Message

Create SrvCall Error: %1 Location: %2 Context: %3

Fields

Message

Session Setup Error: %1 Location: %2 Context: %3

Fields

Message

Tree Connect Error: %1 Location: %2 Context: %3

Fields

Message

Create VNetRoot Error: %1 Location: %2 Context: %3

Fields

Message

Create File Error: %1 Location: %2 Context: %3

Fields

Message

Packet Fragment (%2 bytes)

Fields

Message

Transitioned to State: %1 Context: %2

Fields

Message

SMB ISC request: SessionEntry {SessionEntry} ServerName {ServerName}

Fields

Message

SMB ISC completion: SessionEntry {SessionEntry} ServerName {ServerName} Status {Status}

Fields

Message

SMB exchange suspended: RxContext %1 Exchange %2 ListHead %3

Fields

Message

SMB exchange resumed: RxContext %1 Exchange %2 ExchangeState %3 ExchangeStatus %4

Fields

Message

SMB buffer context suspended: BufferCtxt %1 Exchange %2 MidCharge %3 Window %4 CurrentWindowLimit %5 ThrottlingWindowLimit %6 CurrentWindowSize %7

Fields

Message

SMB buffer context resumed: BufferCtxt %1 Exchange %2 MidCharge %3 Window %4 CurrentWindowLimit %5 ThrottlingWindowLimit %6 CurrentWindowSize %7

Fields

Message

SMB exchange expired: Exchange {Exchange} Window {Window}

Fields

Message

SMB Mid window blocked: Window %1 HungSession %2

Fields

Message

SMB rechunk multi-credit request: BufferCtxt %1 Exchange %2 MidCharge %3 Window %4 CurrentWindowLimit %5 ThrottlingWindowLimit %6 CurrentWindowSize %7

Fields

Message

SMB initialize Mid window: Server %2 Window %3

Fields

Message

SMB Mid window state: Window %1 CurrentWindowSize %2 CurrentWindowLimit %3 ThrottlingWindowLimit %4 OldestPendingMid %5 NextAvailableMid %6 CreditsGranted %7

Fields

Message

SMB teardown Mid window: Server %2 Window %3

Fields

Message

SMB copy data completion: Status %1 VcEndpoint %2

Fields

Message

SMB send completion: Status %1 VcEndpoint %2

Fields

Message

WSK get address info request: ServerName {ServerName} Irp {Irp}

Fields

Message

WSK get address info completion: Irp {Irp} Status {Status}

Fields

Message

WSK connect: SocketAddress %2 VcEndpoint %3 Socket %4

Fields

Message

WSK connect completion: VcEndpoint %1 Socket %2 Status %3

Fields

Message

WSK send: VcEndpoint %1 Socket %2 SendMdl %3 SendLength %4

Fields

Message

WSK send completion: VcEndpoint %1 Socket %2 SendMdl %3 SendLength %4 Status %5

Fields

Message

WSK receive: VcEndpoint %1 Socket %2 ReceiveMdl %3 ReceiveLength %4

Fields

Message

WSK receive completion: VcEndpoint %1 Socket %2 ReceiveMdl %3 ReceiveLength %4 Status %5

Fields

Message

Compression requested for file object %3: Status %4

Fields

Message

Decompression failed: VcEndpoint %1 Socket %2 ReceiveBuffer %3 ReceiveLength %4 Status %5

Fields

Message

Compression failed: VcEndpoint %1 Socket %2 SendBuffer %3 SendLength %4 Status %5

Fields

Message

SMB session expired: SessionEntry %1 ServerName %3

Fields

Message

SMB 3 part SPN reauth: SessionEntry %1 ServiceName %3

Fields

Message

SMB reconnect durable open: Fcb %1 SrvOpen %2

Fields

Message

SMB defer open: Fcb %1 SrvOpen %2

Fields

Message

SMB undefer open: Fcb %1 SrvOpen %2

Fields

Message

SMB send[%1]: [%2] (Mid/Sid/Tid) (%3/%4/%5) MidCharge %6 Creds %7 SendLengh %8 VcEndpoint %9

Fields

Message

SMB receive: [%1] (Mid/Sid/Tid) (%2/%4/%5) Creds %6 Status %7 VcEndpoint %8

Fields

Message

SMB receive interim: [%1] (Mid/AsyncId/Sid/Tid) (%2/%3/%4/%5) Creds %6 Status %7 VcEndpoint %8

Fields

Message

SMB receive async: [%1] (AsyncId/Sid/Tid) (%3/%4/%5) Creds %6 Status %7 VcEndpoint %8

Fields

Message

SMB registry key: %1 = %2

Fields

Message

SMB update file info cache: RxContext %1 Fcb %2 FileName %4

Fields

Message

SMB fetch file info cache: RxContext %1 Fcb %2 FileName %4 Status %5

Fields

Message

SMB invalidate file info cache: RxContext %1 Fcb %2 FileName %4

Fields

Message

SMB update file not found cache: RxContext %1 Fcb %2 FileName %4

Fields

Message

SMB fetch file not found cache: RxContext %1 Fcb %2 FileName %4 Result %5

Fields

Message

SMB invalidate file not found cache: RxContext %1 Fcb %2 FileName %4

Fields

Message

SMB populate dir cache: RxContext %1 Fcb %2 DirName %4

Fields

Message

SMB fetch dir cache: RxContext %1 Fcb %2 FileName %4 Status %5

Fields

Message

Session %1 to %6 transitioned from [%2] to [%3] with Status %4

Fields

Message

Share connection %1 to %6 transitioned from [%2] to [%3] with Status %4

Fields

Message

Open handle %1 to %10%12 transitioned from [%5] to [%6] with Status %7

Fields

Message

The local computer didn't received an SMB1 negotiate response in the last 20 minutes.n
Guidance:

This event indicates that no attempt was made to contact this computer via the SMB1 protocol. After %1 online days of no SMB1 contact attempts, the SMB1 Client service will automatically uninstall.

Fields

Message

Failed to reconnect a persistent handle.

Error: %7

FileId: %2:%3
CreateGUID: %4
Path: %10%12

Reason: %8

Previous reconnect error: %13
Previous reconnect reason: %14

Guidance:
A persistent handle allows transparent failover on Windows File Server clusters. This event has many causes and does not always indicate an issue with SMB. Review online documentation for troubleshooting information.

Fields

Message

Failed to reconnect a resilient handle.

Error: %7

FileId: %2:%3
Path: %10%12

Reason: %8.

Previous reconnect error: %13
Previous reconnect reason: %14

Guidance:
A resilient handle provides guarantees to applications requesting it. This event has many causes and does not always indicate an issue with SMB. Review online documentation for troubleshooting information.

Fields

Message

Failed to open a persistent handle.

Error: %7

FileId: %2:%3
CreateGUID: %4
Path: %10%12

Reason: %8

Guidance:
A persistent handle allows transparent failover on Windows File Server clusters. This event has many causes and does not always indicate an issue with SMB. Review online documentation for troubleshooting information.

Fields

Message

Persistent handle {PersistentFID}:{VolatileFID} CreateGUID {CreateGUID} to {Object}0{Object}2 was orphaned.

Fields

Message

Resilient handle {PersistentFID}:{VolatileFID} to {Object}0{Object}2 was orphaned.

Fields

Message

Connection to server {ServerName} IP Address {RemoteAddress} was aborted.

Fields

Message

Session to server {ObjectName} was lost Status {Status}

Fields

Message

Session to server {ObjectName} was re-established.

Fields

Message

Connection to share {ObjectName} was lost. Status {Status}

Fields

Message

Connection to share {ObjectName} was re-established.

Fields

Message

Handle {PersistentFID}:{VolatileFID} CreateGUID {CreateGUID} to {Object}0{Object}2 granted without persistence.

Fields

Message

The SMB client received a request to move file server cluster {ServerName} to IP address {RemoteAddress}

Fields

Message

The SMB client successfully moved file server cluster {ServerName} to IP address {RemoteAddress}

Fields

Message

The SMB client failed to move file server cluster {ServerName}. Error: {Status}

Fields

Message

The server {ServerName} does not support multichannel

Fields

Message

An invalid FSCTL_QUERY_NETWORK_INTERFACE_INFO response was sent by the server %2

Fields

Message

The client failed to connect to the server %2 from the local IP address %4 to the remote IP address %6 over TCP transport. Error: %7

Fields

Message

The client failed to connect to the server %2 from the local IP address %4 to the remote IP address %6 over RDMA transport. Error: %7

Fields

Message

The client connected to the server %2 from the local IP address %4 to the remote IP address %6 over TCP transport successfully

Fields

Message

The client connected to the server %2 from the local IP address %4 to the remote IP address %6 over RDMA transport successfully

Fields

Message

The client can not connect to the server {ServerName} due to a multichannel constraint registry setting

Fields

Message

The server name cannot be resolved.

Error: %2

Server name: %4

Guidance:
The client cannot resolve the server address in DNS or WINS. This issue often manifests immediately after joining a computer to the domain, when the client's DNS registration may not yet have propagated to all DNS servers. You should also expect this event at system startup on a DNS server (such as a domain controller) that points to itself for the primary DNS. You should validate the DNS client settings on this computer using IPCONFIG /ALL and NSLOOKUP.

Fields

Example Event

system:
  provider: Microsoft-Windows-SMBClient
  guid: 988C59C5-0A1C-45B6-A555-0C62276E327D
  event_source_name: ''
  event_id: 30800
  version: 0
  level: 2
  task: 0
  opcode: 0
  keywords: 288230376151711808
  time_created: '2022-04-07T16:53:50.061721+00:00'
  event_record_id: 19
  correlation: {}
  execution:
    process_id: 4
    thread_id: 592
  channel: Microsoft-Windows-SmbClient/Connectivity
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-18
event_data:
  Reason: 1
  Status: 3221226021
  ServerNameLength: 8
  ServerName: sigma.fr
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

%1.

Error: %2

Server name: %4

Fields

Message

%1.

Error: %2

Server name: %4

Fields

Message

Failed to establish a network connection.

Error: %2

Server name: %4
Server address: %6!S!
Connection type: %7

Guidance:
This indicates a problem with the underlying network or transport, such as with TCP/IP, and not with SMB. A firewall that blocks TCP port 445, or TCP port 5445 when using an iWARP RDMA adapter, can also cause this issue.

Fields

Message

A network connection was disconnected.

Server name: %4
Server address: %6!S!
Connection type: %7

Guidance:
This indicates that the client's connection to the server was disconnected.

Frequent, unexpected disconnects when using an RDMA over Converged Ethernet (RoCE) adapter may indicate a network misconfiguration. RoCE requires Priority Flow Control (PFC) to be configured for every host, switch and router on the RoCE network. Failure to properly configure PFC will cause packet loss, frequent disconnects and poor performance.

Fields

Message

The client lost its session to the server.

Error: %1

Server name: %5
Session ID: %2

Guidance:
If the server is a Windows Failover Cluster file server, then this message occurs when the file share moves between cluster nodes. There should also be an anti-event 30806 indicating the session to the server was re-established. If the server is not a failover cluster, it is likely that the server was previously online, but it is now inaccessible over the network.

Fields

Message

The client re-established its session to the server.

Server name: %5
Server address: %7!S!
Session ID: %2

Guidance:
You should expect this event if there was a previous event 30805, but the client successfully resumed the cached connection before the timeout expired.

Fields

Message

The connection to the share was lost.

Error: %1

Share name: %5
Session ID: %2
Tree ID: %3

Guidance:
If the server is a Windows Failover Cluster file server, then this message occurs when the file share moves between cluster nodes. There should also be an anti-event 30808 indicating the session to the server was re-established. If the server is not a failover cluster, it is likely that the server was previously online, but it is now inaccessible over the network.

Fields

Message

The connection to the share was re-established.

Share name: %5
Server address: %7!S!
Session ID: %2
Tree ID: %3

Guidance:
You should expect this event if there was a previous event 30807, but the client successfully resumed the cached connection before the timeout expired.

Fields

Message

A request timed out because there was no response from the server.

Server name: %6
Session ID:%3
Tree ID:%4
Message ID:%2
Command: %1
Instance Name: %9
RetryCount: %10
ElapsedTime(ms): %11

Guidance:
The server is responding over TCP but not over SMB. Ensure the Server service is running and responsive, and the disks do not have high per-IO latency, which makes the disks appear unresponsive to SMB. Also, ensure the server is responsive overall and not paused; for instance, make sure you can log on to it.

Fields

Message

Added a TCP/IP transport interface.

Name: %2
InterfaceIndex: %3

Guidance:
A TCP/IP binding was added to the specified network adapter for the SMB client. The SMB client can now send and receive SMB traffic on this network adapter using TCP/IP. You should expect this event when a computer restarts or when a previously disabled network adaptor is re-enabled. No user action is required.

Fields

Example Event

system:
  provider: Microsoft-Windows-SMBClient
  guid: 988C59C5-0A1C-45B6-A555-0C62276E327D
  event_source_name: ''
  event_id: 30810
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 288230376151711808
  time_created: '2023-11-06T06:25:42.647569+00:00'
  event_record_id: 86
  correlation: {}
  execution:
    process_id: 4
    thread_id: 428
  channel: Microsoft-Windows-SmbClient/Connectivity
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  NameLength: 9
  Name: Ethernet1
  IfIndex: 4
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

Deleted a TCP/IP transport interface.

Name: %2
InterfaceIndex: %3

Guidance:
A TCP/IP binding was removed from the specified network adapter for the SMB client. You should expect this event when a computer shuts down or when a previously enabled network adaptor is disabled. No user action is required.

Fields

Example Event

system:
  provider: Microsoft-Windows-SMBClient
  guid: 988C59C5-0A1C-45B6-A555-0C62276E327D
  event_source_name: ''
  event_id: 30811
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 288230376151711808
  time_created: '2023-11-06T06:25:42.599960+00:00'
  event_record_id: 84
  correlation: {}
  execution:
    process_id: 4
    thread_id: 428
  channel: Microsoft-Windows-SmbClient/Connectivity
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  NameLength: 9
  Name: Ethernet1
  IfIndex: 4
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

Added a TDI transport interface.

Name: %2

Guidance:
A TDI (NetBIOS) binding was added to the specified network adapter for the SMB client. The SMB client can now send and receive SMB traffic on this network adapter using TDI. You should expect this event when a computer restarts or when a previously disabled network adaptor is re-enabled. No user action is required.

Fields

Example Event

system:
  provider: Microsoft-Windows-SMBClient
  guid: 988C59C5-0A1C-45B6-A555-0C62276E327D
  event_source_name: ''
  event_id: 30812
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 288230376151711808
  time_created: '2023-11-06T06:25:42.665527+00:00'
  event_record_id: 88
  correlation: {}
  execution:
    process_id: 4
    thread_id: 224
  channel: Microsoft-Windows-SmbClient/Connectivity
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  ServerNameLength: 58
  ServerName: \Device\NetBT_Tcpip_{3D03B11E-98A0-4304-84E2-CD3AAE8EFE1D}
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

Deleted a TDI transport interface.

Name: %2

Guidance:
A TDI (NetBIOS) binding was removed from the specified network adapter for the SMB client. You should expect this event when a computer shuts down or when a previously enabled network adaptor is disabled. No user action is required.

Fields

Example Event

system:
  provider: Microsoft-Windows-SMBClient
  guid: 988C59C5-0A1C-45B6-A555-0C62276E327D
  event_source_name: ''
  event_id: 30813
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 288230376151711808
  time_created: '2023-11-06T06:25:42.600171+00:00'
  event_record_id: 85
  correlation: {}
  execution:
    process_id: 4
    thread_id: 224
  channel: Microsoft-Windows-SmbClient/Connectivity
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  ServerNameLength: 58
  ServerName: \Device\NetBT_Tcpip_{3D03B11E-98A0-4304-84E2-CD3AAE8EFE1D}
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

Witness registration has completed.

Status: %1

Cluster share name: %4
Cluster share type: %2
File server cluster address: %6!S!

Guidance:
The client successfully registered with the SMB Witness through RPC using TCP (port 135, then an endpoint port above 1023). No action is required.

Fields

Message

Witness deregistration has completed.

Status: %1

Cluster share name: %4
Cluster share type: %2

Guidance:
The client successfully de-registered with the SMB Witness through RPC using TCP (port 135, then an endpoint port above 1023). No action is required.

Fields

Message

The server failed the negotiate request.

Error: %2

Server name: %4

Guidance:
The server does not support any dialect that the client is trying to negotiate, such as the client has SMB2/SMB3 disabled and the server has SMB1 disabled.

Fields

Message

Close request failed.

Error: %2

Path: %4%6

Guidance:
A persistent handle (Continuous Availability) or a resilient handle failed to close.

Fields

Message

RDMA interfaces are available but the client failed to connect to the server over RDMA transport.

Server name: %2

Guidance:
Both client and server have RDMA (SMB Direct) adaptors but there was a problem with the connection and the client had to fall back to using TCP/IP SMB (non-RDMA).

Fields

Message

The SMB client received a request to move to a different node on a file server cluster.

File server cluster name: %4
New file server cluster address: %6!S!

Guidance:
Continuous Availability (Transparent Failover) is in use and the client computer is going to move to a different node after an SMB witness request over RPC using TCP (first contacting port 135, then contacting an endpoint port above 1023). No user action is required.

Fields

Message

The SMB client successfully moved to a different node on a file server cluster.

File server cluster name: %4
 New file server cluster address: %6!S!

Guidance:
Continuous Availability (Transparent Failover) is in use and the client computer successfully moved to a different node after an SMB witness request over RPC using TCP (first contacting port 135, then contacting an endpoint port above 1023). No user action is required.

Fields

Message

The SMB client failed to move to a different node on a file server cluster.

Error: %1

File server cluster name: %4

Guidance:
Continuous Availability (Transparent Failover) is in use and the client computer failed to move to a different node after an SMB witness request over RPC using TCP (first contacting port 135, then contacting an endpoint port above 1023). The attempt to connect to the destination server failed, which is typically due to a network configuration issue. For example, this issue may occur if the destination node's IP address cannot be resolved, if the destination node is behind a firewall, or if there is no network route from the client to the node.

Fields

Message

Failed to establish an SMB multichannel network connection.

Error: %2

Server name: %4
Server address: %6!S!
Client address: %7!S!
Instance name: %9
Connection type: %10

Guidance:
This indicates a problem with the underlying network or transport, such as with TCP/IP or QUIC/UDP, and not with SMB. A firewall that blocks TCP port 445 or UDP port 443 or TCP port 5445 when using an iWARP RDMA adapter can also cause this issue. Since the error occurred while trying to connect extra channels, it will not result in an application error. This event is for diagnostics only.

Fields

Message

The connection was terminated due to one or more IO request timeouts.

Error: %2

Name: %4
Server address: %6!S!
Client address: %7!S!
Instance name: %9
Connection type: %10

Guidance:
This indicates a problem with the underlying network or the storage stack on the remote server. IO operations were not completed within the allotted time. The application may not see this failure because IOs are usually retried on a different connection. This event is for diagnostics only.

Fields

Message

The connection was forcibly disconnected. 

Error: %2

Name: %4

Server address: %6!S!
Client address: %7!S!
Instance name: %9
Connection type: %10

Guidance:
This connection is disconnected to force existing requests to fail back as soon as possible. This is a fast-fail mechanism to allow upper layers to apply their recovery policies as soon as possible. This event is for diagnostics only.

Fields

Message

The disconnect state on connection was cleared 

Name: %3
Instance name: %5

Guidance:
Any persistent disconnect state on this connection is cleared. Any new IO will be sent to the server as usual. This event is for diagnostics only.

Fields

Message

The SMB negotiate response processing failed on the client to determine the selected encryption cipher for the client and server. Please ensure there is a common cipher between the client and server.

Client encryption cipher suite order (most to least preferred): %2
Server replied back with its selected encryption cipher ID: %4

Fields

Message

Could not find a certificate mapping that matches the server name. 

Connection type: %1
Server name: %3.

Fields

Message

The client established its session to the server.

Server name: %4
Server address: %6!S!
Client address: %8!S!
Session ID: %2

Fields

Message

The client failed to establish its session to the server.

Error: %1

Server name: %4
Server address: %6!S!
Client address: %8!S!
Session ID: %2

Fields

Message

The SMB redirector selected the connection initiated with the following parameters:

Server name: %2
Server socket address: %5
Client socket address: %7
Client certificate thumbprint: %12
Transport: %3
Instance Name: %9

Fields

Message

The SMB client was denied access to the SMB server during mutual authentication.

Server name: %2
Server socket address: %5
Client socket address: %7
Client certificate thumbprint: %11
Transport: %3
Instance Name: %9

Message

The SMB connection was successfully established.

Server name: %2
Server socket address: %5
Client socket address: %7
Connection ID: %12
Client certificate thumbprint: %14
Transport: %3
Instance Name: %9
Port Origin: %10

Guidance:

The event occurs when server authentication succeeds. The connection may later be closed if client authentication fails or if the client is denied access to the server.

Message

The initial connection to the share was established.

Share name: %5
Server address: %7!S!
Session ID: %2
Tree ID: %3
Transport type: %8
Signing used: %9
Encryption used: %10
Compression requested: %11
NTLM blocked: %12

Message

The client was unable to perform revocation checks on the server certificate chain. The connection will proceed.

Verification Status: %1

Server name: %3
Server socket address: %6
Client socket address: %8
Connection ID: %13
Client certificate thumbprint: %15
Transport: %4
Instance Name: %10
Port Origin: %11

Message

Server authentication failed.

Error: %1

Server name: %3
Server socket address: %6
Client socket address: %8
Connection ID: %13
Client certificate thumbprint: %15
Transport: %4
Instance Name: %10
Port Origin: %11

Message

The requested transport is disabled.

Server name: %2
Server socket address: %5
Transport: %3

Message

The handle was created without persistence.

File ID: %2:%3
CreateGUID: %4
Path: %10%12

Guidance:
The server supports Continuous Availability (persistent handles) and the request to create the handle succeeded. However, the server did not grant persistence. You should verify that the Resume Key Filter is running on the server and is attached to the target volume.

Fields

Message

The server does not support multichannel.

Server name: %2

Guidance:
The client attempted to use SMB Multichannel, but an administrator has disabled multichannel support on the server. This may also be a non-Microsoft file server that does not support multichannel or has multichannel disabled. You can enable SMB Multichannel on the server using this Windows PowerShell cmdlet: Set-SmbServerConfiguration -EnableMultiChannel:$true. This event does not apply to the multichannel settings of SMB client, which are controlled by the Set-SmbClientConfiguration Windows PowerShell cmdlet. Enabling or disabling client multichannel support does not affect server multichannel support.

Fields

Message

The client cannot connect to the server due to a multichannel constraint registry setting.

Server name: %2

Guidance:
The client attempted to use SMB Multichannel, but an administrator has configured multichannel support to prevent multichannel on the client. You can configure SMB Multichannel on the client using the Windows PowerShell cmdlets: New-SmbMultichannelConstraint and Remove-SmbMultichannelConstraint.

Fields

Message

A request on persistent/resilient handle failed because the handle was invalid or it exceeded the timeout.

Status: %7

Type: %1
Path: %4%6
Restart count: %2

Guidance:
After retrying a request on a Continuously Available (Persistent) handle or a Resilient handle, the client was unable to reconnect the handle. This event is the result of a handle recovery failure. Review other events for more details.

Fields

Message

The SMB Multichannel registry value is not configured with default settings.

Default Registry Value:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters]
"DisableMultiChannel"=dword:0
Configured Registry Value:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters]
"DisableMultiChannel"=dword:%2

Guidance:
You can configure SMB Multichannel on the client using the Windows PowerShell cmdlet Set-SmbClientConfiguration. Disabling SMB client multichannel support is not a recommended configuration, as it can lead to degraded performance and decreased reliability if one channel or network path fails.

Fields

Message

The SMB 3 and SMB 2 driver is not configured with the default start type.

Default Start Type: DEMAND_START
Configured Start Type: DISABLED

Guidance:
You should expect this event when disabling SMB2/SMB3 for the client using SC.EXE or editing the Windows registry. Microsoft does not recommend disabling SMB2/SMB3. Disabling SMB2/SMB3 prevents use of features such as SMB Transparent Failover, SMB Scale Out, SMB Multichannel, SMB Direct (RDMA), SMB Encryption, VSS for SMB file shares, and SMB Directory Leasing. SMB provides alternative troubleshooting workarounds to disabling SMB2/SMB3 in most cases.

Fields

Message

The client supports SMB Direct (RDMA) and SMB Signing is in use.

Share name: %2

Guidance:
For optimal SMB Direct performance, you can disable SMB Signing. This configuration is less secure and you should only consider this configuration on trustworthy private networks with strict access control.

Fields

Message

The client supports SMB Direct (RDMA) and SMB Encryption is in use.

Share name: %2

Guidance:
For optimal SMB Direct performance, you can disable SMB Encryption on the server for shares accessed by this client. This configuration is less secure and you should only consider this configuration on trustworthy private networks with strict access control.

Fields

Message

The Cipher Suite Order group policy setting is invalid.

Guidance:

This event indicates that an administrator has configured an invalid value for the "Computer Configuration\Administrative Templates\Network\Lanman Workstation\Cipher Suite Order" group policy setting. The client will use the default cipher suite order "%1" until this error is resolved.

Fields

Message

The RequireSecureNegotiate setting has been removed.

Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters
Registry Value: RequireSecureNegotiate

Guidance:

You should expect this event when an administrator configures the RequireSecureNegotiate setting. Secure negotiate prevents man-in-the-middle attacks against SMB connection establishment. Previous versions of Windows allowed secure negotiate to be disabled. Disabling secure negotiate is no longer allowed. The client removed the setting from the registry. No user action is required.

Message

Server %2 share %4 has requested client to use isolated connections to connection to the share. Asymmetric flag %5. Isolated transport flag %6. NetRoot already use isolated connections %7.

Fields

Message

RDMA rundown is active. Active RDMA-based operations will be wound down. There are currently %1 active RDMA resources.

Fields

Message

RDMA rundown is complete. No further RDMA-based operations are allowed. Rundown no-op: %1.

Fields

Message

Reactivation of RDMA support has commenced.

Message

RDMA is no longer disabled. RDMA-based operations can proceed, given hardware capabilities and OS policy. No-op: %1.

Fields

Message

SMBDirect load attempt complete.

Success: %1
Status code: %2
Service path: %4

Fields

Message

Component capabilities: %1
Internal patch number: %2

Fields

Message

The alternative port %1 is not a valid port within the range 0 to 65535 for mapping name %3:%5.

Fields

Message

The SMB redirector did not select the connection initiated with the following parameters:

Server name: %2
IP Address: %5
Transport: %3
Instance Name:%7
Port Origin: %8

The failure status associated with this decision: %9

Fields

Message

SMB Dialect Change

%1 was changed from %2 to %3.

Fields

Message

It took %2 secs to execute %1.

Fields

Message

It took %2 secs to execute %1 which is longer than threshold of %3 secs. This warning is because %1 is taking longer than expected.

Fields

Message

%1.

Error: %2

Security status: %3
User name: %10
Logon ID: %4
Serrver name: %6

Fields

Message

%1.

Error: %2

Security status: %3
User name: %10
Logon ID: %4
Server name: %6
Principal name: %8

Fields

Message

The outbound authentication failed using a network token.

Error: %2

Server name: %4

Guidance:
This typically indicates that delegation must be configured for a Kerberos double-hop scenario. If delegation is configured, confirm that the services are configured correctly on the middle-tier server.

Fields

Message

The LmCompatibilityLevel value is different from the default.

Configured LM Compatibility Level: %2
Default LM Compatibility Level: 3

Guidance:
LAN Manager (LM) authentication is the protocol used to authenticate Windows clients for network operations. This includes joining a domain, accessing network resources, and authenticating users or computers. This determines which challenge/response authentication protocol is negotiated between the client and the server computers. Specifically, the LM authentication level determines which authentication protocols the client will try to negotiate or the server will accept. The value set for LmCompatibilityLevel determines which challenge/response authentication protocol is used for network logons. This value affects the level of authentication protocol that clients use, the level of session security negotiated, and the level of authentication accepted by servers.

Value (Setting) - Description

0 (Send LM & NTLM responses) - Clients use LM and NTLM authentication and never use NTLMv2 session security. Domain controllers accept LM, NTLM, and NTLMv2 authentication.

1 (Send LM & NTLM - use NTLMv2 session security if negotiated) - Clients use LM and NTLM authentication, and use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.

2 (Send NTLM response only) - Clients use NTLM authentication only and use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.

3 (Send NTLM v2 response only) - Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.

4 (Send NTLMv2 response only/refuse LM) - Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it. Domain controllers refuse LM and accept only NTLM and NTLMv2 authentication.

5 (Send NTLM v2 response only/refuse LM & NTLM) - Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it. Domain controllers refuse LM and NTLM and accept only NTLMv2 authentication.

Incompatibly configured  LmCompatibility levels between a client and server (such as 0 on a client and 5 on a server) prevent access to the server. Non-Microsoft clients and servers also provide these configuration settings.

Fields

Message

The SMB client failed to connect to the share.

Error: %2

Path: %4%6

Fields

Message

The negotiate validation failed.

From negotiate response:
Dialect: %1
SecurityMode: %2
Capabilities: %3
ServerGuid: %4

From FSCTL_VALIDATE_NEGOTIATE_INFO response:
Dialect: %5
SecurityMode: %6
Capabilities: %7
ServerGuid: %8

Guidance:
The client successfully negotiated SMB dialect, security mode, capabilities and server GUID with the server, but the validation of these values then failed after connecting to a share. This may be due to a "adversary-in-the-middle" compromise attempt.

Fields

Message

The signing validation failed.

Error:%7

Server name: %6
Session ID:%3
Tree ID:%4
Message ID:%2
Command: %1

Guidance:
This error indicates that SMB messages are being modified in transit across the network from the server to the client. This may be due to the session ending on the server, a problem with the network, a problem with a third-party SMB server, or a "adversary-in-the-middle" compromise attempt.

PacketFragment:%9

Fields

Message

The client received an unencrypted message when encryption was expected.

Server name: %6
Session ID:%3
Tree ID:%4
Message ID:%2
Command: %1
Instance Name: %9

Guidance:
This error indicates that SMB messages are being modified in transit across the network from the server to the client. This may be due to the session ending on the server, a problem with the network, a problem with a third-party SMB server, or a "adversary-in-the-middle" compromise attempt.