Microsoft-Windows-SMBClient

181 events across 9 channels

Event ID	Title	Channel
101	Create SrvCall Error: ErrorCode Location: Location Context: Context.	HelperClassDiagnostic
201	Session Setup Error: ErrorCode Location: Location Context: Context.	HelperClassDiagnostic
301	Tree Connect Error: ErrorCode Location: Location Context: Context.	HelperClassDiagnostic
401	Create VNetRoot Error: ErrorCode Location: Location Context: Context.	HelperClassDiagnostic
501	Create File Error: ErrorCode Location: Location Context: Context.	HelperClassDiagnostic
2000	Packet Fragment (FragmentSize bytes).	Diagnostic
20001	Transitioned to State: CurrentOrNextState Context: Context.	HelperClassDiagnostic
30101	SMB ISC request: SessionEntry {SessionEntry} ServerName {ServerName}.	XPerfAnalytic
30102	SMB ISC completion: SessionEntry {SessionEntry} ServerName {ServerName} Status …	XPerfAnalytic
30103	SMB exchange suspended: RxContext RxContext Exchange Exchange ListHead ListHead.	Analytic
30104	SMB exchange resumed: RxContext RxContext Exchange Exchange ExchangeState …	Analytic
30105	SMB buffer context suspended: BufferCtxt BufferCtxt Exchange Exchange MidCharge …	Analytic
30106	SMB buffer context resumed: BufferCtxt BufferCtxt Exchange Exchange MidCharge …	Analytic
30107	SMB exchange expired: Exchange {Exchange} Window {Window}.	XPerfAnalytic
30108	SMB Mid window blocked: Window Window HungSession HungSession.	Analytic
30109	SMB rechunk multi-credit request: BufferCtxt BufferCtxt Exchange Exchange …	Analytic
30110	SMB initialize Mid window: Server ServerName Window MidWindow.	Analytic
30111	SMB Mid window state: Window MidWindow CurrentWindowSize CurrentWindowSize …	Analytic
30112	SMB teardown Mid window: Server ServerName Window MidWindow.	Analytic
30113	SMB copy data completion: Status Status VcEndpoint VcEndpoint.	Analytic
30114	SMB send completion: Status Status VcEndpoint VcEndpoint.	Analytic
30201	WSK get address info request: ServerName {ServerName} Irp {Irp}.	XPerfAnalytic
30202	WSK get address info completion: Irp {Irp} Status {Status}.	XPerfAnalytic
30203	WSK connect: SocketAddress RemoteAddress VcEndpoint VcEndpoint Socket Socket.	Analytic
30204	WSK connect completion: VcEndpoint VcEndpoint Socket Socket Status Status.	Analytic
30205	WSK send: VcEndpoint VcEndpoint Socket Socket SendMdl SendMdl SendLength …	Analytic
30206	WSK send completion: VcEndpoint VcEndpoint Socket Socket SendMdl SendMdl …	Analytic
30207	WSK receive: VcEndpoint VcEndpoint Socket Socket ReceiveMdl SendMdl …	Analytic
30208	WSK receive completion: VcEndpoint VcEndpoint Socket Socket ReceiveMdl SendMdl …	Analytic
30209	Compression requested for file object Smb2Fobx: Status Status.	Analytic
30210	Decompression failed: VcEndpoint VcEndpoint Socket Socket ReceiveBuffer SendMdl …	Analytic
30211	Compression failed: VcEndpoint VcEndpoint Socket Socket SendBuffer SendMdl …	Analytic
30401	SMB session expired: SessionEntry SessionEntry ServerName ServerName.	Analytic
30402	SMB 3 part SPN reauth: SessionEntry SessionEntry ServiceName ServerName.	Analytic
30403	SMB reconnect durable open: Fcb Fcb SrvOpen SrvOpen.	Analytic
30404	SMB defer open: Fcb Fcb SrvOpen SrvOpen.	Analytic
30405	SMB undefer open: Fcb Fcb SrvOpen SrvOpen.	Analytic
30406	SMB send[Count]: [Command] (Mid/Sid/Tid) (MessageId/SessionId/TreeId) MidCharge …	Analytic
30407	SMB receive: [Command] (Mid/Sid/Tid) (MessageId/SessionId/TreeId) Creds …	Analytic
30408	SMB receive interim: [Command] (Mid/AsyncId/Sid/Tid) …	Analytic
30409	SMB receive async: [Command] (AsyncId/Sid/Tid) (AsyncId/SessionId/TreeId) Creds …	Analytic
30410	SMB registry key: RegName = RegValue.	Analytic
30501	SMB update file info cache: RxContext RxContext Fcb Fcb FileName FileName.	Analytic
30502	SMB fetch file info cache: RxContext RxContext Fcb Fcb FileName FileName Status …	Analytic
30503	SMB invalidate file info cache: RxContext RxContext Fcb Fcb FileName FileName.	Analytic
30504	SMB update file not found cache: RxContext RxContext Fcb Fcb FileName FileName.	Analytic
30505	SMB fetch file not found cache: RxContext RxContext Fcb Fcb FileName FileName …	Analytic
30506	SMB invalidate file not found cache: RxContext RxContext Fcb Fcb FileName …	Analytic
30507	SMB populate dir cache: RxContext RxContext Fcb Fcb DirName FileName.	Analytic
30508	SMB fetch dir cache: RxContext RxContext Fcb Fcb FileName FileName Status …	Analytic
30600	Session Object to ObjectName transitioned from [OldState] to [NewState] with …	ObjectStateDiagnostic
30601	Share connection Object to ObjectName transitioned from [OldState] to [NewState] …	ObjectStateDiagnostic
30603	Open handle Object to ShareNameObjectName transitioned from [OldState] to …	ObjectStateDiagnostic
30604	The local computer didn't received an SMB1 negotiate response in the last 20 …	ObjectStateDiagnostic
30611	Failed to reconnect a persistent handle.	Operational
30612	Failed to reconnect a resilient handle.	Operational
30613	Failed to open a persistent handle.	Operational
30614	Persistent handle {PersistentFID}:{VolatileFID} CreateGUID {CreateGUID} to …	Operational
30615	Resilient handle {PersistentFID}:{VolatileFID} to {Object}0{Object}2 was …	Operational
30620	Connection to server {ServerName} IP Address {RemoteAddress} was aborted.	Operational
30621	Session to server {ObjectName} was lost Status {Status}.	Operational
30622	Session to server {ObjectName} was re-established.	Operational
30623	Connection to share {ObjectName} was lost.	Operational
30624	Connection to share {ObjectName} was re-established.	Operational
30625	Handle {PersistentFID}:{VolatileFID} CreateGUID {CreateGUID} to …	Operational
30626	The SMB client received a request to move file server cluster {ServerName} to IP …	Operational
30627	The SMB client successfully moved file server cluster {ServerName} to IP address …	Operational
30628	The SMB client failed to move file server cluster {ServerName}.	Operational
30700	The server {ServerName} does not support multichannel.	Operational
30701	An invalid FSCTL_QUERY_NETWORK_INTERFACE_INFO response was sent by the server …	ObjectStateDiagnostic
30702	The client failed to connect to the server ServerName from the local IP address …	ObjectStateDiagnostic
30703	The client failed to connect to the server ServerName from the local IP address …	ObjectStateDiagnostic
30704	The client connected to the server ServerName from the local IP address …	ObjectStateDiagnostic
30705	The client connected to the server ServerName from the local IP address …	ObjectStateDiagnostic
30706	The client can not connect to the server {ServerName} due to a multichannel …	Operational
30800	The server name cannot be resolved.	Connectivity
30801	Reason.	Connectivity
30802	Reason.	Connectivity
30803	Failed to establish a network connection.	Connectivity
30804	A network connection was disconnected.	Connectivity
30805	The client lost its session to the server.	Connectivity
30806	The client re-established its session to the server.	Connectivity
30807	The connection to the share was lost.	Connectivity
30808	The connection to the share was re-established.	Connectivity
30809	A request timed out because there was no response from the server.	Connectivity
30810	Added a TCP/IP transport interface.	Connectivity
30811	Deleted a TCP/IP transport interface.	Connectivity
30812	Added a TDI transport interface.	Connectivity
30813	Deleted a TDI transport interface.	Connectivity
30814	Witness registration has completed.	Connectivity
30815	Witness deregistration has completed.	Connectivity
30816	The server failed the negotiate request.	Connectivity
30817	Close request failed.	Connectivity
30818	RDMA interfaces are available but the client failed to connect to the server …	Connectivity
30819	The SMB client received a request to move to a different node on a file server …	Connectivity
30820	The SMB client successfully moved to a different node on a file server cluster.	Connectivity
30821	The SMB client failed to move to a different node on a file server cluster.	Connectivity
30822	Failed to establish an SMB multichannel network connection.	Connectivity
30823	The connection was terminated due to one or more IO request timeouts.	Connectivity
30824	The connection was forcibly disconnected.	Connectivity
30825	The disconnect state on connection was cleared.	Connectivity
30826	The SMB negotiate response processing failed on the client to determine the …	Connectivity
30827	Could not find a certificate mapping that matches the server name.	Connectivity
30828	The client established its session to the server.	Connectivity
30829	The client failed to establish its session to the server.	Connectivity
30830	The SMB redirector selected the connection initiated with the following …	Connectivity
30831	The SMB client was denied access to the SMB server during mutual authentication.	Connectivity
30832	The SMB connection was successfully established.	Connectivity
30833	The initial connection to the share was established.	Connectivity
30834	The client was unable to perform revocation checks on the server certificate …	Connectivity
30835	Server authentication failed.	Connectivity
30837	The requested transport is disabled.	Connectivity
30900	The handle was created without persistence.	Operational
30904	The server does not support multichannel.	Operational
30905	The client cannot connect to the server due to a multichannel constraint …	Operational
30906	A request on persistent/resilient handle failed because the handle was invalid …	Operational
30907	The SMB Multichannel registry value is not configured with default settings.	Operational
30908	The SMB 3 and SMB 2 driver is not configured with the default start type.	Operational
30909	The client supports SMB Direct (RDMA) and SMB Signing is in use.	Operational
30910	The client supports SMB Direct (RDMA) and SMB Encryption is in use.	Operational
30911	The Cipher Suite Order group policy setting is invalid.	Operational
30912	The RequireSecureNegotiate setting has been removed.	Operational
30913	Server ServerName share ShareName has requested client to use isolated …	Operational
30914	RDMA rundown is active.	Operational
30915	RDMA rundown is complete.	Operational
30916	Reactivation of RDMA support has commenced.	Operational
30917	RDMA is no longer disabled.	Operational
30918	SMBDirect load attempt complete.	Operational
30950	Component capabilities: ComponentCapabilities.	Operational
30951	The alternative port PortNumber is not a valid port within the range 0 to 65535 …	Operational
30952	The SMB redirector did not select the connection initiated with the following …	Operational
30953	SMB Dialect Change.	Operational
30954	It took CallDuration secs to execute FunctionName.	HelperClassDiagnostic
30955	It took CallDuration secs to execute FunctionName which is longer than threshold …	Operational
31000	Reason.	Security
31001	Reason.	Security
31002	The outbound authentication failed using a network token.	Security
31003	The LmCompatibilityLevel value is different from the default.	Security
31010	The SMB client failed to connect to the share.	Security
31012	The negotiate validation failed.	Security
31013	The signing validation failed.	Security
31014	The client received an unencrypted message when encryption was expected.	Security
31015	Failed to decrypt an encrypted SMB message.	Security
31016	The SMB Signing registry value is not configured with default settings.	Security
31017	Rejected an insecure guest logon.	Security
31018	Guidance: An administrator has enabled AllowInsecureGuestAuth.	Security
31019	Mutual authentication was unexpectedly lost after re-authenticating to …	Security
31020	Session key for connection is weaker than required.	Security
31021	SMB DDP security changed from OldValue to NewValue.	Security
31022	Allowed an insecure guest logon.	Security
31023	NTLM is prohibited for authentication on the server.	Security
31997	The SMB client was logged on as Guest account.	Audit
31998	The SMB client observed that the server doesn't support signing.	Audit
31999	The SMB client observed that the server doesn't support encryption.	Audit
32000	SMB1 negotiate response received from remote device when SMB1 cannot be …	Audit
32002	The local computer received an SMB1 negotiate response.	Audit
32003	The local computer didn't received an SMB1 negotiate response in the last Days …	Audit
32004	SMB2 rxcontext performance work started	Analytic
32005	SMB2 exchange performance work started	Analytic
32006	SMB2 buffer context performance work started	Analytic
32007	SMB2 performance work transition	Analytic
32008	SMB2 rxcontext performance work read summary	Analytic
32009	SMB2 rxcontext performance work write summary	Analytic
32010	SMB2 rxcontext performance work create summary	Analytic
32011	SMB2 rxcontext performance work close summary	Analytic
32012	SMB2 rxcontext performance work query directory summary	Analytic
32013	SMB2 rxcontext performance work fsctl summary	Analytic
32028	SMB2 exchange performance work read summary	Analytic
32029	SMB2 exchange performance work write summary	Analytic
32030	SMB2 exchange performance work create summary	Analytic
32031	SMB2 exchange performance work close summary	Analytic
32032	SMB2 exchange performance work query directory summary	Analytic
32033	SMB2 exchange performance work fsctl summary	Analytic
32048	SMB2 buffer context performance work read summary	Analytic
32049	SMB2 buffer context performance work write summary	Analytic
32050	SMB2 buffer context performance work create summary	Analytic
32051	SMB2 buffer context performance work close summary	Analytic
32052	SMB2 buffer context performance work query directory summary	Analytic
32053	SMB2 buffer context performance work fsctl summary	Analytic
32068	SMB2 FCB capture summary	Analytic
40000	Packet (PacketSize bytes).	Diagnostic

Event ID 101 — Create SrvCall Error: ErrorCode Location: Location Context: Context.

Provider: Microsoft-Windows-SMBClient
Channel: HelperClassDiagnostic
Opcode: Info

Description

Create SrvCall Error: ErrorCode Location: Location Context: Context.

Message #

Create SrvCall Error: %1 Location: %2 Context: %3

Fields #

Name	Description
`ErrorCode` UInt32	—
`Location` UInt32	—
`Context` UInt32	—

Event ID 201 — Session Setup Error: ErrorCode Location: Location Context: Context.

Provider: Microsoft-Windows-SMBClient
Channel: HelperClassDiagnostic
Opcode: Info

Description

Session Setup Error: ErrorCode Location: Location Context: Context.

Message #

Session Setup Error: %1 Location: %2 Context: %3

Fields #

Name	Description
`ErrorCode` UInt32	—
`Location` UInt32	—
`Context` UInt32	—

Event ID 301 — Tree Connect Error: ErrorCode Location: Location Context: Context.

Provider: Microsoft-Windows-SMBClient
Channel: HelperClassDiagnostic
Opcode: Info

Description

Tree Connect Error: ErrorCode Location: Location Context: Context.

Message #

Tree Connect Error: %1 Location: %2 Context: %3

Fields #

Name	Description
`ErrorCode` UInt32	—
`Location` UInt32	—
`Context` UInt32	—

Event ID 401 — Create VNetRoot Error: ErrorCode Location: Location Context: Context.

Provider: Microsoft-Windows-SMBClient
Channel: HelperClassDiagnostic
Opcode: Info

Description

Create VNetRoot Error: ErrorCode Location: Location Context: Context.

Message #

Create VNetRoot Error: %1 Location: %2 Context: %3

Fields #

Name	Description
`ErrorCode` UInt32	—
`Location` UInt32	—
`Context` UInt32	—

Event ID 501 — Create File Error: ErrorCode Location: Location Context: Context.

Provider: Microsoft-Windows-SMBClient
Channel: HelperClassDiagnostic
Opcode: Info

Description

Create File Error: ErrorCode Location: Location Context: Context.

Message #

Create File Error: %1 Location: %2 Context: %3

Fields #

Name	Description
`ErrorCode` UInt32	—
`Location` UInt32	—
`Context` UInt32	—

Event ID 2000 — Packet Fragment (FragmentSize bytes).

Provider: Microsoft-Windows-SMBClient
Channel: Diagnostic
Opcode: Info

Description

Packet Fragment (FragmentSize bytes).

Message #

Packet Fragment (%2 bytes)

Fields #

Name	Description
`ReassembledEventID` UInt16	—
`FragmentSize` UInt32	—
`FragmentData` Binary	—

Event ID 20001 — Transitioned to State: CurrentOrNextState Context: Context.

Provider: Microsoft-Windows-SMBClient
Channel: HelperClassDiagnostic
Opcode: Info

Description

Transitioned to State: CurrentOrNextState Context: Context.

Message #

Transitioned to State: %1 Context: %2

Fields #

Name	Description
`CurrentOrNextState` UInt8	—
`Context` UInt32	—

Event ID 30101 — SMB ISC request: SessionEntry {SessionEntry} ServerName {ServerName}.

Provider: Microsoft-Windows-SMBClient
Channel: XPerfAnalytic

Description

SMB ISC request: SessionEntry {SessionEntry} ServerName {ServerName}.

Message #

SMB ISC request: SessionEntry {SessionEntry} ServerName {ServerName}

Fields #

Name	Description
`SessionEntry`	—
`ServerName`	—

Event ID 30102 — SMB ISC completion: SessionEntry {SessionEntry} ServerName {ServerName} Status {Status}.

Provider: Microsoft-Windows-SMBClient
Channel: XPerfAnalytic

Description

SMB ISC completion: SessionEntry {SessionEntry} ServerName {ServerName} Status {Status}.

Message #

SMB ISC completion: SessionEntry {SessionEntry} ServerName {ServerName} Status {Status}

Fields #

Name	Description
`SessionEntry`	—
`ServerName`	—
`Status`	— NTSTATUS reference

Event ID 30103 — SMB exchange suspended: RxContext RxContext Exchange Exchange ListHead ListHead.

Provider: Microsoft-Windows-SMBClient
Channel: Analytic
Opcode: Info

Description

SMB exchange suspended: RxContext RxContext Exchange Exchange ListHead ListHead.

Message #

SMB exchange suspended: RxContext %1 Exchange %2 ListHead %3

Fields #

Name	Description
`RxContext` Pointer	—
`Exchange` Pointer	—
`ListHead` Pointer	—

Event ID 30104 — SMB exchange resumed: RxContext RxContext Exchange Exchange ExchangeState ExchangeState ExchangeStatus ExchangeStatus.

Provider: Microsoft-Windows-SMBClient
Channel: Analytic
Opcode: Info

Description

SMB exchange resumed: RxContext RxContext Exchange Exchange ExchangeState ExchangeState ExchangeStatus ExchangeStatus.

Message #

SMB exchange resumed: RxContext %1 Exchange %2 ExchangeState %3 ExchangeStatus %4

Fields #

Name	Description
`RxContext` Pointer	—
`Exchange` Pointer	—
`ExchangeState` UInt32	—
`ExchangeStatus` UInt32	—

Event ID 30105 — SMB buffer context suspended: BufferCtxt BufferCtxt Exchange Exchange MidCharge MidCharge Window Window CurrentWindowLimit CurrentWindowLimit ThrottlingWindowLimit ThrottlingWindowLimit CurrentWind...

Provider: Microsoft-Windows-SMBClient
Channel: Analytic
Opcode: Info

Description

SMB buffer context suspended: BufferCtxt BufferCtxt Exchange Exchange MidCharge MidCharge Window Window CurrentWindowLimit CurrentWindowLimit ThrottlingWindowLimit ThrottlingWindowLimit CurrentWindowSize CurrentWindowSize.

Message #

SMB buffer context suspended: BufferCtxt %1 Exchange %2 MidCharge %3 Window %4 CurrentWindowLimit %5 ThrottlingWindowLimit %6 CurrentWindowSize %7

Fields #

Name	Description
`BufferCtxt` Pointer	—
`Exchange` Pointer	—
`MidCharge` UInt32	—
`Window` Pointer	—
`CurrentWindowLimit` UInt32	—
`ThrottlingWindowLimit` UInt32	—
`CurrentWindowSize` UInt32	—

Event ID 30106 — SMB buffer context resumed: BufferCtxt BufferCtxt Exchange Exchange MidCharge MidCharge Window Window CurrentWindowLimit CurrentWindowLimit ThrottlingWindowLimit ThrottlingWindowLimit CurrentWindow...

Provider: Microsoft-Windows-SMBClient
Channel: Analytic
Opcode: Info

Description

SMB buffer context resumed: BufferCtxt BufferCtxt Exchange Exchange MidCharge MidCharge Window Window CurrentWindowLimit CurrentWindowLimit ThrottlingWindowLimit ThrottlingWindowLimit CurrentWindowSize CurrentWindowSize.

Message #

SMB buffer context resumed: BufferCtxt %1 Exchange %2 MidCharge %3 Window %4 CurrentWindowLimit %5 ThrottlingWindowLimit %6 CurrentWindowSize %7

Fields #

Name	Description
`BufferCtxt` Pointer	—
`Exchange` Pointer	—
`MidCharge` UInt32	—
`Window` Pointer	—
`CurrentWindowLimit` UInt32	—
`ThrottlingWindowLimit` UInt32	—
`CurrentWindowSize` UInt32	—

Event ID 30107 — SMB exchange expired: Exchange {Exchange} Window {Window}.

Provider: Microsoft-Windows-SMBClient
Channel: XPerfAnalytic

Description

SMB exchange expired: Exchange {Exchange} Window {Window}.

Message #

SMB exchange expired: Exchange {Exchange} Window {Window}

Fields #

Name	Description
`Exchange`	—
`Window`	—

Event ID 30108 — SMB Mid window blocked: Window Window HungSession HungSession.

Provider: Microsoft-Windows-SMBClient
Channel: Analytic
Opcode: Info

Description

SMB Mid window blocked: Window Window HungSession HungSession.

Message #

SMB Mid window blocked: Window %1 HungSession %2

Fields #

Name	Description
`Window` Pointer	—
`HungSession` UInt32	—

Event ID 30109 — SMB rechunk multi-credit request: BufferCtxt BufferCtxt Exchange Exchange MidCharge MidCharge Window Window CurrentWindowLimit CurrentWindowLimit ThrottlingWindowLimit ThrottlingWindowLimit Current...

Provider: Microsoft-Windows-SMBClient
Channel: Analytic
Opcode: Info

Description

SMB rechunk multi-credit request: BufferCtxt BufferCtxt Exchange Exchange MidCharge MidCharge Window Window CurrentWindowLimit CurrentWindowLimit ThrottlingWindowLimit ThrottlingWindowLimit CurrentWindowSize CurrentWindowSize.

Message #

SMB rechunk multi-credit request: BufferCtxt %1 Exchange %2 MidCharge %3 Window %4 CurrentWindowLimit %5 ThrottlingWindowLimit %6 CurrentWindowSize %7

Fields #

Name	Description
`BufferCtxt` Pointer	—
`Exchange` Pointer	—
`MidCharge` UInt32	—
`Window` Pointer	—
`CurrentWindowLimit` UInt32	—
`ThrottlingWindowLimit` UInt32	—
`CurrentWindowSize` UInt32	—

Event ID 30110 — SMB initialize Mid window: Server ServerName Window MidWindow.

Provider: Microsoft-Windows-SMBClient
Channel: Analytic
Opcode: Info

Description

SMB initialize Mid window: Server ServerName Window MidWindow.

Message #

SMB initialize Mid window: Server %2 Window %3

Fields #

Name	Description
`ServerNameLength` UInt16	—
`ServerName` UnicodeString	—
`MidWindow` Pointer	—

Event ID 30111 — SMB Mid window state: Window MidWindow CurrentWindowSize CurrentWindowSize CurrentWindowLimit CurrentWindowLimit ThrottlingWindowLimit ThrottlingWindowLimit OldestPendingMid OldestPendingMid NextAv...

Provider: Microsoft-Windows-SMBClient
Channel: Analytic
Opcode: Info

Description

SMB Mid window state: Window MidWindow CurrentWindowSize CurrentWindowSize CurrentWindowLimit CurrentWindowLimit ThrottlingWindowLimit ThrottlingWindowLimit OldestPendingMid OldestPendingMid NextAvailableMid NextAvailableMid CreditsGranted CreditsGranted.

Message #

SMB Mid window state: Window %1 CurrentWindowSize %2 CurrentWindowLimit %3 ThrottlingWindowLimit %4 OldestPendingMid %5 NextAvailableMid %6 CreditsGranted %7

Fields #

Name	Description
`MidWindow` Pointer	—
`CurrentWindowSize` UInt32	—
`CurrentWindowLimit` UInt32	—
`ThrottlingWindowLimit` UInt32	—
`OldestPendingMid` UInt64	—
`NextAvailableMid` UInt64	—
`CreditsGranted` Int32	—

Event ID 30112 — SMB teardown Mid window: Server ServerName Window MidWindow.

Provider: Microsoft-Windows-SMBClient
Channel: Analytic
Opcode: Info

Description

SMB teardown Mid window: Server ServerName Window MidWindow.

Message #

SMB teardown Mid window: Server %2 Window %3

Fields #

Name	Description
`ServerNameLength` UInt16	—
`ServerName` UnicodeString	—
`MidWindow` Pointer	—

Event ID 30113 — SMB copy data completion: Status Status VcEndpoint VcEndpoint.

Provider: Microsoft-Windows-SMBClient
Channel: Analytic
Opcode: Info

Description

SMB copy data completion: Status Status VcEndpoint VcEndpoint.

Message #

SMB copy data completion: Status %1 VcEndpoint %2

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference
`VcEndpoint` Pointer	—

Event ID 30114 — SMB send completion: Status Status VcEndpoint VcEndpoint.

Provider: Microsoft-Windows-SMBClient
Channel: Analytic
Opcode: Info

Description

SMB send completion: Status Status VcEndpoint VcEndpoint.

Message #

SMB send completion: Status %1 VcEndpoint %2

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference
`VcEndpoint` Pointer	—

Event ID 30201 — WSK get address info request: ServerName {ServerName} Irp {Irp}.

Provider: Microsoft-Windows-SMBClient
Channel: XPerfAnalytic

Description

WSK get address info request: ServerName {ServerName} Irp {Irp}.

Message #

WSK get address info request: ServerName {ServerName} Irp {Irp}

Fields #

Name	Description
`ServerName`	—
`Irp`	—

Event ID 30202 — WSK get address info completion: Irp {Irp} Status {Status}.

Provider: Microsoft-Windows-SMBClient
Channel: XPerfAnalytic

Description

WSK get address info completion: Irp {Irp} Status {Status}.

Message #

WSK get address info completion: Irp {Irp} Status {Status}

Fields #

Name	Description
`Irp`	—
`Status`	— NTSTATUS reference

Event ID 30203 — WSK connect: SocketAddress RemoteAddress VcEndpoint VcEndpoint Socket Socket.

Provider: Microsoft-Windows-SMBClient
Channel: Analytic
Opcode: Info

Description

WSK connect: SocketAddress RemoteAddress VcEndpoint VcEndpoint Socket Socket.

Message #

WSK connect: SocketAddress %2 VcEndpoint %3 Socket %4

Fields #

Name	Description
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`VcEndpoint` Pointer	—
`Socket` Pointer	—
`ConnectionType` UInt32	—

Event ID 30204 — WSK connect completion: VcEndpoint VcEndpoint Socket Socket Status Status.

Provider: Microsoft-Windows-SMBClient
Channel: Analytic
Opcode: Info

Description

WSK connect completion: VcEndpoint VcEndpoint Socket Socket Status Status.

Message #

WSK connect completion: VcEndpoint %1 Socket %2 Status %3

Fields #

Name	Description
`VcEndpoint` Pointer	—
`Socket` Pointer	—
`Status` UInt32	— NTSTATUS reference
`ConnectionType` UInt32	—

Event ID 30205 — WSK send: VcEndpoint VcEndpoint Socket Socket SendMdl SendMdl SendLength SendLength.

Provider: Microsoft-Windows-SMBClient
Channel: Analytic
Opcode: Info

Description

WSK send: VcEndpoint VcEndpoint Socket Socket SendMdl SendMdl SendLength SendLength.

Message #

WSK send: VcEndpoint %1 Socket %2 SendMdl %3 SendLength %4

Fields #

Name	Description
`VcEndpoint` Pointer	—
`Socket` Pointer	—
`SendMdl` Pointer	—
`SendLength` UInt32	—
`ConnectionType` UInt32	—

Event ID 30206 — WSK send completion: VcEndpoint VcEndpoint Socket Socket SendMdl SendMdl SendLength SendLength Status Status.

Provider: Microsoft-Windows-SMBClient
Channel: Analytic
Opcode: Info

Description

WSK send completion: VcEndpoint VcEndpoint Socket Socket SendMdl SendMdl SendLength SendLength Status Status.

Message #

WSK send completion: VcEndpoint %1 Socket %2 SendMdl %3 SendLength %4 Status %5

Fields #

Name	Description
`VcEndpoint` Pointer	—
`Socket` Pointer	—
`SendMdl` Pointer	—
`SendLength` UInt32	—
`Status` UInt32	— NTSTATUS reference
`ConnectionType` UInt32	—

Event ID 30207 — WSK receive: VcEndpoint VcEndpoint Socket Socket ReceiveMdl SendMdl ReceiveLength SendLength.

Provider: Microsoft-Windows-SMBClient
Channel: Analytic
Opcode: Info

Description

WSK receive: VcEndpoint VcEndpoint Socket Socket ReceiveMdl SendMdl ReceiveLength SendLength.

Message #

WSK receive: VcEndpoint %1 Socket %2 ReceiveMdl %3 ReceiveLength %4

Fields #

Name	Description
`VcEndpoint` Pointer	—
`Socket` Pointer	—
`SendMdl` Pointer	—
`SendLength` UInt32	—
`ConnectionType` UInt32	—

Event ID 30208 — WSK receive completion: VcEndpoint VcEndpoint Socket Socket ReceiveMdl SendMdl ReceiveLength SendLength Status Status.

Provider: Microsoft-Windows-SMBClient
Channel: Analytic
Opcode: Info

Description

WSK receive completion: VcEndpoint VcEndpoint Socket Socket ReceiveMdl SendMdl ReceiveLength SendLength Status Status.

Message #

WSK receive completion: VcEndpoint %1 Socket %2 ReceiveMdl %3 ReceiveLength %4 Status %5

Fields #

Name	Description
`VcEndpoint` Pointer	—
`Socket` Pointer	—
`SendMdl` Pointer	—
`SendLength` UInt32	—
`Status` UInt32	— NTSTATUS reference
`ConnectionType` UInt32	—

Event ID 30209 — Compression requested for file object Smb2Fobx: Status Status.

Provider: Microsoft-Windows-SMBClient
Channel: Analytic
Opcode: Info

Description

Compression requested for file object Smb2Fobx: Status Status.

Message #

Compression requested for file object %3: Status %4

Fields #

Name	Description
`VcEndpoint` Pointer	—
`Socket` Pointer	—
`Smb2Fobx` Pointer	—
`Status` UInt32	— NTSTATUS reference

Event ID 30210 — Decompression failed: VcEndpoint VcEndpoint Socket Socket ReceiveBuffer SendMdl ReceiveLength SendLength Status Status.

Provider: Microsoft-Windows-SMBClient
Channel: Analytic
Opcode: Info

Description

Decompression failed: VcEndpoint VcEndpoint Socket Socket ReceiveBuffer SendMdl ReceiveLength SendLength Status Status.

Message #

Decompression failed: VcEndpoint %1 Socket %2 ReceiveBuffer %3 ReceiveLength %4 Status %5

Fields #

Name	Description
`VcEndpoint` Pointer	—
`Socket` Pointer	—
`SendMdl` Pointer	—
`SendLength` UInt32	—
`Status` UInt32	— NTSTATUS reference
`ConnectionType` UInt32	—

Event ID 30211 — Compression failed: VcEndpoint VcEndpoint Socket Socket SendBuffer SendMdl SendLength SendLength Status Status.

Provider: Microsoft-Windows-SMBClient
Channel: Analytic
Opcode: Info

Description

Compression failed: VcEndpoint VcEndpoint Socket Socket SendBuffer SendMdl SendLength SendLength Status Status.

Message #

Compression failed: VcEndpoint %1 Socket %2 SendBuffer %3 SendLength %4 Status %5

Fields #

Name	Description
`VcEndpoint` Pointer	—
`Socket` Pointer	—
`SendMdl` Pointer	—
`SendLength` UInt32	—
`Status` UInt32	— NTSTATUS reference
`ConnectionType` UInt32	—

Event ID 30401 — SMB session expired: SessionEntry SessionEntry ServerName ServerName.

Provider: Microsoft-Windows-SMBClient
Channel: Analytic
Opcode: Info

Description

SMB session expired: SessionEntry SessionEntry ServerName ServerName.

Message #

SMB session expired: SessionEntry %1 ServerName %3

Fields #

Name	Description
`SessionEntry` Pointer	—
`ServerNameLength` UInt16	—
`ServerName` UnicodeString	—

Event ID 30402 — SMB 3 part SPN reauth: SessionEntry SessionEntry ServiceName ServerName.

Provider: Microsoft-Windows-SMBClient
Channel: Analytic
Opcode: Info

Description

SMB 3 part SPN reauth: SessionEntry SessionEntry ServiceName ServerName.

Message #

SMB 3 part SPN reauth: SessionEntry %1 ServiceName %3

Fields #

Name	Description
`SessionEntry` Pointer	—
`ServerNameLength` UInt16	—
`ServerName` UnicodeString	—

Event ID 30403 — SMB reconnect durable open: Fcb Fcb SrvOpen SrvOpen.

Provider: Microsoft-Windows-SMBClient
Channel: Analytic
Opcode: Info

Description

SMB reconnect durable open: Fcb Fcb SrvOpen SrvOpen.

Message #

SMB reconnect durable open: Fcb %1 SrvOpen %2

Fields #

Name	Description
`Fcb` Pointer	—
`SrvOpen` Pointer	—

Event ID 30404 — SMB defer open: Fcb Fcb SrvOpen SrvOpen.

Provider: Microsoft-Windows-SMBClient
Channel: Analytic
Opcode: Info

Description

SMB defer open: Fcb Fcb SrvOpen SrvOpen.

Message #

SMB defer open: Fcb %1 SrvOpen %2

Fields #

Name	Description
`Fcb` Pointer	—
`SrvOpen` Pointer	—

Event ID 30405 — SMB undefer open: Fcb Fcb SrvOpen SrvOpen.

Provider: Microsoft-Windows-SMBClient
Channel: Analytic
Opcode: Info

Description

SMB undefer open: Fcb Fcb SrvOpen SrvOpen.

Message #

SMB undefer open: Fcb %1 SrvOpen %2

Fields #

Name	Description
`Fcb` Pointer	—
`SrvOpen` Pointer	—

Event ID 30406 — SMB send[Count]: [Command] (Mid/Sid/Tid) (MessageId/SessionId/TreeId) MidCharge MidCharge Creds CreditRequested SendLengh SendLength VcEndpoint VcEndpoint.

Provider: Microsoft-Windows-SMBClient
Channel: Analytic
Opcode: Info

Description

SMB send[Count]: [Command] (Mid/Sid/Tid) (MessageId/SessionId/TreeId) MidCharge MidCharge Creds CreditRequested SendLengh SendLength VcEndpoint VcEndpoint.

Message #

SMB send[%1]: [%2] (Mid/Sid/Tid) (%3/%4/%5) MidCharge %6 Creds %7 SendLengh %8 VcEndpoint %9

Fields #

Name	Description
`Count` UInt32	—
`Command` AnsiString	—
`MessageId` UInt64	—
`SessionId` UInt64	—
`TreeId` UInt32	—
`MidCharge` UInt16	—
`CreditRequested` UInt16	—
`SendLength` UInt32	—
`VcEndpoint` Pointer	—

Event ID 30407 — SMB receive: [Command] (Mid/Sid/Tid) (MessageId/SessionId/TreeId) Creds CreditGranted Status Status VcEndpoint VcEndpoint.

Provider: Microsoft-Windows-SMBClient
Channel: Analytic
Opcode: Info

Description

SMB receive: [Command] (Mid/Sid/Tid) (MessageId/SessionId/TreeId) Creds CreditGranted Status Status VcEndpoint VcEndpoint.

Message #

SMB receive: [%1] (Mid/Sid/Tid) (%2/%4/%5) Creds %6 Status %7 VcEndpoint %8

Fields #

Name	Description
`Command` AnsiString	—
`MessageId` UInt64	—
`AsyncId` UInt64	—
`SessionId` UInt64	—
`TreeId` UInt32	—
`CreditGranted` UInt16	—
`Status` UInt32	— NTSTATUS reference
`VcEndpoint` Pointer	—

Event ID 30408 — SMB receive interim: [Command] (Mid/AsyncId/Sid/Tid) (MessageId/AsyncId/SessionId/TreeId) Creds CreditGranted Status Status VcEndpoint VcEndpoint.

Provider: Microsoft-Windows-SMBClient
Channel: Analytic
Opcode: Info

Description

SMB receive interim: [Command] (Mid/AsyncId/Sid/Tid) (MessageId/AsyncId/SessionId/TreeId) Creds CreditGranted Status Status VcEndpoint VcEndpoint.

Message #

SMB receive interim: [%1] (Mid/AsyncId/Sid/Tid) (%2/%3/%4/%5) Creds %6 Status %7 VcEndpoint %8

Fields #

Name	Description
`Command` AnsiString	—
`MessageId` UInt64	—
`AsyncId` UInt64	—
`SessionId` UInt64	—
`TreeId` UInt32	—
`CreditGranted` UInt16	—
`Status` UInt32	— NTSTATUS reference
`VcEndpoint` Pointer	—

Event ID 30409 — SMB receive async: [Command] (AsyncId/Sid/Tid) (AsyncId/SessionId/TreeId) Creds CreditGranted Status Status VcEndpoint VcEndpoint.

Provider: Microsoft-Windows-SMBClient
Channel: Analytic
Opcode: Info

Description

SMB receive async: [Command] (AsyncId/Sid/Tid) (AsyncId/SessionId/TreeId) Creds CreditGranted Status Status VcEndpoint VcEndpoint.

Message #

SMB receive async: [%1] (AsyncId/Sid/Tid) (%3/%4/%5) Creds %6 Status %7 VcEndpoint %8

Fields #

Name	Description
`Command` AnsiString	—
`MessageId` UInt64	—
`AsyncId` UInt64	—
`SessionId` UInt64	—
`TreeId` UInt32	—
`CreditGranted` UInt16	—
`Status` UInt32	— NTSTATUS reference
`VcEndpoint` Pointer	—

Event ID 30410 — SMB registry key: RegName = RegValue.

Provider: Microsoft-Windows-SMBClient
Channel: Analytic
Opcode: Info

Description

SMB registry key: RegName = RegValue.

Message #

SMB registry key: %1 = %2

Fields #

Name	Description
`RegName` UnicodeString	—
`RegValue` UInt32	—

Event ID 30501 — SMB update file info cache: RxContext RxContext Fcb Fcb FileName FileName.

Provider: Microsoft-Windows-SMBClient
Channel: Analytic
Opcode: Info

Description

SMB update file info cache: RxContext RxContext Fcb Fcb FileName FileName.

Message #

SMB update file info cache: RxContext %1 Fcb %2 FileName %4

Fields #

Name	Description
`RxContext` Pointer	—
`Fcb` Pointer	—
`FileNameLength` UInt16	—
`FileName` UnicodeString	—
`Status` UInt32	— NTSTATUS reference

Event ID 30502 — SMB fetch file info cache: RxContext RxContext Fcb Fcb FileName FileName Status Status.

Provider: Microsoft-Windows-SMBClient
Channel: Analytic
Opcode: Info

Description

SMB fetch file info cache: RxContext RxContext Fcb Fcb FileName FileName Status Status.

Message #

SMB fetch file info cache: RxContext %1 Fcb %2 FileName %4 Status %5

Fields #

Name	Description
`RxContext` Pointer	—
`Fcb` Pointer	—
`FileNameLength` UInt16	—
`FileName` UnicodeString	—
`Status` UInt32	— NTSTATUS reference

Event ID 30503 — SMB invalidate file info cache: RxContext RxContext Fcb Fcb FileName FileName.

Provider: Microsoft-Windows-SMBClient
Channel: Analytic
Opcode: Info

Description

SMB invalidate file info cache: RxContext RxContext Fcb Fcb FileName FileName.

Message #

SMB invalidate file info cache: RxContext %1 Fcb %2 FileName %4

Fields #

Name	Description
`RxContext` Pointer	—
`Fcb` Pointer	—
`FileNameLength` UInt16	—
`FileName` UnicodeString	—
`Status` UInt32	— NTSTATUS reference

Event ID 30504 — SMB update file not found cache: RxContext RxContext Fcb Fcb FileName FileName.

Provider: Microsoft-Windows-SMBClient
Channel: Analytic
Opcode: Info

Description

SMB update file not found cache: RxContext RxContext Fcb Fcb FileName FileName.

Message #

SMB update file not found cache: RxContext %1 Fcb %2 FileName %4

Fields #

Name	Description
`RxContext` Pointer	—
`Fcb` Pointer	—
`FileNameLength` UInt16	—
`FileName` UnicodeString	—
`Status` UInt32	— NTSTATUS reference

Event ID 30505 — SMB fetch file not found cache: RxContext RxContext Fcb Fcb FileName FileName Result Status.

Provider: Microsoft-Windows-SMBClient
Channel: Analytic
Opcode: Info

Description

SMB fetch file not found cache: RxContext RxContext Fcb Fcb FileName FileName Result Status.

Message #

SMB fetch file not found cache: RxContext %1 Fcb %2 FileName %4 Result %5

Fields #

Name	Description
`RxContext` Pointer	—
`Fcb` Pointer	—
`FileNameLength` UInt16	—
`FileName` UnicodeString	—
`Status` UInt32	— NTSTATUS reference

Event ID 30506 — SMB invalidate file not found cache: RxContext RxContext Fcb Fcb FileName FileName.

Provider: Microsoft-Windows-SMBClient
Channel: Analytic
Opcode: Info

Description

SMB invalidate file not found cache: RxContext RxContext Fcb Fcb FileName FileName.

Message #

SMB invalidate file not found cache: RxContext %1 Fcb %2 FileName %4

Fields #

Name	Description
`RxContext` Pointer	—
`Fcb` Pointer	—
`FileNameLength` UInt16	—
`FileName` UnicodeString	—
`Status` UInt32	— NTSTATUS reference

Event ID 30507 — SMB populate dir cache: RxContext RxContext Fcb Fcb DirName FileName.

Provider: Microsoft-Windows-SMBClient
Channel: Analytic
Opcode: Info

Description

SMB populate dir cache: RxContext RxContext Fcb Fcb DirName FileName.

Message #

SMB populate dir cache: RxContext %1 Fcb %2 DirName %4

Fields #

Name	Description
`RxContext` Pointer	—
`Fcb` Pointer	—
`FileNameLength` UInt16	—
`FileName` UnicodeString	—
`Status` UInt32	— NTSTATUS reference

Event ID 30508 — SMB fetch dir cache: RxContext RxContext Fcb Fcb FileName FileName Status Status.

Provider: Microsoft-Windows-SMBClient
Channel: Analytic
Opcode: Info

Description

SMB fetch dir cache: RxContext RxContext Fcb Fcb FileName FileName Status Status.

Message #

SMB fetch dir cache: RxContext %1 Fcb %2 FileName %4 Status %5

Fields #

Name	Description
`RxContext` Pointer	—
`Fcb` Pointer	—
`FileNameLength` UInt16	—
`FileName` UnicodeString	—
`Status` UInt32	— NTSTATUS reference

Event ID 30600 — Session Object to ObjectName transitioned from [OldState] to [NewState] with Status Status.

Provider: Microsoft-Windows-SMBClient
Channel: ObjectStateDiagnostic
Opcode: Info

Description

Session Object to ObjectName transitioned from [OldState] to [NewState] with Status Status.

Message #

Session %1 to %6 transitioned from [%2] to [%3] with Status %4

Fields #

Name	Description
`Object` Pointer	—
`OldState` UInt16	—
`NewState` UInt16	—
`Status` UInt32	— NTSTATUS reference
`NameLength` UInt16	—
`ObjectName` UnicodeString	—

Event ID 30601 — Share connection Object to ObjectName transitioned from [OldState] to [NewState] with Status Status.

Provider: Microsoft-Windows-SMBClient
Channel: ObjectStateDiagnostic
Opcode: Info

Description

Share connection Object to ObjectName transitioned from [OldState] to [NewState] with Status Status.

Message #

Share connection %1 to %6 transitioned from [%2] to [%3] with Status %4

Fields #

Name	Description
`Object` Pointer	—
`OldState` UInt16	—
`NewState` UInt16	—
`Status` UInt32	— NTSTATUS reference
`NameLength` UInt16	—
`ObjectName` UnicodeString	—

Event ID 30603 — Open handle Object to ShareNameObjectName transitioned from [OldState] to [NewState] with Status Status.

Provider: Microsoft-Windows-SMBClient
Channel: ObjectStateDiagnostic
Opcode: Info

Description

Open handle Object to ShareNameObjectName transitioned from [OldState] to [NewState] with Status Status.

Message #

Open handle %1 to %10%12 transitioned from [%5] to [%6] with Status %7

Fields #

Name	Description
`Object` Pointer	—
`PersistentFID` UInt64	—
`VolatileFID` UInt64	—
`CreateGUID` GUID	—
`OldState` UInt16	—
`NewState` UInt16	—
`Status` UInt32	— NTSTATUS reference
`Reason` UInt32	—
`ShareNameLength` UInt16	—
`ShareName` UnicodeString	—
`ObjectNameLength` UInt16	—
`ObjectName` UnicodeString	—
`PreviousStatus` UInt32	—
`PreviousReason` UInt32	—

Event ID 30604 — The local computer didn't received an SMB1 negotiate response in the last 20 minutes.

Provider: Microsoft-Windows-SMBClient
Channel: ObjectStateDiagnostic
Opcode: Info

Description

The local computer didn't received an SMB1 negotiate response in the last 20 minutes.n.

Message #

The local computer didn't received an SMB1 negotiate response in the last 20 minutes.n
Guidance:

This event indicates that no attempt was made to contact this computer via the SMB1 protocol. After %1 online days of no SMB1 contact attempts, the SMB1 Client service will automatically uninstall.

Fields #

Name	Description
`Days` UInt32	—

Event ID 30611 — Failed to reconnect a persistent handle.

Provider: Microsoft-Windows-SMBClient
Channel: Operational
Opcode: Info

Description

Failed to reconnect a persistent handle.

Message #

Failed to reconnect a persistent handle.

Error: %7

FileId: %2:%3
CreateGUID: %4
Path: %10%12

Reason: %8

Previous reconnect error: %13
Previous reconnect reason: %14

Guidance:
A persistent handle allows transparent failover on Windows File Server clusters. This event has many causes and does not always indicate an issue with SMB. Review online documentation for troubleshooting information.

Fields #

Name	Description
`Object` Pointer	—
`PersistentFID` UInt64	—
`VolatileFID` UInt64	—
`CreateGUID` GUID	—
`OldState` UInt16	—
`NewState` UInt16	—
`Status` UInt32	— NTSTATUS reference
`Reason` UInt32	—
`ShareNameLength` UInt16	—
`ShareName` UnicodeString	—
`ObjectNameLength` UInt16	—
`ObjectName` UnicodeString	—
`PreviousStatus` UInt32	—
`PreviousReason` UInt32	—

Event ID 30612 — Failed to reconnect a resilient handle.

Provider: Microsoft-Windows-SMBClient
Channel: Operational
Opcode: Info

Description

Failed to reconnect a resilient handle.

Message #

Failed to reconnect a resilient handle.

Error: %7

FileId: %2:%3
Path: %10%12

Reason: %8.

Previous reconnect error: %13
Previous reconnect reason: %14

Guidance:
A resilient handle provides guarantees to applications requesting it. This event has many causes and does not always indicate an issue with SMB. Review online documentation for troubleshooting information.

Fields #

Name	Description
`Object` Pointer	—
`PersistentFID` UInt64	—
`VolatileFID` UInt64	—
`CreateGUID` GUID	—
`OldState` UInt16	—
`NewState` UInt16	—
`Status` UInt32	— NTSTATUS reference
`Reason` UInt32	—
`ShareNameLength` UInt16	—
`ShareName` UnicodeString	—
`ObjectNameLength` UInt16	—
`ObjectName` UnicodeString	—
`PreviousStatus` UInt32	—
`PreviousReason` UInt32	—

Event ID 30613 — Failed to open a persistent handle.

Provider: Microsoft-Windows-SMBClient
Channel: Operational
Opcode: Info

Description

Failed to open a persistent handle.

Message #

Failed to open a persistent handle.

Error: %7

FileId: %2:%3
CreateGUID: %4
Path: %10%12

Reason: %8

Guidance:
A persistent handle allows transparent failover on Windows File Server clusters. This event has many causes and does not always indicate an issue with SMB. Review online documentation for troubleshooting information.

Fields #

Name	Description
`Object` Pointer	—
`PersistentFID` UInt64	—
`VolatileFID` UInt64	—
`CreateGUID` GUID	—
`OldState` UInt16	—
`NewState` UInt16	—
`Status` UInt32	— NTSTATUS reference
`Reason` UInt32	—
`ShareNameLength` UInt16	—
`ShareName` UnicodeString	—
`ObjectNameLength` UInt16	—
`ObjectName` UnicodeString	—
`PreviousStatus` UInt32	—
`PreviousReason` UInt32	—

Event ID 30614 — Persistent handle {PersistentFID}:{VolatileFID} CreateGUID {CreateGUID} to {Object}0{Object}2 was orphaned.

Provider: Microsoft-Windows-SMBClient
Channel: Operational

Description

Persistent handle {PersistentFID}:{VolatileFID} CreateGUID {CreateGUID} to {Object}0{Object}2 was orphaned.

Message #

Persistent handle {PersistentFID}:{VolatileFID} CreateGUID {CreateGUID} to {Object}0{Object}2 was orphaned.

Fields #

Name	Description
`PersistentFID`	—
`VolatileFID`	—
`CreateGUID`	—
`Object`	—

Event ID 30615 — Resilient handle {PersistentFID}:{VolatileFID} to {Object}0{Object}2 was orphaned.

Provider: Microsoft-Windows-SMBClient
Channel: Operational

Description

Resilient handle {PersistentFID}:{VolatileFID} to {Object}0{Object}2 was orphaned.

Message #

Resilient handle {PersistentFID}:{VolatileFID} to {Object}0{Object}2 was orphaned.

Fields #

Name	Description
`PersistentFID`	—
`VolatileFID`	—
`Object`	—

Event ID 30620 — Connection to server {ServerName} IP Address {RemoteAddress} was aborted.

Provider: Microsoft-Windows-SMBClient
Channel: Operational

Description

Connection to server {ServerName} IP Address {RemoteAddress} was aborted.

Message #

Connection to server {ServerName} IP Address {RemoteAddress} was aborted.

Fields #

Name	Description
`ServerName`	—
`RemoteAddress`	—

Event ID 30621 — Session to server {ObjectName} was lost Status {Status}.

Provider: Microsoft-Windows-SMBClient
Channel: Operational

Description

Session to server {ObjectName} was lost Status {Status}.

Message #

Session to server {ObjectName} was lost Status {Status}

Fields #

Name	Description
`ObjectName`	—
`Status`	— NTSTATUS reference

Event ID 30622 — Session to server {ObjectName} was re-established.

Provider: Microsoft-Windows-SMBClient
Channel: Operational
Collection Priority: Recommended (Microsoft-WEF)

Description

Session to server {ObjectName} was re-established.

Message #

Session to server {ObjectName} was re-established.

Fields #

Name	Description
`ObjectName`	—

Event ID 30623 — Connection to share {ObjectName} was lost.

Provider: Microsoft-Windows-SMBClient
Channel: Operational

Description

Connection to share {ObjectName} was lost. Status {Status}.

Message #

Connection to share {ObjectName} was lost. Status {Status}

Fields #

Name	Description
`ObjectName`	—
`Status`	— NTSTATUS reference

Event ID 30624 — Connection to share {ObjectName} was re-established.

Provider: Microsoft-Windows-SMBClient
Channel: Operational
Collection Priority: Recommended (Microsoft-WEF)

Description

Connection to share {ObjectName} was re-established.

Message #

Connection to share {ObjectName} was re-established.

Fields #

Name	Description
`ObjectName`	—

Event ID 30625 — Handle {PersistentFID}:{VolatileFID} CreateGUID {CreateGUID} to {Object}0{Object}2 granted without persistence.

Provider: Microsoft-Windows-SMBClient
Channel: Operational

Description

Handle {PersistentFID}:{VolatileFID} CreateGUID {CreateGUID} to {Object}0{Object}2 granted without persistence.

Message #

Handle {PersistentFID}:{VolatileFID} CreateGUID {CreateGUID} to {Object}0{Object}2 granted without persistence.

Fields #

Name	Description
`PersistentFID`	—
`VolatileFID`	—
`CreateGUID`	—
`Object`	—

Event ID 30626 — The SMB client received a request to move file server cluster {ServerName} to IP address {RemoteAddress}.

Provider: Microsoft-Windows-SMBClient
Channel: Operational

Description

The SMB client received a request to move file server cluster {ServerName} to IP address {RemoteAddress}.

Message #

The SMB client received a request to move file server cluster {ServerName} to IP address {RemoteAddress}

Fields #

Name	Description
`ServerName`	—
`RemoteAddress`	—

Event ID 30627 — The SMB client successfully moved file server cluster {ServerName} to IP address {RemoteAddress}.

Provider: Microsoft-Windows-SMBClient
Channel: Operational

Description

The SMB client successfully moved file server cluster {ServerName} to IP address {RemoteAddress}.

Message #

The SMB client successfully moved file server cluster {ServerName} to IP address {RemoteAddress}

Fields #

Name	Description
`ServerName`	—
`RemoteAddress`	—

Event ID 30628 — The SMB client failed to move file server cluster {ServerName}.

Provider: Microsoft-Windows-SMBClient
Channel: Operational

Description

The SMB client failed to move file server cluster {ServerName}. Error: {Status}.

Message #

The SMB client failed to move file server cluster {ServerName}. Error: {Status}

Fields #

Name	Description
`ServerName`	—
`Status`	— NTSTATUS reference

Event ID 30700 — The server {ServerName} does not support multichannel.

Provider: Microsoft-Windows-SMBClient
Channel: Operational

Description

The server {ServerName} does not support multichannel.

Message #

The server {ServerName} does not support multichannel

Fields #

Name	Description
`ServerName`	—

Event ID 30701 — An invalid FSCTL_QUERY_NETWORK_INTERFACE_INFO response was sent by the server ServerName.

Provider: Microsoft-Windows-SMBClient
Channel: ObjectStateDiagnostic
Opcode: Info

Description

An invalid FSCTL_QUERY_NETWORK_INTERFACE_INFO response was sent by the server ServerName.

Message #

An invalid FSCTL_QUERY_NETWORK_INTERFACE_INFO response was sent by the server %2

Fields #

Name	Description
`ServerNameLength` UInt16	—
`ServerName` UnicodeString	—

Event ID 30702 — The client failed to connect to the server ServerName from the local IP address LocalAddress to the remote IP address RemoteAddress over TCP transport.

Provider: Microsoft-Windows-SMBClient
Channel: ObjectStateDiagnostic
Opcode: Info

Description

The client failed to connect to the server ServerName from the local IP address LocalAddress to the remote IP address RemoteAddress over TCP transport. Error: Status.

Message #

The client failed to connect to the server %2 from the local IP address %4 to the remote IP address %6 over TCP transport. Error: %7

Fields #

Name	Description
`ServerNameLength` UInt16	—
`ServerName` UnicodeString	—
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`Status` UInt32	— NTSTATUS reference

Event ID 30703 — The client failed to connect to the server ServerName from the local IP address LocalAddress to the remote IP address RemoteAddress over RDMA transport.

Provider: Microsoft-Windows-SMBClient
Channel: ObjectStateDiagnostic
Opcode: Info

Description

The client failed to connect to the server ServerName from the local IP address LocalAddress to the remote IP address RemoteAddress over RDMA transport. Error: Status.

Message #

The client failed to connect to the server %2 from the local IP address %4 to the remote IP address %6 over RDMA transport. Error: %7

Fields #

Name	Description
`ServerNameLength` UInt16	—
`ServerName` UnicodeString	—
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`Status` UInt32	— NTSTATUS reference

Event ID 30704 — The client connected to the server ServerName from the local IP address LocalAddress to the remote IP address RemoteAddress over TCP transport successfully.

Provider: Microsoft-Windows-SMBClient
Channel: ObjectStateDiagnostic
Opcode: Info

Description

The client connected to the server ServerName from the local IP address LocalAddress to the remote IP address RemoteAddress over TCP transport successfully.

Message #

The client connected to the server %2 from the local IP address %4 to the remote IP address %6 over TCP transport successfully

Fields #

Name	Description
`ServerNameLength` UInt16	—
`ServerName` UnicodeString	—
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`Status` UInt32	— NTSTATUS reference

Event ID 30705 — The client connected to the server ServerName from the local IP address LocalAddress to the remote IP address RemoteAddress over RDMA transport successfully.

Provider: Microsoft-Windows-SMBClient
Channel: ObjectStateDiagnostic
Opcode: Info

Description

The client connected to the server ServerName from the local IP address LocalAddress to the remote IP address RemoteAddress over RDMA transport successfully.

Message #

The client connected to the server %2 from the local IP address %4 to the remote IP address %6 over RDMA transport successfully

Fields #

Name	Description
`ServerNameLength` UInt16	—
`ServerName` UnicodeString	—
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`Status` UInt32	— NTSTATUS reference

Event ID 30706 — The client can not connect to the server {ServerName} due to a multichannel constraint registry setting.

Provider: Microsoft-Windows-SMBClient
Channel: Operational

Description

The client can not connect to the server {ServerName} due to a multichannel constraint registry setting.

Message #

The client can not connect to the server {ServerName} due to a multichannel constraint registry setting

Fields #

Name	Description
`ServerName`	—

Event ID 30800 — The server name cannot be resolved.

Provider: Microsoft-Windows-SMBClient
Channel: Connectivity
Level: Error
Opcode: Info

Description

The server name cannot be resolved.

Message #

The server name cannot be resolved.

Error: %2

Server name: %4

Guidance:
The client cannot resolve the server address in DNS or WINS. This issue often manifests immediately after joining a computer to the domain, when the client's DNS registration may not yet have propagated to all DNS servers. You should also expect this event at system startup on a DNS server (such as a domain controller) that points to itself for the primary DNS. You should validate the DNS client settings on this computer using IPCONFIG /ALL and NSLOOKUP.

Fields #

Name	Description
`Reason` UInt32	—
`Status` UInt32	— NTSTATUS reference
`ServerNameLength` UInt16	—
`ServerName` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-SMBClient",
    "guid": "988C59C5-0A1C-45B6-A555-0C62276E327D",
    "event_source_name": "",
    "event_id": 30800,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": 288230376151711808,
    "time_created": "2022-04-07T16:53:50.061721+00:00",
    "event_record_id": 19,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 592
    },
    "channel": "Microsoft-Windows-SmbClient/Connectivity",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Reason": 1,
    "Status": 3221226021,
    "ServerNameLength": 8,
    "ServerName": "lab.local"
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 30801 — Reason.

Provider: Microsoft-Windows-SMBClient
Channel: Connectivity
Opcode: Info

Message #

%1.

Error: %2

Server name: %4

Fields #

Name	Description
`Reason` UInt32	—
`Status` UInt32	— NTSTATUS reference
`ServerNameLength` UInt16	—
`ServerName` UnicodeString	—

Event ID 30802 — Reason.

Provider: Microsoft-Windows-SMBClient
Channel: Connectivity
Opcode: Info

Message #

%1.

Error: %2

Server name: %4

Fields #

Name	Description
`Reason` UInt32	—
`Status` UInt32	— NTSTATUS reference
`ServerNameLength` UInt16	—
`ServerName` UnicodeString	—

Event ID 30803 — Failed to establish a network connection.

Provider: Microsoft-Windows-SMBClient
Channel: Connectivity
Level: Error
Opcode: Info

Description

Failed to establish a network connection.

Message #

Failed to establish a network connection.

Error: %2

Server name: %4
Server address: %6!S!
Connection type: %7

Guidance:
This indicates a problem with the underlying network or transport, such as with TCP/IP, and not with SMB. A firewall that blocks TCP port 445, or TCP port 5445 when using an iWARP RDMA adapter, can also cause this issue.

Fields #

Name	Description
`Reason` UInt32	—
`Status` UInt32	— NTSTATUS reference
`ServerNameLength` UInt16	—
`ServerName` UnicodeString	—
`AddressLength` UInt32	—
`RemoteAddress` Binary	—
`LocalAddress` Binary	—
`InstanceNameLength` UInt16	—
`InstanceName` UnicodeString	—
`ConnectionType` UInt32	—
`PortSelectionOrigin` UInt32	—
`ConnectionIdSize` UInt32	—
`ConnectionId` Binary	—
`ClientCertSha1HashSize` UInt32	—
`ClientCertSha1Hash` Binary	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-SMBClient",
    "guid": "988C59C5-0A1C-45B6-A555-0C62276E327D",
    "event_source_name": "",
    "event_id": 30803,
    "version": 2,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": 288230376151711808,
    "time_created": "2026-02-17T05:21:07.002021+00:00",
    "event_record_id": 35,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 12828
    },
    "channel": "Microsoft-Windows-SmbClient/Connectivity",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Reason": 0,
    "Status": 3221226045,
    "ServerNameLength": 25,
    "ServerName": "LAB-DC01.ludus.domain",
    "AddressLength": 16,
    "RemoteAddress": "020001BB0A020A0B0000000000000000",
    "LocalAddress": "00000000000000000000000000000000",
    "InstanceNameLength": 24,
    "InstanceName": "\\Device\\LanmanRedirector",
    "ConnectionType": 4
  },
  "message": ""
}

Event ID 30804 — A network connection was disconnected.

Provider: Microsoft-Windows-SMBClient
Channel: Connectivity
Level: Error
Opcode: Info

Description

A network connection was disconnected.

Message #

A network connection was disconnected.

Server name: %4
Server address: %6!S!
Connection type: %7

Guidance:
This indicates that the client's connection to the server was disconnected.

Frequent, unexpected disconnects when using an RDMA over Converged Ethernet (RoCE) adapter may indicate a network misconfiguration. RoCE requires Priority Flow Control (PFC) to be configured for every host, switch and router on the RoCE network. Failure to properly configure PFC will cause packet loss, frequent disconnects and poor performance.

Fields #

Name	Description
`Reason` UInt32	—
`Status` UInt32	— NTSTATUS reference
`InstanceNameLength` UInt16	—
`InstanceName` UnicodeString	—
`ServerNameLength` UInt16	—
`ServerName` UnicodeString	—
`AddressLength` UInt32	—
`Address` Binary	—
`ConnectionType` UInt32	—
`InterfaceId` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-SMBClient",
    "guid": "988C59C5-0A1C-45B6-A555-0C62276E327D",
    "event_source_name": "",
    "event_id": 30804,
    "version": 2,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": 288230376151711808,
    "time_created": "2026-02-11T17:39:20.782502+00:00",
    "event_record_id": 30,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Microsoft-Windows-SmbClient/Connectivity",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Reason": 7,
    "Status": 3221225996,
    "InstanceNameLength": 24,
    "InstanceName": "\\Device\\LanmanRedirector",
    "ServerNameLength": 26,
    "ServerName": "\\LAB-DC01.ludus.domain",
    "AddressLength": 16,
    "Address": "020001BD0A020A0B0000000000000000",
    "ConnectionType": 1,
    "InterfaceId": 5
  },
  "message": ""
}

Event ID 30805 — The client lost its session to the server.

Provider: Microsoft-Windows-SMBClient
Channel: Connectivity
Level: Warning
Opcode: Info

Description

The client lost its session to the server.

Message #

The client lost its session to the server.

Error: %1

Server name: %5
Session ID: %2

Guidance:
If the server is a Windows Failover Cluster file server, then this message occurs when the file share moves between cluster nodes. There should also be an anti-event 30806 indicating the session to the server was re-established. If the server is not a failover cluster, it is likely that the server was previously online, but it is now inaccessible over the network.

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference
`SessionId` UInt64	—
`TreeId` UInt32	—
`ServerNameLength` UInt16	—
`ServerName` UnicodeString	—
`AddressLength` UInt32	—
`Address` Binary	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-SMBClient",
    "guid": "988C59C5-0A1C-45B6-A555-0C62276E327D",
    "event_source_name": "",
    "event_id": 30805,
    "version": 2,
    "level": 3,
    "task": 0,
    "opcode": 0,
    "keywords": 288230376151711808,
    "time_created": "2026-02-11T17:39:20.782525+00:00",
    "event_record_id": 31,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Microsoft-Windows-SmbClient/Connectivity",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Status": 3221225996,
    "SessionId": 21990366773273,
    "TreeId": 0,
    "ServerNameLength": 26,
    "ServerName": "\\LAB-DC01.ludus.domain",
    "AddressLength": 0,
    "Address": ""
  },
  "message": ""
}

Event ID 30806 — The client re-established its session to the server.

Provider: Microsoft-Windows-SMBClient
Channel: Connectivity
Level: Informational
Opcode: Info

Description

The client re-established its session to the server.

Message #

The client re-established its session to the server.

Server name: %5
Server address: %7!S!
Session ID: %2

Guidance:
You should expect this event if there was a previous event 30805, but the client successfully resumed the cached connection before the timeout expired.

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference
`SessionId` UInt64	—
`TreeId` UInt32	—
`ServerNameLength` UInt16	—
`ServerName` UnicodeString	—
`AddressLength` UInt32	—
`Address` Binary	—
`SigningUsed` Boolean	—
`EncryptionUsed` Boolean	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-SMBClient",
    "guid": "988C59C5-0A1C-45B6-A555-0C62276E327D",
    "event_source_name": "",
    "event_id": 30806,
    "version": 2,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 288230376151711808,
    "time_created": "2026-02-11T17:39:20.790247+00:00",
    "event_record_id": 33,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 3932
    },
    "channel": "Microsoft-Windows-SmbClient/Connectivity",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Status": 0,
    "SessionId": 21990366773289,
    "TreeId": 0,
    "ServerNameLength": 26,
    "ServerName": "\\LAB-DC01.ludus.domain",
    "AddressLength": 16,
    "Address": "020001BD0A020A0B0000000000000000"
  },
  "message": ""
}

Event ID 30807 — The connection to the share was lost.

Provider: Microsoft-Windows-SMBClient
Channel: Connectivity
Level: Warning
Opcode: Info

Description

The connection to the share was lost.

Message #

The connection to the share was lost.

Error: %1

Share name: %5
Session ID: %2
Tree ID: %3

Guidance:
If the server is a Windows Failover Cluster file server, then this message occurs when the file share moves between cluster nodes. There should also be an anti-event 30808 indicating the session to the server was re-established. If the server is not a failover cluster, it is likely that the server was previously online, but it is now inaccessible over the network.

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference
`SessionId` UInt64	—
`TreeId` UInt32	—
`ServerNameLength` UInt16	—
`ServerName` UnicodeString	—
`AddressLength` UInt32	—
`Address` Binary	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-SMBClient",
    "guid": "988C59C5-0A1C-45B6-A555-0C62276E327D",
    "event_source_name": "",
    "event_id": 30807,
    "version": 2,
    "level": 3,
    "task": 0,
    "opcode": 0,
    "keywords": 288230376151711808,
    "time_created": "2026-02-11T17:39:20.782531+00:00",
    "event_record_id": 32,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Microsoft-Windows-SmbClient/Connectivity",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Status": 3221225996,
    "SessionId": 21990366773273,
    "TreeId": 1,
    "ServerNameLength": 33,
    "ServerName": "\\LAB-DC01.ludus.domain\\sysvol",
    "AddressLength": 0,
    "Address": ""
  },
  "message": ""
}

Event ID 30808 — The connection to the share was re-established.

Provider: Microsoft-Windows-SMBClient
Channel: Connectivity
Level: Informational
Opcode: Info

Description

The connection to the share was re-established.

Message #

The connection to the share was re-established.

Share name: %5
Server address: %7!S!
Session ID: %2
Tree ID: %3

Guidance:
You should expect this event if there was a previous event 30807, but the client successfully resumed the cached connection before the timeout expired.

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference
`SessionId` UInt64	—
`TreeId` UInt32	—
`ServerNameLength` UInt16	—
`ServerName` UnicodeString	—
`AddressLength` UInt32	—
`Address` Binary	—
`SigningUsed` Boolean	—
`EncryptionUsed` Boolean	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-SMBClient",
    "guid": "988C59C5-0A1C-45B6-A555-0C62276E327D",
    "event_source_name": "",
    "event_id": 30808,
    "version": 2,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 288230376151711808,
    "time_created": "2026-02-11T17:39:20.790983+00:00",
    "event_record_id": 34,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 1000
    },
    "channel": "Microsoft-Windows-SmbClient/Connectivity",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Status": 0,
    "SessionId": 21990366773289,
    "TreeId": 1,
    "ServerNameLength": 31,
    "ServerName": "\\LAB-DC01.ludus.domain\\IPC$",
    "AddressLength": 16,
    "Address": "020001BD0A020A0B0000000000000000"
  },
  "message": ""
}

Event ID 30809 — A request timed out because there was no response from the server.

Provider: Microsoft-Windows-SMBClient
Channel: Connectivity
Opcode: Info

Description

A request timed out because there was no response from the server.

Message #

A request timed out because there was no response from the server.

Server name: %6
Session ID:%3
Tree ID:%4
Message ID:%2
Command: %1
Instance Name: %9
RetryCount: %10
ElapsedTime(ms): %11

Guidance:
The server is responding over TCP but not over SMB. Ensure the Server service is running and responsive, and the disks do not have high per-IO latency, which makes the disks appear unresponsive to SMB. Also, ensure the server is responsive overall and not paused; for instance, make sure you can log on to it.

Fields #

Name	Description
`Smb2Command` UInt16	—
`MessageId` UInt64	—
`SessionId` UInt64	—
`TreeId` UInt32	—
`ServerNameLength` UInt16	—
`ServerName` UnicodeString	—
`Status` UInt32	— NTSTATUS reference
`InstanceNameLength` UInt16	—
`InstanceName` UnicodeString	—
`RetryCount` UInt32	—
`ElapsedTimeInMs` UInt32	—

Event ID 30810 — Added a TCP/IP transport interface.

Provider: Microsoft-Windows-SMBClient
Channel: Connectivity
Level: Informational
Opcode: Info

Description

Added a TCP/IP transport interface.

Message #

Added a TCP/IP transport interface.

Name: %2
InterfaceIndex: %3

Guidance:
A TCP/IP binding was added to the specified network adapter for the SMB client. The SMB client can now send and receive SMB traffic on this network adapter using TCP/IP. You should expect this event when a computer restarts or when a previously disabled network adaptor is re-enabled. No user action is required.

Fields #

Name	Description
`NameLength` UInt16	—
`Name` UnicodeString	—
`IfIndex` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-SMBClient",
    "guid": "988C59C5-0A1C-45B6-A555-0C62276E327D",
    "event_source_name": "",
    "event_id": 30810,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 288230376151711808,
    "time_created": "2023-11-06T06:25:42.647569+00:00",
    "event_record_id": 86,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 428
    },
    "channel": "Microsoft-Windows-SmbClient/Connectivity",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "NameLength": 9,
    "Name": "Ethernet1",
    "IfIndex": 4
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 30811 — Deleted a TCP/IP transport interface.

Provider: Microsoft-Windows-SMBClient
Channel: Connectivity
Level: Informational
Opcode: Info

Description

Deleted a TCP/IP transport interface.

Message #

Deleted a TCP/IP transport interface.

Name: %2
InterfaceIndex: %3

Guidance:
A TCP/IP binding was removed from the specified network adapter for the SMB client. You should expect this event when a computer shuts down or when a previously enabled network adaptor is disabled. No user action is required.

Fields #

Name	Description
`NameLength` UInt16	—
`Name` UnicodeString	—
`IfIndex` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-SMBClient",
    "guid": "988C59C5-0A1C-45B6-A555-0C62276E327D",
    "event_source_name": "",
    "event_id": 30811,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 288230376151711808,
    "time_created": "2023-11-06T06:25:42.599960+00:00",
    "event_record_id": 84,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 428
    },
    "channel": "Microsoft-Windows-SmbClient/Connectivity",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "NameLength": 9,
    "Name": "Ethernet1",
    "IfIndex": 4
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 30812 — Added a TDI transport interface.

Provider: Microsoft-Windows-SMBClient
Channel: Connectivity
Level: Informational
Opcode: Info

Description

Added a TDI transport interface.

Message #

Added a TDI transport interface.

Name: %2

Guidance:
A TDI (NetBIOS) binding was added to the specified network adapter for the SMB client. The SMB client can now send and receive SMB traffic on this network adapter using TDI. You should expect this event when a computer restarts or when a previously disabled network adaptor is re-enabled. No user action is required.

Fields #

Name	Description
`ServerNameLength` UInt16	—
`ServerName` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-SMBClient",
    "guid": "988C59C5-0A1C-45B6-A555-0C62276E327D",
    "event_source_name": "",
    "event_id": 30812,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 288230376151711808,
    "time_created": "2023-11-06T06:25:42.665527+00:00",
    "event_record_id": 88,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 224
    },
    "channel": "Microsoft-Windows-SmbClient/Connectivity",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "ServerNameLength": 58,
    "ServerName": "\\Device\\NetBT_Tcpip_{3D03B11E-98A0-4304-84E2-CD3AAE8EFE1D}"
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 30813 — Deleted a TDI transport interface.

Provider: Microsoft-Windows-SMBClient
Channel: Connectivity
Level: Informational
Opcode: Info

Description

Deleted a TDI transport interface.

Message #

Deleted a TDI transport interface.

Name: %2

Guidance:
A TDI (NetBIOS) binding was removed from the specified network adapter for the SMB client. You should expect this event when a computer shuts down or when a previously enabled network adaptor is disabled. No user action is required.

Fields #

Name	Description
`ServerNameLength` UInt16	—
`ServerName` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-SMBClient",
    "guid": "988C59C5-0A1C-45B6-A555-0C62276E327D",
    "event_source_name": "",
    "event_id": 30813,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 288230376151711808,
    "time_created": "2023-11-06T06:25:42.600171+00:00",
    "event_record_id": 85,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 224
    },
    "channel": "Microsoft-Windows-SmbClient/Connectivity",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "ServerNameLength": 58,
    "ServerName": "\\Device\\NetBT_Tcpip_{3D03B11E-98A0-4304-84E2-CD3AAE8EFE1D}"
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 30814 — Witness registration has completed.

Provider: Microsoft-Windows-SMBClient
Channel: Connectivity
Opcode: Info

Description

Witness registration has completed.

Message #

Witness registration has completed.

Status: %1

Cluster share name: %4
Cluster share type: %2
File server cluster address: %6!S!

Guidance:
The client successfully registered with the SMB Witness through RPC using TCP (port 135, then an endpoint port above 1023). No action is required.

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference
`ShareType` UInt8	—
`NameLength` UInt16	—
`Name` UnicodeString	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—

Event ID 30815 — Witness deregistration has completed.

Provider: Microsoft-Windows-SMBClient
Channel: Connectivity
Opcode: Info

Description

Witness deregistration has completed.

Message #

Witness deregistration has completed.

Status: %1

Cluster share name: %4
Cluster share type: %2

Guidance:
The client successfully de-registered with the SMB Witness through RPC using TCP (port 135, then an endpoint port above 1023). No action is required.

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference
`ShareType` UInt8	—
`NameLength` UInt16	—
`Name` UnicodeString	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—

Event ID 30816 — The server failed the negotiate request.

Provider: Microsoft-Windows-SMBClient
Channel: Connectivity
Opcode: Info

Description

The server failed the negotiate request.

Message #

The server failed the negotiate request.

Error: %2

Server name: %4

Guidance:
The server does not support any dialect that the client is trying to negotiate, such as the client has SMB2/SMB3 disabled and the server has SMB1 disabled.

Fields #

Name	Description
`Reason` UInt32	—
`Status` UInt32	— NTSTATUS reference
`ServerNameLength` UInt16	—
`ServerName` UnicodeString	—

Event ID 30817 — Close request failed.

Provider: Microsoft-Windows-SMBClient
Channel: Connectivity
Opcode: Info

Description

Close request failed.

Message #

Close request failed.

Error: %2

Path: %4%6

Guidance:
A persistent handle (Continuous Availability) or a resilient handle failed to close.

Fields #

Name	Description
`Reason` UInt32	—
`Status` UInt32	— NTSTATUS reference
`ShareNameLength` UInt16	—
`ShareName` UnicodeString	—
`ObjectNameLength` UInt16	—
`ObjectName` UnicodeString	—

Event ID 30818 — RDMA interfaces are available but the client failed to connect to the server over RDMA transport.

Provider: Microsoft-Windows-SMBClient
Channel: Connectivity
Opcode: Info

Description

RDMA interfaces are available but the client failed to connect to the server over RDMA transport.

Message #

RDMA interfaces are available but the client failed to connect to the server over RDMA transport.

Server name: %2

Guidance:
Both client and server have RDMA (SMB Direct) adaptors but there was a problem with the connection and the client had to fall back to using TCP/IP SMB (non-RDMA).

Fields #

Name	Description
`ServerNameLength` UInt16	—
`ServerName` UnicodeString	—

Event ID 30819 — The SMB client received a request to move to a different node on a file server cluster.

Provider: Microsoft-Windows-SMBClient
Channel: Connectivity
Opcode: Info

Description

The SMB client received a request to move to a different node on a file server cluster.

Message #

The SMB client received a request to move to a different node on a file server cluster.

File server cluster name: %4
New file server cluster address: %6!S!

Guidance:
Continuous Availability (Transparent Failover) is in use and the client computer is going to move to a different node after an SMB witness request over RPC using TCP (first contacting port 135, then contacting an endpoint port above 1023). No user action is required.

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference
`ShareType` UInt8	—
`NameLength` UInt16	—
`Name` UnicodeString	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—

Event ID 30820 — The SMB client successfully moved to a different node on a file server cluster.

Provider: Microsoft-Windows-SMBClient
Channel: Connectivity
Opcode: Info

Description

The SMB client successfully moved to a different node on a file server cluster.

Message #

The SMB client successfully moved to a different node on a file server cluster.

File server cluster name: %4
 New file server cluster address: %6!S!

Guidance:
Continuous Availability (Transparent Failover) is in use and the client computer successfully moved to a different node after an SMB witness request over RPC using TCP (first contacting port 135, then contacting an endpoint port above 1023). No user action is required.

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference
`ShareType` UInt8	—
`NameLength` UInt16	—
`Name` UnicodeString	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—

Event ID 30821 — The SMB client failed to move to a different node on a file server cluster.

Provider: Microsoft-Windows-SMBClient
Channel: Connectivity
Opcode: Info

Description

The SMB client failed to move to a different node on a file server cluster.

Message #

The SMB client failed to move to a different node on a file server cluster.

Error: %1

File server cluster name: %4

Guidance:
Continuous Availability (Transparent Failover) is in use and the client computer failed to move to a different node after an SMB witness request over RPC using TCP (first contacting port 135, then contacting an endpoint port above 1023). The attempt to connect to the destination server failed, which is typically due to a network configuration issue. For example, this issue may occur if the destination node's IP address cannot be resolved, if the destination node is behind a firewall, or if there is no network route from the client to the node.

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference
`ShareType` UInt8	—
`NameLength` UInt16	—
`Name` UnicodeString	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—

Event ID 30822 — Failed to establish an SMB multichannel network connection.

Provider: Microsoft-Windows-SMBClient
Channel: Connectivity
Opcode: Info

Description

Failed to establish an SMB multichannel network connection.

Message #

Failed to establish an SMB multichannel network connection.

Error: %2

Server name: %4
Server address: %6!S!
Client address: %7!S!
Instance name: %9
Connection type: %10

Guidance:
This indicates a problem with the underlying network or transport, such as with TCP/IP or QUIC/UDP, and not with SMB. A firewall that blocks TCP port 445 or UDP port 443 or TCP port 5445 when using an iWARP RDMA adapter can also cause this issue. Since the error occurred while trying to connect extra channels, it will not result in an application error. This event is for diagnostics only.

Fields #

Name	Description
`Reason` UInt32	—
`Status` UInt32	— NTSTATUS reference
`ServerNameLength` UInt16	—
`ServerName` UnicodeString	—
`AddressLength` UInt32	—
`RemoteAddress` Binary	—
`LocalAddress` Binary	—
`InstanceNameLength` UInt16	—
`InstanceName` UnicodeString	—
`ConnectionType` UInt32	—
`PortSelectionOrigin` UInt32	—

Event ID 30823 — The connection was terminated due to one or more IO request timeouts.

Provider: Microsoft-Windows-SMBClient
Channel: Connectivity
Opcode: Info

Description

The connection was terminated due to one or more IO request timeouts.

Message #

The connection was terminated due to one or more IO request timeouts.

Error: %2

Name: %4
Server address: %6!S!
Client address: %7!S!
Instance name: %9
Connection type: %10

Guidance:
This indicates a problem with the underlying network or the storage stack on the remote server. IO operations were not completed within the allotted time. The application may not see this failure because IOs are usually retried on a different connection. This event is for diagnostics only.

Fields #

Name	Description
`Reason` UInt32	—
`Status` UInt32	— NTSTATUS reference
`ServerNameLength` UInt16	—
`ServerName` UnicodeString	—
`AddressLength` UInt32	—
`RemoteAddress` Binary	—
`LocalAddress` Binary	—
`InstanceNameLength` UInt16	—
`InstanceName` UnicodeString	—
`ConnectionType` UInt32	—

Event ID 30824 — The connection was forcibly disconnected.

Provider: Microsoft-Windows-SMBClient
Channel: Connectivity
Opcode: Info

Description

The connection was forcibly disconnected.

Message #

The connection was forcibly disconnected. 

Error: %2

Name: %4

Server address: %6!S!
Client address: %7!S!
Instance name: %9
Connection type: %10

Guidance:
This connection is disconnected to force existing requests to fail back as soon as possible. This is a fast-fail mechanism to allow upper layers to apply their recovery policies as soon as possible. This event is for diagnostics only.

Fields #

Name	Description
`Reason` UInt32	—
`Status` UInt32	— NTSTATUS reference
`ServerNameLength` UInt16	—
`ServerName` UnicodeString	—
`AddressLength` UInt32	—
`RemoteAddress` Binary	—
`LocalAddress` Binary	—
`InstanceNameLength` UInt16	—
`InstanceName` UnicodeString	—
`ConnectionType` UInt32	—

Event ID 30825 — The disconnect state on connection was cleared.

Provider: Microsoft-Windows-SMBClient
Channel: Connectivity
Opcode: Info

Description

The disconnect state on connection was cleared.

Message #

The disconnect state on connection was cleared 

Name: %3
Instance name: %5

Guidance:
Any persistent disconnect state on this connection is cleared. Any new IO will be sent to the server as usual. This event is for diagnostics only.

Fields #

Name	Description
`Reason` UInt32	—
`ServerNameLength` UInt16	—
`ServerName` UnicodeString	—
`InstanceNameLength` UInt16	—
`InstanceName` UnicodeString	—

Event ID 30826 — The SMB negotiate response processing failed on the client to determine the selected encryption cipher for the client and server.

Provider: Microsoft-Windows-SMBClient
Channel: Connectivity
Opcode: Info

Description

The SMB negotiate response processing failed on the client to determine the selected encryption cipher for the client and server. Please ensure there is a common cipher between the client and server.

Message #

The SMB negotiate response processing failed on the client to determine the selected encryption cipher for the client and server. Please ensure there is a common cipher between the client and server.

Client encryption cipher suite order (most to least preferred): %2
Server replied back with its selected encryption cipher ID: %4

Fields #

Name	Description
`ClientCipherSuiteOrderLength` UInt32	—
`ClientCipherSuiteOrder` UnicodeString	—
`ServerChosenEncryptionCipherLength` UInt32	—
`ServerChosenEncryptionCipher` UnicodeString	—

Event ID 30827 — Could not find a certificate mapping that matches the server name.

Provider: Microsoft-Windows-SMBClient
Channel: Connectivity

Description

Could not find a certificate mapping that matches the server name.

Message #

Could not find a certificate mapping that matches the server name. 

Connection type: %1
Server name: %3.

Fields #

Name	Description
`ConnectionType` UInt32	—
`ServerNameLength` UInt16	—
`ServerName` UnicodeString	—

Event ID 30828 — The client established its session to the server.

Provider: Microsoft-Windows-SMBClient
Channel: Connectivity
Opcode: Info

Description

The client established its session to the server.

Message #

The client established its session to the server.

Server name: %4
Server address: %6!S!
Client address: %8!S!
Session ID: %2

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference
`SessionId` UInt64	—
`ServerNameLength` UInt16	—
`ServerName` UnicodeString	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—

Event ID 30829 — The client failed to establish its session to the server.

Provider: Microsoft-Windows-SMBClient
Channel: Connectivity
Opcode: Info

Description

The client failed to establish its session to the server.

Message #

The client failed to establish its session to the server.

Error: %1

Server name: %4
Server address: %6!S!
Client address: %8!S!
Session ID: %2

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference
`SessionId` UInt64	—
`ServerNameLength` UInt16	—
`ServerName` UnicodeString	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—

Event ID 30830 — The SMB redirector selected the connection initiated with the following parameters.

Provider: Microsoft-Windows-SMBClient
Channel: Connectivity

Description

The SMB redirector selected the connection initiated with the following parameters.

Message #

The SMB redirector selected the connection initiated with the following parameters:

Server name: %2
Server socket address: %5
Client socket address: %7
Client certificate thumbprint: %12
Transport: %3
Instance Name: %9

Fields #

Name	Description
`ServerNameLength` UInt16	—
`ServerName` UnicodeString	—
`ConnectionType` UInt32	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`InstanceNameLength` UInt16	—
`InstanceName` UnicodeString	—
`PortSelectionOrigin` UInt32	—
`Status` HexInt32	— NTSTATUS reference
`ConnectionIdSize` UInt32	—
`ConnectionId` Binary	—
`ClientCertSha1HashSize` UInt32	—
`ClientCertSha1Hash` Binary	—

Event ID 30831 — The SMB client was denied access to the SMB server during mutual authentication.

Provider: Microsoft-Windows-SMBClient
Channel: Connectivity

Description

The SMB client was denied access to the SMB server during mutual authentication.

Message #

The SMB client was denied access to the SMB server during mutual authentication.

Server name: %2
Server socket address: %5
Client socket address: %7
Client certificate thumbprint: %11
Transport: %3
Instance Name: %9

Event ID 30832 — The SMB connection was successfully established.

Provider: Microsoft-Windows-SMBClient
Channel: Connectivity

Description

The SMB connection was successfully established.

Message #

The SMB connection was successfully established.

Server name: %2
Server socket address: %5
Client socket address: %7
Connection ID: %12
Client certificate thumbprint: %14
Transport: %3
Instance Name: %9
Port Origin: %10

Guidance:

The event occurs when server authentication succeeds. The connection may later be closed if client authentication fails or if the client is denied access to the server.

Event ID 30833 — The initial connection to the share was established.

Provider: Microsoft-Windows-SMBClient
Channel: Connectivity

Description

The initial connection to the share was established.

Message #

The initial connection to the share was established.

Share name: %5
Server address: %7!S!
Session ID: %2
Tree ID: %3
Transport type: %8
Signing used: %9
Encryption used: %10
Compression requested: %11
NTLM blocked: %12

Event ID 30834 — The client was unable to perform revocation checks on the server certificate chain.

Provider: Microsoft-Windows-SMBClient
Channel: Connectivity

Description

The client was unable to perform revocation checks on the server certificate chain. The connection will proceed.

Message #

The client was unable to perform revocation checks on the server certificate chain. The connection will proceed.

Verification Status: %1

Server name: %3
Server socket address: %6
Client socket address: %8
Connection ID: %13
Client certificate thumbprint: %15
Transport: %4
Instance Name: %10
Port Origin: %11

Event ID 30835 — Server authentication failed.

Provider: Microsoft-Windows-SMBClient
Channel: Connectivity

Description

Server authentication failed.

Message #

Server authentication failed.

Error: %1

Server name: %3
Server socket address: %6
Client socket address: %8
Connection ID: %13
Client certificate thumbprint: %15
Transport: %4
Instance Name: %10
Port Origin: %11

Event ID 30837 — The requested transport is disabled.

Provider: Microsoft-Windows-SMBClient
Channel: Connectivity

Description

The requested transport is disabled.

Message #

The requested transport is disabled.

Server name: %2
Server socket address: %5
Transport: %3

Event ID 30900 — The handle was created without persistence.

Provider: Microsoft-Windows-SMBClient
Channel: Operational
Opcode: Info

Description

The handle was created without persistence.

Message #

The handle was created without persistence.

File ID: %2:%3
CreateGUID: %4
Path: %10%12

Guidance:
The server supports Continuous Availability (persistent handles) and the request to create the handle succeeded. However, the server did not grant persistence. You should verify that the Resume Key Filter is running on the server and is attached to the target volume.

Fields #

Name	Description
`Object` Pointer	—
`PersistentFID` UInt64	—
`VolatileFID` UInt64	—
`CreateGUID` GUID	—
`OldState` UInt16	—
`NewState` UInt16	—
`Status` UInt32	— NTSTATUS reference
`Reason` UInt32	—
`ShareNameLength` UInt16	—
`ShareName` UnicodeString	—
`ObjectNameLength` UInt16	—
`ObjectName` UnicodeString	—
`PreviousStatus` UInt32	—
`PreviousReason` UInt32	—

Event ID 30904 — The server does not support multichannel.

Provider: Microsoft-Windows-SMBClient
Channel: Operational
Opcode: Info

Description

The server does not support multichannel.

Message #

The server does not support multichannel.

Server name: %2

Guidance:
The client attempted to use SMB Multichannel, but an administrator has disabled multichannel support on the server. This may also be a non-Microsoft file server that does not support multichannel or has multichannel disabled. You can enable SMB Multichannel on the server using this Windows PowerShell cmdlet: Set-SmbServerConfiguration -EnableMultiChannel:$true. This event does not apply to the multichannel settings of SMB client, which are controlled by the Set-SmbClientConfiguration Windows PowerShell cmdlet. Enabling or disabling client multichannel support does not affect server multichannel support.

Fields #

Name	Description
`ServerNameLength` UInt16	—
`ServerName` UnicodeString	—

Event ID 30905 — The client cannot connect to the server due to a multichannel constraint registry setting.

Provider: Microsoft-Windows-SMBClient
Channel: Operational
Opcode: Info

Description

The client cannot connect to the server due to a multichannel constraint registry setting.

Message #

The client cannot connect to the server due to a multichannel constraint registry setting.

Server name: %2

Guidance:
The client attempted to use SMB Multichannel, but an administrator has configured multichannel support to prevent multichannel on the client. You can configure SMB Multichannel on the client using the Windows PowerShell cmdlets: New-SmbMultichannelConstraint and Remove-SmbMultichannelConstraint.

Fields #

Name	Description
`ServerNameLength` UInt16	—
`ServerName` UnicodeString	—

Event ID 30906 — A request on persistent/resilient handle failed because the handle was invalid or it exceeded the timeout.

Provider: Microsoft-Windows-SMBClient
Channel: Operational
Opcode: Info

Description

A request on persistent/resilient handle failed because the handle was invalid or it exceeded the timeout.

Message #

A request on persistent/resilient handle failed because the handle was invalid or it exceeded the timeout.

Status: %7

Type: %1
Path: %4%6
Restart count: %2

Guidance:
After retrying a request on a Continuously Available (Persistent) handle or a Resilient handle, the client was unable to reconnect the handle. This event is the result of a handle recovery failure. Review other events for more details.

Fields #

Name	Description
`IrpCode` UInt8	—
`RestartCount` UInt32	—
`ShareNameLength` UInt16	—
`ShareName` UnicodeString	—
`ObjectNameLength` UInt16	—
`ObjectName` UnicodeString	—
`Status` UInt32	— NTSTATUS reference
`Reason` UInt32	—
`HistoryCount` UInt32	—

Event ID 30907 — The SMB Multichannel registry value is not configured with default settings.

Provider: Microsoft-Windows-SMBClient
Channel: Operational
Opcode: Info

Description

The SMB Multichannel registry value is not configured with default settings.

Message #

The SMB Multichannel registry value is not configured with default settings.

Default Registry Value:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters]
"DisableMultiChannel"=dword:0
Configured Registry Value:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters]
"DisableMultiChannel"=dword:%2

Guidance:
You can configure SMB Multichannel on the client using the Windows PowerShell cmdlet Set-SmbClientConfiguration. Disabling SMB client multichannel support is not a recommended configuration, as it can lead to degraded performance and decreased reliability if one channel or network path fails.

Fields #

Name	Description
`RegName` UnicodeString	—
`RegValue` UInt32	—

Event ID 30908 — The SMB 3 and SMB 2 driver is not configured with the default start type.

Provider: Microsoft-Windows-SMBClient
Channel: Operational
Opcode: Info

Description

The SMB 3 and SMB 2 driver is not configured with the default start type.

Message #

The SMB 3 and SMB 2 driver is not configured with the default start type.

Default Start Type: DEMAND_START
Configured Start Type: DISABLED

Guidance:
You should expect this event when disabling SMB2/SMB3 for the client using SC.EXE or editing the Windows registry. Microsoft does not recommend disabling SMB2/SMB3. Disabling SMB2/SMB3 prevents use of features such as SMB Transparent Failover, SMB Scale Out, SMB Multichannel, SMB Direct (RDMA), SMB Encryption, VSS for SMB file shares, and SMB Directory Leasing. SMB provides alternative troubleshooting workarounds to disabling SMB2/SMB3 in most cases.

Fields #

Name	Description
`RegName` UnicodeString	—
`RegValue` UInt32	—

Event ID 30909 — The client supports SMB Direct (RDMA) and SMB Signing is in use.

Provider: Microsoft-Windows-SMBClient
Channel: Operational
Opcode: Info

Description

The client supports SMB Direct (RDMA) and SMB Signing is in use.

Message #

The client supports SMB Direct (RDMA) and SMB Signing is in use.

Share name: %2

Guidance:
For optimal SMB Direct performance, you can disable SMB Signing. This configuration is less secure and you should only consider this configuration on trustworthy private networks with strict access control.

Fields #

Name	Description
`ServerNameLength` UInt16	—
`ServerName` UnicodeString	—

Event ID 30910 — The client supports SMB Direct (RDMA) and SMB Encryption is in use.

Provider: Microsoft-Windows-SMBClient
Channel: Operational
Opcode: Info

Description

The client supports SMB Direct (RDMA) and SMB Encryption is in use.

Message #

The client supports SMB Direct (RDMA) and SMB Encryption is in use.

Share name: %2

Guidance:
For optimal SMB Direct performance, you can disable SMB Encryption on the server for shares accessed by this client. This configuration is less secure and you should only consider this configuration on trustworthy private networks with strict access control.

Fields #

Name	Description
`ServerNameLength` UInt16	—
`ServerName` UnicodeString	—

Event ID 30911 — The Cipher Suite Order group policy setting is invalid.

Provider: Microsoft-Windows-SMBClient
Channel: Operational
Opcode: Info

Description

The Cipher Suite Order group policy setting is invalid.

Message #

The Cipher Suite Order group policy setting is invalid.

Guidance:

This event indicates that an administrator has configured an invalid value for the "Computer Configuration\Administrative Templates\Network\Lanman Workstation\Cipher Suite Order" group policy setting. The client will use the default cipher suite order "%1" until this error is resolved.

Fields #

Name	Description
`CipherSuiteOrder` UnicodeString	—

Event ID 30912 — The RequireSecureNegotiate setting has been removed.

Provider: Microsoft-Windows-SMBClient
Channel: Operational
Opcode: Info

Description

The RequireSecureNegotiate setting has been removed.

Message #

The RequireSecureNegotiate setting has been removed.

Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters
Registry Value: RequireSecureNegotiate

Guidance:

You should expect this event when an administrator configures the RequireSecureNegotiate setting. Secure negotiate prevents man-in-the-middle attacks against SMB connection establishment. Previous versions of Windows allowed secure negotiate to be disabled. Disabling secure negotiate is no longer allowed. The client removed the setting from the registry. No user action is required.

Event ID 30913 — Server ServerName share ShareName has requested client to use isolated connections to connection to the share.

Provider: Microsoft-Windows-SMBClient
Channel: Operational
Opcode: Info

Description

Server ServerName share ShareName has requested client to use isolated connections to connection to the share. Asymmetric flag AsymmetricFlag. Isolated transport flag IsolatedTransportFlag. NetRoot already use isolated connections IsIsolatedTransportServerEntry.

Message #

Server %2 share %4 has requested client to use isolated connections to connection to the share. Asymmetric flag %5. Isolated transport flag %6. NetRoot already use isolated connections %7.

Fields #

Name	Description
`ServerNameLength` UInt16	—
`ServerName` UnicodeString	—
`ShareNameLength` UInt16	—
`ShareName` UnicodeString	—
`AsymmetricFlag` Boolean	—
`IsolatedTransportFlag` Boolean	—
`IsIsolatedTransportServerEntry` Boolean	—

Event ID 30914 — RDMA rundown is active.

Provider: Microsoft-Windows-SMBClient
Channel: Operational

Description

RDMA rundown is active. Active RDMA-based operations will be wound down. There are currently ActiveRdmaResourceCount active RDMA resources.

Message #

RDMA rundown is active. Active RDMA-based operations will be wound down. There are currently %1 active RDMA resources.

Fields #

Name	Description
`ActiveRdmaResourceCount` UInt32	—

Event ID 30915 — RDMA rundown is complete.

Provider: Microsoft-Windows-SMBClient
Channel: Operational

Description

RDMA rundown is complete. No further RDMA-based operations are allowed. Rundown no-op: NoOp.

Message #

RDMA rundown is complete. No further RDMA-based operations are allowed. Rundown no-op: %1.

Fields #

Name	Description
`NoOp` Boolean	—

Event ID 30916 — Reactivation of RDMA support has commenced.

Provider: Microsoft-Windows-SMBClient
Channel: Operational

Description

Reactivation of RDMA support has commenced.

Message #

Reactivation of RDMA support has commenced.

Event ID 30917 — RDMA is no longer disabled.

Provider: Microsoft-Windows-SMBClient
Channel: Operational

Description

RDMA is no longer disabled. RDMA-based operations can proceed, given hardware capabilities and OS policy. No-op: NoOp.

Message #

RDMA is no longer disabled. RDMA-based operations can proceed, given hardware capabilities and OS policy. No-op: %1.

Fields #

Name	Description
`NoOp` Boolean	—

Event ID 30918 — SMBDirect load attempt complete.

Provider: Microsoft-Windows-SMBClient
Channel: Operational

Description

SMBDirect load attempt complete.

Message #

SMBDirect load attempt complete.

Success: %1
Status code: %2
Service path: %4

Fields #

Name	Description
`IsSuccess` Boolean	—
`LoadStatus` HexInt32	—
`ServicePathLength` UInt16	—
`ServicePath` UnicodeString	—
`DeviceNameLength` UInt16	—
`DeviceName` UnicodeString	—

Event ID 30950 — Component capabilities: ComponentCapabilities.

Provider: Microsoft-Windows-SMBClient
Channel: Operational

Description

Component capabilities: ComponentCapabilities.

Message #

Component capabilities: %1
Internal patch number: %2

Fields #

Name	Description
`ComponentCapabilities` HexInt32	—
`PatchNumber` HexInt32	—

Event ID 30951 — The alternative port PortNumber is not a valid port within the range 0 to 65535 for mapping name ServerName:TransportName.

Provider: Microsoft-Windows-SMBClient
Channel: Operational

Description

The alternative port PortNumber is not a valid port within the range 0 to 65535 for mapping name ServerName:TransportName.

Message #

The alternative port %1 is not a valid port within the range 0 to 65535 for mapping name %3:%5.

Fields #

Name	Description
`PortNumber` UInt32	—
`ServerNameLength` UInt16	—
`ServerName` UnicodeString	—
`TransportNameLength` UInt16	—
`TransportName` UnicodeString	—

Event ID 30952 — The SMB redirector did not select the connection initiated with the following parameters.

Provider: Microsoft-Windows-SMBClient
Channel: Operational

Description

The SMB redirector did not select the connection initiated with the following parameters.

Message #

The SMB redirector did not select the connection initiated with the following parameters:

Server name: %2
IP Address: %5
Transport: %3
Instance Name:%7
Port Origin: %8

The failure status associated with this decision: %9

Fields #

Name	Description
`ServerNameLength` UInt16	—
`ServerName` UnicodeString	—
`ConnectionType` UInt32	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`InstanceNameLength` UInt16	—
`InstanceName` UnicodeString	—
`PortSelectionOrigin` UInt32	—
`Status` HexInt32	— NTSTATUS reference

Event ID 30953 — SMB Dialect Change.

Provider: Microsoft-Windows-SMBClient
Channel: Operational

Description

SMB Dialect Change.

Message #

SMB Dialect Change

%1 was changed from %2 to %3.

Fields #

Name	Description
`SmbDialect` UnicodeString	—
`OldDialect` HexInt32	—
`NewDialect` HexInt32	—

Event ID 30954 — It took CallDuration secs to execute FunctionName.

Provider: Microsoft-Windows-SMBClient
Channel: HelperClassDiagnostic

Description

It took CallDuration secs to execute FunctionName.

Message #

It took %2 secs to execute %1.

Fields #

Name	Description
`FunctionName` UInt32	—
`CallDuration` Int32	—
`ThresholdDuration` Int32	—

Event ID 30955 — It took CallDuration secs to execute FunctionName which is longer than threshold of ThresholdDuration secs.

Provider: Microsoft-Windows-SMBClient
Channel: Operational

Description

It took CallDuration secs to execute FunctionName which is longer than threshold of ThresholdDuration secs. This warning is because FunctionName is taking longer than expected.

Message #

It took %2 secs to execute %1 which is longer than threshold of %3 secs. This warning is because %1 is taking longer than expected.

Fields #

Name	Description
`FunctionName` UInt32	—
`CallDuration` Int32	—
`ThresholdDuration` Int32	—

Event ID 31000 — Reason.

Provider: Microsoft-Windows-SMBClient
Channel: Security
Opcode: Info

Message #

%1.

Error: %2

Security status: %3
User name: %10
Logon ID: %4
Serrver name: %6

Fields #

Name	Description
`Reason` UInt32	—
`Status` UInt32	— NTSTATUS reference
`SecurityStatus` UInt32	—
`LogonId` UInt64	—
`ServerNameLength` UInt16	—
`ServerName` UnicodeString	—
`PrincipalNameLength` UInt16	—
`PrincipalName` UnicodeString	—
`UserNameLength` UInt16	—
`UserName` UnicodeString	—

Event ID 31001 — Reason.

Provider: Microsoft-Windows-SMBClient
Channel: Security
Level: Error
Opcode: Info

Message #

%1.

Error: %2

Security status: %3
User name: %10
Logon ID: %4
Server name: %6
Principal name: %8

Fields #

Name	Description
`Reason` UInt32	—
`Status` UInt32	— NTSTATUS reference
`SecurityStatus` UInt32	—
`LogonId` UInt64	—
`ServerNameLength` UInt16	—
`ServerName` UnicodeString	—
`PrincipalNameLength` UInt16	—
`PrincipalName` UnicodeString	—
`UserNameLength` UInt16	—
`UserName` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-SMBClient",
    "guid": "988C59C5-0A1C-45B6-A555-0C62276E327D",
    "event_source_name": "",
    "event_id": 31001,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": 144115188075856000,
    "time_created": "2026-02-18T21:49:45.360595+00:00",
    "event_record_id": 101,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 1456
    },
    "channel": "Microsoft-Windows-SmbClient/Security",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Reason": 10,
    "Status": 3221225779,
    "SecurityStatus": 3221225779,
    "LogonId": 999,
    "ServerNameLength": 13,
    "ServerName": "\\LAB-DC01",
    "PrincipalNameLength": 17,
    "PrincipalName": "cifs/LAB-DC01",
    "UserNameLength": 0,
    "UserName": ""
  },
  "message": ""
}

Event ID 31002 — The outbound authentication failed using a network token.

Provider: Microsoft-Windows-SMBClient
Channel: Security
Opcode: Info

Description

The outbound authentication failed using a network token.

Message #

The outbound authentication failed using a network token.

Error: %2

Server name: %4

Guidance:
This typically indicates that delegation must be configured for a Kerberos double-hop scenario. If delegation is configured, confirm that the services are configured correctly on the middle-tier server.

Fields #

Name	Description
`Reason` UInt32	—
`Status` UInt32	— NTSTATUS reference
`ServerNameLength` UInt16	—
`ServerName` UnicodeString	—

Event ID 31003 — The LmCompatibilityLevel value is different from the default.

Provider: Microsoft-Windows-SMBClient
Channel: Security
Level: Warning
Opcode: Info

Description

The LmCompatibilityLevel value is different from the default.

Message #

The LmCompatibilityLevel value is different from the default.

Configured LM Compatibility Level: %2
Default LM Compatibility Level: 3

Guidance:
LAN Manager (LM) authentication is the protocol used to authenticate Windows clients for network operations. This includes joining a domain, accessing network resources, and authenticating users or computers. This determines which challenge/response authentication protocol is negotiated between the client and the server computers. Specifically, the LM authentication level determines which authentication protocols the client will try to negotiate or the server will accept. The value set for LmCompatibilityLevel determines which challenge/response authentication protocol is used for network logons. This value affects the level of authentication protocol that clients use, the level of session security negotiated, and the level of authentication accepted by servers.

Value (Setting) - Description

0 (Send LM & NTLM responses) - Clients use LM and NTLM authentication and never use NTLMv2 session security. Domain controllers accept LM, NTLM, and NTLMv2 authentication.

1 (Send LM & NTLM - use NTLMv2 session security if negotiated) - Clients use LM and NTLM authentication, and use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.

2 (Send NTLM response only) - Clients use NTLM authentication only and use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.

3 (Send NTLM v2 response only) - Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.

4 (Send NTLMv2 response only/refuse LM) - Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it. Domain controllers refuse LM and accept only NTLM and NTLMv2 authentication.

5 (Send NTLM v2 response only/refuse LM & NTLM) - Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it. Domain controllers refuse LM and NTLM and accept only NTLMv2 authentication.

Incompatibly configured  LmCompatibility levels between a client and server (such as 0 on a client and 5 on a server) prevent access to the server. Non-Microsoft clients and servers also provide these configuration settings.

Fields #

Name	Description
`RegName` UnicodeString	—
`RegValue` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-SMBClient",
    "guid": "988C59C5-0A1C-45B6-A555-0C62276E327D",
    "event_source_name": "",
    "event_id": 31003,
    "version": 0,
    "level": 3,
    "task": 0,
    "opcode": 0,
    "keywords": 144115188075856000,
    "time_created": "2026-03-14T00:02:38.010007+00:00",
    "event_record_id": 15,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 992
    },
    "channel": "Microsoft-Windows-SmbClient/Security",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "RegName": "LMCompatibilityLevel",
    "RegValue": 5
  },
  "message": ""
}

Event ID 31010 — The SMB client failed to connect to the share.

Provider: Microsoft-Windows-SMBClient
Channel: Security
Level: Error
Opcode: Info

Description

The SMB client failed to connect to the share.

Message #

The SMB client failed to connect to the share.

Error: %2

Path: %4%6

Fields #

Name	Description
`Reason` UInt32	—
`Status` UInt32	— NTSTATUS reference
`ShareNameLength` UInt16	—
`ShareName` UnicodeString	—
`ObjectNameLength` UInt16	—
`ObjectName` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-SMBClient",
    "guid": "988C59C5-0A1C-45B6-A555-0C62276E327D",
    "event_source_name": "",
    "event_id": 31010,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": 144115188075856128,
    "time_created": "2026-03-13T17:13:50.805757+00:00",
    "event_record_id": 1,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Microsoft-Windows-SmbClient/Security",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Reason": 12,
    "Status": 3221225506,
    "ShareNameLength": 14,
    "ShareName": "\\10.2.10.21\\C$",
    "ObjectNameLength": 0,
    "ObjectName": ""
  },
  "message": ""
}

Event ID 31012 — The negotiate validation failed.

Provider: Microsoft-Windows-SMBClient
Channel: Security
Opcode: Info

Description

The negotiate validation failed.

Message #

The negotiate validation failed.

From negotiate response:
Dialect: %1
SecurityMode: %2
Capabilities: %3
ServerGuid: %4

From FSCTL_VALIDATE_NEGOTIATE_INFO response:
Dialect: %5
SecurityMode: %6
Capabilities: %7
ServerGuid: %8

Guidance:
The client successfully negotiated SMB dialect, security mode, capabilities and server GUID with the server, but the validation of these values then failed after connecting to a share. This may be due to a "adversary-in-the-middle" compromise attempt.

Fields #

Name	Description
`Dialect` UInt16	—
`SecurityMode` UInt16	—
`Capabilities` UInt32	—
`Guid` GUID	—
`Dialect2` UInt16	—
`SecurityMode2` UInt16	—
`Capabilities2` UInt32	—
`Guid2` GUID	—

Event ID 31013 — The signing validation failed.

Provider: Microsoft-Windows-SMBClient
Channel: Security
Opcode: Info

Description

The signing validation failed.

Message #

The signing validation failed.

Error:%7

Server name: %6
Session ID:%3
Tree ID:%4
Message ID:%2
Command: %1

Guidance:
This error indicates that SMB messages are being modified in transit across the network from the server to the client. This may be due to the session ending on the server, a problem with the network, a problem with a third-party SMB server, or a "adversary-in-the-middle" compromise attempt.

PacketFragment:%9

Fields #

Name	Description
`Smb2Command` UInt16	—
`MessageId` UInt64	—
`SessionId` UInt64	—
`TreeId` UInt32	—
`ServerNameLength` UInt16	—
`ServerName` UnicodeString	—
`Status` UInt32	— NTSTATUS reference
`MessageSize` UInt32	—
`FragmentOffset` UInt32	—
`FragmentSize` UInt32	—
`FragmentData` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—

Event ID 31014 — The client received an unencrypted message when encryption was expected.

Provider: Microsoft-Windows-SMBClient
Channel: Security
Opcode: Info

Description

The client received an unencrypted message when encryption was expected.

Message #

The client received an unencrypted message when encryption was expected.

Server name: %6
Session ID:%3
Tree ID:%4
Message ID:%2
Command: %1
Instance Name: %9

Guidance:
This error indicates that SMB messages are being modified in transit across the network from the server to the client. This may be due to the session ending on the server, a problem with the network, a problem with a third-party SMB server, or a "adversary-in-the-middle" compromise attempt.

Fields #

Name	Description
`Smb2Command` UInt16	—
`MessageId` UInt64	—
`SessionId` UInt64	—
`TreeId` UInt32	—
`ServerNameLength` UInt16	—
`ServerName` UnicodeString	—
`Status` UInt32	— NTSTATUS reference
`InstanceNameLength` UInt16	—
`InstanceName` UnicodeString	—
`RetryCount` UInt32	—
`ElapsedTimeInMs` UInt32	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—

Event ID 31015 — Failed to decrypt an encrypted SMB message.

Provider: Microsoft-Windows-SMBClient
Channel: Security
Opcode: Info

Description

Failed to decrypt an encrypted SMB message.

Message #

Failed to decrypt an encrypted SMB message.

Error:%7

Server name: %6
Session ID:%3
Instance Name: %9

Guidance:
The client received an encrypted SMB message but cannot decrypt the data. This typically means that the communication came from a previous session that no longer exists. The encryption header may also have been damaged or tampered with on the network between the client and server.

Fields #

Name	Description
`Smb2Command` UInt16	—
`MessageId` UInt64	—
`SessionId` UInt64	—
`TreeId` UInt32	—
`ServerNameLength` UInt16	—
`ServerName` UnicodeString	—
`Status` UInt32	— NTSTATUS reference
`InstanceNameLength` UInt16	—
`InstanceName` UnicodeString	—
`RetryCount` UInt32	—
`ElapsedTimeInMs` UInt32	—

Event ID 31016 — The SMB Signing registry value is not configured with default settings.

Provider: Microsoft-Windows-SMBClient
Channel: Security
Opcode: Info

Description

The SMB Signing registry value is not configured with default settings.

Message #

The SMB Signing registry value is not configured with default settings.

Default Registry Value:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters]
"EnableSecuritySignature"=dword:1
Configured Registry Value:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters]
"EnableSecuritySignature"=dword:0

Guidance:
Even though you can disable, enable, or require SMB Signing, the negotiation rules changed starting with SMB2 and not all combinations operate like SMB1.

The effective behavior for SMB2/SMB3 is:
Client Required and Server Required = Signed
Client Not Required and Server Required = Signed
Server Required and Client Not Required = Signed
Server Not Required and Client Not Required = Not Signed

When requiring SMB Encryption, SMB Signing is not used, regardless of settings. SMB Encryption implicitly provides the same integrity guarantees as SMB Signing.

Fields #

Name	Description
`RegName` UnicodeString	—
`RegValue` UInt32	—

Event ID 31017 — Rejected an insecure guest logon.

Provider: Microsoft-Windows-SMBClient
Channel: Security
Opcode: Info

Description

Rejected an insecure guest logon.

Message #

Rejected an insecure guest logon.

User name: %2
Server name: %4

Guidance:
This event indicates that the server attempted to log the user on as an unauthenticated guest and was denied by the client. Guest logons do not support standard security features such as signing and encryption. As a result, guest logons are vulnerable to man-in-the-middle attacks that can expose sensitive data on the network. Windows disables insecure guest logons by default. Microsoft does not recommend enabling insecure guest logons.

Fields #

Name	Description
`UserNameLength` UInt16	—
`UserName` UnicodeString	—
`ServerNameLength` UInt16	—
`ServerName` UnicodeString	—

Event ID 31018 — Guidance: An administrator has enabled AllowInsecureGuestAuth.

Provider: Microsoft-Windows-SMBClient
Channel: Security
Opcode: Info

Description

Guidance: An administrator has enabled AllowInsecureGuestAuth. Clients using insecure guest logons are more vulnerable to attackers-in-the-middle, phishing, and malware.

Message #

Guidance: An administrator has enabled AllowInsecureGuestAuth. Clients using insecure guest logons are more vulnerable to attackers-in-the-middle, phishing, and malware.

Fields #

Name	Description
`RegName` UnicodeString	—
`RegValue` UInt32	—

Event ID 31019 — Mutual authentication was unexpectedly lost after re-authenticating to ServerName.

Provider: Microsoft-Windows-SMBClient
Channel: Security
Opcode: Info

Description

Mutual authentication was unexpectedly lost after re-authenticating to ServerName.

Message #

Mutual authentication was unexpectedly lost after re-authenticating to %6
User %8
LogonID %4
Status %2
 AuthProtocol Old %9  New %10
MutualAuthState Old %11 New %12
Clustered %13

Fields #

Name	Description
`Reason` UInt32	—
`Status` UInt32	— NTSTATUS reference
`SecurityStatus` UInt32	—
`LogonId` UInt64	—
`ServerNameLength` UInt16	—
`ServerName` UnicodeString	—
`UserNameLength` UInt16	—
`UserName` UnicodeString	—
`OldAuthProtocolId` UInt16	—
`NewAuthProtocolId` UInt16	—
`OldMutualAuthState` Boolean	—
`NewMutualAuthState` Boolean	—
`ClusteredServer` Boolean	—

Event ID 31020 — Session key for connection is weaker than required.

Provider: Microsoft-Windows-SMBClient
Channel: Security
Opcode: Info

Description

Session key for connection is weaker than required. Connection will be closed as a result.

Message #

Session key for connection is weaker than required. Connection will be closed as a result.

Server: %2
User: %6
Session key length: %3
Required Session key length: %4

Guidance:
To establish a connection with a shorter session key, set the following registry DWORD value name with the value as decimal bits:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters]
"MinimumSessionKeyLength"

Important: If you have configured the 'Network security: Configure encryption types allowed for Kerberos' security policy to prevent use of 256-bit keys but also set the MinimumSessionKeyLength greater than 128 bits, the computer will not be able to make SMB connections. Setting MinimumSessionKeyLength higher than 128 bits will also prevent SMB connections using NTLM.

Fields #

Name	Description
`ServerNameLength` UInt16	—
`ServerName` UnicodeString	—
`SessionKeyLength` UInt32	—
`RequiredSessionKeyLength` UInt32	—
`SessionId` UInt64	—
`UserName` UnicodeString	—
`AuthProtocol` UInt32	—

Event ID 31021 — SMB DDP security changed from OldValue to NewValue.

Provider: Microsoft-Windows-SMBClient
Channel: Security

Description

SMB DDP security changed from OldValue to NewValue.

Message #

SMB DDP security changed from %1 to %2.

Fields #

Name	Description
`OldValue` UInt32	—
`NewValue` UInt32	—

Event ID 31022 — Allowed an insecure guest logon.

Provider: Microsoft-Windows-SMBClient
Channel: Security

Description

Allowed an insecure guest logon.

Message #

Allowed an insecure guest logon.

User name: %2
Server name: %4

Guidance:
This event indicates that the server attempted to log the user on as an unauthenticated guest and was allowed by the client.

Fields #

Name	Description
`UserNameLength` UInt16	—
`UserName` UnicodeString	—
`ServerNameLength` UInt16	—
`ServerName` UnicodeString	—

Event ID 31023 — NTLM is prohibited for authentication on the server.

Provider: Microsoft-Windows-SMBClient
Channel: Security

Description

NTLM is prohibited for authentication on the server.

Message #

NTLM is prohibited for authentication on the server 

Server name: %2

 NTLM was disabled by user or by administrator using policies. For more information: https://go.microsoft.com/fwlink/?linkid=2267451.

Fields #

Name	Description
`ServerNameLength` UInt16	—
`ServerName` UnicodeString	—

Event ID 31997 — The SMB client was logged on as Guest account.

Provider: Microsoft-Windows-SMBClient
Channel: Audit

Description

The SMB client was logged on as Guest account.

Message #

The SMB client was logged on as Guest account.

Server name: %2

Fields #

Name	Description
`ServerNameLength` UInt16	—
`ServerName` UnicodeString	—

Event ID 31998 — The SMB client observed that the server doesn't support signing.

Provider: Microsoft-Windows-SMBClient
Channel: Audit

Description

The SMB client observed that the server doesn't support signing.

Message #

The SMB client observed that the server doesn't support signing.

Server name: %2
Client requires signing: %3

Fields #

Name	Description
`ServerNameLength` UInt16	—
`ServerName` UnicodeString	—
`ClientRequireSigning` Boolean	—

Event ID 31999 — The SMB client observed that the server doesn't support encryption.

Provider: Microsoft-Windows-SMBClient
Channel: Audit

Description

The SMB client observed that the server doesn't support encryption.

Message #

The SMB client observed that the server doesn't support encryption.

Server name: %2
Client requires encyption: %3

Fields #

Name	Description
`ServerNameLength` UInt16	—
`ServerName` UnicodeString	—
`ClientRequireEncryption` Boolean	—

Event ID 32000 — SMB1 negotiate response received from remote device when SMB1 cannot be negotiated by the local computer.

Provider: Microsoft-Windows-SMBClient
Channel: Audit
Opcode: Info

Description

SMB1 negotiate response received from remote device when SMB1 cannot be negotiated by the local computer.

Message #

SMB1 negotiate response received from remote device when SMB1 cannot be negotiated by the local computer. 

Dialect: %1

 Server name: %3

 Guidance:
The client has SMB1 disabled or uninstalled. For more information: https://go.microsoft.com/fwlink/?linkid=852747.

Fields #

Name	Description
`Reason` UInt32	—
`Dialect` UInt16	—
`ServerNameLength` UInt16	—
`ServerName` UnicodeString	—

Event ID 32002 — The local computer received an SMB1 negotiate response.

Provider: Microsoft-Windows-SMBClient
Channel: Audit
Opcode: Info

Description

The local computer received an SMB1 negotiate response.

Message #

The local computer received an SMB1 negotiate response.

Dialect: %2

 SecurityMode %3

 Server name: %5

 Guidance:
 SMB1 is deprecated and should not be installed nor enabled. For more information, see https://go.microsoft.com/fwlink/?linkid=852747.

Fields #

Name	Description
`Reason` UInt32	—
`Dialect` UInt16	—
`SecurityMode` UInt16	—
`ServerNameLength` UInt16	—
`ServerName` UnicodeString	—

Event ID 32003 — The local computer didn't received an SMB1 negotiate response in the last Days days.

Provider: Microsoft-Windows-SMBClient
Channel: Audit
Opcode: Info

Description

The local computer didn't received an SMB1 negotiate response in the last Days days.n.

Message #

The local computer didn't received an SMB1 negotiate response in the last %1 days.n
Guidance:

This event indicates that after detecting no attempts to contact this computer via the SMB1 protocol for %1 online days, the SMB1 Client service was automatically uninstalled. The computer must be restarted for SMB1 removal to take effect.

Fields #

Name	Description
`Days` UInt32	—

Event ID 32004 — SMB2 rxcontext performance work started

Provider: Microsoft-Windows-SMBClient
Channel: Analytic

Description

SMB2 rxcontext performance work started.

Message #

SMB2 rxcontext performance work started

Fields #

Name	Description
`RxContext` UInt64	—
`FileNameLength` UInt16	—
`FileName` UnicodeString	—
`MajorFunction` UInt8	—
`MinorFunction` UInt8	—

Event ID 32005 — SMB2 exchange performance work started

Provider: Microsoft-Windows-SMBClient
Channel: Analytic

Description

SMB2 exchange performance work started.

Message #

SMB2 exchange performance work started

Fields #

Name	Description
`Exchange` UInt64	—
`MajorFunction` UInt8	—
`MinorFunction` UInt8	—

Event ID 32006 — SMB2 buffer context performance work started

Provider: Microsoft-Windows-SMBClient
Channel: Analytic

Description

SMB2 buffer context performance work started.

Message #

SMB2 buffer context performance work started

Fields #

Name	Description
`BufferContext` UInt64	—
`MajorFunction` UInt8	—
`MinorFunction` UInt8	—
`Smb2Command` UInt16	—

Event ID 32007 — SMB2 performance work transition

Provider: Microsoft-Windows-SMBClient
Channel: Analytic

Description

SMB2 performance work transition.

Message #

SMB2 performance work transition

Fields #

Name	Description
`BlockType` UInt32	—

Event ID 32008 — SMB2 rxcontext performance work read summary

Provider: Microsoft-Windows-SMBClient
Channel: Analytic

Description

SMB2 rxcontext performance work read summary.

Message #

SMB2 rxcontext performance work read summary

Fields #

Name	Description
`RxContext` UInt64	—
`InstanceId` UInt8	—
`FileObject` UInt64	—
`IRP` UInt64	—
`ByteCount` UInt64	—
`TotalDuration` UInt64	—
`Construction` UInt64	—
`HitCountConstruction` UInt64	—
`DispatchProcessing` UInt64	—
`HitCountDispatchProcessing` UInt64	—
`ReadProcessing` UInt64	—
`HitCountReadProcessing` UInt64	—
`CallMiniRdr_MRXSMB` UInt64	—
`HitCountCallMiniRdr_MRXSMB` UInt64	—
`LowIoCompletionRoutine` UInt64	—
`HitCountLowIoCompletionRoutine` UInt64	—
`CompleteIRP` UInt64	—
`HitCountCompleteIRP` UInt64	—
`PostIOCompletion` UInt64	—
`HitCountPostIOCompletion` UInt64	—
`PostIORetry` UInt64	—
`HitCountPostIORetry` UInt64	—
`AttemptTurboIORead` UInt64	—
`HitCountAttemptTurboIORead` UInt64	—
`AttemptTurboIOInit` UInt64	—
`HitCountAttemptTurboIOInit` UInt64	—
`TurboIORxCompletion` UInt64	—
`HitCountTurboIORxCompletion` UInt64	—

Event ID 32009 — SMB2 rxcontext performance work write summary

Provider: Microsoft-Windows-SMBClient
Channel: Analytic

Description

SMB2 rxcontext performance work write summary.

Message #

SMB2 rxcontext performance work write summary

Fields #

Name	Description
`RxContext` UInt64	—
`InstanceId` UInt8	—
`FileObject` UInt64	—
`IRP` UInt64	—
`ByteCount` UInt64	—
`TotalDuration` UInt64	—
`Construction` UInt64	—
`HitCountConstruction` UInt64	—
`DispatchProcessing` UInt64	—
`HitCountDispatchProcessing` UInt64	—
`WriteProcessing` UInt64	—
`HitCountWriteProcessing` UInt64	—
`CallMiniRdr_MRXSMB` UInt64	—
`HitCountCallMiniRdr_MRXSMB` UInt64	—
`LowIoCompletionRoutine` UInt64	—
`HitCountLowIoCompletionRoutine` UInt64	—
`CompleteIRP` UInt64	—
`HitCountCompleteIRP` UInt64	—
`PostIOCompletion` UInt64	—
`HitCountPostIOCompletion` UInt64	—
`PostIORetry` UInt64	—
`HitCountPostIORetry` UInt64	—
`AttemptTurboIOWrite` UInt64	—
`HitCountAttemptTurboIOWrite` UInt64	—
`AttemptTurboIOInit` UInt64	—
`HitCountAttemptTurboIOInit` UInt64	—
`TurboIORxCompletion` UInt64	—
`HitCountTurboIORxCompletion` UInt64	—

Event ID 32010 — SMB2 rxcontext performance work create summary

Provider: Microsoft-Windows-SMBClient
Channel: Analytic

Description

SMB2 rxcontext performance work create summary.

Message #

SMB2 rxcontext performance work create summary

Fields #

Name	Description
`RxContext` UInt64	—
`InstanceId` UInt8	—
`IRP` UInt64	—
`TotalDuration` UInt64	—
`Construction` UInt64	—
`HitCountConstruction` UInt64	—
`DispatchProcessing` UInt64	—
`HitCountDispatchProcessing` UInt64	—
`CreateProcessing` UInt64	—
`HitCountCreateProcessing` UInt64	—
`CallMiniRdr_MRXSMB` UInt64	—
`HitCountCallMiniRdr_MRXSMB` UInt64	—
`LowIoCompletionRoutine` UInt64	—
`HitCountLowIoCompletionRoutine` UInt64	—
`CompleteIRP` UInt64	—
`HitCountCompleteIRP` UInt64	—
`PostIOCompletion` UInt64	—
`HitCountPostIOCompletion` UInt64	—
`PostIORetry` UInt64	—
`HitCountPostIORetry` UInt64	—

Event ID 32011 — SMB2 rxcontext performance work close summary

Provider: Microsoft-Windows-SMBClient
Channel: Analytic

Description

SMB2 rxcontext performance work close summary.

Message #

SMB2 rxcontext performance work close summary

Fields #

Name	Description
`RxContext` UInt64	—
`InstanceId` UInt8	—
`IRP` UInt64	—
`TotalDuration` UInt64	—
`Construction` UInt64	—
`HitCountConstruction` UInt64	—
`DispatchProcessing` UInt64	—
`HitCountDispatchProcessing` UInt64	—
`CloseProcessing` UInt64	—
`HitCountCloseProcessing` UInt64	—
`CallMiniRdr_MRXSMB` UInt64	—
`HitCountCallMiniRdr_MRXSMB` UInt64	—
`LowIoCompletionRoutine` UInt64	—
`HitCountLowIoCompletionRoutine` UInt64	—
`CompleteIRP` UInt64	—
`HitCountCompleteIRP` UInt64	—
`PostIOCompletion` UInt64	—
`HitCountPostIOCompletion` UInt64	—
`PostIORetry` UInt64	—
`HitCountPostIORetry` UInt64	—

Event ID 32012 — SMB2 rxcontext performance work query directory summary

Provider: Microsoft-Windows-SMBClient
Channel: Analytic

Description

SMB2 rxcontext performance work query directory summary.

Message #

SMB2 rxcontext performance work query directory summary

Fields #

Name	Description
`RxContext` UInt64	—
`InstanceId` UInt8	—
`IRP` UInt64	—
`TotalDuration` UInt64	—
`Construction` UInt64	—
`HitCountConstruction` UInt64	—
`DispatchProcessing` UInt64	—
`HitCountDispatchProcessing` UInt64	—
`QueryDirectoryProcessing` UInt64	—
`HitCountQueryDirectoryProcessing` UInt64	—
`CallMiniRdr_MRXSMB` UInt64	—
`HitCountCallMiniRdr_MRXSMB` UInt64	—
`LowIoCompletionRoutine` UInt64	—
`HitCountLowIoCompletionRoutine` UInt64	—
`CompleteIRP` UInt64	—
`HitCountCompleteIRP` UInt64	—
`PostIOCompletion` UInt64	—
`HitCountPostIOCompletion` UInt64	—
`PostIORetry` UInt64	—
`HitCountPostIORetry` UInt64	—

Event ID 32013 — SMB2 rxcontext performance work fsctl summary

Provider: Microsoft-Windows-SMBClient
Channel: Analytic

Description

SMB2 rxcontext performance work fsctl summary.

Message #

SMB2 rxcontext performance work fsctl summary

Fields #

Name	Description
`RxContext` UInt64	—
`InstanceId` UInt8	—
`IRP` UInt64	—
`TotalDuration` UInt64	—
`Construction` UInt64	—
`HitCountConstruction` UInt64	—
`DispatchProcessing` UInt64	—
`HitCountDispatchProcessing` UInt64	—
`FsctlProcessing` UInt64	—
`HitCountFsctlProcessing` UInt64	—
`CallMiniRdr_MRXSMB` UInt64	—
`HitCountCallMiniRdr_MRXSMB` UInt64	—
`LowIoCompletionRoutine` UInt64	—
`HitCountLowIoCompletionRoutine` UInt64	—
`CompleteIRP` UInt64	—
`HitCountCompleteIRP` UInt64	—
`PostIOCompletion` UInt64	—
`HitCountPostIOCompletion` UInt64	—
`PostIORetry` UInt64	—
`HitCountPostIORetry` UInt64	—

Event ID 32028 — SMB2 exchange performance work read summary

Provider: Microsoft-Windows-SMBClient
Channel: Analytic

Description

SMB2 exchange performance work read summary.

Message #

SMB2 exchange performance work read summary

Fields #

Name	Description
`Exchange` UInt64	—
`RxContext` UInt64	—
`ByteCount` UInt64	—
`InstanceId` UInt8	—
`TotalDuration` UInt64	—
`RestartCount` UInt64	—
`ResolvingConnectionObjects` UInt64	—
`HitCountResolvingConnectionObjects` UInt64	—
`CommandProcessing` UInt64	—
`HitCountCommandProcessing` UInt64	—
`ReadStart` UInt64	—
`HitCountReadStart` UInt64	—
`ReadBuildAndSendChunks` UInt64	—
`HitCountReadBuildAndSendChunks` UInt64	—
`CommandFinalizationCallback` UInt64	—
`HitCountCommandFinalizationCallback` UInt64	—
`Finalize` UInt64	—
`HitCountFinalize` UInt64	—
`PostFinalizeWorker` UInt64	—
`HitCountPostFinalizeWorker` UInt64	—
`FinalizeWorkerHitCount` UInt64	—
`HitCountFinalizeWorkerHitCount` UInt64	—
`TurboIOStart` UInt64	—
`HitCountTurboIOStart` UInt64	—
`TurboIOComplete` UInt64	—
`HitCountTurboIOComplete` UInt64	—

Event ID 32029 — SMB2 exchange performance work write summary

Provider: Microsoft-Windows-SMBClient
Channel: Analytic

Description

SMB2 exchange performance work write summary.

Message #

SMB2 exchange performance work write summary

Fields #

Name	Description
`Exchange` UInt64	—
`RxContext` UInt64	—
`ByteCount` UInt64	—
`InstanceId` UInt8	—
`TotalDuration` UInt64	—
`RestartCount` UInt64	—
`ResolvingConnectionObjects` UInt64	—
`HitCountResolvingConnectionObjects` UInt64	—
`CommandProcessing` UInt64	—
`HitCountCommandProcessing` UInt64	—
`WriteStart` UInt64	—
`HitCountWriteStart` UInt64	—
`WriteBuildAndSendChunks` UInt64	—
`HitCountWriteBuildAndSendChunks` UInt64	—
`CommandFinalizationCallback` UInt64	—
`HitCountCommandFinalizationCallback` UInt64	—
`Finalize` UInt64	—
`HitCountFinalize` UInt64	—
`PostFinalizeWorker` UInt64	—
`HitCountPostFinalizeWorker` UInt64	—
`FinalizeWorkerHitCount` UInt64	—
`HitCountFinalizeWorkerHitCount` UInt64	—
`TurboIOStart` UInt64	—
`HitCountTurboIOStart` UInt64	—
`TurboIOComplete` UInt64	—
`HitCountTurboIOComplete` UInt64	—

Event ID 32030 — SMB2 exchange performance work create summary

Provider: Microsoft-Windows-SMBClient
Channel: Analytic

Description

SMB2 exchange performance work create summary.

Message #

SMB2 exchange performance work create summary

Fields #

Name	Description
`Exchange` UInt64	—
`InstanceId` UInt8	—
`TotalDuration` UInt64	—
`RestartCount` UInt64	—
`ResolvingConnectionObjects` UInt64	—
`HitCountResolvingConnectionObjects` UInt64	—
`CommandProcessing` UInt64	—
`HitCountCommandProcessing` UInt64	—
`CreateStart` UInt64	—
`HitCountCreateStart` UInt64	—
`CommandFinalizationCallback` UInt64	—
`HitCountCommandFinalizationCallback` UInt64	—
`Finalize` UInt64	—
`HitCountFinalize` UInt64	—
`PostFinalizeWorker` UInt64	—
`HitCountPostFinalizeWorker` UInt64	—
`FinalizeWorkerHitCount` UInt64	—
`HitCountFinalizeWorkerHitCount` UInt64	—

Event ID 32031 — SMB2 exchange performance work close summary

Provider: Microsoft-Windows-SMBClient
Channel: Analytic

Description

SMB2 exchange performance work close summary.

Message #

SMB2 exchange performance work close summary

Fields #

Name	Description
`Exchange` UInt64	—
`InstanceId` UInt8	—
`TotalDuration` UInt64	—
`RestartCount` UInt64	—
`ResolvingConnectionObjects` UInt64	—
`HitCountResolvingConnectionObjects` UInt64	—
`CommandProcessing` UInt64	—
`HitCountCommandProcessing` UInt64	—
`CloseStart` UInt64	—
`HitCountCloseStart` UInt64	—
`CommandFinalizationCallback` UInt64	—
`HitCountCommandFinalizationCallback` UInt64	—
`Finalize` UInt64	—
`HitCountFinalize` UInt64	—
`PostFinalizeWorker` UInt64	—
`HitCountPostFinalizeWorker` UInt64	—
`FinalizeWorkerHitCount` UInt64	—
`HitCountFinalizeWorkerHitCount` UInt64	—

Event ID 32032 — SMB2 exchange performance work query directory summary

Provider: Microsoft-Windows-SMBClient
Channel: Analytic

Description

SMB2 exchange performance work query directory summary.

Message #

SMB2 exchange performance work query directory summary

Fields #

Name	Description
`Exchange` UInt64	—
`InstanceId` UInt8	—
`TotalDuration` UInt64	—
`RestartCount` UInt64	—
`ResolvingConnectionObjects` UInt64	—
`HitCountResolvingConnectionObjects` UInt64	—
`CommandProcessing` UInt64	—
`HitCountCommandProcessing` UInt64	—
`QueryDirectoryStart` UInt64	—
`HitCountQueryDirectoryStart` UInt64	—
`CommandFinalizationCallback` UInt64	—
`HitCountCommandFinalizationCallback` UInt64	—
`Finalize` UInt64	—
`HitCountFinalize` UInt64	—
`PostFinalizeWorker` UInt64	—
`HitCountPostFinalizeWorker` UInt64	—
`FinalizeWorkerHitCount` UInt64	—
`HitCountFinalizeWorkerHitCount` UInt64	—

Event ID 32033 — SMB2 exchange performance work fsctl summary

Provider: Microsoft-Windows-SMBClient
Channel: Analytic

Description

SMB2 exchange performance work fsctl summary.

Message #

SMB2 exchange performance work fsctl summary

Fields #

Name	Description
`Exchange` UInt64	—
`InstanceId` UInt8	—
`TotalDuration` UInt64	—
`RestartCount` UInt64	—
`ResolvingConnectionObjects` UInt64	—
`HitCountResolvingConnectionObjects` UInt64	—
`CommandProcessing` UInt64	—
`HitCountCommandProcessing` UInt64	—
`FsctlStart` UInt64	—
`HitCountFsctlStart` UInt64	—
`CommandFinalizationCallback` UInt64	—
`HitCountCommandFinalizationCallback` UInt64	—
`Finalize` UInt64	—
`HitCountFinalize` UInt64	—
`PostFinalizeWorker` UInt64	—
`HitCountPostFinalizeWorker` UInt64	—
`FinalizeWorkerHitCount` UInt64	—
`HitCountFinalizeWorkerHitCount` UInt64	—

Event ID 32048 — SMB2 buffer context performance work read summary

Provider: Microsoft-Windows-SMBClient
Channel: Analytic

Description

SMB2 buffer context performance work read summary.

Message #

SMB2 buffer context performance work read summary

Fields #

Name	Description
`BufferContext` UInt64	—
`Exchange` UInt64	—
`ByteCount` UInt64	—
`InstanceId` UInt8	—
`TotalDuration` UInt64	—
`Initialized` UInt64	—
`HitCountInitialized` UInt64	—
`WriteRDMABufferRegistration` UInt64	—
`HitCountWriteRDMABufferRegistration` UInt64	—
`RDMAGetDescriptors` UInt64	—
`HitCountRDMAGetDescriptors` UInt64	—
`AssociateMID` UInt64	—
`HitCountAssociateMID` UInt64	—
`Assembly` UInt64	—
`HitCountAssembly` UInt64	—
`BeginSmbSend` UInt64	—
`HitCountBeginSmbSend` UInt64	—
`BeginSmbSendAsyncPostWorkerCount` UInt64	—
`HitCountBeginSmbSendAsyncPostWorkerCount` UInt64	—
`SmbdPrepareSend` UInt64	—
`HitCountSmbdPrepareSend` UInt64	—
`ServerTimeTakenToReply` UInt64	—
`HitCountServerTimeTakenToReply` UInt64	—
`ReadReceive` UInt64	—
`HitCountReadReceive` UInt64	—

Event ID 32049 — SMB2 buffer context performance work write summary

Provider: Microsoft-Windows-SMBClient
Channel: Analytic

Description

SMB2 buffer context performance work write summary.

Message #

SMB2 buffer context performance work write summary

Fields #

Name	Description
`BufferContext` UInt64	—
`Exchange` UInt64	—
`ByteCount` UInt64	—
`InstanceId` UInt8	—
`TotalDuration` UInt64	—
`Initialized` UInt64	—
`HitCountInitialized` UInt64	—
`ReadRDMABufferRegistration` UInt64	—
`HitCountReadRDMABufferRegistration` UInt64	—
`RDMAGetDescriptors` UInt64	—
`HitCountRDMAGetDescriptors` UInt64	—
`AssociateMID` UInt64	—
`HitCountAssociateMID` UInt64	—
`Assembly` UInt64	—
`HitCountAssembly` UInt64	—
`BeginSmbSend` UInt64	—
`HitCountBeginSmbSend` UInt64	—
`BeginSmbSendAsyncPostWorkerCount` UInt64	—
`HitCountBeginSmbSendAsyncPostWorkerCount` UInt64	—
`SmbdPrepareSend` UInt64	—
`HitCountSmbdPrepareSend` UInt64	—
`ServerTimeTakenToReply` UInt64	—
`HitCountServerTimeTakenToReply` UInt64	—
`WriteReceive` UInt64	—
`HitCountWriteReceive` UInt64	—

Event ID 32050 — SMB2 buffer context performance work create summary

Provider: Microsoft-Windows-SMBClient
Channel: Analytic

Description

SMB2 buffer context performance work create summary.

Message #

SMB2 buffer context performance work create summary

Fields #

Name	Description
`BufferContext` UInt64	—
`InstanceId` UInt8	—
`TotalDuration` UInt64	—
`Initialized` UInt64	—
`HitCountInitialized` UInt64	—
`RDMAGetDescriptors` UInt64	—
`HitCountRDMAGetDescriptors` UInt64	—
`AssociateMID` UInt64	—
`HitCountAssociateMID` UInt64	—
`Assembly` UInt64	—
`HitCountAssembly` UInt64	—
`BeginSmbSend` UInt64	—
`HitCountBeginSmbSend` UInt64	—
`BeginSmbSendAsyncPostWorkerCount` UInt64	—
`HitCountBeginSmbSendAsyncPostWorkerCount` UInt64	—
`SmbdPrepareSend` UInt64	—
`HitCountSmbdPrepareSend` UInt64	—
`ServerTimeTakenToReply` UInt64	—
`HitCountServerTimeTakenToReply` UInt64	—
`CreateReceive` UInt64	—
`HitCountCreateReceive` UInt64	—

Event ID 32051 — SMB2 buffer context performance work close summary

Provider: Microsoft-Windows-SMBClient
Channel: Analytic

Description

SMB2 buffer context performance work close summary.

Message #

SMB2 buffer context performance work close summary

Fields #

Name	Description
`BufferContext` UInt64	—
`InstanceId` UInt8	—
`TotalDuration` UInt64	—
`Initialized` UInt64	—
`HitCountInitialized` UInt64	—
`RDMAGetDescriptors` UInt64	—
`HitCountRDMAGetDescriptors` UInt64	—
`AssociateMID` UInt64	—
`HitCountAssociateMID` UInt64	—
`Assembly` UInt64	—
`HitCountAssembly` UInt64	—
`BeginSmbSend` UInt64	—
`HitCountBeginSmbSend` UInt64	—
`BeginSmbSendAsyncPostWorkerCount` UInt64	—
`HitCountBeginSmbSendAsyncPostWorkerCount` UInt64	—
`SmbdPrepareSend` UInt64	—
`HitCountSmbdPrepareSend` UInt64	—
`ServerTimeTakenToReply` UInt64	—
`HitCountServerTimeTakenToReply` UInt64	—
`CloseReceive` UInt64	—
`HitCountCloseReceive` UInt64	—

Event ID 32052 — SMB2 buffer context performance work query directory summary

Provider: Microsoft-Windows-SMBClient
Channel: Analytic

Description

SMB2 buffer context performance work query directory summary.

Message #

SMB2 buffer context performance work query directory summary

Fields #

Name	Description
`BufferContext` UInt64	—
`InstanceId` UInt8	—
`TotalDuration` UInt64	—
`Initialized` UInt64	—
`HitCountInitialized` UInt64	—
`RDMAGetDescriptors` UInt64	—
`HitCountRDMAGetDescriptors` UInt64	—
`AssociateMID` UInt64	—
`HitCountAssociateMID` UInt64	—
`Assembly` UInt64	—
`HitCountAssembly` UInt64	—
`BeginSmbSend` UInt64	—
`HitCountBeginSmbSend` UInt64	—
`BeginSmbSendAsyncPostWorkerCount` UInt64	—
`HitCountBeginSmbSendAsyncPostWorkerCount` UInt64	—
`SmbdPrepareSend` UInt64	—
`HitCountSmbdPrepareSend` UInt64	—
`ServerTimeTakenToReply` UInt64	—
`HitCountServerTimeTakenToReply` UInt64	—
`QueryDirectoryReceive` UInt64	—
`HitCountQueryDirectoryReceive` UInt64	—

Event ID 32053 — SMB2 buffer context performance work fsctl summary

Provider: Microsoft-Windows-SMBClient
Channel: Analytic

Description

SMB2 buffer context performance work fsctl summary.

Message #

SMB2 buffer context performance work fsctl summary

Fields #

Name	Description
`BufferContext` UInt64	—
`InstanceId` UInt8	—
`TotalDuration` UInt64	—
`Initialized` UInt64	—
`HitCountInitialized` UInt64	—
`RDMAGetDescriptors` UInt64	—
`HitCountRDMAGetDescriptors` UInt64	—
`AssociateMID` UInt64	—
`HitCountAssociateMID` UInt64	—
`Assembly` UInt64	—
`HitCountAssembly` UInt64	—
`BeginSmbSend` UInt64	—
`HitCountBeginSmbSend` UInt64	—
`BeginSmbSendAsyncPostWorkerCount` UInt64	—
`HitCountBeginSmbSendAsyncPostWorkerCount` UInt64	—
`SmbdPrepareSend` UInt64	—
`HitCountSmbdPrepareSend` UInt64	—
`ServerTimeTakenToReply` UInt64	—
`HitCountServerTimeTakenToReply` UInt64	—
`FsctlReceive` UInt64	—
`HitCountFsctlReceive` UInt64	—

Event ID 32068 — SMB2 FCB capture summary

Provider: Microsoft-Windows-SMBClient
Channel: Analytic

Description

SMB2 FCB capture summary.

Message #

SMB2 FCB capture summary

Fields #

Name	Description
`InstanceId` UInt8	—
`PrefixLength` UInt16	—
`Prefix` UnicodeString	—
`ServerShareLength` UInt16	—
`ServerShare` UnicodeString	—

Event ID 40000 — Packet (PacketSize bytes).

Provider: Microsoft-Windows-SMBClient
Channel: Diagnostic
Opcode: Info

Description

Packet (PacketSize bytes).

Message #

Packet (%4 bytes)

Fields #

Name	Description
`ConnectionType` UInt32	—
`PeerAddressLength` UInt32	—
`PeerAddress` Binary	—
`PacketSize` UInt32	—
`PacketData` Binary	—