`IfLuid`	—
`Family`	—
`ActiveProbeResultCode`	—

Event ID 4052 — Interface diagnostic for %1 (%2): IPv4 address: %3, IPv6 address: %4, IPv4 capability: %5, IPv6 capability: %6, IPv4 test used: %7, IPv6 test used:...

Provider: Microsoft-Windows-NCSI
Channel: Analytic

Message

Interface diagnostic for %1 (%2): IPv4 address: %3, IPv6 address: %4, IPv4 capability: %5, IPv6 capability: %6, IPv4 test used: %7, IPv6 test used: %8

Fields

Name	Description
`IPv6_address`	—
`IPv4_capability`	2): IPv4 address.
`IPv6_capability`	—
`IPv4_test_used`	—
`IPv6_test_used`	—
`InterfaceGuid`	—
`IfLuid`	—
`HasPreferredGlobalAddressIPv4`	—
`HasPreferredGlobalAddressIPv6`	—
`InternetCapabilityIPv4`	—
`InternetCapabilityIPv6`	—
`InternetTestIPv4`	—
`InternetTestIPv6`	—

Event ID 4053 —

Provider: Microsoft-Windows-NCSI
Channel: Analytic

Fields

Name	Description
`InterfaceGuid`	—
`Family`	—

Event ID 4054 —

Provider: Microsoft-Windows-NCSI
Channel: Analytic

Fields

Name	Description
`InterfaceGuid`	—
`Family`	—