Message

Smb2 Request Negotiate

Message

Smb2 Request Session Setup

Message

Smb2 Request Logoff

Message

Smb2 Request Tree Connect

Message

Smb2 Request Tree Disconnect

Message

Smb2 Request Echo

Message

Smb2 Request Cancel

Message

Smb2 Request Create

Message

Smb2 Request Close

Message

Smb2 Request Flush

Message

Smb2 Request Read

Message

Smb2 Request Write

Message

Smb2 Request Break Oplock

Message

Smb2 Request Notify Break Lease

Message

Smb2 Request Acknowledge Break Lease

Message

Smb2 Request Lock

Message

Smb2 Request Ioctl

Message

Smb2 Request Query Directory

Message

Smb2 Request Change Notify

Message

Smb2 Request Query Info

Message

Smb2 Request Set Info

Message

Smb2 Response Negotiate

Message

Smb2 Response Session Setup

Message

Smb2 Response Logoff

Message

Smb2 Response Tree Connect

Message

Smb2 Response Tree Disconnect

Message

Smb2 Response Echo

Message

Smb2 Response Create

Message

Smb2 Response Close

Message

Smb2 Response Flush

Message

Smb2 Response Read

Message

Smb2 Response Write

Message

Smb2 Response Break Oplock

Message

Smb2 Response Acknowledge Break Lease

Message

Smb2 Response Lock

Message

Smb2 Response Ioctl

Message

Smb2 Response Query Directory

Message

Smb2 Response Change Notify

Message

Smb2 Response Query Info

Message

Smb2 Response Set Info

Message

Smb2 Response Error

Message

Smb2 Work Item Component Transition

Message

Smb2 Work Item allocated

Message

Smb2 Work Item released

Message

SMB2 Work Item activity id transfer

Message

SMB2 Work Item external activity id stop

Message

Smb2 Connection accepted

Message

Smb2 Connection Disconnected by Peer

Message

Smb2 Connection Terminated

Message

Smb2 Session Allocated

Message

Smb2 Session Authentication Failure

Message

SMB Session Authentication Failure



Client Name: %11

Client Address: %6

User Name: %9

Session ID: %7

Status: %4 (%3)

SPN: %12

SPN Validation Policy: %13



Guidance:



You should expect this error when attempting to connect to shares using incorrect credentials.



This error does not always indicate a problem with authorization, but mainly authentication. It is more common with non-Windows clients.



This error can occur when using incorrect usernames and passwords with NTLM, mismatched LmCompatibility settings between client and server, an incorrect service principal name, duplicate Kerberos service principal names, incorrect Kerberos ticket-granting service tickets, or Guest accounts without Guest access enabled

Fields

Example Event

system:
  provider: Microsoft-Windows-SMBServer
  guid: D48CE617-33A2-4BC3-A5C7-11AA4F29619E
  event_source_name: ''
  event_id: 551
  version: 3
  level: 2
  task: 551
  opcode: 0
  keywords: 580964351930793992
  time_created: '2022-04-07T17:25:55.271679+00:00'
  event_record_id: 10
  correlation: {}
  execution:
    process_id: 4
    thread_id: 4460
  channel: Microsoft-Windows-SMBServer/Security
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-18
user_data:
  EventData:
    SessionGUID: E0AAB88C-4A9F-0000-B5F0-AAE09F4AD801
    ConnectionGUID: E0AAB88C-4A9F-0000-A5F0-AAE09F4AD801
    Status: '0xc000006d'
    TranslatedStatus: '0xc000006d'
    ClientAddressLength: 16
    ClientAddress: 0200C33B0A0002860000000000000000
    SessionId: '0x100000000061'
    UserNameLength: 0
    UserName: null
    ClientNameLength: 12
    ClientName: \\10.0.2.134
    SPN: session setup failed before the SPN could be queried
    SPNValidationPolicy: 0
    ReasonCode: 3
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

Smb2 Session Authentication Success

Message

Smb2 Session Bound to Connection

Message

Smb2 Session Terminated

Message

SMB2 Session Closed.

Fields

Message

Smb2 TreeConnect Allocated

Message

Smb2 TreeConnect Disconnected

Message

Smb2 TreeConnect Terminated

Message

Smb2 TreeConnect Failed due to Cluster Endpoint Initializing

Message

A client connection to a continuously available share has been marked so that the client will be forced to reconnect to the server node with best possible storage connectivity. 

Session ID: %1
TreeConnect ID: %2
Share: %4

Fields

Message

A client request on a continuously available share has been failed so that the client will be forced to reconnect to the server node with best possible storage connectivity. 

Session ID: %1
TreeConnect ID: %2
Share: %4

Fields

Message

Smb2 Open established

Message

Smb2 Open Disconnected - Preserved

Message

Smb2 Open Reconnected

Message

Smb2 Open Suspended - Preserved

Message

Smb2 Open Closed

Message

Smb2 Open Timed Out

Message

Smb2 Open Terminated

Message

Smb2 Open Clustered Client Failover Closed

Message

File handle for file {ShareName}\{FileName} was invalidated by user {UserName} from computer {ComputerName}

Fields

Message

Smb2 Share Added

Message

Smb2 Share Modified

Message

Smb2 Share Deleted

Message

S4U2Self authentication failure - The client could not be reauthenticated with S4U2Self to obtain claims.  This may be expected if the account is not a domain account.

Message

SRV Disabled - The SMB1 negotiate request fails due to SMB1 is disabled.

Message

RKF failure - SRV2 failed to get acknowledgement from Resume Key filter for persistent handle request.

Message

The server received an unencrypted message from client {ClientName}. Messsage was rejected.

Fields

Message

The server received a incorrectly signed message from client {ClientName}. Message was rejected.

Fields

Message

The server failed to validate negotiation from client {ClientName}. Connection was terminated.

Fields

Message

The share denied access to the client.

Client Name: %10
Client Address: %6
User Name: %8
Session ID: %17
Share Name: %2
Share Path: %4
Status: %16 (%15)
Mapped Access: %11
Granted Access: %12
Security Descriptor: %14

Guidance:

You should expect access denied errors when a principal accesses a share without the necessary permissions. Usually, this indicates that the principal does not have direct security permissions or lacks membership in a group that has direct access permissions. To determine and correct the permissions on the specified share, an administrator can use the Security tab in File Explorer Properties dialog, the SMBSHARE Windows PowerShell module, or the NET SHARE command. You can also use the Effective Access tab in File Explorer to help diagnose the issue.

Applications may generate access denied errors if they attempt to open files in a writable mode first, and then reopen the files in a read-only mode. In this case, no user action is required.

If access to the share is denied and this event is not logged, you can examine the file and folder NTFS/REFS permissions.

This error does not indicate a problem with authentication, only authorization.

Fields

Message

The share denied anonymous access to the client.

Client Name: %8
Client Address: %6
Share Name: %2
Share Path: %4

Guidance:

You should expect this error when a client attempts to connect to shares and does not provide any credentials. This indicates that the client is not providing a user name (and domain credentials, if necessary). By default, anonymous access to shares is denied.

This error does not always indicate a problem with authorization, but mainly authentication. It is more common with non-Windows clients.

Fields

Message

The server denied anonymous access to the client.

Client Name: %4
 Client Address: %2
Session ID: %5

Guidance:

You should expect this error when a client attempts to connect to shares and does not provide any credentials. This indicates that the client is not providing a user name (and domain credentials, if necessary). By default, Windows Server denies anonymous access to shares.

This error does not always indicate a problem with authorization, but mainly authentication. It is more common with non-Windows clients.

Fields

Message

Endpoint added.

Name: %2
Domain Name: %4
Transport Name: %6
Transport Flags: %7

Guidance:

You should expect this event when the server starts listening on an interface, such as during system restart or when enabling a network adaptor. No user action is required.

Fields

Example Event

system:
  provider: Microsoft-Windows-SMBServer
  guid: D48CE617-33A2-4BC3-A5C7-11AA4F29619E
  event_source_name: ''
  event_id: 1010
  version: 0
  level: 4
  task: 1010
  opcode: 0
  keywords: 2305843009213693960
  time_created: '2023-11-06T06:25:52.476934+00:00'
  event_record_id: 99
  correlation: {}
  execution:
    process_id: 4
    thread_id: 124
  channel: Microsoft-Windows-SMBServer/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
user_data:
  EventData:
    NameLength: 16
    Name: 'WINDEV2310EVAL  '
    DomainNameLength: 9
    DomainName: WORKGROUP
    TransportNameLength: 58
    TransportName: \Device\NetBT_Tcpip_{8E4162AD-6500-4899-BA95-24051405E207}
    TransportFlags: '0x1'
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

Endpoint removed.

Name: %2
Domain Name: %4
Transport Name: %6

Guidance:

You should expect this event when the server stops listening on an interface, such as during shutdown or when disabling a network adaptor. No user action is required.

Fields

Example Event

system:
  provider: Microsoft-Windows-SMBServer
  guid: D48CE617-33A2-4BC3-A5C7-11AA4F29619E
  event_source_name: ''
  event_id: 1011
  version: 0
  level: 4
  task: 1011
  opcode: 0
  keywords: 2305843009213693960
  time_created: '2022-04-04T12:00:04.359257+00:00'
  event_record_id: 18
  correlation: {}
  execution:
    process_id: 4
    thread_id: 196
  channel: Microsoft-Windows-SMBServer/Operational
  computer: WIN-TKC15D7KHUR
  security:
    user_id: S-1-5-18
user_data:
  EventData:
    NameLength: 0
    Name: null
    DomainNameLength: 0
    DomainName: null
    TransportNameLength: 58
    TransportName: \Device\NetBT_Tcpip_{64AAD862-869C-436D-A905-CCB55AA6A79F}
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

The network name information changed.

Change Type: %1
Net Name: %3
IP Address: %9
Flags: %4
Interface Index: %5
Capability: %6
Link Speed: %7

Guidance:

You should expect this event on a Windows Failover Cluster node during failover operations, at system startup, or during network configuration. No user action is required.

Fields

Message

Endpoint coming online.

Endpoint Name: %2
Transport Name: %4

Guidance:

You should expect this event on a Windows Failover Cluster node during failover operations. No user action is required.

Fields

Message

Endpoint going offline.

Endpoint Name: %2
Transport Name: %4

Guidance:

You should expect this event on a Windows Failover Cluster node during failover operations. No user action is required.

Fields

Message

Decrypt call failed.

Client Name: %2
Client Address: %4
Session ID: %7
Status: %6 (%5)

Guidance:

This event commonly occurs because a previous SMB session no longer exists. It may also be caused by packets that are altered on the network between the computers due to either errors or a "man-in-the-middle" attack.

Fields

Message

Reopen failed.

Client Name: %7
Client Address: %9
User Name: %13
Session ID: %14
Share Name: %11
File Name: %16
Resume Key: %20
Status: %2 (%1)
RKF Status: %4 (%3)
Durable: %17
Resilient: %18
Persistent: %19
Reason: %21

Guidance:

The client attempted to reopen a continuously available handle, but the attempt failed. This typically indicates a problem with the network or underlying file being re-opened.

Fields

Message

Handle scavenged.

Share Name: %7
File Name: %9
Resume Key: %5
Persistent File ID: %3
Volatile File ID: %4
Durable: %1
Resilient or Persistent: %2

Guidance:

The server closed a handle that was previously reserved for a client after 60 seconds. You should expect this event on a computer that is continuously available where a client did not gracefully close its session. For instance, this may occur when the client unexpectedly restarted.

Fields

Message

Backchannel invalidation of session completed.

Session ID: %1
Status: %3 (%2)
Task Status: %5 (%4)

Guidance:

You should expect this event on a computer that is continuously available. No user action is required

Fields

Message

Backchannel invalidation of file completed.

Resume Key: %1
Status: %3 (%2)
Task Status: %5 (%4)

Guidance:

You should expect this event on a computer that is continuously available. No user action is required

Fields

Message

File system operation has taken longer than expected.

Client Name: %8
Client Address: %10
User Name: %6
Session ID: %3
Share Name: %12
File Name: %14
Command: %1
Duration (in milliseconds): %15
Warning Threshold (in milliseconds): %16

Guidance:

The underlying file system has taken too long to respond to an operation. This typically indicates a problem with the storage and not SMB.

Fields

Message

LmCompatibilityLevel value is different from the default.

Configured LM Compatibility Level: %1
Default LM Compatibility Level: %2

Guidance:

LAN Manager (LM) authentication is the protocol used to authenticate Windows clients for network operations. This includes joining a domain, accessing network resources, and authenticating users or computers. This determines which challenge/response authentication protocol is negotiated between the client and the server computers. Specifically, the LM authentication level determines which authentication protocols the client will try to negotiate or the server will accept. The value set for LmCompatibilityLevel determines which challenge/response authentication protocol is used for network logons. This value affects the level of authentication protocol that clients use, the level of session security negotiated, and the level of authentication accepted by servers.

Value (Setting) - Description

0 (Send LM & NTLM responses) - Clients use LM and NTLM authentication and never use NTLMv2 session security. Domain controllers accept LM, NTLM, and NTLMv2 authentication.

1 (Send LM & NTLM - use NTLMv2 session security if negotiated) - Clients use LM and NTLM authentication, and use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.

2 (Send NTLM response only) - Clients use NTLM authentication only and use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.

3 (Send NTLM v2 response only) - Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.

4 (Send NTLMv2 response only/refuse LM) - Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it. Domain controllers refuse LM and accept only NTLM and NTLMv2 authentication.

5 (Send NTLM v2 response only/refuse LM & NTLM) - Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it. Domain controllers refuse LM and NTLM and accept only NTLMv2 authentication.

Incompatibly configured  LmCompatibility levels between a client and server (such as 0 on a client and 5 on a server) prevent access to the server. Non-Microsoft clients and servers also provide these configuration settings.

Fields

Message

File and printer sharing firewall rule enabled.

Guidance:

You should expect this event when Windows Firewall is configured to enable the File and Printer Sharing rule, which allows inbound SMB traffic. This event occurs on a computer that has custom shares configured.

Message

One or more shares present on this server have access based enumeration enabled.

Guidance:

You should expect this event when enabling access-based enumeration on one or more shares by using either Server Manager or the Set-SmbShare Windows PowerShell cmdlet. Access-based enumeration can raise CPU utilization when clients connect to shares with folders containing many peer-level resources to which a user does not have access. You can control the CPU utilization by configuring the ABELevel value in the Windows registry:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\ABELevel [DWORD]

You can set the value for ABELevel to greater depths to minimize CPU overhead, but doing so diminishes the effectiveness of access-based enumeration:

Value = 0: access-based enumeration is enabled for all levels

Value = 1: access-based enumeration is enabled for a depth of 1 (example: \server\share)

Value = 2: access-based enumeration is enabled for a depth of 2 (example: \server\share\folder)

You can continue setting values for multiple depth levels.

Message

SMB2 and SMB3 have been disabled on this server.  This results in reduced functionality and performance.

Registry Key: HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters
Registry Value: Smb2
Default Value: 1 (or not present)
Current Value: 0

Guidance:

You should expect this event when disabling SMB2/SMB3. Microsoft does not recommend disabling SMB2/SMB3. When SMB3 is disabled, you cannot use features such as SMB Transparent Failover, SMB Scale Out, SMB Multichannel, SMB Direct (RDMA), SMB Encryption, VSS for SMB file shares, and SMB Directory Leasing. In most scenarios, SMB provides a troubleshooting workaround as an alternative to disabling SMB2/SMB3. Use the Set-SmbServerConfiguration Windows PowerShell cmdlet to enable SMB2/SMB3.

Message

One or more named pipes or shares have been marked for access by anonymous users.  This increases the security risk of the computer by allowing unauthenticated users to connect to this server.

Registry Key: HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters
Registry Values: NullSessionPipes, NullSessionShares
Default Value: Empty (or not present)
Current Value: Non-empty

Guidance:

You should expect this event when modifying the default values of NullSessionShares and NullSessionPipes. On a typical file server, these settings do not exist or do not contain values, which is the most secure configuration. By default, domain controllers populate the NullSessionShares entry with netlogon, samr, and lsarpc to allow legacy access methods.

Example Event

system:
  provider: Microsoft-Windows-SMBServer
  guid: D48CE617-33A2-4BC3-A5C7-11AA4F29619E
  event_source_name: ''
  event_id: 1025
  version: 0
  level: 3
  task: 1025
  opcode: 0
  keywords: 2305843009213693960
  time_created: '2023-11-06T06:25:44.207725+00:00'
  event_record_id: 96
  correlation: {}
  execution:
    process_id: 3912
    thread_id: 3512
  channel: Microsoft-Windows-SMBServer/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
user_data:
  EventData: {}
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

File leasing has been disabled for the SMB2 and SMB3 protocols.  This reduces functionality and can decrease performance.

Registry Key: HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters
Registry Value: DisableLeasing
Default Value: 0 (or not present)
Current Value: non-zero

Guidance:

You should expect this event when disabling SMB 3 Leasing. Microsoft does not recommend disabling SMB Leasing. Once disabled, traffic from client to server may increase since metadata and data may no longer be retrieved from a local cache.

Message

The file and printer sharing firewall ports are currently closed.  This is the default configuration for a system that is not sharing content or is on a Public network.

Guidance:

You should expect this event when Windows Firewall is not configured to enable the File and Printer Sharing rule, which allows inbound SMB traffic. This event occurs on a computer that does not have custom shares configured. Clients cannot access SMB shares on this computer until SMB traffic is allowed through the firewall.

Example Event

system:
  provider: Microsoft-Windows-SMBServer
  guid: D48CE617-33A2-4BC3-A5C7-11AA4F29619E
  event_source_name: ''
  event_id: 1027
  version: 0
  level: 4
  task: 1027
  opcode: 0
  keywords: 2305843009213693960
  time_created: '2023-11-05T22:32:38.630794+00:00'
  event_record_id: 124
  correlation: {}
  execution:
    process_id: 3368
    thread_id: 3592
  channel: Microsoft-Windows-SMBServer/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
user_data:
  EventData: {}
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

The maximum cluster-supported SMB dialect has changed.

NewMaxDialect: %1
OldMaxDialect: %2

Guidance:

You should expect this event during a Windows Failover Cluster upgrade. No user action is required.

Fields

Message

The Cipher Suite Order group policy setting is invalid.

Guidance:

This event indicates that an administrator has configured an invalid value for the "Computer Configuration\Administrative Templates\Network\Lanman Server\Cipher Suite Order" group policy setting. The server will use the default cipher suite order "%1" until this error is resolved.

Fields

Message

An MDL read or write completion request failed.

Server Name: %2
Share Name: %4
File Name: %6
IsRead: %7
Status: %8

Guidance:

The SMB server sends MDL completion requests to a file system upon completion of a buffered I/O to release system resources. The file system and its filter drivers must not fail MDL completion requests. Failures may result in memory leaks and degraded system performance and stability. Non-Microsoft file system filter drivers are the most common cause of failed MDL completion requests.

Fields

Message

The server detected a problem and has captured a live kernel dump to collect debug information.

Reason: %1
Dump Location: %SystemRoot%\LiveKernelReports

Guidance:

The server supports the Live Dump feature, where the detection of a problem results in a kernel memory dump, but no bugcheck and reboot. This allows Microsoft Support to examine memory dumps without requiring a reboot or manual intervention. The reason code indicates the type of problem that was detected.

Stalled I/O

An I/O is taking an unreasonably long time to complete. Malfunctioning third-party file system minifilter drivers are a common source of this problem. Other causes include failed disks or a client-driven I/O workload that greatly exceeds the server's capacity.

Fields

Message

The server detected a problem but was unable to capture a live kernel dump to collect debug information.

Reason: %1

Guidance:

The server supports the Live Dump feature, where the detection of a problem results in a kernel memory dump, but no bugcheck and reboot. This allows Microsoft Support to examine memory dumps without requiring a reboot or manual intervention. The reason code indicates the type of problem that was detected. In this case, the server's request to create a live kernel dump was rejected. This is usually due to the live kernel dump throttle, which prevents frequent dumps from consuming too much disk space. Either wait for the throttle limit to expire (by default, 7 days), or contact Microsoft Support for steps to override the throttle. This event is written to the log no more than once per day. The problem that caused the server to the request a live kernel dump may be occuring more frequently.

Stalled I/O

An I/O is taking an unreasonably long time to complete. Malfunctioning third-party file system minifilter drivers are a common source of this problem. Other causes include failed disks or a client-driven I/O workload that greatly exceeds the server's capacity.

Fields

Fields

Message

Sent RDMA %1 event to LanmanServer for interface %3.

Fields

Example Event

system:
  provider: Microsoft-Windows-SMBServer
  guid: D48CE617-33A2-4BC3-A5C7-11AA4F29619E
  event_source_name: ''
  event_id: 1033
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 2305843009213694464
  time_created: '2023-10-26T04:17:52.198363+00:00'
  event_record_id: 18
  correlation: {}
  execution:
    process_id: 4
    thread_id: 436
  channel: Microsoft-Windows-SMBServer/Operational
  computer: WIN-OQ6R0RVA4NF
  security:
    user_id: S-1-5-18
user_data:
  EventData:
    NotificationType: 0
    InterfaceNameLength: 34
    InterfaceName: \Device\RdmaSmbIpv4_169.254.253.61
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Fields

Message

Send RDMA Endpoint notification failure - %1

Fields

Example Event

system:
  provider: Microsoft-Windows-SMBServer
  guid: D48CE617-33A2-4BC3-A5C7-11AA4F29619E
  event_source_name: ''
  event_id: 1034
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 2305843009213694464
  time_created: '2023-10-26T04:17:52.198365+00:00'
  event_record_id: 19
  correlation: {}
  execution:
    process_id: 4
    thread_id: 436
  channel: Microsoft-Windows-SMBServer/Operational
  computer: WIN-OQ6R0RVA4NF
  security:
    user_id: S-1-5-18
user_data:
  EventData:
    FailureType: 6
    InterfaceIndex: 0
    Error: '0xc0000034'
    DeviceNameLength: 34
    DeviceName: \Device\RdmaSmbIpv4_169.254.253.61
    ExtraInformation: 0
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

RDMA Endpoint %4 for interface %2 was %1.

Fields

Fields

Fields

Message

RDMA Endpoint allocation failure - Endpoint allocation failed for interface %1. %2

Fields

Fields

Message

RDMA listener creation failure - %1

Fields

Fields

Message

RDMA Send endpoint notification RPC failure for device %3 - %1

Fields

Example Event

system:
  provider: Microsoft-Windows-SMBServer
  guid: D48CE617-33A2-4BC3-A5C7-11AA4F29619E
  event_source_name: ''
  event_id: 1038
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 2305843009213694464
  time_created: '2023-11-06T06:25:49.867686+00:00'
  event_record_id: 98
  correlation: {}
  execution:
    process_id: 4
    thread_id: 428
  channel: Microsoft-Windows-SMBServer/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
user_data:
  EventData:
    FailureType: 3
    DeviceNameLength: 58
    DeviceName: \Device\NetBT_Tcpip_{8E4162AD-6500-4899-BA95-24051405E207}
    Error: '0x102'
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Fields

Message

Received Nsi notification type %1 for interface %2 with NdkOperationalState %3

Fields

Fields

Message

Received Mib notification type %1 for interface %2

Fields

Example Event

system:
  provider: Microsoft-Windows-SMBServer
  guid: D48CE617-33A2-4BC3-A5C7-11AA4F29619E
  event_source_name: ''
  event_id: 1040
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 2305843009213694464
  time_created: '2023-11-05T22:32:37.991590+00:00'
  event_record_id: 123
  correlation: {}
  execution:
    process_id: 4
    thread_id: 136
  channel: Microsoft-Windows-SMBServer/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
user_data:
  EventData:
    NotificationType: 3
    InterfaceIndex: 0
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

Error reading FSCTL properties information from the registry. Registry value entry %3 will be ignored. Error: %1

Fields

Message

The certificate for the server is about to expire. 

Subject: %2
Thumbprint: %4
Expires on %5.

Guidance:

This event indicates the certificate is about to expire. 

Renew or issue new certificates to avoid service interruption.

Fields

Message

RDMA connection disconnected.

Transport name: %3
Milliseconds spent closing the connection: %1

Guidance:

Closing an RDMA connection should not take longer than 2 minutes. An RDMA IO that takes an abnormally long time to complete indicates a problem with the RDMA network adapters on this computer or its remote host. Contact your RDMA vendor for an updated driver and further troubleshooting.

Fields

Message

Quic connection shutdown.

Error: %1
Reason: %2
Endpoint Name: %4
Transport Name: %6

Guidance:

This event indicates that the winquic connection is shutting down by the server. This event commonly occurs because the server certificate mapping is not created. It may also be caused by the server failed to configure the winquic connections.

Fields

Fields

Message

The server failed to update server certificate mapping.

Name: %2
Subject: %4
Thumbprint: %6

The certificate can't be used for the server due to error %7

The server certificate mapping %9 removed.

Fields

Message

The server received a request and the server requires encryption, but the server and client did not negotiate an encryption cipher, nor does server allow unencrypted access.

Request: %10
Client Name: %4
Client Address: %8
User Name: %6
Session ID: %9
Share Name: %2

Guidance:

This event indicates that client is trying to access a server that requires encryption, but no cipher was negotiated, and server does not allow unencrypted access. Check HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\RejectUnencryptedAccess to see if the value has been changed.

Fields

Message

The server received a %2 request but is taking an abnormal amount of time to process it.

Instance Id: %1
Command: %2
PerfBlock: %3
Duration(s): %4
Threshold(s): %5

Fields

Message

The server processed a %1 request. Times taken to complete each stage below.

Command: %1
AcquireLockTime(s): %2
IoTime(s): %3
TotalTime(s): %4
Threshold(s): %5

Fields

Message

The certificate for the server has expired. 

Subject: %2
Thumbprint: %4
Expires on %5.

Guidance:

This event indicates the certificate has expired. 

Renew or issue new certificates to avoid service interruption.

Fields

Message

Found %1 endpoint(s) related to interface ID %2, closed %3 of which.

Fields

Message

The SMB negotiate request processing failed on the server to select the encryption cipher for the client and server. Please ensure there is a common cipher between the client and server.

Client encryption cipher suite order (most to least preferred): %2
Server encryption cipher suite order (most to least preferred): %4

Fields

Message

Failed to restore a server certificate mapping from persistent storage.

Subject: %2
Thumbprint: %4

Error code: %5.

Fields

Message

Restored %2 of %1 server certificate mappings from persistent storage. Last error code: %3.

Fields

Message

Network operation has taken longer than expected.

Client Name: %8
Client Address: %10
User Name: %6
Session ID: %3
Share Name: %12
File Name: %14
Command: %1
Duration (in milliseconds): %15
Warning Threshold (in milliseconds): %16

Guidance:

The underlying file system has taken too long to respond to an operation. This typically indicates a problem with the storage and not SMB.

Fields

Message

RDMA rundown is active. Active RDMA-based operations will be wound down. There are currently %1 active RDMA resources.

Fields

Message

RDMA rundown is complete. No further RDMA-based operations are allowed. Rundown no-op: %1.

Fields

Message

Reactivation of RDMA support has commenced.

Message

RDMA is no longer disabled. RDMA-based operations can proceed, given hardware capabilities and OS policy. No-op: %1.

Fields

Message

SMBDirect load attempt complete.

Success: %1
Status code: %2
Service path: %4

Fields

Message

SMB DDP security changed from %1 to %2.

Fields

Message

SMB2 Request Negotiate Dialect Failure

Session ID: %1
Client Address: %18
Client Name:%20
Client Dialects: %12
Minimum dialect required by server: %15
Maximum dialect required by server: %16

Guidance:

You should expect this error when servers don't meet the dialects requested by client. Please check the minimum and maximum dialects set by the client and ensure the server supports the dialects.

Fields

Message

SMB Dialect Change 

%1 was changed from %2 to %3.

Fields

Message

Component capabilities: %1
Internal patch number: %2

Fields

Message

CA failure - Failed to set continuously available property on a new or existing file share as the file share is not a cluster share.

Message

CA failure - Failed to set continuously available property on a new or existing file share as Resume Key filter is not started.

Message

The server failed to reserve the next ID region in the cluster registry.

Message

The security descriptor differs from the default value.

 Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity\%1

 Guidance:

 This is typically caused by an administrator or a third party changing the security on the object manually. To reset the security back to the default value, delete the path shown above.
 Microsoft does not recommend changing the default security of %1 as it may cause application incompatibilities or security concerns.

Fields

Message

No SMB1 usage detected in the last 20 minutes.

Guidance:

This event indicates that no attempt was made to contact this computer via the SMB1 protocol. After %1 online days of no SMB1 contact attempts, the SMB1 Server service will automatically uninstall.

Fields

Fields

Message

TDI mode enabled: %1

Fields

Example Event

system:
  provider: Microsoft-Windows-SMBServer
  guid: D48CE617-33A2-4BC3-A5C7-11AA4F29619E
  event_source_name: ''
  event_id: 1900
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 2305843009213694464
  time_created: '2023-11-06T06:25:43.357313+00:00'
  event_record_id: 95
  correlation: {}
  execution:
    process_id: 4
    thread_id: 224
  channel: Microsoft-Windows-SMBServer/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  IsTdiEnabled: true
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Fields

Message

Failed to allocate an NSI table for network interface enumeration: %1

Fields

Fields

Message

Received notification of a newly-started network interface with Luid %2 on address family %1 (IPv4 == 2, IPv6 == 23)

Fields

Fields

Message

Received notification of a stopped network interface with Luid %2 on address family %1 (IPv4 == 2, IPv6 == 23)

Fields

Fields

Message

Failed to open network interface with Luid %1: error %2

Fields

Message

The server closed the session as part of periodic system cleanup.

Session Id: %1
Instance Id: %2
Reason: %3

Fields

Message

Session key for connection is weaker than required. Connection will be closed as a result.

Client: %2
User: %6
Session key length: %3
Required Session key length: %4

Guidance:
To establish a connection with a shorter session key, set the following registry DWORD value name with the value as decimal bits:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"MinimumSessionKeyLength"

Important: If you have configured the 'Network security: Configure encryption types allowed for Kerberos' security policy to prevent use of 256-bit keys but also set the MinimumSessionKeyLength greater than 128 bits, the computer will not be able to make SMB connections. Setting MinimumSessionKeyLength higher than 128 bits will also prevent SMB connections using NTLM.

Fields