Microsoft-Windows-NetworkSecurity
8 events across 1 channel
Event ID 801: SA Context SaContextID was created.
Event ID 802: SA Context SaContextID: Result=Result.
Event ID 803: SA Context 5nProtocol:\nLocal Address: SaContextID:LocalMask\nRemote Address: LocalAddr:LocalPort\nProtocol: RemoteAddress.
Description
SA Context 5nProtocol:\nLocal Address: SaContextID:LocalMask\nRemote Address: LocalAddr:LocalPort\nProtocol: RemoteAddress.
Message
Fields
| Name | Type | Description |
|---|---|---|
| SaContextID | UInt64 | |
| LocalAddr | UnicodeString | |
| LocalMask | UnicodeString | |
| LocalPort | UInt16 | |
| RemoteAddress | UnicodeString | |
| RemoteMask | UnicodeString | |
| RemotePort | UInt16 | |
| IPProtocol | UInt8 | |
| LocalTunnelEndpt | UnicodeString | |
| RemoteTunnelEndpt | UnicodeString | |
Event ID 804: SA Context SaContextID was deleted.
Event ID 805: SA Context SaContextID: SPI=SPI.
Event ID 806: ----- BEGIN BFE_SA_CONTEXT processing -----
Description
----- BEGIN BFE_SA_CONTEXT processing -----.
Message
Event ID 807: ----- END BFE_SA_CONTEXT processing -----
Description
----- END BFE_SA_CONTEXT processing -----.
Message
Event ID 808: ----- BFE SA CONTEXT ID: (SaContextID) -----.
Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID 7b702970-90bc-4584-8b20-c0799086ee5a
Defined in fwpuclnt.dll, which carries the event manifest.
Observed on:
- WS2022-20348.4893 · schema read from the registered manifest · binary version 10.0.20348.3328 · captured 2026-06-02
- Win11-26200.6584 · schema read from the registered manifest · binary version 10.0.26100.3915 · captured 2026-06-02