Microsoft-Windows-RPC

17 events across 2 channels

Event ID	Title	Channel
1	Extended Error Information.	EEInfo
2	An RPC call was blocked by an RPC firewall filter.	Debug
3	An error occured.	Debug
4	RPC Log Event.	Debug
5	Client RPC call started.	Debug
6	Server RPC call started.	Debug
7	Client RPC call completed.	Debug
8	Server RPC call was completed.	Debug
9	Call failed due to RpcRaiseException.	Debug
10	RPC received a packet	Debug
11	RPC sent a packet	Debug
12	RPC/HTTP start event	Debug
13	RPC/HTTP stop event	Debug
14	RPC interface registered.	Debug
15	RPC interface unregistered.	Debug
16	RPC Server bound to protocol.	Debug
17	RPC interface re-triggering failed with error RPC Status.	Debug

Event ID 1 — Extended Error Information.

Provider: Microsoft-Windows-RPC
Channel: EEInfo
Level: Error
Task: RpcClientCall
Opcode: Stop

Description

Extended Error Information.

Message #

Extended Error Information: 
	ProcessName: %1 
	ComputerName: %2 
	ProcessId: %3 
	Status: %6 
	DetectionLocation: %7

Fields #

Name	Description
`ImageName` UnicodeString	—
`ComputerName` UnicodeString	[Extended Error Information] ComputerName.
`ProcessID` UInt32	—
`TimeStamp` SYSTEMTIME	—
`GeneratingComponent` UInt32	—
`Status` HexInt32	— NTSTATUS reference
`DetectionLocation` UInt16	—
`Flags` UInt16	—
`NumberOfParameters` UInt16	—
`Params` UInt64	—
`ProcessName`	[Extended Error Information] ProcessName.
`ProcessId`	[Extended Error Information] ProcessId.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-RPC",
    "guid": "{6ad52b32-d609-4be9-ae07-ce8dae937e39}",
    "event_source_name": "",
    "event_id": "1",
    "version": "1",
    "level": "2",
    "task": "1",
    "opcode": "2",
    "keywords": 9223372036854775808,
    "time_created": "2026-03-15T23:30:32.748148700+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{ddfcc07c-682f-4c87-aa7a-a64b052307bc}"
    },
    "execution": {
      "process_id": "7800",
      "thread_id": "1480"
    },
    "channel": "Microsoft-Windows-RPC/EEInfo",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ImageName": "DFSRs.exe",
    "ComputerName": "",
    "ProcessID": "    7800",
    "TimeStamp": "2026-03-15T23:30:32.749Z",
    "GeneratingComponent": "       2",
    "Status": "0x6D9",
    "DetectionLocation": "883",
    "Flags": "0",
    "NumberOfParameters": "0",
    "Params": "\n\t\t"
  },
  "message": ""
}

Event ID 2 — An RPC call was blocked by an RPC firewall filter.

Provider: Microsoft-Windows-RPC
Channel: Debug
Task: RpcServerCall

Description

An RPC call was blocked by an RPC firewall filter.

Message #

An RPC call was blocked by an RPC firewall filter. 
	ProcessName: %1 
	InterfaceUuid: %2 
	RpcFilterKey: %3

Fields #

Name	Description
`ProcessName` UnicodeString	—
`InterfaceUuid` GUID	—
`RpcFilterKey` GUID	—
`ImangeName` UnicodeString	—
`FilterKey` GUID	—

Event ID 3 — An error occured.

Provider: Microsoft-Windows-RPC
Channel: Debug

Description

An error occured.

Message #

An error occured. 
	ProcessName: %1 
	DetectionLocation: %2 
	Status: %3 
	AdditionaData: %4 
	AddtionalData: %5

Fields #

Name	Description
`ProcessName` UnicodeString	—
`DetectionLocation` UInt16	—
`Status` UInt32	— NTSTATUS reference
`AdditionaData` HexInt32	—
`AddtionalData` HexInt32	—
`ImageName` UnicodeString	—
`AdditionalData1` HexInt32	—
`AdditionalData2` HexInt32	—

Event ID 4 — RPC Log Event.

Provider: Microsoft-Windows-RPC
Channel: Debug
Level: Verbose
Task: Debug

Description

RPC Log Event.

Message #

RPC Log Event. 
	Subject: %1 	Verb: %2 	SubjectPointer: %3 	ObjectPointer: %4 	Data: %5

Fields #

Name	Description
`Subject` UInt8	—
`Verb` UInt8	—
`SubjectPointer` UInt64	—
`ObjectPointer` UInt64	—
`DataPointer` UInt64	—
`Data` UInt64	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-RPC",
    "guid": "{6ad52b32-d609-4be9-ae07-ce8dae937e39}",
    "event_source_name": "",
    "event_id": "4",
    "version": "1",
    "level": "5",
    "task": "3",
    "opcode": "0",
    "keywords": 4611686018427387904,
    "time_created": "2026-03-15T04:33:21.215462200+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{3752554e-5fb8-4d7f-a7ce-5882de61dd12}"
    },
    "execution": {
      "process_id": "1208",
      "thread_id": "15148"
    },
    "channel": "Microsoft-Windows-RPC/Debug",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Subject": "108",
    "Verb": "45",
    "SubjectPointer": "0x256B32635E0",
    "ObjectPointer": "0x0",
    "DataPointer": "0x1"
  },
  "message": ""
}

Event ID 5 — Client RPC call started.

Provider: Microsoft-Windows-RPC
Channel: Debug
Level: Informational
Task: RpcClientCall
Opcode: Start

Description

Client RPC call started. InterfaceUuid: InterfaceUuid OpNum: ProcNum Protocol: Protocol NetworkAddress NetworkAddress Endpoint Endpoint Binding Options Options Authentication Level AuthenticationLevel Authentication Service AuthenticationService Impersonation Level ImpersonationLevel.

Message #

Client RPC call started. 	InterfaceUuid: %1 	OpNum: %2 	Protocol: %3 	NetworkAddress 	%4 	Endpoint 	%5 	Binding Options 	%6 	Authentication Level 	%7 	Authentication Service 	%8 Impersonation Level 	%9

Fields #

Name	Description
`InterfaceUuid` GUID	—
`ProcNum` UInt32	—
`Protocol` UInt32	— Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`NetworkAddress` UnicodeString	—
`Endpoint` UnicodeString	—
`Options` UnicodeString	—
`AuthenticationLevel` UInt32	—
`AuthenticationService` UInt32	—
`ImpersonationLevel` UInt32	— Known values `%%1831` Anonymous `%%1832` Identification `%%1833` Impersonation `%%1840` Delegation
`OpNum`	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-RPC",
    "guid": "{6ad52b32-d609-4be9-ae07-ce8dae937e39}",
    "event_source_name": "",
    "event_id": "5",
    "version": "1",
    "level": "4",
    "task": "1",
    "opcode": "1",
    "keywords": 4611686018427387904,
    "time_created": "2026-03-15T04:33:21.215705400+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{a5815ac6-1491-48eb-83e1-5dce6480a060}"
    },
    "execution": {
      "process_id": "7284",
      "thread_id": "6724"
    },
    "channel": "Microsoft-Windows-RPC/Debug",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "InterfaceUuid": "{4f32adc8-6052-4a04-8701-293ccf2096f0}",
    "ProcNum": "0xE",
    "Protocol": "       3",
    "NetworkAddress": "NULL",
    "Endpoint": "lsasspirpc",
    "Options": "NULL",
    "AuthenticationLevel": "       6",
    "AuthenticationService": "      20",
    "ImpersonationLevel": "       0"
  },
  "message": ""
}

Event ID 6 — Server RPC call started.

Provider: Microsoft-Windows-RPC
Channel: Debug
Level: Informational
Task: RpcServerCall
Opcode: Start

Description

Server RPC call started. InterfaceUuid: InterfaceUuid OpNum: ProcNum Protocol: Protocol Endpoint Endpoint Authentication Level AuthenticationLevel Authentication Service AuthenticationService.

Message #

Server RPC call started. 	InterfaceUuid: %1 	OpNum: %2 	Protocol: %3 	Endpoint 	%5 	Authentication Level 	%7 	Authentication Service 	%8

Fields #

Name	Description
`InterfaceUuid` GUID	—
`ProcNum` UInt32	—
`Protocol` UInt32	— Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`NetworkAddress` UnicodeString	—
`Endpoint` UnicodeString	—
`Options` UnicodeString	—
`AuthenticationLevel` UInt32	—
`AuthenticationService` UInt32	—
`ImpersonationLevel` UInt32	— Known values `%%1831` Anonymous `%%1832` Identification `%%1833` Impersonation `%%1840` Delegation
`OpNum`	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-RPC",
    "guid": "{6ad52b32-d609-4be9-ae07-ce8dae937e39}",
    "event_source_name": "",
    "event_id": "6",
    "version": "1",
    "level": "4",
    "task": "2",
    "opcode": "1",
    "keywords": 4611686018427387904,
    "time_created": "2026-03-15T04:33:21.215559300+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{8c1139c0-0115-4536-ab2e-f8988fa6709c}"
    },
    "execution": {
      "process_id": "7284",
      "thread_id": "6724"
    },
    "channel": "Microsoft-Windows-RPC/Debug",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "InterfaceUuid": "{9556dc99-828c-11cf-a37e-00aa003240c7}",
    "ProcNum": "0x13",
    "Protocol": "       3",
    "NetworkAddress": "NULL",
    "Endpoint": "OLEA4C20506C22A06548F25B11DD64D",
    "Options": "NULL",
    "AuthenticationLevel": "       6",
    "AuthenticationService": "      20",
    "ImpersonationLevel": "       0"
  },
  "message": ""
}

Event ID 7 — Client RPC call completed.

Provider: Microsoft-Windows-RPC
Channel: Debug
Level: Informational
Task: RpcClientCall
Opcode: Stop

Description

Client RPC call completed. Status: Status.

Message #

Client RPC call completed. 	Status: %1

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-RPC",
    "guid": "{6ad52b32-d609-4be9-ae07-ce8dae937e39}",
    "event_source_name": "",
    "event_id": "7",
    "version": "1",
    "level": "4",
    "task": "1",
    "opcode": "2",
    "keywords": 4611686018427387904,
    "time_created": "2026-03-15T04:33:21.215489700+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{49470a04-b8d9-40fa-a695-fb986574536f}"
    },
    "execution": {
      "process_id": "4020",
      "thread_id": "2900"
    },
    "channel": "Microsoft-Windows-RPC/Debug",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Status": "0x0"
  },
  "message": ""
}

Event ID 8 — Server RPC call was completed.

Provider: Microsoft-Windows-RPC
Channel: Debug
Level: Informational
Task: RpcServerCall
Opcode: Stop

Description

Server RPC call was completed. Status: Status.

Message #

Server RPC call was completed. 	Status: %1

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-RPC",
    "guid": "{6ad52b32-d609-4be9-ae07-ce8dae937e39}",
    "event_source_name": "",
    "event_id": "8",
    "version": "1",
    "level": "4",
    "task": "2",
    "opcode": "2",
    "keywords": 4611686018427387904,
    "time_created": "2026-03-15T04:33:21.215464600+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{3752554e-5fb8-4d7f-a7ce-5882de61dd12}"
    },
    "execution": {
      "process_id": "1208",
      "thread_id": "15148"
    },
    "channel": "Microsoft-Windows-RPC/Debug",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Status": "0x0"
  },
  "message": ""
}

Event ID 9 — Call failed due to RpcRaiseException.

Provider: Microsoft-Windows-RPC
Channel: Debug
Level: Verbose

Description

Call failed due to RpcRaiseException. Status: Status.

Message #

Call failed due to RpcRaiseException. 	Status: %1

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-RPC",
    "guid": "{6ad52b32-d609-4be9-ae07-ce8dae937e39}",
    "event_source_name": "",
    "event_id": "9",
    "version": "1",
    "level": "5",
    "task": "0",
    "opcode": "0",
    "keywords": 4611686018427387904,
    "time_created": "2026-03-15T23:30:32.748153900+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{ddfcc07c-682f-4c87-aa7a-a64b052307bc}"
    },
    "execution": {
      "process_id": "7800",
      "thread_id": "1480"
    },
    "channel": "Microsoft-Windows-RPC/Debug",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Status": "0x6D9"
  },
  "message": ""
}

Event ID 10 — RPC received a packet

Provider: Microsoft-Windows-RPC
Channel: Debug
Task: Debug

Description

RPC received a packet.

Message #

RPC received a packet

Fields #

Name	Description
`SubjectPointer` UInt64	—
`FragmentSize` UInt32	—
`Fragment` Binary	—

Event ID 11 — RPC sent a packet

Provider: Microsoft-Windows-RPC
Channel: Debug
Task: Debug

Description

RPC sent a packet.

Message #

RPC sent a packet

Fields #

Name	Description
`SubjectPointer` UInt64	—
`FragmentSize` UInt32	—
`Fragment` Binary	—

Event ID 12 — RPC/HTTP start event

Provider: Microsoft-Windows-RPC
Channel: Debug
Task: Debug
Opcode: Start

Description

RPC/HTTP start event.

Message #

RPC/HTTP start event

Fields #

Name	Description
`ObjectType` UInt32	—
`Operation` UInt32	— Known values `%%2456` Open key file. `%%2457` Delete key file. `%%2458` Read persisted key from file. `%%2459` Write persisted key to file. `%%2464` Export of persistent cryptographic key. `%%2465` Import of persistent cryptographic key. `%%2480` Open Key. `%%2481` Create Key. `%%2482` Delete Key. `%%2483` Encrypt. `%%2484` Decrypt. `%%2485` Sign hash. `%%2486` Secret agreement. `%%2487` Domain settings. `%%2488` Local settings. `%%2489` Add provider. `%%2490` Remove provider. `%%2491` Add context. `%%2492` Remove context. `%%2493` Add function. `%%2494` Remove function. `%%2495` Add function provider. `%%2496` Remove function provider. `%%2497` Add function property. `%%2498` Remove function property. `%%2499` Machine key. `%%2500` User key. `%%2501` Key Derivation. `%%2502` Claim Creation. `%%2503` Claim Verification.
`Address` UInt64	—
`Data` UInt64	—

Event ID 13 — RPC/HTTP stop event

Provider: Microsoft-Windows-RPC
Channel: Debug
Task: Debug
Opcode: Stop

Description

RPC/HTTP stop event.

Message #

RPC/HTTP stop event

Fields #

Name	Description
`ObjectType` UInt32	—
`Operation` UInt32	— Known values `%%2456` Open key file. `%%2457` Delete key file. `%%2458` Read persisted key from file. `%%2459` Write persisted key to file. `%%2464` Export of persistent cryptographic key. `%%2465` Import of persistent cryptographic key. `%%2480` Open Key. `%%2481` Create Key. `%%2482` Delete Key. `%%2483` Encrypt. `%%2484` Decrypt. `%%2485` Sign hash. `%%2486` Secret agreement. `%%2487` Domain settings. `%%2488` Local settings. `%%2489` Add provider. `%%2490` Remove provider. `%%2491` Add context. `%%2492` Remove context. `%%2493` Add function. `%%2494` Remove function. `%%2495` Add function provider. `%%2496` Remove function provider. `%%2497` Add function property. `%%2498` Remove function property. `%%2499` Machine key. `%%2500` User key. `%%2501` Key Derivation. `%%2502` Claim Creation. `%%2503` Claim Verification.
`Address` UInt64	—
`Data` UInt64	—

Event ID 14 — RPC interface registered.

Provider: Microsoft-Windows-RPC
Channel: Debug
Level: Informational
Task: FunctionTrace
Opcode: Start

Description

RPC interface registered. Interface UUID InterfaceUuid TypeMgr TypeMgrUuid Flags Flags Max Calls Max Calls.

Message #

RPC interface registered. 	Interface UUID %1	TypeMgr %2	Flags %3	Max Calls %4

Fields #

Name	Description
`InterfaceUuid` GUID	—
`TypeMgrUuid` GUID	—
`Flags` UInt32	—
`Max Calls` UInt32	—
`SDSize` UInt32	—
`SD` Binary	—
`MaxCalls` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-RPC",
    "guid": "{6ad52b32-d609-4be9-ae07-ce8dae937e39}",
    "event_source_name": "",
    "event_id": "14",
    "version": "1",
    "level": "4",
    "task": "4",
    "opcode": "1",
    "keywords": 4611686018427387904,
    "time_created": "2026-03-15T04:33:34.952456400+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{6ac3d8ef-0d1a-428d-b5ba-29d4db562727}"
    },
    "execution": {
      "process_id": "4368",
      "thread_id": "10432"
    },
    "channel": "Microsoft-Windows-RPC/Debug",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "InterfaceUuid": "{00000001-0000-0000-c000-000000000046}",
    "TypeMgrUuid": "{00000000-0000-0000-0000-000000000000}",
    "Flags": "0x53",
    "Max Calls": "    1234",
    "SDSize": "     164",
    "SD": "0x0100048000000000000000000000000014000000020090000200000000001400FFFFF3EF01010000000000010000000000001400FFFFF3EF010100000000000507000000000000000000000000000000000000000000000000000000FFFFFFFF0000000000000000000000000000000000000000000000000000000000000000000000000100000004000000000000000000000000000000000000000000000000000000"
  },
  "message": ""
}

Event ID 15 — RPC interface unregistered.

Provider: Microsoft-Windows-RPC
Channel: Debug
Level: Informational
Task: FunctionTrace
Opcode: Stop

Description

RPC interface unregistered. Interface UUID InterfaceUuid TypeMgr.

Message #

RPC interface unregistered. 	Interface UUID %1	TypeMgr

Fields #

Name	Description
`InterfaceUuid` GUID	—
`TypeMgrUuid` GUID	—
`Flags` UInt32	—
`Max Calls` UInt32	—
`MaxCalls` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-RPC",
    "guid": "{6ad52b32-d609-4be9-ae07-ce8dae937e39}",
    "event_source_name": "",
    "event_id": "15",
    "version": "1",
    "level": "4",
    "task": "4",
    "opcode": "2",
    "keywords": 4611686018427387904,
    "time_created": "2026-03-15T23:26:30.306713200+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{00000000-0000-0000-0000-000000000000}"
    },
    "execution": {
      "process_id": "13380",
      "thread_id": "9092"
    },
    "channel": "Microsoft-Windows-RPC/Debug",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "InterfaceUuid": "{18f70770-8e64-11cf-9af1-0020af6e72f4}",
    "TypeMgrUuid": "{00000000-0000-0000-0000-000000000000}",
    "Flags": "0x0",
    "Max Calls": "       0"
  },
  "message": ""
}

Event ID 16 — RPC Server bound to protocol.

Provider: Microsoft-Windows-RPC
Channel: Debug
Level: Informational
Task: FunctionTrace
Opcode: Start

Description

RPC Server bound to protocol. Protocol Protocol Endpoint Endpoint.

Message #

RPC Server bound to protocol. 	Protocol %1	Endpoint %2

Fields #

Name	Description
`Protocol` UnicodeString	— Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`Endpoint` UnicodeString	—
`NetworkAddress` UnicodeString	—
`PendingQueueSize` UInt32	—
`EndpointFlags` UInt32	—
`NicFlags` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-RPC",
    "guid": "{6ad52b32-d609-4be9-ae07-ce8dae937e39}",
    "event_source_name": "",
    "event_id": "16",
    "version": "1",
    "level": "4",
    "task": "4",
    "opcode": "1",
    "keywords": 4611686018427387904,
    "time_created": "2026-03-15T23:27:13.914822600+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{00000000-0000-0000-0000-000000000000}"
    },
    "execution": {
      "process_id": "10844",
      "thread_id": "8932"
    },
    "channel": "Microsoft-Windows-RPC/Debug",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Protocol": "ncalrpc",
    "Endpoint": "OLE173E898F7677BDB64DE2071842AC",
    "NetworkAddress": "NULL",
    "PendingQueueSize": "      11",
    "EndpointFlags": "0x0",
    "NicFlags": "0x0"
  },
  "message": ""
}

Event ID 17 — RPC interface re-triggering failed with error RPC Status.

Provider: Microsoft-Windows-RPC
Channel: Debug

Description

RPC interface re-triggering failed with error RPC Status.

Message #

RPC interface re-triggering failed with error %1.

Fields #

Name	Description
`RPC Status` HexInt32	—
`RPCStatus` HexInt32	—