Microsoft-Windows-TCPIP

624 events across 2 channels

Event ID	Title	Channel
1001	TCP: endpoint Endpoint (Family=AddressFamily, PID=Pid) created with status = …	Diagnostic
1002	TCP: Tcb Tcb (local=LocalAddress remote=RemoteAddress) requested to connect.	Diagnostic
1003	TCP: Inspect Connect has been completed on Tcb Tcb with status = Status.	Diagnostic
1004	TCP: Tcb Tcb is going to output SYN with ISN = ISN, RcvWnd = RcvWnd, RcvWndScale …	Diagnostic
1005	TCP: endpoint bind failed: address LocalAddressLength cannot be resolved …	Diagnostic
1006	TCP: endpoint (sockaddr=LocalAddressLength) bind failed: port-acquisition status …	Diagnostic
1007	TCP: endpoint (sockaddr=LocalAddressLength) bind failed: inspection status = …	Diagnostic
1008	TCP: endpoint (sockaddr=LocalAddressLength) bound.	Diagnostic
1009	TCP: endpoint (sockaddr=LocalAddressLength) closed.	Diagnostic
1010	TCP: endpoint (Family=AddressFamily PID=ProcessId) create failed: address family …	Diagnostic
1011	TCP: endpoint (Family=AddressFamily PID=ProcessId) create failed: compartment …	Diagnostic
1012	TCP: endpoint (Family=AddressFamily PID=ProcessId) create failed: inspection …	Diagnostic
1013	TCP: endpoint (Family=CompartmentId PID=Status) created.	Diagnostic
1014	TCP: listener (local=LocalAddress remote=RemoteAddress) accept failed: Route …	Diagnostic
1015	TCP: listener (local=LocalAddress remote=RemoteAddress) accept failed: …	Diagnostic
1016	TCP: listener (local=LocalAddress remote=RemoteAddress) accept failed: client …	Diagnostic
1017	TCP: listener (local=LocalAddress remote=RemoteAddress) accept completed.	Diagnostic
1018	TCP: connection Tcb (local=LocalAddress remote=RemoteAddress PID=ProcessId) …	Diagnostic
1019	TCP: connection Tcb (local=LocalAddress remote=RemoteAddress PID=ProcessId) …	Diagnostic
1020	TCP: connection Tcb (local=LocalAddress remote=RemoteAddress PID=ProcessId) …	Diagnostic
1021	TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connect failed: …	Diagnostic
1022	TCP: Bypass rate limiting since flag is set on path Path (local=LocalAddress …	Diagnostic
1023	TCP: Charge rate limiting quota and set rate limiting flag for path Path …	Diagnostic
1024	TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) deferred.	Diagnostic
1025	TCP: ConnectionRateLimitDepth rate-limiting paths ConnectionRateLimitBacklog …	Diagnostic
1026	TCP: Release and set rate limiting flag on path Path (local=LocalAddress …	Diagnostic
1027	TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) released.	Diagnostic
1028	TCP: Clear rate limiting flag on path Path (local=LocalAddress …	Diagnostic
1029	TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connect failed: …	Diagnostic
1030	TCP: connection (local=LocalAddressLength remote=RemoteAddressLength) connect …	Diagnostic
1031	TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connect …	Diagnostic
1032	TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) released due to …	Diagnostic
1033	TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connect completed.	Diagnostic
1034	TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connect attempt …	Diagnostic
1035	TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connect failed: …	Diagnostic
1036	TCP: ApplySynOptions, failed to create session state with status = Status, TCB = …	Diagnostic
1037	TCP: ApplySynOptions, failed to update DF with status = Status, TCB = Tcb.	Diagnostic
1038	TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) close issued.	Diagnostic
1039	TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) abort issued.	Diagnostic
1040	TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) abort completed.	Diagnostic
1041	TCP: Injecting disconnect on a shutdown TCB failed.	Diagnostic
1042	TCP: connection disconnect Injected, length=Length.	Diagnostic
1043	TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) disconnect …	Diagnostic
1044	TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) shutdown initiated …	Diagnostic
1045	TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connect failed: …	Diagnostic
1046	TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) terminating: …	Diagnostic
1047	TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) terminating: …	Diagnostic
1048	TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) terminating: …	Diagnostic
1049	TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connect failed: …	Diagnostic
1050	TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connect failed: …	Diagnostic
1051	TCP: connection Tcb transition from OldState to NewState, SndNxt = SndNxt.	Diagnostic
1052	TCP: Process with PID = ProcessId reserved NumberOfPorts ports starting at …	Diagnostic
1053	TCP: Process with PID = ProcessId failed to reserve NumberOfPorts ports starting …	Diagnostic
1054	TCP: Process with PID = ProcessId completed global port reservation of …	Diagnostic
1055	TCP: entering SYN attack resistance mode, Syn Attacks Detected = …	Diagnostic
1056	TCP: reasembly rate-limiting violated ReassemblyLimitViolations times since …	Diagnostic
1057	TCP: connection rate-limiting violated ConnectionRateLimitViolations times since …	Diagnostic
1058	TCP: land attack has dropped LandAttackSegmentsDropped packets since boot.	Diagnostic
1059	TCP: low memory state detected.	Diagnostic
1060	TCP: leaving low memory state.	Diagnostic
1061	TCP: address family AddressFamily added to interface InterfaceIndex.	Diagnostic
1062	TCP: address family AddressFamily removed from interface InterfaceIndex.	Diagnostic
1063	TCP: leaving SYN attack resistance mode, Syn Attacks Detected = …	Diagnostic
1064	TCP: Connection Tcb TimerType timer started.	Diagnostic
1065	TCP: Connection Tcb stopping TimerType timer.	Diagnostic
1066	TCP: Connection Tcb TimerType timer has expired.	Diagnostic
1067	TCP: ISB changed to IsbSize.	Diagnostic
1068	TCP: moving RSS indirection table index TableEntry from processor …	Diagnostic
1069	TCP: connection Tcb: Timeout Event updated cwnd = Cwnd and updated ssthresh = …	Diagnostic
1070	TCP: connection Tcb: Rtt sample recorded RttSample.	Diagnostic
1071	TCP: connection Tcb: Cumulative ACK updated cwnd = Cwnd.	Diagnostic
1072	TCP: connection Tcb: Duplicate ACK updated cwnd = Cwnd and updated ssthresh = …	Diagnostic
1073	TCP: connection Tcb: Sent data with number of bytes = NumBytes and Sequence …	Diagnostic
1074	TCP: connection Tcb: Received data with number of bytes = NumBytes.	Diagnostic
1075	TCP: connection Tcb: ECN Echo updated cwnd = Cwnd and updated ssthresh = …	Diagnostic
1076	TCP: connection Tcb: Spurious timeout with SndUna = SndUna.	Diagnostic
1077	TCP: connection Tcb: Send Retransmit round with SndUna = SeqNo, Round = Round, …	Diagnostic
1078	TCP: connection Tcb: Entered loss recovery phase with SndUna = SndUna and SndMax …	Diagnostic
1079	TCP: connection Tcb: Leaving loss recovery phase with SndUna = SndUna and SndMax …	Diagnostic
1080	TCP: connection Tcb entering SACK mode with SndUna = SndUna.	Diagnostic
1081	TCP: connection Tcb leaving SACK mode with SndUna = SndUna.	Diagnostic
1082	TCP: connection Tcb entering Congestion Avoidance Phase with cwnd = Cwnd and …	Diagnostic
1084	TCP: connection Tcb entered BH, BH MSS BHMSS, original MSS OriginalMSS.	Diagnostic
1085	TCP: connection Tcb Exiting BH due to TraceString, BH mss BHMSS, Original MSS …	Diagnostic
1086	TCP: connection Tcb not entering BH due to TraceString.	Diagnostic
1087	TCP: connection Tcb spurious RTO detection initiated at SndUna.	Diagnostic
1088	TCP: connection Tcb spurious RTO detection terminated at SndUna.	Diagnostic
1089	TCP: active connect failed (family=Status) connect-complete inspection failed: …	Diagnostic
1090	TCP: TcpReleaseIndicationList: Nbl = NBL.	Diagnostic
1091	TCP: connection Tcb posted an average of NumBytes bytes per send.	Diagnostic
1092	TCP: connection (local=LocalAddress remote=RemoteAddress) starting receive …	Diagnostic
1093	TCP: connection (local=LocalAddress remote=RemoteAddress) ending receive window …	Diagnostic
1094	TCP: connection (local=LocalAddress remote=RemoteAddress) failed to enter …	Diagnostic
1095	TCP: connection (local=LocalAddress remote=RemoteAddress) failed to enter …	Diagnostic
1096	TCP: connection (local=LocalAddress remote=RemoteAddress) failed to enter …	Diagnostic
1097	TCP: connection (local=LocalAddress remote=RemoteAddress) auto-tuner adjusted …	Diagnostic
1098	TCP: connection Tcb: Rtt resiliency detection complete with Rtt sample = …	Diagnostic
1099	TCP: connection Tcb: Connection State = TcbState, Offload State = OcbState.	Diagnostic
1100	TCP: SWS avoidance began on connection Tcb.	Diagnostic
1101	TCP: SWS avoidance ended on connection Tcb.	Diagnostic
1102	TCP: connection Tcb send: Beginning zero-window probing with SndUna = SndUna.	Diagnostic
1103	TCP: connection Tcb send: Leaving zero-window probing with SndUna = SndUna.	Diagnostic
1104	TCP: Option OptionType is going to be set for connection Tcb.	Diagnostic
1105	TCP: Socket Option SoOptionType is going to be set for connection Tcb.	Diagnostic
1106	IP: Disconnecting interface InterfaceIndex, trace = TraceString.	Diagnostic
1107	TCPIP: Module ModuleNameString started.	Diagnostic
1108	TCPIP: Module ModuleNameString stopped.	Diagnostic
1109	TCPIP: Failure allocating AllocationObjectString.	Diagnostic
1110	TCP: Global parameters updated for Address Family AddressFamily: …	Diagnostic
1111	TCP: Connection Tcb Large Send Offload, Bytes in segment = BytesInSegment and …	Diagnostic
1112	TCP: Connection Tcb status changed to Status.	Diagnostic
1113	TCP: Connection Tcb status = Status, Interface = Interface, PMax = PMax.	Diagnostic
1114	IP: DAD successful for IP address = IPv4Address IPProtocol IPv6Address on …	Diagnostic
1115	IP: DAD failed for IP address = IPv4Address IPProtocol IPv6Address on interface …	Diagnostic
1116	IP: DAD started for IP address = IPv4Address IPProtocol IPv6Address on interface …	Diagnostic
1117	TCP: listener (sockaddr=SocketAddress PID=ProcessId) activation failed: address …	Diagnostic
1118	TCP: listener Listener (family=AddressFamily PID=ProcessId) activation failed: …	Diagnostic
1119	TCP: listener Listener (family=AddressFamily PID=ProcessId) activation failed: …	Diagnostic
1120	TCP: listener Listener (sockaddr=SocketAddress) activation failed: inspection …	Diagnostic
1121	TCP: listener Listener (sockaddr=SocketAddress) bind failed: port-acquisition …	Diagnostic
1122	TCP: listener Listener (family=AddressFamily PID=ProcessId) bind failed: address …	Diagnostic
1123	TCP: listener Listener (sockaddr=SocketAddress) activated.	Diagnostic
1124	TCP: listener Listener (sockaddr=SocketAddress) unbound.	Diagnostic
1127	IP: IP address = IPv4Address IPProtocol IPv6Address added on interface = …	Diagnostic
1128	IP: IP address = IPv4Address IPProtocol IPv6Address deleted on interface = …	Diagnostic
1130	Framing: Interface operation status change.	Diagnostic
1136	Framing: NDIS pause event on interface InterfaceIndex.	Diagnostic
1137	Framing: NDIS restart event on interface InterfaceIndex.	Diagnostic
1138	IP: IP address = IPv4Address IPProtocol IPv6Address state changed to Preferred.	Diagnostic
1139	IP: IP address = IPv4Address IPProtocol IPv6Address state changed to …	Diagnostic
1144	IP: Interface Interface property change.	Diagnostic
1145	IP: Route Route created on interface Interface.	Diagnostic
1146	IP: Route Route deleted on interface Interface, Protocol = DestinationPrefix, …	Diagnostic
1147	IP: Route Route property change.	Diagnostic
1148	IP: Neighbor unreachable.	Diagnostic
1149	IP: Neighbor reachable.	Diagnostic
1150	TCP: CTCP DataTransferTimeout event.	Diagnostic
1151	TCP: CTCP Cumulative Ack event Connection Tcb, sequence = SeqNo, CWnd = Cwnd, …	Diagnostic
1152	TCP: CTCP Duplicate Ack event.	Diagnostic
1153	TCP: CTCP Send event.	Diagnostic
1154	TCP: CTCP ECN event.	Diagnostic
1155	TCP: CTCP Spurious timeout event.	Diagnostic
1156	TCP: connection Tcb, delivery Delivery, Request Request posted for NumBytes …	Diagnostic
1157	TCP: connection Tcb delivery Delivery indicated NumBytes bytes accepted Length …	Diagnostic
1158	TCP: connection Tcb delivery Delivery satisfied NumBytes bytes Length requested.	Diagnostic
1159	TCP: connection Tcb send Injected NumBytes bytes at SndNxt.	Diagnostic
1160	TCP: connection Tcb send transmitted NumBytes bytes at SndNxt.	Diagnostic
1161	TCP: connection Tcb send advance NumBytes bytes at SndNxt.	Diagnostic
1162	TCP: CTcp: Connection Tcb Delay window has not kicked in.	Diagnostic
1163	TCP: CTcp: Allocated blocks: AssignedBlocks; Assigned blocks: AllocatedBlocks.	Diagnostic
1164	TCP: CTcp: Connection Tcb, DWnd = DWnd (Prev = PrevDWnd), BaseRtt = BaseRtt, …	Diagnostic
1165	TCP: CTcp: Gamma Autotuning: Connection Tcb Updated Gamma Gamma, Average backlog …	Diagnostic
1166	TCP: connection Tcb SRTT measurement started (seq = SeqNum, tick = Tick).	Diagnostic
1167	TCP: connection Tcb SRTT measurement complete (tick = Tick, sample = RttSample …	Diagnostic
1168	TCP: connection Tcb: SRTT measurement cancelled.	Diagnostic
1169	UDP: endpoint Endpoint (LocalAddress = LocalSockAddr, RemoteAddress = …	Diagnostic
1170	UDP: endpoint Endpoint (LocalAddress = LocalSockAddr, RemoteAddress = …	Diagnostic
1171	TCP: connection Tcb delivery Delivery flushing NumBytes bytes Length requested …	Diagnostic
1172	TCP: Injecting receive on a shutdown TCB failed.	Diagnostic
1173	TCP: connection Tcb delivery Delivery injecting NumBytes bytes delta Length, …	Diagnostic
1174	TCP: Injecting fin on a shutdown TCB failed.	Diagnostic
1175	TCP: connection Tcb delivery Delivery accepting NumBytes bytes.	Diagnostic
1176	TCP: connection Tcb delivery Delivery delivering FIN.	Diagnostic
1178	TCP: connection Tcb delivery Delivery pushing NumBytes bytes Length requested.	Diagnostic
1180	TCP: Injecting fin on TCB completed.	Diagnostic
1181	TCP: connection Tcb delivery Delivery urgent boundary completing NumBytes bytes …	Diagnostic
1182	TCP: connection Tcb (local=LocalAddress remote=RemoteAddress): initiating …	Diagnostic
1183	TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connect failed: …	Diagnostic
1184	TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connection …	Diagnostic
1185	TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connection …	Diagnostic
1186	TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) retransmitting …	Diagnostic
1187	TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) retransmitting …	Diagnostic
1188	TCP: connection Tcb send keep-alive at SndUna = SndUna.	Diagnostic
1189	TCP: connection Tcb, delivery Delivery: delivery state changed from …	Diagnostic
1190	TCP: connection Tcb delivery Delivery dropping data.	Diagnostic
1191	TCP: endpoint/connection PortAcquirer acquired port number PortNumber.	Diagnostic
1192	TCP: connection PortAcquirer attempted to acquire weak reference on port number …	Diagnostic
1193	TCP: endpoint/connection PortAcquirer released port number PortNumber.	Diagnostic
1194	TCP: endpoint/connection PortAcquirer replaced base endpoint OriginalAcquirer …	Diagnostic
1195	TCP: Portpool assigned port number PortNumber with weak references due to port …	Diagnostic
1196	TCP: connection Tcb BH receive ACK for full size seq.	Diagnostic
1197	TCP: connection Tcb flushed SACK state at SndUna = SndUna.	Diagnostic
1198	TCP: Connection Tcb entering reassembly at RcvNxt = SndUna.	Diagnostic
1199	TCP: Connection Tcb leaving reassembly at RcvNxt = SndUna.	Diagnostic
1200	TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) terminating: Zero …	Diagnostic
1201	TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) terminating: …	Diagnostic
1202	IP: Interface rundown: Index = IfIndex, Linkspeed = CurrLinkSpeed bps, …	Diagnostic
1203	IP: Interface Index = IfIndex, Linkspeed changed to CurrLinkSpeed bps, …	Diagnostic
1204	TCP: Connection Tcb flushing reassembly state at RcvNxt = SndUna.	Diagnostic
1205	TCPIP: NBL Nbl fell off the receive fast path, Reason: Reason.	Diagnostic
1206	TCPIP: NBL Nbl fell off the send fast path, Reason: Reason.	Diagnostic
1207	TCP: WSD - TcpWsdEtwPoint Status: Status.	Diagnostic
1208	TCP: WSD - TcpWsdEtwPoint Status: Status.	Diagnostic
1209	TCP: WSD - TCB Tcb will use a highly restricted window scale factor due to a …	Diagnostic
1210	TCP: WSD - TCB Tcb will use a highly restricted window scale factor due to a …	Diagnostic
1211	TCP: WSD - Entry (Processor, Entry) moved from OldState to NewState due to …	Diagnostic
1212	TCP: WSD - Profile: Profile State: State Qualified: Qualified EreQualified: …	Diagnostic
1213	TCP: WSD - Enabled moved from OldEnabledState to NewEnabledState.	Diagnostic
1214	TCPIP: Transport (Protocol IPTransportProtocol, AddressFamily = AddressFamily) …	Diagnostic
1215	TCPIP: Network layer (Protocol IPTransportProtocol, AddressFamily = …	Diagnostic
1216	TCP: MPP NPP Evaluation PhysicalPages = PhysicalPages NonPagedPoolPages = …	Diagnostic
1217	TCP: MPP: Episode started.	Diagnostic
1218	TCP: MPP: Episode ended.	Diagnostic
1219	TCP: MPP: Epoch Epoch started.	Diagnostic
1220	TCP: MPP: Epoch Epoch ended.	Diagnostic
1221	TCP: Connection Tcb restarting Cwnd.	Diagnostic
1222	TCP: Connection Tcb adjust InitalCwnd.	Diagnostic
1223	TCP: Connection Tcb committed TemplateType = TemplateType.	Diagnostic
1224	TCP: Connection Tcb template changed.	Diagnostic
1225	TCP: connection Tcb: End of a round, SndRound = SndRound, Bytes sent = …	Diagnostic
1226	TCP: interface IfIndex: RSC state changed, IPV4 State = StateV4, IPV4 Failure …	Diagnostic
1227	TCP: connection Tcb: RSC SCU received.	Diagnostic
1228	TCPIP: TCB Tcb does not take fast path, Cause: Cause.	Diagnostic
1229	TCP: Connection Tcb send queue is idle.	Diagnostic
1230	RSS: Bind notification for AddressFamily on interface InterfaceIndex.	Diagnostic
1231	RSS: Bind notification for adapter AdapterIndex.	Diagnostic
1232	RSS: ReferenceAdded reference on adapter AdapterIndex.	Diagnostic
1233	RSS: adapter AdapterIndex with capabilities CapabilitiesFlags and …	Diagnostic
1234	RSS: adapter AdapterIndex processor group GroupNumber maximum processors …	Diagnostic
1235	RSS: assigning processor ProcessorIndex from adapter PreviousAdapterIndex to …	Diagnostic
1236	RSS: unassigning processor ProcessorIndex from adapter PreviousAdapterIndex.	Diagnostic
1237	RSS: adapter AdapterIndex reassigning indirection entry IndirectionIndex from …	Diagnostic
1238	RSS: adapter AdapterIndex removing processor ProcessorIndex from its indirection …	Diagnostic
1239	RSS: adapter AdapterIndex changing Setting to Value.	Diagnostic
1240	RSS: Failed to FailureDescription on IfIndex InterfaceIndex: Status.	Diagnostic
1241	RSS: bind completed successfully for AddressFamily on interface InterfaceIndex.	Diagnostic
1242	RSS: bind completed successfully for adapter AdapterIndex.	Diagnostic
1243	RSS: adapter AdapterIndex not supported.	Diagnostic
1244	RSS: adapter AdapterIndex indirection table initialized on group GroupNumber …	Diagnostic
1245	RSS: Rundown: interface InterfaceIndex with adapter AdapterIndex at port …	Diagnostic
1246	RSS: Rundown: adapter AdapterIndex hash info HashInfo maximum processors …	Diagnostic
1247	RSS: interface InterfaceIndex support: Capability.	Diagnostic
1248	NDKPI Create CQ: RequestContext RequestContext Adapter NdkAdapter CqDepth …	Diagnostic
1249	NDKPI Create Completion: RequestContext RequestContext Status Status …	Diagnostic
1250	NDKPI Close NdkObjectType: RequestContext RequestContext NdkObjectType …	Diagnostic
1251	NDKPI Close Completion: RequestContext RequestContext (CompletionType).	Diagnostic
1252	NDKPI Resize CQ: RequestContext RequestContext CQ NdkCq CqDepth CqDepth.	Diagnostic
1253	NDKPI Request Completion: RequestContext RequestContext Status Status …	Diagnostic
1254	NDKPI Arm CQ: CQ NdkCq ArmType.	Diagnostic
1255	NDKPI Result ResultIndex/ResultCount: CQ NdkCq RequestContext RequestContext …	Diagnostic
1256	NDKPI Create MR: RequestContext RequestContext PD NdkPd FastRegister …	Diagnostic
1257	NDKPI Flush: QP NdkQp.	Diagnostic
1258	NDKPI Send (SGE SgeIndex/NumSge): RequestContext RequestContext QP NdkQp SGE …	Diagnostic
1259	NDKPI Receive (SGE SgeIndex/NumSge): RequestContext RequestContext QP NdkQp SGE …	Diagnostic
1260	NDKPI Register MR: RequestContext RequestContext MR NdkMr MDL Mdl Length Length …	Diagnostic
1261	NDKPI Deregister MR: RequestContext RequestContext MR NdkObject.	Diagnostic
1262	NDKPI Initialize FastRegister MR: RequestContext RequestContext MR NdkMr …	Diagnostic
1263	NDKPI Modify SRQ: RequestContext RequestContext SRQ NdkSrq SrqDepth SrqDepth …	Diagnostic
1264	NDKPI Connect: RequestContext RequestContext Connector NdkConnector QP NdkQp …	Diagnostic
1265	NDKPI Connect: RequestContext RequestContext Connector NdkConnector QP NdkQp …	Diagnostic
1266	NDKPI CompleteConnect: RequestContext RequestContext Connector NdkConnector …	Diagnostic
1267	NDKPI Accept: RequestContext RequestContext Connector NdkConnector QP NdkQp IRD …	Diagnostic
1268	NDKPI Disconnect: RequestContext RequestContext Connector NdkObject.	Diagnostic
1269	NDKPI Listen: RequestContext RequestContext Listener NdkListener Address …	Diagnostic
1270	NDKPI Create MW: RequestContext RequestContext PD NdkObject.	Diagnostic
1271	NDKPI Create SRQ: RequestContext RequestContext PD NdkPd SrqDepth SrqDepth …	Diagnostic
1272	NDKPI Create QP: RequestContext RequestContext PD NdkPd ReceiveCQ ReceiveCq …	Diagnostic
1273	NDKPI Create QP: RequestContext RequestContext PD NdkPd ReceiveCQ ReceiveCq …	Diagnostic
1274	NDKPI Create PD: RequestContext RequestContext Adapter NdkObject.	Diagnostic
1275	NDKPI Create SharedEndpoint: RequestContext RequestContext Adapter NdkListener …	Diagnostic
1276	NDKPI Create Connector: RequestContext RequestContext Adapter NdkObject.	Diagnostic
1277	NDKPI Create Listener: RequestContext RequestContext Adapter NdkAdapter …	Diagnostic
1278	NDKPI Build LAM: RequestContext RequestContext Adapter NdkAdapter MDL Mdl Length …	Diagnostic
1279	NDKPI Release LAM: Adapter NdkAdapter LAMBuffer LAMBuffer.	Diagnostic
1280	NDKPI CQ Notification Callback: CqNotificationContext CqNotificationContext …	Diagnostic
1281	NDKPI SRQ Notification Callback: SrqNotificationContext SrqNotificationContext …	Diagnostic
1282	NDKPI Disconnect Event Callback: DisconnectEventContext DisconnectEventContext.	Diagnostic
1283	NDKPI Connect Event Callback: ConnectEventContext ConnectEventContext Connector …	Diagnostic
1284	NDKPI Got TokenType Token Token from NdkObjectType NdkObject.	Diagnostic
1285	NDKPI Got SockAddrType Address SockAddr from NdkObjectType NdkObject.	Diagnostic
1286	NDKPI SockAddrType Address query failure Status on NdkObjectType NdkObject.	Diagnostic
1287	NDKPI Reject: Connector NdkConnector PrivateDataLength PrivateDataLength Status …	Diagnostic
1288	NDKPI Get Connect Data: Connector NdkConnector IRD IRD ORD ORD PrivateDataLength …	Diagnostic
1289	NDKPI Work Request Inline Failure: RequestContext RequestContext QP NdkQp Status …	Diagnostic
1290	NDKPI Bind: RequestContext RequestContext QP NdkQp MR NdkMr MW NdkMw …	Diagnostic
1291	NDKPI FastRegister: RequestContext RequestContext QP NdkQp MR NdkMr …	Diagnostic
1292	NDKPI Invalidate: RequestContext RequestContext QP NdkQp NdkObjectType NdkObject …	Diagnostic
1293	NDKPI Read (SGE SgeIndex/NumSge): RequestContext RequestContext QP NdkQp SGE …	Diagnostic
1294	NDKPI Write (SGE SgeIndex/NumSge): RequestContext RequestContext QP NdkQp SGE …	Diagnostic
1295	NDKPI SRQ Receive (SGE SgeIndex/NumSge): RequestContext RequestContext SRQ …	Diagnostic
1296	NDKPI SRQ Work Request Inline Failure: RequestContext RequestContext SRQ NdkSrq …	Diagnostic
1297	NDKPI Open Adapter: InterfaceIndex InterfaceIndex Adapter NdkAdapter Status …	Diagnostic
1298	NDKPI Close Adapter (Enter): Adapter NdkAdapter.	Diagnostic
1299	NDKPI Close Adapter (Exit): Adapter NdkAdapter.	Diagnostic
1300	TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) exists.	Diagnostic
1301	NDKPI Interface Event: InterfaceIndex InterfaceIndex, NDK-Operational …	Diagnostic
1302	Network adapter Luid AdapterLuid received a wake packet matching pattern …	Diagnostic
1302	Network adapter Luid .	Operational
1303	Network adapter Luid AdapterLuid received a wake packet matching pattern …	Diagnostic
1303	Network adapter Luid .	Operational
1304	TCP: Connection Tcb: Silent Mode SilentModeEvent Context Context.	Diagnostic
1305	TCP: Connection Tcb notification channel request.	Diagnostic
1306	TCP: Connection Tcb query notification channel status request.	Diagnostic
1307	TCP: Connection Tcb notification channel request processed.	Diagnostic
1308	TCP: Connection Tcb notification channel signal event.	Diagnostic
1309	TCP: Connection Tcb notification channel detached.	Diagnostic
1310	TCP: Connection Tcb notification channel unlinked.	Diagnostic
1311	TCP: Connection Tcb notification channel wake pattern plumbing.	Diagnostic
1312	TCP: Connection Tcb notification channel wake pattern deplumbing.	Diagnostic
1313	TCPIP: Interface index InterfaceIndex wake pattern properties.	Diagnostic
1314	NDKPI Control CQ Interrupt Moderation: CQ NdkCq Interval ModerationInterval …	Diagnostic
1315	TCP: Connection Tcb notification channel request processing.	Diagnostic
1316	IP: IP address lifetime = IPv4Address IPProtocol IPv6Address on interface = …	Diagnostic
1317	TCP: Repartition event Event (Type) OldPartitionCount.	Diagnostic
1318	Component PowerStateTransition on processor IndicatingProcessor at Tick = …	Diagnostic
1319	Component timer rescheduled by processor Indicating Processor for processor …	Diagnostic
1320	Component timer fired on processor Target Processor at Tick = Current Tick, was …	Diagnostic
1321	IP: Connecting interface InterfaceIndex, trace = TraceString.	Diagnostic
1322	IP: Limited link connectivity set on interface InterfaceIndex, trace = …	Diagnostic
1323	IP: Limited link connectivity reset on interface InterfaceIndex, trace = …	Diagnostic
1324	IP: Neighbor with IpAddress = IP Address DlAddress = DL Address on Interface = …	Diagnostic
1325	IP: Neighbor Event on Interface = Interface from SourceIpAddress = Source IP …	Diagnostic
1326	IP: Source address PreferredSourceIPAddress is preferred over …	Diagnostic
1327	IP: Address pair (Preferred Source IP Address, Preferred Destination IP Address) …	Diagnostic
1328	NDKPI ResultEx ResultIndex/ResultCount: CQ NdkCq RequestContext RequestContext …	Diagnostic
1329	NDKPI SendInvalidate (SGE SgeIndex/NumSge): RequestContext RequestContext QP …	Diagnostic
1330	TCP: connection Tcb: Cumulative Ack event, SeqNo = SeqNo, BytesAcked = …	Diagnostic
1331	TCP: connection Tcb: CTCP Cumulative Ack event, SeqNo = SeqNo, BytesAcked = …	Diagnostic
1332	TCP: connection Tcb: TCP send event, SeqNo = SeqNo, BytesSent = BytesSent, CWnd …	Diagnostic
1333	TCP: connection Tcb: TCP CTCP send event, SeqNo = SeqNo, BytesSent = BytesSent, …	Diagnostic
1334	UDP: Endpoint UdpEndpoint notification channel request.	Diagnostic
1335	UDP: Endpoint UdpEndpoint query notification channel status request.	Diagnostic
1336	UDP: Endpoint UdpEndpoint notification channel request processed.	Diagnostic
1337	UDP: Endpoint UdpEndpoint notification channel signal event.	Diagnostic
1338	UDP: Endpoint UdpEndpoint notification channel detached.	Diagnostic
1339	UDP: Endpoint UdpEndpoint notification channel unlinked.	Diagnostic
1340	UDP: Endpoint UdpEndpoint notification channel request processing.	Diagnostic
1341	TCP: connection Tcb: Rtt sample recorded RttSample SRTT SRTT RttVar RttVar.	Diagnostic
1342	TCP: connection Tcb: Rtt resiliency detection complete with Rtt sample = …	Diagnostic
1343	TCP: connection Tcb: Duplicate ACK updated cwnd = Cwnd and updated ssthresh = …	Diagnostic
1344	TCP: CTCP Duplicate Ack event.	Diagnostic
1345	TCP: connection Tcb: Spurious timeout at Seq = SeqNo.	Diagnostic
1346	TCP: connection Tcb spurious RTO detection initiated at SeqNo.	Diagnostic
1347	TCP: connection Tcb spurious RTO detection terminated at SeqNo.	Diagnostic
1348	TCP: CTCP DataTransferTimeout event.	Diagnostic
1349	TCP: CTCP Spurious timeout event.	Diagnostic
1350	TCP: connection Tcb entering Congestion Avoidance Phase with cwnd = Cwnd and …	Diagnostic
1351	TCP: connection Tcb: Send Retransmit round with SndUna = SndUna, Round = …	Diagnostic
1352	TCP: Connection Tcb Summary: DataBytesOut DataBytesOut DataBytesIn DataBytesIn …	Diagnostic
1353	TCPIP: Message AllocationObjectString Param1 Param2 Param3 Param4.	Diagnostic
1354	TCP: Connection Tcb SACK updated SndUna SndUna SndMax SndMax SackCount SackCount …	Diagnostic
1355	TCP: TCB Tcb Requires address based pattern = RequireAddressCoalescing LocalPort …	Diagnostic
1356	TCP: Rtc Port Range Assignment.	Diagnostic
1357	TCPIP has failed a RequestType request from LocalAddress to RemoteAddress on …	Diagnostic
1358	IP: Interface configuration updated on interface InterfaceIndex property …	Diagnostic
1359	TCP: Connection Tcb notification channel unmark request.	Diagnostic
1360	TCPIP: A packet has been cloned for a raw listener.	Diagnostic
1361	TCPIP: A cloned packet has been dropped.	Diagnostic
1362	IP: Interface = Interface IpAddress = IPAddress processing WolEvent = WoLEvent …	Diagnostic
1363	IP: Interface = Interface WolHandle = WolHandle has DestinationIpAddress = …	Diagnostic
1364	TCP connection tuple inserted- TCB: Tcb LocalAddress: LocalAddress …	Diagnostic
1365	TCP connection tuple removed- TCB/TWTCB: Tcb LocalAddress: LocalAddress …	Diagnostic
1366	TCP port selection deferred for outbound connect- LocalAddress: LocalAddress.	Diagnostic
1367	Nbl Nbl OOB info (PathDirection): TcpIpChecksumNetBufferListInfo …	Diagnostic
1368	Teredo Add -- PID: PID started listening on LocalAddress.	Diagnostic
1369	Teredo Remove -- PID: PID stopped listening on LocalAddress.	Diagnostic
1370	IP: RouteLookup - API: API DstAddr: DestinationAddress ConstrainSrcAddr: …	Diagnostic
1371	IP: SourceAddrLookup - DstAddr: DestinationAddress ConstrainSrcAddr: …	Diagnostic
1372	WFP-ALE: Partition Count=PartitionCount Partition Mask=PartitionMask: Partition …	Diagnostic
1373	WFP-ALE: HotAdd/Remove: Old Partiton Count=OldPartitionCount Old Partition …	Diagnostic
1374	WFP-ALE: RemoteEndPoint Insertion: AddrLen=AddressLength …	Diagnostic
1375	WFP-ALE: RemoteEndPoint Deletion: AddrLen=AddressLength RemoteAddr=RemoteAddress …	Diagnostic
1376	WFP-ALE: ALE: low memory state detected.	Diagnostic
1377	WFP-ALE: leaving low memory state.	Diagnostic
1378	WFP-ALE: Dpc for cleanup initiated: LowMemoryEvent = LowMemoryEvent …	Diagnostic
1379	WFP: Dpc for cleanup QUEUED or RE-QUEUED: LowMemoryEvent = LowMemoryEvent …	Diagnostic
1380	TCP: LEDBAT LedbatEvent: Connection Tcb, BaseDelayMs = BaseDelayMs, …	Diagnostic
1381	TCP: AssociateNameResContext Endpoint: EndpointObj Status: %16 …	Diagnostic
1382	TCP: InspectConnectWithNameResContext Connection: Tcb (local: LocalAddress …	Diagnostic
1383	IP: Route [DestinationPrefix: PrDestinationPrefix/PrDestinationPrefixLength …	Diagnostic
1384	IP: Route [DestinationPrefix: DestinationPrefix/DestinationPrefixLength NextHop: …	Diagnostic
1385	TCP: Tail Loss Probe Send Connection = Tcb SndUna = SndUna, SndMax = SndMax, …	Diagnostic
1386	TCP: Tail Loss Probe Event Connection = Tcb, Event = TlpEvent.	Diagnostic
1387	TCP: RACK Event Connection = Tcb, Event = RackEvent, MinRTT = RackMinRtt, …	Diagnostic
1388	TCP: Fastopen state changed for connection = Tcb from OldState = OldState to …	Diagnostic
1389	UDP: endpoint (family=AddressFamily pid=ProcessId) create failed: address family …	Diagnostic
1390	UDP: endpoint Endpoint (family=AddressFamily pid=ProcessId) create failed: …	Diagnostic
1391	UDP: endpoint Endpoint (family=AddressFamily pid=ProcessId) created.	Diagnostic
1392	UDP: endpoint Endpoint (family=AddressFamily pid=ProcessId) create failed: …	Diagnostic
1393	UDP: endpoint Endpoint bind failed: address LocalAddress cannot be resolved, …	Diagnostic
1394	UDP: endpoint Endpoint (sockaddr=LocalAddress) bind failed: port-acquisition …	Diagnostic
1395	UDP: endpoint Endpoint (sockaddr=LocalAddress) bind failed: inspection status = …	Diagnostic
1396	UDP: endpoint Endpoint (sockaddr=LocalAddress) bound.	Diagnostic
1397	UDP: endpoint Endpoint (sockaddr=LocalAddress) closed.	Diagnostic
1398	UDP: endpoint Endpoint closed.	Diagnostic
1399	UDP: endpoint Endpoint (sockaddr=EndpointAddress) send messages SendAddress: …	Diagnostic
1400	UDP: endpoint Endpoint (sockaddr=EndpointAddress) send messages SendAddress: …	Diagnostic
1401	UDP: endpoint Endpoint (sockaddr=EndpointAddress) send messages SendAddress: …	Diagnostic
1402	UDP: endpoint {Endpoint} too many packets queued for the pending join path.	Diagnostic
1403	UDP: address family AddressFamilyadded to interface InterfaceIndex.	Diagnostic
1404	UDP: address family AddressFamilyremoved from interface InterfaceIndex.	Diagnostic
1405	UDP: Failure initializing transport protocol, status = Status.	Diagnostic
1406	UDP: Failure starting NLNPI client, status = Status.	Diagnostic
1407	UDP: Failure initializing NSI support, status = Status.	Diagnostic
1408	UDP: Failure starting TLNPI provider, status = Status.	Diagnostic
1409	UDP: Failure initializing QoS support, status = Status.	Diagnostic
1410	UDP: Failure starting FailedQueueString, status = Status.	Diagnostic
1411	UDP: endpoint Endpoint (sockaddr=EndpointAddress) send messages SendAddress: …	Diagnostic
1412	UDP: endpoint Endpoint (sockaddr=EndpointAddress) send messages SendAddress: …	Diagnostic
1413	UDP: endpoint Endpoint (sockaddr=EndpointAddress) send messages SendAddress: …	Diagnostic
1414	UDP: endpoint Endpoint (sockaddr=EndpointAddress) send messages SendAddress: …	Diagnostic
1415	TCP: Early Retransmission, FACK or RACK, Connection = Tcb, SndUna = SndUna, …	Diagnostic
1416	TCP: Ignoring fastopen SYN option due to limit on concurrent SYN_RCVD fastopen …	Diagnostic
1417	TCP: Failed to update fastopen key state, Location = Location, Status = Status.	Diagnostic
1418	TCP: Fast Retransmit Send, Connection = Tcb, BytesToSend = BytesToSend, SndNxt = …	Diagnostic
1419	TCP: SACK Retransmit Send, Connection = Tcb, BytesToSend = BytesToSend, SndNxt = …	Diagnostic
1420	TCP: Limited Transmit Send, Connection = Tcb, BytesToSend = BytesToSend, SndNxt …	Diagnostic
1421	TCP: SACK Retransmit Additional Send, Connection = Tcb, BytesToSend = …	Diagnostic
1422	IPTransportProtocol: PathDirectionmessage.	Diagnostic
1423	IPTransportProtocol: PathDirectionpath drop.	Diagnostic
1424	IPTransportProtocol: Echo timeout.	Diagnostic
1425	Component Timer state changed to CurrentState by Processor Processor Usage = …	Diagnostic
1426	TCP: connection Tcb send complete NumBytes bytes at SndNxt (Injected).	Diagnostic
1427	IP: Compartment creation.	Diagnostic
1428	IP: Compartment deletion.	Diagnostic
1429	TCP: connection Tcb: Cumulative Ack event, SeqNo = SeqNo, BytesAcked = …	Diagnostic
1430	TCP: connection Tcb: Duplicate ACK updated cwnd = Cwnd and updated ssthresh = …	Diagnostic
1431	IP: Compartment cleanup.	Diagnostic
1432	IP: Interface network category state change.	Diagnostic
1433	IP: Interface creation.	Diagnostic
1434	IP: Interface deletion.	Diagnostic
1435	IP: Interface cleanup.	Diagnostic
1436	IP: SubInterface creation.	Diagnostic
1437	IP: SubInterface deletion.	Diagnostic
1438	IP: SubInterface cleanup.	Diagnostic
1439	IP: Interface change Notification.	Diagnostic
1440	IP: Interface internet connectivity status change.	Diagnostic
1441	IP: Address change notification.	Diagnostic
1442	IP: Route change notification.	Diagnostic
1443	IP: Neighbor change notification.	Diagnostic
1444	IP: Address DAD state change.	Diagnostic
1445	IP: Route Dead Gateway Detection state change.	Diagnostic
1446	IP: Disconnecting TCP connections with Address = Address, Interface = IfIndex, …	Diagnostic
1447	TCP: connection Tcb: Sending paced chunk of QuantizedAllowance bytes with CWnd = …	Diagnostic
1448	Fallback: Context = Fallback, Feature = Feature, TraceReason = Reason, …	Diagnostic
1449	TCPIP: TCB Tcb using fast loopback.	Diagnostic
1450	IP: Router information change notification.	Diagnostic
1451	IP: Event.	Diagnostic
1452	IP: Route rundown.	Diagnostic
1453	TCP: CUBIC ECN event.	Diagnostic
1454	INETINSPECT: Owner = Owner, InspectHandle = InspectHandle, InspectType = …	Diagnostic
1455	INETINSPECT: Owner = Owner, InspectHandle = InspectHandle, InspectType = …	Diagnostic
1456	FallbackCheck: Ctx = Fallback, Feature = Feature, Failed = Failed, Succeeeded = …	Diagnostic
1457	FallbackUpdate: Ctx = Fallback, Feature = Feature, Failed = Failed, Succeeeded = …	Diagnostic
1458	Fallback: Permanently disabling feature, Ctx = Fallback, Feature = Feature, …	Diagnostic
1459	Fallback: Enabling feature for this boot session, Ctx = Fallback, Feature = …	Diagnostic
1460	Fallback: Feature previously disabled, Ctx = Fallback, Feature = Feature, …	Diagnostic
1461	TCP Fastopen fallback update: Tcb = Tcb, FastopenState = FastopenState, …	Diagnostic
1462	Disabling feature until connectivity is established: CompartmentId …	Diagnostic
1463	Disabling Feature for loopback connection.	Diagnostic
1464	Disabling TCP Fastopen for BaseEndpoint = BaseEndpoint because an incompatible …	Diagnostic
1465	IP: Setting source constraint for route lookup - Compartment: Compartment …	Diagnostic
1466	WFP-ALE: RemoteEndPoint Insertion: (local=LocalAddress remote=RemoteAddress) …	Diagnostic
1467	WFP-ALE: RemoteEndPoint Deletion: (local=LocalAddress remote=RemoteAddress) …	Diagnostic
1468	TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) system abort.	Diagnostic
1469	Disabling Feature due to no next hop.	Diagnostic
1470	TCP: endpoint (sockaddr=LocalAddressLength) bind failed: wake status = …	Diagnostic
1471	UDP: endpoint Endpoint (sockaddr=LocalAddress) bind failed: wake status = …	Diagnostic
1472	Acquire wake port Port, type=AcquireType, family=AddressFamily, IF=Interface, …	Diagnostic
1473	TCP: Connection Tcb reached max SACK queue length.	Diagnostic
1474	TCP: Connection Tcb requested fast open.	Diagnostic
1475	TCP: CUBIC Hystart state change event.	Diagnostic
1476	IP: Transmitting loopback Nbl Nbl.	Diagnostic
1477	TCP: Connection Tcb Summary: DataBytesOut DataBytesOut DataBytesIn DataBytesIn …	Diagnostic
1478	TCPIP: Framing layer PathDirection (AddressFamily=AddressFamily) dropped …	Diagnostic
1479	TCP: Connection Tcb Transport (Protocol IPTransportProtocol, AddressFamily = …	Diagnostic
1480	TCP connection failed with Status = Status, Local = LocalSockAddr, Remote = …	Diagnostic
1481	TCP: Connection Tcb PRR send SackIsLostSeq SackIsLostSeq SackInFlight …	Operational
1482	UDP: Endpoint Endpoint segment message.	Diagnostic
1483	UDP: Endpoint Endpoint segmentation offload unavailable.	Diagnostic
1484	TCPIP: Framing layer interface IfIndex (AddressFamily = AddressFamily) failed to …	Diagnostic
1485	TCPIP: OID request from framing layer interface IfIndex (AddressFamily = …	Diagnostic
1486	TCPIP received a status indication on interface IfIndex.	Diagnostic
1487	IP: Failed to set socket option.	Diagnostic
1488	IP: Failed to set socket IOCTL.	Diagnostic
1489	Failed to process multicast RequestType request.	Diagnostic
1490	Processed multicast RequestType request successfully.	Diagnostic
1491	MessageType.	Diagnostic
1492	MessageType.	Diagnostic
1493	Invalid ECN codepoints in reassembly.	Diagnostic
1494	Reassembly failure: packets do not add up correctly.	Diagnostic
1495	Reassembly failure: failed to restore IPSec packet history.	Diagnostic
1496	Could not transfer FragmentContextDirection.	Diagnostic
1497	Attempting to GroupChangeType the multicast group at FL.	Diagnostic
1498	Failed to update address list at FL.	Diagnostic
1499	Too many DAD failures, so will not create temporary address.	Diagnostic
1500	Failed to address interface; deleting it.	Diagnostic
1501	Failed to reach default gateway after reconnect; cleaning settings.	Diagnostic
1502	Failed to sync interface with registry.	Diagnostic
1503	Failed to Release an active reference on the interface.	Diagnostic
1504	Redirect path hijack for destination IPv4DestinationAddress IPv4NextHop from …	Diagnostic
1505	Redirect path rate limit for IPv6 source address IPv6Address.	Diagnostic
1506	Dropped AddressFamily fragment.	Diagnostic
1507	Reassembly timeout.	Diagnostic
1508	Invalid IP option.	Diagnostic
1509	Invalid IP hop-by-hop option.	Diagnostic
1510	Invalid IP hop-by-hop option.	Diagnostic
1511	Invalid IP routing header option.	Diagnostic
1512	Invalid IP routing header option.	Diagnostic
1513	This option cannot be specified by the user	Diagnostic
1514	TCP: interface IfIndex: received potential RSC status indication.	Diagnostic
1515	UDP: endpoint Endpoint: URO SCU received.	Diagnostic
1516	TCP software RSC global disabled mask = TcpRscDisabledMask, UDP software URO …	Diagnostic
1517	UDP: Global parameters updated for Address Family AddressFamily: DisableUro = …	Diagnostic
1518	IP: IPSNPI client rundown.	Diagnostic
1519	TCPIP: Process with PID=ProcessId, ProcessSeqNum=ProcessSequenceNumber acquired …	Diagnostic
1520	Illegal tunnel.	Diagnostic
1521	Framing: Interface change in progress.	Diagnostic
1522	Framing: Isolation is not supported on this network adapter.	Diagnostic
1523	Framing: Failed to set pattern.	Diagnostic
1524	Framing: Interface management request.	Diagnostic
1525	Framing: WOL capabilities update in progress.	Diagnostic
1526	Framing: A PNP event has been indicated.	Diagnostic
1527	Framing: interface rundown: Interface = IfIndex, Luid = IfLuid, Address family = …	Diagnostic
1528	RAW: endpoint Endpoint (Proto = IPTransportProtocol, LocalAddress = …	Diagnostic
1529	RAW: endpoint Endpoint (Proto = IPTransportProtocol, LocalAddress = …	Diagnostic
1530	RAW: endpoint Endpoint (Proto = IPTransportProtocol, LocalAddress = …	Diagnostic
1531	RAW: endpoint Endpoint (Family = AddressFamily, Proto = IPTransportProtocol, …	Diagnostic
1532	RAW: endpoint (Family = AddressFamily, Proto = IPTransportProtocol, Compartment …	Diagnostic
1533	RAW: endpoint Endpoint (Proto = IPTransportProtocol, LocalAddress = …	Diagnostic
1534	RAW: endpoint Endpoint (Proto = IPTransportProtocol, LocalAddress = …	Diagnostic
1535	RAW: endpoint Endpoint closed.	Diagnostic
1536	TCPIP: Error processing router advertisement on interface index IfIndex - …	Diagnostic
1537	TCPIP: Error processing router advertisement on interface index IfIndex - Prefix …	Diagnostic
1538	TCPIP: An ARP request was dropped on interface IfIndex.	Diagnostic
1539	TCPIP: An ARP reply was dropped on interface IfIndex.	Diagnostic
1540	TCPIP: No handler found for an AddressFamily packet with upper layer protocol …	Diagnostic
1541	TCPIP: Handler for upper layer protocol IPTransportProtocol for an AddressFamily …	Diagnostic
1542	IP: neighbor rundown: Interface = IfIndex, Compartment = CompartmentId, …	Diagnostic
1543	TCPIP: An ARP request was dropped on interface IfIndex.	Diagnostic
1544	Endpoint Endpoint socket option set with level Level, name Name, value Value.	Diagnostic
1545	TCP: connection = Tcb RACK timeout expired.	Diagnostic
1546	TCP: connection = Tcb armed RACK timer.	Diagnostic
1547	TCP: connection = Tcb received a SACK block.	Diagnostic
1548	TCP: connection = Tcb received a SACK.	Diagnostic
1549	TCP: connection = Tcb enabled send tracker.	Diagnostic
1550	TCP: connection = Tcb send tracker acked a transmit.	Diagnostic
1551	TCP: connection = Tcb send tracker enqueued a transmit.	Diagnostic
1552	TCP: connection = Tcb send tracker marked a transmit as lost.	Diagnostic
1553	TCP: accept redirection: original listener = OriginalListener, redirected …	Diagnostic
1554	TCP: connection = Tcb dropped a SACK block due to SACK limit reached.	Diagnostic
1555	TCP: connection Tcb terminated by NSI.	Diagnostic
1556	TCP: connection = Tcb rate-based pacing timeout expired.	Diagnostic
1557	TCP RLedbat connection = Tcb.	Diagnostic
1558	UDP: endpoint Endpoint rebind initiated: current address = CurrentLocalAddress, …	Diagnostic
1559	UDP: endpoint Endpoint rebind failed: current address = CurrentLocalAddress, …	Diagnostic
1560	TCP: endpoint Endpoint rebind initiated: current address = CurrentLocalAddress, …	Diagnostic
1561	TCP: endpoint Endpoint rebind failed: current address = CurrentLocalAddress, …	Diagnostic
1562	TCP: endpoint (PID=ProcessId ProcessSeqNum=ProcessStartKey) create failed: …	Diagnostic
1563	UDP: endpoint (PID=ProcessId ProcessSeqNum=ProcessStartKey) create failed: …	Diagnostic
1564	TCP: connection Tcb (local=LocalAddress remote=RemoteAddress PID=ProcessId …	Diagnostic
1565	TCP: Congestion state changed for connection = Tcb from OldState = OldState to …	Diagnostic
1566	TCP: connection = Tcb detected reordering.	Diagnostic
1577	TCP: connection = Tcb updated reownd.	Diagnostic
1578	IP: Injecting NBL Nbl on send path.	Diagnostic
1579	IP: Injecting NBL Nbl on raw send path.	Diagnostic
1580	IP: Injecting NBL Nbl on receive path.	Diagnostic
1581	IP: Injecting NBL Nbl on forward path.	Diagnostic
1582	IP: Indication filtered because destination interface IfIndex is not contained …	Diagnostic
1583	BBR2: TCB Tcb bbr_bw bbr_bw min_rtt_us min_rtt_us mode mode cycle_idx cycle_idx …	Diagnostic
1584	TCP: connection = Tcb send tracker marked a transmit as rexmit.	Diagnostic
1585	TCP: connection = Tcb send tracker update RACK info.	Diagnostic
1586	IP: Prefix sharing now PrefixSharing on Interface = Interface, Compartment = …	Diagnostic
1587	TCP: connection Tcb received a careful ACK.	Diagnostic
1588	IP: Forwarding tag on Interface = Interface, Compartment = CompartmentId, Family …	Diagnostic
1589	TCP: AF AddressFamily, RssEnabled = RssEnabled .	Diagnostic
1590	TCP: connection = Tcb send completion failed.	Diagnostic
1591	TCPIP: Alloc hooks setup: Status = Status.	Diagnostic
1592	IP: Neighbor with IpAddress = IPAddress DlAddress = DLAddress on Interface = …	Diagnostic
1593	TCP: Global timer fired, Processor = Processor, Tick = Tick.	Diagnostic
1594	TCP: Global timer armed, NextToExpire = NextToExpire, Period = Period.	Diagnostic
1595	TCP: Global timer cancelled	Diagnostic
1596	TCP: Updating Fastopen Key	Diagnostic
1597	TCP: paused receive buffer growth for high memory usage, AF = AddressFamily, TCB …	Diagnostic
1598	IP: Autoconfigured address creation failed due to autoconfiguration limit, …	Diagnostic
1599	IP: Autoconfigured route creation failed due to autoconfiguration limit, …	Diagnostic
1600	IP: Policy based routing failed - Compartment: Compartment DstAddr: …	Diagnostic
1601	TCP: connection Tcb in NewState received NBL NBL in FastPath = FastPath Seq = …	Diagnostic
1602	TCP: connection Tcb process fast RX batch SegmentCount = SegmentCount NumBytes = …	Diagnostic
1603	TCP: connection Tcb in State Injected disconnect DataLength=DataLength.	Diagnostic
1604	NDKPI Disconnect Event CallbackEx: DisconnectEventContext DisconnectEventContext …	Diagnostic
1605	NDKPI AcceptEx: RequestContext RequestContext Connector NdkConnector QP NdkQp …	Diagnostic
1606	NDKPI CompleteConnectEx: RequestContext RequestContext Connector NdkConnector …	Diagnostic
1607	NDKPI Open Adapter Version Override: IF_INDEX IF_INDEX …	Diagnostic
1608	Fl Reload Registry Config: Override Status: OverrideStatus …	Diagnostic
1609	NDKPI Open Adapter: Unexpected version returned by provider, IF_INDEX IF_INDEX …	Diagnostic
1610	TCPIP: Disconnected Standby traffic.	Diagnostic
1611	TCPIP: Disconnected Standby (DS) transition detected.	Diagnostic
1612	ResetResolve API call: ProcessName API.	Diagnostic
1613	USO global disabled mask = UdpUsoDisabledMask.	Operational
1614	Framing: SW URO SwUroEnabled, HW URO HwUroEnabled.	Diagnostic
1615	Tcpip Power Policy set to: PowerPolicy.	Diagnostic
1616	Router Solicitation sent.	Diagnostic
1617	Router Solicitation requested on dormant interface.	Diagnostic
1618	IP: Route lifetime refresh.	Diagnostic
1619	IP: Constraint computation (unused) - Source address PreferredSourceIPAddress is …	Diagnostic
1620	WFP-ALE: RemoteEndPoint Cleanup: (local=LocalAddress remote=RemoteAddress) …	Diagnostic
1621	FL: Virtual interface creation.	Diagnostic
1622	FL: Virtual interface deletion.	Diagnostic
1623	Tcpip Power Policy Standby-to-Full-Power transition detected.	Diagnostic
1624	TCP: connection Tcb: flow label refreshed, old = OldFlowLabel new = …	Diagnostic
1625	TCP: Connection Tcb send idle triggered.	Diagnostic
1626	TCP: connection Tcb: bytes limited by sender = SenderLimitedBytes receiver = …	Diagnostic
1627	UDP: ChangeReason scheduled HW URO to be NewUroState on interface IfLuid.	Diagnostic
1628	UDP: ChangeReason NewUroState HW URO on interface IfLuid.	Diagnostic
1629	FL: FLSNPI client attach.	Diagnostic
1630	FL: FLSNPI client detach.	Diagnostic
1631	FL: FLSNPI client interface attach.	Diagnostic
1632	FL: FLSNPI client interface detach.	Diagnostic
1633	FL: FLSNPI datapath failure.	Diagnostic
1634	FL: FLSNPI client silent drop.	Diagnostic
1635	FL: FLSNPI indication stats.	Diagnostic
1636	TCPIP: Current Power Policy : PowerPolicy.	Diagnostic
1637	TCP: connection Tcb send acked NumBytes bytes starting from SndNxt ActivityID = …	Diagnostic
1638	IP: Event.	Diagnostic
1638		Operational
1639	IP: Destination cache invalidated.	Diagnostic
1639		Operational
1640	FL: Virtual interface set failed.	Diagnostic
1640		Operational
1641	FL: Virtual interface get failed.	Diagnostic
1641		Operational
1642	IP: Received Prefix Option in Router Advertisement.	Diagnostic
1642		Operational

Event ID 1001 — TCP: endpoint Endpoint (Family=AddressFamily, PID=Pid) created with status = Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpEndpointCreation

Description

TCP: endpoint Endpoint (Family=AddressFamily, PID=Pid) created with status = Status.

Message #

TCP: endpoint %2 (Family=%3, PID=%4) created with status = %1.

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference
`Endpoint` Pointer	—
`AddressFamily` UInt32	—
`Pid` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1001",
    "version": "0",
    "level": "4",
    "task": "1001",
    "opcode": "0",
    "keywords": 9223372036854776832,
    "time_created": "2026-03-16T00:21:40.064345500+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{15f74b50-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "3688",
      "thread_id": "7552"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Status": "0x0",
    "Endpoint": "0xFFFF980A15F74B50",
    "AddressFamily": "      23",
    "Pid": "    3688"
  },
  "message": ""
}

Event ID 1002 — TCP: Tcb Tcb (local=LocalAddress remote=RemoteAddress) requested to connect.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpRequestConnect

Description

TCP: Tcb Tcb (local=LocalAddress remote=RemoteAddress) requested to connect.

Message #

TCP: Tcb %1 (local=%3 remote=%5) requested to connect.

Fields #

Name	Description
`Tcb` Pointer	—
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`NewState` UInt32	—
`RexmitCount` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1002",
    "version": "0",
    "level": "4",
    "task": "1002",
    "opcode": "0",
    "keywords": 9223372054034646144,
    "time_created": "2026-03-16T00:21:40.119471500+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{15ce6ae0-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "3688",
      "thread_id": "12888"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A15CE6AE0",
    "LocalAddressLength": "      16",
    "LocalAddress": "10.2.10.21:52999",
    "RemoteAddressLength": "      16",
    "RemoteAddress": "13.89.179.13:443",
    "NewState": "       0",
    "RexmitCount": "       0"
  },
  "message": ""
}

Event ID 1003 — TCP: Inspect Connect has been completed on Tcb Tcb with status = Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpInspectConnectComplete

Description

TCP: Inspect Connect has been completed on Tcb Tcb with status = Status.

Message #

TCP: Inspect Connect has been completed on Tcb %1 with status = %2.

Fields #

Name	Description
`Tcb` Pointer	—
`Status` UInt32	— NTSTATUS reference
`AddressFamily` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1003",
    "version": "0",
    "level": "4",
    "task": "1003",
    "opcode": "0",
    "keywords": 9223372054034646144,
    "time_created": "2026-03-16T00:21:40.119557300+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{15ce6ae0-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "3688",
      "thread_id": "12888"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A15CE6AE0",
    "Status": "0x0",
    "AddressFamily": "       0"
  },
  "message": ""
}

Event ID 1004 — TCP: Tcb Tcb is going to output SYN with ISN = ISN, RcvWnd = RcvWnd, RcvWndScale = RcvWndScale.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpTcbSynSend

Description

TCP: Tcb Tcb is going to output SYN with ISN = ISN, RcvWnd = RcvWnd, RcvWndScale = RcvWndScale.

Message #

TCP: Tcb %1 is going to output SYN with ISN = %2, RcvWnd = %3, RcvWndScale = %4.

Fields #

Name	Description
`Tcb` Pointer	—
`ISN` UInt32	—
`RcvWnd` UInt32	—
`RcvWndScale` UInt8	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1004",
    "version": "0",
    "level": "4",
    "task": "1004",
    "opcode": "0",
    "keywords": 9223372058329612416,
    "time_created": "2026-03-16T00:21:40.119603700+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{15ce6ae0-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "3688",
      "thread_id": "12888"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A15CE6AE0",
    "ISN": "155000287",
    "RcvWnd": "   64240",
    "RcvWndScale": "8"
  },
  "message": ""
}

Event ID 1005 — TCP: endpoint bind failed: address LocalAddressLength cannot be resolved (LocalAddress).

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpBindEndpointResolutionFailure

Description

TCP: endpoint bind failed: address LocalAddressLength cannot be resolved (LocalAddress).

Message #

TCP: endpoint bind failed: address %2 cannot be resolved (%3).

Fields #

Name	Description
`Endpoint` Pointer	—
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`Status` UInt32	— NTSTATUS reference

Event ID 1006 — TCP: endpoint (sockaddr=LocalAddressLength) bind failed: port-acquisition status = LocalAddress.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpBindEndpointPortFailure

Description

TCP: endpoint (sockaddr=LocalAddressLength) bind failed: port-acquisition status = LocalAddress.

Message #

TCP: endpoint (sockaddr=%2) bind failed: port-acquisition status = %3.

Fields #

Name	Description
`Endpoint` Pointer	—
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`Status` UInt32	— NTSTATUS reference

Event ID 1007 — TCP: endpoint (sockaddr=LocalAddressLength) bind failed: inspection status = LocalAddress.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpBindEndpointInspectionFailure

Description

TCP: endpoint (sockaddr=LocalAddressLength) bind failed: inspection status = LocalAddress.

Message #

TCP: endpoint (sockaddr=%2) bind failed: inspection status = %3.

Fields #

Name	Description
`Endpoint` Pointer	—
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`Status` UInt32	— NTSTATUS reference

Event ID 1008 — TCP: endpoint (sockaddr=LocalAddressLength) bound.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpBindEndpointComplete

Description

TCP: endpoint (sockaddr=LocalAddressLength) bound.

Message #

TCP: endpoint (sockaddr=%2) bound.

Fields #

Name	Description
`Endpoint` Pointer	—
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`Status` UInt32	— NTSTATUS reference

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1008",
    "version": "1",
    "level": "4",
    "task": "1008",
    "opcode": "0",
    "keywords": 9223372036854776841,
    "time_created": "2026-03-16T00:21:40.119123100+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{0da8a910-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "3688",
      "thread_id": "12888"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Endpoint": "0xFFFF980A0DA8A910",
    "LocalAddressLength": "      16",
    "LocalAddress": "0.0.0.0:52999",
    "Status": "0x0"
  },
  "message": ""
}

Event ID 1009 — TCP: endpoint (sockaddr=LocalAddressLength) closed.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpCloseEndpoint

Description

TCP: endpoint (sockaddr=LocalAddressLength) closed.

Message #

TCP: endpoint (sockaddr=%2) closed.

Fields #

Name	Description
`Endpoint` Pointer	—
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`Status` UInt32	— NTSTATUS reference

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1009",
    "version": "1",
    "level": "4",
    "task": "1009",
    "opcode": "0",
    "keywords": 9223372105574253569,
    "time_created": "2026-03-16T00:21:40.064514900+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{15f74b50-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "3688",
      "thread_id": "7552"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Endpoint": "0xFFFF980A15F74B50",
    "LocalAddressLength": "      28",
    "LocalAddress": "::",
    "Status": "0x0"
  },
  "message": ""
}

Event ID 1010 — TCP: endpoint (Family=AddressFamily PID=ProcessId) create failed: address family not attached.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpCreateEndpointAfFailure

Description

TCP: endpoint (Family=AddressFamily PID=ProcessId) create failed: address family not attached.

Message #

TCP: endpoint (Family=%6 PID=%4) create failed: address family not attached.

Fields #

Name	Description
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`Status` UInt32	— NTSTATUS reference
`ProcessId` UInt32	—
`CompartmentId` UInt32	—
`AddressFamily` UInt32	—
`ProcessStartKey` UInt64	—

Event ID 1011 — TCP: endpoint (Family=AddressFamily PID=ProcessId) create failed: compartment CompartmentId not found.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpCreateEndpointCompartmentFailure

Description

TCP: endpoint (Family=AddressFamily PID=ProcessId) create failed: compartment CompartmentId not found.

Message #

TCP: endpoint (Family=%6 PID=%4) create failed: compartment %5 not found.

Fields #

Name	Description
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`Status` UInt32	— NTSTATUS reference
`ProcessId` UInt32	—
`CompartmentId` UInt32	—
`AddressFamily` UInt32	—
`ProcessStartKey` UInt64	—

Event ID 1012 — TCP: endpoint (Family=AddressFamily PID=ProcessId) create failed: inspection status Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpCreateEndpointInspectionFailure

Description

TCP: endpoint (Family=AddressFamily PID=ProcessId) create failed: inspection status Status.

Message #

TCP: endpoint (Family=%6 PID=%4) create failed: inspection status %3.

Fields #

Name	Description
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`Status` UInt32	— NTSTATUS reference
`ProcessId` UInt32	—
`CompartmentId` UInt32	—
`AddressFamily` UInt32	—
`ProcessStartKey` UInt64	—

Event ID 1013 — TCP: endpoint (Family=CompartmentId PID=Status) created.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpCreateEndpointComplete

Description

TCP: endpoint (Family=CompartmentId PID=Status) created.

Message #

TCP: endpoint (Family=%6 PID=%4) created.

Fields #

Name	Description
`Endpoint` Pointer	—
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`Status` UInt32	— NTSTATUS reference
`ProcessId` UInt32	—
`CompartmentId` UInt32	—
`AddressFamily` UInt32	—
`ProcessStartKey` UInt64	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1013",
    "version": "2",
    "level": "4",
    "task": "1013",
    "opcode": "0",
    "keywords": 9223372036854776833,
    "time_created": "2026-03-16T00:21:40.064333400+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{15f74b50-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "3688",
      "thread_id": "7552"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Endpoint": "0xFFFF980A15F74B50",
    "LocalAddressLength": "       0",
    "LocalAddress": "",
    "Status": "0x0",
    "ProcessId": "    3688",
    "CompartmentId": "       1",
    "AddressFamily": "      23",
    "ProcessStartKey": "2814749767106643"
  },
  "message": ""
}

Event ID 1014 — TCP: listener (local=LocalAddress remote=RemoteAddress) accept failed: Route lookup status = Status, TCB = Tcb.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpAccpetListenerRouteLookupFailure

Description

TCP: listener (local=LocalAddress remote=RemoteAddress) accept failed: Route lookup status = Status, TCB = Tcb.

Message #

TCP: listener (local=%2 remote=%4) accept failed: Route lookup status = %5, TCB = %8.

Fields #

Name	Description
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`Status` UInt32	— NTSTATUS reference
`ProcessId` UInt32	—
`Compartment` UInt32	—
`Tcb` Pointer	—
`ProcessStartKey` UInt64	—

Event ID 1015 — TCP: listener (local=LocalAddress remote=RemoteAddress) accept failed: connection insertion.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpAcceptListenerInsertionFailure

Description

TCP: listener (local=LocalAddress remote=RemoteAddress) accept failed: connection insertion. Duplicate TCB = Tcb.

Message #

TCP: listener (local=%3 remote=%5) accept failed: connection insertion. Duplicate TCB = %1.

Fields #

Name	Description
`Tcb` Pointer	—
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`NewState` UInt32	—
`RexmitCount` UInt32	—

Event ID 1016 — TCP: listener (local=LocalAddress remote=RemoteAddress) accept failed: client rejection status = Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpAcceptListenerRejected

Description

TCP: listener (local=LocalAddress remote=RemoteAddress) accept failed: client rejection status = Status.

Message #

TCP: listener (local=%2 remote=%4) accept failed: client rejection status = %5.

Fields #

Name	Description
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`Status` UInt32	— NTSTATUS reference
`ProcessId` UInt32	—
`Compartment` UInt32	—
`Tcb` Pointer	—
`ProcessStartKey` UInt64	—

Event ID 1017 — TCP: listener (local=LocalAddress remote=RemoteAddress) accept completed.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpAcceptListenerComplete

Description

TCP: listener (local=LocalAddress remote=RemoteAddress) accept completed. TCB = Tcb. PID = ProcessId.

Message #

TCP: listener (local=%2 remote=%4) accept completed. TCB = %8. PID = %6.

Fields #

Name	Description
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`Status` UInt32	— NTSTATUS reference
`ProcessId` UInt32	—
`Compartment` UInt32	—
`Tcb` Pointer	—
`ProcessStartKey` UInt64	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1017",
    "version": "1",
    "level": "4",
    "task": "1017",
    "opcode": "0",
    "keywords": 9223372054034646150,
    "time_created": "2026-03-16T00:21:38.720229400+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{0eee7560-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "LocalAddressLength": "      28",
    "LocalAddress": "[::ffff:10.2.10.21]:5985",
    "RemoteAddressLength": "      28",
    "RemoteAddress": "[::ffff:10.2.10.11]:51201",
    "Status": "0x0",
    "ProcessId": "       4",
    "Compartment": "       0",
    "Tcb": "0xFFFF980A0EEE7560",
    "ProcessStartKey": "2814749767106561"
  },
  "message": ""
}

Event ID 1018 — TCP: connection Tcb (local=LocalAddress remote=RemoteAddress PID=ProcessId) connect failed: address family not attached.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpConnectTcbFailedAf

Description

TCP: connection Tcb (local=LocalAddress remote=RemoteAddress PID=ProcessId) connect failed: address family not attached.

Message #

TCP: connection %8 (local=%2 remote=%4 PID=%6) connect failed: address family not attached.

Fields #

Name	Description
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`Status` UInt32	— NTSTATUS reference
`ProcessId` UInt32	—
`Compartment` UInt32	—
`Tcb` Pointer	—
`ProcessStartKey` UInt64	—

Event ID 1019 — TCP: connection Tcb (local=LocalAddress remote=RemoteAddress PID=ProcessId) connect failed: compartment Compartment not found.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpConnectTcbFailedCompartment

Description

TCP: connection Tcb (local=LocalAddress remote=RemoteAddress PID=ProcessId) connect failed: compartment Compartment not found.

Message #

TCP: connection %8 (local=%2 remote=%4 PID=%6) connect failed: compartment %7 not found.

Fields #

Name	Description
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`Status` UInt32	— NTSTATUS reference
`ProcessId` UInt32	—
`Compartment` UInt32	—
`Tcb` Pointer	—
`ProcessStartKey` UInt64	—

Event ID 1020 — TCP: connection Tcb (local=LocalAddress remote=RemoteAddress PID=ProcessId) connect failed: inspection status = Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpConnectTcbFailedInspect

Description

TCP: connection Tcb (local=LocalAddress remote=RemoteAddress PID=ProcessId) connect failed: inspection status = Status.

Message #

TCP: connection %8 (local=%2 remote=%4 PID=%6) connect failed: inspection status = %5.

Fields #

Name	Description
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`Status` UInt32	— NTSTATUS reference
`ProcessId` UInt32	—
`Compartment` UInt32	—
`Tcb` Pointer	—
`ProcessStartKey` UInt64	—

Event ID 1021 — TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connect failed: route lookup status = Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpConnectTcbFailedRoute

Description

TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connect failed: route lookup status = Status.

Message #

TCP: connection %8 (local=%2 remote=%4) connect failed: route lookup status = %5.

Fields #

Name	Description
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`Status` UInt32	— NTSTATUS reference
`ProcessId` UInt32	—
`Compartment` UInt32	—
`Tcb` Pointer	—
`ProcessStartKey` UInt64	—

Event ID 1022 — TCP: Bypass rate limiting since flag is set on path Path (local=LocalAddress remote=RemoteAddress).

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpConnectTcbSkipRateLimit

Description

TCP: Bypass rate limiting since flag is set on path Path (local=LocalAddress remote=RemoteAddress).

Message #

TCP: Bypass rate limiting since flag is set on path %5 (local=%2 remote=%4)

Fields #

Name	Description
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`Path` Pointer	—

Event ID 1023 — TCP: Charge rate limiting quota and set rate limiting flag for path Path (local=LocalAddress remote=RemoteAddress).

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpConnectTcbPassRateLimit

Description

TCP: Charge rate limiting quota and set rate limiting flag for path Path (local=LocalAddress remote=RemoteAddress).

Message #

TCP: Charge rate limiting quota and set rate limiting flag for path %5 (local=%2 remote=%4)

Fields #

Name	Description
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`Path` Pointer	—

Event ID 1024 — TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) deferred.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpConnectTcbCheckRateLimit

Description

TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) deferred.

Message #

TCP: connection %8 (local=%2 remote=%4) deferred.

Fields #

Name	Description
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`Status` UInt32	— NTSTATUS reference
`ProcessId` UInt32	—
`Compartment` UInt32	—
`Tcb` Pointer	—
`ProcessStartKey` UInt64	—

Event ID 1025 — TCP: ConnectionRateLimitDepth rate-limiting paths ConnectionRateLimitBacklog backlogged connections.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpSecurityRateLimit

Description

TCP: ConnectionRateLimitDepth rate-limiting paths ConnectionRateLimitBacklog backlogged connections.

Message #

TCP: %6 rate-limiting paths %3 backlogged connections.

Fields #

Name	Description
`SynAttacksDetected` UInt32	—
`ReassemblyLimitViolations` UInt32	—
`ConnectionRateLimitBacklog` UInt32	—
`ConnectionRateLimitViolations` UInt32	—
`LandAttackSegmentsDropped` UInt32	—
`ConnectionRateLimitDepth` UInt32	—

Event ID 1026 — TCP: Release and set rate limiting flag on path Path (local=LocalAddress remote=RemoteAddress).

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpRateLimitPathRelease

Description

TCP: Release and set rate limiting flag on path Path (local=LocalAddress remote=RemoteAddress).

Message #

TCP: Release and set rate limiting flag on path %5 (local=%2 remote=%4)

Fields #

Name	Description
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`Path` Pointer	—

Event ID 1027 — TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) released.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpConnectTcbRateLimitRelease

Description

TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) released.

Message #

TCP: connection %8 (local=%2 remote=%4) released.

Fields #

Name	Description
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`Status` UInt32	— NTSTATUS reference
`ProcessId` UInt32	—
`Compartment` UInt32	—
`Tcb` Pointer	—
`ProcessStartKey` UInt64	—

Event ID 1028 — TCP: Clear rate limiting flag on path Path (local=LocalAddress remote=RemoteAddress) since connection is cancelled.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpRateLimitPathCancel

Description

TCP: Clear rate limiting flag on path Path (local=LocalAddress remote=RemoteAddress) since connection is cancelled.

Message #

TCP: Clear rate limiting flag on path %5 (local=%2 remote=%4) since connection is cancelled.

Fields #

Name	Description
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`Path` Pointer	—

Event ID 1029 — TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connect failed: connection cancelled.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpConnectTcbCancel

Description

TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connect failed: connection cancelled.

Message #

TCP: connection %8 (local=%2 remote=%4) connect failed: connection cancelled.

Fields #

Name	Description
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`Status` UInt32	— NTSTATUS reference
`ProcessId` UInt32	—
`Compartment` UInt32	—
`Tcb` Pointer	—
`ProcessStartKey` UInt64	—

Event ID 1030 — TCP: connection (local=LocalAddressLength remote=RemoteAddressLength) connect failed: connection insertion status = RemoteAddress.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpConnectTcbFailInsertion

Description

TCP: connection (local=LocalAddressLength remote=RemoteAddressLength) connect failed: connection insertion status = RemoteAddress.

Message #

TCP: connection (local=%2 remote=%4) connect failed: connection insertion status = %5.

Fields #

Name	Description
`Tcb` Pointer	—
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`NewState` UInt32	—
`RexmitCount` UInt32	—

Event ID 1031 — TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connect proceeding.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpConnectTcbProceeding

Description

TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connect proceeding.

Message #

TCP: connection %8 (local=%2 remote=%4) connect proceeding.

Fields #

Name	Description
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`Status` UInt32	— NTSTATUS reference
`ProcessId` UInt32	—
`Compartment` UInt32	—
`Tcb` Pointer	—
`ProcessStartKey` UInt64	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1031",
    "version": "1",
    "level": "4",
    "task": "1031",
    "opcode": "0",
    "keywords": 9223372054034646148,
    "time_created": "2026-03-16T00:21:40.119618200+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{15ce6ae0-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "3688",
      "thread_id": "12888"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "LocalAddressLength": "      16",
    "LocalAddress": "10.2.10.21:52999",
    "RemoteAddressLength": "      16",
    "RemoteAddress": "13.89.179.13:443",
    "Status": "0x0",
    "ProcessId": "       0",
    "Compartment": "       0",
    "Tcb": "0xFFFF980A15CE6AE0",
    "ProcessStartKey": "0"
  },
  "message": ""
}

Event ID 1032 — TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) released due to cancel.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpConnectTcbRateLimitCancel

Description

TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) released due to cancel.

Message #

TCP: connection %8 (local=%2 remote=%4) released due to cancel.

Fields #

Name	Description
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`Status` UInt32	— NTSTATUS reference
`ProcessId` UInt32	—
`Compartment` UInt32	—
`Tcb` Pointer	—
`ProcessStartKey` UInt64	—

Event ID 1033 — TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connect completed.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpConnectTcbComplete

Description

TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connect completed. PID = ProcessId.

Message #

TCP: connection %8 (local=%2 remote=%4) connect completed. PID = %6.

Fields #

Name	Description
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`Status` UInt32	— NTSTATUS reference
`ProcessId` UInt32	—
`Compartment` UInt32	—
`Tcb` Pointer	—
`ProcessStartKey` UInt64	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1033",
    "version": "1",
    "level": "4",
    "task": "1033",
    "opcode": "0",
    "keywords": 9223372054034646148,
    "time_created": "2026-03-16T00:21:40.246461800+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{15ce6ae0-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "LocalAddressLength": "      16",
    "LocalAddress": "10.2.10.21:52999",
    "RemoteAddressLength": "      16",
    "RemoteAddress": "13.89.179.13:443",
    "Status": "0x0",
    "ProcessId": "    3688",
    "Compartment": "       0",
    "Tcb": "0xFFFF980A15CE6AE0",
    "ProcessStartKey": "2814749767106643"
  },
  "message": ""
}

Event ID 1034 — TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connect attempt failed with status = Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Error
Task: TcpConnectTcbFailure

Description

TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connect attempt failed with status = Status.

Message #

TCP: connection %8 (local=%2 remote=%4) connect attempt failed with status = %5.

Fields #

Name	Description
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`Status` UInt32	— NTSTATUS reference
`ProcessId` UInt32	—
`Compartment` UInt32	—
`Tcb` Pointer	—
`ProcessStartKey` UInt64	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1034",
    "version": "1",
    "level": "2",
    "task": "1034",
    "opcode": "0",
    "keywords": 9223372054034646148,
    "time_created": "2026-03-15T23:27:04.870761200+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{009c52a0-d780-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "3912",
      "thread_id": "13412"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "LocalAddressLength": "      28",
    "LocalAddress": "[::1]:51202",
    "RemoteAddressLength": "      28",
    "RemoteAddress": "[::1]:389",
    "Status": "0xC0000120",
    "ProcessId": "    3912",
    "Compartment": "       0",
    "Tcb": "0xFFFFD780009C52A0",
    "ProcessStartKey": "3940649673949252"
  },
  "message": ""
}

Event ID 1035 — TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connect failed: connect-complete inspect status = Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpConnectTcbFailInspectConnectComplete

Description

TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connect failed: connect-complete inspect status = Status.

Message #

TCP: connection %8 (local=%2 remote=%4) connect failed: connect-complete inspect status = %5.

Fields #

Name	Description
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`Status` UInt32	— NTSTATUS reference
`ProcessId` UInt32	—
`Compartment` UInt32	—
`Tcb` Pointer	—
`ProcessStartKey` UInt64	—

Event ID 1036 — TCP: ApplySynOptions, failed to create session state with status = Status, TCB = Tcb.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpConnectTcbFailSessionState

Description

TCP: ApplySynOptions, failed to create session state with status = Status, TCB = Tcb.

Message #

TCP: ApplySynOptions, failed to create session state with status = %5, TCB = %8.

Fields #

Name	Description
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`Status` UInt32	— NTSTATUS reference
`ProcessId` UInt32	—
`Compartment` UInt32	—
`Tcb` Pointer	—
`ProcessStartKey` UInt64	—

Event ID 1037 — TCP: ApplySynOptions, failed to update DF with status = Status, TCB = Tcb.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpConnectTcbFailDontFragment

Description

TCP: ApplySynOptions, failed to update DF with status = Status, TCB = Tcb.

Message #

TCP: ApplySynOptions, failed to update DF with status = %5, TCB = %8.

Fields #

Name	Description
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`Status` UInt32	— NTSTATUS reference
`ProcessId` UInt32	—
`Compartment` UInt32	—
`Tcb` Pointer	—
`ProcessStartKey` UInt64	—

Event ID 1038 — TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) close issued.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpCloseTcbRequest

Description

TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) close issued.

Message #

TCP: connection %8 (local=%2 remote=%4) close issued.

Fields #

Name	Description
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`Status` UInt32	— NTSTATUS reference
`ProcessId` UInt32	—
`Compartment` UInt32	—
`Tcb` Pointer	—
`ProcessStartKey` UInt64	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1038",
    "version": "1",
    "level": "4",
    "task": "1038",
    "opcode": "0",
    "keywords": 9223372105574253572,
    "time_created": "2026-03-16T00:21:38.733239500+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{0eee7560-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "4",
      "thread_id": "7444"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "LocalAddressLength": "      28",
    "LocalAddress": "[::ffff:10.2.10.21]:5985",
    "RemoteAddressLength": "      28",
    "RemoteAddress": "[::ffff:10.2.10.11]:51201",
    "Status": "0x0",
    "ProcessId": "       0",
    "Compartment": "       0",
    "Tcb": "0xFFFF980A0EEE7560",
    "ProcessStartKey": "0"
  },
  "message": ""
}

Event ID 1039 — TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) abort issued.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpAbortTcbRequest

Description

TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) abort issued.

Message #

TCP: connection %8 (local=%2 remote=%4) abort issued.

Fields #

Name	Description
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`Status` UInt32	— NTSTATUS reference
`ProcessId` UInt32	—
`Compartment` UInt32	—
`Tcb` Pointer	—
`ProcessStartKey` UInt64	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1039",
    "version": "1",
    "level": "4",
    "task": "1039",
    "opcode": "0",
    "keywords": 9223372105574253700,
    "time_created": "2026-03-16T00:22:37.889609500+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{0e584560-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "LocalAddressLength": "      16",
    "LocalAddress": "10.2.10.21:52990",
    "RemoteAddressLength": "      16",
    "RemoteAddress": "52.159.108.190:443",
    "Status": "0x0",
    "ProcessId": "       0",
    "Compartment": "       0",
    "Tcb": "0xFFFF980A0E584560",
    "ProcessStartKey": "0"
  },
  "message": ""
}

Event ID 1040 — TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) abort completed.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpAbortTcbComplete

Description

TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) abort completed.

Message #

TCP: connection %8 (local=%2 remote=%4) abort completed.

Fields #

Name	Description
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`Status` UInt32	— NTSTATUS reference
`ProcessId` UInt32	—
`Compartment` UInt32	—
`Tcb` Pointer	—
`ProcessStartKey` UInt64	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1040",
    "version": "1",
    "level": "4",
    "task": "1040",
    "opcode": "0",
    "keywords": 9223372105574253700,
    "time_created": "2026-03-16T00:22:37.890003800+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{0e584560-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "LocalAddressLength": "      16",
    "LocalAddress": "10.2.10.21:52990",
    "RemoteAddressLength": "      16",
    "RemoteAddress": "52.159.108.190:443",
    "Status": "0x0",
    "ProcessId": "       0",
    "Compartment": "       0",
    "Tcb": "0xFFFF980A0E584560",
    "ProcessStartKey": "0"
  },
  "message": ""
}

Event ID 1041 — TCP: Injecting disconnect on a shutdown TCB failed.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpDisconnectTcbInjectFailed

Description

TCP: Injecting disconnect on a shutdown TCB failed. TCB = Tcb.

Message #

TCP: Injecting disconnect on a shutdown TCB failed. TCB = %1.

Fields #

Name	Description
`Tcb` Pointer	—
`Delivery` Pointer	—
`Request` Pointer	—
`NumBytes` Pointer	—
`RequestFlags` UInt32	—
`Length` Pointer	—
`RequestStatus` UInt32	—
`IsUrgentDelivery` UInt32	—
`FullySatisfiedORDelayedPush` UInt32	—
`RcvNxt` UInt32	—

Event ID 1042 — TCP: connection disconnect Injected, length=Length.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpDisconnectTcbRequest

Description

TCP: connection disconnect Injected, length=Length.

Message #

TCP: connection disconnect %3, length=%1.

Fields #

Name	Description
`Length` Pointer	—
`Timeout` UInt64	—
`Injected` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1042",
    "version": "0",
    "level": "4",
    "task": "1042",
    "opcode": "0",
    "keywords": 9223372105574253700,
    "time_created": "2026-03-16T00:21:38.732224500+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{0eee7560-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "4",
      "thread_id": "7444"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Length": "0x0",
    "Timeout": "0x0",
    "Injected": "issued"
  },
  "message": ""
}

Event ID 1043 — TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) disconnect completed.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpDisconnectTcbComplete

Description

TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) disconnect completed.

Message #

TCP: connection %8 (local=%2 remote=%4) disconnect completed.

Fields #

Name	Description
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`Status` UInt32	— NTSTATUS reference
`ProcessId` UInt32	—
`Compartment` UInt32	—
`Tcb` Pointer	—
`ProcessStartKey` UInt64	—
`Inspect` Boolean	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1043",
    "version": "1",
    "level": "4",
    "task": "1043",
    "opcode": "0",
    "keywords": 9223372105574253700,
    "time_created": "2026-03-16T00:21:38.732982900+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{0eee7560-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "LocalAddressLength": "      28",
    "LocalAddress": "[::ffff:10.2.10.21]:5985",
    "RemoteAddressLength": "      28",
    "RemoteAddress": "[::ffff:10.2.10.11]:51201",
    "Status": "0x0",
    "ProcessId": "       0",
    "Compartment": "       0",
    "Tcb": "0xFFFF980A0EEE7560",
    "ProcessStartKey": "0"
  },
  "message": ""
}

Event ID 1044 — TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) shutdown initiated (Status).

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpShutdownTcb

Description

TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) shutdown initiated (Status). PID = ProcessId.

Message #

TCP: connection %8 (local=%2 remote=%4) shutdown initiated (%5). PID = %6.

Fields #

Name	Description
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`Status` UInt32	— NTSTATUS reference
`ProcessId` UInt32	—
`Compartment` UInt32	—
`Tcb` Pointer	—
`ProcessStartKey` UInt64	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1044",
    "version": "1",
    "level": "4",
    "task": "1044",
    "opcode": "0",
    "keywords": 9223372105574253700,
    "time_created": "2026-03-16T00:21:38.733255900+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{0eee7560-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "4",
      "thread_id": "7444"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "LocalAddressLength": "      28",
    "LocalAddress": "[::ffff:10.2.10.21]:5985",
    "RemoteAddressLength": "      28",
    "RemoteAddress": "[::ffff:10.2.10.11]:51201",
    "Status": "0xC0000241",
    "ProcessId": "       4",
    "Compartment": "       0",
    "Tcb": "0xFFFF980A0EEE7560",
    "ProcessStartKey": "2814749767106561"
  },
  "message": ""
}

Event ID 1045 — TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connect failed: connect-request timeout expired.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpConnectTcbTimeout

Description

TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connect failed: connect-request timeout expired.

Message #

TCP: connection %8 (local=%2 remote=%4) connect failed: connect-request timeout expired.

Fields #

Name	Description
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`Status` UInt32	— NTSTATUS reference
`ProcessId` UInt32	—
`Compartment` UInt32	—
`Tcb` Pointer	—
`ProcessStartKey` UInt64	—

Event ID 1046 — TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) terminating: retransmission timeout expired.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpDisconnectTcbRtoTimeout

Description

TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) terminating: retransmission timeout expired.

Message #

TCP: connection %8 (local=%2 remote=%4) terminating: retransmission timeout expired.

Fields #

Name	Description
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`Status` UInt32	— NTSTATUS reference
`ProcessId` UInt32	—
`Compartment` UInt32	—
`Tcb` Pointer	—
`ProcessStartKey` UInt64	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1046",
    "version": "1",
    "level": "4",
    "task": "1046",
    "opcode": "0",
    "keywords": 9223372105574253700,
    "time_created": "2026-03-15T23:32:02.749394100+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{f9ca95f0-d78f-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "LocalAddressLength": "      16",
    "LocalAddress": "10.2.10.11:51269",
    "RemoteAddressLength": "      16",
    "RemoteAddress": "10.2.10.21:389",
    "Status": "0x0",
    "ProcessId": "       0",
    "Compartment": "       0",
    "Tcb": "0xFFFFD78FF9CA95F0",
    "ProcessStartKey": "0"
  },
  "message": ""
}

Event ID 1047 — TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) terminating: keep-alive timeout expired.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpDisconnectTcbKeepaliveTimeout

Description

TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) terminating: keep-alive timeout expired.

Message #

TCP: connection %8 (local=%2 remote=%4) terminating: keep-alive timeout expired.

Fields #

Name	Description
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`Status` UInt32	— NTSTATUS reference
`ProcessId` UInt32	—
`Compartment` UInt32	—
`Tcb` Pointer	—
`ProcessStartKey` UInt64	—

Event ID 1048 — TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) terminating: disconnect timeout expired.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpDisconnectTcbTimeout

Description

TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) terminating: disconnect timeout expired.

Message #

TCP: connection %8 (local=%2 remote=%4) terminating: disconnect timeout expired.

Fields #

Name	Description
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`Status` UInt32	— NTSTATUS reference
`ProcessId` UInt32	—
`Compartment` UInt32	—
`Tcb` Pointer	—
`ProcessStartKey` UInt64	—

Event ID 1049 — TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connect failed: extended statistics status = Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpConnectTcbEstatsFailed

Description

TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connect failed: extended statistics status = Status.

Message #

TCP: connection %8 (local=%2 remote=%4) connect failed: extended statistics status = %5.

Fields #

Name	Description
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`Status` UInt32	— NTSTATUS reference
`ProcessId` UInt32	—
`Compartment` UInt32	—
`Tcb` Pointer	—
`ProcessStartKey` UInt64	—

Event ID 1050 — TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connect failed: port-acquisition status = Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpConnectFailedPortAcquire

Description

TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connect failed: port-acquisition status = Status.

Message #

TCP: connection %8 (local=%2 remote=%4) connect failed: port-acquisition status = %5.

Fields #

Name	Description
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`Status` UInt32	— NTSTATUS reference
`ProcessId` UInt32	—
`Compartment` UInt32	—
`Tcb` Pointer	—
`ProcessStartKey` UInt64	—

Event ID 1051 — TCP: connection Tcb transition from OldState to NewState, SndNxt = SndNxt.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpTcbStateChange

Description

TCP: connection Tcb transition from OldState to NewState, SndNxt = SndNxt.

Message #

TCP: connection %4 transition from %1 to %2, SndNxt = %3.

Fields #

Name	Description
`OldState` UInt32	—
`NewState` UInt32	—
`SndNxt` UInt32	—
`Tcb` Pointer	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1051",
    "version": "0",
    "level": "4",
    "task": "1051",
    "opcode": "0",
    "keywords": 9223372036854776836,
    "time_created": "2026-03-16T00:21:38.719167800+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{0ef4b580-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "OldState": "       1",
    "NewState": "       3",
    "SndNxt": "       0",
    "Tcb": "0xFFFF980A0EEE7560"
  },
  "message": ""
}

Event ID 1052 — TCP: Process with PID = ProcessId reserved NumberOfPorts ports starting at StartPort.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpEndpointAcquirePortReservation

Description

TCP: Process with PID = ProcessId reserved NumberOfPorts ports starting at StartPort.

Message #

TCP: Process with PID = %1 reserved %4 ports starting at %3.

Fields #

Name	Description
`ProcessId` UInt32	—
`Status` UInt32	— NTSTATUS reference
`StartPort` UInt16	—
`NumberOfPorts` UInt16	—
`ProcessStartKey` UInt64	—

Event ID 1053 — TCP: Process with PID = ProcessId failed to reserve NumberOfPorts ports starting at StartPort with status = Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpEndpointFailedPortReservation

Description

TCP: Process with PID = ProcessId failed to reserve NumberOfPorts ports starting at StartPort with status = Status.

Message #

TCP: Process with PID = %1 failed to reserve %4 ports starting at %3 with status = %2.

Fields #

Name	Description
`ProcessId` UInt32	—
`Status` UInt32	— NTSTATUS reference
`StartPort` UInt16	—
`NumberOfPorts` UInt16	—
`ProcessStartKey` UInt64	—

Event ID 1054 — TCP: Process with PID = ProcessId completed global port reservation of NumberOfPorts ports starting at StartPort with status = Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpGlobalPortReservation

Description

TCP: Process with PID = ProcessId completed global port reservation of NumberOfPorts ports starting at StartPort with status = Status.

Message #

TCP: Process with PID = %1 completed global port reservation of %4 ports starting at %3 with status = %2.

Fields #

Name	Description
`ProcessId` UInt32	—
`Status` UInt32	— NTSTATUS reference
`StartPort` UInt16	—
`NumberOfPorts` UInt16	—
`ProcessStartKey` UInt64	—

Event ID 1055 — TCP: entering SYN attack resistance mode, Syn Attacks Detected = SynAttacksDetected.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpGlobalSynAttackEntry

Description

TCP: entering SYN attack resistance mode, Syn Attacks Detected = SynAttacksDetected.

Message #

TCP: entering SYN attack resistance mode, Syn Attacks Detected = %1.

Fields #

Name	Description
`SynAttacksDetected` UInt32	—
`ReassemblyLimitViolations` UInt32	—
`ConnectionRateLimitBacklog` UInt32	—
`ConnectionRateLimitViolations` UInt32	—
`LandAttackSegmentsDropped` UInt32	—
`ConnectionRateLimitDepth` UInt32	—

Event ID 1056 — TCP: reasembly rate-limiting violated ReassemblyLimitViolations times since boot.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpGlobalReassemblyLimitViolation

Description

TCP: reasembly rate-limiting violated ReassemblyLimitViolations times since boot.

Message #

TCP: reasembly rate-limiting violated %2 times since boot.

Fields #

Name	Description
`SynAttacksDetected` UInt32	—
`ReassemblyLimitViolations` UInt32	—
`ConnectionRateLimitBacklog` UInt32	—
`ConnectionRateLimitViolations` UInt32	—
`LandAttackSegmentsDropped` UInt32	—
`ConnectionRateLimitDepth` UInt32	—

Event ID 1057 — TCP: connection rate-limiting violated ConnectionRateLimitViolations times since boot.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpGlobalConnectionRateLimitViolation

Description

TCP: connection rate-limiting violated ConnectionRateLimitViolations times since boot.

Message #

TCP: connection rate-limiting violated %4 times since boot.

Fields #

Name	Description
`SynAttacksDetected` UInt32	—
`ReassemblyLimitViolations` UInt32	—
`ConnectionRateLimitBacklog` UInt32	—
`ConnectionRateLimitViolations` UInt32	—
`LandAttackSegmentsDropped` UInt32	—
`ConnectionRateLimitDepth` UInt32	—

Event ID 1058 — TCP: land attack has dropped LandAttackSegmentsDropped packets since boot.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpGlobalLandAttackSegmentDrop

Description

TCP: land attack has dropped LandAttackSegmentsDropped packets since boot.

Message #

TCP: land attack has dropped %5 packets since boot.

Fields #

Name	Description
`SynAttacksDetected` UInt32	—
`ReassemblyLimitViolations` UInt32	—
`ConnectionRateLimitBacklog` UInt32	—
`ConnectionRateLimitViolations` UInt32	—
`LandAttackSegmentsDropped` UInt32	—
`ConnectionRateLimitDepth` UInt32	—

Event ID 1059 — TCP: low memory state detected.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpGlobalIsbBeginThrottle

Description

TCP: low memory state detected. LowMemoryEvent =LowMemoryEvent LowPagedPoolEvent = LowPagedPoolEvent.

Message #

TCP: low memory state detected. LowMemoryEvent =%3 LowPagedPoolEvent = %4.

Fields #

Name	Description
`HighMemoryEvent` UInt32	—
`HighPagedPoolEvent` UInt32	—
`LowMemoryEvent` UInt32	—
`LowPagedPoolEvent` UInt32	—

Event ID 1060 — TCP: leaving low memory state.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpGlobalIsbEndThrottle

Description

TCP: leaving low memory state. HighMemoryEvent = HighMemoryEvent HighPagedPoolEvent = HighPagedPoolEvent.

Message #

TCP: leaving low memory state. HighMemoryEvent = %1 HighPagedPoolEvent = %2.

Fields #

Name	Description
`HighMemoryEvent` UInt32	—
`HighPagedPoolEvent` UInt32	—
`LowMemoryEvent` UInt32	—
`LowPagedPoolEvent` UInt32	—

Event ID 1061 — TCP: address family AddressFamily added to interface InterfaceIndex.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpGlobalAddInterface

Description

TCP: address family AddressFamily added to interface InterfaceIndex.

Message #

TCP: address family %2 added to interface %1.

Fields #

Name	Description
`InterfaceIndex` UInt32	—
`AddressFamily` UInt32	—

Event ID 1062 — TCP: address family AddressFamily removed from interface InterfaceIndex.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpGlobalDeleteInterface

Description

TCP: address family AddressFamily removed from interface InterfaceIndex.

Message #

TCP: address family %2 removed from interface %1.

Fields #

Name	Description
`InterfaceIndex` UInt32	—
`AddressFamily` UInt32	—

Event ID 1063 — TCP: leaving SYN attack resistance mode, Syn Attacks Detected = SynAttacksDetected.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpGlobalSynAttackExit

Description

TCP: leaving SYN attack resistance mode, Syn Attacks Detected = SynAttacksDetected.

Message #

TCP: leaving SYN attack resistance mode, Syn Attacks Detected = %1.

Fields #

Name	Description
`SynAttacksDetected` UInt32	—
`ReassemblyLimitViolations` UInt32	—
`ConnectionRateLimitBacklog` UInt32	—
`ConnectionRateLimitViolations` UInt32	—
`LandAttackSegmentsDropped` UInt32	—
`ConnectionRateLimitDepth` UInt32	—

Event ID 1064 — TCP: Connection Tcb TimerType timer started.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Verbose
Task: TcpTcbStartTimer

Description

TCP: Connection Tcb TimerType timer started. Scheduled to expire in WaitTimeMilliseconds ms.

Message #

TCP: Connection %1 %2 timer started. Scheduled to expire in %3 ms.

Fields #

Name	Description
`Tcb` Pointer	—
`TimerType` UInt32	—
`WaitTimeMilliseconds` UInt32	—
`Processor` UInt32	—
`LastInterruptTime` UInt64	—
`LastMicroseconds` UInt64	—
`CachedKQPCValues`	—
`CachedFrequencyValues`	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1064",
    "version": "1",
    "level": "5",
    "task": "1064",
    "opcode": "0",
    "keywords": 9223372036854776836,
    "time_created": "2026-03-16T00:21:34.388854500+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{1018b560-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "4168",
      "thread_id": "6880"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A1018B560",
    "TimerType": "       0",
    "WaitTimeMilliseconds": "     201",
    "Processor": "       9",
    "LastInterruptTime": "577532689097",
    "LastMicroseconds": "57753289800",
    "CachedKQPCValues": "577532898003",
    "CachedFrequencyValues": "10000000"
  },
  "message": ""
}

Event ID 1065 — TCP: Connection Tcb stopping TimerType timer.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Verbose
Task: TcpTcbStopTimer

Description

TCP: Connection Tcb stopping TimerType timer.

Message #

TCP: Connection %1 stopping %2 timer.

Fields #

Name	Description
`Tcb` Pointer	—
`TimerType` UInt32	—
`WaitTimeMilliseconds` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1065",
    "version": "0",
    "level": "5",
    "task": "1065",
    "opcode": "0",
    "keywords": 9223372036854776836,
    "time_created": "2026-03-16T00:21:34.388747900+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{1018b560-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "4168",
      "thread_id": "6880"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A1018B560",
    "TimerType": "       7",
    "WaitTimeMilliseconds": "       0"
  },
  "message": ""
}

Event ID 1066 — TCP: Connection Tcb TimerType timer has expired.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Verbose
Task: TcpTcbExpireTimer

Description

TCP: Connection Tcb TimerType timer has expired.

Message #

TCP: Connection %1 %2 timer has expired.

Fields #

Name	Description
`Tcb` Pointer	—
`TimerType` UInt32	—
`WaitTimeMilliseconds` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1066",
    "version": "0",
    "level": "5",
    "task": "1066",
    "opcode": "0",
    "keywords": 9223372036854776836,
    "time_created": "2026-03-16T00:21:34.715526000+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{1018b560-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A1018B560",
    "TimerType": "       2",
    "WaitTimeMilliseconds": "       0"
  },
  "message": ""
}

Event ID 1067 — TCP: ISB changed to IsbSize.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpTcbChangeIsb

Description

TCP: ISB changed to IsbSize. CWnd = Cwnd SndWnd = SndWnd SendAvailable = SendAvailable SSThresh = SSThresh.

Message #

TCP: ISB changed to %1. CWnd = %2 SndWnd = %3 SendAvailable = %4 SSThresh = %5.

Fields #

Name	Description
`IsbSize` UInt32	—
`Cwnd` UInt32	—
`SndWnd` UInt32	—
`SendAvailable` UInt32	—
`SSThresh` UInt32	—

Event ID 1068 — TCP: moving RSS indirection table index TableEntry from processor SourceProcessor to processor DestinationProcessor.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpRssTableChange

Description

TCP: moving RSS indirection table index TableEntry from processor SourceProcessor to processor DestinationProcessor.

Message #

TCP: moving RSS indirection table index %6 from processor %1 to processor %3.

Fields #

Name	Description
`SourceProcessor` UInt32	—
`SourceActivity` UInt32	—
`DestinationProcessor` UInt32	—
`DestinationActivity` UInt32	—
`PartitionMovesRemaining` UInt32	—
`TableEntry` UInt8	—

Event ID 1069 — TCP: connection Tcb: Timeout Event updated cwnd = Cwnd and updated ssthresh = SSThresh.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpDataTransferTimeout

Description

TCP: connection Tcb: Timeout Event updated cwnd = Cwnd and updated ssthresh = SSThresh.

Message #

TCP: connection %1: Timeout Event updated cwnd = %2 and updated ssthresh = %3.

Fields #

Name	Description
`Tcb` Pointer	—
`Cwnd` UInt32	—
`SSThresh` UInt32	—
`RttSample` UInt32	—
`NumBytes` UInt32	—
`SeqNo` UInt32	—
`SndUna` UInt32	—
`Round` UInt32	—
`SRTT` UInt32	—
`RTO` UInt32	—
`DWnd` UInt32	—
`BaseRtt` UInt32	—
`DupAckCount` UInt32	—

Event ID 1070 — TCP: connection Tcb: Rtt sample recorded RttSample.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpDataTransferRttSample

Description

TCP: connection Tcb: Rtt sample recorded RttSample.

Message #

TCP: connection %1:  Rtt sample recorded %4.

Fields #

Name	Description
`Tcb` Pointer	—
`Cwnd` UInt32	—
`SSThresh` UInt32	—
`RttSample` UInt32	—
`NumBytes` UInt32	—
`SeqNo` UInt32	—
`SndUna` UInt32	—
`Round` UInt32	—
`SRTT` UInt32	—
`RTO` UInt32	—
`DWnd` UInt32	—
`BaseRtt` UInt32	—
`DupAckCount` UInt32	—

Event ID 1071 — TCP: connection Tcb: Cumulative ACK updated cwnd = Cwnd.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpDataTransferCumAck

Description

TCP: connection Tcb: Cumulative ACK updated cwnd = Cwnd.

Message #

TCP: connection %1: Cumulative ACK updated cwnd = %2.

Fields #

Name	Description
`Tcb` Pointer	—
`Cwnd` UInt32	—
`SSThresh` UInt32	—
`RttSample` UInt32	—
`NumBytes` UInt32	—
`SeqNo` UInt32	—
`SndUna` UInt32	—
`Round` UInt32	—
`SRTT` UInt32	—
`RTO` UInt32	—
`DWnd` UInt32	—
`BaseRtt` UInt32	—
`DupAckCount` UInt32	—

Event ID 1072 — TCP: connection Tcb: Duplicate ACK updated cwnd = Cwnd and updated ssthresh = SSThresh.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpDataTransferDupAck

Description

TCP: connection Tcb: Duplicate ACK updated cwnd = Cwnd and updated ssthresh = SSThresh.

Message #

TCP: connection %1: Duplicate ACK updated cwnd = %2 and updated ssthresh = %3.

Fields #

Name	Description
`Tcb` Pointer	—
`Cwnd` UInt32	—
`SSThresh` UInt32	—
`RttSample` UInt32	—
`NumBytes` UInt32	—
`SeqNo` UInt32	—
`SndUna` UInt32	—
`Round` UInt32	—
`SRTT` UInt32	—
`RTO` UInt32	—
`DWnd` UInt32	—
`BaseRtt` UInt32	—
`DupAckCount` UInt32	—

Event ID 1073 — TCP: connection Tcb: Sent data with number of bytes = NumBytes and Sequence number = SeqNo.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpDataTransferSend

Description

TCP: connection Tcb: Sent data with number of bytes = NumBytes and Sequence number = SeqNo.

Message #

TCP: connection %1: Sent data with number of bytes = %5 and Sequence number = %6.

Fields #

Name	Description
`Tcb` Pointer	—
`Cwnd` UInt32	—
`SSThresh` UInt32	—
`RttSample` UInt32	—
`NumBytes` UInt32	—
`SeqNo` UInt32	—
`SndUna` UInt32	—
`Round` UInt32	—
`SRTT` UInt32	—
`RTO` UInt32	—
`DWnd` UInt32	—
`BaseRtt` UInt32	—
`DupAckCount` UInt32	—

Event ID 1074 — TCP: connection Tcb: Received data with number of bytes = NumBytes.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpDataTransferReceive

Description

TCP: connection Tcb: Received data with number of bytes = NumBytes. ThSeq = SeqNo.

Message #

TCP: connection %1: Received data with number of bytes = %2. ThSeq = %3.

Fields #

Name	Description
`Tcb` Pointer	—
`NumBytes` UInt32	—
`SeqNo` UInt32	—
`NumPkt` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1074",
    "version": "0",
    "level": "4",
    "task": "1074",
    "opcode": "0",
    "keywords": 9223372045444710400,
    "time_created": "2026-03-16T00:21:34.390777500+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{1018b560-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "4248",
      "thread_id": "4684"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A1018B560",
    "NumBytes": "       6",
    "SeqNo": "3537939053"
  },
  "message": ""
}

Event ID 1075 — TCP: connection Tcb: ECN Echo updated cwnd = Cwnd and updated ssthresh = SSThresh.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpDataTransferEcn

Description

TCP: connection Tcb: ECN Echo updated cwnd = Cwnd and updated ssthresh = SSThresh. SndUna = SndUna, Mss = Mss, ThAck = ThAck.

Message #

TCP: connection %1: ECN Echo updated cwnd = %2 and updated ssthresh = %3. SndUna = %4, Mss = %5, ThAck = %6.

Fields #

Name	Description
`Tcb` Pointer	—
`Cwnd` UInt32	—
`SSThresh` UInt32	—
`SndUna` UInt32	—
`Mss` UInt32	—
`ThAck` UInt32	—
`DWnd` UInt32	—
`BaseRtt` UInt32	—

Event ID 1076 — TCP: connection Tcb: Spurious timeout with SndUna = SndUna.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpDataTransferSpuriousTimeout

Description

TCP: connection Tcb: Spurious timeout with SndUna = SndUna.

Message #

TCP: connection %1: Spurious timeout with SndUna = %7.

Fields #

Name	Description
`Tcb` Pointer	—
`Cwnd` UInt32	—
`SSThresh` UInt32	—
`RttSample` UInt32	—
`NumBytes` UInt32	—
`SeqNo` UInt32	—
`SndUna` UInt32	—
`Round` UInt32	—
`SRTT` UInt32	—
`RTO` UInt32	—
`DWnd` UInt32	—
`BaseRtt` UInt32	—
`DupAckCount` UInt32	—

Event ID 1077 — TCP: connection Tcb: Send Retransmit round with SndUna = SeqNo, Round = Round, SRTT = SRTT, RTO = RTO.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpDataTransferRetransmitRound

Description

TCP: connection Tcb: Send Retransmit round with SndUna = SeqNo, Round = Round, SRTT = SRTT, RTO = RTO.

Message #

TCP: connection %1: Send Retransmit round with SndUna = %6, Round = %8, SRTT = %9, RTO = %10.

Fields #

Name	Description
`Tcb` Pointer	—
`Cwnd` UInt32	—
`SSThresh` UInt32	—
`RttSample` UInt32	—
`NumBytes` UInt32	—
`SeqNo` UInt32	—
`SndUna` UInt32	—
`Round` UInt32	—
`SRTT` UInt32	—
`RTO` UInt32	—
`DWnd` UInt32	—
`BaseRtt` UInt32	—
`DupAckCount` UInt32	—

Event ID 1078 — TCP: connection Tcb: Entered loss recovery phase with SndUna = SndUna and SndMax = SndMax.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpLossRecoveryEntry

Description

TCP: connection Tcb: Entered loss recovery phase with SndUna = SndUna and SndMax = SndMax.

Message #

TCP: connection %1: Entered loss recovery phase with SndUna = %2 and SndMax = %3.

Fields #

Name	Description
`Tcb` Pointer	—
`SndUna` UInt32	—
`SndMax` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1078",
    "version": "0",
    "level": "4",
    "task": "1078",
    "opcode": "0",
    "keywords": 9223372045444710528,
    "time_created": "2026-03-16T00:21:40.489867400+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{15ce6ae0-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A15CE6AE0",
    "SndUna": "155002622",
    "SndMax": "155007102"
  },
  "message": ""
}

Event ID 1079 — TCP: connection Tcb: Leaving loss recovery phase with SndUna = SndUna and SndMax = SndMax.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpLossRecoveryExit

Description

TCP: connection Tcb: Leaving loss recovery phase with SndUna = SndUna and SndMax = SndMax.

Message #

TCP: connection %1: Leaving loss recovery phase with SndUna = %2 and SndMax = %3.

Fields #

Name	Description
`Tcb` Pointer	—
`SndUna` UInt32	—
`SndMax` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1079",
    "version": "0",
    "level": "4",
    "task": "1079",
    "opcode": "0",
    "keywords": 9223372045444710528,
    "time_created": "2026-03-16T00:21:40.494494300+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{15ce6ae0-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "4168",
      "thread_id": "6656"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A15CE6AE0",
    "SndUna": "155007102",
    "SndMax": "155007102"
  },
  "message": ""
}

Event ID 1080 — TCP: connection Tcb entering SACK mode with SndUna = SndUna.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpLossRecoverySackEntry

Description

TCP: connection Tcb entering SACK mode with SndUna = SndUna.

Message #

TCP: connection %1 entering SACK mode with SndUna = %2.

Fields #

Name	Description
`Tcb` Pointer	—
`SndUna` UInt32	—
`SndMax` UInt32	—
`Reason` UnicodeString	—
`IsSack` UInt32	—

Event ID 1081 — TCP: connection Tcb leaving SACK mode with SndUna = SndUna.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpLossRecoverySackExit

Description

TCP: connection Tcb leaving SACK mode with SndUna = SndUna.

Message #

TCP: connection %1 leaving SACK mode with SndUna = %2.

Fields #

Name	Description
`Tcb` Pointer	—
`SndUna` UInt32	—
`SndMax` UInt32	—
`Reason` UnicodeString	—
`IsSack` UInt32	—

Event ID 1082 — TCP: connection Tcb entering Congestion Avoidance Phase with cwnd = Cwnd and ssthresh = SSThresh.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpSlowStartToCongestionAvoidance

Description

TCP: connection Tcb entering Congestion Avoidance Phase with cwnd = Cwnd and ssthresh = SSThresh.

Message #

TCP: connection %1 entering Congestion Avoidance Phase with cwnd = %2 and ssthresh = %3.

Fields #

Name	Description
`Tcb` Pointer	—
`Cwnd` UInt32	—
`SSThresh` UInt32	—
`RttSample` UInt32	—
`NumBytes` UInt32	—
`SeqNo` UInt32	—
`SndUna` UInt32	—
`Round` UInt32	—
`SRTT` UInt32	—
`RTO` UInt32	—
`DWnd` UInt32	—
`BaseRtt` UInt32	—
`DupAckCount` UInt32	—

Event ID 1084 — TCP: connection Tcb entered BH, BH MSS BHMSS, original MSS OriginalMSS.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpBlackHoleDetectionEntry

Description

TCP: connection Tcb entered BH, BH MSS BHMSS, original MSS OriginalMSS.

Message #

TCP: connection %1 entered BH, BH MSS %2, original MSS %3.

Fields #

Name	Description
`Tcb` Pointer	—
`BHMSS` UInt32	—
`OriginalMSS` UInt32	—
`TraceString` UnicodeString	—

Event ID 1085 — TCP: connection Tcb Exiting BH due to TraceString, BH mss BHMSS, Original MSS OriginalMSS.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpBlackHoleDetectionExit

Description

TCP: connection Tcb Exiting BH due to TraceString, BH mss BHMSS, Original MSS OriginalMSS.

Message #

TCP: connection %1 Exiting BH due to %4, BH mss %2, Original MSS %3.

Fields #

Name	Description
`Tcb` Pointer	—
`BHMSS` UInt32	—
`OriginalMSS` UInt32	—
`TraceString` UnicodeString	—

Event ID 1086 — TCP: connection Tcb not entering BH due to TraceString.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpBlackHoleDetectionFailed

Description

TCP: connection Tcb not entering BH due to TraceString.

Message #

TCP: connection %1 not entering BH due to %4.

Fields #

Name	Description
`Tcb` Pointer	—
`BHMSS` UInt32	—
`OriginalMSS` UInt32	—
`TraceString` UnicodeString	—

Event ID 1087 — TCP: connection Tcb spurious RTO detection initiated at SndUna.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpSpuriousRtoDetectionBegin

Description

TCP: connection Tcb spurious RTO detection initiated at SndUna.

Message #

TCP: connection %1 spurious RTO detection initiated at %7.

Fields #

Name	Description
`Tcb` Pointer	—
`Cwnd` UInt32	—
`SSThresh` UInt32	—
`RttSample` UInt32	—
`NumBytes` UInt32	—
`SeqNo` UInt32	—
`SndUna` UInt32	—
`Round` UInt32	—
`SRTT` UInt32	—
`RTO` UInt32	—
`DWnd` UInt32	—
`BaseRtt` UInt32	—
`DupAckCount` UInt32	—

Event ID 1088 — TCP: connection Tcb spurious RTO detection terminated at SndUna.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpSpuriousRtoDetectionEnd

Description

TCP: connection Tcb spurious RTO detection terminated at SndUna.

Message #

TCP: connection %1 spurious RTO detection terminated at %7.

Fields #

Name	Description
`Tcb` Pointer	—
`Cwnd` UInt32	—
`SSThresh` UInt32	—
`RttSample` UInt32	—
`NumBytes` UInt32	—
`SeqNo` UInt32	—
`SndUna` UInt32	—
`Round` UInt32	—
`SRTT` UInt32	—
`RTO` UInt32	—
`DWnd` UInt32	—
`BaseRtt` UInt32	—
`DupAckCount` UInt32	—

Event ID 1089 — TCP: active connect failed (family=Status) connect-complete inspection failed: status = AddressFamily.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpConnectTcbFailedActiveConnect

Description

TCP: active connect failed (family=Status) connect-complete inspection failed: status = AddressFamily.

Message #

TCP: active connect failed (family=%2) connect-complete inspection failed: status = %3.

Fields #

Name	Description
`Tcb` Pointer	—
`Status` UInt32	— NTSTATUS reference
`AddressFamily` UInt32	—

Event ID 1090 — TCP: TcpReleaseIndicationList: Nbl = NBL.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Verbose
Task: TcpReleaseIndication

Description

TCP: TcpReleaseIndicationList: Nbl = NBL.

Message #

TCP: TcpReleaseIndicationList: Nbl = %1.

Fields #

Name	Description
`NBL` Pointer	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1090",
    "version": "0",
    "level": "5",
    "task": "1090",
    "opcode": "0",
    "keywords": 9223372045444710400,
    "time_created": "2026-03-16T00:21:34.509548500+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}"
    },
    "execution": {
      "process_id": "4168",
      "thread_id": "6880"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "NBL": "0xFFFF980A0EE312B0"
  },
  "message": ""
}

Event ID 1091 — TCP: connection Tcb posted an average of NumBytes bytes per send.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpAppSendBufferSize

Description

TCP: connection Tcb posted an average of NumBytes bytes per send.

Message #

TCP: connection %1 posted an average of %5 bytes per send.

Fields #

Name	Description
`Tcb` Pointer	—
`Cwnd` UInt32	—
`SSThresh` UInt32	—
`RttSample` UInt32	—
`NumBytes` UInt32	—
`SeqNo` UInt32	—
`SndUna` UInt32	—
`Round` UInt32	—
`SRTT` UInt32	—
`RTO` UInt32	—
`DWnd` UInt32	—
`BaseRtt` UInt32	—
`DupAckCount` UInt32	—

Event ID 1092 — TCP: connection (local=LocalAddress remote=RemoteAddress) starting receive window auto-tuning.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Verbose
Task: TcpAutoTuningBegin

Description

TCP: connection (local=LocalAddress remote=RemoteAddress) starting receive window auto-tuning.

Message #

TCP: connection (local=%2 remote=%4) starting receive window auto-tuning.

Fields #

Name	Description
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`BufferSize` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1092",
    "version": "0",
    "level": "5",
    "task": "1092",
    "opcode": "0",
    "keywords": 9223372045444710400,
    "time_created": "2026-03-16T00:21:40.316699400+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{15ce6ae0-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "LocalAddressLength": "      16",
    "LocalAddress": "10.2.10.21:52999",
    "RemoteAddressLength": "      16",
    "RemoteAddress": "13.89.179.13:443",
    "BufferSize": "       0"
  },
  "message": ""
}

Event ID 1093 — TCP: connection (local=LocalAddress remote=RemoteAddress) ending receive window auto-tuning.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Verbose
Task: TcpAutoTuningEnd

Description

TCP: connection (local=LocalAddress remote=RemoteAddress) ending receive window auto-tuning.

Message #

TCP: connection (local=%2 remote=%4) ending receive window auto-tuning.

Fields #

Name	Description
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`BufferSize` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1093",
    "version": "0",
    "level": "5",
    "task": "1093",
    "opcode": "0",
    "keywords": 9223372045444710400,
    "time_created": "2026-03-16T00:22:31.341328500+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{0e7ae010-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "LocalAddressLength": "      28",
    "LocalAddress": "[::ffff:10.2.10.21]:5985",
    "RemoteAddressLength": "      28",
    "RemoteAddress": "[::ffff:10.2.10.11]:51208",
    "BufferSize": "       0"
  },
  "message": ""
}

Event ID 1094 — TCP: connection (local=LocalAddress remote=RemoteAddress) failed to enter auto-tuning because fine-grained RTT estimation could not be started.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpAutoTuningFailedRttEstimation

Description

TCP: connection (local=LocalAddress remote=RemoteAddress) failed to enter auto-tuning because fine-grained RTT estimation could not be started.

Message #

TCP: connection (local=%2 remote=%4) failed to enter auto-tuning because fine-grained RTT estimation could not be started.

Fields #

Name	Description
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`BufferSize` UInt32	—

Event ID 1095 — TCP: connection (local=LocalAddress remote=RemoteAddress) failed to enter auto-tuning because receiver bandwidth estimation could not be started.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpAutoTuningFailedBandwidthEstimation

Description

TCP: connection (local=LocalAddress remote=RemoteAddress) failed to enter auto-tuning because receiver bandwidth estimation could not be started.

Message #

TCP: connection (local=%2 remote=%4) failed to enter auto-tuning because receiver bandwidth estimation could not be started.

Fields #

Name	Description
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`BufferSize` UInt32	—

Event ID 1096 — TCP: connection (local=LocalAddress remote=RemoteAddress) failed to enter auto-tuning because of receive window tuning allocation failure.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpAutoTuningFailedAllocationFailure

Description

TCP: connection (local=LocalAddress remote=RemoteAddress) failed to enter auto-tuning because of receive window tuning allocation failure.

Message #

TCP: connection (local=%2 remote=%4) failed to enter auto-tuning because of receive window tuning allocation failure.

Fields #

Name	Description
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`BufferSize` UInt32	—

Event ID 1097 — TCP: connection (local=LocalAddress remote=RemoteAddress) auto-tuner adjusted receive buffer size to BufferSize bytes.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpAutoTuningChangeRcvBufferSize

Description

TCP: connection (local=LocalAddress remote=RemoteAddress) auto-tuner adjusted receive buffer size to BufferSize bytes.

Message #

TCP: connection (local=%2 remote=%4) auto-tuner adjusted receive buffer size to %5 bytes.

Fields #

Name	Description
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`BufferSize` UInt32	—

Event ID 1098 — TCP: connection Tcb: Rtt resiliency detection complete with Rtt sample = RttSample and new SRTT = SRTT.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpRttResiliencyDetection

Description

TCP: connection Tcb: Rtt resiliency detection complete with Rtt sample = RttSample and new SRTT = SRTT.

Message #

TCP: connection %1: Rtt resiliency detection complete with Rtt sample = %4 and new SRTT = %9.

Fields #

Name	Description
`Tcb` Pointer	—
`Cwnd` UInt32	—
`SSThresh` UInt32	—
`RttSample` UInt32	—
`NumBytes` UInt32	—
`SeqNo` UInt32	—
`SndUna` UInt32	—
`Round` UInt32	—
`SRTT` UInt32	—
`RTO` UInt32	—
`DWnd` UInt32	—
`BaseRtt` UInt32	—
`DupAckCount` UInt32	—

Event ID 1099 — TCP: connection Tcb: Connection State = TcbState, Offload State = OcbState.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpConnectionOffloadStateChange

Description

TCP: connection Tcb: Connection State = TcbState, Offload State = OcbState. SndNxt = SndNxt, RcvNxt = RcvNxt. NdisStatus = Status.

Message #

TCP: connection %5: Connection State = %1, Offload State = %2. SndNxt = %3, RcvNxt = %4. NdisStatus = %6.

Fields #

Name	Description
`TcbState` UInt32	—
`OcbState` UInt32	—
`SndNxt` UInt32	—
`RcvNxt` UInt32	—
`Tcb` Pointer	—
`Status` UInt32	— NTSTATUS reference

Event ID 1100 — TCP: SWS avoidance began on connection Tcb.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpSwsAvoidanceBegin

Description

TCP: SWS avoidance began on connection Tcb. Timer set for TimerValue ms. BytesToSend = BytesToSend, SendAvailable = SendAvailable, Cwnd = Cwnd, MaxSndWnd = MaxSndWnd.

Message #

TCP: SWS avoidance began on connection %1. Timer set for %2 ms. BytesToSend = %3, SendAvailable = %4, Cwnd = %5, MaxSndWnd = %6.

Fields #

Name	Description
`Tcb` Pointer	—
`TimerValue` UInt32	—
`BytesToSend` Pointer	—
`SendAvailable` UInt32	—
`Cwnd` UInt32	—
`MaxSndWnd` Pointer	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1100",
    "version": "0",
    "level": "4",
    "task": "1100",
    "opcode": "0",
    "keywords": 9223372041149743232,
    "time_created": "2026-03-16T00:23:27.100938500+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{170d1290-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "3688",
      "thread_id": "10580"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A170D1290",
    "TimerValue": "    5000",
    "BytesToSend": "0x10E0",
    "SendAvailable": "   18500",
    "Cwnd": "   14786",
    "MaxSndWnd": "0x400000"
  },
  "message": ""
}

Event ID 1101 — TCP: SWS avoidance ended on connection Tcb.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpSwsAvoidanceEnd

Description

TCP: SWS avoidance ended on connection Tcb.

Message #

TCP: SWS avoidance ended on connection %1.

Fields #

Name	Description
`Tcb` Pointer	—
`TimerValue` UInt32	—
`BytesToSend` Pointer	—
`SendAvailable` UInt32	—
`Cwnd` UInt32	—
`MaxSndWnd` Pointer	—

Event ID 1102 — TCP: connection Tcb send: Beginning zero-window probing with SndUna = SndUna.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpZeroWindowProbingBegin

Description

TCP: connection Tcb send: Beginning zero-window probing with SndUna = SndUna.

Message #

TCP: connection %1 send: Beginning zero-window probing with SndUna = %2.

Fields #

Name	Description
`Tcb` Pointer	—
`SndUna` UInt32	—
`SndMax` UInt32	—

Event ID 1103 — TCP: connection Tcb send: Leaving zero-window probing with SndUna = SndUna.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpZeroWindowProbingEnd

Description

TCP: connection Tcb send: Leaving zero-window probing with SndUna = SndUna.

Message #

TCP: connection %1 send: Leaving zero-window probing with SndUna = %2.

Fields #

Name	Description
`Tcb` Pointer	—
`SndUna` UInt32	—
`SndMax` UInt32	—

Event ID 1104 — TCP: Option OptionType is going to be set for connection Tcb.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpSetTcpOption

Description

TCP: Option OptionType is going to be set for connection Tcb.

Message #

TCP: Option %2 is going to be set for connection %1.

Fields #

Name	Description
`Tcb` Pointer	—
`OptionType` UInt32	—
`SoOptionType` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1104",
    "version": "0",
    "level": "4",
    "task": "1104",
    "opcode": "0",
    "keywords": 9223372311732683780,
    "time_created": "2026-03-16T00:23:28.314606700+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{0e584560-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "1356",
      "thread_id": "4456"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A0E584560",
    "OptionType": "       1",
    "SoOptionType": "       0"
  },
  "message": ""
}

Event ID 1105 — TCP: Socket Option SoOptionType is going to be set for connection Tcb.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpSetTcpSoOption

Description

TCP: Socket Option SoOptionType is going to be set for connection Tcb.

Message #

TCP: Socket Option %3 is going to be set for connection %1.

Fields #

Name	Description
`Tcb` Pointer	—
`OptionType` UInt32	—
`SoOptionType` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1105",
    "version": "0",
    "level": "4",
    "task": "1105",
    "opcode": "0",
    "keywords": 9223372311732683780,
    "time_created": "2026-03-16T00:23:28.314680700+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{0e584560-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "1356",
      "thread_id": "4456"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A0E584560",
    "OptionType": "       0",
    "SoOptionType": "       8"
  },
  "message": ""
}

Event ID 1106 — IP: Disconnecting interface InterfaceIndex, trace = TraceString.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpMediaDisconnect

Description

IP: Disconnecting interface InterfaceIndex, trace = TraceString.

Message #

IP: Disconnecting interface %1, trace = %2.

Fields #

Name	Description
`InterfaceIndex` UInt32	—
`TraceString` AnsiString	—
`CompartmentId` UInt32	—

Event ID 1107 — TCPIP: Module ModuleNameString started.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpModuleStarted

Description

TCPIP: Module ModuleNameString started.

Message #

TCPIP: Module %1 started.

Fields #

Name	Description
`ModuleNameString` UnicodeString	—

Event ID 1108 — TCPIP: Module ModuleNameString stopped.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpModuleStopped

Description

TCPIP: Module ModuleNameString stopped.

Message #

TCPIP: Module %1 stopped.

Fields #

Name	Description
`ModuleNameString` UnicodeString	—

Event ID 1109 — TCPIP: Failure allocating AllocationObjectString.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpMemoryFailures

Description

TCPIP: Failure allocating AllocationObjectString.

Message #

TCPIP: Failure allocating %1.

Fields #

Name	Description
`AllocationObjectString` UnicodeString	—

Event ID 1110 — TCP: Global parameters updated for Address Family AddressFamily: EnablePMtuDiscovery = EnablePMTUDiscovery, UseRfc1122UrgentPointer = TcpUseRFC1122UrgentPointer, DisableTaskOffload = DisableTaskOff...

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpGlobalParameters

Message #

TCP: Global parameters updated for Address Family %1: EnablePMtuDiscovery = %2, UseRfc1122UrgentPointer = %3, DisableTaskOffload = %4, DisableTcpChimneyOffload = %5, DisableRss = %6, EnablePMtuBHDetect = %7, EcnCapability = %8, MaxDataRetransmissions = %9, KeepAliveTime = %10, KeepAliveInterval = %11, TimedWaitDelay = %12, SillyWindowTimeout = %13, FinWait2Timeout = %14, CongestionAlgorithm = %15, UseRfc1323Timestamps = %16, AutoTuningLevelLocal = %17, AutoTuningLevelGroupPolicy = %18.

Fields #

Name	Description
`AddressFamily` UInt32	—
`EnablePMTUDiscovery` UInt8	—
`TcpUseRFC1122UrgentPointer` UInt8	—
`DisableTaskOffload` UInt8	—
`EnablePMTUBHDetect` UInt8	—
`DisableTcpChimneyOffload` UInt8	—
`DisableRss` UInt8	—
`EcnCapability` UInt8	—
`TcpMaxDataRetransmissions` UInt8	—
`KeepAliveTime` UInt32	—
`KeepAliveInterval` UInt32	—
`TcpTimedWaitDelay` UInt32	—
`SillyWindowTimeout` UInt32	—
`TcpFinWait2Delay` UInt32	—
`CongestionAlgorithm` UInt8	—
`Tcp1323Opts` UInt8	—
`AutoTuningLevelLocal` UInt32	—
`AutoTuningLevelGroupPolicy` UInt32	—

Event ID 1111 — TCP: Connection Tcb Large Send Offload, Bytes in segment = BytesInSegment and Bytes remaining = BytesRemaining.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Verbose
Task: TcpLso

Description

TCP: Connection Tcb Large Send Offload, Bytes in segment = BytesInSegment and Bytes remaining = BytesRemaining.

Message #

TCP: Connection %1 Large Send Offload, Bytes in segment = %2 and Bytes remaining = %3.

Fields #

Name	Description
`Tcb` Pointer	—
`BytesInSegment` UInt32	—
`BytesRemaining` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1111",
    "version": "0",
    "level": "5",
    "task": "1111",
    "opcode": "0",
    "keywords": 9223372041149743104,
    "time_created": "2026-03-16T00:21:34.415610100+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{1018b560-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "4168",
      "thread_id": "6972"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A1018B560",
    "BytesInSegment": "    1492",
    "BytesRemaining": "       0"
  },
  "message": ""
}

Event ID 1112 — TCP: Connection Tcb status changed to Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpConnectionOffloadStatus

Description

TCP: Connection Tcb status changed to Status.

Message #

TCP: Connection %1 status changed to %2.

Fields #

Name	Description
`Tcb` Pointer	—
`Status` UInt32	— NTSTATUS reference
`Interface` UInt32	—
`PMax` UInt32	—

Event ID 1113 — TCP: Connection Tcb status = Status, Interface = Interface, PMax = PMax.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpConnectionOffloadPmax

Description

TCP: Connection Tcb status = Status, Interface = Interface, PMax = PMax.

Message #

TCP: Connection %1 status = %2, Interface = %3, PMax = %4.

Fields #

Name	Description
`Tcb` Pointer	—
`Status` UInt32	— NTSTATUS reference
`Interface` UInt32	—
`PMax` UInt32	—

Event ID 1114 — IP: DAD successful for IP address = IPv4Address IPProtocol IPv6Address on interface = Interface, protocol = Protocol.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpDadSuccessful

Description

IP: DAD successful for IP address = IPv4Address IPProtocol IPv6Address on interface = Interface, protocol = Protocol.

Message #

IP: DAD successful for IP address = %7 %9 %8 on interface = %1, protocol = %2.

Fields #

Name	Description
`Interface` UInt32	—
`Protocol` AnsiString	— Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`DadState` UInt32	—
`DlAddrLength` UInt32	—
`DLAddress` Binary	—
`IpAddrLength` UInt32	—
`IPv4Address` UInt32	—
`IPv6Address` Binary	—
`IPProtocol` UInt32	—
`CompartmentId` UInt32	—

Event ID 1115 — IP: DAD failed for IP address = IPv4Address IPProtocol IPv6Address on interface = Interface, protocol = Protocol, DL address of packet = DLAddress.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpDadFailed

Description

IP: DAD failed for IP address = IPv4Address IPProtocol IPv6Address on interface = Interface, protocol = Protocol, DL address of packet = DLAddress.

Message #

IP: DAD failed for IP address = %7 %9 %8 on interface = %1, protocol = %2, DL address of packet = %5.

Fields #

Name	Description
`Interface` UInt32	—
`Protocol` AnsiString	— Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`DadState` UInt32	—
`DlAddrLength` UInt32	—
`DLAddress` Binary	—
`IpAddrLength` UInt32	—
`IPv4Address` UInt32	—
`IPv6Address` Binary	—
`IPProtocol` UInt32	—
`CompartmentId` UInt32	—

Event ID 1116 — IP: DAD started for IP address = IPv4Address IPProtocol IPv6Address on interface = Interface, protocol = Protocol.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpDadStarted

Description

IP: DAD started for IP address = IPv4Address IPProtocol IPv6Address on interface = Interface, protocol = Protocol.

Message #

IP: DAD started for IP address = %7 %9 %8 on interface = %1, protocol = %2.

Fields #

Name	Description
`Interface` UInt32	—
`Protocol` AnsiString	— Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`DadState` UInt32	—
`DlAddrLength` UInt32	—
`DLAddress` Binary	—
`IpAddrLength` UInt32	—
`IPv4Address` UInt32	—
`IPv6Address` Binary	—
`IPProtocol` UInt32	—
`CompartmentId` UInt32	—

Event ID 1117 — TCP: listener (sockaddr=SocketAddress PID=ProcessId) activation failed: address family not attached.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpListenerActivationFailedAf

Description

TCP: listener (sockaddr=SocketAddress PID=ProcessId) activation failed: address family not attached.

Message #

TCP: listener (sockaddr=%3 PID=%5) activation failed: address family not attached.

Fields #

Name	Description
`Listener` Pointer	—
`AddressLength` UInt32	—
`SocketAddress` Binary	—
`Status` UInt32	— NTSTATUS reference
`ProcessId` UInt32	—
`CompartmentId` UInt32	—
`AddressFamily` UInt32	—
`ProcessStartKey` UInt64	—

Event ID 1118 — TCP: listener Listener (family=AddressFamily PID=ProcessId) activation failed: compartment CompartmentId not found.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpListenerActivationFailedCompartment

Description

TCP: listener Listener (family=AddressFamily PID=ProcessId) activation failed: compartment CompartmentId not found. Status=Status.

Message #

TCP: listener %1 (family=%7 PID=%5) activation failed: compartment %6 not found. Status=%4.

Fields #

Name	Description
`Listener` Pointer	—
`AddressLength` UInt32	—
`SocketAddress` Binary	—
`Status` UInt32	— NTSTATUS reference
`ProcessId` UInt32	—
`CompartmentId` UInt32	—
`AddressFamily` UInt32	—
`ProcessStartKey` UInt64	—

Event ID 1119 — TCP: listener Listener (family=AddressFamily PID=ProcessId) activation failed: inspection status=Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpListenerActivationFailedInspection1

Description

TCP: listener Listener (family=AddressFamily PID=ProcessId) activation failed: inspection status=Status.

Message #

TCP: listener %1 (family=%7 PID=%5) activation failed: inspection status=%4.

Fields #

Name	Description
`Listener` Pointer	—
`AddressLength` UInt32	—
`SocketAddress` Binary	—
`Status` UInt32	— NTSTATUS reference
`ProcessId` UInt32	—
`CompartmentId` UInt32	—
`AddressFamily` UInt32	—
`ProcessStartKey` UInt64	—

Event ID 1120 — TCP: listener Listener (sockaddr=SocketAddress) activation failed: inspection status=Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpListenerActivationFailedInspection2

Description

TCP: listener Listener (sockaddr=SocketAddress) activation failed: inspection status=Status.

Message #

TCP: listener %1 (sockaddr=%3) activation failed: inspection status=%4.

Fields #

Name	Description
`Listener` Pointer	—
`AddressLength` UInt32	—
`SocketAddress` Binary	—
`Status` UInt32	— NTSTATUS reference
`ProcessId` UInt32	—
`CompartmentId` UInt32	—
`AddressFamily` UInt32	—
`ProcessStartKey` UInt64	—

Event ID 1121 — TCP: listener Listener (sockaddr=SocketAddress) bind failed: port-acquisition status=Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpListenerBindFailedResolution

Description

TCP: listener Listener (sockaddr=SocketAddress) bind failed: port-acquisition status=Status.

Message #

TCP: listener %1 (sockaddr=%3) bind failed: port-acquisition status=%4.

Fields #

Name	Description
`Listener` Pointer	—
`AddressLength` UInt32	—
`SocketAddress` Binary	—
`Status` UInt32	— NTSTATUS reference
`ProcessId` UInt32	—
`CompartmentId` UInt32	—
`AddressFamily` UInt32	—
`ProcessStartKey` UInt64	—

Event ID 1122 — TCP: listener Listener (family=AddressFamily PID=ProcessId) bind failed: address SocketAddress cannot be resolved (Status=Status).

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpListenerBindFailedPort

Description

TCP: listener Listener (family=AddressFamily PID=ProcessId) bind failed: address SocketAddress cannot be resolved (Status=Status).

Message #

TCP: listener %1 (family=%7 PID=%5) bind failed: address %3 cannot be resolved (Status=%4).

Fields #

Name	Description
`Listener` Pointer	—
`AddressLength` UInt32	—
`SocketAddress` Binary	—
`Status` UInt32	— NTSTATUS reference
`ProcessId` UInt32	—
`CompartmentId` UInt32	—
`AddressFamily` UInt32	—
`ProcessStartKey` UInt64	—

Event ID 1123 — TCP: listener Listener (sockaddr=SocketAddress) activated.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpListenerActivated

Description

TCP: listener Listener (sockaddr=SocketAddress) activated.

Message #

TCP: listener %1 (sockaddr=%3) activated.

Fields #

Name	Description
`Listener` Pointer	—
`AddressLength` UInt32	—
`SocketAddress` Binary	—
`Status` UInt32	— NTSTATUS reference
`ProcessId` UInt32	—
`CompartmentId` UInt32	—
`AddressFamily` UInt32	—
`ProcessStartKey` UInt64	—

Event ID 1124 — TCP: listener Listener (sockaddr=SocketAddress) unbound.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpListenerUnbound

Description

TCP: listener Listener (sockaddr=SocketAddress) unbound.

Message #

TCP: listener %1 (sockaddr=%3) unbound.

Fields #

Name	Description
`Listener` Pointer	—
`AddressLength` UInt32	—
`SocketAddress` Binary	—
`Status` UInt32	— NTSTATUS reference
`ProcessId` UInt32	—
`CompartmentId` UInt32	—
`AddressFamily` UInt32	—
`ProcessStartKey` UInt64	—

Event ID 1127 — IP: IP address = IPv4Address IPProtocol IPv6Address added on interface = Interface, Protocol = Protocol.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpAddressAdded

Description

IP: IP address = IPv4Address IPProtocol IPv6Address added on interface = Interface, Protocol = Protocol.

Message #

IP: IP address = %7 %9 %8 added on interface = %1, Protocol = %2.

Fields #

Name	Description
`Interface` UInt32	—
`Protocol` AnsiString	— Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`DadState` UInt32	—
`DlAddrLength` UInt32	—
`DLAddress` Binary	—
`IpAddrLength` UInt32	—
`IPv4Address` UInt32	—
`IPv6Address` Binary	—
`IPProtocol` UInt32	—
`CompartmentId` UInt32	—
`PrefixOrigin` UInt32	—
`SuffixOrigin` UInt32	—

Event ID 1128 — IP: IP address = IPv4Address IPProtocol IPv6Address deleted on interface = Interface, Protocol = Protocol.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpAddressDeleted

Description

IP: IP address = IPv4Address IPProtocol IPv6Address deleted on interface = Interface, Protocol = Protocol.

Message #

IP: IP address = %7 %9 %8 deleted on interface = %1, Protocol = %2.

Fields #

Name	Description
`Interface` UInt32	—
`Protocol` AnsiString	— Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`DadState` UInt32	—
`DlAddrLength` UInt32	—
`DLAddress` Binary	—
`IpAddrLength` UInt32	—
`IPv4Address` UInt32	—
`IPv6Address` Binary	—
`IPProtocol` UInt32	—
`CompartmentId` UInt32	—

Event ID 1130 — Framing: Interface operation status change.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: FramingIfOperStatus

Description

Framing: Interface Interface Operational Status = OperationalStatus, Operational Status Flags = Status.

Message #

Framing: Interface %1 Operational Status = %2, Operational Status Flags = %3.

Fields #

Name	Description
`Interface` UInt32	—
`OperationalStatus` UInt32	—
`Status` UInt64	— NTSTATUS reference
`CompartmentId` UInt32	—

Event ID 1136 — Framing: NDIS pause event on interface InterfaceIndex.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: FramingNdisPause

Description

Framing: NDIS pause event on interface InterfaceIndex.

Message #

Framing: NDIS pause event on interface %1.

Fields #

Name	Description
`InterfaceIndex` UInt32	—
`TraceString` AnsiString	—
`CompartmentId` UInt32	—

Event ID 1137 — Framing: NDIS restart event on interface InterfaceIndex.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: FramingNdisRestart

Description

Framing: NDIS restart event on interface InterfaceIndex.

Message #

Framing: NDIS restart event on interface %1.

Fields #

Name	Description
`InterfaceIndex` UInt32	—
`TraceString` AnsiString	—
`CompartmentId` UInt32	—

Event ID 1138 — IP: IP address = IPv4Address IPProtocol IPv6Address state changed to Preferred.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpAddressStatePreferred

Description

IP: IP address = IPv4Address IPProtocol IPv6Address state changed to Preferred. Interface = Interface.

Message #

IP: IP address = %7 %9 %8 state changed to Preferred. Interface = %1.

Fields #

Name	Description
`Interface` UInt32	—
`Protocol` AnsiString	— Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`DadState` UInt32	—
`DlAddrLength` UInt32	—
`DLAddress` Binary	—
`IpAddrLength` UInt32	—
`IPv4Address` UInt32	—
`IPv6Address` Binary	—
`IPProtocol` UInt32	—

Event ID 1139 — IP: IP address = IPv4Address IPProtocol IPv6Address state changed to Non-preferred.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpAddressStateNonPreferred

Description

IP: IP address = IPv4Address IPProtocol IPv6Address state changed to Non-preferred. Interface = Interface. DadState = DadState.

Message #

IP: IP address = %7 %9 %8 state changed to Non-preferred. Interface = %1. DadState = %3.

Fields #

Name	Description
`Interface` UInt32	—
`Protocol` AnsiString	— Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`DadState` UInt32	—
`DlAddrLength` UInt32	—
`DLAddress` Binary	—
`IpAddrLength` UInt32	—
`IPv4Address` UInt32	—
`IPv6Address` Binary	—
`IPProtocol` UInt32	—

Event ID 1144 — IP: Interface Interface property change.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpInterfacePropertyChange

Description

IP: Interface Interface property change. Advertise= Advertise, AdvertiseDefaultRoute = AdvertiseDefaultRoute, Forward = Forward, ForwardMulticast = ForwardMulticast, UseNud = UseNud, AdvertisingEnabled = AdvertisingEnabled.

Message #

IP: Interface %1 property change. Advertise= %2, AdvertiseDefaultRoute = %3, Forward = %4, ForwardMulticast = %5, UseNud = %6, AdvertisingEnabled = %7.

Fields #

Name	Description
`Interface` UInt32	—
`Advertise` UInt32	—
`AdvertiseDefaultRoute` UInt32	—
`Forward` UInt32	—
`ForwardMulticast` UInt32	—
`UseNud` UInt32	—
`AdvertisingEnabled` UInt32	—
`WeakHostSend` UInt32	—
`WeakHostReceive` UInt32	—
`CompartmentId` UInt32	—
`AddressFamily` UInt32	—
`StrictSourceForwarding` UInt32	—

Event ID 1145 — IP: Route Route created on interface Interface.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpRouteCreated

Description

IP: Route Route created on interface Interface. Protocol = DestinationPrefix, DestinationPrefix = IPUnicastroutedeletionreason %18 NextHopAddress /NextHopAddressLength, Nexthop = %17 %18 DestinationPrefixLength, ValidLifetime = ValidLifetime, PreferredLifetime = PreferredLifetime.

Message #

IP: Route %1 created on interface %2. Protocol = %5, DestinationPrefix = %16 %18 %7 /%6, Nexthop = %17 %18 %8, ValidLifetime = %9, PreferredLifetime = %10.

Fields #

Name	Description
`Route` Pointer	—
`Interface` UInt32	—
`CompartmentId` UInt32	—
`DestinationPrefixAddressLength` UInt32	—
`DestinationPrefix` Binary	—
`NextHopAddressLength` UInt32	—
`NextHopAddress` Binary	—
`DestinationPrefixLength` UInt32	—
`ValidLifetime` UInt64	—
`PreferredLifetime` UInt64	—
`Metric` UInt32	—
`Loopback` UInt32	—
`AutoconfigureAddress` UInt32	—
`Publish` UInt32	—
`Immortal` UInt32	—
`IPUnicastroutedeletionreason` UInt32	—

Event ID 1146 — IP: Route Route deleted on interface Interface, Protocol = DestinationPrefix, DestinationPrefix = IPUnicastroutedeletionreason %18 NextHopAddress /NextHopAddressLength, Nexthop = %17 %18 Destinatio...

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpRouteDeleted

Description

IP: Route Route deleted on interface Interface, Protocol = DestinationPrefix, DestinationPrefix = IPUnicastroutedeletionreason %18 NextHopAddress /NextHopAddressLength, Nexthop = %17 %18 DestinationPrefixLength, ValidLifetime = ValidLifetime, PreferredLifetime = PreferredLifetime, Reason = %19.

Message #

IP: Route %1 deleted on interface %2, Protocol = %5, DestinationPrefix = %16 %18 %7 /%6, Nexthop = %17 %18 %8, ValidLifetime = %9, PreferredLifetime = %10, Reason = %19.

Fields #

Name	Description
`Route` Pointer	—
`Interface` UInt32	—
`CompartmentId` UInt32	—
`DestinationPrefixAddressLength` UInt32	—
`DestinationPrefix` Binary	—
`NextHopAddressLength` UInt32	—
`NextHopAddress` Binary	—
`DestinationPrefixLength` UInt32	—
`ValidLifetime` UInt64	—
`PreferredLifetime` UInt64	—
`Metric` UInt32	—
`Loopback` UInt32	—
`AutoconfigureAddress` UInt32	—
`Publish` UInt32	—
`Immortal` UInt32	—
`IPUnicastroutedeletionreason` UInt32	—

Event ID 1147 — IP: Route Route property change.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpRoutePropertyChange

Message #

IP: Route %1 property change. Interface = %2, Protocol = %5, DestinationPrefix = %16 %18 %7 /%6, Nexthop = %17 %18 %8. Properties: ValidLifetime = %9, PreferredLifetime = %10, Metric = %11, Loopback = %12, AutoconfigureAddress = %13, Publish = %14, Immortal = %15.

Fields #

Name	Description
`Route` Pointer	—
`Interface` UInt32	—
`CompartmentId` UInt32	—
`DestinationPrefixAddressLength` UInt32	—
`DestinationPrefix` Binary	—
`NextHopAddressLength` UInt32	—
`NextHopAddress` Binary	—
`DestinationPrefixLength` UInt32	—
`ValidLifetime` UInt64	—
`PreferredLifetime` UInt64	—
`Metric` UInt32	—
`Loopback` UInt32	—
`AutoconfigureAddress` UInt32	—
`Publish` UInt32	—
`Immortal` UInt32	—
`IPUnicastroutedeletionreason` UInt32	—

Event ID 1148 — IP: Neighbor unreachable.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpNeighborUnreachable

Description

IP: Neighbor unreachable. Interface Interface, IP address = IPv4Address IPProtocol IPv6Address.

Message #

IP: Neighbor unreachable. Interface %1, IP address = %5 %7 %6.

Fields #

Name	Description
`Interface` UInt32	—
`DlAddrLength` UInt32	—
`DlAddress` Binary	—
`IpAddrLength` UInt32	—
`IPv4Address` UInt32	—
`IPv6Address` Binary	—
`IPProtocol` UInt32	—

Event ID 1149 — IP: Neighbor reachable.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpNeighborReachable

Description

IP: Neighbor reachable. Interface Interface, IP address = IPv4Address IPProtocol IPv6Address, DlAddress = DlAddress.

Message #

IP: Neighbor reachable. Interface %1, IP address = %5 %7 %6, DlAddress = %3.

Fields #

Name	Description
`Interface` UInt32	—
`DlAddrLength` UInt32	—
`DlAddress` Binary	—
`IpAddrLength` UInt32	—
`IPv4Address` UInt32	—
`IPv6Address` Binary	—
`IPProtocol` UInt32	—

Event ID 1150 — TCP: CTCP DataTransferTimeout event.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpCtcpDataTransferTimeout

Description

TCP: CTCP DataTransferTimeout event. Connection Tcb, CWnd = Cwnd, SsThresh = SSThresh.

Message #

TCP: CTCP DataTransferTimeout event. Connection %1, CWnd = %2, SsThresh = %3.

Fields #

Name	Description
`Tcb` Pointer	—
`Cwnd` UInt32	—
`SSThresh` UInt32	—
`RttSample` UInt32	—
`NumBytes` UInt32	—
`SeqNo` UInt32	—
`SndUna` UInt32	—
`Round` UInt32	—
`SRTT` UInt32	—
`RTO` UInt32	—
`DWnd` UInt32	—
`BaseRtt` UInt32	—
`DupAckCount` UInt32	—

Event ID 1151 — TCP: CTCP Cumulative Ack event Connection Tcb, sequence = SeqNo, CWnd = Cwnd, DWnd = DWnd, BaseRtt = BaseRtt.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpCtcpDataTransferCumAck

Description

TCP: CTCP Cumulative Ack event Connection Tcb, sequence = SeqNo, CWnd = Cwnd, DWnd = DWnd, BaseRtt = BaseRtt.

Message #

TCP: CTCP Cumulative Ack event Connection %1, sequence = %6, CWnd = %2, DWnd = %11, BaseRtt = %12.

Fields #

Name	Description
`Tcb` Pointer	—
`Cwnd` UInt32	—
`SSThresh` UInt32	—
`RttSample` UInt32	—
`NumBytes` UInt32	—
`SeqNo` UInt32	—
`SndUna` UInt32	—
`Round` UInt32	—
`SRTT` UInt32	—
`RTO` UInt32	—
`DWnd` UInt32	—
`BaseRtt` UInt32	—
`DupAckCount` UInt32	—

Event ID 1152 — TCP: CTCP Duplicate Ack event.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpCtcpDataTransferDupAck

Description

TCP: CTCP Duplicate Ack event. Connection Tcb, sequence = SeqNo, SndUna = SndUna, CWnd = Cwnd, DWnd = DWnd, BaseRtt = BaseRtt, DupAckCount = DupAckCount.

Message #

TCP: CTCP Duplicate Ack event. Connection %1, sequence = %6, SndUna = %7, CWnd = %2, DWnd = %11, BaseRtt = %12, DupAckCount = %13.

Fields #

Name	Description
`Tcb` Pointer	—
`Cwnd` UInt32	—
`SSThresh` UInt32	—
`RttSample` UInt32	—
`NumBytes` UInt32	—
`SeqNo` UInt32	—
`SndUna` UInt32	—
`Round` UInt32	—
`SRTT` UInt32	—
`RTO` UInt32	—
`DWnd` UInt32	—
`BaseRtt` UInt32	—
`DupAckCount` UInt32	—

Event ID 1153 — TCP: CTCP Send event.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpCtcpDataTransferSend

Description

TCP: CTCP Send event. Connection Tcb, sequence = SeqNo, length = NumBytes.

Message #

TCP: CTCP Send event. Connection %1, sequence = %6, length = %5.

Fields #

Name	Description
`Tcb` Pointer	—
`Cwnd` UInt32	—
`SSThresh` UInt32	—
`RttSample` UInt32	—
`NumBytes` UInt32	—
`SeqNo` UInt32	—
`SndUna` UInt32	—
`Round` UInt32	—
`SRTT` UInt32	—
`RTO` UInt32	—
`DWnd` UInt32	—
`BaseRtt` UInt32	—
`DupAckCount` UInt32	—

Event ID 1154 — TCP: CTCP ECN event.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpCtcpDataTransferEcn

Description

TCP: CTCP ECN event. Connection Tcb, CWnd Cwnd, SndUna = SndUna, Mss = Mss, DWnd = DWnd, BaseRtt = BaseRtt.

Message #

TCP: CTCP ECN event. Connection %1, CWnd %2, SndUna = %4, Mss = %5, DWnd = %7, BaseRtt = %8.

Fields #

Name	Description
`Tcb` Pointer	—
`Cwnd` UInt32	—
`SSThresh` UInt32	—
`SndUna` UInt32	—
`Mss` UInt32	—
`ThAck` UInt32	—
`DWnd` UInt32	—
`BaseRtt` UInt32	—

Event ID 1155 — TCP: CTCP Spurious timeout event.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpCtcpDataTransferSpuriousTimeout

Description

TCP: CTCP Spurious timeout event. Connection Tcb, CWnd = Cwnd, SsThresh = SSThresh.

Message #

TCP: CTCP Spurious timeout event. Connection %1, CWnd = %2, SsThresh = %3.

Fields #

Name	Description
`Tcb` Pointer	—
`Cwnd` UInt32	—
`SSThresh` UInt32	—
`RttSample` UInt32	—
`NumBytes` UInt32	—
`SeqNo` UInt32	—
`SndUna` UInt32	—
`Round` UInt32	—
`SRTT` UInt32	—
`RTO` UInt32	—
`DWnd` UInt32	—
`BaseRtt` UInt32	—
`DupAckCount` UInt32	—

Event ID 1156 — TCP: connection Tcb, delivery Delivery, Request Request posted for NumBytes bytes, flags = RequestFlags.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpReceiveRequest

Description

TCP: connection Tcb, delivery Delivery, Request Request posted for NumBytes bytes, flags = RequestFlags. RcvNxt = RcvNxt.

Message #

TCP: connection %1, delivery %2, Request %3  posted for %4 bytes, flags = %5. RcvNxt = %10.

Fields #

Name	Description
`Tcb` Pointer	—
`Delivery` Pointer	—
`Request` Pointer	—
`NumBytes` Pointer	—
`RequestFlags` UInt32	—
`Length` Pointer	—
`RequestStatus` UInt32	—
`IsUrgentDelivery` UInt32	—
`FullySatisfiedORDelayedPush` UInt32	—
`RcvNxt` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1156",
    "version": "0",
    "level": "4",
    "task": "1156",
    "opcode": "0",
    "keywords": 9223372045444710400,
    "time_created": "2026-03-16T00:21:34.389030100+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{1018b560-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "4168",
      "thread_id": "6880"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A1018B560",
    "Delivery": "0xFFFF980A1018B790",
    "Request": "0xFFFF980A15EC82E0",
    "NumBytes": "0x6",
    "RequestFlags": "       0",
    "Length": "0x0",
    "RequestStatus": "0x0",
    "IsUrgentDelivery": "       0",
    "FullySatisfiedORDelayedPush": "       0",
    "RcvNxt": "3537939053"
  },
  "message": ""
}

Event ID 1157 — TCP: connection Tcb delivery Delivery indicated NumBytes bytes accepted Length bytes, status = RequestStatus.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpDeliveryIndicated

Description

TCP: connection Tcb delivery Delivery indicated NumBytes bytes accepted Length bytes, status = RequestStatus. RcvNxt = RcvNxt.

Message #

TCP: connection %1 delivery %2 indicated %4 bytes accepted %6 bytes, status = %7. RcvNxt = %10.

Fields #

Name	Description
`Tcb` Pointer	—
`Delivery` Pointer	—
`Request` Pointer	—
`NumBytes` Pointer	—
`RequestFlags` UInt32	—
`Length` Pointer	—
`RequestStatus` UInt32	—
`IsUrgentDelivery` UInt32	—
`FullySatisfiedORDelayedPush` UInt32	—
`RcvNxt` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1157",
    "version": "0",
    "level": "4",
    "task": "1157",
    "opcode": "0",
    "keywords": 9223372045444710400,
    "time_created": "2026-03-16T00:21:34.418359700+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{1018b560-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "4",
      "thread_id": "8632"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A1018B560",
    "Delivery": "0xFFFF980A1018B790",
    "Request": "0x0",
    "NumBytes": "0x6",
    "RequestFlags": "       0",
    "Length": "0x0",
    "RequestStatus": "0xC000021B",
    "IsUrgentDelivery": "       0",
    "FullySatisfiedORDelayedPush": "       0",
    "RcvNxt": "3537939065"
  },
  "message": ""
}

Event ID 1158 — TCP: connection Tcb delivery Delivery satisfied NumBytes bytes Length requested.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpDeliverySatisfied

Description

TCP: connection Tcb delivery Delivery satisfied NumBytes bytes Length requested. IsFullySatisfied = FullySatisfiedORDelayedPush. RcvNxt = RcvNxt.

Message #

TCP: connection %1 delivery %2 satisfied %4 bytes %6 requested. IsFullySatisfied = %9. RcvNxt = %10.

Fields #

Name	Description
`Tcb` Pointer	—
`Delivery` Pointer	—
`Request` Pointer	—
`NumBytes` Pointer	—
`RequestFlags` UInt32	—
`Length` Pointer	—
`RequestStatus` UInt32	—
`IsUrgentDelivery` UInt32	—
`FullySatisfiedORDelayedPush` UInt32	—
`RcvNxt` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1158",
    "version": "0",
    "level": "4",
    "task": "1158",
    "opcode": "0",
    "keywords": 9223372045444710400,
    "time_created": "2026-03-16T00:21:34.390668300+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{1018b560-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "4248",
      "thread_id": "4684"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A1018B560",
    "Delivery": "0xFFFF980A1018B790",
    "Request": "0xFFFF980A15EC82E0",
    "NumBytes": "0x6",
    "RequestFlags": "       0",
    "Length": "0x6",
    "RequestStatus": "0x0",
    "IsUrgentDelivery": "       0",
    "FullySatisfiedORDelayedPush": "       1",
    "RcvNxt": "3537939053"
  },
  "message": ""
}

Event ID 1159 — TCP: connection Tcb send Injected NumBytes bytes at SndNxt.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpSendPosted

Description

TCP: connection Tcb send Injected NumBytes bytes at SndNxt.

Message #

TCP: connection %1 send %2 %3 bytes at %4.

Fields #

Name	Description
`Tcb` Pointer	—
`Injected` UnicodeString	—
`NumBytes` UInt32	—
`SndNxt` UInt32	—
`SendAvailable` UInt32	—
`ActivityID` Pointer	—
`SndLimBytesSnd` UInt64	—
`SndLimBytesRwin` UInt64	—
`SndLimBytesCwnd` UInt64	—
`CWnd` UInt32	—
`SRtt` UInt32	—
`LossRecoveryEpisodes` UInt32	—
`RtoEpisodes` UInt32	—
`PtoEpisodes` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1159",
    "version": "0",
    "level": "4",
    "task": "1159",
    "opcode": "0",
    "keywords": 9223372041149743104,
    "time_created": "2026-03-16T00:21:34.388647300+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{1018b560-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "4168",
      "thread_id": "6880"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A1018B560",
    "Injected": "posted",
    "NumBytes": "    1303",
    "SndNxt": "2307521250"
  },
  "message": ""
}

Event ID 1160 — TCP: connection Tcb send transmitted NumBytes bytes at SndNxt.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Verbose
Task: TcpSendTransmitted

Description

TCP: connection Tcb send transmitted NumBytes bytes at SndNxt.

Message #

TCP: connection %1 send transmitted %3 bytes at %4.

Fields #

Name	Description
`Tcb` Pointer	—
`Injected` UnicodeString	—
`NumBytes` UInt32	—
`SndNxt` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1160",
    "version": "0",
    "level": "5",
    "task": "1160",
    "opcode": "0",
    "keywords": 9223372041149743104,
    "time_created": "2026-03-16T00:21:34.388761700+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{1018b560-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "4168",
      "thread_id": "6880"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A1018B560",
    "Injected": "",
    "NumBytes": "    1303",
    "SndNxt": "2307521250"
  },
  "message": ""
}

Event ID 1161 — TCP: connection Tcb send advance NumBytes bytes at SndNxt.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Verbose
Task: TcpSendAdvance

Description

TCP: connection Tcb send advance NumBytes bytes at SndNxt.

Message #

TCP: connection %1 send advance %3 bytes at %4.

Fields #

Name	Description
`Tcb` Pointer	—
`Injected` UnicodeString	—
`NumBytes` UInt32	—
`SndNxt` UInt32	—
`SendAvailable` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1161",
    "version": "0",
    "level": "5",
    "task": "1161",
    "opcode": "0",
    "keywords": 9223372041149743104,
    "time_created": "2026-03-16T00:21:34.390443300+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{1018b560-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "4248",
      "thread_id": "4684"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A1018B560",
    "Injected": "",
    "NumBytes": "    1303",
    "SndNxt": "2307521250"
  },
  "message": ""
}

Event ID 1162 — TCP: CTcp: Connection Tcb Delay window has not kicked in.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpCTcpDelayWndwInactive

Description

TCP: CTcp: Connection Tcb Delay window has not kicked in.

Message #

TCP: CTcp: Connection %1 Delay window has not kicked in.

Fields #

Name	Description
`Tcb` Pointer	—
`Status` UInt32	— NTSTATUS reference
`AddressFamily` UInt32	—

Event ID 1163 — TCP: CTcp: Allocated blocks: AssignedBlocks; Assigned blocks: AllocatedBlocks.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpCTcpAssignedBlocks

Description

TCP: CTcp: Allocated blocks: AssignedBlocks; Assigned blocks: AllocatedBlocks.

Message #

TCP: CTcp: Allocated blocks: %1; Assigned blocks: %2.

Fields #

Name	Description
`AssignedBlocks` UInt32	—
`AllocatedBlocks` UInt32	—

Event ID 1164 — TCP: CTcp: Connection Tcb, DWnd = DWnd (Prev = PrevDWnd), BaseRtt = BaseRtt, AverageRtt = AvgRtt, CWnd =Cwnd, DiffWnd = DiffWnd, DWnd increment = DwndIncrement.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpCTcpCongestionWndw

Description

TCP: CTcp: Connection Tcb, DWnd = DWnd (Prev = PrevDWnd), BaseRtt = BaseRtt, AverageRtt = AvgRtt, CWnd =Cwnd, DiffWnd = DiffWnd, DWnd increment = DwndIncrement.

Message #

TCP: CTcp: Connection %1, DWnd = %2 (Prev = %3), BaseRtt = %4, AverageRtt = %5, CWnd =%6, DiffWnd = %7, DWnd increment = %8.

Fields #

Name	Description
`Tcb` Pointer	—
`DWnd` UInt32	—
`PrevDWnd` UInt32	—
`BaseRtt` UInt32	—
`AvgRtt` UInt32	—
`Cwnd` UInt32	—
`DiffWnd` UInt32	—
`DwndIncrement` UInt32	—

Event ID 1165 — TCP: CTcp: Gamma Autotuning: Connection Tcb Updated Gamma Gamma, Average backlog AverageBacklog, Average backlog across LFPs AverageBacklogAcrossLFP.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpCTcpGamma

Description

TCP: CTcp: Gamma Autotuning: Connection Tcb Updated Gamma Gamma, Average backlog AverageBacklog, Average backlog across LFPs AverageBacklogAcrossLFP.

Message #

TCP: CTcp: Gamma Autotuning: Connection %1 Updated Gamma %2, Average backlog %3, Average backlog across LFPs %4.

Fields #

Name	Description
`Tcb` Pointer	—
`Gamma` UInt32	—
`AverageBacklog` UInt32	—
`AverageBacklogAcrossLFP` UInt32	—

Event ID 1166 — TCP: connection Tcb SRTT measurement started (seq = SeqNum, tick = Tick).

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpSrttMeasurementStarted

Description

TCP: connection Tcb SRTT measurement started (seq = SeqNum, tick = Tick).

Message #

TCP: connection %1 SRTT measurement started (seq = %2, tick = %3).

Fields #

Name	Description
`Tcb` Pointer	—
`SeqNum` UInt32	—
`Tick` UInt32	—
`RttSample` UInt32	—
`NewSrtt` UInt32	—

Event ID 1167 — TCP: connection Tcb SRTT measurement complete (tick = Tick, sample = RttSample ms, new srtt = NewSrtt ms).

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpSrttMeasurementComplete

Description

TCP: connection Tcb SRTT measurement complete (tick = Tick, sample = RttSample ms, new srtt = NewSrtt ms).

Message #

TCP: connection %1 SRTT measurement complete (tick = %3, sample = %4 ms, new srtt = %5 ms).

Fields #

Name	Description
`Tcb` Pointer	—
`SeqNum` UInt32	—
`Tick` UInt32	—
`RttSample` UInt32	—
`NewSrtt` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1167",
    "version": "0",
    "level": "4",
    "task": "1167",
    "opcode": "0",
    "keywords": 9223372041149743104,
    "time_created": "2026-03-15T23:26:13.268231300+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{ff7af7e0-d78f-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "4200",
      "thread_id": "7084"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFFD78FFF7AF7E0",
    "SeqNum": "       0",
    "Tick": "66907815",
    "RttSample": "       0",
    "NewSrtt": "       0"
  },
  "message": ""
}

Event ID 1168 — TCP: connection Tcb: SRTT measurement cancelled.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Verbose
Task: TcpSrttMeasurementCancelled

Description

TCP: connection Tcb: SRTT measurement cancelled.

Message #

TCP: connection %1: SRTT measurement cancelled.

Fields #

Name	Description
`Tcb` Pointer	—
`SeqNum` UInt32	—
`Tick` UInt32	—
`RttSample` UInt32	—
`NewSrtt` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1168",
    "version": "0",
    "level": "5",
    "task": "1168",
    "opcode": "0",
    "keywords": 9223372041149743104,
    "time_created": "2026-03-15T23:27:12.440661100+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{fd182260-d78f-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFFD78FFD182260",
    "SeqNum": "       0",
    "Tick": "       0",
    "RttSample": "       0",
    "NewSrtt": "       0"
  },
  "message": ""
}

Event ID 1169 — UDP: endpoint Endpoint (LocalAddress = LocalSockAddr, RemoteAddress = RemoteSockAddr) sending NumMessages messages and a total of NumBytes bytes.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: UdpEndpointSendMessages

Description

UDP: endpoint Endpoint (LocalAddress = LocalSockAddr, RemoteAddress = RemoteSockAddr) sending NumMessages messages and a total of NumBytes bytes. PID = Pid.

Message #

UDP: endpoint %1 (LocalAddress = %5, RemoteAddress = %7) sending %2 messages and a total of %3 bytes. PID = %8.

Fields #

Name	Description
`Endpoint` Pointer	—
`NumMessages` UInt32	—
`NumBytes` UInt32	—
`LocalSockAddrLength` UInt32	—
`LocalSockAddr` Binary	—
`RemoteSockAddrLength` UInt32	—
`RemoteSockAddr` Binary	—
`Pid` UInt32	—
`ProcessStartKey` UInt64	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1169",
    "version": "0",
    "level": "4",
    "task": "1169",
    "opcode": "0",
    "keywords": 9223372041149743104,
    "time_created": "2026-03-16T00:21:40.078234200+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{11735e80-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "228",
      "thread_id": "8220"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Endpoint": "0xFFFF980A11735E80",
    "NumMessages": "       1",
    "NumBytes": "      63",
    "LocalSockAddrLength": "      28",
    "LocalSockAddr": "[::ffff:0:0]:53893",
    "RemoteSockAddrLength": "      28",
    "RemoteSockAddr": "[::ffff:10.2.10.11]:53",
    "Pid": "     228"
  },
  "message": ""
}

Event ID 1170 — UDP: endpoint Endpoint (LocalAddress = LocalSockAddr, RemoteAddress = RemoteSockAddr) delivering NumBytes bytes.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: UdpEndpointReceiveMessages

Description

UDP: endpoint Endpoint (LocalAddress = LocalSockAddr, RemoteAddress = RemoteSockAddr) delivering NumBytes bytes. PID = Pid.

Message #

UDP: endpoint %1 (LocalAddress = %5, RemoteAddress = %7) delivering %3 bytes. PID = %8.

Fields #

Name	Description
`Endpoint` Pointer	—
`NumMessages` UInt32	—
`NumBytes` UInt32	—
`LocalSockAddrLength` UInt32	—
`LocalSockAddr` Binary	—
`RemoteSockAddrLength` UInt32	—
`RemoteSockAddr` Binary	—
`Pid` UInt32	—
`ProcessStartKey` UInt64	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1170",
    "version": "0",
    "level": "4",
    "task": "1170",
    "opcode": "0",
    "keywords": 9223372045444710400,
    "time_created": "2026-03-16T00:21:40.117082900+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{11735e80-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Endpoint": "0xFFFF980A11735E80",
    "NumMessages": "       0",
    "NumBytes": "     186",
    "LocalSockAddrLength": "      28",
    "LocalSockAddr": "[::ffff:10.2.10.21]:53893",
    "RemoteSockAddrLength": "      28",
    "RemoteSockAddr": "[::ffff:10.2.10.11]:53",
    "Pid": "     228"
  },
  "message": ""
}

Event ID 1171 — TCP: connection Tcb delivery Delivery flushing NumBytes bytes Length requested status = RequestStatus.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Verbose
Task: TcpDeliveryFlush

Description

TCP: connection Tcb delivery Delivery flushing NumBytes bytes Length requested status = RequestStatus.

Message #

TCP: connection %1 delivery %2 flushing %4 bytes %6 requested status = %7.

Fields #

Name	Description
`Tcb` Pointer	—
`Delivery` Pointer	—
`Request` Pointer	—
`NumBytes` Pointer	—
`RequestFlags` UInt32	—
`Length` Pointer	—
`RequestStatus` UInt32	—
`IsUrgentDelivery` UInt32	—
`FullySatisfiedORDelayedPush` UInt32	—
`RcvNxt` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1171",
    "version": "0",
    "level": "5",
    "task": "1171",
    "opcode": "0",
    "keywords": 9223372045444710400,
    "time_created": "2026-03-16T00:21:40.593480400+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{15ce6ae0-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "3688",
      "thread_id": "7552"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A15CE6AE0",
    "Delivery": "0xFFFF980A15CE6D10",
    "Request": "0xFFFF980A11C13950",
    "NumBytes": "0x0",
    "RequestFlags": "       0",
    "Length": "0x2000",
    "RequestStatus": "0xC0000120",
    "IsUrgentDelivery": "       0",
    "FullySatisfiedORDelayedPush": "       0",
    "RcvNxt": "       0"
  },
  "message": ""
}

Event ID 1172 — TCP: Injecting receive on a shutdown TCB failed.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpTcbInjectRcvFailure

Description

TCP: Injecting receive on a shutdown TCB failed. TCB = Tcb.

Message #

TCP: Injecting receive on a shutdown TCB failed. TCB = %1.

Fields #

Name	Description
`Tcb` Pointer	—
`Delivery` Pointer	—
`Request` Pointer	—
`NumBytes` Pointer	—
`RequestFlags` UInt32	—
`Length` Pointer	—
`RequestStatus` UInt32	—
`IsUrgentDelivery` UInt32	—
`FullySatisfiedORDelayedPush` UInt32	—
`RcvNxt` UInt32	—

Event ID 1173 — TCP: connection Tcb delivery Delivery injecting NumBytes bytes delta Length, IsUrgentDelivery = IsUrgentDelivery.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Verbose
Task: TcpDeliveryInjectingData

Description

TCP: connection Tcb delivery Delivery injecting NumBytes bytes delta Length, IsUrgentDelivery = IsUrgentDelivery.

Message #

TCP: connection %1 delivery %2 injecting %4 bytes delta %6, IsUrgentDelivery = %8.

Fields #

Name	Description
`Tcb` Pointer	—
`Delivery` Pointer	—
`Request` Pointer	—
`NumBytes` Pointer	—
`RequestFlags` UInt32	—
`Length` Pointer	—
`RequestStatus` UInt32	—
`IsUrgentDelivery` UInt32	—
`FullySatisfiedORDelayedPush` UInt32	—
`RcvNxt` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1173",
    "version": "0",
    "level": "5",
    "task": "1173",
    "opcode": "0",
    "keywords": 9223372045444710400,
    "time_created": "2026-03-16T00:23:28.315732300+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{0e584560-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "4",
      "thread_id": "7644"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A0E584560",
    "Delivery": "0xFFFF980A0E584790",
    "Request": "0x0",
    "NumBytes": "0x0",
    "RequestFlags": "       0",
    "Length": "0x70",
    "RequestStatus": "0x0",
    "IsUrgentDelivery": "       0",
    "FullySatisfiedORDelayedPush": "       0",
    "RcvNxt": "       0"
  },
  "message": ""
}

Event ID 1174 — TCP: Injecting fin on a shutdown TCB failed.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpTcbInjectFinFailure

Description

TCP: Injecting fin on a shutdown TCB failed. TCB = Tcb.

Message #

TCP: Injecting fin on a shutdown TCB failed. TCB = %1.

Fields #

Name	Description
`Tcb` Pointer	—
`Delivery` Pointer	—
`Request` Pointer	—
`NumBytes` Pointer	—
`RequestFlags` UInt32	—
`Length` Pointer	—
`RequestStatus` UInt32	—
`IsUrgentDelivery` UInt32	—
`FullySatisfiedORDelayedPush` UInt32	—
`RcvNxt` UInt32	—

Event ID 1175 — TCP: connection Tcb delivery Delivery accepting NumBytes bytes.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Verbose
Task: TcpDeliveryAccept

Description

TCP: connection Tcb delivery Delivery accepting NumBytes bytes. RcvNxt = RcvNxt.

Message #

TCP: connection %1 delivery %2 accepting %4 bytes. RcvNxt = %10.

Fields #

Name	Description
`Tcb` Pointer	—
`Delivery` Pointer	—
`Request` Pointer	—
`NumBytes` Pointer	—
`RequestFlags` UInt32	—
`Length` Pointer	—
`RequestStatus` UInt32	—
`IsUrgentDelivery` UInt32	—
`FullySatisfiedORDelayedPush` UInt32	—
`RcvNxt` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1175",
    "version": "0",
    "level": "5",
    "task": "1175",
    "opcode": "0",
    "keywords": 9223372045444710400,
    "time_created": "2026-03-16T00:22:29.058226900+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{1018b560-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A1018B560",
    "Delivery": "0xFFFF980A1018B790",
    "Request": "0x0",
    "NumBytes": "0x6",
    "RequestFlags": "       0",
    "Length": "0x0",
    "RequestStatus": "0x0",
    "IsUrgentDelivery": "       0",
    "FullySatisfiedORDelayedPush": "       0",
    "RcvNxt": "3537945353"
  },
  "message": ""
}

Event ID 1176 — TCP: connection Tcb delivery Delivery delivering FIN.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpDeliveryFin

Description

TCP: connection Tcb delivery Delivery delivering FIN. RcvNxt = RcvNxt.

Message #

TCP: connection %1 delivery %2 delivering FIN. RcvNxt = %10.

Fields #

Name	Description
`Tcb` Pointer	—
`Delivery` Pointer	—
`Request` Pointer	—
`NumBytes` Pointer	—
`RequestFlags` UInt32	—
`Length` Pointer	—
`RequestStatus` UInt32	—
`IsUrgentDelivery` UInt32	—
`FullySatisfiedORDelayedPush` UInt32	—
`RcvNxt` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1176",
    "version": "0",
    "level": "4",
    "task": "1176",
    "opcode": "0",
    "keywords": 9223372045444710400,
    "time_created": "2026-03-16T00:21:38.731999900+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{0eee7560-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A0EEE7560",
    "Delivery": "0xFFFF980A0EEE7790",
    "Request": "0x0",
    "NumBytes": "0x0",
    "RequestFlags": "       0",
    "Length": "0x0",
    "RequestStatus": "0x0",
    "IsUrgentDelivery": "       0",
    "FullySatisfiedORDelayedPush": "       0",
    "RcvNxt": "2633618840"
  },
  "message": ""
}

Event ID 1178 — TCP: connection Tcb delivery Delivery pushing NumBytes bytes Length requested.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpDeliveryPush

Description

TCP: connection Tcb delivery Delivery pushing NumBytes bytes Length requested. Delayed push = FullySatisfiedORDelayedPush.

Message #

TCP: connection %1 delivery %2 pushing %4 bytes %6 requested. Delayed push = %9.

Fields #

Name	Description
`Tcb` Pointer	—
`Delivery` Pointer	—
`Request` Pointer	—
`NumBytes` Pointer	—
`RequestFlags` UInt32	—
`Length` Pointer	—
`RequestStatus` UInt32	—
`IsUrgentDelivery` UInt32	—
`FullySatisfiedORDelayedPush` UInt32	—
`RcvNxt` UInt32	—

Event ID 1180 — TCP: Injecting fin on TCB completed.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Verbose
Task: TcpTcbInjectFinComplete

Description

TCP: Injecting fin on TCB completed. TCB = Tcb, Processor = NumBytes.

Message #

TCP: Injecting fin on TCB completed. TCB = %1, Processor = %4.

Fields #

Name	Description
`Tcb` Pointer	—
`Delivery` Pointer	—
`Request` Pointer	—
`NumBytes` Pointer	—
`RequestFlags` UInt32	—
`Length` Pointer	—
`RequestStatus` UInt32	—
`IsUrgentDelivery` UInt32	—
`FullySatisfiedORDelayedPush` UInt32	—
`RcvNxt` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1180",
    "version": "0",
    "level": "5",
    "task": "1180",
    "opcode": "0",
    "keywords": 9223372045444710400,
    "time_created": "2026-03-16T00:23:59.852963300+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{14cde010-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "4",
      "thread_id": "13080"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A14CDE010",
    "Delivery": "0x0",
    "Request": "0x0",
    "NumBytes": "0xD",
    "RequestFlags": "       0",
    "Length": "0x0",
    "RequestStatus": "0x0",
    "IsUrgentDelivery": "       0",
    "FullySatisfiedORDelayedPush": "       0",
    "RcvNxt": "       0"
  },
  "message": ""
}

Event ID 1181 — TCP: connection Tcb delivery Delivery urgent boundary completing NumBytes bytes Length requested.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpDeliveryCompleting

Description

TCP: connection Tcb delivery Delivery urgent boundary completing NumBytes bytes Length requested.

Message #

TCP: connection %1 delivery %2 urgent boundary completing %4 bytes %6 requested.

Fields #

Name	Description
`Tcb` Pointer	—
`Delivery` Pointer	—
`Request` Pointer	—
`NumBytes` Pointer	—
`RequestFlags` UInt32	—
`Length` Pointer	—
`RequestStatus` UInt32	—
`IsUrgentDelivery` UInt32	—
`FullySatisfiedORDelayedPush` UInt32	—
`RcvNxt` UInt32	—

Event ID 1182 — TCP: connection Tcb (local=LocalAddress remote=RemoteAddress): initiating SYN/RST validation.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpInitiateSynRstValidation

Description

TCP: connection Tcb (local=LocalAddress remote=RemoteAddress): initiating SYN/RST validation.

Message #

TCP: connection %1 (local=%3 remote=%5): initiating SYN/RST validation.

Fields #

Name	Description
`Tcb` Pointer	—
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`NewState` UInt32	—
`RexmitCount` UInt32	—

Event ID 1183 — TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connect failed: received RST.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpConnectTcbFailedRcvdRst

Description

TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connect failed: received RST.

Message #

TCP: connection %1 (local=%3 remote=%5) connect failed: received RST.

Fields #

Name	Description
`Tcb` Pointer	—
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`NewState` UInt32	—
`RexmitCount` UInt32	—

Event ID 1184 — TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connection terminated: received RST.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpConnectionTerminatedRcvdRst

Description

TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connection terminated: received RST.

Message #

TCP: connection %1 (local=%3 remote=%5) connection terminated: received RST.

Fields #

Name	Description
`Tcb` Pointer	—
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`NewState` UInt32	—
`RexmitCount` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1184",
    "version": "0",
    "level": "4",
    "task": "1184",
    "opcode": "0",
    "keywords": 9223372062624579712,
    "time_created": "2026-03-16T00:23:11.140010200+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{11ae9ae0-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A11AE9AE0",
    "LocalAddressLength": "      16",
    "LocalAddress": "10.2.10.21:53002",
    "RemoteAddressLength": "      16",
    "RemoteAddress": "10.2.10.11:445",
    "NewState": "       0",
    "RexmitCount": "       0"
  },
  "message": ""
}

Event ID 1185 — TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connection terminated: received SYN in state NewState.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpConnectionTerminatedRcvdSyn

Description

TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) connection terminated: received SYN in state NewState.

Message #

TCP: connection %1 (local=%3 remote=%5) connection terminated: received SYN in state %6.

Fields #

Name	Description
`Tcb` Pointer	—
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`NewState` UInt32	—
`RexmitCount` UInt32	—

Event ID 1186 — TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) retransmitting connect attempt, RexmitCount = RexmitCount.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpConnectRestransmit

Description

TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) retransmitting connect attempt, RexmitCount = RexmitCount.

Message #

TCP: connection %1 (local=%3 remote=%5) retransmitting connect attempt, RexmitCount = %7.

Fields #

Name	Description
`Tcb` Pointer	—
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`NewState` UInt32	—
`RexmitCount` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1186",
    "version": "0",
    "level": "4",
    "task": "1186",
    "opcode": "0",
    "keywords": 9223372058329612416,
    "time_created": "2026-03-15T23:31:42.716275300+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{f9ca95f0-d78f-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFFD78FF9CA95F0",
    "LocalAddressLength": "      16",
    "LocalAddress": "10.2.10.11:51269",
    "RemoteAddressLength": "      16",
    "RemoteAddress": "10.2.10.21:389",
    "NewState": "       0",
    "RexmitCount": "       1"
  },
  "message": ""
}

Event ID 1187 — TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) retransmitting data, RexmitCount = RexmitCount.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpDataTransferRestransmit

Description

TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) retransmitting data, RexmitCount = RexmitCount.

Message #

TCP: connection %1 (local=%3 remote=%5) retransmitting data, RexmitCount = %7.

Fields #

Name	Description
`Tcb` Pointer	—
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`NewState` UInt32	—
`RexmitCount` UInt32	—

Event ID 1188 — TCP: connection Tcb send keep-alive at SndUna = SndUna.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpConnectionKeepAlive

Description

TCP: connection Tcb send keep-alive at SndUna = SndUna.

Message #

TCP: connection %1 send keep-alive at SndUna = %2.

Fields #

Name	Description
`Tcb` Pointer	—
`SndUna` UInt32	—
`SndMax` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1188",
    "version": "0",
    "level": "4",
    "task": "1188",
    "opcode": "0",
    "keywords": 9223372058329612416,
    "time_created": "2026-03-16T00:21:53.057881700+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{0e584560-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A0E584560",
    "SndUna": "2262383926",
    "SndMax": "       0"
  },
  "message": ""
}

Event ID 1189 — TCP: connection Tcb, delivery Delivery: delivery state changed from OldDeliveryState to NewDeliveryState.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpDeliveryStateChange

Description

TCP: connection Tcb, delivery Delivery: delivery state changed from OldDeliveryState to NewDeliveryState.

Message #

TCP: connection %1, delivery %2: delivery state changed from %3 to %4.

Fields #

Name	Description
`Tcb` Pointer	—
`Delivery` Pointer	—
`OldDeliveryState` UInt32	—
`NewDeliveryState` UInt32	—

Event ID 1190 — TCP: connection Tcb delivery Delivery dropping data.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpDeliveryDataDropped

Description

TCP: connection Tcb delivery Delivery dropping data. TotalBytesEnqueued = NumBytes. Length = Length. RcvNxt = RcvNxt.

Message #

TCP: connection %1 delivery %2 dropping data. TotalBytesEnqueued = %4. Length = %6. RcvNxt = %10.

Fields #

Name	Description
`Tcb` Pointer	—
`Delivery` Pointer	—
`Request` Pointer	—
`NumBytes` Pointer	—
`RequestFlags` UInt32	—
`Length` Pointer	—
`RequestStatus` UInt32	—
`IsUrgentDelivery` UInt32	—
`FullySatisfiedORDelayedPush` UInt32	—
`RcvNxt` UInt32	—

Event ID 1191 — TCP: endpoint/connection PortAcquirer acquired port number PortNumber.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpAcquirePort

Description

TCP: endpoint/connection PortAcquirer acquired port number PortNumber.

Message #

TCP: endpoint/connection %1 acquired port number %2.

Fields #

Name	Description
`PortAcquirer` Pointer	—
`PortNumber` UInt16	—
`WeakReference` UInt32	—
`OriginalAcquirer` Pointer	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1191",
    "version": "0",
    "level": "4",
    "task": "1191",
    "opcode": "0",
    "keywords": 9223372054034644992,
    "time_created": "2026-03-16T00:21:40.119043200+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{0da8a910-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "3688",
      "thread_id": "12888"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "PortAcquirer": "0xFFFF980A0DA8A910",
    "PortNumber": "52999",
    "WeakReference": "       0",
    "OriginalAcquirer": "0x0"
  },
  "message": ""
}

Event ID 1192 — TCP: connection PortAcquirer attempted to acquire weak reference on port number PortNumber inherited from endpoint OriginalAcquirer.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpAcquireWeakRefPort

Description

TCP: connection PortAcquirer attempted to acquire weak reference on port number PortNumber inherited from endpoint OriginalAcquirer. Successful = WeakReference.

Message #

TCP: connection %1 attempted to acquire weak reference on port number %2 inherited from endpoint %4. Successful = %3.

Fields #

Name	Description
`PortAcquirer` Pointer	—
`PortNumber` UInt16	—
`WeakReference` UInt32	—
`OriginalAcquirer` Pointer	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1192",
    "version": "0",
    "level": "4",
    "task": "1192",
    "opcode": "0",
    "keywords": 9223372054034644992,
    "time_created": "2026-03-16T00:21:38.719220200+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{0eee7560-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "PortAcquirer": "0xFFFF980A0EEE7560",
    "PortNumber": "5985",
    "WeakReference": "       1",
    "OriginalAcquirer": "0xFFFF980A0EF4B580"
  },
  "message": ""
}

Event ID 1193 — TCP: endpoint/connection PortAcquirer released port number PortNumber.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpReleasePort

Description

TCP: endpoint/connection PortAcquirer released port number PortNumber. WeakReference = WeakReference.

Message #

TCP: endpoint/connection %1 released port number %2. WeakReference = %3.

Fields #

Name	Description
`PortAcquirer` Pointer	—
`PortNumber` UInt16	—
`WeakReference` UInt32	—
`OriginalAcquirer` Pointer	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1193",
    "version": "0",
    "level": "4",
    "task": "1193",
    "opcode": "0",
    "keywords": 9223372054034644992,
    "time_created": "2026-03-16T00:21:38.733428000+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{0eee7560-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "4",
      "thread_id": "7444"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "PortAcquirer": "0xFFFF980A0EEE7560",
    "PortNumber": "5985",
    "WeakReference": "       1",
    "OriginalAcquirer": "0x0"
  },
  "message": ""
}

Event ID 1194 — TCP: endpoint/connection PortAcquirer replaced base endpoint OriginalAcquirer and acquired reference to port number PortNumber.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpReplacePort

Description

TCP: endpoint/connection PortAcquirer replaced base endpoint OriginalAcquirer and acquired reference to port number PortNumber.

Message #

TCP: endpoint/connection %1 replaced base endpoint %4 and acquired reference to port number %2.

Fields #

Name	Description
`PortAcquirer` Pointer	—
`PortNumber` UInt16	—
`WeakReference` UInt32	—
`OriginalAcquirer` Pointer	—

Event ID 1195 — TCP: Portpool assigned port number PortNumber with weak references due to port exhaustion.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpAssignedWeakReferencePort

Description

TCP: Portpool assigned port number PortNumber with weak references due to port exhaustion.

Message #

TCP: Portpool assigned port number %2 with weak references due to port exhaustion.

Fields #

Name	Description
`PortAcquirer` Pointer	—
`PortNumber` UInt16	—
`WeakReference` UInt32	—
`OriginalAcquirer` Pointer	—

Event ID 1196 — TCP: connection Tcb BH receive ACK for full size seq.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpBhDetectFullSizeAck

Description

TCP: connection Tcb BH receive ACK for full size seq. Seq = SndUna. IsSack = IsSack.

Message #

TCP: connection %1 BH receive ACK for full size seq. Seq = %2. IsSack = %5.

Fields #

Name	Description
`Tcb` Pointer	—
`SndUna` UInt32	—
`SndMax` UInt32	—
`Reason` UnicodeString	—
`IsSack` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1196",
    "version": "0",
    "level": "4",
    "task": "1196",
    "opcode": "0",
    "keywords": 9223372041149743104,
    "time_created": "2026-03-16T00:23:27.217663000+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{170d1290-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A170D1290",
    "SndUna": "1228953133",
    "SndMax": "       0",
    "Reason": "NULL",
    "IsSack": "       0"
  },
  "message": ""
}

Event ID 1197 — TCP: connection Tcb flushed SACK state at SndUna = SndUna.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpFlushSack

Description

TCP: connection Tcb flushed SACK state at SndUna = SndUna. Reason: Reason.

Message #

TCP: connection %1 flushed SACK state at SndUna = %2. Reason: %4.

Fields #

Name	Description
`Tcb` Pointer	—
`SndUna` UInt32	—
`SndMax` UInt32	—
`Reason` UnicodeString	—
`IsSack` UInt32	—

Event ID 1198 — TCP: Connection Tcb entering reassembly at RcvNxt = SndUna.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Verbose
Task: TcpReassemblyEntry

Description

TCP: Connection Tcb entering reassembly at RcvNxt = SndUna.

Message #

TCP: Connection %1 entering reassembly at RcvNxt = %2.

Fields #

Name	Description
`Tcb` Pointer	—
`SndUna` UInt32	—
`SndMax` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1198",
    "version": "0",
    "level": "5",
    "task": "1198",
    "opcode": "0",
    "keywords": 9223372045444710400,
    "time_created": "2026-03-16T00:23:59.839186900+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{14cde010-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A14CDE010",
    "SndUna": "3358248696",
    "SndMax": "       0"
  },
  "message": ""
}

Event ID 1199 — TCP: Connection Tcb leaving reassembly at RcvNxt = SndUna.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Verbose
Task: TcpReassemblyExit

Description

TCP: Connection Tcb leaving reassembly at RcvNxt = SndUna.

Message #

TCP: Connection %1 leaving reassembly at RcvNxt = %2.

Fields #

Name	Description
`Tcb` Pointer	—
`SndUna` UInt32	—
`SndMax` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1199",
    "version": "0",
    "level": "5",
    "task": "1199",
    "opcode": "0",
    "keywords": 9223372045444710400,
    "time_created": "2026-03-16T00:23:59.839225300+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{14cde010-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A14CDE010",
    "SndUna": "3358248696",
    "SndMax": "       0"
  },
  "message": ""
}

Event ID 1200 — TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) terminating: Zero window probe timeout expired.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpDisconnectTcbZeroWindowTimeout

Description

TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) terminating: Zero window probe timeout expired.

Message #

TCP: connection %8 (local=%2 remote=%4) terminating: Zero window probe timeout expired.

Fields #

Name	Description
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`Status` UInt32	— NTSTATUS reference
`ProcessId` UInt32	—
`Compartment` UInt32	—
`Tcb` Pointer	—
`ProcessStartKey` UInt64	—

Event ID 1201 — TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) terminating: FIN-WAIT-2 timeout expired.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpDisconnectTcbFinWait2Timeout

Description

TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) terminating: FIN-WAIT-2 timeout expired.

Message #

TCP: connection %8 (local=%2 remote=%4) terminating: FIN-WAIT-2 timeout expired.

Fields #

Name	Description
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`Status` UInt32	— NTSTATUS reference
`ProcessId` UInt32	—
`Compartment` UInt32	—
`Tcb` Pointer	—
`ProcessStartKey` UInt64	—

Event ID 1202 — IP: Interface rundown: Index = IfIndex, Linkspeed = CurrLinkSpeed bps, PhysicalMediumType = PhysicalMediumType, IP Address = IPv4 Address IPProtocol IPv6 Address.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: InterfaceRundown

Description

IP: Interface rundown: Index = IfIndex, Linkspeed = CurrLinkSpeed bps, PhysicalMediumType = PhysicalMediumType, IP Address = IPv4 Address IPProtocol IPv6 Address.

Message #

IP: Interface rundown: Index = %1, Linkspeed = %2 bps, PhysicalMediumType = %7, IP Address = %4 %3 %6.

Fields #

Name	Description
`IfIndex` UInt32	—
`CurrLinkSpeed` UInt64	—
`IPProtocol` UInt32	—
`IPv4 Address`	—
`IpAddrLength` UInt32	—
`IPv6 Address`	—
`PhysicalMediumType` UInt32	—
`CompartmentId` UInt32	—
`OldLinkSpeed` UInt64	—
`NetworkCategory` UInt32	—
`Metric` UInt32	—
`Connected` UInt32	—
`InternetConnectivityStatus` UInt32	—
`Flags` UInt64	—
`IsolationId` UInt32	—
`IPv4Address` UInt32	—
`IPv6Address` Binary	—
`NlMtu` UInt32	—
`ForwardingTag` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1202",
    "version": "4",
    "level": "4",
    "task": "1202",
    "opcode": "0",
    "keywords": 9223372586610589840,
    "time_created": "2026-03-15T23:26:13.264840100+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}"
    },
    "execution": {
      "process_id": "15176",
      "thread_id": "13152"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "IfIndex": "       1",
    "CurrLinkSpeed": "0",
    "IPProtocol": "       4",
    "IPv4 Address": "127.0.0.1",
    "IpAddrLength": "       0",
    "IPv6 Address": "",
    "PhysicalMediumType": "       0",
    "CompartmentId": "       1",
    "OldLinkSpeed": "0",
    "NetworkCategory": "       0",
    "Metric": "      75",
    "Connected": "       1",
    "InternetConnectivityStatus": "4294967295",
    "Flags": "0x10262102300",
    "IsolationId": "       0"
  },
  "message": ""
}

Event ID 1203 — IP: Interface Index = IfIndex, Linkspeed changed to CurrLinkSpeed bps, PhysicalMediumType = PhysicalMediumType.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpInterfaceSpeedChange

Description

IP: Interface Index = IfIndex, Linkspeed changed to CurrLinkSpeed bps, PhysicalMediumType = PhysicalMediumType.

Message #

IP: Interface Index = %1, Linkspeed changed to %2 bps, PhysicalMediumType = %7.

Fields #

Name	Description
`IfIndex` UInt32	—
`CurrLinkSpeed` UInt64	—
`IPProtocol` UInt32	—
`IPv4Address` UInt32	—
`IpAddrLength` UInt32	—
`IPv6Address` Binary	—
`PhysicalMediumType` UInt32	—
`CompartmentId` UInt32	—
`OldLinkSpeed` UInt64	—
`ReceiveLinkSpeed` UInt64	—
`MediaConnectState` UInt32	—

Event ID 1204 — TCP: Connection Tcb flushing reassembly state at RcvNxt = SndUna.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpReassemblyFlush

Description

TCP: Connection Tcb flushing reassembly state at RcvNxt = SndUna. Reason = Reason.

Message #

TCP: Connection %1 flushing reassembly state at RcvNxt = %2. Reason = %4.

Fields #

Name	Description
`Tcb` Pointer	—
`SndUna` UInt32	—
`SndMax` UInt32	—
`Reason` UnicodeString	—
`IsSack` UInt32	—

Event ID 1205 — TCPIP: NBL Nbl fell off the receive fast path, Reason: Reason.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Verbose
Task: TcpipReceiveSlowPath

Description

TCPIP: NBL Nbl fell off the receive fast path, Reason: Reason. Protocol = IPTransportProtocol, Family = AddressFamily, Number of NBLs = NblCount. SourceAddress = Source IPv4 Address IPProtocol IPv6 Source Address. DestAddress = Dest IPv4 Address IPProtocol IPv6 Dest Address.

Message #

TCPIP: NBL %1 fell off the receive fast path, Reason: %10. Protocol = %2, Family = %3, Number of NBLs = %11. SourceAddress = %4 %12 %7. DestAddress = %5 %12 %9.

Fields #

Name	Description
`Nbl` Pointer	—
`IPTransportProtocol` UInt32	—
`AddressFamily` UInt32	—
`Source IPv4 Address`	—
`Dest IPv4 Address`	—
`IPv6SourceIpAddrLength` UInt32	—
`IPv6 Source Address`	—
`IPv6DestIpAddrLength` UInt32	—
`IPv6 Dest Address`	—
`Reason` UInt32	—
`NblCount` UInt32	—
`IPProtocol` UInt32	—
`SourceIPv4Address` UInt32	—
`DestIPv4Address` UInt32	—
`IPv6SourceAddress` Binary	—
`IPv6DestAddress` Binary	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1205",
    "version": "0",
    "level": "5",
    "task": "1205",
    "opcode": "0",
    "keywords": 9223372045444710400,
    "time_created": "2026-03-16T00:21:38.718814700+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Nbl": "0xFFFF980A1D7C5570",
    "IPTransportProtocol": "       6",
    "AddressFamily": "       2",
    "Source IPv4 Address": "10.2.10.11",
    "Dest IPv4 Address": "10.2.10.21",
    "IPv6SourceIpAddrLength": "       0",
    "IPv6 Source Address": "",
    "IPv6DestIpAddrLength": "       0",
    "IPv6 Dest Address": "",
    "Reason": "      17",
    "NblCount": "       1",
    "IPProtocol": "       4"
  },
  "message": ""
}

Event ID 1206 — TCPIP: NBL Nbl fell off the send fast path, Reason: Reason.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Verbose
Task: TcpipSendSlowPath

Description

TCPIP: NBL Nbl fell off the send fast path, Reason: Reason. Protocol = IPTransportProtocol, Family = AddressFamily, Number of NBLs = NblCount. SourceAddress = Source IPv4 Address IPProtocol IPv6 Source Address. DestAddress = Dest IPv4 Address IPProtocol IPv6 Dest Address.

Message #

TCPIP: NBL %1 fell off the send fast path, Reason: %10. Protocol = %2, Family = %3, Number of NBLs = %11. SourceAddress = %4 %12 %7. DestAddress = %5 %12 %9.

Fields #

Name	Description
`Nbl` Pointer	—
`IPTransportProtocol` UInt32	—
`AddressFamily` UInt32	—
`Source IPv4 Address`	—
`Dest IPv4 Address`	—
`IPv6SourceIpAddrLength` UInt32	—
`IPv6 Source Address`	—
`IPv6DestIpAddrLength` UInt32	—
`IPv6 Dest Address`	—
`Reason` UInt32	—
`NblCount` UInt32	—
`IPProtocol` UInt32	—
`SourceIPv4Address` UInt32	—
`DestIPv4Address` UInt32	—
`IPv6SourceAddress` Binary	—
`IPv6DestAddress` Binary	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1206",
    "version": "0",
    "level": "5",
    "task": "1206",
    "opcode": "0",
    "keywords": 9223372041149743104,
    "time_created": "2026-03-16T00:21:34.388870500+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}"
    },
    "execution": {
      "process_id": "4168",
      "thread_id": "6880"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Nbl": "0xFFFF980A11CCA4F0",
    "IPTransportProtocol": "       6",
    "AddressFamily": "       2",
    "Source IPv4 Address": "10.2.10.21",
    "Dest IPv4 Address": "10.2.20.41",
    "IPv6SourceIpAddrLength": "       0",
    "IPv6 Source Address": "",
    "IPv6DestIpAddrLength": "       0",
    "IPv6 Dest Address": "",
    "Reason": "      11",
    "NblCount": "       1",
    "IPProtocol": "       4"
  },
  "message": ""
}

Event ID 1207 — TCP: WSD - TcpWsdEtwPoint Status: Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpWsdInitializationErrors

Description

TCP: WSD - TcpWsdEtwPoint Status: Status.

Message #

TCP: WSD - %1 Status: %2.

Fields #

Name	Description
`TcpWsdEtwPoint` UInt32	—
`Status` UInt32	— NTSTATUS reference

Event ID 1208 — TCP: WSD - TcpWsdEtwPoint Status: Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpWsdInitializationInformation

Description

TCP: WSD - TcpWsdEtwPoint Status: Status.

Message #

TCP: WSD - %1 Status: %2.

Fields #

Name	Description
`TcpWsdEtwPoint` UInt32	—
`Status` UInt32	— NTSTATUS reference

Event ID 1209 — TCP: WSD - TCB Tcb will use a highly restricted window scale factor due to a TcpWsdEtwPoint.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpWsdWsRestrictedProfile

Description

TCP: WSD - TCB Tcb will use a highly restricted window scale factor due to a TcpWsdEtwPoint.

Message #

TCP: WSD - TCB %2 will use a highly restricted window scale factor due to a %1.

Fields #

Name	Description
`TcpWsdEtwPoint` UInt32	—
`Tcb` Pointer	—

Event ID 1210 — TCP: WSD - TCB Tcb will use a highly restricted window scale factor due to a TcpWsdEtwPoint.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpWsdWsRestrictedDestination

Description

TCP: WSD - TCB Tcb will use a highly restricted window scale factor due to a TcpWsdEtwPoint.

Message #

TCP: WSD - TCB %2 will use a highly restricted window scale factor due to a %1.

Fields #

Name	Description
`TcpWsdEtwPoint` UInt32	—
`Tcb` Pointer	—

Event ID 1211 — TCP: WSD - Entry (Processor, Entry) moved from OldState to NewState due to TcpWsdEtwPoint.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpWsdCacheEntryStateChange

Description

TCP: WSD - Entry (Processor, Entry) moved from OldState to NewState due to TcpWsdEtwPoint.

Message #

TCP: WSD - Entry (%2, %3) moved from %4 to %5 due to %1.

Fields #

Name	Description
`TcpWsdEtwPoint` UInt32	—
`Processor` UInt32	—
`Entry` UInt32	—
`OldState` UInt32	—
`NewState` UInt32	—
`ProbeCount` UInt32	—
`ProbeCountWs` UInt32	—

Event ID 1212 — TCP: WSD - Profile: Profile State: State Qualified: Qualified EreQualified: EreQualified.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpWsdProfileStateChange

Description

TCP: WSD - Profile: Profile State: State Qualified: Qualified EreQualified: EreQualified.

Message #

TCP: WSD - Profile: %1 State: %2 Qualified: %3 EreQualified: %4.

Fields #

Name	Description
`Profile` UInt32	—
`State` UInt32	—
`Qualified` UInt32	—
`EreQualified` UInt32	—

Event ID 1213 — TCP: WSD - Enabled moved from OldEnabledState to NewEnabledState.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpWsdStateChange

Description

TCP: WSD - Enabled moved from OldEnabledState to NewEnabledState. Threshold moved from OldThreshold to NewThreshold.

Message #

TCP: WSD - Enabled moved from %1 to %2. Threshold moved from  %3 to %4.

Fields #

Name	Description
`OldEnabledState` UInt32	—
`NewEnabledState` UInt32	—
`OldThreshold` UInt32	—
`NewThreshold` UInt32	—

Event ID 1214 — TCPIP: Transport (Protocol IPTransportProtocol, AddressFamily = AddressFamily) dropped PacketCount packet(s) with Local = LocalSockAddr, Remote = RemoteSockAddr.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpipTransportPacketDrops

Description

TCPIP: Transport (Protocol IPTransportProtocol, AddressFamily = AddressFamily) dropped PacketCount packet(s) with Local = LocalSockAddr, Remote = RemoteSockAddr. Reason = Reason.

Message #

TCPIP: Transport (Protocol %1, AddressFamily = %2) dropped %8 packet(s) with Local = %4, Remote = %6. Reason = %7.

Fields #

Name	Description
`IPTransportProtocol` UInt32	—
`AddressFamily` UInt32	—
`LocalSockAddrLength` UInt32	—
`LocalSockAddr` Binary	—
`RemoteSockAddrLength` UInt32	—
`RemoteSockAddr` Binary	—
`Reason` UInt32	—
`PacketCount` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1214",
    "version": "0",
    "level": "4",
    "task": "1214",
    "opcode": "0",
    "keywords": 9223373694712152192,
    "time_created": "2026-03-16T00:21:38.733034500+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "IPTransportProtocol": "       6",
    "AddressFamily": "       2",
    "LocalSockAddrLength": "      16",
    "LocalSockAddr": "10.2.10.21:5985",
    "RemoteSockAddrLength": "      16",
    "RemoteSockAddr": "10.2.10.11:51201",
    "Reason": "      20",
    "PacketCount": "       1"
  },
  "message": ""
}

Event ID 1215 — TCPIP: Network layer (Protocol IPTransportProtocol, AddressFamily = AddressFamily) dropped PacketCount packet(s).

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpipNetworkPacketDrops

Description

TCPIP: Network layer (Protocol IPTransportProtocol, AddressFamily = AddressFamily) dropped PacketCount packet(s). SourceAddress = Source IPv4 Address IPProtocol IPv6 Source Address. DestAddress = Dest IPv4 Address IPProtocol IPv6 Dest Address. Reason = Reason.

Message #

TCPIP: Network layer (Protocol %1, AddressFamily = %2) dropped %10 packet(s). SourceAddress = %3 %11 %6. DestAddress = %4 %11 %8. Reason = %9.

Fields #

Name	Description
`IPTransportProtocol` UInt32	—
`AddressFamily` UInt32	—
`Source IPv4 Address`	—
`Dest IPv4 Address`	—
`IPv6SourceIpAddrLength` UInt32	—
`IPv6 Source Address`	—
`IPv6DestIpAddrLength` UInt32	—
`IPv6 Dest Address`	—
`Reason` UInt32	—
`PacketCount` UInt32	—
`IPProtocol` UInt32	—
`SourceAddressLength` UInt32	—
`SourceAddress` Binary	—
`DestAddressLength` UInt32	—
`DestAddress` Binary	—
`IfIndex` UInt32	—
`PathDirection` UInt32	—
`SourceIPv4Address` UInt32	—
`DestIPv4Address` UInt32	—
`IPv6SourceAddress` Binary	—
`IPv6DestAddress` Binary	—
`Nbl` Pointer	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1215",
    "version": "1",
    "level": "4",
    "task": "1215",
    "opcode": "0",
    "keywords": 9223373699007119488,
    "time_created": "2026-03-15T23:27:04.761762100+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}"
    },
    "execution": {
      "process_id": "3912",
      "thread_id": "13412"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "IPTransportProtocol": "       6",
    "AddressFamily": "      23",
    "Source IPv4 Address": "0.0.0.0",
    "Dest IPv4 Address": "0.0.0.0",
    "IPv6SourceIpAddrLength": "      16",
    "IPv6 Source Address": "::1",
    "IPv6DestIpAddrLength": "      16",
    "IPv6 Dest Address": "::1",
    "Reason": "     256",
    "PacketCount": "       1",
    "IPProtocol": "       6",
    "SourceAddressLength": "      28",
    "SourceAddress": "::1",
    "DestAddressLength": "      28",
    "DestAddress": "::1",
    "IfIndex": "       1",
    "PathDirection": "       1"
  },
  "message": ""
}

Event ID 1216 — TCP: MPP NPP Evaluation PhysicalPages = PhysicalPages NonPagedPoolPages = NonPagedPoolPages Current = CurrentWatermark Peak = PeakWatermark Low = HighWatermark High = LowWatermark.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpMppNppEvaluation

Description

TCP: MPP NPP Evaluation PhysicalPages = PhysicalPages NonPagedPoolPages = NonPagedPoolPages Current = CurrentWatermark Peak = PeakWatermark Low = HighWatermark High = LowWatermark.

Message #

TCP: MPP NPP Evaluation PhysicalPages = %1 NonPagedPoolPages = %2 Current = %3 Peak = %4 Low = %5 High = %6.

Fields #

Name	Description
`PhysicalPages` UInt32	—
`NonPagedPoolPages` UInt32	—
`CurrentWatermark` UInt32	—
`PeakWatermark` UInt32	—
`HighWatermark` UInt32	—
`LowWatermark` UInt32	—

Event ID 1217 — TCP: MPP: Episode started.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpMppStartEpisode

Description

TCP: MPP: Episode started. LowNppEventState = LowNppEventState HighNppEventState = HighNppEventState EpisodeStartTick = EpisodeStartTick EpisodeStopTick = EpisodeStopTick Current = CurrentWatermark Low = LowWatermark Reentry = ReentryWatermark.

Message #

TCP: MPP: Episode started. LowNppEventState = %1 HighNppEventState = %2 EpisodeStartTick = %3 EpisodeStopTick = %4 Current = %5 Low = %6 Reentry = %7.

Fields #

Name	Description
`LowNppEventState` UInt32	—
`HighNppEventState` UInt32	—
`EpisodeStartTick` UInt64	—
`EpisodeStopTick` UInt64	—
`CurrentWatermark` UInt32	—
`LowWatermark` UInt32	—
`ReentryWatermark` UInt32	—

Event ID 1218 — TCP: MPP: Episode ended.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpMppStopEpisode

Description

TCP: MPP: Episode ended. LowNppEventState = LowNppEventState HighNppEventState = HighNppEventState EpisodeStartTick = EpisodeStartTick EpisodeStopTick = EpisodeStopTick Reentry = ReentryWatermark.

Message #

TCP: MPP: Episode ended. LowNppEventState = %1 HighNppEventState = %2 EpisodeStartTick = %3 EpisodeStopTick = %4 Reentry = %5.

Fields #

Name	Description
`LowNppEventState` UInt32	—
`HighNppEventState` UInt32	—
`EpisodeStartTick` UInt64	—
`EpisodeStopTick` UInt64	—
`ReentryWatermark` UInt32	—

Event ID 1219 — TCP: MPP: Epoch Epoch started.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpMppStartEpoch

Description

TCP: MPP: Epoch Epoch started. LowNppEventState = LowNppEventState HighNppEventState = HighNppEventState EpochStartTick = EpochStartTick EpochStopTick = EpochStopTick SynDropRate = OldSynDropRate -> NewSynDropRate TcbKillRate = OldTcbKillRate -> NewTcbKillRate CurrentWatermark = CurrentWatermark.

Message #

TCP: MPP: Epoch %1 started. LowNppEventState = %2 HighNppEventState = %3 EpochStartTick = %4 EpochStopTick = %5 SynDropRate = %6 -> %7 TcbKillRate = %8 -> %9 CurrentWatermark = %10.

Fields #

Name	Description
`Epoch` UInt32	—
`LowNppEventState` UInt32	—
`HighNppEventState` UInt32	—
`EpochStartTick` UInt64	—
`EpochStopTick` UInt64	—
`OldSynDropRate` UInt32	—
`NewSynDropRate` UInt32	—
`OldTcbKillRate` UInt32	—
`NewTcbKillRate` UInt32	—
`CurrentWatermark` UInt32	—

Event ID 1220 — TCP: MPP: Epoch Epoch ended.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpMppStopEpoch

Description

TCP: MPP: Epoch Epoch ended. LowNppEventState = LowNppEventState HighNppEventState = HighNppEventState EpochStartTick = EpochStartTick EpochStopTick = EpochStopTick SynDropRate = SynDropRate TcbKillRate = TcbKillRate Current = CurrentWatermark.

Message #

TCP: MPP: Epoch %1 ended. LowNppEventState = %2 HighNppEventState = %3 EpochStartTick = %4 EpochStopTick = %5 SynDropRate = %6 TcbKillRate = %7 Current = %8.

Fields #

Name	Description
`Epoch` UInt32	—
`LowNppEventState` UInt32	—
`HighNppEventState` UInt32	—
`EpochStartTick` UInt64	—
`EpochStopTick` UInt64	—
`SynDropRate` UInt32	—
`TcbKillRate` UInt32	—
`CurrentWatermark` UInt32	—

Event ID 1221 — TCP: Connection Tcb restarting Cwnd.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpCwndRestart

Description

TCP: Connection Tcb restarting Cwnd. Old Cwnd = OldCwnd, New Cwnd = NewCwnd, Processor = Processor, CurrentTick = CurrentTick, IdleTick = IdleTick, Rto = Rto.

Message #

TCP: Connection %1 restarting Cwnd. Old Cwnd = %2, New Cwnd = %3, Processor = %4, CurrentTick = %5, IdleTick = %6, Rto = %7.

Fields #

Name	Description
`Tcb` Pointer	—
`OldCwnd` UInt32	—
`NewCwnd` UInt32	—
`Processor` UInt32	—
`CurrentTick` UInt32	—
`IdleTick` UInt32	—
`Rto` UInt32	—

Event ID 1222 — TCP: Connection Tcb adjust InitalCwnd.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpInitialCwndAdjusted

Description

TCP: Connection Tcb adjust InitalCwnd. Cwnd = OldCwnd, New Initial Cwnd = NewCwnd MSS.

Message #

TCP: Connection %1 adjust InitalCwnd. Cwnd = %2, New Initial Cwnd = %3 MSS.

Fields #

Name	Description
`Tcb` Pointer	—
`OldCwnd` UInt32	—
`NewCwnd` UInt32	—
`Processor` UInt32	—
`CurrentTick` UInt32	—
`IdleTick` UInt32	—
`Rto` UInt32	—

Event ID 1223 — TCP: Connection Tcb committed TemplateType = TemplateType.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpTemplateParameters

Message #

TCP: Connection %1 committed TemplateType = %2. MinRto = %3 msec, EnableCwndRestart = %4, InitialCwnd = %5 MSS, CongestionAlgorithm = %6, MaxDataRetransmissions = %7, DelayedAckTicks = %8 msec, DelayedAckFrequency = %9, RACK enabled = %10, Tail Loss Probe enabled = %11.

Fields #

Name	Description
`Tcb` Pointer	—
`TemplateType` UInt32	—
`MinRto` UInt32	—
`EnableCwndRestart` UInt32	—
`InitialCwnd` UInt32	—
`CongestionAlgorithm` UInt32	—
`MaxDataRetransmissions` UInt32	—
`DelayedAckTicks` UInt32	—
`DelayedAckFrequency` UInt32	—
`Rack` UInt32	—
`TailLossProbe` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1223",
    "version": "0",
    "level": "4",
    "task": "1223",
    "opcode": "0",
    "keywords": 9223372586610589696,
    "time_created": "2026-03-16T00:21:38.719984100+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{0eee7560-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A0EEE7560",
    "TemplateType": "       0",
    "MinRto": "     300",
    "EnableCwndRestart": "       0",
    "InitialCwnd": "      10",
    "CongestionAlgorithm": "       5",
    "MaxDataRetransmissions": "       5",
    "DelayedAckTicks": "      40",
    "DelayedAckFrequency": "       2",
    "Rack": "       1",
    "TailLossProbe": "       1"
  },
  "message": ""
}

Event ID 1224 — TCP: Connection Tcb template changed.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Verbose
Task: TcpTemplateChanged

Description

TCP: Connection Tcb template changed. New template=TemplateType. Context=Context.

Message #

TCP: Connection %1 template changed. New template=%2. Context=%3.

Fields #

Name	Description
`Tcb` Pointer	—
`TemplateType` UInt32	—
`Context` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1224",
    "version": "0",
    "level": "5",
    "task": "1224",
    "opcode": "0",
    "keywords": 9223372586610589696,
    "time_created": "2026-03-16T00:21:38.719121800+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{0eee7560-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A0EEE7560",
    "TemplateType": "       0",
    "Context": "Initializing Template Accept TCB"
  },
  "message": ""
}

Event ID 1225 — TCP: connection Tcb: End of a round, SndRound = SndRound, Bytes sent = EcnTotalByteCount.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpDataTransferEcnAlpha

Description

TCP: connection Tcb: End of a round, SndRound = SndRound, Bytes sent = EcnTotalByteCount. Bytes marked = EcnTotalMarkedCount, ThAck = ThAck, updated EcnAlpha = EcnAlpha.

Message #

TCP: connection %1: End of a round, SndRound = %2, Bytes sent = %3. Bytes marked = %4, ThAck = %5, updated EcnAlpha = %6.

Fields #

Name	Description
`Tcb` Pointer	—
`SndRound` UInt32	—
`EcnTotalByteCount` UInt32	—
`EcnTotalMarkedCount` UInt32	—
`ThAck` UInt32	—
`EcnAlpha` UInt32	—

Event ID 1226 — TCP: interface IfIndex: RSC state changed, IPV4 State = StateV4, IPV4 Failure Reason = FailureReasonV4, IPV6 State = StateV6, IPV6 Failure Reason = FailureReasonV6, Event = Event.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpInterfaceRscStateChange

Description

TCP: interface IfIndex: RSC state changed, IPV4 State = StateV4, IPV4 Failure Reason = FailureReasonV4, IPV6 State = StateV6, IPV6 Failure Reason = FailureReasonV6, Event = Event.

Message #

TCP: interface %1: RSC state changed, IPV4 State = %2, IPV4 Failure Reason = %3, IPV6 State = %4, IPV6 Failure Reason = %5, Event = %6.

Fields #

Name	Description
`IfIndex` UInt32	—
`StateV4` UInt32	—
`FailureReasonV4` UInt32	—
`StateV6` UInt32	—
`FailureReasonV6` UInt32	—
`Event` UInt32	—

Event ID 1227 — TCP: connection Tcb: RSC SCU received.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Verbose
Task: TcpRscNblOobInfo

Description

TCP: connection Tcb: RSC SCU received. CoalescedSegCount = CoalescedSegCount, DupAckCount = DupAckCount, RscTcpTimestampDelta = RscTcpTimestampDelta, HeaderFlags = HeaderFlags, EcnCePresent = EcnCePresent.

Message #

TCP: connection %1: RSC SCU received. CoalescedSegCount = %2, DupAckCount = %3, RscTcpTimestampDelta = %4, HeaderFlags = %5, EcnCePresent = %6.

Fields #

Name	Description
`Tcb` Pointer	—
`CoalescedSegCount` UInt16	—
`DupAckCount` UInt16	—
`RscTcpTimestampDelta` UInt32	—
`HeaderFlags` UInt16	—
`EcnCePresent` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1227",
    "version": "0",
    "level": "5",
    "task": "1227",
    "opcode": "0",
    "keywords": 9223372045444710400,
    "time_created": "2026-03-16T00:21:36.016716200+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{10708010-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A10708010",
    "CoalescedSegCount": "2",
    "DupAckCount": "0",
    "RscTcpTimestampDelta": "       0",
    "HeaderFlags": "24",
    "EcnCePresent": "       0"
  },
  "message": ""
}

Event ID 1228 — TCPIP: TCB Tcb does not take fast path, Cause: Cause.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpLoopbackFastPathFailReason

Description

TCPIP: TCB Tcb does not take fast path, Cause: Cause.

Message #

TCPIP: TCB %1 does not take fast path, Cause: %2.

Fields #

Name	Description
`Tcb` Pointer	—
`Cause` UInt32	—

Event ID 1229 — TCP: Connection Tcb send queue is idle.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpCwndRestart

Description

TCP: Connection Tcb send queue is idle. Cwnd = OldCwnd, Processor = Processor, CurrentTick = CurrentTick, IdleTick = IdleTick.

Message #

TCP: Connection %1 send queue is idle. Cwnd = %2, Processor = %4, CurrentTick = %5, IdleTick = %6.

Fields #

Name	Description
`Tcb` Pointer	—
`OldCwnd` UInt32	—
`NewCwnd` UInt32	—
`Processor` UInt32	—
`CurrentTick` UInt32	—
`IdleTick` UInt32	—
`Rto` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1229",
    "version": "0",
    "level": "4",
    "task": "1221",
    "opcode": "0",
    "keywords": 9223372041149743104,
    "time_created": "2026-03-16T00:21:34.390542000+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{1018b560-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "4248",
      "thread_id": "4684"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A1018B560",
    "OldCwnd": " 2110976",
    "NewCwnd": "       0",
    "Processor": "       8",
    "CurrentTick": "57753291",
    "IdleTick": "57753291",
    "Rto": "       0"
  },
  "message": ""
}

Event ID 1230 — RSS: Bind notification for AddressFamily on interface InterfaceIndex.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: RssBindingChange

Description

RSS: Bind notification for AddressFamily on interface InterfaceIndex.

Message #

RSS: %3 notification for %2 on interface %1.

Fields #

Name	Description
`InterfaceIndex` UInt32	—
`AddressFamily` UInt16	—
`Bind` UInt32	—

Event ID 1231 — RSS: Bind notification for adapter AdapterIndex.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: RssPortChange

Description

RSS: Bind notification for adapter AdapterIndex.

Message #

RSS: %4 notification for adapter %1.

Fields #

Name	Description
`AdapterIndex` UInt32	—
`InterfaceIndex` UInt32	—
`PortNumber` UInt32	—
`Bind` UInt32	—

Event ID 1232 — RSS: ReferenceAdded reference on adapter AdapterIndex.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: RssPortReference

Description

RSS: ReferenceAdded reference on adapter AdapterIndex.

Message #

RSS: %4 reference on adapter %1.

Fields #

Name	Description
`AdapterIndex` UInt32	—
`ExistingInterfaceIndex` UInt32	—
`ExistingPortNumber` UInt32	—
`ReferenceAdded` UInt8	—

Event ID 1233 — RSS: adapter AdapterIndex with capabilities CapabilitiesFlags and NumberOfReceiveQueues receive queues.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: RssPortCapabilities

Description

RSS: adapter AdapterIndex with capabilities CapabilitiesFlags and NumberOfReceiveQueues receive queues.

Message #

RSS: adapter %1 with capabilities %2 and %4 receive queues.

Fields #

Name	Description
`AdapterIndex` UInt32	—
`CapabilitiesFlags` UInt32	—
`NumberOfInterruptMessages` UInt32	—
`NumberOfReceiveQueues` UInt32	—

Event ID 1234 — RSS: adapter AdapterIndex processor group GroupNumber maximum processors MaximumProcessors processor affinity GroupAffinity.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: RssPortProcessors

Description

RSS: adapter AdapterIndex processor group GroupNumber maximum processors MaximumProcessors processor affinity GroupAffinity.

Message #

RSS: adapter %1 processor group %2 maximum processors %3 processor affinity %4.

Fields #

Name	Description
`AdapterIndex` UInt32	—
`GroupNumber` UInt16	—
`MaximumProcessors` UInt32	—
`GroupAffinity` UInt64	—
`AvailableProcessorsSize` UInt32	—
`AvailableProcessors` Binary	—

Event ID 1235 — RSS: assigning processor ProcessorIndex from adapter PreviousAdapterIndex to NewAdapterIndex.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: RssProcessorAssignment

Description

RSS: assigning processor ProcessorIndex from adapter PreviousAdapterIndex to NewAdapterIndex.

Message #

RSS: assigning processor %2 from adapter %3 to %1.

Fields #

Name	Description
`NewAdapterIndex` UInt32	—
`ProcessorIndex` UInt32	—
`PreviousAdapterIndex` UInt32	—
`TriggeringProcessorIndex` UInt32	—

Event ID 1236 — RSS: unassigning processor ProcessorIndex from adapter PreviousAdapterIndex.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: RssProcessorUnassignment

Description

RSS: unassigning processor ProcessorIndex from adapter PreviousAdapterIndex.

Message #

RSS: unassigning processor %2 from adapter %1.

Fields #

Name	Description
`PreviousAdapterIndex` UInt32	—
`ProcessorIndex` UInt32	—

Event ID 1237 — RSS: adapter AdapterIndex reassigning indirection entry IndirectionIndex from processor OldProcessorIndex to NewProcessorIndex.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: RssIndirectionChange

Description

RSS: adapter AdapterIndex reassigning indirection entry IndirectionIndex from processor OldProcessorIndex to NewProcessorIndex.

Message #

RSS: adapter %1 reassigning indirection entry %2 from processor %3 to %4.

Fields #

Name	Description
`AdapterIndex` UInt32	—
`IndirectionIndex` UInt16	—
`OldProcessorIndex` UInt32	—
`NewProcessorIndex` UInt32	—

Event ID 1238 — RSS: adapter AdapterIndex removing processor ProcessorIndex from its indirection table.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: RssProcessorConsolidation

Description

RSS: adapter AdapterIndex removing processor ProcessorIndex from its indirection table.

Message #

RSS: adapter %1 removing processor %2 from its indirection table.

Fields #

Name	Description
`AdapterIndex` UInt32	—
`ProcessorIndex` UInt8	—

Event ID 1239 — RSS: adapter AdapterIndex changing Setting to Value.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: RssConfigurationChange

Description

RSS: adapter AdapterIndex changing Setting to Value.

Message #

RSS: adapter %1 changing %2 to %3.

Fields #

Name	Description
`AdapterIndex` UInt32	—
`Setting` UInt32	—
`Value` UInt32	—

Event ID 1240 — RSS: Failed to FailureDescription on IfIndex InterfaceIndex: Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: RssFailure

Description

RSS: Failed to FailureDescription on IfIndex InterfaceIndex: Status.

Message #

RSS: Failed to %2 on IfIndex %1: %3

Fields #

Name	Description
`InterfaceIndex` UInt32	—
`FailureDescription` UInt32	—
`Status` UInt32	— NTSTATUS reference

Event ID 1241 — RSS: bind completed successfully for AddressFamily on interface InterfaceIndex.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: RssBindingBindComplete

Description

RSS: bind completed successfully for AddressFamily on interface InterfaceIndex.

Message #

RSS: bind completed successfully for %2 on interface %1.

Fields #

Name	Description
`InterfaceIndex` UInt32	—
`AddressFamily` UInt16	—

Event ID 1242 — RSS: bind completed successfully for adapter AdapterIndex.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: RssPortBindComplete

Description

RSS: bind completed successfully for adapter AdapterIndex.

Message #

RSS: bind completed successfully for adapter %1.

Fields #

Name	Description
`AdapterIndex` UInt32	—

Event ID 1243 — RSS: adapter AdapterIndex not supported.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: RssPortNotSupported

Description

RSS: adapter AdapterIndex not supported.

Message #

RSS: adapter %1 not supported.

Fields #

Name	Description
`AdapterIndex` UInt32	—

Event ID 1244 — RSS: adapter AdapterIndex indirection table initialized on group GroupNumber with processor set ActiveAffinity.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: RssInitializeIndirectionTable

Description

RSS: adapter AdapterIndex indirection table initialized on group GroupNumber with processor set ActiveAffinity.

Message #

RSS: adapter %1 indirection table initialized on group %4 with processor set %5.

Fields #

Name	Description
`AdapterIndex` UInt32	—
`IndirectionTableSize` UInt32	—
`IndirectionTable` Binary	—
`GroupNumber` UInt16	—
`ActiveAffinity` UInt64	—

Event ID 1245 — RSS: Rundown: interface InterfaceIndex with adapter AdapterIndex at port PortNumber.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: RssBindingRundown

Description

RSS: Rundown: interface InterfaceIndex with adapter AdapterIndex at port PortNumber.

Message #

RSS: Rundown: interface %1 with adapter %2 at port %3.

Fields #

Name	Description
`InterfaceIndex` UInt32	—
`AdapterIndex` UInt32	—
`PortNumber` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1245",
    "version": "0",
    "level": "4",
    "task": "1245",
    "opcode": "0",
    "keywords": 9223372586610591888,
    "time_created": "2026-03-16T00:21:34.295777000+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{517fdda0-f803-ffff-0600-000000000000}"
    },
    "execution": {
      "process_id": "9132",
      "thread_id": "4236"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "InterfaceIndex": "       6",
    "AdapterIndex": "       6",
    "PortNumber": "       0"
  },
  "message": ""
}

Event ID 1246 — RSS: Rundown: adapter AdapterIndex hash info HashInfo maximum processors MaximumProcessors group GroupNumber affinity GroupAffinity active processors ActiveAffinity active mode: ActiveMode.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: RssPortRundown

Description

RSS: Rundown: adapter AdapterIndex hash info HashInfo maximum processors MaximumProcessors group GroupNumber affinity GroupAffinity active processors ActiveAffinity active mode: ActiveMode.

Message #

RSS: Rundown: adapter %1 hash info %2 maximum processors %3 group %4 affinity %5 active processors %6 active mode: %7.

Fields #

Name	Description
`AdapterIndex` UInt32	—
`HashInfo` UInt32	—
`MaximumProcessors` UInt32	—
`GroupNumber` UInt16	—
`GroupAffinity` UInt64	—
`ActiveAffinity` UInt64	—
`ActiveMode` UInt32	—
`IndirectionTableSize` UInt32	—
`IndirectionTable` Binary	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1246",
    "version": "0",
    "level": "4",
    "task": "1246",
    "opcode": "0",
    "keywords": 9223372586610591888,
    "time_created": "2026-03-15T23:26:13.264909200+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{0f1f9564-f803-ffff-0400-000000000000}"
    },
    "execution": {
      "process_id": "15176",
      "thread_id": "13152"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "AdapterIndex": "       4",
    "HashInfo": "0xD701",
    "MaximumProcessors": "      14",
    "GroupNumber": "0",
    "GroupAffinity": "0x3FFF",
    "ActiveAffinity": "0x3FFF",
    "ActiveMode": "    1002",
    "IndirectionTableSize": "     128",
    "IndirectionTable": "0x000102030405060708090A0B0C0D000102030405060708090A0B0C0D000102030405060708090A0B0C0D000102030405060708090A0B0C0D000102030405060708090A0B0C0D000102030405060708090A0B0C0D000102030405060708090A0B0C0D000102030405060708090A0B0C0D000102030405060708090A0B0C0D0001"
  },
  "message": ""
}

Event ID 1247 — RSS: interface InterfaceIndex support: Capability.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: RssBindingCapability

Description

RSS: interface InterfaceIndex support: Capability.

Message #

RSS: interface %1 support: %2.

Fields #

Name	Description
`InterfaceIndex` UInt32	—
`Capability` UInt32	—

Event ID 1248 — NDKPI Create CQ: RequestContext RequestContext Adapter NdkAdapter CqDepth CqDepth CqNotificationContext CqNotificationContext AffinityMask AffinityMask AffinityGroup AffinityGroup.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Create_Cq

Description

NDKPI Create CQ: RequestContext RequestContext Adapter NdkAdapter CqDepth CqDepth CqNotificationContext CqNotificationContext AffinityMask AffinityMask AffinityGroup AffinityGroup.

Message #

NDKPI Create CQ: RequestContext %6 Adapter %1 CqDepth %2 CqNotificationContext %3 AffinityMask %4 AffinityGroup %5

Fields #

Name	Description
`NdkAdapter` Pointer	—
`CqDepth` UInt32	—
`CqNotificationContext` Pointer	—
`AffinityMask` UInt64	—
`AffinityGroup` UInt16	—
`RequestContext` Pointer	—

Event ID 1249 — NDKPI Create Completion: RequestContext RequestContext Status Status (CompletionType) NdkObjectType NdkObject.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Create_Completion

Description

NDKPI Create Completion: RequestContext RequestContext Status Status (CompletionType) NdkObjectType NdkObject.

Message #

NDKPI Create Completion: RequestContext %1 Status %2 (%4) %5 %3

Fields #

Name	Description
`RequestContext` Pointer	—
`Status` UInt32	— NTSTATUS reference
`NdkObject` Pointer	—
`CompletionType` UInt32	—
`NdkObjectType` UInt32	—

Event ID 1250 — NDKPI Close NdkObjectType: RequestContext RequestContext NdkObjectType NdkObject.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Close_Obj

Description

NDKPI Close NdkObjectType: RequestContext RequestContext NdkObjectType NdkObject.

Message #

NDKPI Close %2: RequestContext %3 %2 %1

Fields #

Name	Description
`NdkObject` Pointer	—
`NdkObjectType` UInt32	—
`RequestContext` Pointer	—

Event ID 1251 — NDKPI Close Completion: RequestContext RequestContext (CompletionType).

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Close_Completion

Description

NDKPI Close Completion: RequestContext RequestContext (CompletionType).

Message #

NDKPI Close Completion: RequestContext %1 (%2)

Fields #

Name	Description
`RequestContext` Pointer	—
`CompletionType` UInt32	—

Event ID 1252 — NDKPI Resize CQ: RequestContext RequestContext CQ NdkCq CqDepth CqDepth.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Resize_Cq

Description

NDKPI Resize CQ: RequestContext RequestContext CQ NdkCq CqDepth CqDepth.

Message #

NDKPI Resize CQ: RequestContext %3 CQ %1 CqDepth %2

Fields #

Name	Description
`NdkCq` Pointer	—
`CqDepth` UInt32	—
`RequestContext` Pointer	—

Event ID 1253 — NDKPI Request Completion: RequestContext RequestContext Status Status (CompletionType).

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Request_Completion

Description

NDKPI Request Completion: RequestContext RequestContext Status Status (CompletionType).

Message #

NDKPI Request Completion: RequestContext %1 Status %2 (%3)

Fields #

Name	Description
`RequestContext` Pointer	—
`Status` UInt32	— NTSTATUS reference
`CompletionType` UInt32	—

Event ID 1254 — NDKPI Arm CQ: CQ NdkCq ArmType.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Arm_Cq

Description

NDKPI Arm CQ: CQ NdkCq ArmType.

Message #

NDKPI Arm CQ: CQ %1 %2

Fields #

Name	Description
`NdkCq` Pointer	—
`ArmType` UInt32	—

Event ID 1255 — NDKPI Result ResultIndex/ResultCount: CQ NdkCq RequestContext RequestContext Status Status BytesTransferred BytesTransferred QpContext QpContext.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Cq_Result

Description

NDKPI Result ResultIndex/ResultCount: CQ NdkCq RequestContext RequestContext Status Status BytesTransferred BytesTransferred QpContext QpContext.

Message #

NDKPI Result %6/%7: CQ %1 RequestContext %5 Status %2 BytesTransferred %3 QpContext %4

Fields #

Name	Description
`NdkCq` Pointer	—
`Status` UInt32	— NTSTATUS reference
`BytesTransferred` UInt32	—
`QpContext` Pointer	—
`RequestContext` Pointer	—
`ResultIndex` Int32	—
`ResultCount` Int32	—

Event ID 1256 — NDKPI Create MR: RequestContext RequestContext PD NdkPd FastRegister FastRegister.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Create_Mr

Description

NDKPI Create MR: RequestContext RequestContext PD NdkPd FastRegister FastRegister.

Message #

NDKPI Create MR: RequestContext %3 PD %1 FastRegister %2

Fields #

Name	Description
`NdkPd` Pointer	—
`FastRegister` UInt32	—
`RequestContext` Pointer	—

Event ID 1257 — NDKPI Flush: QP NdkQp.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Flush

Description

NDKPI Flush: QP NdkQp.

Message #

NDKPI Flush: QP %1

Fields #

Name	Description
`NdkQp` Pointer	—

Event ID 1258 — NDKPI Send (SGE SgeIndex/NumSge): RequestContext RequestContext QP NdkQp SGE SgeAddress/SgeLength/SgeMemoryRegionToken Flags Flags.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Send

Description

NDKPI Send (SGE SgeIndex/NumSge): RequestContext RequestContext QP NdkQp SGE SgeAddress/SgeLength/SgeMemoryRegionToken Flags Flags.

Message #

NDKPI Send (SGE %8/%6): RequestContext %2 QP %1 SGE %3/%4/%5 Flags %7

Fields #

Name	Description
`NdkQp` Pointer	—
`RequestContext` Pointer	—
`SgeAddress` Pointer	—
`SgeLength` UInt32	—
`SgeMemoryRegionToken` UInt32	—
`NumSge` Int32	—
`Flags` UInt32	—
`SgeIndex` Int32	—

Event ID 1259 — NDKPI Receive (SGE SgeIndex/NumSge): RequestContext RequestContext QP NdkQp SGE SgeAddress/SgeLength/SgeMemoryRegionToken.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Receive

Description

NDKPI Receive (SGE SgeIndex/NumSge): RequestContext RequestContext QP NdkQp SGE SgeAddress/SgeLength/SgeMemoryRegionToken.

Message #

NDKPI Receive (SGE %8/%6): RequestContext %2 QP %1 SGE %3/%4/%5

Fields #

Name	Description
`NdkQp` Pointer	—
`RequestContext` Pointer	—
`SgeAddress` Pointer	—
`SgeLength` UInt32	—
`SgeMemoryRegionToken` UInt32	—
`NumSge` Int32	—
`Flags` UInt32	—
`SgeIndex` Int32	—

Event ID 1260 — NDKPI Register MR: RequestContext RequestContext MR NdkMr MDL Mdl Length Length Flags Flags.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Register_Mr

Description

NDKPI Register MR: RequestContext RequestContext MR NdkMr MDL Mdl Length Length Flags Flags.

Message #

NDKPI Register MR: RequestContext %5 MR %1 MDL %2 Length %3 Flags %4

Fields #

Name	Description
`NdkMr` Pointer	—
`Mdl` Pointer	—
`Length` UInt64	—
`Flags` UInt32	—
`RequestContext` Pointer	—

Event ID 1261 — NDKPI Deregister MR: RequestContext RequestContext MR NdkObject.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Deregister_Mr

Description

NDKPI Deregister MR: RequestContext RequestContext MR NdkObject.

Message #

NDKPI Deregister MR: RequestContext %2 MR %1

Fields #

Name	Description
`NdkObject` Pointer	—
`RequestContext` Pointer	—

Event ID 1262 — NDKPI Initialize FastRegister MR: RequestContext RequestContext MR NdkMr AdapterPageCount AdapterPageCount RemoteAccess RemoteAccess.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Initialize_Fast_Register_Mr

Description

NDKPI Initialize FastRegister MR: RequestContext RequestContext MR NdkMr AdapterPageCount AdapterPageCount RemoteAccess RemoteAccess.

Message #

NDKPI Initialize FastRegister MR: RequestContext %4 MR %1 AdapterPageCount %2 RemoteAccess %3

Fields #

Name	Description
`NdkMr` Pointer	—
`AdapterPageCount` UInt32	—
`RemoteAccess` UInt32	—
`RequestContext` Pointer	—

Event ID 1263 — NDKPI Modify SRQ: RequestContext RequestContext SRQ NdkSrq SrqDepth SrqDepth NotifyThreshold NotifyThreshold.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Modify_Srq

Description

NDKPI Modify SRQ: RequestContext RequestContext SRQ NdkSrq SrqDepth SrqDepth NotifyThreshold NotifyThreshold.

Message #

NDKPI Modify SRQ: RequestContext %4 SRQ %1 SrqDepth %2 NotifyThreshold %3

Fields #

Name	Description
`NdkSrq` Pointer	—
`SrqDepth` UInt32	—
`NotifyThreshold` UInt32	—
`RequestContext` Pointer	—

Event ID 1264 — NDKPI Connect: RequestContext RequestContext Connector NdkConnector QP NdkQp SrcAddress SrcSockAddr DestAddress DestSockAddr IRD IRD ORD ORD PrivateDataLength PrivateDataLength.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Connect

Description

NDKPI Connect: RequestContext RequestContext Connector NdkConnector QP NdkQp SrcAddress SrcSockAddr DestAddress DestSockAddr IRD IRD ORD ORD PrivateDataLength PrivateDataLength.

Message #

NDKPI Connect: RequestContext %9 Connector %1 QP %2 SrcAddress %4 DestAddress %6 IRD %7 ORD %8 PrivateDataLength %11

Fields #

Name	Description
`NdkConnector` Pointer	—
`NdkQp` Pointer	—
`SrcSockAddrLength` UInt32	—
`SrcSockAddr` Binary	—
`DestSockAddrLength` UInt32	—
`DestSockAddr` Binary	—
`IRD` UInt32	—
`ORD` UInt32	—
`RequestContext` Pointer	—
`NdkSharedEndpoint` Pointer	—
`PrivateDataLength` UInt32	—

Event ID 1265 — NDKPI Connect: RequestContext RequestContext Connector NdkConnector QP NdkQp SharedEndpoint NdkSharedEndpoint DestAddress DestSockAddr IRD IRD ORD ORD PrivateDataLength PrivateDataLength.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Connect_Shared_Endpoint

Description

NDKPI Connect: RequestContext RequestContext Connector NdkConnector QP NdkQp SharedEndpoint NdkSharedEndpoint DestAddress DestSockAddr IRD IRD ORD ORD PrivateDataLength PrivateDataLength.

Message #

NDKPI Connect: RequestContext %9 Connector %1 QP %2 SharedEndpoint %10 DestAddress %6 IRD %7 ORD %8 PrivateDataLength %11

Fields #

Name	Description
`NdkConnector` Pointer	—
`NdkQp` Pointer	—
`SrcSockAddrLength` UInt32	—
`SrcSockAddr` Binary	—
`DestSockAddrLength` UInt32	—
`DestSockAddr` Binary	—
`IRD` UInt32	—
`ORD` UInt32	—
`RequestContext` Pointer	—
`NdkSharedEndpoint` Pointer	—
`PrivateDataLength` UInt32	—

Event ID 1266 — NDKPI CompleteConnect: RequestContext RequestContext Connector NdkConnector DisconnectEventContext DisconnectEventContext.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Complete_Connect

Description

NDKPI CompleteConnect: RequestContext RequestContext Connector NdkConnector DisconnectEventContext DisconnectEventContext.

Message #

NDKPI CompleteConnect: RequestContext %3 Connector %1 DisconnectEventContext %2

Fields #

Name	Description
`NdkConnector` Pointer	—
`DisconnectEventContext` Pointer	—
`RequestContext` Pointer	—

Event ID 1267 — NDKPI Accept: RequestContext RequestContext Connector NdkConnector QP NdkQp IRD IRD ORD ORD PrivateDataLength PrivateDataLength DisconnectEventContext DisconnectEventContext.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Accept

Description

NDKPI Accept: RequestContext RequestContext Connector NdkConnector QP NdkQp IRD IRD ORD ORD PrivateDataLength PrivateDataLength DisconnectEventContext DisconnectEventContext.

Message #

NDKPI Accept: RequestContext %6 Connector %1 QP %2 IRD %3 ORD %4 PrivateDataLength %7 DisconnectEventContext %5

Fields #

Name	Description
`NdkConnector` Pointer	—
`NdkQp` Pointer	—
`IRD` UInt32	—
`ORD` UInt32	—
`DisconnectEventContext` Pointer	—
`RequestContext` Pointer	—
`PrivateDataLength` UInt32	—

Event ID 1268 — NDKPI Disconnect: RequestContext RequestContext Connector NdkObject.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Disconnect

Description

NDKPI Disconnect: RequestContext RequestContext Connector NdkObject.

Message #

NDKPI Disconnect: RequestContext %2 Connector %1

Fields #

Name	Description
`NdkObject` Pointer	—
`RequestContext` Pointer	—

Event ID 1269 — NDKPI Listen: RequestContext RequestContext Listener NdkListener Address SockAddr.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Listen

Description

NDKPI Listen: RequestContext RequestContext Listener NdkListener Address SockAddr.

Message #

NDKPI Listen: RequestContext %4 Listener %1 Address %3

Fields #

Name	Description
`NdkListener` Pointer	—
`SockAddrLength` UInt32	—
`SockAddr` Binary	—
`RequestContext` Pointer	—

Event ID 1270 — NDKPI Create MW: RequestContext RequestContext PD NdkObject.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Create_Mw

Description

NDKPI Create MW: RequestContext RequestContext PD NdkObject.

Message #

NDKPI Create MW: RequestContext %2 PD %1

Fields #

Name	Description
`NdkObject` Pointer	—
`RequestContext` Pointer	—

Event ID 1271 — NDKPI Create SRQ: RequestContext RequestContext PD NdkPd SrqDepth SrqDepth MaxReceiveRequestSge MaxReceiveRequestSge NotifyThreshold NotifyThreshold SrqNotificationContext SrqNotificationContext Af...

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Create_Srq

Description

NDKPI Create SRQ: RequestContext RequestContext PD NdkPd SrqDepth SrqDepth MaxReceiveRequestSge MaxReceiveRequestSge NotifyThreshold NotifyThreshold SrqNotificationContext SrqNotificationContext AffinityMask AffinityMask AffinityGroup AffinityGroup.

Message #

NDKPI Create SRQ: RequestContext %8 PD %1 SrqDepth %2 MaxReceiveRequestSge %3 NotifyThreshold %4 SrqNotificationContext %5 AffinityMask %6 AffinityGroup %7

Fields #

Name	Description
`NdkPd` Pointer	—
`SrqDepth` UInt32	—
`MaxReceiveRequestSge` UInt32	—
`NotifyThreshold` UInt32	—
`SrqNotificationContext` Pointer	—
`AffinityMask` UInt64	—
`AffinityGroup` UInt16	—
`RequestContext` Pointer	—

Event ID 1272 — NDKPI Create QP: RequestContext RequestContext PD NdkPd ReceiveCQ ReceiveCq InitiatorCQ InitiatorCq QPContext QPContext ReceiveQueueDepth ReceiveQueueDepth InitiatorQueueDepth InitiatorQueueDepth M...

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Create_Qp

Description

NDKPI Create QP: RequestContext RequestContext PD NdkPd ReceiveCQ ReceiveCq InitiatorCQ InitiatorCq QPContext QPContext ReceiveQueueDepth ReceiveQueueDepth InitiatorQueueDepth InitiatorQueueDepth MaxReceiveRequestSge MaxReceiveRequestSge MaxInitiatorRequestSge MaxInitiatorRequestSge.

Message #

NDKPI Create QP: RequestContext %9 PD %1 ReceiveCQ %2 InitiatorCQ %3 QPContext %4 ReceiveQueueDepth %5 InitiatorQueueDepth %6 MaxReceiveRequestSge %7 MaxInitiatorRequestSge %8

Fields #

Name	Description
`NdkPd` Pointer	—
`ReceiveCq` Pointer	—
`InitiatorCq` Pointer	—
`QPContext` Pointer	—
`ReceiveQueueDepth` UInt32	—
`InitiatorQueueDepth` UInt32	—
`MaxReceiveRequestSge` UInt32	—
`MaxInitiatorRequestSge` UInt32	—
`RequestContext` Pointer	—
`NdkSrq` Pointer	—

Event ID 1273 — NDKPI Create QP: RequestContext RequestContext PD NdkPd ReceiveCQ ReceiveCq InitiatorCQ InitiatorCq SRQ NdkSrq QPContext QPContext InitiatorQueueDepth InitiatorQueueDepth MaxInitiatorRequestSge Max...

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Create_Qp_Srq

Description

NDKPI Create QP: RequestContext RequestContext PD NdkPd ReceiveCQ ReceiveCq InitiatorCQ InitiatorCq SRQ NdkSrq QPContext QPContext InitiatorQueueDepth InitiatorQueueDepth MaxInitiatorRequestSge MaxInitiatorRequestSge.

Message #

NDKPI Create QP: RequestContext %9 PD %1 ReceiveCQ %2 InitiatorCQ %3 SRQ %10 QPContext %4 InitiatorQueueDepth %6 MaxInitiatorRequestSge %8

Fields #

Name	Description
`NdkPd` Pointer	—
`ReceiveCq` Pointer	—
`InitiatorCq` Pointer	—
`QPContext` Pointer	—
`ReceiveQueueDepth` UInt32	—
`InitiatorQueueDepth` UInt32	—
`MaxReceiveRequestSge` UInt32	—
`MaxInitiatorRequestSge` UInt32	—
`RequestContext` Pointer	—
`NdkSrq` Pointer	—

Event ID 1274 — NDKPI Create PD: RequestContext RequestContext Adapter NdkObject.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Create_Pd

Description

NDKPI Create PD: RequestContext RequestContext Adapter NdkObject.

Message #

NDKPI Create PD: RequestContext %2 Adapter %1

Fields #

Name	Description
`NdkObject` Pointer	—
`RequestContext` Pointer	—

Event ID 1275 — NDKPI Create SharedEndpoint: RequestContext RequestContext Adapter NdkListener Address SockAddr.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Create_Shared_Endpoint

Description

NDKPI Create SharedEndpoint: RequestContext RequestContext Adapter NdkListener Address SockAddr.

Message #

NDKPI Create SharedEndpoint: RequestContext %4 Adapter %1 Address %3

Fields #

Name	Description
`NdkListener` Pointer	—
`SockAddrLength` UInt32	—
`SockAddr` Binary	—
`RequestContext` Pointer	—

Event ID 1276 — NDKPI Create Connector: RequestContext RequestContext Adapter NdkObject.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Create_Connector

Description

NDKPI Create Connector: RequestContext RequestContext Adapter NdkObject.

Message #

NDKPI Create Connector: RequestContext %2 Adapter %1

Fields #

Name	Description
`NdkObject` Pointer	—
`RequestContext` Pointer	—

Event ID 1277 — NDKPI Create Listener: RequestContext RequestContext Adapter NdkAdapter ConnectEventContext ConnectEventContext.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Create_Listener

Description

NDKPI Create Listener: RequestContext RequestContext Adapter NdkAdapter ConnectEventContext ConnectEventContext.

Message #

NDKPI Create Listener: RequestContext %3 Adapter %1 ConnectEventContext %2

Fields #

Name	Description
`NdkAdapter` Pointer	—
`ConnectEventContext` Pointer	—
`RequestContext` Pointer	—

Event ID 1278 — NDKPI Build LAM: RequestContext RequestContext Adapter NdkAdapter MDL Mdl Length Length LAMBuffer LAMBuffer LAMBufferSize LAMBufferSize.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Build_Lam

Description

NDKPI Build LAM: RequestContext RequestContext Adapter NdkAdapter MDL Mdl Length Length LAMBuffer LAMBuffer LAMBufferSize LAMBufferSize.

Message #

NDKPI Build LAM: RequestContext %4 Adapter %1 MDL %2 Length %3 LAMBuffer %5 LAMBufferSize %6

Fields #

Name	Description
`NdkAdapter` Pointer	—
`Mdl` Pointer	—
`Length` UInt64	—
`RequestContext` Pointer	—
`LAMBuffer` Pointer	—
`LAMBufferSize` UInt32	—

Event ID 1279 — NDKPI Release LAM: Adapter NdkAdapter LAMBuffer LAMBuffer.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Release_Lam

Description

NDKPI Release LAM: Adapter NdkAdapter LAMBuffer LAMBuffer.

Message #

NDKPI Release LAM: Adapter %1 LAMBuffer %2

Fields #

Name	Description
`NdkAdapter` Pointer	—
`LAMBuffer` Pointer	—

Event ID 1280 — NDKPI CQ Notification Callback: CqNotificationContext CqNotificationContext CqStatus CqStatus.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Cq_Notification_Callback

Description

NDKPI CQ Notification Callback: CqNotificationContext CqNotificationContext CqStatus CqStatus.

Message #

NDKPI CQ Notification Callback: CqNotificationContext %1 CqStatus %2

Fields #

Name	Description
`CqNotificationContext` Pointer	—
`CqStatus` UInt32	—

Event ID 1281 — NDKPI SRQ Notification Callback: SrqNotificationContext SrqNotificationContext SrqStatus SrqStatus.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Srq_Notification_Callback

Description

NDKPI SRQ Notification Callback: SrqNotificationContext SrqNotificationContext SrqStatus SrqStatus.

Message #

NDKPI SRQ Notification Callback: SrqNotificationContext %1 SrqStatus %2

Fields #

Name	Description
`SrqNotificationContext` Pointer	—
`SrqStatus` UInt32	—

Event ID 1282 — NDKPI Disconnect Event Callback: DisconnectEventContext DisconnectEventContext.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Disconnect_Event_Callback

Description

NDKPI Disconnect Event Callback: DisconnectEventContext DisconnectEventContext.

Message #

NDKPI Disconnect Event Callback: DisconnectEventContext %1

Fields #

Name	Description
`DisconnectEventContext` Pointer	—

Event ID 1283 — NDKPI Connect Event Callback: ConnectEventContext ConnectEventContext Connector NdkConnector.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Connect_Event_Callback

Description

NDKPI Connect Event Callback: ConnectEventContext ConnectEventContext Connector NdkConnector.

Message #

NDKPI Connect Event Callback: ConnectEventContext %1 Connector %2

Fields #

Name	Description
`ConnectEventContext` Pointer	—
`NdkConnector` Pointer	—

Event ID 1284 — NDKPI Got TokenType Token Token from NdkObjectType NdkObject.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Get_Token

Description

NDKPI Got TokenType Token Token from NdkObjectType NdkObject.

Message #

NDKPI Got %3 Token %4 from %2 %1

Fields #

Name	Description
`NdkObject` Pointer	—
`NdkObjectType` UInt32	—
`TokenType` UInt32	—
`Token` UInt32	—

Event ID 1285 — NDKPI Got SockAddrType Address SockAddr from NdkObjectType NdkObject.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Get_Sockaddr

Description

NDKPI Got SockAddrType Address SockAddr from NdkObjectType NdkObject.

Message #

NDKPI Got %3 Address %5 from %2 %1

Fields #

Name	Description
`NdkObject` Pointer	—
`NdkObjectType` UInt32	—
`SockAddrType` UInt32	—
`SockAddrLength` UInt32	—
`SockAddr` Binary	—

Event ID 1286 — NDKPI SockAddrType Address query failure Status on NdkObjectType NdkObject.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Get_Sockaddr_Failure

Description

NDKPI SockAddrType Address query failure Status on NdkObjectType NdkObject.

Message #

NDKPI %3 Address query failure %4 on %2 %1

Fields #

Name	Description
`NdkObject` Pointer	—
`NdkObjectType` UInt32	—
`SockAddrType` UInt32	—
`Status` UInt32	— NTSTATUS reference

Event ID 1287 — NDKPI Reject: Connector NdkConnector PrivateDataLength PrivateDataLength Status Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Reject

Description

NDKPI Reject: Connector NdkConnector PrivateDataLength PrivateDataLength Status Status.

Message #

NDKPI Reject: Connector %1 PrivateDataLength %2 Status %3

Fields #

Name	Description
`NdkConnector` Pointer	—
`PrivateDataLength` UInt32	—
`Status` UInt32	— NTSTATUS reference

Event ID 1288 — NDKPI Get Connect Data: Connector NdkConnector IRD IRD ORD ORD PrivateDataLength PrivateDataLength Status Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Get_Connect_Data

Description

NDKPI Get Connect Data: Connector NdkConnector IRD IRD ORD ORD PrivateDataLength PrivateDataLength Status Status.

Message #

NDKPI Get Connect Data: Connector %1 IRD %2 ORD %3 PrivateDataLength %4 Status %5

Fields #

Name	Description
`NdkConnector` Pointer	—
`IRD` UInt32	—
`ORD` UInt32	—
`PrivateDataLength` UInt32	—
`Status` UInt32	— NTSTATUS reference

Event ID 1289 — NDKPI Work Request Inline Failure: RequestContext RequestContext QP NdkQp Status Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Work_Request_Inline_Failure

Description

NDKPI Work Request Inline Failure: RequestContext RequestContext QP NdkQp Status Status.

Message #

NDKPI Work Request Inline Failure: RequestContext %2 QP %1 Status %3

Fields #

Name	Description
`NdkQp` Pointer	—
`RequestContext` Pointer	—
`Status` UInt32	— NTSTATUS reference

Event ID 1290 — NDKPI Bind: RequestContext RequestContext QP NdkQp MR NdkMr MW NdkMw VirtualAddress VirtualAddress Length Length Flags Flags.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Bind

Description

NDKPI Bind: RequestContext RequestContext QP NdkQp MR NdkMr MW NdkMw VirtualAddress VirtualAddress Length Length Flags Flags.

Message #

NDKPI Bind: RequestContext %2 QP %1 MR %3 MW %4 VirtualAddress %5 Length %6 Flags %7

Fields #

Name	Description
`NdkQp` Pointer	—
`RequestContext` Pointer	—
`NdkMr` Pointer	—
`NdkMw` Pointer	—
`VirtualAddress` Pointer	—
`Length` UInt64	—
`Flags` UInt32	—

Event ID 1291 — NDKPI FastRegister: RequestContext RequestContext QP NdkQp MR NdkMr AdapterPageCount AdapterPageCount AdapterPageArray AdapterPageArray FBO FBO Length Length BaseVirtualAddress BaseVirtualAddress F...

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Fast_Register

Description

NDKPI FastRegister: RequestContext RequestContext QP NdkQp MR NdkMr AdapterPageCount AdapterPageCount AdapterPageArray AdapterPageArray FBO FBO Length Length BaseVirtualAddress BaseVirtualAddress Flags Flags.

Message #

NDKPI FastRegister: RequestContext %2 QP %1 MR %3 AdapterPageCount %4 AdapterPageArray %5 FBO %6 Length %7 BaseVirtualAddress %8 Flags %9

Fields #

Name	Description
`NdkQp` Pointer	—
`RequestContext` Pointer	—
`NdkMr` Pointer	—
`AdapterPageCount` UInt32	—
`AdapterPageArray` Pointer	—
`FBO` UInt32	—
`Length` UInt64	—
`BaseVirtualAddress` Pointer	—
`Flags` UInt32	—

Event ID 1292 — NDKPI Invalidate: RequestContext RequestContext QP NdkQp NdkObjectType NdkObject Flags Flags.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Invalidate

Description

NDKPI Invalidate: RequestContext RequestContext QP NdkQp NdkObjectType NdkObject Flags Flags.

Message #

NDKPI Invalidate: RequestContext %2 QP %1 %4 %3 Flags %5

Fields #

Name	Description
`NdkQp` Pointer	—
`RequestContext` Pointer	—
`NdkObject` Pointer	—
`NdkObjectType` UInt32	—
`Flags` UInt32	—

Event ID 1293 — NDKPI Read (SGE SgeIndex/NumSge): RequestContext RequestContext QP NdkQp SGE SgeAddress/SgeLength/SgeMemoryRegionToken RemoteAddress RemoteAddress RemoteToken RemoteToken Flags Flags.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Read

Description

NDKPI Read (SGE SgeIndex/NumSge): RequestContext RequestContext QP NdkQp SGE SgeAddress/SgeLength/SgeMemoryRegionToken RemoteAddress RemoteAddress RemoteToken RemoteToken Flags Flags.

Message #

NDKPI Read (SGE %8/%6): RequestContext %2 QP %1 SGE %3/%4/%5 RemoteAddress %9 RemoteToken %10 Flags %7

Fields #

Name	Description
`NdkQp` Pointer	—
`RequestContext` Pointer	—
`SgeAddress` Pointer	—
`SgeLength` UInt32	—
`SgeMemoryRegionToken` UInt32	—
`NumSge` Int32	—
`Flags` UInt32	—
`SgeIndex` Int32	—
`RemoteAddress` UInt64	—
`RemoteToken` UInt32	—

Event ID 1294 — NDKPI Write (SGE SgeIndex/NumSge): RequestContext RequestContext QP NdkQp SGE SgeAddress/SgeLength/SgeMemoryRegionToken RemoteAddress RemoteAddress RemoteToken RemoteToken Flags Flags.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Write

Description

NDKPI Write (SGE SgeIndex/NumSge): RequestContext RequestContext QP NdkQp SGE SgeAddress/SgeLength/SgeMemoryRegionToken RemoteAddress RemoteAddress RemoteToken RemoteToken Flags Flags.

Message #

NDKPI Write (SGE %8/%6): RequestContext %2 QP %1 SGE %3/%4/%5 RemoteAddress %9 RemoteToken %10 Flags %7

Fields #

Name	Description
`NdkQp` Pointer	—
`RequestContext` Pointer	—
`SgeAddress` Pointer	—
`SgeLength` UInt32	—
`SgeMemoryRegionToken` UInt32	—
`NumSge` Int32	—
`Flags` UInt32	—
`SgeIndex` Int32	—
`RemoteAddress` UInt64	—
`RemoteToken` UInt32	—

Event ID 1295 — NDKPI SRQ Receive (SGE SgeIndex/NumSge): RequestContext RequestContext SRQ NdkSrq SGE SgeAddress/SgeLength/SgeMemoryRegionToken.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_SrqReceive

Description

NDKPI SRQ Receive (SGE SgeIndex/NumSge): RequestContext RequestContext SRQ NdkSrq SGE SgeAddress/SgeLength/SgeMemoryRegionToken.

Message #

NDKPI SRQ Receive (SGE %8/%6): RequestContext %2 SRQ %1 SGE %3/%4/%5

Fields #

Name	Description
`NdkSrq` Pointer	—
`RequestContext` Pointer	—
`SgeAddress` Pointer	—
`SgeLength` UInt32	—
`SgeMemoryRegionToken` UInt32	—
`NumSge` Int32	—
`Flags` UInt32	—
`SgeIndex` Int32	—

Event ID 1296 — NDKPI SRQ Work Request Inline Failure: RequestContext RequestContext SRQ NdkSrq Status Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Srq_Work_Request_Inline_Failure

Description

NDKPI SRQ Work Request Inline Failure: RequestContext RequestContext SRQ NdkSrq Status Status.

Message #

NDKPI SRQ Work Request Inline Failure: RequestContext %2 SRQ %1 Status %3

Fields #

Name	Description
`NdkSrq` Pointer	—
`RequestContext` Pointer	—
`Status` UInt32	— NTSTATUS reference

Event ID 1297 — NDKPI Open Adapter: InterfaceIndex InterfaceIndex Adapter NdkAdapter Status Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Open_Adapter

Description

NDKPI Open Adapter: InterfaceIndex InterfaceIndex Adapter NdkAdapter Status Status.

Message #

NDKPI Open Adapter: InterfaceIndex %1 Adapter %2 Status %3

Fields #

Name	Description
`InterfaceIndex` UInt32	—
`NdkAdapter` Pointer	—
`Status` UInt32	— NTSTATUS reference

Event ID 1298 — NDKPI Close Adapter (Enter): Adapter NdkAdapter.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Close_Adapter_Enter

Description

NDKPI Close Adapter (Enter): Adapter NdkAdapter.

Message #

NDKPI Close Adapter (Enter): Adapter %1

Fields #

Name	Description
`NdkAdapter` Pointer	—

Event ID 1299 — NDKPI Close Adapter (Exit): Adapter NdkAdapter.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Close_Adapter_Exit

Description

NDKPI Close Adapter (Exit): Adapter NdkAdapter.

Message #

NDKPI Close Adapter (Exit): Adapter %1

Fields #

Name	Description
`NdkAdapter` Pointer	—

Event ID 1300 — TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) exists.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpConnectionRundown

Description

TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) exists. State = State. PID = Pid.

Message #

TCP: connection %1 (local=%3 remote=%5) exists. State = %6. PID = %7.

Fields #

Name	Description
`Tcb` Pointer	—
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`State` UInt32	—
`Pid` UInt32	—
`ProcessStartKey` UInt64	—
`SendTrackerEnabled` UInt32	—
`RcvBufSet` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1300",
    "version": "2",
    "level": "4",
    "task": "1300",
    "opcode": "0",
    "keywords": 9223372054034646148,
    "time_created": "2026-03-16T00:21:34.294712000+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{1cf5fec0-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "9132",
      "thread_id": "4236"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A1CF5FEC0",
    "LocalAddressLength": "      16",
    "LocalAddress": "10.2.10.21:52992",
    "RemoteAddressLength": "      16",
    "RemoteAddress": "10.2.10.11:49669",
    "State": "      10",
    "Pid": "       0",
    "ProcessStartKey": "0",
    "SendTrackerEnabled": "       0"
  },
  "message": ""
}

Event ID 1301 — NDKPI Interface Event: InterfaceIndex InterfaceIndex, NDK-Operational NDKOperational, EventDescription (StatusCode).

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Interface_Event

Description

NDKPI Interface Event: InterfaceIndex InterfaceIndex, NDK-Operational NDKOperational, EventDescription (StatusCode).

Message #

NDKPI Interface Event: InterfaceIndex %1, NDK-Operational %3, %2 (%4)

Fields #

Name	Description
`InterfaceIndex` UInt32	—
`EventDescription` UInt32	—
`NDKOperational` UInt32	—
`StatusCode` UInt32	—

Event ID 1302 — Network adapter Luid AdapterLuid received a wake packet matching pattern PatternFriendlyName.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipWakePacketIndicated

Description

Network adapter Luid AdapterLuid received a wake packet matching pattern PatternFriendlyName. Protocol: Protocol. Destination MAC address: DestDLAddress. Source: SrcAddress : SrcPort, Destination: DestAddress : DestPort.

Message #

Network adapter Luid %1 received a wake packet matching pattern %2. Protocol: %8. Destination MAC address: %5. Source: %6 : %9, Destination: %7 : %10.

Fields #

Name	Description
`AdapterLuid` UInt64	—
`PatternFriendlyName` UnicodeString	—
`DlAddrLength` UInt32	—
`SrcDLAddress` Binary	—
`DestDLAddress` Binary	—
`SrcAddress` UInt32	—
`DestAddress` UInt32	—
`Protocol` UInt32	— Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`SrcPort` UInt16	—
`DestPort` UInt16	—

Event ID 1302 — Network adapter Luid .

Provider: Microsoft-Windows-TCPIP
Channel: Operational
Task: TcpipWakePacketIndicated

Description

Network adapter Luid received a wake packet matching pattern . Protocol: . Destination MAC address: . Source: : , Destination: : .

Fields #

Name	Description
`AdapterLuid` UInt64	—
`PatternFriendlyName` UnicodeString	—
`DlAddrLength` UInt32	—
`SrcDLAddress` Binary	—
`DestDLAddress` Binary	—
`SrcAddress` UInt32	—
`DestAddress` UInt32	—
`Protocol` UInt32	— Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`SrcPort` UInt16	—
`DestPort` UInt16	—

Event ID 1303 — Network adapter Luid AdapterLuid received a wake packet matching pattern PatternFriendlyName.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipWakePacketIndicated

Description

Message #

Network adapter Luid %1 received a wake packet matching pattern %2. Protocol: %9. Destination MAC address: %5. Source: %7 : %10, Destination %8 : %11.

Fields #

Name	Description
`AdapterLuid` UInt64	—
`PatternFriendlyName` UnicodeString	—
`DlAddrLength` UInt32	—
`SrcDLAddress` Binary	—
`DestDLAddress` Binary	—
`IpAddrLength` UInt32	—
`SrcAddress` Binary	—
`DestAddress` Binary	—
`Protocol` UInt32	— Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`SrcPort` UInt16	—
`DestPort` UInt16	—

Event ID 1303 — Network adapter Luid .

Provider: Microsoft-Windows-TCPIP
Channel: Operational
Task: TcpipWakePacketIndicated

Description

Network adapter Luid received a wake packet matching pattern . Protocol: . Destination MAC address: . Source: : , Destination : .

Fields #

Name	Description
`AdapterLuid` UInt64	—
`PatternFriendlyName` UnicodeString	—
`DlAddrLength` UInt32	—
`SrcDLAddress` Binary	—
`DestDLAddress` Binary	—
`IpAddrLength` UInt32	—
`SrcAddress` Binary	—
`DestAddress` Binary	—
`Protocol` UInt32	— Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`SrcPort` UInt16	—
`DestPort` UInt16	—

Event ID 1304 — TCP: Connection Tcb: Silent Mode SilentModeEvent Context Context.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipSilentMode

Description

TCP: Connection Tcb: Silent Mode SilentModeEvent Context Context.

Message #

TCP: Connection %1: Silent Mode %2 Context %3

Fields #

Name	Description
`Tcb` Pointer	—
`SilentModeEvent` UInt32	—
`Context` Pointer	—

Event ID 1305 — TCP: Connection Tcb notification channel request.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpCreateNotificationChannelRequest

Description

TCP: Connection Tcb notification channel request. NcmContext = NcmContext, TCB State = State, PID = Pid, IsLoopback = IsLoopback, Status = Status.

Message #

TCP: Connection %1 notification channel request. NcmContext = %2, TCB State = %3, PID = %4, IsLoopback = %5, Status = %7.

Fields #

Name	Description
`Tcb` Pointer	—
`NcmContext` Pointer	—
`State` UInt32	—
`Pid` UInt32	—
`IsLoopback` UInt32	—
`ChannelStatus` UInt32	—
`Status` UInt32	— NTSTATUS reference

Event ID 1306 — TCP: Connection Tcb query notification channel status request.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpQueryNotificationChannelStatusRequest

Description

TCP: Connection Tcb query notification channel status request. NcmContext = NcmContext, PID = Pid, Channel Status = ChannelStatus, Status = Status.

Message #

TCP: Connection %1 query notification channel status request. NcmContext = %2, PID = %4, Channel Status = %6, Status = %7.

Fields #

Name	Description
`Tcb` Pointer	—
`NcmContext` Pointer	—
`State` UInt32	—
`Pid` UInt32	—
`IsLoopback` UInt32	—
`ChannelStatus` UInt32	—
`Status` UInt32	— NTSTATUS reference

Event ID 1307 — TCP: Connection Tcb notification channel request processed.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpCreateNotificationChannelRequestProcessed

Description

TCP: Connection Tcb notification channel request processed. NcmContext = NcmContext, PID = Pid, Status = Status PushNotificationId = PushNotificationGuid.

Message #

TCP: Connection %1 notification channel request processed. NcmContext = %2, PID = %3, Status = %4 PushNotificationId = %5.

Fields #

Name	Description
`Tcb` Pointer	—
`NcmContext` Pointer	—
`Pid` UInt32	—
`Status` UInt32	— NTSTATUS reference
`PushNotificationGuid` GUID	—

Event ID 1308 — TCP: Connection Tcb notification channel signal event.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpSignalNotificationChannelEvent

Description

TCP: Connection Tcb notification channel signal event. NcmContext = NcmContext, PID = Pid, RcvNxt = RcvNxt, Delivered Data = Delivered, Indicated Data = Indicated, FinalEvent = FinalEvent.

Message #

TCP: Connection %1 notification channel signal event. NcmContext = %2, PID = %3, RcvNxt = %4, Delivered Data = %5, Indicated Data = %6, FinalEvent = %7.

Fields #

Name	Description
`Tcb` Pointer	—
`NcmContext` Pointer	—
`Pid` UInt32	—
`RcvNxt` UInt32	—
`Delivered` UInt32	—
`Indicated` UInt32	—
`FinalEvent` UInt32	—

Event ID 1309 — TCP: Connection Tcb notification channel detached.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpDetachNotificationChannel

Description

TCP: Connection Tcb notification channel detached. NcmContext = NcmContext, TCB State = State. Cleanup NcmContext = IsLoopback.

Message #

TCP: Connection %1 notification channel detached. NcmContext = %2, TCB State = %3. Cleanup NcmContext = %5

Fields #

Name	Description
`Tcb` Pointer	—
`NcmContext` Pointer	—
`State` UInt32	—
`Pid` UInt32	—
`IsLoopback` UInt32	—
`ChannelStatus` UInt32	—
`Status` UInt32	— NTSTATUS reference

Event ID 1310 — TCP: Connection Tcb notification channel unlinked.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpUnlinkNotificationChannel

Description

TCP: Connection Tcb notification channel unlinked. TCB State = State.

Message #

TCP: Connection %1 notification channel unlinked. TCB State = %3.

Fields #

Name	Description
`Tcb` Pointer	—
`NcmContext` Pointer	—
`State` UInt32	—
`Pid` UInt32	—
`IsLoopback` UInt32	—
`ChannelStatus` UInt32	—
`Status` UInt32	— NTSTATUS reference

Event ID 1311 — TCP: Connection Tcb notification channel wake pattern plumbing.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpPlumbWakePattern

Description

TCP: Connection Tcb notification channel wake pattern plumbing. SystemReserved = SystemReserved, Wake-on-Lan Handle = WolHandle, Status = Status.

Message #

TCP: Connection %1 notification channel wake pattern plumbing. SystemReserved = %2, Wake-on-Lan Handle = %3, Status = %4.

Fields #

Name	Description
`Tcb` Pointer	—
`SystemReserved` UInt32	—
`WolHandle` UInt32	—
`Status` UInt32	— NTSTATUS reference

Event ID 1312 — TCP: Connection Tcb notification channel wake pattern deplumbing.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpDeplumbWakePattern

Description

TCP: Connection Tcb notification channel wake pattern deplumbing. Wake-on-Lan Handle = WolHandle, Status = Status.

Message #

TCP: Connection %1 notification channel wake pattern deplumbing. Wake-on-Lan Handle = %3, Status = %4.

Fields #

Name	Description
`Tcb` Pointer	—
`SystemReserved` UInt32	—
`WolHandle` UInt32	—
`Status` UInt32	— NTSTATUS reference

Event ID 1313 — TCPIP: Interface index InterfaceIndex wake pattern properties.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipPlumbWakePatternOnInterface

Message #

TCPIP: Interface index %1 wake pattern properties. AOAC capable = %2, Bitmap pattern supported = %3, ARP/ND offload supported = %4, IP address = %9 %11 %10 wake ready = %5, pattern priority = %6, interface medium = %7, Status = %12.

Fields #

Name	Description
`InterfaceIndex` UInt32	—
`AoAcCapable` UInt32	—
`BitmapPatternSupported` UInt32	—
`ARPNDOffloadSupported` UInt32	—
`IPAddressWakeReady` UInt32	—
`PatternPriority` UInt32	—
`PhysicalMediumType` UInt32	—
`IpAddrLength` UInt32	—
`IPv4Address` UInt32	—
`IPv6Address` Binary	—
`IPProtocol` UInt32	—
`Status` UInt32	— NTSTATUS reference
`HasBeenAoAcCapable` UInt32	—
`WolHandle` UInt32	—

Event ID 1314 — NDKPI Control CQ Interrupt Moderation: CQ NdkCq Interval ModerationInterval Count ModerationCount Status Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Control_Cq_Im

Description

NDKPI Control CQ Interrupt Moderation: CQ NdkCq Interval ModerationInterval Count ModerationCount Status Status.

Message #

NDKPI Control CQ Interrupt Moderation: CQ %1 Interval %2 Count %3 Status %4

Fields #

Name	Description
`NdkCq` Pointer	—
`ModerationInterval` UInt32	—
`ModerationCount` UInt32	—
`Status` UInt32	— NTSTATUS reference

Event ID 1315 — TCP: Connection Tcb notification channel request processing.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpCreateNotificationChannelRequestProcessing

Description

TCP: Connection notification channel request processing. IsRedirected = , WfpFailure = , Status = , WaitStatus = , Local IP address = , Remote IP address = Local Port = , Remote Port = .

Message #

TCP: Connection %1 notification channel request processing. IsRedirected = %2, WfpFailure = %3, Status = %4, WaitStatus = %5, Local IP address = %7 %9 %8, Remote IP address = %10 %9 %11 Local Port = %12, Remote Port = %13.

Fields #

Name	Description
`Tcb` Pointer	—
`IsRedirected` UInt32	—
`WfpFailure` UInt32	—
`Status` UInt32	— NTSTATUS reference
`WaitStatus` UInt32	—
`IpAddrLength` UInt32	—
`LocalIPv4Address` UInt32	—
`LocalIPv6Address` Binary	—
`IPProtocol` UInt32	—
`RemoteIPv4Address` UInt32	—
`RemoteIPv6Address` Binary	—
`SrcPort` UInt16	—
`DestPort` UInt16	—

Event ID 1316 — IP: IP address lifetime = IPv4Address IPProtocol IPv6Address on interface = Interface, protocol = Protocol, CurrentTime = CurrentTime Old BaseTime = OldBaseTime Old ValidTime = OldValidTime New Bas...

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipIpAddressLifetime

Description

IP: IP address lifetime = IPv4Address IPProtocol IPv6Address on interface = Interface, protocol = Protocol, CurrentTime = CurrentTime Old BaseTime = OldBaseTime Old ValidTime = OldValidTime New BaseTime = NewBaseTime New ValidTime = NewValidTime.

Message #

IP: IP address lifetime = %4 %6 %5 on interface = %1, protocol = %2, CurrentTime = %7 Old BaseTime = %8 Old ValidTime = %9 New BaseTime = %11 New ValidTime = %12.

Fields #

Name	Description
`Interface` UInt32	—
`Protocol` AnsiString	— Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`IpAddrLength` UInt32	—
`IPv4Address` UInt32	—
`IPv6Address` Binary	—
`IPProtocol` UInt32	—
`CurrentTime` UInt32	—
`OldBaseTime` UInt32	—
`OldValidTime` UInt32	—
`OldPreferredTime` UInt32	—
`NewBaseTime` UInt32	—
`NewValidTime` UInt32	—
`NewPreferredTime` UInt32	—
`InterfaceGuid` GUID	—
`IpAddressLifetimeChangeReason` UInt32	—

Event ID 1317 — TCP: Repartition event Event (Type) OldPartitionCount.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpRepartitionEvent

Description

TCP: Repartition event Event (Type) OldPartitionCount.

Message #

TCP: Repartition event %1 (%2) %5.

Fields #

Name	Description
`Event` Pointer	—
`Type` UInt32	—
`Processor` UInt32	—
`PowerSource` UInt32	—
`OldPartitionCount` UInt32	—
`NewPartitionCount` UInt32	—
`Progress` UInt32	—

Event ID 1318 — Component PowerStateTransition on processor IndicatingProcessor at Tick = CurrentTick Time = CurrentTime.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipPowerStateTransitionEvent

Description

Component PowerStateTransition on processor IndicatingProcessor at Tick = CurrentTick Time = CurrentTime.

Message #

%1 %2 on processor %3 at Tick = %4 Time = %5.

Fields #

Name	Description
`Component` UInt32	—
`PowerStateTransition` UInt32	—
`IndicatingProcessor` UInt32	—
`CurrentTick` UInt32	—
`CurrentTime` UInt64	—

Event ID 1319 — Component timer rescheduled by processor Indicating Processor for processor Target Processor at Tick = Current Tick to Tick = Next Expiration Tick, OldScheduledExpiration = Old Scheduled Expiration...

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Verbose
Task: TcpipTimerDpcRescheduleEvent

Description

Component timer rescheduled by processor Indicating Processor for processor Target Processor at Tick = Current Tick to Tick = Next Expiration Tick, OldScheduledExpiration = Old Scheduled Expiration NewScheduledExpiration = New Scheduled Expiration DueTime = Due Time Aperiodic = Aperiodic.

Message #

%1 timer rescheduled by processor %2 for processor %3 at Tick = %4 to Tick = %5, OldScheduledExpiration = %6 NewScheduledExpiration = %7 DueTime = %8 Aperiodic = %9.

Fields #

Name	Description
`Component` UInt32	—
`Indicating Processor`	—
`Target Processor`	—
`Current Tick`	—
`Next Expiration Tick`	—
`Old Scheduled Expiration`	—
`New Scheduled Expiration`	—
`Due Time`	—
`Aperiodic` UInt32	—
`IndicatingProcessor` UInt32	—
`TargetProcessor` UInt32	—
`CurrentTick` UInt32	—
`NextExpirationTick` UInt32	—
`DueTime` Int64	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1319",
    "version": "0",
    "level": "5",
    "task": "1460",
    "opcode": "0",
    "keywords": 9223372586610589696,
    "time_created": "2026-03-16T00:21:34.388840200+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}"
    },
    "execution": {
      "process_id": "4168",
      "thread_id": "6880"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Component": "       1",
    "Indicating Processor": "       9",
    "Target Processor": "      10",
    "Current Tick": "57753289",
    "Next Expiration Tick": "57753299",
    "Old Scheduled Expiration": "577539799250",
    "New Scheduled Expiration": "577532789097",
    "Due Time": "-100000",
    "Aperiodic": "       1"
  },
  "message": ""
}

Event ID 1320 — Component timer fired on processor Target Processor at Tick = Current Tick, was scheduled for = Next Expiration.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Verbose
Task: TcpipTimerDpcFiredEvent

Description

Component timer fired on processor Target Processor at Tick = Current Tick, was scheduled for = Next Expiration.

Message #

%1 timer fired on processor %2 at Tick = %3, was scheduled for = %4.

Fields #

Name	Description
`Component` UInt32	—
`Target Processor`	—
`Current Tick`	—
`Next Expiration`	—
`Current Interrupt Time`	—
`Scheduled Expiration Time`	—
`External Trigger`	—
`TargetProcessor` UInt32	—
`CurrentTick` UInt32	—
`NextExpiration` UInt32	—
`ExternalTrigger` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1320",
    "version": "0",
    "level": "5",
    "task": "1461",
    "opcode": "0",
    "keywords": 9223372586610589696,
    "time_created": "2026-03-16T00:21:34.401656600+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Component": "       1",
    "Target Processor": "      10",
    "Current Tick": "57753302",
    "Next Expiration": "57753299",
    "Current Interrupt Time": "577532821643",
    "Scheduled Expiration Time": "577532789097",
    "External Trigger": "       0"
  },
  "message": ""
}

Event ID 1321 — IP: Connecting interface InterfaceIndex, trace = TraceString.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipMediaConnect

Description

IP: Connecting interface InterfaceIndex, trace = TraceString.

Message #

IP: Connecting interface %1, trace = %2.

Fields #

Name	Description
`InterfaceIndex` UInt32	—
`TraceString` AnsiString	—
`CompartmentId` UInt32	—

Event ID 1322 — IP: Limited link connectivity set on interface InterfaceIndex, trace = TraceString.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipLimitedLinkConnectivity

Description

IP: Limited link connectivity set on interface InterfaceIndex, trace = TraceString.

Message #

IP: Limited link connectivity set on interface %1, trace = %2.

Fields #

Name	Description
`InterfaceIndex` UInt32	—
`TraceString` AnsiString	—
`CompartmentId` UInt32	—

Event ID 1323 — IP: Limited link connectivity reset on interface InterfaceIndex, trace = TraceString.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipLimitedLinkConnectivity

Description

IP: Limited link connectivity reset on interface InterfaceIndex, trace = TraceString.

Message #

IP: Limited link connectivity reset on interface %1, trace = %2.

Fields #

Name	Description
`InterfaceIndex` UInt32	—
`TraceString` AnsiString	—
`CompartmentId` UInt32	—

Event ID 1324 — IP: Neighbor with IpAddress = IP Address DlAddress = DL Address on Interface = Interface changed state from Old Neighbor State to New Neighbor State due to Event = Neighbor Event.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: IpNeighborState

Description

IP: Neighbor with IpAddress = IP Address DlAddress = DL Address on Interface = Interface changed state from Old Neighbor State to New Neighbor State due to Event = Neighbor Event.

Message #

IP: Neighbor with IpAddress = %3 DlAddress = %5 on Interface = %1 changed state from %6 to %7 due to Event = %8.

Fields #

Name	Description
`Interface` UInt32	—
`IpAddrLength` UInt32	—
`IP Address`	—
`DlAddrLength` UInt32	—
`DL Address`	—
`Old Neighbor State`	—
`New Neighbor State`	—
`Neighbor Event`	—
`CompartmentId` UInt32	—
`IPAddress` Binary	—
`DLAddress` Binary	—
`OldNeighborState` UInt32	—
`NewNeighborState` UInt32	—
`NeighborEvent` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1324",
    "version": "1",
    "level": "4",
    "task": "1324",
    "opcode": "0",
    "keywords": 9223372036854775840,
    "time_created": "2026-03-16T00:22:30.711141200+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Interface": "       6",
    "IpAddrLength": "      16",
    "IP Address": "10.2.10.11",
    "DlAddrLength": "       6",
    "DL Address": "0xBC241141F258",
    "Old Neighbor State": "       5",
    "New Neighbor State": "       2",
    "Neighbor Event": "       9",
    "CompartmentId": "       1"
  },
  "message": ""
}

Event ID 1325 — IP: Neighbor Event on Interface = Interface from SourceIpAddress = Source IP Address for TargetIpAddress = Target IP Address.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Verbose
Task: IpNeighborDiscovery

Description

IP: Neighbor Event on Interface = Interface from SourceIpAddress = Source IP Address for TargetIpAddress = Target IP Address.

Message #

IP: %5 on Interface = %1 from SourceIpAddress = %3 for TargetIpAddress = %4.

Fields #

Name	Description
`Interface` UInt32	—
`IpAddrLength` UInt32	—
`Source IP Address`	—
`Target IP Address`	—
`Neighbor Event`	—
`CompartmentId` UInt32	—
`SourceIPAddress` Binary	—
`TargetIPAddress` Binary	—
`NeighborEvent` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1325",
    "version": "1",
    "level": "5",
    "task": "1325",
    "opcode": "0",
    "keywords": 9223372036854775840,
    "time_created": "2026-03-16T00:21:59.242716700+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Interface": "       6",
    "IpAddrLength": "      16",
    "Source IP Address": "10.2.10.254",
    "Target IP Address": "10.2.10.21",
    "Neighbor Event": "      12",
    "CompartmentId": "       1"
  },
  "message": ""
}

Event ID 1326 — IP: Source address PreferredSourceIPAddress is preferred over NonPreferredSourceIPAddress for Destination DestinationIPAddress in Compartment CompartmentId, Reason: RuleName.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpSourceAddressSelection

Description

IP: Source address PreferredSourceIPAddress is preferred over NonPreferredSourceIPAddress for Destination DestinationIPAddress in Compartment CompartmentId, Reason: RuleName (Rule Rule.RuleExtension).

Message #

IP: Source address %2 is preferred over %3 for Destination %4 in Compartment %5, Reason: %8 (Rule %6.%7).

Fields #

Name	Description
`IpAddrLength` UInt32	—
`PreferredSourceIPAddress` Binary	—
`NonPreferredSourceIPAddress` Binary	—
`DestinationIPAddress` Binary	—
`CompartmentId` UInt32	—
`Rule` UInt32	—
`RuleExtension` UInt32	—
`RuleName` UInt32	—

Event ID 1327 — IP: Address pair (Preferred Source IP Address, Preferred Destination IP Address) is preferred over (Non-Preferred Source IP Address, Non-Preferred Destination IP Address) by SortOptions = Sort Opti...

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Verbose
Task: IpSortedAddressPairs

Description

IP: Address pair (Preferred Source IP Address, Preferred Destination IP Address) is preferred over (Non-Preferred Source IP Address, Non-Preferred Destination IP Address) by SortOptions = Sort Option, Rule = Rule Type Rule Major.Rule Minor.

Message #

IP: Address pair (%2, %3) is preferred over (%4, %5) by SortOptions = %6, Rule = %7 %8.%9.

Fields #

Name	Description
`IpAddrLength` UInt32	—
`Preferred Source IP Address`	—
`Preferred Destination IP Address`	—
`Non-Preferred Source IP Address`	—
`Non-Preferred Destination IP Address`	—
`Sort Option`	—
`Rule Type`	—
`Rule Major`	—
`Rule Minor`	—
`RuleName` UInt32	—
`PreferredSourceIPAddress` Binary	—
`PreferredDestinationIPAddress` Binary	—
`NonPreferredSourceIPAddress` Binary	—
`NonPreferredDestinationIPAddress` Binary	—
`SortOption` UInt32	—
`RuleType` AnsiString	—
`RuleMajor` UInt32	—
`RuleMinor` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1327",
    "version": "1",
    "level": "5",
    "task": "1327",
    "opcode": "0",
    "keywords": 9223372036854775840,
    "time_created": "2026-03-16T00:23:59.745142800+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}"
    },
    "execution": {
      "process_id": "1992",
      "thread_id": "6452"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "IpAddrLength": "      28",
    "Preferred Source IP Address": "::ffff:10.2.10.21",
    "Preferred Destination IP Address": "::ffff:192.228.79.201",
    "Non-Preferred Source IP Address": "::",
    "Non-Preferred Destination IP Address": "2001:478:65::53",
    "Sort Option": "       0",
    "Rule Type": "D",
    "Rule Major": "       1",
    "Rule Minor": "       0",
    "RuleName": "      16"
  },
  "message": ""
}

Event ID 1328 — NDKPI ResultEx ResultIndex/ResultCount: CQ NdkCq RequestContext RequestContext Status Status BytesTransferred BytesTransferred QpContext QpContext Type Type TypeSpecific TypeSpecificCompletionOutput.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Cq_Result_Ex

Description

NDKPI ResultEx ResultIndex/ResultCount: CQ NdkCq RequestContext RequestContext Status Status BytesTransferred BytesTransferred QpContext QpContext Type Type TypeSpecific TypeSpecificCompletionOutput.

Message #

NDKPI ResultEx %6/%7: CQ %1 RequestContext %5 Status %2 BytesTransferred %3 QpContext %4 Type %8 TypeSpecific %9

Fields #

Name	Description
`NdkCq` Pointer	—
`Status` UInt32	— NTSTATUS reference
`BytesTransferred` UInt32	—
`QpContext` Pointer	—
`RequestContext` Pointer	—
`ResultIndex` Int32	—
`ResultCount` Int32	—
`Type` UInt32	—
`TypeSpecificCompletionOutput` UInt64	—
`ProviderErrorCode` UInt32	—

Event ID 1329 — NDKPI SendInvalidate (SGE SgeIndex/NumSge): RequestContext RequestContext QP NdkQp SGE SgeAddress/SgeLength/SgeMemoryRegionToken RemoteToken RemoteToken Flags Flags.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Send_Invalidate

Description

NDKPI SendInvalidate (SGE SgeIndex/NumSge): RequestContext RequestContext QP NdkQp SGE SgeAddress/SgeLength/SgeMemoryRegionToken RemoteToken RemoteToken Flags Flags.

Message #

NDKPI SendInvalidate (SGE %8/%6): RequestContext %2 QP %1 SGE %3/%4/%5 RemoteToken %9 Flags %7

Fields #

Name	Description
`NdkQp` Pointer	—
`RequestContext` Pointer	—
`SgeAddress` Pointer	—
`SgeLength` UInt32	—
`SgeMemoryRegionToken` UInt32	—
`NumSge` Int32	—
`Flags` UInt32	—
`SgeIndex` Int32	—
`RemoteToken` UInt32	—

Event ID 1330 — TCP: connection Tcb: Cumulative Ack event, SeqNo = SeqNo, BytesAcked = BytesAcked, CWnd = Cwnd, SndWnd =SndWnd.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpDataTransferCumAck

Description

TCP: connection Tcb: Cumulative Ack event, SeqNo = SeqNo, BytesAcked = BytesAcked, CWnd = Cwnd, SndWnd =SndWnd.

Message #

TCP: connection %1: Cumulative Ack event, SeqNo = %5, BytesAcked = %4, CWnd = %2, SndWnd =%3.

Fields #

Name	Description
`Tcb` Pointer	—
`Cwnd` UInt32	—
`SndWnd` UInt32	—
`BytesAcked` UInt32	—
`SeqNo` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1330",
    "version": "0",
    "level": "4",
    "task": "1071",
    "opcode": "0",
    "keywords": 9223372041149743104,
    "time_created": "2026-03-16T00:21:34.390572700+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{1018b560-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "4248",
      "thread_id": "4684"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A1018B560",
    "Cwnd": " 2110976",
    "SndWnd": " 2110976",
    "BytesAcked": "    1303",
    "SeqNo": "2307521250"
  },
  "message": ""
}

Event ID 1331 — TCP: connection Tcb: CTCP Cumulative Ack event, SeqNo = SeqNo, BytesAcked = BytesAcked, CWnd = Cwnd, SndWnd =SndWnd.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpCtcpDataTransferCumAck

Description

TCP: connection Tcb: CTCP Cumulative Ack event, SeqNo = SeqNo, BytesAcked = BytesAcked, CWnd = Cwnd, SndWnd =SndWnd.

Message #

TCP: connection %1: CTCP Cumulative Ack event, SeqNo = %5, BytesAcked = %4, CWnd = %2, SndWnd =%3.

Fields #

Name	Description
`Tcb` Pointer	—
`Cwnd` UInt32	—
`SndWnd` UInt32	—
`BytesAcked` UInt32	—
`SeqNo` UInt32	—

Event ID 1332 — TCP: connection Tcb: TCP send event, SeqNo = SeqNo, BytesSent = BytesSent, CWnd = Cwnd, SndWnd = SndWnd, SRtt = SRtt, RttVar = RttVar, RTO = RTO.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpDataTransferSend

Description

TCP: connection Tcb: TCP send event, SeqNo = SeqNo, BytesSent = BytesSent, CWnd = Cwnd, SndWnd = SndWnd, SRtt = SRtt, RttVar = RttVar, RTO = RTO.

Message #

TCP: connection %1: TCP send event, SeqNo = %5, BytesSent = %4, CWnd = %2, SndWnd = %3, SRtt = %6, RttVar = %7, RTO = %8

Fields #

Name	Description
`Tcb` Pointer	—
`Cwnd` UInt32	—
`SndWnd` UInt32	—
`BytesSent` UInt32	—
`SeqNo` UInt32	—
`SRtt` UInt32	—
`RttVar` UInt32	—
`RTO` UInt32	—
`RcvWnd` UInt32	—
`PacingRate` UInt32	—
`TcpState` UInt32	—
`CongestionState` UInt32	—
`SndUna` UInt32	—
`SndMax` UInt32	—
`RecoveryMax` UInt32	—
`RcvBufSet` UInt32	—
`MaxRcvBuf` UInt32	—
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1332",
    "version": "1",
    "level": "4",
    "task": "1073",
    "opcode": "0",
    "keywords": 9223372041149743104,
    "time_created": "2026-03-15T23:26:13.266633700+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{ff7af7e0-d78f-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFFD78FFF7AF7E0",
    "Cwnd": " 1705088",
    "SndWnd": " 1705088",
    "BytesSent": "       0",
    "SeqNo": "644684595",
    "SRtt": "     596",
    "RttVar": "     279",
    "RTO": "      60",
    "RcvWnd": "  261882"
  },
  "message": ""
}

Event ID 1333 — TCP: connection Tcb: TCP CTCP send event, SeqNo = SeqNo, BytesSent = BytesSent, CWnd = Cwnd, SndWnd = SndWnd, SRtt = SRtt, RttVar = RttVar, RTO = RTO.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpCtcpDataTransferSend

Description

TCP: connection Tcb: TCP CTCP send event, SeqNo = SeqNo, BytesSent = BytesSent, CWnd = Cwnd, SndWnd = SndWnd, SRtt = SRtt, RttVar = RttVar, RTO = RTO.

Message #

TCP: connection %1: TCP CTCP send event, SeqNo = %5, BytesSent = %4, CWnd = %2, SndWnd = %3, SRtt = %6, RttVar = %7, RTO = %8.

Fields #

Name	Description
`Tcb` Pointer	—
`Cwnd` UInt32	—
`SndWnd` UInt32	—
`BytesSent` UInt32	—
`SeqNo` UInt32	—
`SRtt` UInt32	—
`RttVar` UInt32	—
`RTO` UInt32	—
`RcvWnd` UInt32	—

Event ID 1334 — UDP: Endpoint UdpEndpoint notification channel request.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: UdpCreateNotificationChannelRequest

Description

UDP: Endpoint UdpEndpoint notification channel request. NcmContext = NcmContext, Endpoint State = Activated, PID = Pid, IsLoopback = IsLoopback, Status = Status.

Message #

UDP: Endpoint %1 notification channel request. NcmContext = %2, Endpoint State = %3, PID = %4, IsLoopback = %5, Status = %7.

Fields #

Name	Description
`UdpEndpoint` Pointer	—
`NcmContext` Pointer	—
`Activated` UInt32	—
`Pid` UInt32	—
`IsLoopback` UInt32	—
`ChannelStatus` UInt32	—
`Status` UInt32	— NTSTATUS reference

Event ID 1335 — UDP: Endpoint UdpEndpoint query notification channel status request.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: UdpQueryNotificationChannelStatusRequest

Description

UDP: Endpoint UdpEndpoint query notification channel status request. NcmContext = NcmContext, Endpoint State = Activated, PID = Pid, Channel Status = ChannelStatus, Status = Status.

Message #

UDP: Endpoint %1 query notification channel status request. NcmContext = %2, Endpoint State = %3, PID = %4, Channel Status = %6, Status = %7.

Fields #

Name	Description
`UdpEndpoint` Pointer	—
`NcmContext` Pointer	—
`Activated` UInt32	—
`Pid` UInt32	—
`IsLoopback` UInt32	—
`ChannelStatus` UInt32	—
`Status` UInt32	— NTSTATUS reference

Event ID 1336 — UDP: Endpoint UdpEndpoint notification channel request processed.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: UdpCreateNotificationChannelRequestProcessed

Description

UDP: Endpoint UdpEndpoint notification channel request processed. NcmContext = NcmContext, PID = Pid, Status = Status PushNotificationId = PushNotificationGuid.

Message #

UDP: Endpoint %1 notification channel request processed. NcmContext = %2, PID = %3, Status = %4 PushNotificationId = %5.

Fields #

Name	Description
`UdpEndpoint` Pointer	—
`NcmContext` Pointer	—
`Pid` UInt32	—
`Status` UInt32	— NTSTATUS reference
`PushNotificationGuid` GUID	—

Event ID 1337 — UDP: Endpoint UdpEndpoint notification channel signal event.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: UdpSignalNotificationChannelEvent

Description

UDP: Endpoint UdpEndpoint notification channel signal event. NcmContext = NcmContext, PID = Pid, Delivered Data = Delivered FinalEvent = FinalEvent.

Message #

UDP: Endpoint %1 notification channel signal event. NcmContext = %2, PID = %3, Delivered Data = %4 FinalEvent = %5.

Fields #

Name	Description
`UdpEndpoint` Pointer	—
`NcmContext` Pointer	—
`Pid` UInt32	—
`Delivered` UInt32	—
`FinalEvent` UInt32	—

Event ID 1338 — UDP: Endpoint UdpEndpoint notification channel detached.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: UdpDetachNotificationChannel

Description

UDP: Endpoint UdpEndpoint notification channel detached. NcmContext = NcmContext, Endpoint State = Activated.

Message #

UDP: Endpoint %1 notification channel detached. NcmContext = %2, Endpoint State = %3.

Fields #

Name	Description
`UdpEndpoint` Pointer	—
`NcmContext` Pointer	—
`Activated` UInt32	—
`Pid` UInt32	—
`IsLoopback` UInt32	—
`ChannelStatus` UInt32	—
`Status` UInt32	— NTSTATUS reference

Event ID 1339 — UDP: Endpoint UdpEndpoint notification channel unlinked.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: UdpUnlinkNotificationChannel

Description

UDP: Endpoint UdpEndpoint notification channel unlinked. Endpoint State = Activated.

Message #

UDP: Endpoint %1 notification channel unlinked. Endpoint State = %3.

Fields #

Name	Description
`UdpEndpoint` Pointer	—
`NcmContext` Pointer	—
`Activated` UInt32	—
`Pid` UInt32	—
`IsLoopback` UInt32	—
`ChannelStatus` UInt32	—
`Status` UInt32	— NTSTATUS reference

Event ID 1340 — UDP: Endpoint UdpEndpoint notification channel request processing.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: UdpCreateNotificationChannelRequestProcessing

Description

UDP: Endpoint UdpEndpoint notification channel request processing. Local IP address = LocalIPv4Address IPProtocol LocalIPv6Address, Local Port = SrcPort.

Message #

UDP: Endpoint %1 notification channel request processing. Local IP address = %3 %5 %4, Local Port = %6.

Fields #

Name	Description
`UdpEndpoint` Pointer	—
`IpAddrLength` UInt32	—
`LocalIPv4Address` UInt32	—
`LocalIPv6Address` Binary	—
`IPProtocol` UInt32	—
`SrcPort` UInt16	—

Event ID 1341 — TCP: connection Tcb: Rtt sample recorded RttSample SRTT SRTT RttVar RttVar.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Verbose
Task: TcpDataTransferRttSample

Description

TCP: connection Tcb: Rtt sample recorded RttSample SRTT SRTT RttVar RttVar.

Message #

TCP: connection %1:  Rtt sample recorded %2 SRTT %4 RttVar %3.

Fields #

Name	Description
`Tcb` Pointer	—
`RttSample` UInt32	—
`RttVar` UInt32	—
`SRTT` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1341",
    "version": "0",
    "level": "5",
    "task": "1070",
    "opcode": "0",
    "keywords": 9223372041149743104,
    "time_created": "2026-03-16T00:21:34.390489700+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{1018b560-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "4248",
      "thread_id": "4684"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A1018B560",
    "RttSample": "    1632",
    "RttVar": "     544",
    "SRTT": "    1626"
  },
  "message": ""
}

Event ID 1342 — TCP: connection Tcb: Rtt resiliency detection complete with Rtt sample = RttSample and new SRTT = SRTT.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpRttResiliencyDetection

Description

TCP: connection Tcb: Rtt resiliency detection complete with Rtt sample = RttSample and new SRTT = SRTT.

Message #

TCP: connection %1: Rtt resiliency detection complete with Rtt sample = %2 and new SRTT = %4.

Fields #

Name	Description
`Tcb` Pointer	—
`RttSample` UInt32	—
`RttVar` UInt32	—
`SRTT` UInt32	—

Event ID 1343 — TCP: connection Tcb: Duplicate ACK updated cwnd = Cwnd and updated ssthresh = SSThresh DupAckCount = DupAckCount SndUna = SeqNo.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpDataTransferDupAck

Description

TCP: connection Tcb: Duplicate ACK updated cwnd = Cwnd and updated ssthresh = SSThresh DupAckCount = DupAckCount SndUna = SeqNo.

Message #

TCP: connection %1: Duplicate ACK updated cwnd = %2 and updated ssthresh = %3 DupAckCount = %4 SndUna = %5.

Fields #

Name	Description
`Tcb` Pointer	—
`Cwnd` UInt32	—
`SSThresh` UInt32	—
`DupAckCount` UInt32	—
`SeqNo` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1343",
    "version": "0",
    "level": "4",
    "task": "1072",
    "opcode": "0",
    "keywords": 9223372045444710400,
    "time_created": "2026-03-16T00:21:40.488225900+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{15ce6ae0-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A15CE6AE0",
    "Cwnd": "   16734",
    "SSThresh": "4294967295",
    "DupAckCount": "       1",
    "SeqNo": "155002622"
  },
  "message": ""
}

Event ID 1344 — TCP: CTCP Duplicate Ack event.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpCtcpDataTransferDupAck

Description

TCP: CTCP Duplicate Ack event. Connection Tcb, SndUna = SeqNo, CWnd = Cwnd, DupAckCount = DupAckCount.

Message #

TCP: CTCP Duplicate Ack event. Connection %1, SndUna = %5, CWnd = %2, DupAckCount = %4.

Fields #

Name	Description
`Tcb` Pointer	—
`Cwnd` UInt32	—
`SSThresh` UInt32	—
`DupAckCount` UInt32	—
`SeqNo` UInt32	—

Event ID 1345 — TCP: connection Tcb: Spurious timeout at Seq = SeqNo.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpDataTransferSpuriousTimeout

Description

TCP: connection Tcb: Spurious timeout at Seq = SeqNo.

Message #

TCP: connection %1: Spurious timeout at Seq = %2.

Fields #

Name	Description
`Tcb` Pointer	—
`SeqNo` UInt32	—

Event ID 1346 — TCP: connection Tcb spurious RTO detection initiated at SeqNo.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpSpuriousRtoDetectionBegin

Description

TCP: connection Tcb spurious RTO detection initiated at SeqNo.

Message #

TCP: connection %1 spurious RTO detection initiated at %2.

Fields #

Name	Description
`Tcb` Pointer	—
`SeqNo` UInt32	—

Event ID 1347 — TCP: connection Tcb spurious RTO detection terminated at SeqNo.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpSpuriousRtoDetectionEnd

Description

TCP: connection Tcb spurious RTO detection terminated at SeqNo.

Message #

TCP: connection %1 spurious RTO detection terminated at %2.

Fields #

Name	Description
`Tcb` Pointer	—
`SeqNo` UInt32	—

Event ID 1348 — TCP: CTCP DataTransferTimeout event.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpCtcpDataTransferTimeout

Description

TCP: CTCP DataTransferTimeout event. Connection Tcb, CWnd = Cwnd, SsThresh = SSThresh.

Message #

TCP: CTCP DataTransferTimeout event. Connection %1, CWnd = %2, SsThresh = %3.

Fields #

Name	Description
`Tcb` Pointer	—
`Cwnd` UInt32	—
`SSThresh` UInt32	—

Event ID 1349 — TCP: CTCP Spurious timeout event.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpCtcpDataTransferSpuriousTimeout

Description

TCP: CTCP Spurious timeout event. Connection Tcb, CWnd = Cwnd, SsThresh = SSThresh.

Message #

TCP: CTCP Spurious timeout event. Connection %1, CWnd = %2, SsThresh = %3.

Fields #

Name	Description
`Tcb` Pointer	—
`Cwnd` UInt32	—
`SSThresh` UInt32	—

Event ID 1350 — TCP: connection Tcb entering Congestion Avoidance Phase with cwnd = Cwnd and ssthresh = SSThresh.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpSlowStartToCongestionAvoidance

Description

TCP: connection Tcb entering Congestion Avoidance Phase with cwnd = Cwnd and ssthresh = SSThresh.

Message #

TCP: connection %1 entering Congestion Avoidance Phase with cwnd = %2 and ssthresh = %3.

Fields #

Name	Description
`Tcb` Pointer	—
`Cwnd` UInt32	—
`SSThresh` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1350",
    "version": "0",
    "level": "4",
    "task": "1082",
    "opcode": "0",
    "keywords": 9223372045444710528,
    "time_created": "2026-03-15T23:27:12.440659500+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{fd182260-d78f-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFFD78FFD182260",
    "Cwnd": "   15414",
    "SSThresh": "   15414"
  },
  "message": ""
}

Event ID 1351 — TCP: connection Tcb: Send Retransmit round with SndUna = SndUna, Round = RexmitCount, SRTT = SRTT, RTO = RTO.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpDataTransferRetransmitRound

Description

TCP: connection Tcb: Send Retransmit round with SndUna = SndUna, Round = RexmitCount, SRTT = SRTT, RTO = RTO.

Message #

TCP: connection %1: Send Retransmit round with SndUna = %2, Round = %3, SRTT = %4, RTO = %5.

Fields #

Name	Description
`Tcb` Pointer	—
`SndUna` UInt32	—
`RexmitCount` UInt32	—
`SRTT` UInt32	—
`RTO` UInt32	—
`SndMax` UInt32	—
`RecoveryMax` UInt32	—
`TcpState` UInt32	—
`CongestionState` UInt32	—
`Frto` UInt32	—
`TotalRT` UInt32	—
`MaxRT` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1351",
    "version": "0",
    "level": "4",
    "task": "1077",
    "opcode": "0",
    "keywords": 9223372041149743232,
    "time_created": "2026-03-15T23:31:42.716273800+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{f9ca95f0-d78f-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFFD78FF9CA95F0",
    "SndUna": "2098991634",
    "RexmitCount": "       1",
    "SRTT": "    3000",
    "RTO": "    2000"
  },
  "message": ""
}

Event ID 1352 — TCP: Connection Tcb Summary: DataBytesOut DataBytesOut DataBytesIn DataBytesIn DataSegmentsOut DataSegmentsOut DataSegmentsIn DataSegmentsIn SegmentsOut SegmentsOut SegmentsIn SegmentsIn NonRecovDa...

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpConnectionSummary
Opcode: Info

Message #

TCP: Connection %1 Summary: DataBytesOut %2 DataBytesIn %3 DataSegmentsOut %4 DataSegmentsIn %5 SegmentsOut %6 SegmentsIn %7 NonRecovDa \   %8 NonRecovDaEpisodes %9 DupAcksIn %10 BytesRetrans %11 Timeouts %12 SpuriousRtoDetections %13 FastRetran %14 MaxSsthresh %15 MaxSsCwnd %16 \   MaxCaCwnd %17 SndLimTransRwin %18 SndLimTimeRwin %19 SndLimBytesRwin %20 SndLimTransCwnd %21 SndLimTimeCwnd %22 SndLimBytesCwnd %23 \   SndLimTransSnd %24 SndLimTimeSnd %25 SndLimBytesSnd %26.

Fields #

Name	Description
`Tcb` Pointer	—
`DataBytesOut` UInt64	—
`DataBytesIn` UInt64	—
`DataSegmentsOut` UInt64	—
`DataSegmentsIn` UInt64	—
`SegmentsOut` UInt64	—
`SegmentsIn` UInt64	—
`NonRecovDa` UInt32	—
`NonRecovDaEpisodes` UInt32	—
`DupAcksIn` UInt32	—
`BytesRetrans` UInt32	—
`Timeouts` UInt32	—
`SpuriousRtoDetections` UInt32	—
`FastRetran` UInt32	—
`MaxSsthresh` UInt32	—
`MaxSsCwnd` UInt32	—
`MaxCaCwnd` UInt32	—
`SndLimTransRwin` UInt32	—
`SndLimTimeRwin` UInt32	—
`SndLimBytesRwin` UInt64	—
`SndLimTransCwnd` UInt32	—
`SndLimTimeCwnd` UInt32	—
`SndLimBytesCwnd` UInt64	—
`SndLimTransSnd` UInt32	—
`SndLimTimeRSnd` UInt32	—
`SndLimBytesRSnd` UInt64	—

Event ID 1353 — TCPIP: Message AllocationObjectString Param1 Param2 Param3 Param4.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipGeneric

Description

TCPIP: Message AllocationObjectString Param1 Param2 Param3 Param4.

Message #

TCPIP: Message %1 %2 %3 %4 %5.

Fields #

Name	Description
`AllocationObjectString` UnicodeString	—
`Param1` Pointer	—
`Param2` Pointer	—
`Param3` UInt32	—
`Param4` UInt32	—

Event ID 1354 — TCP: Connection Tcb SACK updated SndUna SndUna SndMax SndMax SackCount SackCount SackBytes SackBytes SackInFlight SackInFlight SackIsLost SackIsLost.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpSackUpdate

Description

TCP: Connection Tcb SACK updated SndUna SndUna SndMax SndMax SackCount SackCount SackBytes SackBytes SackInFlight SackInFlight SackIsLost SackIsLost.

Message #

TCP: Connection %1 SACK updated SndUna %2 SndMax %3 SackCount %4 SackBytes %5 SackInFlight %6 SackIsLost %7.

Fields #

Name	Description
`Tcb` Pointer	—
`SndUna` UInt32	—
`SndMax` UInt32	—
`SackCount` UInt32	—
`SackBytes` UInt32	—
`SackInFlight` UInt32	—
`SackIsLost` UInt32	—

Event ID 1355 — TCP: TCB Tcb Requires address based pattern = RequireAddressCoalescing LocalPort = LocalPort RtcPortRange = [RtcStartPort, RtcEndPort] Status = Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpIsPatternCoalescingRequired

Description

TCP: TCB Tcb Requires address based pattern = RequireAddressCoalescing LocalPort = LocalPort RtcPortRange = [RtcStartPort, RtcEndPort] Status = Status.

Message #

TCP: TCB %1 Requires address based pattern = %2 LocalPort = %3 RtcPortRange = [%4, %5] Status = %6.

Fields #

Name	Description
`Tcb` Pointer	—
`RequireAddressCoalescing` UInt32	—
`LocalPort` UInt16	—
`RtcStartPort` UInt16	—
`RtcEndPort` UInt16	—
`Status` UInt32	— NTSTATUS reference

Event ID 1356 — TCP: Rtc Port Range Assignment.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpRtcPortRangeAssignment

Description

TCP: Rtc Port Range Assignment. Allocated = AssignedFromRtcRange, Port = Port.

Message #

TCP: Rtc Port Range Assignment. Allocated = %1, Port = %2.

Fields #

Name	Description
`AssignedFromRtcRange` UInt32	—
`Port` UInt16	—

Event ID 1357 — TCPIP has failed a RequestType request from LocalAddress to RemoteAddress on endpoint TcbOrEndpoint owned by process ProcessId with Status since network interface InterfaceIndex is in low-power mode.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipAoacFailFast

Description

TCPIP has failed a RequestType request from LocalAddress to RemoteAddress on endpoint TcbOrEndpoint owned by process ProcessId with Status since network interface InterfaceIndex is in low-power mode.

Message #

TCPIP has failed a %1 request from %4 to %6 on endpoint %2 owned by process %8 with %7 since network interface %9 is in low-power mode.

Fields #

Name	Description
`RequestType` UInt32	—
`TcbOrEndpoint` Pointer	—
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`Status` UInt32	— NTSTATUS reference
`ProcessId` UInt32	—
`InterfaceIndex` UInt32	—
`ProcessStartKey` UInt64	—

Event ID 1358 — IP: Interface configuration updated on interface InterfaceIndex property Property value Value event InterfaceUpdateEvent.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipUpdateInterfaceConfigFlags

Description

IP: Interface configuration updated on interface InterfaceIndex property Property value Value event InterfaceUpdateEvent.

Message #

IP: Interface configuration updated on interface %1 property %2 value %3 event %4.

Fields #

Name	Description
`InterfaceIndex` UInt32	—
`Property` AnsiString	—
`Value` UInt32	—
`InterfaceUpdateEvent` UInt32	—
`CompartmentId` UInt32	—
`AddressFamily` UInt32	—

Event ID 1359 — TCP: Connection Tcb notification channel unmark request.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpCreateNotificationChannelUnmarkRequest

Description

TCP: Connection Tcb notification channel unmark request. NcmContext = NcmContext, TCB State = State, PID = Pid, IsLoopback = IsLoopback, IsShutdown = IsShutdown, Status = Status.

Message #

TCP: Connection %1 notification channel unmark request. NcmContext = %2, TCB State = %3, PID = %4, IsLoopback = %5, IsShutdown = %6, Status = %7.

Fields #

Name	Description
`Tcb` Pointer	—
`NcmContext` Pointer	—
`State` UInt32	—
`Pid` UInt32	—
`IsLoopback` UInt32	—
`IsShutdown` UInt32	—
`Status` UInt32	— NTSTATUS reference

Event ID 1360 — TCPIP: A packet has been cloned for a raw listener.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipNblClonedForRaw

Description

TCPIP: A packet has been cloned for a raw listener. NBL ClonedNbl cloned from NBL Nbl. Protocol = IPTransportProtocol, Family = AddressFamily.

Message #

TCPIP: A packet has been cloned for a raw listener. NBL %2 cloned from NBL %1. Protocol = %3, Family = %4.

Fields #

Name	Description
`Nbl` Pointer	—
`ClonedNbl` Pointer	—
`IPTransportProtocol` UInt32	—
`AddressFamily` UInt32	—

Event ID 1361 — TCPIP: A cloned packet has been dropped.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipCloneDropped

Description

TCPIP: A cloned packet has been dropped. NBL ClonedNbl cloned from NBL Nbl. Family = AddressFamily.

Message #

TCPIP: A cloned packet has been dropped. NBL %2 cloned from NBL %1. Family = %3.

Fields #

Name	Description
`Nbl` Pointer	—
`ClonedNbl` Pointer	—
`AddressFamily` UInt32	—

Event ID 1362 — IP: Interface = Interface IpAddress = IPAddress processing WolEvent = WoLEvent with Status = Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpAddressWolStateChange

Description

IP: Interface = Interface IpAddress = IPAddress processing WolEvent = WoLEvent with Status = Status.

Message #

IP: Interface = %1 IpAddress = %3 processing WolEvent = %4 with Status = %5.

Fields #

Name	Description
`Interface` UInt32	—
`IpAddrLength` UInt32	—
`IPAddress` Binary	—
`WoLEvent` UInt32	—
`Status` UInt32	— NTSTATUS reference

Event ID 1363 — IP: Interface = Interface WolHandle = WolHandle has DestinationIpAddress = DestinationIPAddress TargetIpAddress1 = TargetIPAddress1 TargetIpAddress2 = TargetIPAddress2 Flags = Flags while processin...

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpWolContextChange

Description

IP: Interface = Interface WolHandle = WolHandle has DestinationIpAddress = DestinationIPAddress TargetIpAddress1 = TargetIPAddress1 TargetIpAddress2 = TargetIPAddress2 Flags = Flags while processing WolEvent = WoLEvent with Status = Status.

Message #

IP: Interface = %1 WolHandle = %3 has DestinationIpAddress = %4 TargetIpAddress1 = %5 TargetIpAddress2 = %6 Flags = %7 while processing WolEvent = %8 with Status = %9.

Fields #

Name	Description
`Interface` UInt32	—
`IpAddrLength` UInt32	—
`WolHandle` UInt32	—
`DestinationIPAddress` Binary	—
`TargetIPAddress1` Binary	—
`TargetIPAddress2` Binary	—
`Flags` UInt32	—
`WoLEvent` UInt32	—
`Status` UInt32	— NTSTATUS reference

Event ID 1364 — TCP connection tuple inserted- TCB: Tcb LocalAddress: LocalAddress RemoteAddress: RemoteAddress.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpInsertConnectionTuple

Description

TCP connection tuple inserted- TCB: Tcb LocalAddress: LocalAddress RemoteAddress: RemoteAddress.

Message #

TCP connection tuple inserted- TCB: %1 LocalAddress: %3 RemoteAddress: %5

Fields #

Name	Description
`Tcb` Pointer	—
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`NewState` UInt32	—
`RexmitCount` UInt32	—

Event ID 1365 — TCP connection tuple removed- TCB/TWTCB: Tcb LocalAddress: LocalAddress RemoteAddress: RemoteAddress.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpRemoveConnectionTuple

Description

TCP connection tuple removed- TCB/TWTCB: Tcb LocalAddress: LocalAddress RemoteAddress: RemoteAddress.

Message #

TCP connection tuple removed- TCB/TWTCB: %1 LocalAddress: %3 RemoteAddress: %5

Fields #

Name	Description
`Tcb` Pointer	—
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`NewState` UInt32	—
`RexmitCount` UInt32	—

Event ID 1366 — TCP port selection deferred for outbound connect- LocalAddress: LocalAddress.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpDeferPortSelection

Description

TCP port selection deferred for outbound connect- LocalAddress: LocalAddress.

Message #

TCP port selection deferred for outbound connect- LocalAddress: %2

Fields #

Name	Description
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`Status` UInt32	— NTSTATUS reference

Event ID 1367 — Nbl Nbl OOB info (PathDirection): TcpIpChecksumNetBufferListInfo TcpIpChecksumNetBufferListInfo, TcpLargeSendNetBufferListInfo TcpLargeSendNetBufferListInfo, Ieee8021QNetBufferListInfo Ieee8021QNet...

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: 17
Task: TcpipNblOob
Opcode: Info

Message #

Nbl %1 OOB info (%2): TcpIpChecksumNetBufferListInfo %3, TcpLargeSendNetBufferListInfo %4, Ieee8021QNetBufferListInfo %5, NetBufferListHashValue %6, NetBufferListHashInfo %7, VirtualSubnetInfo %8, TcpRecvSegCoalesceInfo %9

Fields #

Name	Description
`Nbl` Pointer	—
`PathDirection` UInt32	—
`TcpIpChecksumNetBufferListInfo` Pointer	—
`TcpLargeSendNetBufferListInfo` Pointer	—
`Ieee8021QNetBufferListInfo` Pointer	—
`NetBufferListHashValue` Pointer	—
`NetBufferListHashInfo` Pointer	—
`VirtualSubnetInfo` Pointer	—
`TcpRecvSegCoalesceInfo` Pointer	—
`NrtNameResolutionInfo` Pointer	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1367",
    "version": "1",
    "level": "17",
    "task": "1367",
    "opcode": "0",
    "keywords": 9223372049739677696,
    "time_created": "2026-03-16T00:21:34.388895400+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}"
    },
    "execution": {
      "process_id": "4168",
      "thread_id": "6880"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Nbl": "0xFFFF980A11CCA4F0",
    "PathDirection": "       0",
    "TcpIpChecksumNetBufferListInfo": "0x220015",
    "TcpLargeSendNetBufferListInfo": "0x0",
    "Ieee8021QNetBufferListInfo": "0x0",
    "NetBufferListHashValue": "0xF92BBC40",
    "NetBufferListHashInfo": "0x0",
    "VirtualSubnetInfo": "0x0",
    "TcpRecvSegCoalesceInfo": "0x0",
    "NrtNameResolutionInfo": "0x0"
  },
  "message": ""
}

Event ID 1368 — Teredo Add -- PID: PID started listening on LocalAddress.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipTeredoOpen

Description

Teredo Add -- PID: PID started listening on LocalAddress. AddressType AddressType. ScopeLevel ScopeLevel. Port Port. EndpointRecord EndpointRecord.

Message #

Teredo Add -- PID: %1 started listening on %3. AddressType %4. ScopeLevel %5. Port %6. EndpointRecord %7.

Fields #

Name	Description
`PID` UInt64	—
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`AddressType` UInt32	—
`ScopeLevel` UInt32	—
`Port` UInt32	—
`EndpointRecord` Pointer	—

Event ID 1369 — Teredo Remove -- PID: PID stopped listening on LocalAddress.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipTeredoClose

Description

Teredo Remove -- PID: PID stopped listening on LocalAddress. AddressType AddressType. ScopeLevel ScopeLevel. Port Port. EndpointRecord EndpointRecord.

Message #

Teredo Remove -- PID: %1 stopped listening on %3. AddressType %4. ScopeLevel %5. Port %6. EndpointRecord %7.

Fields #

Name	Description
`PID` UInt64	—
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`AddressType` UInt32	—
`ScopeLevel` UInt32	—
`Port` UInt32	—
`EndpointRecord` Pointer	—

Event ID 1370 — IP: RouteLookup - API: API DstAddr: DestinationAddress ConstrainSrcAddr: ConstrainSourceAddress ConstrainIfIndex: ConstrainInterfaceIndex ConstraintOveridden: ConstraintOverridden ReturnConstrained...

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Verbose
Task: TcpipRouteLookup

Description

IP: RouteLookup - API: API DstAddr: DestinationAddress ConstrainSrcAddr: ConstrainSourceAddress ConstrainIfIndex: ConstrainInterfaceIndex ConstraintOveridden: ConstraintOverridden ReturnConstrained: ReturnConstrained OutgoingIfIndex: OutgoingInterfaceIndex NextHopAddr: NextHopAddress Status: Status.

Message #

IP: RouteLookup - API: %1 DstAddr: %3 ConstrainSrcAddr: %4 ConstrainIfIndex: %5 ConstraintOveridden: %6 ReturnConstrained: %7 OutgoingIfIndex: %8 NextHopAddr: %9 Status: %10

Fields #

Name	Description
`API` AnsiString	—
`IpAddrLength` UInt32	—
`DestinationAddress` Binary	—
`ConstrainSourceAddress` Binary	—
`ConstrainInterfaceIndex` UInt32	—
`ConstraintOverridden` UInt32	—
`ReturnConstrained` UInt32	—
`OutgoingInterfaceIndex` UInt32	—
`NextHopAddress` Binary	—
`Status` UInt32	— NTSTATUS reference
`ConstrainForwardingTag` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1370",
    "version": "0",
    "level": "5",
    "task": "1370",
    "opcode": "0",
    "keywords": 9223372036854775840,
    "time_created": "2026-03-15T23:26:13.698249300+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}"
    },
    "execution": {
      "process_id": "1868",
      "thread_id": "2740"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "API": "IppFindPath",
    "IpAddrLength": "      16",
    "DestinationAddress": "127.0.0.1",
    "ConstrainSourceAddress": "0.0.0.0",
    "ConstrainInterfaceIndex": "       0",
    "ConstraintOverridden": "       0",
    "ReturnConstrained": "       0",
    "OutgoingInterfaceIndex": "       1",
    "NextHopAddress": "127.0.0.1",
    "Status": "0x0"
  },
  "message": ""
}

Event ID 1371 — IP: SourceAddrLookup - DstAddr: DestinationAddress ConstrainSrcAddr: ConstrainSourceAddress ConstrainIfIndex: ConstrainInterfaceIndex OutgoingIfIndex: OutgoingInterfaceIndex ReturnConstrained: Retu...

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Verbose
Task: TcpipSrcAddrLookup

Description

IP: SourceAddrLookup - DstAddr: DestinationAddress ConstrainSrcAddr: ConstrainSourceAddress ConstrainIfIndex: ConstrainInterfaceIndex OutgoingIfIndex: OutgoingInterfaceIndex ReturnConstrained: ReturnConstrained SelectedSrcAddr: SelectedSourceAddress.

Message #

IP: SourceAddrLookup - DstAddr: %2 ConstrainSrcAddr: %3 ConstrainIfIndex: %4 OutgoingIfIndex: %5 ReturnConstrained: %6 SelectedSrcAddr: %7

Fields #

Name	Description
`IpAddrLength` UInt32	—
`DestinationAddress` Binary	—
`ConstrainSourceAddress` Binary	—
`ConstrainInterfaceIndex` UInt32	—
`OutgoingInterfaceIndex` UInt32	—
`ReturnConstrained` UInt32	—
`SelectedSourceAddress` Binary	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1371",
    "version": "0",
    "level": "5",
    "task": "1371",
    "opcode": "0",
    "keywords": 9223372036854775840,
    "time_created": "2026-03-16T00:21:40.067796000+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}"
    },
    "execution": {
      "process_id": "3688",
      "thread_id": "7552"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "IpAddrLength": "      16",
    "DestinationAddress": "0.0.0.0",
    "ConstrainSourceAddress": "0.0.0.0",
    "ConstrainInterfaceIndex": "       0",
    "OutgoingInterfaceIndex": "       6",
    "ReturnConstrained": "       0",
    "SelectedSourceAddress": "10.2.10.21"
  },
  "message": ""
}

Event ID 1372 — WFP-ALE: Partition Count=PartitionCount Partition Mask=PartitionMask: Partition Id=%d Partition NumEntries = NumEntries.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Partition

Description

WFP-ALE: Partition Count=PartitionCount Partition Mask=PartitionMask: Partition Id=%d Partition NumEntries = NumEntries.

Message #

WFP-ALE: Partition Count=%1 Partition Mask=%2: Partition Id=%d Partition NumEntries = %4.

Fields #

Name	Description
`PartitionCount` UInt64	—
`PartitionMask` UInt64	—
`PartitionId` UInt64	—
`NumEntries` UInt64	—

Event ID 1373 — WFP-ALE: HotAdd/Remove: Old Partiton Count=OldPartitionCount Old Partition Mask=OldPartitionMask New Partiton Count=OldPartitionCount New Partition Mask=OldPartitionMask.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Partition

Description

WFP-ALE: HotAdd/Remove: Old Partiton Count=OldPartitionCount Old Partition Mask=OldPartitionMask New Partiton Count=OldPartitionCount New Partition Mask=OldPartitionMask.

Message #

WFP-ALE: HotAdd/Remove: Old Partiton Count=%1 Old Partition Mask=%2 New Partiton Count=%1 New Partition Mask=%2.

Fields #

Name	Description
`OldPartitionCount` UInt64	—
`OldPartitionMask` UInt64	—
`NewPartitionCount` UInt64	—
`NewPartitionMask` UInt64	—

Event ID 1374 — WFP-ALE: RemoteEndPoint Insertion: AddrLen=AddressLength RemoteAddr=RemoteAddress RemotePort=RemotePort LocalAddr=LocalAddress LocalPort=LocalPort PartitionId=PartitionId PartitionNumEntries=NumEnt...

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: RemoteEndpoint

Description

WFP-ALE: RemoteEndPoint Insertion: AddrLen=AddressLength RemoteAddr=RemoteAddress RemotePort=RemotePort LocalAddr=LocalAddress LocalPort=LocalPort PartitionId=PartitionId PartitionNumEntries=NumEntries.

Message #

WFP-ALE: RemoteEndPoint Insertion: AddrLen=%1 RemoteAddr=%2 RemotePort=%3 LocalAddr=%4 LocalPort=%5 PartitionId=%6 PartitionNumEntries=%7

Fields #

Name	Description
`AddressLength` UInt32	—
`RemoteAddress` Binary	—
`RemotePort` UInt64	—
`LocalAddress` Binary	—
`LocalPort` UInt16	—
`PartitionId` UInt64	—
`NumEntries` UInt64	—

Event ID 1375 — WFP-ALE: RemoteEndPoint Deletion: AddrLen=AddressLength RemoteAddr=RemoteAddress RemotePort=RemotePort LocalAddr=LocalAddress LocalPort=LocalPort PartitionId=PartitionId PartitionNumEntries=NumEntr...

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: RemoteEndpoint

Description

WFP-ALE: RemoteEndPoint Deletion: AddrLen=AddressLength RemoteAddr=RemoteAddress RemotePort=RemotePort LocalAddr=LocalAddress LocalPort=LocalPort PartitionId=PartitionId PartitionNumEntries=NumEntries.

Message #

WFP-ALE: RemoteEndPoint Deletion: AddrLen=%1 RemoteAddr=%2 RemotePort=%3 LocalAddr=%4 LocalPort=%5 PartitionId=%6 PartitionNumEntries=%7

Fields #

Name	Description
`AddressLength` UInt32	—
`RemoteAddress` Binary	—
`RemotePort` UInt64	—
`LocalAddress` Binary	—
`LocalPort` UInt16	—
`PartitionId` UInt64	—
`NumEntries` UInt64	—

Event ID 1376 — WFP-ALE: ALE: low memory state detected.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Memory

Description

WFP-ALE: ALE: low memory state detected. LowMemoryEvent = LowMemoryEvent LowNonPagedPoolEvent = LowNonPagedPoolEvent.

Message #

WFP-ALE: ALE: low memory state detected. LowMemoryEvent = %3 LowNonPagedPoolEvent = %4.

Fields #

Name	Description
`HighMemoryEvent` UInt32	—
`HighNonPagedPoolEvent` UInt32	—
`LowMemoryEvent` UInt32	—
`LowNonPagedPoolEvent` UInt32	—

Event ID 1377 — WFP-ALE: leaving low memory state.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: Memory

Description

WFP-ALE: leaving low memory state. HighMemoryEvent = HighMemoryEvent HighNonPagedPoolEvent = HighNonPagedPoolEvent.

Message #

WFP-ALE: leaving low memory state. HighMemoryEvent = %1 HighNonPagedPoolEvent = %2.

Fields #

Name	Description
`HighMemoryEvent` UInt32	—
`HighNonPagedPoolEvent` UInt32	—
`LowMemoryEvent` UInt32	—
`LowNonPagedPoolEvent` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1377",
    "version": "0",
    "level": "4",
    "task": "1373",
    "opcode": "0",
    "keywords": 9223372036854841344,
    "time_created": "2026-03-15T23:26:23.462874700+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "HighMemoryEvent": "       1",
    "HighNonPagedPoolEvent": "       1",
    "LowMemoryEvent": "       0",
    "LowNonPagedPoolEvent": "       0"
  },
  "message": ""
}

Event ID 1378 — WFP-ALE: Dpc for cleanup initiated: LowMemoryEvent = LowMemoryEvent LowNonPagedPoolEvent = LowNonPagedPoolEvent.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Memory

Description

WFP-ALE: Dpc for cleanup initiated: LowMemoryEvent = LowMemoryEvent LowNonPagedPoolEvent = LowNonPagedPoolEvent.

Message #

WFP-ALE: Dpc for cleanup initiated: LowMemoryEvent = %3 LowNonPagedPoolEvent = %4.

Fields #

Name	Description
`HighMemoryEvent` UInt32	—
`HighNonPagedPoolEvent` UInt32	—
`LowMemoryEvent` UInt32	—
`LowNonPagedPoolEvent` UInt32	—

Event ID 1379 — WFP: Dpc for cleanup QUEUED or RE-QUEUED: LowMemoryEvent = LowMemoryEvent LowNonPagedPoolEvent = LowNonPagedPoolEvent.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Verbose
Task: Memory

Description

WFP: Dpc for cleanup QUEUED or RE-QUEUED: LowMemoryEvent = LowMemoryEvent LowNonPagedPoolEvent = LowNonPagedPoolEvent.

Message #

WFP: Dpc for cleanup QUEUED or RE-QUEUED: LowMemoryEvent = %3 LowNonPagedPoolEvent = %4.

Fields #

Name	Description
`HighMemoryEvent` UInt32	—
`HighNonPagedPoolEvent` UInt32	—
`LowMemoryEvent` UInt32	—
`LowNonPagedPoolEvent` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1379",
    "version": "0",
    "level": "5",
    "task": "1373",
    "opcode": "0",
    "keywords": 9223372036854841344,
    "time_created": "2026-03-16T00:21:40.078370400+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}"
    },
    "execution": {
      "process_id": "228",
      "thread_id": "8220"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "HighMemoryEvent": "       1",
    "HighNonPagedPoolEvent": "       1",
    "LowMemoryEvent": "       0",
    "LowNonPagedPoolEvent": "       0"
  },
  "message": ""
}

Event ID 1380 — TCP: LEDBAT LedbatEvent: Connection Tcb, BaseDelayMs = BaseDelayMs, CurrentDelayMs = CurrentDelayMs, CWnd = Cwnd, SsThresh = SsThresh, SndWnd = SndWnd, DelayBasedCwndFactor DelayBasedCwndFactorPerc...

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpLedbatState

Description

TCP: LEDBAT LedbatEvent: Connection Tcb, BaseDelayMs = BaseDelayMs, CurrentDelayMs = CurrentDelayMs, CWnd = Cwnd, SsThresh = SsThresh, SndWnd = SndWnd, DelayBasedCwndFactor DelayBasedCwndFactorPercent%, RemainingTimeMs = RemainingTimeMs.

Message #

TCP: LEDBAT %2: Connection %1, BaseDelayMs = %6, CurrentDelayMs = %7, CWnd = %3, SsThresh = %4, SndWnd = %5, DelayBasedCwndFactor %9%%, RemainingTimeMs = %8.

Fields #

Name	Description
`Tcb` Pointer	—
`LedbatEvent` UInt32	—
`Cwnd` UInt32	—
`SsThresh` UInt32	—
`SndWnd` UInt32	—
`BaseDelayMs` UInt16	—
`CurrentDelayMs` UInt16	—
`RemainingTimeMs` UInt32	—
`DelayBasedCwndFactorPercent` Int32	—

Event ID 1381 — TCP: AssociateNameResContext Endpoint: EndpointObj Status: %16 NameResolutionContext: IsConnectionObj DnsName: NameResContext InterfaceIndex: Status IPAddrCount: %5 IPAddrs: %7 %9 %11 %...

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpAssociateNameResContext

Description

TCP: AssociateNameResContext Endpoint: EndpointObj Status: %16 NameResolutionContext: IsConnectionObj DnsName: NameResContext InterfaceIndex: Status IPAddrCount: %5 IPAddrs: %7 %9 %11 %13 %15.

Message #

TCP: AssociateNameResContext Endpoint: %1 Status: %16 NameResolutionContext: %2 DnsName: %3 InterfaceIndex: %4 IPAddrCount: %5 IPAddrs: %7 %9 %11 %13 %15

Fields #

Name	Description
`EndpointObj` Pointer	—
`IsConnectionObj` UInt32	—
`NameResContext` Pointer	—
`Status` UInt32	— NTSTATUS reference

Event ID 1382 — TCP: InspectConnectWithNameResContext Connection: Tcb (local: LocalAddress remote: RemoteAddress) NameResolutionContext: NameResContext DnsName: DnsName Status: Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpInspectConnectWithNameResContext

Description

TCP: InspectConnectWithNameResContext Connection: Tcb (local: LocalAddress remote: RemoteAddress) NameResolutionContext: NameResContext DnsName: DnsName Status: Status.

Message #

TCP: InspectConnectWithNameResContext Connection: %5 (local: %2 remote: %4) NameResolutionContext: %6 DnsName: %7 Status: %8.

Fields #

Name	Description
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`Tcb` Pointer	—
`NameResContext` Pointer	—
`DnsName` UnicodeString	—
`Status` UInt32	— NTSTATUS reference

Event ID 1383 — IP: Route [DestinationPrefix: PrDestinationPrefix/PrDestinationPrefixLength NextHop: PrNextHopAddress InterfaceIndex: PrInterfaceIndex InterfaceMetric: PrInterfaceMetric RouteMetric: PrRouteMetric]...

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpRouteSelection

Message #

IP: Route [DestinationPrefix: %6/%4 NextHop: %8 InterfaceIndex: %9 InterfaceMetric: %10 RouteMetric: %11] is preferred over Route [DestinationPrefix: %14/%12 NextHop: %16 InterfaceIndex: %17 InterfaceMetric: %18 RouteMetric: %19] for Destination: %3 in Compartment: %1, Reason: %20.

Fields #

Name	Description
`CompartmentId` UInt32	—
`DestinationAddressLength` UInt32	—
`DestinationAddress` Binary	—
`PrDestinationPrefixLength` UInt32	—
`PrDestinationPrefixAddressLength` UInt32	—
`PrDestinationPrefix` Binary	—
`PrNextHopAddressLength` UInt32	—
`PrNextHopAddress` Binary	—
`PrInterfaceIndex` UInt32	—
`PrInterfaceMetric` UInt32	—
`PrRouteMetric` UInt32	—
`NonPrDestinationPrefixLength` UInt32	—
`NonPrDestinationPrefixAddressLength` UInt32	—
`NonPrDestinationPrefix` Binary	—
`NonPrNextHopAddressLength` UInt32	—
`NonPrNextHopAddress` Binary	—
`NonPrInterfaceIndex` UInt32	—
`NonPrInterfaceMetric` UInt32	—
`NonPrRouteMetric` UInt32	—
`PreferenceReason` UInt32	—

Event ID 1384 — IP: Route [DestinationPrefix: DestinationPrefix/DestinationPrefixLength NextHop: NextHopAddress InterfaceIndex: InterfaceIndex RouteMetric: RouteMetric] is blocked for Destination: DestinationAddre...

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpRouteBlocked

Description

IP: Route [DestinationPrefix: / NextHop: InterfaceIndex: RouteMetric: ] is blocked for Destination: ConstrainInterfaceIndex: ConstrainScopeZone: in Compartment: , Reason: .

Message #

IP: Route [DestinationPrefix: %6/%4 NextHop: %8 InterfaceIndex: %9 RouteMetric: %10] is blocked for Destination: %3 ConstrainInterfaceIndex: %11 ConstrainScopeZone: %12 in Compartment: %1, Reason: %13.

Fields #

Name	Description
`CompartmentId` UInt32	—
`DestinationAddressLength` UInt32	—
`DestinationAddress` Binary	—
`DestinationPrefixLength` UInt32	—
`DestinationPrefixAddressLength` UInt32	—
`DestinationPrefix` Binary	—
`NextHopAddressLength` UInt32	—
`NextHopAddress` Binary	—
`InterfaceIndex` UInt32	—
`RouteMetric` UInt32	—
`ConstrainInterfaceIndex` UInt32	—
`ConstrainScope` UInt32	—
`BlockReason` UInt32	—

Event ID 1385 — TCP: Tail Loss Probe Send Connection = Tcb SndUna = SndUna, SndMax = SndMax, SendAvailable = SendAvailable, TailProbeSeq = TailProbeSeq, TailProbeLast = TailProbeLast, ControlsToSend = ControlsToSe...

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpTailLossProbe

Description

TCP: Tail Loss Probe Send Connection = Tcb SndUna = SndUna, SndMax = SndMax, SendAvailable = SendAvailable, TailProbeSeq = TailProbeSeq, TailProbeLast = TailProbeLast, ControlsToSend = ControlsToSend, ThFlags = ThFlags.

Message #

TCP: Tail Loss Probe Send Connection = %1 SndUna = %2, SndMax = %3, SendAvailable = %4, TailProbeSeq = %5, TailProbeLast = %6, ControlsToSend = %7, ThFlags = %8.

Fields #

Name	Description
`Tcb` Pointer	—
`SndUna` UInt32	—
`SndMax` UInt32	—
`SendAvailable` UInt32	—
`TailProbeSeq` UInt32	—
`TailProbeLast` UInt32	—
`ControlsToSend` UInt32	—
`ThFlags` UInt8	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1385",
    "version": "0",
    "level": "4",
    "task": "1380",
    "opcode": "0",
    "keywords": 9223372041149743104,
    "time_created": "2026-03-16T00:21:40.721122900+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{1018b560-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A1018B560",
    "SndUna": "2308839694",
    "SndMax": "2308842691",
    "SendAvailable": "    2997",
    "TailProbeSeq": "2308841231",
    "TailProbeLast": "2308842691",
    "ControlsToSend": "       0",
    "ThFlags": "16"
  },
  "message": ""
}

Event ID 1386 — TCP: Tail Loss Probe Event Connection = Tcb, Event = TlpEvent.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpTailLossProbe

Description

TCP: Tail Loss Probe Event Connection = Tcb, Event = TlpEvent.

Message #

TCP: Tail Loss Probe Event Connection = %1, Event = %2.

Fields #

Name	Description
`Tcb` Pointer	—
`TlpEvent` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1386",
    "version": "0",
    "level": "4",
    "task": "1380",
    "opcode": "0",
    "keywords": 9223372041149743104,
    "time_created": "2026-03-16T00:21:34.388823900+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{1018b560-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "4168",
      "thread_id": "6880"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A1018B560",
    "TlpEvent": "       1"
  },
  "message": ""
}

Event ID 1387 — TCP: RACK Event Connection = Tcb, Event = RackEvent, MinRTT = RackMinRtt, ReoWind = RackReoWind, TimeSlotDeltaMin = RackTimeSlotDeltaMin, SeqNum = SequenceNumber, Timestamp = Timestamp, RttSample =...

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpRack

Description

TCP: RACK Event Connection = Tcb, Event = RackEvent, MinRTT = RackMinRtt, ReoWind = RackReoWind, TimeSlotDeltaMin = RackTimeSlotDeltaMin, SeqNum = SequenceNumber, Timestamp = Timestamp, RttSample = RttSample.

Message #

TCP: RACK Event Connection = %1, Event = %2, MinRTT = %3, ReoWind = %4, TimeSlotDeltaMin = %5, SeqNum = %6, Timestamp = %7, RttSample = %8.

Fields #

Name	Description
`Tcb` Pointer	—
`RackEvent` UInt32	—
`RackMinRtt` UInt32	—
`RackReoWind` UInt32	—
`RackTimeSlotDeltaMin` UInt32	—
`SequenceNumber` UInt32	—
`Timestamp` UInt32	—
`RttSample` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1387",
    "version": "0",
    "level": "4",
    "task": "1381",
    "opcode": "0",
    "keywords": 9223372041149743104,
    "time_created": "2026-03-15T23:26:14.411027300+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{f6654220-d78f-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "10828",
      "thread_id": "9684"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFFD78FF6654220",
    "RackEvent": "       1",
    "RackMinRtt": "     751",
    "RackReoWind": "       0",
    "RackTimeSlotDeltaMin": "       0",
    "SequenceNumber": "2723729970",
    "Timestamp": "4090263552",
    "RttSample": "     751"
  },
  "message": ""
}

Event ID 1388 — TCP: Fastopen state changed for connection = Tcb from OldState = OldState to NewState = NewState.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpFastopenStateChange

Description

TCP: Fastopen state changed for connection = Tcb from OldState = OldState to NewState = NewState.

Message #

TCP: Fastopen state changed for connection = %1 from OldState = %2 to NewState = %3.

Fields #

Name	Description
`Tcb` Pointer	—
`OldState` UInt32	—
`NewState` UInt32	—

Event ID 1389 — UDP: endpoint (family=AddressFamily pid=ProcessId) create failed: address family not attached.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: UdpCreateEndpointAfFailure

Description

UDP: endpoint (family=AddressFamily pid=ProcessId) create failed: address family not attached.

Message #

UDP: endpoint (family=%5 pid=%3) create failed: address family not attached.

Fields #

Name	Description
`Endpoint` Pointer	—
`Status` UInt32	— NTSTATUS reference
`ProcessId` UInt32	—
`CompartmentId` UInt32	—
`AddressFamily` UInt32	—
`ProcessStartKey` UInt64	—

Event ID 1390 — UDP: endpoint Endpoint (family=AddressFamily pid=ProcessId) create failed: compartment CompartmentId not found.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: UdpCreateEndpointCompartmentFailure

Description

UDP: endpoint Endpoint (family=AddressFamily pid=ProcessId) create failed: compartment CompartmentId not found.

Message #

UDP: endpoint %1 (family=%5 pid=%3) create failed: compartment %4 not found.

Fields #

Name	Description
`Endpoint` Pointer	—
`Status` UInt32	— NTSTATUS reference
`ProcessId` UInt32	—
`CompartmentId` UInt32	—
`AddressFamily` UInt32	—
`ProcessStartKey` UInt64	—

Event ID 1391 — UDP: endpoint Endpoint (family=AddressFamily pid=ProcessId) created.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: UdpCreateEndpointComplete

Description

UDP: endpoint Endpoint (family=AddressFamily pid=ProcessId) created.

Message #

UDP: endpoint %1 (family=%5 pid=%3) created.

Fields #

Name	Description
`Endpoint` Pointer	—
`Status` UInt32	— NTSTATUS reference
`ProcessId` UInt32	—
`CompartmentId` UInt32	—
`AddressFamily` UInt32	—
`ProcessStartKey` UInt64	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1391",
    "version": "1",
    "level": "4",
    "task": "1385",
    "opcode": "0",
    "keywords": 9223372036854776833,
    "time_created": "2026-03-16T00:21:40.077667700+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{11735e80-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "228",
      "thread_id": "8220"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Endpoint": "0xFFFF980A11735E80",
    "Status": "0x0",
    "ProcessId": "     228",
    "CompartmentId": "       1",
    "AddressFamily": "      23",
    "ProcessStartKey": "2814749767106594"
  },
  "message": ""
}

Event ID 1392 — UDP: endpoint Endpoint (family=AddressFamily pid=ProcessId) create failed: inspection status = Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: UdpCreateEndpointInspectionFailure

Description

UDP: endpoint Endpoint (family=AddressFamily pid=ProcessId) create failed: inspection status = Status.

Message #

UDP: endpoint %1 (family=%5 pid=%3) create failed: inspection status = %2

Fields #

Name	Description
`Endpoint` Pointer	—
`Status` UInt32	— NTSTATUS reference
`ProcessId` UInt32	—
`CompartmentId` UInt32	—
`AddressFamily` UInt32	—
`ProcessStartKey` UInt64	—

Event ID 1393 — UDP: endpoint Endpoint bind failed: address LocalAddress cannot be resolved, status = Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: UdpBindEndpointResolutionFailure

Description

UDP: endpoint Endpoint bind failed: address LocalAddress cannot be resolved, status = Status.

Message #

UDP: endpoint %4 bind failed: address %2 cannot be resolved, status = %3

Fields #

Name	Description
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`Status` UInt32	— NTSTATUS reference
`Endpoint` Pointer	—

Event ID 1394 — UDP: endpoint Endpoint (sockaddr=LocalAddress) bind failed: port-acquisition status = Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: UdpBindEndpointPortFailure

Description

UDP: endpoint Endpoint (sockaddr=LocalAddress) bind failed: port-acquisition status = Status.

Message #

UDP: endpoint %4 (sockaddr=%2) bind failed: port-acquisition status = %3

Fields #

Name	Description
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`Status` UInt32	— NTSTATUS reference
`Endpoint` Pointer	—

Event ID 1395 — UDP: endpoint Endpoint (sockaddr=LocalAddress) bind failed: inspection status = Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: UdpBindEndpointInspectionFailure

Description

UDP: endpoint Endpoint (sockaddr=LocalAddress) bind failed: inspection status = Status.

Message #

UDP: endpoint %4 (sockaddr=%2) bind failed: inspection status = %3

Fields #

Name	Description
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`Status` UInt32	— NTSTATUS reference
`Endpoint` Pointer	—

Event ID 1396 — UDP: endpoint Endpoint (sockaddr=LocalAddress) bound.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: UdpBindEndpointComplete

Description

UDP: endpoint Endpoint (sockaddr=LocalAddress) bound.

Message #

UDP: endpoint %4 (sockaddr=%2) bound.

Fields #

Name	Description
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`Status` UInt32	— NTSTATUS reference
`Endpoint` Pointer	—
`Pid` UInt32	—
`ProcessStartKey` UInt64	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1396",
    "version": "0",
    "level": "4",
    "task": "1390",
    "opcode": "0",
    "keywords": 9223372036854776841,
    "time_created": "2026-03-16T00:21:40.078017600+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{11735e80-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "228",
      "thread_id": "8220"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "LocalAddressLength": "      28",
    "LocalAddress": "[::]:53893",
    "Status": "0x0",
    "Endpoint": "0xFFFF980A11735E80"
  },
  "message": ""
}

Event ID 1397 — UDP: endpoint Endpoint (sockaddr=LocalAddress) closed.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: UdpCloseEndpointBound

Description

UDP: endpoint Endpoint (sockaddr=LocalAddress) closed.

Message #

UDP: endpoint %4 (sockaddr=%2) closed.

Fields #

Name	Description
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`Status` UInt32	— NTSTATUS reference
`Endpoint` Pointer	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1397",
    "version": "0",
    "level": "4",
    "task": "1391",
    "opcode": "0",
    "keywords": 9223372105574253569,
    "time_created": "2026-03-16T00:21:40.117474200+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{11735e80-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "228",
      "thread_id": "2612"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "LocalAddressLength": "      28",
    "LocalAddress": "[::]:53893",
    "Status": "0x0",
    "Endpoint": "0xFFFF980A11735E80"
  },
  "message": ""
}

Event ID 1398 — UDP: endpoint Endpoint closed.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: UdpCloseEndpointUnBound

Description

UDP: endpoint Endpoint closed.

Message #

UDP: endpoint %4 closed.

Fields #

Name	Description
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`Status` UInt32	— NTSTATUS reference
`Endpoint` Pointer	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1398",
    "version": "0",
    "level": "4",
    "task": "1392",
    "opcode": "0",
    "keywords": 9223372105574253569,
    "time_created": "2026-03-16T00:21:40.118277500+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{11737aa0-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "3688",
      "thread_id": "10580"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "LocalAddressLength": "       0",
    "LocalAddress": "",
    "Status": "0x0",
    "Endpoint": "0xFFFF980A11737AA0"
  },
  "message": ""
}

Event ID 1399 — UDP: endpoint Endpoint (sockaddr=EndpointAddress) send messages SendAddress: address resolution status = Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: UdpSendMessagesResolutionFailure

Description

UDP: endpoint Endpoint (sockaddr=EndpointAddress) send messages SendAddress: address resolution status = Status.

Message #

UDP: endpoint %1 (sockaddr=%3) send messages %5: address resolution status = %6

Fields #

Name	Description
`Endpoint` Pointer	—
`EndpointAddressLength` UInt32	—
`EndpointAddress` Binary	—
`SendAddressLength` UInt32	—
`SendAddress` Binary	—
`Status` UInt32	— NTSTATUS reference

Event ID 1400 — UDP: endpoint Endpoint (sockaddr=EndpointAddress) send messages SendAddress: address validation failed.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: UdpSendMessagesValidationFailure

Description

UDP: endpoint Endpoint (sockaddr=EndpointAddress) send messages SendAddress: address validation failed.

Message #

UDP: endpoint %1 (sockaddr=%3) send messages %5: address validation failed.

Fields #

Name	Description
`Endpoint` Pointer	—
`EndpointAddressLength` UInt32	—
`EndpointAddress` Binary	—
`SendAddressLength` UInt32	—
`SendAddress` Binary	—
`Status` UInt32	— NTSTATUS reference

Event ID 1401 — UDP: endpoint Endpoint (sockaddr=EndpointAddress) send messages SendAddress: source-address selection status = Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: UdpSendMessagesSrcAddrSelectionFailure

Description

UDP: endpoint Endpoint (sockaddr=EndpointAddress) send messages SendAddress: source-address selection status = Status.

Message #

UDP: endpoint %1 (sockaddr=%3) send messages %5: source-address selection status = %6

Fields #

Name	Description
`Endpoint` Pointer	—
`EndpointAddressLength` UInt32	—
`EndpointAddress` Binary	—
`SendAddressLength` UInt32	—
`SendAddress` Binary	—
`Status` UInt32	— NTSTATUS reference

Event ID 1402 — UDP: endpoint {Endpoint} too many packets queued for the pending join path.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic

Description

UDP: endpoint {Endpoint} too many packets queued for the pending join path.

Message #

UDP: endpoint {Endpoint} too many packets queued for the pending join path.

Fields #

Name	Description
`Endpoint`	—

Event ID 1403 — UDP: address family AddressFamilyadded to interface InterfaceIndex.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: UdpGlobalAddInterface

Description

UDP: address family AddressFamilyadded to interface InterfaceIndex.

Message #

UDP: address family %2added to interface %1.

Fields #

Name	Description
`InterfaceIndex` UInt32	—
`AddressFamily` UInt32	—

Event ID 1404 — UDP: address family AddressFamilyremoved from interface InterfaceIndex.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: UdpGlobalDeleteInterface

Description

UDP: address family AddressFamilyremoved from interface InterfaceIndex.

Message #

UDP: address family %2removed from interface %1.

Fields #

Name	Description
`InterfaceIndex` UInt32	—
`AddressFamily` UInt32	—

Event ID 1405 — UDP: Failure initializing transport protocol, status = Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: UdpStartInetModuleFailure

Description

UDP: Failure initializing transport protocol, status = Status.

Message #

UDP: Failure initializing transport protocol, status = %1

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference

Event ID 1406 — UDP: Failure starting NLNPI client, status = Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: UdpStartNlnpiClientFailure

Description

UDP: Failure starting NLNPI client, status = Status.

Message #

UDP: Failure starting NLNPI client, status = %1

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference

Event ID 1407 — UDP: Failure initializing NSI support, status = Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: UdpStartNsiProviderFailure

Description

UDP: Failure initializing NSI support, status = Status.

Message #

UDP: Failure initializing NSI support, status = %1

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference

Event ID 1408 — UDP: Failure starting TLNPI provider, status = Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: UdpStartTlnpiProviderFailure

Description

UDP: Failure starting TLNPI provider, status = Status.

Message #

UDP: Failure starting TLNPI provider, status = %1

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference

Event ID 1409 — UDP: Failure initializing QoS support, status = Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: UdpStartQosClientFailure

Description

UDP: Failure initializing QoS support, status = Status.

Message #

UDP: Failure initializing QoS support, status = %1

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference

Event ID 1410 — UDP: Failure starting FailedQueueString, status = Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: UdpStartEndpointModuleFailure

Description

UDP: Failure starting FailedQueueString, status = Status.

Message #

UDP: Failure starting %1, status = %2

Fields #

Name	Description
`FailedQueueString` UnicodeString	—
`Status` UInt32	— NTSTATUS reference

Event ID 1411 — UDP: endpoint Endpoint (sockaddr=EndpointAddress) send messages SendAddress: could not allocate send context.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: UdpSendMessagesSendContextResourceFailure

Description

UDP: endpoint Endpoint (sockaddr=EndpointAddress) send messages SendAddress: could not allocate send context.

Message #

UDP: endpoint %1 (sockaddr=%3) send messages %5: could not allocate send context.

Fields #

Name	Description
`Endpoint` Pointer	—
`EndpointAddressLength` UInt32	—
`EndpointAddress` Binary	—
`SendAddressLength` UInt32	—
`SendAddress` Binary	—
`Status` UInt32	— NTSTATUS reference

Event ID 1412 — UDP: endpoint Endpoint (sockaddr=EndpointAddress) send messages SendAddress: path af failure, status = Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: UdpSendMessagesPathAfFailure

Description

UDP: endpoint Endpoint (sockaddr=EndpointAddress) send messages SendAddress: path af failure, status = Status.

Message #

UDP: endpoint %1 (sockaddr=%3) send messages %5: path af failure, status = %6

Fields #

Name	Description
`Endpoint` Pointer	—
`EndpointAddressLength` UInt32	—
`EndpointAddress` Binary	—
`SendAddressLength` UInt32	—
`SendAddress` Binary	—
`Status` UInt32	— NTSTATUS reference

Event ID 1413 — UDP: endpoint Endpoint (sockaddr=EndpointAddress) send messages SendAddress: path missing next hop failure.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: UdpSendMessagesPathNextHopMissingFailure

Description

UDP: endpoint Endpoint (sockaddr=EndpointAddress) send messages SendAddress: path missing next hop failure.

Message #

UDP: endpoint %1 (sockaddr=%3) send messages %5: path missing next hop failure.

Fields #

Name	Description
`Endpoint` Pointer	—
`EndpointAddressLength` UInt32	—
`EndpointAddress` Binary	—
`SendAddressLength` UInt32	—
`SendAddress` Binary	—
`Status` UInt32	— NTSTATUS reference

Event ID 1414 — UDP: endpoint Endpoint (sockaddr=EndpointAddress) send messages SendAddress: path next hop address failure.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: UdpSendMessagesPathNextHopAddrFailure

Description

UDP: endpoint Endpoint (sockaddr=EndpointAddress) send messages SendAddress: path next hop address failure.

Message #

UDP: endpoint %1 (sockaddr=%3) send messages %5: path next hop address failure.

Fields #

Name	Description
`Endpoint` Pointer	—
`EndpointAddressLength` UInt32	—
`EndpointAddress` Binary	—
`SendAddressLength` UInt32	—
`SendAddress` Binary	—
`Status` UInt32	— NTSTATUS reference

Event ID 1415 — TCP: Early Retransmission, FACK or RACK, Connection = Tcb, SndUna = SndUna, SackIsLostSeq = SackIsLostSeq, DupAckCount = DupAckCount.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpEarlyRetransmit

Description

TCP: Early Retransmission, FACK or RACK, Connection = Tcb, SndUna = SndUna, SackIsLostSeq = SackIsLostSeq, DupAckCount = DupAckCount.

Message #

TCP: Early Retransmission, FACK or RACK, Connection = %1, SndUna = %2, SackIsLostSeq = %3, DupAckCount = %4

Fields #

Name	Description
`Tcb` Pointer	—
`SndUna` UInt32	—
`SackIsLostSeq` UInt32	—
`DupAckCount` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1415",
    "version": "0",
    "level": "4",
    "task": "1409",
    "opcode": "0",
    "keywords": 9223372041149743104,
    "time_created": "2026-03-15T23:27:12.440656500+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{fd182260-d78f-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFFD78FFD182260",
    "SndUna": "4068749001",
    "SackIsLostSeq": "       0",
    "DupAckCount": "       1"
  },
  "message": ""
}

Event ID 1416 — TCP: Ignoring fastopen SYN option due to limit on concurrent SYN_RCVD fastopen connections, Connection = Tcb, SynRcvdLimit = SynRcvdLimit.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpFastopenSynRcvdLimit

Description

TCP: Ignoring fastopen SYN option due to limit on concurrent SYN_RCVD fastopen connections, Connection = Tcb, SynRcvdLimit = SynRcvdLimit.

Message #

TCP: Ignoring fastopen SYN option due to limit on concurrent SYN_RCVD fastopen connections, Connection = %1, SynRcvdLimit = %2

Fields #

Name	Description
`Tcb` Pointer	—
`SynRcvdLimit` UInt32	—

Event ID 1417 — TCP: Failed to update fastopen key state, Location = Location, Status = Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpFastopenKeyUpdateFailure

Description

TCP: Failed to update fastopen key state, Location = Location, Status = Status. Server-side fastopen will be disabled.

Message #

TCP: Failed to update fastopen key state, Location = %1, Status = %2. Server-side fastopen will be disabled

Fields #

Name	Description
`Location` UInt32	—
`Status` UInt32	— NTSTATUS reference

Event ID 1418 — TCP: Fast Retransmit Send, Connection = Tcb, BytesToSend = BytesToSend, SndNxt = SndNxt.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpLossRecoverySend

Description

TCP: Fast Retransmit Send, Connection = Tcb, BytesToSend = BytesToSend, SndNxt = SndNxt.

Message #

TCP: Fast Retransmit Send, Connection = %1, BytesToSend = %2, SndNxt = %3

Fields #

Name	Description
`Tcb` Pointer	—
`BytesToSend` UInt32	—
`SndNxt` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1418",
    "version": "0",
    "level": "4",
    "task": "1412",
    "opcode": "0",
    "keywords": 9223372041149743104,
    "time_created": "2026-03-16T00:21:40.489901200+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{15ce6ae0-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A15CE6AE0",
    "BytesToSend": "    1440",
    "SndNxt": "155002622"
  },
  "message": ""
}

Event ID 1419 — TCP: SACK Retransmit Send, Connection = Tcb, BytesToSend = BytesToSend, SndNxt = SndNxt.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpLossRecoverySend

Description

TCP: SACK Retransmit Send, Connection = Tcb, BytesToSend = BytesToSend, SndNxt = SndNxt.

Message #

TCP: SACK Retransmit Send, Connection = %1, BytesToSend = %2, SndNxt = %3

Fields #

Name	Description
`Tcb` Pointer	—
`BytesToSend` UInt32	—
`SndNxt` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1419",
    "version": "0",
    "level": "4",
    "task": "1412",
    "opcode": "0",
    "keywords": 9223372041149743104,
    "time_created": "2026-03-16T00:21:40.490433800+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{15ce6ae0-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A15CE6AE0",
    "BytesToSend": "      38",
    "SndNxt": "155004100"
  },
  "message": ""
}

Event ID 1420 — TCP: Limited Transmit Send, Connection = Tcb, BytesToSend = BytesToSend, SndNxt = SndNxt.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpLossRecoverySend

Description

TCP: Limited Transmit Send, Connection = Tcb, BytesToSend = BytesToSend, SndNxt = SndNxt.

Message #

TCP: Limited Transmit Send, Connection = %1, BytesToSend = %2, SndNxt = %3

Fields #

Name	Description
`Tcb` Pointer	—
`BytesToSend` UInt32	—
`SndNxt` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1420",
    "version": "0",
    "level": "4",
    "task": "1412",
    "opcode": "0",
    "keywords": 9223372041149743104,
    "time_created": "2026-03-16T00:23:27.162052500+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{170d1290-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A170D1290",
    "BytesToSend": "    1440",
    "SndNxt": "1228953133"
  },
  "message": ""
}

Event ID 1421 — TCP: SACK Retransmit Additional Send, Connection = Tcb, BytesToSend = BytesToSend, SndNxt = SndNxt.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpLossRecoverySend

Description

TCP: SACK Retransmit Additional Send, Connection = Tcb, BytesToSend = BytesToSend, SndNxt = SndNxt.

Message #

TCP: SACK Retransmit Additional Send, Connection = %1, BytesToSend = %2, SndNxt = %3

Fields #

Name	Description
`Tcb` Pointer	—
`BytesToSend` UInt32	—
`SndNxt` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1421",
    "version": "0",
    "level": "4",
    "task": "1412",
    "opcode": "0",
    "keywords": 9223372041149743104,
    "time_created": "2026-03-16T00:23:27.167320000+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{170d1290-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A170D1290",
    "BytesToSend": "    1440",
    "SndNxt": "1228956013"
  },
  "message": ""
}

Event ID 1422 — IPTransportProtocol: PathDirectionmessage.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: IcmpSendRecv

Description

IPTransportProtocol: PathDirectionmessage. Type = IcmpType, Code = IcmpCode, CompartmentId = CompartmentId, SourceAddress = SourceAddress, DestAddress = DestAddress.

Message #

%1: %2message. Type = %3, Code = %4, CompartmentId = %5, SourceAddress = %7, DestAddress = %9

Fields #

Name	Description
`IPTransportProtocol` UInt32	—
`PathDirection` UInt32	—
`IcmpType` UInt32	—
`IcmpCode` UInt32	—
`CompartmentId` UInt32	—
`SourceAddressLength` UInt32	—
`SourceAddress` Binary	—
`DestAddressLength` UInt32	—
`DestAddress` Binary	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1422",
    "version": "0",
    "level": "4",
    "task": "1413",
    "opcode": "0",
    "keywords": 9223372586610589696,
    "time_created": "2026-03-16T00:21:40.180500700+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "IPTransportProtocol": "       1",
    "PathDirection": "       0",
    "IcmpType": "       3",
    "IcmpCode": "       3",
    "CompartmentId": "       1",
    "SourceAddressLength": "      16",
    "SourceAddress": "10.2.10.21",
    "DestAddressLength": "      16",
    "DestAddress": "8.8.8.8"
  },
  "message": ""
}

Event ID 1423 — IPTransportProtocol: PathDirectionpath drop.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: IcmpPacketDrops

Description

IPTransportProtocol: PathDirectionpath drop. Type = IcmpType, Code = IcmpCode, Reason = DropReason, Status = Status, CompartmentId = CompartmentId, SourceAddress = SourceAddress, DestAddress = DestAddress.

Message #

%1: %2path drop. Type = %3, Code = %4, Reason = %5, Status = %6, CompartmentId = %7, SourceAddress = %9, DestAddress = %11

Fields #

Name	Description
`IPTransportProtocol` UInt32	—
`PathDirection` UInt32	—
`IcmpType` UInt32	—
`IcmpCode` UInt32	—
`DropReason` UInt32	—
`Status` UInt32	— NTSTATUS reference
`CompartmentId` UInt32	—
`SourceAddressLength` UInt32	—
`SourceAddress` Binary	—
`DestAddressLength` UInt32	—
`DestAddress` Binary	—
`IfIndex` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1423",
    "version": "1",
    "level": "4",
    "task": "1414",
    "opcode": "0",
    "keywords": 9223373136366403712,
    "time_created": "2026-03-15T23:30:50.067428800+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}"
    },
    "execution": {
      "process_id": "10828",
      "thread_id": "12980"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "IPTransportProtocol": "       1",
    "PathDirection": "       0",
    "IcmpType": "       3",
    "IcmpCode": "       3",
    "DropReason": "      12",
    "Status": "0xC000021B",
    "CompartmentId": "       1",
    "SourceAddressLength": "      16",
    "SourceAddress": "10.2.10.11",
    "DestAddressLength": "      16",
    "DestAddress": "10.2.10.21",
    "IfIndex": "       4"
  },
  "message": ""
}

Event ID 1424 — IPTransportProtocol: Echo timeout.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IcmpEchoTimeout

Description

IPTransportProtocol: Echo timeout. Status = IcmpCode.

Message #

%1: Echo timeout. Status = %4

Fields #

Name	Description
`IPTransportProtocol` UInt32	—
`PathDirection` UInt32	—
`IcmpType` UInt32	—
`IcmpCode` UInt32	—
`DropReason` UInt32	—
`Status` UInt32	— NTSTATUS reference
`CompartmentId` UInt32	—
`SourceAddressLength` UInt32	—
`SourceAddress` Binary	—
`DestAddressLength` UInt32	—
`DestAddress` Binary	—

Event ID 1425 — Component Timer state changed to CurrentState by Processor Processor Usage = ProcessorUsage at Tick = CurrentTick.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipTimerStateChange

Description

Component Timer state changed to CurrentState by Processor Processor Usage = ProcessorUsage at Tick = CurrentTick.

Message #

%1 Timer state changed to %3 by Processor %2 Usage = %4 at Tick = %5

Fields #

Name	Description
`Component` UInt32	—
`Processor` UInt32	—
`CurrentState` UInt32	—
`ProcessorUsage` UInt32	—
`CurrentTick` UInt32	—

Event ID 1426 — TCP: connection Tcb send complete NumBytes bytes at SndNxt (Injected).

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Verbose
Task: TcpSendComplete

Description

TCP: connection Tcb send complete NumBytes bytes at SndNxt (Injected).

Message #

TCP: connection %1 send complete %3 bytes at %4 (%2).

Fields #

Name	Description
`Tcb` Pointer	—
`Injected` UnicodeString	—
`NumBytes` UInt32	—
`SndNxt` UInt32	—
`ActivityID` Pointer	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1426",
    "version": "0",
    "level": "5",
    "task": "1417",
    "opcode": "0",
    "keywords": 9223372041149743104,
    "time_created": "2026-03-16T00:21:34.390792600+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{1018b560-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "4248",
      "thread_id": "4684"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A1018B560",
    "Injected": "normal",
    "NumBytes": "    1303",
    "SndNxt": "2307521250"
  },
  "message": ""
}

Event ID 1427 — IP: Compartment creation.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpCompartmentCreation

Description

IP: Compartment creation. Compartment = CompartmentId, Protocol = AddressFamily, Private = Private, Status = Status.

Message #

IP: Compartment creation. Compartment = %1, Protocol = %2, Private = %3, Status = %4.

Fields #

Name	Description
`CompartmentId` UInt32	—
`AddressFamily` UInt32	—
`Private` UInt32	—
`Status` UInt32	— NTSTATUS reference

Event ID 1428 — IP: Compartment deletion.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpCompartmentDeletion

Description

IP: Compartment deletion. Compartment = CompartmentId, Protocol = AddressFamily.

Message #

IP: Compartment deletion. Compartment = %1, Protocol = %2.

Fields #

Name	Description
`CompartmentId` UInt32	—
`AddressFamily` UInt32	—
`Private` UInt32	—
`Status` UInt32	— NTSTATUS reference

Event ID 1429 — TCP: connection Tcb: Cumulative Ack event, SeqNo = SeqNo, BytesAcked = BytesAcked, CWnd = Cwnd, SndWnd = SndWnd, InRecovery = InRecovery, TimeSinceLastLossMS = TimeSinceLastLossMS, CubicCwnd...

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpCubicDataTransferCumAck

Description

TCP: connection : Cumulative Ack event, SeqNo = , BytesAcked = , CWnd = , SndWnd = , InRecovery = , TimeSinceLastLossMS = , CubicCwnd = , AimdCwnd = , K = , Wmax = , LastWmax = , MaxSndWnd = .

Message #

TCP: connection %1: Cumulative Ack event, SeqNo = %5, BytesAcked = %4, CWnd = %2, SndWnd = %3, InRecovery = %6, TimeSinceLastLossMS = %7, CubicCwnd = %8, AimdCwnd = %9, K = %10, Wmax = %11, LastWmax = %12, MaxSndWnd = %13.

Fields #

Name	Description
`Tcb` Pointer	—
`Cwnd` UInt32	—
`SndWnd` UInt32	—
`BytesAcked` UInt32	—
`SeqNo` UInt32	—
`InRecovery` UInt8	—
`TimeSinceLastLossMS` UInt64	—
`CubicCwnd` UInt64	—
`AimdCwnd` UInt32	—
`K` UInt64	—
`Wmax` UInt32	—
`LastWmax` UInt32	—
`MaxSndWnd` UInt32	—
`IsLimitedSlowStart` UInt8	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1429",
    "version": "1",
    "level": "4",
    "task": "1420",
    "opcode": "0",
    "keywords": 9223372041149743104,
    "time_created": "2026-03-16T00:21:36.015001500+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{10708010-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A10708010",
    "Cwnd": "   27376",
    "SndWnd": "  262656",
    "BytesAcked": "       0",
    "SeqNo": "3807647817",
    "InRecovery": "0",
    "TimeSinceLastLossMS": "0",
    "CubicCwnd": "0",
    "AimdCwnd": "       0",
    "K": "0",
    "Wmax": "       0",
    "LastWmax": "       0",
    "MaxSndWnd": "  262656",
    "IsLimitedSlowStart": "0"
  },
  "message": ""
}

Event ID 1430 — TCP: connection Tcb: Duplicate ACK updated cwnd = Cwnd and updated ssthresh = SSThresh DupAckCount = DupAckCount SndUna = SeqNo CwrMax = CwrMax.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpCubicDataTransferDupAck

Description

TCP: connection Tcb: Duplicate ACK updated cwnd = Cwnd and updated ssthresh = SSThresh DupAckCount = DupAckCount SndUna = SeqNo CwrMax = CwrMax.

Message #

TCP: connection %1: Duplicate ACK updated cwnd = %2 and updated ssthresh = %3 DupAckCount = %4 SndUna = %5 CwrMax = %6.

Fields #

Name	Description
`Tcb` Pointer	—
`Cwnd` UInt32	—
`SSThresh` UInt32	—
`DupAckCount` UInt32	—
`SeqNo` UInt32	—
`CwrMax` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1430",
    "version": "0",
    "level": "4",
    "task": "1421",
    "opcode": "0",
    "keywords": 9223372045444710400,
    "time_created": "2026-03-15T23:27:12.440654900+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{fd182260-d78f-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFFD78FFD182260",
    "Cwnd": "   22020",
    "SSThresh": "   16760",
    "DupAckCount": "       1",
    "SeqNo": "4068749001",
    "CwrMax": "4068749000"
  },
  "message": ""
}

Event ID 1431 — IP: Compartment cleanup.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpCompartmentCleanup

Description

IP: Compartment cleanup. Compartment = CompartmentId, Protocol = AddressFamily.

Message #

IP: Compartment cleanup. Compartment = %1, Protocol = %2.

Fields #

Name	Description
`CompartmentId` UInt32	—
`AddressFamily` UInt32	—
`Private` UInt32	—
`Status` UInt32	— NTSTATUS reference

Event ID 1432 — IP: Interface network category state change.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpUpdateInterfaceNetworkCategoryState

Description

IP: Interface network category state change. Interface = IfIndex, Compartment = CompartmentId , Protocol = AddressFamily, NetworkCategory = NetworkCategory, DomainNetworkLocation = DomainNetworkLocation, DomainType = DomainType, Signature = NetworkSignature.

Message #

IP: Interface network category state change. Interface = %1, Compartment = %2 , Protocol = %3, NetworkCategory = %4, DomainNetworkLocation = %5, DomainType = %6, Signature = %7.

Fields #

Name	Description
`IfIndex` UInt32	—
`CompartmentId` UInt32	—
`AddressFamily` UInt32	—
`NetworkCategory` UInt32	—
`DomainNetworkLocation` UInt32	—
`DomainType` UInt32	—
`NetworkSignature` GUID	—

Event ID 1433 — IP: Interface creation.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpInterfaceCreation

Description

IP: Interface creation. Interface = IfIndex, Compartment = CompartmentId, Protocol = AddressFamily, PhysicalMediumType = PhysicalMediumType, Status = Status.

Message #

IP: Interface creation. Interface = %1, Compartment = %2, Protocol = %3, PhysicalMediumType = %4, Status = %5.

Fields #

Name	Description
`IfIndex` UInt32	—
`CompartmentId` UInt32	—
`AddressFamily` UInt32	—
`PhysicalMediumType` UInt32	—
`Status` UInt32	— NTSTATUS reference

Event ID 1434 — IP: Interface deletion.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpInterfaceDeletion

Description

IP: Interface deletion. Interface = IfIndex, Compartment = CompartmentId, Protocol = AddressFamily.

Message #

IP: Interface deletion. Interface = %1, Compartment = %2, Protocol = %3.

Fields #

Name	Description
`IfIndex` UInt32	—
`CompartmentId` UInt32	—
`AddressFamily` UInt32	—
`PhysicalMediumType` UInt32	—
`Status` UInt32	— NTSTATUS reference

Event ID 1435 — IP: Interface cleanup.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpInterfaceCleanup

Description

IP: Interface cleanup. Interface = IfIndex, Compartment = CompartmentId, Protocol = AddressFamily.

Message #

IP: Interface cleanup. Interface = %1, Compartment = %2, Protocol = %3.

Fields #

Name	Description
`IfIndex` UInt32	—
`CompartmentId` UInt32	—
`AddressFamily` UInt32	—
`PhysicalMediumType` UInt32	—
`Status` UInt32	— NTSTATUS reference

Event ID 1436 — IP: SubInterface creation.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpSubInterfaceCreation

Description

IP: SubInterface creation. SubInterface = SubIfIndex, Interface = IfIndex, Compartment = CompartmentId, Protocol = AddressFamily, Status = Status.

Message #

IP: SubInterface creation. SubInterface = %1, Interface = %2, Compartment = %3, Protocol = %4, Status = %5.

Fields #

Name	Description
`SubIfIndex` UInt32	—
`IfIndex` UInt32	—
`CompartmentId` UInt32	—
`AddressFamily` UInt32	—
`Status` UInt32	— NTSTATUS reference

Event ID 1437 — IP: SubInterface deletion.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpSubInterfaceDeletion

Description

IP: SubInterface deletion. SubInterface = SubIfIndex, Interface = IfIndex, Compartment = CompartmentId, Protocol = AddressFamily.

Message #

IP: SubInterface deletion. SubInterface = %1, Interface = %2, Compartment = %3, Protocol = %4.

Fields #

Name	Description
`SubIfIndex` UInt32	—
`IfIndex` UInt32	—
`CompartmentId` UInt32	—
`AddressFamily` UInt32	—
`Status` UInt32	— NTSTATUS reference

Event ID 1438 — IP: SubInterface cleanup.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpSubInterfaceCleanup

Description

IP: SubInterface cleanup. SubInterface = SubIfIndex, Interface = IfIndex, Compartment = CompartmentId, Protocol = AddressFamily.

Message #

IP: SubInterface cleanup. SubInterface = %1, Interface = %2, Compartment = %3, Protocol = %4.

Fields #

Name	Description
`SubIfIndex` UInt32	—
`IfIndex` UInt32	—
`CompartmentId` UInt32	—
`AddressFamily` UInt32	—
`Status` UInt32	— NTSTATUS reference

Event ID 1439 — IP: Interface change Notification.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpInterfaceChangeNotification

Description

IP: Interface change Notification. Interface = IfIndex, Compartment = CompartmentId, Protocol = AddressFamily, Reason = Reason.

Message #

IP: Interface change Notification. Interface = %1, Compartment = %2, Protocol = %3, Reason = %4.

Fields #

Name	Description
`IfIndex` UInt32	—
`CompartmentId` UInt32	—
`AddressFamily` UInt32	—
`Reason` UInt32	—
`State` UInt32	—
`NotificationType` UInt32	—

Event ID 1440 — IP: Interface internet connectivity status change.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpInterfaceInternetConnectivityStatus

Description

IP: Interface internet connectivity status change. Interface = IfIndex, Compartment = CompartmentId, Protocol = AddressFamily, OldConnectivityStatus = OldConnectivityStatus, NewConnectivityStatus = NewConnectivityStatus.

Message #

IP: Interface internet connectivity status change. Interface = %1, Compartment = %2, Protocol = %3, OldConnectivityStatus = %4, NewConnectivityStatus = %5.

Fields #

Name	Description
`IfIndex` UInt32	—
`CompartmentId` UInt32	—
`AddressFamily` UInt32	—
`OldConnectivityStatus` UInt32	—
`NewConnectivityStatus` UInt32	—

Event ID 1441 — IP: Address change notification.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpAddressChangeNotification

Description

IP: Address change notification. Address = SourceAddress, Interface = IfIndex, Compartment = CompartmentId, Protocol = Protocol, Reason = Reason.

Message #

IP: Address change notification. Address = %2, Interface = %3, Compartment = %4, Protocol = %5, Reason = %6.

Fields #

Name	Description
`SourceAddressLength` UInt32	—
`SourceAddress` Binary	—
`IfIndex` UInt32	—
`CompartmentId` UInt32	—
`Protocol` AnsiString	— Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`Reason` UInt32	—
`State` UInt32	—
`NotificationType` UInt32	—
`DadState` UInt32	—

Event ID 1442 — IP: Route change notification.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpRouteChangeNotification

Description

IP: Route change notification. DestinationPrefix = DestinationPrefix/DestinationPrefixLength, NextHop = NextHopAddress, Interface = IfIndex, Compartment = CompartmentId, NotifyFlags = NotifyFlags.

Message #

IP: Route change notification. DestinationPrefix = %2/%5, NextHop = %4, Interface = %7, Compartment = %6, NotifyFlags = %8.

Fields #

Name	Description
`DestinationPrefixAddressLength` UInt32	—
`DestinationPrefix` Binary	—
`NextHopAddressLength` UInt32	—
`NextHopAddress` Binary	—
`DestinationPrefixLength` UInt32	—
`CompartmentId` UInt32	—
`IfIndex` UInt32	—
`NotifyFlags` UInt64	—
`State` UInt32	—
`NotificationType` UInt32	—

Event ID 1443 — IP: Neighbor change notification.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpNeighborChangeNotification

Description

IP: Neighbor change notification. IpAddress = IPAddress, DlAddress = DLAddress, Interface = IfIndex, Compartment = CompartmentId, State = NeighborState, Reason = Reason.

Message #

IP: Neighbor change notification. IpAddress = %2, DlAddress = %4, Interface = %5, Compartment = %6, State = %7, Reason = %8.

Fields #

Name	Description
`IpAddrLength` UInt32	—
`IPAddress` Binary	—
`DlAddrLength` UInt32	—
`DLAddress` Binary	—
`IfIndex` UInt32	—
`CompartmentId` UInt32	—
`NeighborState` UInt32	—
`Reason` UInt32	—
`NotificationState` UInt32	—
`NotificationType` UInt32	—

Event ID 1444 — IP: Address DAD state change.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpAddressDadStateChange

Description

IP: Address DAD state change. Address = SourceAddress, Interface = IfIndex, Compartment = CompartmentId, OldState = OldDadState, NewState = NewDadState, Reason = Reason.

Message #

IP: Address DAD state change. Address = %2, Interface = %3, Compartment = %4, OldState = %5, NewState = %6, Reason = %7.

Fields #

Name	Description
`SourceAddressLength` UInt32	—
`SourceAddress` Binary	—
`IfIndex` UInt32	—
`CompartmentId` UInt32	—
`OldDadState` UInt32	—
`NewDadState` UInt32	—
`Reason` UInt32	—

Event ID 1445 — IP: Route Dead Gateway Detection state change.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpRouteDGDStateChange

Message #

IP: Route Dead Gateway Detection state change. DestinationPrefix = %2/%5, NextHop = %4, Interface = %7, Compartment = %6, OldState = %8, NewState = %9, OldProbeCount = %10, NewProbeCount = %11, OldUnreachablePaths = %12, NewUnreachablePaths = %13, OldMovedPaths = %14, NewMovedPaths = %15, TotalPaths = %16, OldStateChangeTick = %17, NewStateChangeTick = %18, DgdNeedsReset = %19, Reason = %20.

Fields #

Name	Description
`DestinationPrefixAddressLength` UInt32	—
`DestinationPrefix` Binary	—
`NextHopAddressLength` UInt32	—
`NextHopAddress` Binary	—
`DestinationPrefixLength` UInt32	—
`CompartmentId` UInt32	—
`IfIndex` UInt32	—
`OldState` UInt32	—
`NewState` UInt32	—
`OldProbeCount` UInt32	—
`NewProbeCount` UInt32	—
`OldUnreachablePaths` UInt32	—
`NewUnreachablePaths` UInt32	—
`OldMovedPaths` UInt32	—
`NewMovedPaths` UInt32	—
`TotalPaths` UInt32	—
`OldStateChangeTick` UInt32	—
`NewStateChangeTick` UInt32	—
`DgdNeedsReset` UInt32	—
`Reason` UInt32	—

Event ID 1446 — IP: Disconnecting TCP connections with Address = Address, Interface = IfIndex, Compartment = CompartmentId, SkipLocal = SkipLocal, SkipOnLink = SkipOnLink.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpInterfaceDisconnect

Description

IP: Disconnecting TCP connections with Address = Address, Interface = IfIndex, Compartment = CompartmentId, SkipLocal = SkipLocal, SkipOnLink = SkipOnLink.

Message #

IP: Disconnecting TCP connections with Address = %2, Interface = %3, Compartment = %4, SkipLocal = %5, SkipOnLink = %6.

Fields #

Name	Description
`AddressLength` UInt32	—
`Address` Binary	—
`IfIndex` UInt32	—
`CompartmentId` UInt32	—
`SkipLocal` UInt32	—
`SkipOnLink` UInt32	—

Event ID 1447 — TCP: connection Tcb: Sending paced chunk of QuantizedAllowance bytes with CWnd = Cwnd, SndWnd = SndWnd, BytesAvailable = BytesAvailable, BytesOutstanding = BytesOutstanding.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpPacingSend

Description

TCP: connection Tcb: Sending paced chunk of QuantizedAllowance bytes with CWnd = Cwnd, SndWnd = SndWnd, BytesAvailable = BytesAvailable, BytesOutstanding = BytesOutstanding.

Message #

TCP: connection %1: Sending paced chunk of %6 bytes with CWnd = %2, SndWnd = %3, BytesAvailable = %4, BytesOutstanding = %5

Fields #

Name	Description
`Tcb` Pointer	—
`Cwnd` UInt32	—
`SndWnd` UInt32	—
`BytesAvailable` UInt32	—
`BytesOutstanding` UInt32	—
`QuantizedAllowance` UInt32	—
`Allowance` UInt32	—
`OriginalBytesToSend` UInt32	—

Event ID 1448 — Fallback: Context = Fallback, Feature = Feature, TraceReason = Reason, Confidence = Confidence, Successes = Successes, Failures = Failures.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: FeatureFallback

Description

Fallback: Context = Fallback, Feature = Feature, TraceReason = Reason, Confidence = Confidence, Successes = Successes, Failures = Failures.

Message #

Fallback: Context = %1, Feature = %2, TraceReason = %3, Confidence = %4, Successes = %5, Failures = %6

Fields #

Name	Description
`Fallback` Pointer	—
`Feature` UInt32	—
`Reason` UInt32	—
`Confidence` Int32	—
`Successes` UInt32	—
`Failures` UInt32	—

Event ID 1449 — TCPIP: TCB Tcb using fast loopback.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpLoopbackFastPathSuccess

Description

TCPIP: TCB Tcb using fast loopback.

Message #

TCPIP: TCB %1 using fast loopback

Fields #

Name	Description
`Tcb` Pointer	—

Event ID 1450 — IP: Router information change notification.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpRouterInformationChangeNotification

Description

IP: Router information change notification. Interface = IfIndex, Compartment = CompartmentId, Protocol = AddressFamily, Reason = Reason.

Message #

IP: Router information change notification. Interface = %1, Compartment = %2, Protocol = %3, Reason = %4.

Fields #

Name	Description
`IfIndex` UInt32	—
`CompartmentId` UInt32	—
`AddressFamily` UInt32	—
`Reason` UInt32	—

Event ID 1451 — IP: Event.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpRaDnsEvent

Description

IP: Event. Interface = Interface, Compartment = CompartmentId, RouterAddress = RouterAddress, DNS Server/Suffix: DNSServerAddress DNSSuffix, Lifetime = Lifetime.

Message #

IP: %1. Interface = %2, Compartment = %3, RouterAddress = %5, DNS Server/Suffix: %7 %8, Lifetime = %9.

Fields #

Name	Description
`Event` UInt32	—
`Interface` UInt32	—
`CompartmentId` UInt32	—
`RouterAddrLength` UInt32	—
`RouterAddress` Binary	—
`DnsAddrLength` UInt32	—
`DNSServerAddress` Binary	—
`DNSSuffix` AnsiString	—
`Lifetime` UInt32	—

Event ID 1452 — IP: Route rundown.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: IpRouteRundown

Description

IP: Route rundown. Interface = Interface, Compartment = Compartment, Prefix = DestinationPrefix/DestinationPrefixLength, NextHop = NextHopAddress, Metric = Metric, State = State, Origin = Origin, Age = Age, ValidLifetime = ValidLifetime, PreferredLifetime = PreferredLifetime, Flags = Flags.

Message #

IP: Route rundown. Interface = %1, Compartment = %2, Prefix = %4/%5, NextHop = %7, Metric = %8, State = %9, Origin = %10, Age = %11, ValidLifetime = %12, PreferredLifetime = %13, Flags = %14.

Fields #

Name	Description
`Interface` UInt32	—
`Compartment` UInt32	—
`DestinationPrefixAddressLength` UInt32	—
`DestinationPrefix` Binary	—
`DestinationPrefixLength` UInt32	—
`NextHopAddressLength` UInt32	—
`NextHopAddress` Binary	—
`Metric` UInt32	—
`State` UInt32	—
`Origin` UInt32	—
`Age` UInt64	—
`ValidLifetime` UInt64	—
`PreferredLifetime` UInt64	—
`Flags` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1452",
    "version": "0",
    "level": "4",
    "task": "1443",
    "opcode": "0",
    "keywords": 9223372586610589856,
    "time_created": "2026-03-16T00:21:34.295267700+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}"
    },
    "execution": {
      "process_id": "9132",
      "thread_id": "4236"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Interface": "       6",
    "Compartment": "       1",
    "DestinationPrefixAddressLength": "      16",
    "DestinationPrefix": "0.0.0.0",
    "DestinationPrefixLength": "       0",
    "NextHopAddressLength": "      16",
    "NextHopAddress": "10.2.10.254",
    "Metric": "     256",
    "State": "       0",
    "Origin": "       0",
    "Age": "0x1A11",
    "ValidLifetime": "0xFFFFFFFF",
    "PreferredLifetime": "0xFFFFFFFF",
    "Flags": "0x388"
  },
  "message": ""
}

Event ID 1453 — TCP: CUBIC ECN event.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpCubicDataTransferEcn

Description

TCP: CUBIC ECN event. Connection Tcb, CWnd Cwnd, SSThresh = SSThresh, SndUna = SndUna.

Message #

TCP: CUBIC ECN event. Connection %1, CWnd %2, SSThresh = %3, SndUna = %4

Fields #

Name	Description
`Tcb` Pointer	—
`Cwnd` UInt32	—
`SSThresh` UInt32	—
`SndUna` UInt32	—

Event ID 1454 — INETINSPECT: Owner = Owner, InspectHandle = InspectHandle, InspectType = InspectType, Action = InspectAction, Status = Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: InetInspect

Description

INETINSPECT: Owner = Owner, InspectHandle = InspectHandle, InspectType = InspectType, Action = InspectAction, Status = Status.

Message #

INETINSPECT: Owner = %1, InspectHandle = %2, InspectType = %3, Action = %4, Status = %5

Fields #

Name	Description
`Owner` Pointer	—
`InspectHandle` Pointer	—
`InspectType` UInt32	—
`InspectAction` UInt32	—
`Status` UInt32	— NTSTATUS reference

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1454",
    "version": "0",
    "level": "4",
    "task": "1445",
    "opcode": "0",
    "keywords": 9223372036854775936,
    "time_created": "2026-03-16T00:21:34.388718700+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{1018b560-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "4168",
      "thread_id": "6880"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Owner": "0xFFFF980A1018B560",
    "InspectHandle": "0xFFFF980A17030CE0",
    "InspectType": "       0",
    "InspectAction": "       1",
    "Status": "0x0"
  },
  "message": ""
}

Event ID 1455 — INETINSPECT: Owner = Owner, InspectHandle = InspectHandle, InspectType = InspectType, Action = InspectPort, Status = Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: InetInspect

Description

INETINSPECT: Owner = Owner, InspectHandle = InspectHandle, InspectType = InspectType, Action = InspectPort, Status = Status.

Message #

INETINSPECT: Owner = %1, InspectHandle = %2, InspectType = %3, Action = %4, Status = %5

Fields #

Name	Description
`Owner` Pointer	—
`InspectHandle` Pointer	—
`InspectType` UInt32	—
`InspectPort` UInt32	—
`Status` UInt32	— NTSTATUS reference

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1455",
    "version": "0",
    "level": "4",
    "task": "1445",
    "opcode": "0",
    "keywords": 9223372036854775936,
    "time_created": "2026-03-16T00:21:40.077855500+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{0b1c4090-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "228",
      "thread_id": "8220"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Owner": "0xFFFF980A0B1C4090",
    "InspectHandle": "0xFFFF980A13FE6CC0",
    "InspectType": "      17",
    "InspectPort": "       0",
    "Status": "0x0"
  },
  "message": ""
}

Event ID 1456 — FallbackCheck: Ctx = Fallback, Feature = Feature, Failed = Failed, Succeeeded = Succeeded, InProbe = InProbe, PathsProbed = PathsProbed, Status = Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: FeatureFallback

Description

FallbackCheck: Ctx = Fallback, Feature = Feature, Failed = Failed, Succeeeded = Succeeded, InProbe = InProbe, PathsProbed = PathsProbed, Status = Status.

Message #

FallbackCheck: Ctx = %1, Feature = %2, Failed = %3, Succeeeded = %4, InProbe = %5, PathsProbed = %6, Status = %7

Fields #

Name	Description
`Fallback` Pointer	—
`Feature` UInt32	—
`Failed` UInt32	—
`Succeeded` UInt32	—
`InProbe` UInt32	—
`PathsProbed` UInt32	—
`Status` UInt32	— NTSTATUS reference

Event ID 1457 — FallbackUpdate: Ctx = Fallback, Feature = Feature, Failed = Failed, Succeeeded = Succeeded, InProbe = InProbe, PathsProbed = PathsProbed, Status = Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: FeatureFallback

Description

FallbackUpdate: Ctx = Fallback, Feature = Feature, Failed = Failed, Succeeeded = Succeeded, InProbe = InProbe, PathsProbed = PathsProbed, Status = Status.

Message #

FallbackUpdate: Ctx = %1, Feature = %2, Failed = %3, Succeeeded = %4, InProbe = %5, PathsProbed = %6, Status = %7

Fields #

Name	Description
`Fallback` Pointer	—
`Feature` UInt32	—
`Failed` UInt32	—
`Succeeded` UInt32	—
`InProbe` UInt32	—
`PathsProbed` UInt32	—
`Status` UInt32	— NTSTATUS reference

Event ID 1458 — Fallback: Permanently disabling feature, Ctx = Fallback, Feature = Feature, PathsProbed = PathsProbed.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: FeatureFallback

Description

Fallback: Permanently disabling feature, Ctx = Fallback, Feature = Feature, PathsProbed = PathsProbed.

Message #

Fallback: Permanently disabling feature, Ctx = %1, Feature = %2, PathsProbed = %6

Fields #

Name	Description
`Fallback` Pointer	—
`Feature` UInt32	—
`Failed` UInt32	—
`Succeeded` UInt32	—
`InProbe` UInt32	—
`PathsProbed` UInt32	—
`Status` UInt32	— NTSTATUS reference

Event ID 1459 — Fallback: Enabling feature for this boot session, Ctx = Fallback, Feature = Feature, PathsProbed = PathsProbed.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: FeatureFallback

Description

Fallback: Enabling feature for this boot session, Ctx = Fallback, Feature = Feature, PathsProbed = PathsProbed.

Message #

Fallback: Enabling feature for this boot session, Ctx = %1, Feature = %2, PathsProbed = %6

Fields #

Name	Description
`Fallback` Pointer	—
`Feature` UInt32	—
`Failed` UInt32	—
`Succeeded` UInt32	—
`InProbe` UInt32	—
`PathsProbed` UInt32	—
`Status` UInt32	— NTSTATUS reference

Event ID 1460 — Fallback: Feature previously disabled, Ctx = Fallback, Feature = Feature, PathsProbed = PathsProbed.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: FeatureFallback

Description

Fallback: Feature previously disabled, Ctx = Fallback, Feature = Feature, PathsProbed = PathsProbed.

Message #

Fallback: Feature previously disabled, Ctx = %1, Feature = %2, PathsProbed = %6

Fields #

Name	Description
`Fallback` Pointer	—
`Feature` UInt32	—
`Failed` UInt32	—
`Succeeded` UInt32	—
`InProbe` UInt32	—
`PathsProbed` UInt32	—
`Status` UInt32	— NTSTATUS reference

Event ID 1461 — TCP Fastopen fallback update: Tcb = Tcb, FastopenState = FastopenState, DataBytesIn = DataBytesIn, ShutdownStatus = ShutdownStatus, ProbeStatus = ProbeStatus.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpFastopenFallbackUpdate

Description

TCP Fastopen fallback update: Tcb = Tcb, FastopenState = FastopenState, DataBytesIn = DataBytesIn, ShutdownStatus = ShutdownStatus, ProbeStatus = ProbeStatus.

Message #

TCP Fastopen fallback update: Tcb = %1, FastopenState = %2, DataBytesIn = %3, ShutdownStatus = %4, ProbeStatus = %5

Fields #

Name	Description
`Tcb` Pointer	—
`FastopenState` UInt32	—
`DataBytesIn` UInt64	—
`ShutdownStatus` UInt32	—
`ProbeStatus` UInt32	—

Event ID 1462 — Disabling feature until connectivity is established: CompartmentId =CompartmentId, IfIndex = IfIndex, Feature = Feature, ConnectivityStatus = ConnectivityStatus.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: FeatureFallbackNcsiNoConnectivity

Description

Disabling feature until connectivity is established: CompartmentId =CompartmentId, IfIndex = IfIndex, Feature = Feature, ConnectivityStatus = ConnectivityStatus.

Message #

Disabling feature until connectivity is established: CompartmentId =%1, IfIndex = %2, Feature = %3, ConnectivityStatus = %4

Fields #

Name	Description
`CompartmentId` UInt32	—
`IfIndex` UInt32	—
`Feature` UInt32	—
`ConnectivityStatus` UInt32	—

Event ID 1463 — Disabling Feature for loopback connection.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: FeatureFallbackLoopback

Description

Disabling Feature for loopback connection.

Message #

Disabling %1 for loopback connection

Fields #

Name	Description
`Feature` UInt32	—

Event ID 1464 — Disabling TCP Fastopen for BaseEndpoint = BaseEndpoint because an incompatible WFP callout is installed.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpFastopenIncompatCallout

Description

Disabling TCP Fastopen for BaseEndpoint = BaseEndpoint because an incompatible WFP callout is installed.

Message #

Disabling TCP Fastopen for BaseEndpoint = %1 because an incompatible WFP callout is installed

Fields #

Name	Description
`BaseEndpoint` Pointer	—

Event ID 1465 — IP: Setting source constraint for route lookup - Compartment: Compartment DstAddr: DestinationAddress ConstrainSrcAddr: ConstrainSourceAddress ConstrainIfIndex: ConstrainInterfaceIndex ConstraintFl...

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Verbose
Task: TcpipSourceConstraint

Description

IP: Setting source constraint for route lookup - Compartment: Compartment DstAddr: DestinationAddress ConstrainSrcAddr: ConstrainSourceAddress ConstrainIfIndex: ConstrainInterfaceIndex ConstraintFlags: ConstraintFlags.

Message #

IP: Setting source constraint for route lookup - Compartment: %1 DstAddr: %3 ConstrainSrcAddr: %5 ConstrainIfIndex: %6 ConstraintFlags: %7

Fields #

Name	Description
`Compartment` UInt32	—
`DestinationAddrLength` UInt32	—
`DestinationAddress` Binary	—
`ConstrainSourceAddrLength` UInt32	—
`ConstrainSourceAddress` Binary	—
`ConstrainInterfaceIndex` UInt32	—
`ConstraintFlags` UInt32	—
`TransportProtocol` UInt32	—
`IcmpType` UInt8	—
`IcmpCode` UInt8	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1465",
    "version": "0",
    "level": "5",
    "task": "1450",
    "opcode": "0",
    "keywords": 9223372036854775840,
    "time_created": "2026-03-16T00:21:38.719138100+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Compartment": "       1",
    "DestinationAddrLength": "      16",
    "DestinationAddress": "10.2.10.11",
    "ConstrainSourceAddrLength": "      16",
    "ConstrainSourceAddress": "10.2.10.21",
    "ConstrainInterfaceIndex": "       6",
    "ConstraintFlags": "0x1"
  },
  "message": ""
}

Event ID 1466 — WFP-ALE: RemoteEndPoint Insertion: (local=LocalAddress remote=RemoteAddress) PartitionId=PartitionId PartitionNumEntries=NumEntries.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: RemoteEndpoint

Description

WFP-ALE: RemoteEndPoint Insertion: (local=LocalAddress remote=RemoteAddress) PartitionId=PartitionId PartitionNumEntries=NumEntries.

Message #

WFP-ALE: RemoteEndPoint Insertion: (local=%2 remote=%3) PartitionId=%4 PartitionNumEntries=%5

Fields #

Name	Description
`AddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddress` Binary	—
`PartitionId` UInt64	—
`NumEntries` UInt64	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1466",
    "version": "0",
    "level": "4",
    "task": "1372",
    "opcode": "0",
    "keywords": 9223372036854808576,
    "time_created": "2026-03-16T00:21:40.078425500+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}"
    },
    "execution": {
      "process_id": "228",
      "thread_id": "8220"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "AddressLength": "      16",
    "LocalAddress": "10.2.10.21:53893",
    "RemoteAddress": "10.2.10.11:53",
    "PartitionId": "4",
    "NumEntries": "4"
  },
  "message": ""
}

Event ID 1467 — WFP-ALE: RemoteEndPoint Deletion: (local=LocalAddress remote=RemoteAddress) PartitionId=PartitionId PartitionNumEntries=NumEntries.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: RemoteEndpoint

Description

WFP-ALE: RemoteEndPoint Deletion: (local=LocalAddress remote=RemoteAddress) PartitionId=PartitionId PartitionNumEntries=NumEntries.

Message #

WFP-ALE: RemoteEndPoint Deletion: (local=%2 remote=%3) PartitionId=%4 PartitionNumEntries=%5

Fields #

Name	Description
`AddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddress` Binary	—
`PartitionId` UInt64	—
`NumEntries` UInt64	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1467",
    "version": "0",
    "level": "4",
    "task": "1372",
    "opcode": "0",
    "keywords": 9223372036854808576,
    "time_created": "2026-03-16T00:21:40.078776800+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}"
    },
    "execution": {
      "process_id": "228",
      "thread_id": "8220"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "AddressLength": "      16",
    "LocalAddress": "10.2.10.21",
    "RemoteAddress": "8.8.8.8:1",
    "PartitionId": "4",
    "NumEntries": "3"
  },
  "message": ""
}

Event ID 1468 — TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) system abort.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpSystemAbortTcb

Description

TCP: connection Tcb (local=LocalAddress remote=RemoteAddress) system abort. PID = ProcessId.

Message #

TCP: connection %8 (local=%2 remote=%4) system abort. PID = %6.

Fields #

Name	Description
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`Status` UInt32	— NTSTATUS reference
`ProcessId` UInt32	—
`Compartment` UInt32	—
`Tcb` Pointer	—
`ProcessStartKey` UInt64	—
`Reason` UInt32	—

Event ID 1469 — Disabling Feature due to no next hop.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: FeatureFallbackNoNextHop

Description

Disabling Feature due to no next hop.

Message #

Disabling %1 due to no next hop

Fields #

Name	Description
`Feature` UInt32	—

Event ID 1470 — TCP: endpoint (sockaddr=LocalAddressLength) bind failed: wake status = LocalAddress.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpBindEndpointWakeFailure

Description

TCP: endpoint (sockaddr=LocalAddressLength) bind failed: wake status = LocalAddress.

Message #

TCP: endpoint (sockaddr=%2) bind failed: wake status = %3.

Fields #

Name	Description
`Endpoint` Pointer	—
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`Status` UInt32	— NTSTATUS reference

Event ID 1471 — UDP: endpoint Endpoint (sockaddr=LocalAddress) bind failed: wake status = Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: UdpBindEndpointWakeFailure

Description

UDP: endpoint Endpoint (sockaddr=LocalAddress) bind failed: wake status = Status.

Message #

UDP: endpoint %4 (sockaddr=%2) bind failed: wake status = %3

Fields #

Name	Description
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`Status` UInt32	— NTSTATUS reference
`Endpoint` Pointer	—

Event ID 1472 — Acquire wake port Port, type=AcquireType, family=AddressFamily, IF=Interface, compartment=Compartment.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: InetWakeAcquirePort

Description

Acquire wake port Port, type=AcquireType, family=AddressFamily, IF=Interface, compartment=Compartment.

Message #

Acquire wake port %2, type=%1, family=%3, IF=%4, compartment=%5

Fields #

Name	Description
`AcquireType` UInt32	—
`Port` UInt16	—
`AddressFamily` UInt32	—
`Interface` UInt32	—
`Compartment` UInt32	—

Event ID 1473 — TCP: Connection Tcb reached max SACK queue length.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpSackUpdateLimitReached

Description

TCP: Connection Tcb reached max SACK queue length.

Message #

TCP: Connection %1 reached max SACK queue length

Fields #

Name	Description
`Tcb` Pointer	—
`Location` UInt32	—

Event ID 1474 — TCP: Connection Tcb requested fast open.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpFastopenRequested

Description

TCP: Connection Tcb requested fast open.

Message #

TCP: Connection %1 requested fast open

Fields #

Name	Description
`Tcb` Pointer	—

Event ID 1475 — TCP: CUBIC Hystart state change event.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpCubicHystartStateChange

Description

TCP: CUBIC Hystart state change event. Connection Tcb, State State, CWnd Cwnd, SSThresh = SSThresh.

Message #

TCP: CUBIC Hystart state change event. Connection %1, State %2, CWnd %3, SSThresh = %4.

Fields #

Name	Description
`Tcb` Pointer	—
`State` UInt16	—
`Cwnd` UInt32	—
`SSThresh` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1475",
    "version": "0",
    "level": "4",
    "task": "1463",
    "opcode": "0",
    "keywords": 9223372041149743104,
    "time_created": "2026-03-16T00:21:40.489856100+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{15ce6ae0-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A15CE6AE0",
    "State": "2",
    "Cwnd": "   16734",
    "SSThresh": "4294967295"
  },
  "message": ""
}

Event ID 1476 — IP: Transmitting loopback Nbl Nbl.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: 17
Task: TcpipLoopbackPacketTransmit
Opcode: Info

Description

IP: Transmitting loopback Nbl Nbl. Interface=Interface, Compartment=Compartment, Src=SourceAddress, Dst=DestinationAddress, Proto=IPTransportProtocol.

Message #

IP: Transmitting loopback Nbl %1. Interface=%2, Compartment=%3, Src=%6, Dst=%5, Proto=%7.

Fields #

Name	Description
`Nbl` Pointer	—
`Interface` UInt32	—
`Compartment` UInt32	—
`AddressLength` UInt32	—
`DestinationAddress` Binary	—
`SourceAddress` Binary	—
`IPTransportProtocol` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1476",
    "version": "0",
    "level": "17",
    "task": "1464",
    "opcode": "0",
    "keywords": 9223372036858970112,
    "time_created": "2026-03-16T00:23:11.240868900+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}"
    },
    "execution": {
      "process_id": "228",
      "thread_id": "11564"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Nbl": "0xFFFF980A1A0CE070",
    "Interface": "       6",
    "Compartment": "       1",
    "AddressLength": "      16",
    "DestinationAddress": "224.0.0.251:5353",
    "SourceAddress": "10.2.10.21:5353",
    "IPTransportProtocol": "      17"
  },
  "message": ""
}

Event ID 1477 — TCP: Connection Tcb Summary: DataBytesOut DataBytesOut DataBytesIn DataBytesIn DataSegmentsOut DataSegmentsOut DataSegmentsIn DataSegmentsIn SegmentsOut SegmentsOut SegmentsIn SegmentsIn NonRecovDa...

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: 16
Task: TcpConnectionSummary
Opcode: Info

Message #

TCP: Connection %1 Summary: DataBytesOut %2 DataBytesIn %3 DataSegmentsOut %4 DataSegmentsIn %5 SegmentsOut %6 SegmentsIn %7 NonRecovDa \   %8 NonRecovDaEpisodes %9 DupAcksIn %10 BytesRetrans %11 Timeouts %12 SpuriousRtoDetections %13 FastRetran %14 MaxSsthresh %15 MaxSsCwnd %16 \   MaxCaCwnd %17 SndLimTransRwin %18 SndLimTimeRwin %19 SndLimBytesRwin %20 SndLimTransCwnd %21 SndLimTimeCwnd %22 SndLimBytesCwnd %23 \   SndLimTransSnd %24 SndLimTimeSnd %25 SndLimBytesSnd %26 ConnectionTimeMs %27 Timestamps %28 RttUs %29 MinRtt %30 MaxRtt %31 SynRetrans %32 CongestionAlgorithm %33 \   State %34 Local %36 Remote %38 CWnd %39 SsThresh %40 RcvWnd %41 RcvBuf %42 SndWnd %43.

Fields #

Name	Description
`Tcb` Pointer	—
`DataBytesOut` UInt64	—
`DataBytesIn` UInt64	—
`DataSegmentsOut` UInt64	—
`DataSegmentsIn` UInt64	—
`SegmentsOut` UInt64	—
`SegmentsIn` UInt64	—
`NonRecovDa` UInt32	—
`NonRecovDaEpisodes` UInt32	—
`DupAcksIn` UInt32	—
`BytesRetrans` UInt32	—
`Timeouts` UInt32	—
`SpuriousRtoDetections` UInt32	—
`FastRetran` UInt32	—
`MaxSsthresh` UInt32	—
`MaxSsCwnd` UInt32	—
`MaxCaCwnd` UInt32	—
`SndLimTransRwin` UInt32	—
`SndLimTimeRwin` UInt32	—
`SndLimBytesRwin` UInt64	—
`SndLimTransCwnd` UInt32	—
`SndLimTimeCwnd` UInt32	—
`SndLimBytesCwnd` UInt64	—
`SndLimTransSnd` UInt32	—
`SndLimTimeRSnd` UInt32	—
`SndLimBytesRSnd` UInt64	—
`ConnectionTimeMs` UInt64	—
`TimestampsEnabled` UInt32	—
`RttUs` UInt32	—
`MinRttUs` UInt32	—
`MaxRttUs` UInt32	—
`SynRetrans` UInt32	—
`CongestionAlgorithm` UInt32	—
`State` UInt32	—
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`CWnd` UInt32	—
`SsThresh` UInt32	—
`RcvWnd` UInt32	—
`RcvBuf` UInt32	—
`SndWnd` UInt32	—
`InterfaceIndex` UInt32	—
`LocalPort` UInt32	—
`IsLoopback` Boolean	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1477",
    "version": "1",
    "level": "16",
    "task": "1341",
    "opcode": "0",
    "keywords": 9223407221226864640,
    "time_created": "2026-03-16T00:21:38.733329900+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{0eee7560-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "4",
      "thread_id": "7444"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A0EEE7560",
    "DataBytesOut": "426",
    "DataBytesIn": "5091",
    "DataSegmentsOut": "2",
    "DataSegmentsIn": "5",
    "SegmentsOut": "6",
    "SegmentsIn": "8",
    "NonRecovDa": "       0",
    "NonRecovDaEpisodes": "       0",
    "DupAcksIn": "       0",
    "BytesRetrans": "       0",
    "Timeouts": "       0",
    "SpuriousRtoDetections": "       0",
    "FastRetran": "       0",
    "MaxSsthresh": "4294967295",
    "MaxSsCwnd": "   15027",
    "MaxCaCwnd": "       0",
    "SndLimTransRwin": "       0",
    "SndLimTimeRwin": "       0",
    "SndLimBytesRwin": "0",
    "SndLimTransCwnd": "       0",
    "SndLimTimeCwnd": "       0",
    "SndLimBytesCwnd": "0",
    "SndLimTransSnd": "       1",
    "SndLimTimeRSnd": "       0",
    "SndLimBytesRSnd": "430",
    "ConnectionTimeMs": "14",
    "TimestampsEnabled": "       0",
    "RttUs": "    1146",
    "MinRttUs": "     982",
    "MaxRttUs": "    1717",
    "SynRetrans": "       0",
    "CongestionAlgorithm": "       5",
    "State": "       0",
    "LocalAddressLength": "      28",
    "LocalAddress": "[::ffff:10.2.10.21]:5985",
    "RemoteAddressLength": "      28",
    "RemoteAddress": "[::ffff:10.2.10.11]:51201",
    "CWnd": "   15027",
    "SsThresh": "4294967295",
    "RcvWnd": " 2098020",
    "RcvBuf": " 2098020",
    "SndWnd": "  262144",
    "InterfaceIndex": "       6",
    "LocalPort": "   24855",
    "IsLoopback": "false"
  },
  "message": ""
}

Event ID 1478 — TCPIP: Framing layer PathDirection (AddressFamily=AddressFamily) dropped PacketCount packet(s) on interface=Interface, Reason=Reason, Data=Data.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipFramingPacketDrops

Description

TCPIP: Framing layer PathDirection (AddressFamily=AddressFamily) dropped PacketCount packet(s) on interface=Interface, Reason=Reason, Data=Data.

Message #

TCPIP: Framing layer %1 (AddressFamily=%2) dropped %4 packet(s) on interface=%3, Reason=%5, Data=%6.

Fields #

Name	Description
`PathDirection` UInt32	—
`AddressFamily` UInt32	—
`Interface` UInt32	—
`PacketCount` UInt32	—
`Reason` UInt32	—
`Data` UInt32	—

Event ID 1479 — TCP: Connection Tcb Transport (Protocol IPTransportProtocol, AddressFamily = AddressFamily) sent RST with Local = LocalSockAddr, Remote = RemoteSockAddr.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpRstSend

Description

TCP: Connection Tcb Transport (Protocol IPTransportProtocol, AddressFamily = AddressFamily) sent RST with Local = LocalSockAddr, Remote = RemoteSockAddr. Reason = Reason.

Message #

TCP: Connection %1 Transport (Protocol %2, AddressFamily = %3) sent RST with Local = %5, Remote = %7. Reason = %8.

Fields #

Name	Description
`Tcb` Pointer	—
`IPTransportProtocol` UInt32	—
`AddressFamily` UInt32	—
`LocalSockAddrLength` UInt32	—
`LocalSockAddr` Binary	—
`RemoteSockAddrLength` UInt32	—
`RemoteSockAddr` Binary	—
`Reason` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1479",
    "version": "0",
    "level": "4",
    "task": "1466",
    "opcode": "0",
    "keywords": 9223372586610589824,
    "time_created": "2026-03-16T00:22:37.889812500+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A0E584560",
    "IPTransportProtocol": "       6",
    "AddressFamily": "       2",
    "LocalSockAddrLength": "      16",
    "LocalSockAddr": "10.2.10.21:52990",
    "RemoteSockAddrLength": "      16",
    "RemoteSockAddr": "52.159.108.190:443",
    "Reason": "      10"
  },
  "message": ""
}

Event ID 1480 — TCP connection failed with Status = Status, Local = LocalSockAddr, Remote = RemoteSockAddr, ProcessId = TcpState, TcpState = ProcessId at Hour:Minute:Second Reason = Reason.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: 16
Task: TcpRecentConnectionFailure
Opcode: Info

Description

TCP connection failed with Status = Status, Local = LocalSockAddr, Remote = RemoteSockAddr, ProcessId = TcpState, TcpState = ProcessId at Hour:Minute:Second Reason = Reason.

Message #

TCP connection failed with Status = %1, Local = %3, Remote = %5, ProcessId = %6, TcpState = %7 at %8:%9:%10 Reason = %11.

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference
`LocalSockAddrLength` UInt32	—
`LocalSockAddr` Binary	—
`RemoteSockAddrLength` UInt32	—
`RemoteSockAddr` Binary	—
`TcpState` UInt32	—
`ProcessId` UInt32	—
`Hour` UInt16	—
`Minute` UInt16	—
`Second` UInt16	—
`Reason` UInt32	—
`ProcessStartKey` UInt64	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1480",
    "version": "1",
    "level": "16",
    "task": "1467",
    "opcode": "0",
    "keywords": 9223407221226864640,
    "time_created": "2026-03-16T00:21:34.294926800+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}"
    },
    "execution": {
      "process_id": "9132",
      "thread_id": "4236"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Status": "0xC0000241",
    "LocalSockAddrLength": "      16",
    "LocalSockAddr": "10.2.10.21:50542",
    "RemoteSockAddrLength": "      16",
    "RemoteSockAddr": "20.42.65.85:443",
    "TcpState": "       6",
    "ProcessId": "    3688",
    "Hour": "0",
    "Minute": "17",
    "Second": "1",
    "Reason": "      14",
    "ProcessStartKey": "2814749767106643"
  },
  "message": ""
}

Event ID 1481 — TCP: Connection Tcb PRR send SackIsLostSeq SackIsLostSeq SackInFlight SackInFlight SackBytes SackBytes SackIsLost SackIsLost SsThresh SsThresh RecoveryFS HeadSeq AckedData AckedData BytesInFlight B...

Provider: Microsoft-Windows-TCPIP
Channel: Operational
Task: TcpPrrSend

Description

TCP: Connection Tcb PRR send SackIsLostSeq SackIsLostSeq SackInFlight SackInFlight SackBytes SackBytes SackIsLost SackIsLost SsThresh SsThresh RecoveryFS HeadSeq AckedData AckedData BytesInFlight BytesInFlight BytesToSend BytesToSend PrrDelivered PrrDelivered PrrOut PrrOut.

Message #

TCP: Connection %1 PRR send SackIsLostSeq %2 SackInFlight %3 SackBytes %4 SackIsLost %5 SsThresh %6 RecoveryFS %7 AckedData %8 BytesInFlight %9 BytesToSend %10 PrrDelivered %11 PrrOut %12.

Fields #

Name	Description
`Tcb` Pointer	—
`SackIsLostSeq` UInt32	—
`SackInFlight` UInt32	—
`SackBytes` UInt32	—
`SackIsLost` UInt32	—
`SsThresh` UInt32	—
`HeadSeq` UInt32	—
`AckedData` UInt32	—
`BytesInFlight` UInt32	—
`BytesToSend` Int64	—
`PrrDelivered` UInt32	—
`PrrOut` UInt32	—

Event ID 1482 — UDP: Endpoint Endpoint segment message.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Verbose
Task: UdpSegmentMessage

Description

UDP: Endpoint Endpoint segment message. SegmentSize = SegmentSize (0 == No Segmentation) MessageLength = MessageLength HwDatagrams = HwDatagrams HwSegments = HwSegments SwSegments = SwSegments Status = SubMssSegments.

Message #

UDP: Endpoint %1 segment message. SegmentSize = %2 (0 == No Segmentation) MessageLength = %3 HwDatagrams = %4 HwSegments = %5 SwSegments = %6 Status = %7.

Fields #

Name	Description
`Endpoint` Pointer	—
`SegmentSize` UInt32	—
`MessageLength` UInt64	—
`HwDatagrams` UInt32	—
`HwSegments` UInt32	—
`SwSegments` UInt32	—
`SubMssSegments` UInt32	—
`Status` UInt32	— NTSTATUS reference

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1482",
    "version": "1",
    "level": "5",
    "task": "1469",
    "opcode": "0",
    "keywords": 9223372041149743104,
    "time_created": "2026-03-16T00:21:40.078220100+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{11735e80-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "228",
      "thread_id": "8220"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Endpoint": "0xFFFF980A11735E80",
    "SegmentSize": "       0",
    "MessageLength": "63",
    "HwDatagrams": "       0",
    "HwSegments": "       0",
    "SwSegments": "       0",
    "SubMssSegments": "       0",
    "Status": "0x0"
  },
  "message": ""
}

Event ID 1483 — UDP: Endpoint Endpoint segmentation offload unavailable.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: UdpUsoFallback

Description

UDP: Endpoint Endpoint segmentation offload unavailable. Reason = FailureReason SegmentSize = SegmentSize LocalAddress = LocalSockAddr, RemoteAddress = RemoteSockAddr.

Message #

UDP: Endpoint %1 segmentation offload unavailable. Reason = %2 SegmentSize = %3 LocalAddress = %5, RemoteAddress = %7.

Fields #

Name	Description
`Endpoint` Pointer	—
`FailureReason` UInt32	— Known values `%%2304` An Error occured during Logon. `%%2305` The specified user account has expired. `%%2306` The NetLogon component is not active. `%%2307` Account locked out. `%%2308` The user has not been granted the requested logon type at this machine. `%%2309` The specified account's password has expired. `%%2310` Account currently disabled. `%%2311` Account logon time restriction violation. `%%2312` User not allowed to logon at this computer. `%%2313` Unknown user name or bad password. `%%2314` Domain sid inconsistent. `%%2315` Smartcard logon is required and was not used.
`SegmentSize` UInt32	—
`LocalSockAddrLength` UInt32	—
`LocalSockAddr` Binary	—
`RemoteSockAddrLength` UInt32	—
`RemoteSockAddr` Binary	—

Event ID 1484 — TCPIP: Framing layer interface IfIndex (AddressFamily = AddressFamily) failed to bind to its provider.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipFramingInterfaceStatus

Description

TCPIP: Framing layer interface IfIndex (AddressFamily = AddressFamily) failed to bind to its provider. Code = FailureCode. Status = Status.

Message #

TCPIP: Framing layer interface %1 (AddressFamily = %2) failed to bind to its provider. Code = %3. Status = %4.

Fields #

Name	Description
`IfIndex` UInt32	—
`AddressFamily` UInt32	—
`FailureCode` UInt32	— NTSTATUS reference
`Status` UInt32	— NTSTATUS reference

Event ID 1485 — TCPIP: OID request from framing layer interface IfIndex (AddressFamily = AddressFamily) failed.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipFramingOidFailure

Description

TCPIP: OID request from framing layer interface IfIndex (AddressFamily = AddressFamily) failed. OID = OID. Status = Status.

Message #

TCPIP: OID request from framing layer interface %1 (AddressFamily = %2) failed. OID = %3. Status = %4.

Fields #

Name	Description
`IfIndex` UInt32	—
`AddressFamily` UInt32	—
`OID` UInt32	—
`Status` UInt32	— NTSTATUS reference

Event ID 1486 — TCPIP received a status indication on interface IfIndex.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipStatusIndication

Description

TCPIP received a status indication on interface IfIndex. AddressFamily = AddressFamily. NdisStatus = NdisStatus.

Message #

TCPIP received a status indication on interface %1. AddressFamily = %2. NdisStatus = %3.

Fields #

Name	Description
`IfIndex` UInt32	—
`AddressFamily` UInt32	—
`NdisStatus` UInt32	—

Event ID 1487 — IP: Failed to set socket option.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Error
Task: IpSessionFailure

Description

IP: Failed to set socket option. Level = SocketOptionLevel. Option = SocketOptionValue. Status = Status.

Message #

IP: Failed to set socket option. Level = %1. Option = %2. Status = %3.

Fields #

Name	Description
`SocketOptionLevel` UInt32	—
`SocketOptionValue` UInt32	—
`Status` UInt32	— NTSTATUS reference

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1487",
    "version": "0",
    "level": "2",
    "task": "1474",
    "opcode": "0",
    "keywords": 9223372036854775952,
    "time_created": "2026-03-16T00:23:11.242873300+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}"
    },
    "execution": {
      "process_id": "228",
      "thread_id": "2612"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SocketOptionLevel": "      41",
    "SocketOptionValue": "       9",
    "Status": "0xC0000225"
  },
  "message": ""
}

Event ID 1488 — IP: Failed to set socket IOCTL.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpSessionFailure

Description

IP: Failed to set socket IOCTL. IOCTL = SocketIoctl. Status = Status.

Message #

IP: Failed to set socket IOCTL. IOCTL = %1. Status = %2.

Fields #

Name	Description
`SocketIoctl` UInt32	—
`Status` UInt32	— NTSTATUS reference

Event ID 1489 — Failed to process multicast RequestType request.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpSessionMulticastOperation

Description

Failed to process multicast RequestType request. Address = IPv4Address IPv6Address. Source Address = IPv4SourceAddress IPv6SourceAddress. Reason = FailureReason. Status = Status.

Message #

Failed to process multicast %1 request. Address = %2 %6. Source Address = %3 %7. Reason = %8. Status = %9.

Fields #

Name	Description
`RequestType` UInt32	—
`IPv4Address` UInt32	—
`IPv4SourceAddress` UInt32	—
`IpAddrLength` UInt32	—
`IpSourceAddrLength` UInt32	—
`IPv6Address` Binary	—
`IPv6SourceAddress` Binary	—
`FailureReason` UInt32	— Known values `%%2304` An Error occured during Logon. `%%2305` The specified user account has expired. `%%2306` The NetLogon component is not active. `%%2307` Account locked out. `%%2308` The user has not been granted the requested logon type at this machine. `%%2309` The specified account's password has expired. `%%2310` Account currently disabled. `%%2311` Account logon time restriction violation. `%%2312` User not allowed to logon at this computer. `%%2313` Unknown user name or bad password. `%%2314` Domain sid inconsistent. `%%2315` Smartcard logon is required and was not used.
`Status` UInt32	— NTSTATUS reference

Event ID 1490 — Processed multicast RequestType request successfully.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpSessionMulticastOperation

Description

Processed multicast RequestType request successfully. Address = IPv4Address IPv6Address. Source Address = IPv4SourceAddress IPv6SourceAddress.

Message #

Processed multicast %1 request successfully. Address = %2 %6. Source Address = %3 %7.

Fields #

Name	Description
`RequestType` UInt32	—
`IPv4Address` UInt32	—
`IPv4SourceAddress` UInt32	—
`IpAddrLength` UInt32	—
`IpSourceAddrLength` UInt32	—
`IPv6Address` Binary	—
`IPv6SourceAddress` Binary	—

Event ID 1491 — MessageType.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpMulticast

Description

MessageType. Interface = IfIndex. Address = IPv4Address IPv6Address. Data = Data.

Message #

%1. Interface = %2. Address = %3 %5. Data = %6.

Fields #

Name	Description
`MessageType` UInt32	—
`IfIndex` UInt32	—
`IPv4Address` UInt32	—
`IpAddrLength` UInt32	—
`IPv6Address` Binary	—
`Data` UInt32	—

Event ID 1492 — MessageType.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpMulticast

Description

MessageType. Interface = IfIndex. Address = IPv4Address IPv6Address. Data = Data. Status = Status.

Message #

%1. Interface = %2. Address = %3 %5. Data = %6. Status = %7.

Fields #

Name	Description
`MessageType` UInt32	—
`IfIndex` UInt32	—
`IPv4Address` UInt32	—
`IpAddrLength` UInt32	—
`IPv6Address` Binary	—
`Data` UInt32	—
`Status` UInt32	— NTSTATUS reference

Event ID 1493 — Invalid ECN codepoints in reassembly.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpReassembly

Description

Invalid ECN codepoints in reassembly. Ce = Ce. Ect0 = Ect0. Ect1 = Ect1. NotEct = NotEct.

Message #

Invalid ECN codepoints in reassembly. Ce = %1. Ect0 = %2. Ect1 = %3. NotEct = %4.

Fields #

Name	Description
`Ce` UInt32	—
`Ect0` UInt32	—
`Ect1` UInt32	—
`NotEct` UInt32	—

Event ID 1494 — Reassembly failure: packets do not add up correctly.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpReassembly

Description

Reassembly failure: packets do not add up correctly. Interface = InterfaceIndex. Address family = AddressFamily.

Message #

Reassembly failure: packets do not add up correctly.  Interface = %1. Address family = %2.

Fields #

Name	Description
`InterfaceIndex` UInt32	—
`AddressFamily` UInt32	—

Event ID 1495 — Reassembly failure: failed to restore IPSec packet history.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpReassembly

Description

Reassembly failure: failed to restore IPSec packet history. Interface = IfIndex. Address family = AddressFamily. Status = Status.

Message #

Reassembly failure: failed to restore IPSec packet history.  Interface = %1. Address family = %2. Status = %3.

Fields #

Name	Description
`IfIndex` UInt32	—
`AddressFamily` UInt32	—
`Status` UInt32	— NTSTATUS reference

Event ID 1496 — Could not transfer FragmentContextDirection.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpReassembly

Description

Could not transfer FragmentContextDirection. Interface = IfIndex. Address family = AddressFamily.

Message #

Could not transfer %1.  Interface = %2. Address family = %3.

Fields #

Name	Description
`FragmentContextDirection` UInt32	—
`IfIndex` UInt32	—
`AddressFamily` UInt32	—

Event ID 1497 — Attempting to GroupChangeType the multicast group at FL.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpMulticast

Description

Attempting to GroupChangeType the multicast group at FL. Interface = IfIndex. Address = IPv4Address IPv6Address. Data = Data. Status = Status.

Message #

Attempting to %1 the multicast group at FL.  Interface = %2. Address = %3 %5. Data = %6. Status = %7.

Fields #

Name	Description
`GroupChangeType` UInt32	—
`IfIndex` UInt32	—
`IPv4Address` UInt32	—
`IpAddrLength` UInt32	—
`IPv6Address` Binary	—
`Data` UInt32	—
`Status` UInt32	— NTSTATUS reference

Event ID 1498 — Failed to update address list at FL.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpFlUpdateAddressList

Description

Failed to update address list at FL. Interface = IfIndex. Address Family = AddressFamily. Status = Status.

Message #

Failed to update address list at FL. Interface = %1. Address Family = %2. Status = %3.

Fields #

Name	Description
`IfIndex` UInt32	—
`AddressFamily` UInt32	—
`Status` UInt32	— NTSTATUS reference

Event ID 1499 — Too many DAD failures, so will not create temporary address.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpTemporaryAddressCreation

Description

Too many DAD failures, so will not create temporary address. Interface = IfIndex. Address = IPv4Address IPv6Address.

Message #

Too many DAD failures, so will not create temporary address. Interface = %1. Address = %2 %4.

Fields #

Name	Description
`IfIndex` UInt32	—
`IPv4Address` UInt32	—
`IpAddrLength` UInt32	—
`IPv6Address` Binary	—

Event ID 1500 — Failed to address interface; deleting it.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpSubInterfaceCreation

Description

Failed to address interface; deleting it. Interface = IfIndex. Status = Status.

Message #

Failed to address interface; deleting it. Interface = %1. Status = %2.

Fields #

Name	Description
`IfIndex` UInt32	—
`Status` UInt32	— NTSTATUS reference

Event ID 1501 — Failed to reach default gateway after reconnect; cleaning settings.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipMediaReconnect

Description

Failed to reach default gateway after reconnect; cleaning settings. Interface = IfIndex.

Message #

Failed to reach default gateway after reconnect; cleaning settings.  Interface = %1.

Fields #

Name	Description
`IfIndex` UInt32	—

Event ID 1502 — Failed to sync interface with registry.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipRegSyncInterface

Description

Failed to sync interface with registry. Interface = IfIndex. Field = Field. Status = Status.

Message #

Failed to sync interface with registry.  Interface = %1. Field = %2. Status = %3.

Fields #

Name	Description
`IfIndex` UInt32	—
`Field` UnicodeString	—
`Status` UInt32	— NTSTATUS reference

Event ID 1503 — Failed to Release an active reference on the interface.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipActiveRefFailure

Description

Failed to Release an active reference on the interface. Interface = IfIndex. Reference Reason = Subtask. Status = Status.

Message #

Failed to %1 an active reference on the interface.  Interface = %2. Reference Reason = %3. Status = %4.

Fields #

Name	Description
`Release` UInt32	—
`IfIndex` UInt32	—
`Subtask` UInt32	—
`Status` UInt32	— NTSTATUS reference

Event ID 1504 — Redirect path hijack for destination IPv4DestinationAddress IPv4NextHop from IPv6DestinationAddress IPv6NextHop.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipIpRedirectPath

Description

Redirect path hijack for destination IPv4DestinationAddress IPv4NextHop from IPv6DestinationAddress IPv6NextHop. Interface = IfIndex.

Message #

Redirect path hijack for destination %2 %3 from %5 %6. Interface = %1.

Fields #

Name	Description
`IfIndex` UInt32	—
`IPv4DestinationAddress` UInt32	—
`IPv4NextHop` UInt32	—
`IpAddrLength` UInt32	—
`IPv6DestinationAddress` Binary	—
`IPv6NextHop` Binary	—

Event ID 1505 — Redirect path rate limit for IPv6 source address IPv6Address.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipIpRedirectPath

Description

Redirect path rate limit for IPv6 source address IPv6Address. Interface = IfIndex.

Message #

Redirect path rate limit for IPv6 source address %3. Interface = %1.

Fields #

Name	Description
`IfIndex` UInt32	—
`IpAddrLength` UInt32	—
`IPv6Address` Binary	—

Event ID 1506 — Dropped AddressFamily fragment.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpReassembly

Description

Dropped AddressFamily fragment. Interface = IfIndex. Reason = Release.

Message #

Dropped %2 fragment. Interface = %3. Reason = %1.

Fields #

Name	Description
`Release` UInt32	—
`AddressFamily` UInt32	—
`IfIndex` UInt32	—

Event ID 1507 — Reassembly timeout.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpReassembly

Description

Reassembly timeout. Interface = IfIndex. Id = ReassemblyId. Source Address = IPv4SourceAddress IPv6SourceAddress. Destination Address = IPv4DestinationAddress IPv6DestinationAddress.

Message #

Reassembly timeout. Interface = %1. Id = %2. Source Address = %3 %6.  Destination Address = %4 %7.

Fields #

Name	Description
`IfIndex` UInt32	—
`ReassemblyId` UInt32	—
`IPv4SourceAddress` UInt32	—
`IPv4DestinationAddress` UInt32	—
`IpAddrLength` UInt32	—
`IPv6SourceAddress` Binary	—
`IPv6DestinationAddress` Binary	—

Event ID 1508 — Invalid IP option.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpAncillaryData

Description

Invalid IP option. Option = SocketOption. Level = SocketLevel. Reason = Reason.

Message #

Invalid IP option. Option = %3. Level = %2. Reason = %1.

Fields #

Name	Description
`Reason` UInt32	—
`SocketLevel` UInt32	—
`SocketOption` UInt32	—

Event ID 1509 — Invalid IP hop-by-hop option.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpAncillaryData

Description

Invalid IP hop-by-hop option. Option = Option. Reason = Reason.

Message #

Invalid IP hop-by-hop option.  Option = %2. Reason = %1.

Fields #

Name	Description
`Reason` UInt32	—
`Option` UInt32	—

Event ID 1510 — Invalid IP hop-by-hop option.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpAncillaryData

Description

Invalid IP hop-by-hop option. Option = Option. Reason = Reason.

Message #

Invalid IP hop-by-hop option.  Option = %2. Reason = %1.

Fields #

Name	Description
`Reason` UInt32	—
`Option` UInt32	—

Event ID 1511 — Invalid IP routing header option.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpAncillaryData

Description

Invalid IP routing header option. Reason = Reason.

Message #

Invalid IP routing header option. Reason = %1.

Fields #

Name	Description
`Reason` UInt32	—

Event ID 1512 — Invalid IP routing header option.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpAncillaryData

Description

Invalid IP routing header option. Reason = Reason.

Message #

Invalid IP routing header option. Reason = %1.

Fields #

Name	Description
`Reason` UInt32	—

Event ID 1513 — This option cannot be specified by the user

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpAncillaryData

Description

This option cannot be specified by the user.

Message #

This option cannot be specified by the user

Fields #

Name	Description
`Reason` UInt32	—

Event ID 1514 — TCP: interface IfIndex: received potential RSC status indication.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpInterfaceRscStateChange

Description

TCP: interface IfIndex: received potential RSC status indication. Current IPv4 State = TcpRscEnabledIpv4, Offload IPv4 State = OffloadRscEnabledIpv4, Current IPv6 State = TcpRscEnabledIpv6, Offload IPv6 State = OffloadRscEnabledIpv6.

Message #

TCP: interface %1: received potential RSC status indication. Current IPv4 State = %2, Offload IPv4 State = %3, Current IPv6 State = %4, Offload IPv6 State = %5.

Fields #

Name	Description
`IfIndex` UInt32	—
`TcpRscEnabledIpv4` UInt32	—
`OffloadRscEnabledIpv4` UInt32	—
`TcpRscEnabledIpv6` UInt32	—
`OffloadRscEnabledIpv6` UInt32	—

Event ID 1515 — UDP: endpoint Endpoint: URO SCU received.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: UdpUroNblOobInfo

Description

UDP: endpoint Endpoint: URO SCU received. SegCount = SegCount, SegSize = SegSize, DataLength = DataLength.

Message #

UDP: endpoint %1: URO SCU received. SegCount = %2, SegSize = %3, DataLength = %4.

Fields #

Name	Description
`Endpoint` Pointer	—
`SegCount` UInt16	—
`SegSize` UInt16	—
`DataLength` UInt32	—

Event ID 1516 — TCP software RSC global disabled mask = TcpRscDisabledMask, UDP software URO global disabled mask = UdpUroDisabledMask.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: SoftwareReceiveOffloadGlobalState

Description

TCP software RSC global disabled mask = TcpRscDisabledMask, UDP software URO global disabled mask = UdpUroDisabledMask.

Message #

TCP software RSC global disabled mask = %1, UDP software URO global disabled mask = %2.

Fields #

Name	Description
`TcpRscDisabledMask` Int32	—
`UdpUroDisabledMask` Int32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1516",
    "version": "0",
    "level": "4",
    "task": "1486",
    "opcode": "0",
    "keywords": 9223372586610589824,
    "time_created": "2026-03-16T00:21:34.295804400+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}"
    },
    "execution": {
      "process_id": "9132",
      "thread_id": "4236"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "TcpRscDisabledMask": "0",
    "UdpUroDisabledMask": "48"
  },
  "message": ""
}

Event ID 1517 — UDP: Global parameters updated for Address Family AddressFamily: DisableUro = DisableUro.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: UdpGlobalParameters

Description

UDP: Global parameters updated for Address Family AddressFamily: DisableUro = DisableUro.

Message #

UDP: Global parameters updated for Address Family %1: DisableUro = %2.

Fields #

Name	Description
`AddressFamily` UInt32	—
`DisableUro` UInt8	—
`DisableUso` UInt8	—

Event ID 1518 — IP: IPSNPI client rundown.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: InterfaceRundown

Description

IP: IPSNPI client rundown. AddressFamily Interface = IfIndex, Compartment = CompartmentId, Client = ClientName.

Message #

IP: IPSNPI client rundown. %3 Interface = %1, Compartment = %2, Client = %4.

Fields #

Name	Description
`IfIndex` UInt32	—
`CompartmentId` UInt32	—
`AddressFamily` UInt32	—
`ClientName` UnicodeString	—

Event ID 1519 — TCPIP: Process with PID=ProcessId, ProcessSeqNum=ProcessSequenceNumber acquired port tracker reservation of type ReservationType, Protocol IPTransportProtocol for NumberOfPorts ports starting at St...

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpGlobalPortReservation

Description

TCPIP: Process with PID=ProcessId, ProcessSeqNum=ProcessSequenceNumber acquired port tracker reservation of type ReservationType, Protocol IPTransportProtocol for NumberOfPorts ports starting at StartPort with status = Status.

Message #

TCPIP: Process with PID=%1, ProcessSeqNum=%7 acquired port tracker reservation of type %3, Protocol %4 for %6 ports starting at %5 with status = %2.

Fields #

Name	Description
`ProcessId` UInt32	—
`Status` UInt32	— NTSTATUS reference
`ReservationType` UInt32	—
`IPTransportProtocol` UInt32	—
`StartPort` UInt16	—
`NumberOfPorts` UInt16	—
`ProcessSequenceNumber` UInt64	—

Event ID 1520 — Illegal tunnel.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipFramingTunnels

Description

Illegal tunnel. Interface: IfIndex, Tunnel type: TunnelType. Reason: Reason.

Message #

Illegal tunnel. Interface: %1, Tunnel type: %2. Reason: %3.

Fields #

Name	Description
`IfIndex` UInt32	—
`TunnelType` UInt32	—
`Reason` UInt32	—

Event ID 1521 — Framing: Interface change in progress.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipFramingInterfaceStatus

Description

Framing: Interface change in progress. Interface: IfIndex. Address Family: AddressFamily. Current progress: CurrentProgress. Status: NtStatus.

Message #

Framing: Interface change in progress. Interface: %1. Address Family: %2. Current progress: %3. Status: %4.

Fields #

Name	Description
`IfIndex` UInt32	—
`AddressFamily` UInt32	—
`CurrentProgress` UInt32	—
`NtStatus` UInt32	—

Event ID 1522 — Framing: Isolation is not supported on this network adapter.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipFramingIsolation

Description

Framing: Isolation is not supported on this network adapter. Interface: IfIndex. Address Family: AddressFamily. Reason: Reason.

Message #

Framing: Isolation is not supported on this network adapter. Interface: %1. Address Family: %2. Reason: %3.

Fields #

Name	Description
`IfIndex` UInt32	—
`AddressFamily` UInt32	—
`Reason` UInt32	—

Event ID 1523 — Framing: Failed to set pattern.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipFramingPatterns

Description

Framing: Failed to set pattern. Interface: IfIndex. Address Family: AddressFamily. Pattern type: FailureType. Status: NtStatus.

Message #

Framing: Failed to set pattern. Interface: %1. Address Family: %2. Pattern type: %3. Status: %4.

Fields #

Name	Description
`IfIndex` UInt32	—
`AddressFamily` UInt32	—
`FailureType` UInt32	—
`NtStatus` UInt32	—

Event ID 1524 — Framing: Interface management request.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpipFramingInterfaceMgmt

Description

Framing: Interface management request. Interface: IfIndex. Address Family: AddressFamily. Request code: FlicCode. Status: NtStatus.

Message #

Framing: Interface management request. Interface: %1. Address Family: %2. Request code: %3. Status: %4.

Fields #

Name	Description
`IfIndex` UInt32	—
`AddressFamily` UInt32	—
`FlicCode` UInt32	—
`NtStatus` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1524",
    "version": "0",
    "level": "4",
    "task": "1491",
    "opcode": "0",
    "keywords": 9223372586610589712,
    "time_created": "2026-03-15T23:27:10.979455500+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}"
    },
    "execution": {
      "process_id": "7392",
      "thread_id": "7388"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "IfIndex": "       4",
    "AddressFamily": "       2",
    "FlicCode": "0x7",
    "NtStatus": "0x0"
  },
  "message": ""
}

Event ID 1525 — Framing: WOL capabilities update in progress.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipFramingPatterns

Description

Framing: WOL capabilities update in progress. Interface: IfIndex. Address Family: AddressFamily. Current progress: CurrentProgress. Status: NtStatus.

Message #

Framing: WOL capabilities update in progress. Interface: %1. Address Family: %2. Current progress: %3. Status: %4.

Fields #

Name	Description
`IfIndex` UInt32	—
`AddressFamily` UInt32	—
`CurrentProgress` UInt32	—
`NtStatus` UInt32	—

Event ID 1526 — Framing: A PNP event has been indicated.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipFramingPnp

Description

Framing: A PNP event has been indicated. Interface: IfIndex. Address Family: AddressFamily. Compartment: Compartment. Event: Event. Data: Data.

Message #

Framing: A PNP event has been indicated. Interface: %1. Address Family: %2. Compartment: %3. Event: %4. Data: %5.

Fields #

Name	Description
`IfIndex` UInt32	—
`AddressFamily` UInt32	—
`Compartment` UInt32	—
`Event` UInt32	—
`Data` UInt32	—

Event ID 1527 — Framing: interface rundown: Interface = IfIndex, Luid = IfLuid, Address family = AddressFamily, Compartment = Compartment, Isolation mode = IsolationMode, Isolation ID = IsolalationId, DL address =...

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: InterfaceRundown

Message #

Framing: interface rundown: Interface = %1, Luid = %2, Address family = %3, Compartment = %4, Isolation mode = %5, Isolation ID = %6, DL address = %8, Interface type = %9, Physical medium type = %10, SW RSC/URO applicable = %11, SW RSC enabled = %12, Alias = %13.

Fields #

Name	Description
`IfIndex` UInt32	—
`IfLuid` UInt64	—
`AddressFamily` UInt32	—
`Compartment` UInt32	—
`IsolationMode` UInt32	—
`IsolalationId` UInt32	—
`DlAddrLength` UInt32	—
`DLAddress` Binary	—
`InterfaceType` UInt32	—
`PhysicalMediumType` UInt32	—
`SwRscUroApplicable` UInt32	—
`SwRscEnabled` UInt32	—
`IfAlias` UnicodeString	—
`SwUroEnabled` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1527",
    "version": "0",
    "level": "4",
    "task": "1202",
    "opcode": "0",
    "keywords": 9223372586610589712,
    "time_created": "2026-03-16T00:21:34.295249100+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}"
    },
    "execution": {
      "process_id": "9132",
      "thread_id": "4236"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "IfIndex": "       6",
    "IfLuid": "0x6008001000000",
    "AddressFamily": "       2",
    "Compartment": "       1",
    "IsolationMode": "       0",
    "IsolalationId": "       0",
    "DlAddrLength": "       6",
    "DLAddress": "0xBC24119A4DC2",
    "InterfaceType": "       6",
    "PhysicalMediumType": "       0",
    "SwRscUroApplicable": "       1",
    "SwRscEnabled": "       0",
    "IfAlias": "Ethernet"
  },
  "message": ""
}

Event ID 1528 — RAW: endpoint Endpoint (Proto = IPTransportProtocol, LocalAddress = LocalSockAddr, RemoteAddress = RemoteSockAddr) sending NumMessages messages and a total of NumBytes bytes.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: RawEndpoint

Description

RAW: endpoint Endpoint (Proto = IPTransportProtocol, LocalAddress = LocalSockAddr, RemoteAddress = RemoteSockAddr) sending NumMessages messages and a total of NumBytes bytes.

Message #

RAW: endpoint %1 (Proto = %2, LocalAddress = %6, RemoteAddress = %8) sending %3 messages and a total of %4 bytes.

Fields #

Name	Description
`Endpoint` Pointer	—
`IPTransportProtocol` UInt32	—
`NumMessages` UInt32	—
`NumBytes` UInt32	—
`LocalSockAddrLength` UInt32	—
`LocalSockAddr` Binary	—
`RemoteSockAddrLength` UInt32	—
`RemoteSockAddr` Binary	—

Event ID 1529 — RAW: endpoint Endpoint (Proto = IPTransportProtocol, LocalAddress = LocalSockAddr, RemoteAddress = RemoteSockAddr) delivering NumBytes bytes.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: RawEndpoint

Description

RAW: endpoint Endpoint (Proto = IPTransportProtocol, LocalAddress = LocalSockAddr, RemoteAddress = RemoteSockAddr) delivering NumBytes bytes.

Message #

RAW: endpoint %1 (Proto = %2, LocalAddress = %6, RemoteAddress = %8) delivering %4 bytes.

Fields #

Name	Description
`Endpoint` Pointer	—
`IPTransportProtocol` UInt32	—
`NumMessages` UInt32	—
`NumBytes` UInt32	—
`LocalSockAddrLength` UInt32	—
`LocalSockAddr` Binary	—
`RemoteSockAddrLength` UInt32	—
`RemoteSockAddr` Binary	—

Event ID 1530 — RAW: endpoint Endpoint (Proto = IPTransportProtocol, LocalAddress = EndpointAddress, RemoteAddress = SendAddress) send failed with reason = Reason status = Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: RawEndpoint

Description

RAW: endpoint Endpoint (Proto = IPTransportProtocol, LocalAddress = EndpointAddress, RemoteAddress = SendAddress) send failed with reason = Reason status = Status.

Message #

RAW: endpoint %1 (Proto = %2, LocalAddress = %4, RemoteAddress = %6) send failed with reason = %7 status = %8.

Fields #

Name	Description
`Endpoint` Pointer	—
`IPTransportProtocol` UInt32	—
`EndpointAddressLength` UInt32	—
`EndpointAddress` Binary	—
`SendAddressLength` UInt32	—
`SendAddress` Binary	—
`Reason` UInt32	—
`Status` UInt32	— NTSTATUS reference

Event ID 1531 — RAW: endpoint Endpoint (Family = AddressFamily, Proto = IPTransportProtocol, Compartment = Compartment, PID = ProcessId, ProcessSeqNum = ProcessSequenceNumber) created.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: RawEndpoint

Description

RAW: endpoint Endpoint (Family = AddressFamily, Proto = IPTransportProtocol, Compartment = Compartment, PID = ProcessId, ProcessSeqNum = ProcessSequenceNumber) created.

Message #

RAW: endpoint %1 (Family = %2, Proto = %3, Compartment = %4, PID = %5, ProcessSeqNum = %6) created.

Fields #

Name	Description
`Endpoint` Pointer	—
`AddressFamily` UInt32	—
`IPTransportProtocol` UInt32	—
`Compartment` UInt32	—
`ProcessId` UInt32	—
`ProcessSequenceNumber` UInt64	—
`Reason` UInt32	—
`Status` UInt32	— NTSTATUS reference

Event ID 1532 — RAW: endpoint (Family = AddressFamily, Proto = IPTransportProtocol, Compartment = Compartment, PID = ProcessId, ProcessSeqNum = ProcessSequenceNumber) create failed with reason Reason status Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: RawEndpoint

Description

RAW: endpoint (Family = AddressFamily, Proto = IPTransportProtocol, Compartment = Compartment, PID = ProcessId, ProcessSeqNum = ProcessSequenceNumber) create failed with reason Reason status Status.

Message #

RAW: endpoint (Family = %2, Proto = %3, Compartment = %4, PID = %5, ProcessSeqNum = %6) create failed with reason %7 status %8.

Fields #

Name	Description
`Endpoint` Pointer	—
`AddressFamily` UInt32	—
`IPTransportProtocol` UInt32	—
`Compartment` UInt32	—
`ProcessId` UInt32	—
`ProcessSequenceNumber` UInt64	—
`Reason` UInt32	—
`Status` UInt32	— NTSTATUS reference

Event ID 1533 — RAW: endpoint Endpoint (Proto = IPTransportProtocol, LocalAddress = LocalSockAddr) bound.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: RawEndpoint

Description

RAW: endpoint Endpoint (Proto = IPTransportProtocol, LocalAddress = LocalSockAddr) bound.

Message #

RAW: endpoint %1 (Proto = %2, LocalAddress = %4) bound.

Fields #

Name	Description
`Endpoint` Pointer	—
`IPTransportProtocol` UInt32	—
`LocalSockAddrLength` UInt32	—
`LocalSockAddr` Binary	—
`Reason` UInt32	—
`Status` UInt32	— NTSTATUS reference

Event ID 1534 — RAW: endpoint Endpoint (Proto = IPTransportProtocol, LocalAddress = LocalSockAddr) bind failed with reason Reason status Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: RawEndpoint

Description

RAW: endpoint Endpoint (Proto = IPTransportProtocol, LocalAddress = LocalSockAddr) bind failed with reason Reason status Status.

Message #

RAW: endpoint %1 (Proto = %2, LocalAddress = %4) bind failed with reason %5 status %6.

Fields #

Name	Description
`Endpoint` Pointer	—
`IPTransportProtocol` UInt32	—
`LocalSockAddrLength` UInt32	—
`LocalSockAddr` Binary	—
`Reason` UInt32	—
`Status` UInt32	— NTSTATUS reference

Event ID 1535 — RAW: endpoint Endpoint closed.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: RawEndpoint

Description

RAW: endpoint Endpoint closed.

Message #

RAW: endpoint %1 closed.

Fields #

Name	Description
`Endpoint` Pointer	—

Event ID 1536 — TCPIP: Error processing router advertisement on interface index IfIndex - Preferred lifetime of PreferredLifetime should not be greater than the valid lifetime of ValidLifetime.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IcmpRouterAdvertisement

Description

TCPIP: Error processing router advertisement on interface index IfIndex - Preferred lifetime of PreferredLifetime should not be greater than the valid lifetime of ValidLifetime.

Message #

TCPIP: Error processing router advertisement on interface index %1 - Preferred lifetime of %2 should not be greater than the valid lifetime of %3.

Fields #

Name	Description
`IfIndex` UInt32	—
`PreferredLifetime` UInt32	—
`ValidLifetime` UInt32	—

Event ID 1537 — TCPIP: Error processing router advertisement on interface index IfIndex - Prefix length of PrefixLength and identifier of IdentifierLength must add up to the size of an IPv6 ad...

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IcmpRouterAdvertisement

Description

TCPIP: Error processing router advertisement on interface index IfIndex - Prefix length of PrefixLength and identifier of IdentifierLength must add up to the size of an IPv6 address (128 bits).

Message #

TCPIP: Error processing router advertisement on interface index %1 - Prefix length of %2 and identifier of %3 must add up to the size of an IPv6 address (128 bits).

Fields #

Name	Description
`IfIndex` UInt32	—
`PrefixLength` UInt32	—
`IdentifierLength` UInt32	—

Event ID 1538 — TCPIP: An ARP request was dropped on interface IfIndex.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: ArpPacketDrops

Description

TCPIP: An ARP request was dropped on interface IfIndex. Physical address = DlSourceAddress, IP source address = IpSourceAddress, IP target address = IpTargetAddress, Reason = DropReason.

Message #

TCPIP: An ARP request was dropped on interface %1. Physical address = %3, IP source address = %4, IP target address = %5, Reason = %6.

Fields #

Name	Description
`IfIndex` UInt32	—
`DlAddrLength` UInt32	—
`DlSourceAddress` Binary	—
`IpSourceAddress` UInt32	—
`IpTargetAddress` UInt32	—
`DropReason` UInt32	—

Event ID 1539 — TCPIP: An ARP reply was dropped on interface IfIndex.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: ArpPacketDrops

Description

TCPIP: An ARP reply was dropped on interface IfIndex. Physical address = DlSourceAddress, IP source address = IpSourceAddress, Directed to this interface = Directed, Reason = DropReason.

Message #

TCPIP: An ARP reply was dropped on interface %1. Physical address = %3, IP source address = %4, Directed to this interface = %5, Reason = %6.

Fields #

Name	Description
`IfIndex` UInt32	—
`DlAddrLength` UInt32	—
`DlSourceAddress` Binary	—
`IpSourceAddress` UInt32	—
`Directed` UInt32	—
`DropReason` UInt32	—

Event ID 1540 — TCPIP: No handler found for an AddressFamily packet with upper layer protocol IPTransportProtocol.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: UpperLayerProtocolFailure

Description

TCPIP: No handler found for an AddressFamily packet with upper layer protocol IPTransportProtocol.

Message #

TCPIP: No handler found for an %1 packet with upper layer protocol %2

Fields #

Name	Description
`AddressFamily` UInt32	—
`IPTransportProtocol` UInt32	—

Event ID 1541 — TCPIP: Handler for upper layer protocol IPTransportProtocol for an AddressFamily packet returned with error Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Verbose
Task: UpperLayerProtocolFailure

Description

TCPIP: Handler for upper layer protocol IPTransportProtocol for an AddressFamily packet returned with error Status.

Message #

TCPIP: Handler for upper layer protocol %2 for an %1 packet returned with error %3

Fields #

Name	Description
`AddressFamily` UInt32	—
`IPTransportProtocol` UInt32	—
`Status` UInt32	— NTSTATUS reference

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1541",
    "version": "0",
    "level": "5",
    "task": "1496",
    "opcode": "0",
    "keywords": 9223372045444710400,
    "time_created": "2026-03-15T23:27:12.462571400+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "AddressFamily": "       2",
    "IPTransportProtocol": "       6",
    "Status": "0x40000026"
  },
  "message": ""
}

Event ID 1542 — IP: neighbor rundown: Interface = IfIndex, Compartment = CompartmentId, IpAddress = IPAddress, DlAddress = DLAddress, State = Neighbor State, LastReachable = LastReachableInMs ms, IsUnreachable = I...

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: NeighborRundown

Description

IP: neighbor rundown: Interface = IfIndex, Compartment = CompartmentId, IpAddress = IPAddress, DlAddress = DLAddress, State = Neighbor State, LastReachable = LastReachableInMs ms, IsUnreachable = IsUnreachable, Flags = Flags.

Message #

IP: neighbor rundown: Interface = %1, Compartment = %2, IpAddress = %4, DlAddress = %6, State = %7, LastReachable = %8 ms, IsUnreachable = %9, Flags = %10.

Fields #

Name	Description
`IfIndex` UInt32	—
`CompartmentId` UInt32	—
`IpAddrLength` UInt32	—
`IPAddress` Binary	—
`DlAddrLength` UInt32	—
`DLAddress` Binary	—
`Neighbor State`	—
`LastReachableInMs` UInt32	—
`IsUnreachable` UInt32	—
`Flags` UInt32	—
`NeighborState` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1542",
    "version": "0",
    "level": "4",
    "task": "1497",
    "opcode": "0",
    "keywords": 9223372586610589728,
    "time_created": "2026-03-16T00:21:34.295470700+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}"
    },
    "execution": {
      "process_id": "9132",
      "thread_id": "4236"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "IfIndex": "       1",
    "CompartmentId": "       1",
    "IpAddrLength": "      16",
    "IPAddress": "224.0.0.22",
    "DlAddrLength": "       0",
    "DLAddress": "",
    "Neighbor State": "       6",
    "LastReachableInMs": "57839000",
    "IsUnreachable": "       0",
    "Flags": "0xAC"
  },
  "message": ""
}

Event ID 1543 — TCPIP: An ARP request was dropped on interface IfIndex.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: ArpPacketDrops
Opcode: Info

Description

TCPIP: An ARP request was dropped on interface IfIndex. Physical address = DlSourceAddress, IP source address = IpSourceAddress, IP target address = IpTargetAddress, Reason = DropReason.

Message #

TCPIP: An ARP request was dropped on interface %1. Physical address = %3, IP source address = %4, IP target address = %5, Reason = %6.

Fields #

Name	Description
`IfIndex` UInt32	—
`DlAddrLength` UInt32	—
`DlSourceAddress` Binary	—
`IpSourceAddress` UInt32	—
`IpTargetAddress` UInt32	—
`DropReason` UInt32	—

Event ID 1544 — Endpoint Endpoint socket option set with level Level, name Name, value Value.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpipSetSockOpt

Description

Endpoint Endpoint socket option set with level Level, name Name, value Value.

Message #

Endpoint %1 socket option set with level %2, name %3, value %5.

Fields #

Name	Description
`Endpoint` Pointer	—
`Level` UInt32	—
`Name` UInt32	—
`Length` UInt32	—
`Value` Binary	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1544",
    "version": "0",
    "level": "4",
    "task": "1498",
    "opcode": "0",
    "keywords": 9223372036854775936,
    "time_created": "2026-03-16T00:21:40.064415100+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{15f74b50-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "3688",
      "thread_id": "7552"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Endpoint": "0xFFFF980A15F74B50",
    "Level": "      41",
    "Name": "      27",
    "Length": "       4",
    "Value": "0x00000000"
  },
  "message": ""
}

Event ID 1545 — TCP: connection = Tcb RACK timeout expired.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpRackTimeout

Description

TCP: connection = Tcb RACK timeout expired. SndUna = SndUna, SndMax = SndMax, SackedBytes = SackedBytes, LossDetected = LossDetected, InRecovery = InRecovery.

Message #

TCP: connection = %1 RACK timeout expired. SndUna = %2, SndMax = %3, SackedBytes = %4, LossDetected = %5, InRecovery = %6.

Fields #

Name	Description
`Tcb` Pointer	—
`SndUna` UInt32	—
`SndMax` UInt32	—
`SackedBytes` UInt32	—
`LossDetected` UInt32	—
`InRecovery` UInt32	—

Event ID 1546 — TCP: connection = Tcb armed RACK timer.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpArmRackTimer

Description

TCP: connection = Tcb armed RACK timer. SndUna = SndUna, SndMax = SndMax, SackedBytes = SackedBytes, LossDetected = LossDetected, InRecovery = InRecovery, DeltaTicks = DeltaTicks.

Message #

TCP: connection = %1 armed RACK timer. SndUna = %2, SndMax = %3, SackedBytes = %4, LossDetected = %5, InRecovery = %6, DeltaTicks = %7.

Fields #

Name	Description
`Tcb` Pointer	—
`SndUna` UInt32	—
`SndMax` UInt32	—
`SackedBytes` UInt32	—
`LossDetected` UInt32	—
`InRecovery` UInt32	—
`DeltaTicks` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1546",
    "version": "0",
    "level": "4",
    "task": "1501",
    "opcode": "0",
    "keywords": 9223372041149743104,
    "time_created": "2026-03-16T00:21:40.488186800+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{15ce6ae0-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A15CE6AE0",
    "SndUna": "155002622",
    "SndMax": "155007102",
    "SackedBytes": "    1440",
    "LossDetected": "       0",
    "InRecovery": "       0",
    "DeltaTicks": "      18"
  },
  "message": ""
}

Event ID 1547 — TCP: connection = Tcb received a SACK block.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Verbose
Task: TcpReceiveSackBlock

Description

TCP: connection = Tcb received a SACK block. SndUna = SndUna, SndMax = SndMax, Ack = Ack, SLE = SLE, SRE = SRE.

Message #

TCP: connection = %1 received a SACK block. SndUna = %2, SndMax = %3, Ack = %4, SLE = %5, SRE = %6.

Fields #

Name	Description
`Tcb` Pointer	—
`SndUna` UInt32	—
`SndMax` UInt32	—
`Ack` UInt32	—
`SLE` UInt32	—
`SRE` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1547",
    "version": "0",
    "level": "5",
    "task": "1502",
    "opcode": "0",
    "keywords": 9223372041149743104,
    "time_created": "2026-03-16T00:21:40.488113200+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{15ce6ae0-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A15CE6AE0",
    "SndUna": "155002622",
    "SndMax": "155007102",
    "Ack": "155002622",
    "SLE": "155004100",
    "SRE": "155005540"
  },
  "message": ""
}

Event ID 1548 — TCP: connection = Tcb received a SACK.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpReceiveSack

Description

TCP: connection = received a SACK. SndUna = , SndMax = , Ack = , SackedBytes = , LossDetected = , InRecovery = , NumSackBlocks = , DSackCount = , NewSackInfo = , RecoveryMax = .

Message #

TCP: connection = %1 received a SACK. SndUna = %2, SndMax = %3, Ack = %4, SackedBytes = %5, LossDetected = %6, InRecovery = %7, NumSackBlocks = %8, DSackCount = %9, NewSackInfo = %10, RecoveryMax = %11.

Fields #

Name	Description
`Tcb` Pointer	—
`SndUna` UInt32	—
`SndMax` UInt32	—
`Ack` UInt32	—
`SackedBytes` UInt32	—
`LossDetected` UInt32	—
`InRecovery` UInt32	—
`NumSackBlocks` UInt32	—
`DSackCount` UInt32	—
`NewSackInfo` UInt32	—
`RecoveryMax` UInt32	—
`NewSackedBytes` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1548",
    "version": "0",
    "level": "4",
    "task": "1503",
    "opcode": "0",
    "keywords": 9223372041149743104,
    "time_created": "2026-03-15T23:27:12.440654000+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{fd182260-d78f-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFFD78FFD182260",
    "SndUna": "4068749001",
    "SndMax": "4068767248",
    "Ack": "4068749001",
    "SackedBytes": "    1460",
    "LossDetected": "       1",
    "InRecovery": "       0",
    "NumSackBlocks": "       1",
    "DSackCount": "       0",
    "NewSackInfo": "       1",
    "RecoveryMax": "4068565828"
  },
  "message": ""
}

Event ID 1549 — TCP: connection = Tcb enabled send tracker.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Informational
Task: TcpSendTrackerEnabled

Description

TCP: connection = Tcb enabled send tracker.

Message #

TCP: connection = %1 enabled send tracker.

Fields #

Name	Description
`Tcb` Pointer	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1549",
    "version": "0",
    "level": "4",
    "task": "1504",
    "opcode": "0",
    "keywords": 9223372041149743104,
    "time_created": "2026-03-16T00:21:40.119290700+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{15ce6ae0-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "3688",
      "thread_id": "12888"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A15CE6AE0"
  },
  "message": ""
}

Event ID 1550 — TCP: connection = Tcb send tracker acked a transmit.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Verbose
Task: TcpSendTrackerAck

Description

TCP: connection = Tcb send tracker acked a transmit. AckNo = AckNo, Start = Start, End = End, Timestamp = Timestamps, EverTransmitted = EverRetransmitted, SackedBytes = SackedBytes, BytesInFlight = BytesInFlight.

Message #

TCP: connection = %1 send tracker acked a transmit. AckNo = %2, Start = %3, End = %4, Timestamp = %5, EverTransmitted = %6, SackedBytes = %7, BytesInFlight = %8.

Fields #

Name	Description
`Tcb` Pointer	—
`AckNo` UInt32	—
`Start` UInt32	—
`End` UInt32	—
`Timestamps` UInt32	—
`EverRetransmitted` UInt32	—
`SackedBytes` UInt32	—
`BytesInFlight` UInt32	—
`State` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1550",
    "version": "0",
    "level": "5",
    "task": "1505",
    "opcode": "0",
    "keywords": 9223372041149743104,
    "time_created": "2026-03-15T23:26:13.268229900+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{ff7afb40-d78f-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "4200",
      "thread_id": "7084"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFFD78FFF7AF7E0",
    "AckNo": "644687492",
    "Start": "644684595",
    "End": "644687492",
    "Timestamps": "2483305555",
    "EverRetransmitted": "       0",
    "SackedBytes": "       0",
    "BytesInFlight": "       0"
  },
  "message": ""
}

Event ID 1551 — TCP: connection = Tcb send tracker enqueued a transmit.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Verbose
Task: TcpSendTrackerSend

Description

TCP: connection = Tcb send tracker enqueued a transmit. Start = Start, End = End, Timestamp = Timestamps, SackedBytes = SackedBytes, BytesInFlight = BytesInFlight.

Message #

TCP: connection = %1 send tracker enqueued a transmit. Start = %2, End = %3, Timestamp = %4, SackedBytes = %5, BytesInFlight = %6.

Fields #

Name	Description
`Tcb` Pointer	—
`Start` UInt32	—
`End` UInt32	—
`Timestamps` UInt32	—
`SackedBytes` UInt32	—
`BytesInFlight` UInt32	—
`NoNewTransmitCreated` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1551",
    "version": "0",
    "level": "5",
    "task": "1506",
    "opcode": "0",
    "keywords": 9223372041149743104,
    "time_created": "2026-03-15T23:26:13.267679100+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{ff7afb40-d78f-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "4200",
      "thread_id": "7948"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFFD78FFF7AF7E0",
    "Start": "644684595",
    "End": "644687492",
    "Timestamps": "2483305555",
    "SackedBytes": "       0",
    "BytesInFlight": "    2897"
  },
  "message": ""
}

Event ID 1552 — TCP: connection = Tcb send tracker marked a transmit as lost.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Verbose
Task: TcpSendTrackerDetectLoss

Description

TCP: connection = Tcb send tracker marked a transmit as lost. Start = Start, End = End, Timestamp = Timestamps, EverTransmitted = EverRetransmitted, InFlightCount = InFlightCount, SackedBytes = SackedBytes, BytesInFlight = BytesInFlight.

Message #

TCP: connection = %1 send tracker marked a transmit as lost. Start = %2, End = %3, Timestamp = %4, EverTransmitted = %5, InFlightCount = %6, SackedBytes = %7, BytesInFlight = %8.

Fields #

Name	Description
`Tcb` Pointer	—
`Start` UInt32	—
`End` UInt32	—
`Timestamps` UInt32	—
`EverRetransmitted` UInt32	—
`InFlightCount` UInt32	—
`SackedBytes` UInt32	—
`BytesInFlight` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1552",
    "version": "0",
    "level": "5",
    "task": "1507",
    "opcode": "0",
    "keywords": 9223372041149743104,
    "time_created": "2026-03-16T00:21:40.490313500+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{15ce6eb8-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Tcb": "0xFFFF980A15CE6AE0",
    "Start": "155004062",
    "End": "155004100",
    "Timestamps": "1924745937",
    "EverRetransmitted": "       0",
    "InFlightCount": "       0",
    "SackedBytes": "    3002",
    "BytesInFlight": "    2804"
  },
  "message": ""
}

Event ID 1553 — TCP: accept redirection: original listener = OriginalListener, redirected listener = RedirectedListener, succeeded = Succeeded, redirected = Redirected, codepath = CodePath, local address = SockAdd...

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Level: Verbose
Task: TcpAcceptRedirect

Description

TCP: accept redirection: original listener = OriginalListener, redirected listener = RedirectedListener, succeeded = Succeeded, redirected = Redirected, codepath = CodePath, local address = SockAddrLength, remote address = LocalSockAddr, redirected address = RemoteSockAddr.

Message #

TCP: accept redirection: original listener = %1, redirected listener = %2, succeeded = %3, redirected = %4, codepath = %5, local address = %6, remote address = %7, redirected address = %8

Fields #

Name	Description
`OriginalListener` Pointer	—
`RedirectedListener` Pointer	—
`Succeeded` UInt32	—
`Redirected` UInt32	—
`CodePath` UInt32	—
`SockAddrLength` UInt32	—
`LocalSockAddr` Binary	—
`RemoteSockAddr` Binary	—
`RedirectSockAddr` Binary	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TCPIP",
    "guid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "event_source_name": "",
    "event_id": "1553",
    "version": "0",
    "level": "5",
    "task": "1508",
    "opcode": "0",
    "keywords": 9223372045444710528,
    "time_created": "2026-03-16T00:21:38.718862500+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{0ef4b580-980a-ffff-0000-000000000000}"
    },
    "execution": {
      "process_id": "0",
      "thread_id": "0"
    },
    "channel": "Microsoft-Windows-TCPIP/Diagnostic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "OriginalListener": "0xFFFF980A0EF4B580",
    "RedirectedListener": "0x0",
    "Succeeded": "       1",
    "Redirected": "       0",
    "CodePath": "       2",
    "SockAddrLength": "      16",
    "LocalSockAddr": "10.2.10.21:5985",
    "RemoteSockAddr": "10.2.10.11:51201",
    "RedirectSockAddr": "0x00000000000000000000000000000000"
  },
  "message": ""
}

Event ID 1554 — TCP: connection = Tcb dropped a SACK block due to SACK limit reached.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpSendTrackerSackLimitReached

Description

TCP: connection = Tcb dropped a SACK block due to SACK limit reached. SndUna = SndUna, SndMax = SndMax, Ack = Ack, SLE = SLE, SRE = SRE, NumSackedTransmits = NumSackTransmits, limit = Limit.

Message #

TCP: connection = %1 dropped a SACK block due to SACK limit reached. SndUna = %2, SndMax = %3, Ack = %4, SLE = %5, SRE = %6, NumSackedTransmits = %7, limit = %8.

Fields #

Name	Description
`Tcb` Pointer	—
`SndUna` UInt32	—
`SndMax` UInt32	—
`Ack` UInt32	—
`SLE` UInt32	—
`SRE` UInt32	—
`NumSackTransmits` UInt32	—
`Limit` UInt32	—

Event ID 1555 — TCP: connection Tcb terminated by NSI.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpConnectionTerminatedByNsi

Description

TCP: connection Tcb terminated by NSI. State = State, PID = Pid, ProcessSeqNum = ProcessStartKey, Shutdown = Shutdown.

Message #

TCP: connection %1 terminated by NSI. State = %2, PID = %3, ProcessSeqNum = %4, Shutdown = %5.

Fields #

Name	Description
`Tcb` Pointer	—
`State` UInt32	—
`Pid` UInt32	—
`ProcessStartKey` UInt64	—
`Shutdown` UInt32	—

Event ID 1556 — TCP: connection = Tcb rate-based pacing timeout expired.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpRateBasedPacingTimeout

Description

TCP: connection = Tcb rate-based pacing timeout expired. SndUna = SndUna, SndMax = SndMax, PacingAllowance = PacingAllowance B, PacingRate = PacingRate B/ms.

Message #

TCP: connection = %1 rate-based pacing timeout expired. SndUna = %2, SndMax = %3, PacingAllowance = %4 B, PacingRate = %5 B/ms.

Fields #

Name	Description
`Tcb` Pointer	—
`SndUna` UInt32	—
`SndMax` UInt32	—
`PacingAllowance` UInt32	—
`PacingRate` UInt32	—

Event ID 1557 — TCP RLedbat connection = Tcb.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpRLedbatState

Description

TCP RLedbat connection = . Type = , SSThresh = , Wnd = , WndWs = , DrainedBytes = , ReceiveHigh = , TsHigh = , LastRollOverTimeMs = , EndReductionTimeMs = , MinDelaySampleMs = , MinBaseDelayMs =.

Message #

TCP RLedbat connection = %1. Type = %2, SSThresh = %3, Wnd = %4, WndWs = %5, DrainedBytes = %6, ReceiveHigh = %7, TsHigh = %8, LastRollOverTimeMs = %9, EndReductionTimeMs = %10, MinDelaySampleMs = %11, MinBaseDelayMs = %12

Fields #

Name	Description
`Tcb` Pointer	—
`EventType` UInt32	—
`SsThresh` UInt32	—
`Wnd` UInt32	—
`WndWs` UInt32	—
`DrainedBytes` UInt32	—
`ReceiveHigh` UInt32	—
`TsHigh` UInt32	—
`LastRollOverTimeMs` UInt32	—
`EndReductionTimeMs` UInt32	—
`MinDelaySampleMs` UInt32	—
`MinBaseDelayMs` UInt32	—

Event ID 1558 — UDP: endpoint Endpoint rebind initiated: current address = CurrentLocalAddress, modified address = ModifiedLocalAddress.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic

Description

UDP: endpoint Endpoint rebind initiated: current address = CurrentLocalAddress, modified address = ModifiedLocalAddress.

Message #

UDP: endpoint %5 rebind initiated: current address = %2, modified address = %4

Fields #

Name	Description
`CurrentLocalAddressLength` UInt32	—
`CurrentLocalAddress` Binary	—
`ModifiedLocalAddressLength` UInt32	—
`ModifiedLocalAddress` Binary	—
`Endpoint` Pointer	—
`Status` UInt32	— NTSTATUS reference
`EndpointRestored` Boolean	—

Event ID 1559 — UDP: endpoint Endpoint rebind failed: current address = CurrentLocalAddress, modified address = ModifiedLocalAddress, port-switch status = Status, endpoint-restored = EndpointRestored.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic

Description

UDP: endpoint Endpoint rebind failed: current address = CurrentLocalAddress, modified address = ModifiedLocalAddress, port-switch status = Status, endpoint-restored = EndpointRestored.

Message #

UDP: endpoint %5 rebind failed: current address = %2, modified address = %4, port-switch status = %6, endpoint-restored = %7

Fields #

Name	Description
`CurrentLocalAddressLength` UInt32	—
`CurrentLocalAddress` Binary	—
`ModifiedLocalAddressLength` UInt32	—
`ModifiedLocalAddress` Binary	—
`Endpoint` Pointer	—
`Status` UInt32	— NTSTATUS reference
`EndpointRestored` Boolean	—

Event ID 1560 — TCP: endpoint Endpoint rebind initiated: current address = CurrentLocalAddress, modified address = ModifiedLocalAddress.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic

Description

TCP: endpoint Endpoint rebind initiated: current address = CurrentLocalAddress, modified address = ModifiedLocalAddress.

Message #

TCP: endpoint %5 rebind initiated: current address = %2, modified address = %4

Fields #

Name	Description
`CurrentLocalAddressLength` UInt32	—
`CurrentLocalAddress` Binary	—
`ModifiedLocalAddressLength` UInt32	—
`ModifiedLocalAddress` Binary	—
`Endpoint` Pointer	—
`Status` UInt32	— NTSTATUS reference
`EndpointRestored` Boolean	—

Event ID 1561 — TCP: endpoint Endpoint rebind failed: current address = CurrentLocalAddress, modified address = ModifiedLocalAddress, port-switch status = Status, endpoint-restored = EndpointRestored.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic

Description

TCP: endpoint Endpoint rebind failed: current address = CurrentLocalAddress, modified address = ModifiedLocalAddress, port-switch status = Status, endpoint-restored = EndpointRestored.

Message #

TCP: endpoint %5 rebind failed: current address = %2, modified address = %4, port-switch status = %6, endpoint-restored = %7

Fields #

Name	Description
`CurrentLocalAddressLength` UInt32	—
`CurrentLocalAddress` Binary	—
`ModifiedLocalAddressLength` UInt32	—
`ModifiedLocalAddress` Binary	—
`Endpoint` Pointer	—
`Status` UInt32	— NTSTATUS reference
`EndpointRestored` Boolean	—

Event ID 1562 — TCP: endpoint (PID=ProcessId ProcessSeqNum=ProcessStartKey) create failed: access denied.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpCreateEndpointAccessFailure

Description

TCP: endpoint (PID=ProcessId ProcessSeqNum=ProcessStartKey) create failed: access denied.

Message #

TCP: endpoint (PID=%4 ProcessSeqNum=%7) create failed: access denied.

Fields #

Name	Description
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`Status` UInt32	— NTSTATUS reference
`ProcessId` UInt32	—
`CompartmentId` UInt32	—
`AddressFamily` UInt32	—
`ProcessStartKey` UInt64	—

Event ID 1563 — UDP: endpoint (PID=ProcessId ProcessSeqNum=ProcessStartKey) create failed: access denied.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: UdpCreateEndpointAccessFailure

Description

UDP: endpoint (PID=ProcessId ProcessSeqNum=ProcessStartKey) create failed: access denied.

Message #

UDP: endpoint (PID=%3 ProcessSeqNum=%6) create failed: access denied.

Fields #

Name	Description
`Endpoint` Pointer	—
`Status` UInt32	— NTSTATUS reference
`ProcessId` UInt32	—
`CompartmentId` UInt32	—
`AddressFamily` UInt32	—
`ProcessStartKey` UInt64	—

Event ID 1564 — TCP: connection Tcb (local=LocalAddress remote=RemoteAddress PID=ProcessId ProcessSeqNum=ProcessStartKey) connect failed: access denied.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpConnectTcbFailedAccess

Description

TCP: connection Tcb (local=LocalAddress remote=RemoteAddress PID=ProcessId ProcessSeqNum=ProcessStartKey) connect failed: access denied.

Message #

TCP: connection %8 (local=%2 remote=%4 PID=%6 ProcessSeqNum=%9) connect failed: access denied.

Fields #

Name	Description
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`Status` UInt32	— NTSTATUS reference
`ProcessId` UInt32	—
`Compartment` UInt32	—
`Tcb` Pointer	—
`ProcessStartKey` UInt64	—

Event ID 1565 — TCP: Congestion state changed for connection = Tcb from OldState = OldState to NewState = NewState.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpCongestionStateChange

Description

TCP: Congestion state changed for connection = Tcb from OldState = OldState to NewState = NewState.

Message #

TCP: Congestion state changed for connection = %1 from OldState = %2 to NewState = %3.

Fields #

Name	Description
`Tcb` Pointer	—
`OldState` UInt32	—
`NewState` UInt32	—

Event ID 1566 — TCP: connection = Tcb detected reordering.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpSendTrackerSackReorderingDetected

Description

TCP: connection = Tcb detected reordering. MaxReorderingBytes = MaxReorderingBytes, Fack = Fack, EndSeq = EndSeq.

Message #

TCP: connection = %1 detected reordering. MaxReorderingBytes = %2, Fack = %3, EndSeq = %4.

Fields #

Name	Description
`Tcb` Pointer	—
`MaxReorderingBytes` UInt32	—
`Fack` UInt32	—
`EndSeq` UInt32	—

Event ID 1577 — TCP: connection = Tcb updated reownd.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpSendTrackerUpdateReoWnd

Description

TCP: connection = updated reownd. Multiplier = , Persist = , Reownd = , ReorderingSeen = , DSackSeenOnLatestAck = , InLossRecovery = , DupAckCountReached = , DSackRound = , DSackRoundValid = .

Message #

TCP: connection = %1 updated reownd. Multiplier = %2, Persist = %3, Reownd = %4, ReorderingSeen = %5, DSackSeenOnLatestAck = %6, InLossRecovery = %7, DupAckCountReached = %8, DSackRound = %9, DSackRoundValid = %10.

Fields #

Name	Description
`Tcb` Pointer	—
`Multiplier` UInt32	—
`Persist` UInt32	—
`Reownd` UInt32	—
`ReorderingSeen` UInt32	—
`DSackSeenOnLatestAck` UInt32	—
`InLossRecovery` UInt32	—
`DupAckCountReached` UInt32	—
`DSackRound` UInt32	—
`DSackRoundValid` UInt32	—

Event ID 1578 — IP: Injecting NBL Nbl on send path.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpInjectNbl

Description

IP: Injecting NBL Nbl on send path. Family = AddressFamily, Compartment = CompartmentId, Protocol = IPTransportProtocol.

Message #

IP: Injecting NBL %1 on send path. Family = %2, Compartment = %3, Protocol = %5

Fields #

Name	Description
`Nbl` Pointer	—
`AddressFamily` UInt32	—
`CompartmentId` UInt32	—
`Interface` UInt32	—
`IPTransportProtocol` UInt32	—

Event ID 1579 — IP: Injecting NBL Nbl on raw send path.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpInjectNbl

Description

IP: Injecting NBL Nbl on raw send path. Family = AddressFamily, Compartment = CompartmentId.

Message #

IP: Injecting NBL %1 on raw send path. Family = %2, Compartment = %3

Fields #

Name	Description
`Nbl` Pointer	—
`AddressFamily` UInt32	—
`CompartmentId` UInt32	—
`Interface` UInt32	—
`IPTransportProtocol` UInt32	—

Event ID 1580 — IP: Injecting NBL Nbl on receive path.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpInjectNbl

Description

IP: Injecting NBL Nbl on receive path. Family = AddressFamily, Compartment = CompartmentId, Interface = Interface.

Message #

IP: Injecting NBL %1 on receive path. Family = %2, Compartment = %3, Interface = %4

Fields #

Name	Description
`Nbl` Pointer	—
`AddressFamily` UInt32	—
`CompartmentId` UInt32	—
`Interface` UInt32	—
`IPTransportProtocol` UInt32	—

Event ID 1581 — IP: Injecting NBL Nbl on forward path.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpInjectNbl

Description

IP: Injecting NBL Nbl on forward path. Family = AddressFamily, Compartment = CompartmentId, Interface = Interface.

Message #

IP: Injecting NBL %1 on forward path. Family = %2, Compartment = %3, Interface = %4

Fields #

Name	Description
`Nbl` Pointer	—
`AddressFamily` UInt32	—
`CompartmentId` UInt32	—
`Interface` UInt32	—
`IPTransportProtocol` UInt32	—

Event ID 1582 — IP: Indication filtered because destination interface IfIndex is not contained in IF list.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipIndicationFilteredForIflist

Description

IP: Indication filtered because destination interface IfIndex is not contained in IF list.

Message #

IP: Indication filtered because destination interface %1 is not contained in IF list

Fields #

Name	Description
`IfIndex` UInt32	—

Event ID 1583 — BBR2: TCB Tcb bbr_bw bbr_bw min_rtt_us min_rtt_us mode mode cycle_idx cycle_idx CWnd CWnd PacingRate PacingRate BytesSent BytesSent SRtt SRtt.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpBbr2

Description

BBR2: TCB Tcb bbr_bw bbr_bw min_rtt_us min_rtt_us mode mode cycle_idx cycle_idx CWnd CWnd PacingRate PacingRate BytesSent BytesSent SRtt SRtt.

Message #

BBR2: TCB %1 bbr_bw %2 min_rtt_us %3 mode %4 cycle_idx %5 CWnd %6 PacingRate %7 BytesSent %8 SRtt %9

Fields #

Name	Description
`Tcb` Pointer	—
`bbr_bw` UInt32	—
`min_rtt_us` UInt32	—
`mode` UInt32	—
`cycle_idx` UInt32	—
`CWnd` UInt32	—
`PacingRate` UInt32	—
`BytesSent` UInt32	—
`SRtt` UInt32	—

Event ID 1584 — TCP: connection = Tcb send tracker marked a transmit as rexmit.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpSendTrackerMarkRexmit

Description

TCP: connection = Tcb send tracker marked a transmit as rexmit. Start = Start, End = End, Timestamp = Timestamps, InFlightCount = InFlightCount, SackedBytes = SackedBytes, BytesInFlight = BytesInFlight.

Message #

TCP: connection = %1 send tracker marked a transmit as rexmit. Start = %2, End = %3, Timestamp = %4, InFlightCount = %5, SackedBytes = %6, BytesInFlight = %7.

Fields #

Name	Description
`Tcb` Pointer	—
`Start` UInt32	—
`End` UInt32	—
`Timestamps` UInt32	—
`InFlightCount` UInt32	—
`SackedBytes` UInt32	—
`BytesInFlight` UInt32	—

Event ID 1585 — TCP: connection = Tcb send tracker update RACK info.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpSendTrackerRackUpdate

Description

TCP: connection = Tcb send tracker update RACK info. RackXmitTimeStampValid = RackXmitTimeStampValid, RackXmitTimeStampInUs = RackXmitTimeStampInUs, RackEndSeq = RackEndSeq, RackRttInUs = RackRttInUs, NowInUs = NowInUs, TimeStampInUs = TimeStampInUs.

Message #

TCP: connection = %1 send tracker update RACK info. RackXmitTimeStampValid = %2, RackXmitTimeStampInUs = %3, RackEndSeq = %4, RackRttInUs = %5, NowInUs = %6, TimeStampInUs = %7.

Fields #

Name	Description
`Tcb` Pointer	—
`RackXmitTimeStampValid` UInt32	—
`RackXmitTimeStampInUs` UInt32	—
`RackEndSeq` UInt32	—
`RackRttInUs` UInt32	—
`NowInUs` UInt32	—
`TimeStampInUs` UInt32	—

Event ID 1586 — IP: Prefix sharing now PrefixSharing on Interface = Interface, Compartment = CompartmentId, Family = AddressFamily.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpInterfaceChange

Description

IP: Prefix sharing now PrefixSharing on Interface = Interface, Compartment = CompartmentId, Family = AddressFamily. Updating shared prefixes and resetting autoconfigured state, such as addresses and routes.

Message #

IP: Prefix sharing now %4 on Interface = %3, Compartment = %2, Family = %1. Updating shared prefixes and resetting autoconfigured state, such as addresses and routes.

Fields #

Name	Description
`AddressFamily` UInt32	—
`CompartmentId` UInt32	—
`Interface` UInt32	—
`PrefixSharing` UInt32	—

Event ID 1587 — TCP: connection Tcb received a careful ACK.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpCarefulAck

Description

TCP: connection Tcb received a careful ACK. ThAck = ThAck, SndUna = SndUna, SndMax = SndMax, RecoveryMax = RecoveryMax, SndWnd = SndWnd, SndWndChanged = SndWndChanged, SackUpdated = SackUpdated, State = TcpState, CongestionState = CongestionState, F-RTO = Frto.

Message #

TCP: connection %1 received a careful ACK. ThAck = %2, SndUna = %3, SndMax = %4, RecoveryMax = %5, SndWnd = %6, SndWndChanged = %7, SackUpdated = %8, State = %9, CongestionState = %10, F-RTO = %11.

Fields #

Name	Description
`Tcb` Pointer	—
`ThAck` UInt32	—
`SndUna` UInt32	—
`SndMax` UInt32	—
`RecoveryMax` UInt32	—
`SndWnd` UInt32	—
`SndWndChanged` UInt32	—
`SackUpdated` UInt32	—
`TcpState` UInt32	—
`CongestionState` UInt32	—
`Frto` UInt32	—

Event ID 1588 — IP: Forwarding tag on Interface = Interface, Compartment = CompartmentId, Family = AddressFamily changed from OldForwardingTag to NewForwardingTag.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpInterfaceChange

Description

IP: Forwarding tag on Interface = Interface, Compartment = CompartmentId, Family = AddressFamily changed from OldForwardingTag to NewForwardingTag.

Message #

IP: Forwarding tag on Interface = %3, Compartment = %2, Family = %1 changed from %4 to %5.

Fields #

Name	Description
`AddressFamily` UInt32	—
`CompartmentId` UInt32	—
`Interface` UInt32	—
`OldForwardingTag` UInt32	—
`NewForwardingTag` UInt32	—

Event ID 1589 — TCP: AF AddressFamily, RssEnabled = RssEnabled .

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpAfRundown

Description

TCP: AF AddressFamily, RssEnabled = RssEnabled .

Message #

TCP: AF %1, RssEnabled = %2 .

Fields #

Name	Description
`AddressFamily` UInt32	—
`RssEnabled` UInt32	—

Event ID 1590 — TCP: connection = Tcb send completion failed.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpSendCompletionFailure

Description

TCP: connection = Tcb send completion failed. NBL = Nbl, Status = Status.

Message #

TCP: connection = %1 send completion failed. NBL = %2, Status = %3.

Fields #

Name	Description
`Tcb` Pointer	—
`Nbl` Pointer	—
`Status` UInt32	— NTSTATUS reference

Event ID 1591 — TCPIP: Alloc hooks setup: Status = Status.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipAllocHooksSetup

Description

TCPIP: Alloc hooks setup: Status = Status.

Message #

TCPIP: Alloc hooks setup: Status = %1.

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference

Event ID 1592 — IP: Neighbor with IpAddress = IPAddress DlAddress = DLAddress on Interface = Interface was reset while in state OldNeighborState due to Reason = ResetReason.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpNeighborReset

Description

IP: Neighbor with IpAddress = IPAddress DlAddress = DLAddress on Interface = Interface was reset while in state OldNeighborState due to Reason = ResetReason.

Message #

IP: Neighbor with IpAddress = %3 DlAddress = %5 on Interface = %1 was reset while in state %6 due to Reason = %7.

Fields #

Name	Description
`Interface` UInt32	—
`IpAddrLength` UInt32	—
`IPAddress` Binary	—
`DlAddrLength` UInt32	—
`DLAddress` Binary	—
`OldNeighborState` UInt32	—
`ResetReason` UInt32	—
`CompartmentId` UInt32	—

Event ID 1593 — TCP: Global timer fired, Processor = Processor, Tick = Tick.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpGlobalTimerFired

Description

TCP: Global timer fired, Processor = Processor, Tick = Tick.

Message #

TCP: Global timer fired, Processor = %1, Tick = %2

Fields #

Name	Description
`Processor` UInt32	—
`Tick` UInt32	—

Event ID 1594 — TCP: Global timer armed, NextToExpire = NextToExpire, Period = Period.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpGlobalTimerArmed

Description

TCP: Global timer armed, NextToExpire = NextToExpire, Period = Period.

Message #

TCP: Global timer armed, NextToExpire = %1, Period = %2

Fields #

Name	Description
`NextToExpire` UInt32	—
`Period` UInt32	—

Event ID 1595 — TCP: Global timer cancelled

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpGlobalTimerCancelled

Description

TCP: Global timer cancelled.

Message #

TCP: Global timer cancelled

Event ID 1596 — TCP: Updating Fastopen Key

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpFastopenKeyUpdate

Description

TCP: Updating Fastopen Key.

Message #

TCP: Updating Fastopen Key

Event ID 1597 — TCP: paused receive buffer growth for high memory usage, AF = AddressFamily, TCB = Tcb, TotalBytesBuffered = TotalBytesBuffered, UpperLimit = UpperLimit.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpAutoTuningPausedForMemoryUsage

Description

TCP: paused receive buffer growth for high memory usage, AF = AddressFamily, TCB = Tcb, TotalBytesBuffered = TotalBytesBuffered, UpperLimit = UpperLimit.

Message #

TCP: paused receive buffer growth for high memory usage, AF = %1, TCB = %2, TotalBytesBuffered = %3, UpperLimit = %4

Fields #

Name	Description
`AddressFamily` UInt32	—
`Tcb` Pointer	—
`TotalBytesBuffered` UInt64	—
`UpperLimit` UInt64	—

Event ID 1598 — IP: Autoconfigured address creation failed due to autoconfiguration limit, Address = IPv4Address IPProtocol IPv6Address, Interface = Interface, Compartment = CompartmentId, Protocol = Protocol.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpAddressAutoConfigurationLimitFailure

Description

IP: Autoconfigured address creation failed due to autoconfiguration limit, Address = IPv4Address IPProtocol IPv6Address, Interface = Interface, Compartment = CompartmentId, Protocol = Protocol.

Message #

IP: Autoconfigured address creation failed due to autoconfiguration limit, Address = %5 %7 %6, Interface = %1, Compartment = %2, Protocol = %3

Fields #

Name	Description
`Interface` UInt32	—
`CompartmentId` UInt32	—
`Protocol` AnsiString	— Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`IpAddrLength` UInt32	—
`IPv4Address` UInt32	—
`IPv6Address` Binary	—
`IPProtocol` UInt32	—

Event ID 1599 — IP: Autoconfigured route creation failed due to autoconfiguration limit, DestinationPrefix = IPv4DestinationPrefix IPProtocol DestinationPrefix /DestinationPrefixLength, Nexthop = IPv4NextHopAddres...

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpRouteAutoConfigurationLimitFailure

Description

IP: Autoconfigured route creation failed due to autoconfiguration limit, DestinationPrefix = IPv4DestinationPrefix IPProtocol DestinationPrefix /DestinationPrefixLength, Nexthop = IPv4NextHopAddress IPProtocol NextHopAddress, Interface = Interface, Compartment = CompartmentId, Protocol = Protocol.

Message #

IP: Autoconfigured route creation failed due to autoconfiguration limit, DestinationPrefix = %9 %11 %7 /%6, Nexthop = %10 %11 %8, Interface = %1, Compartment = %2, Protocol = %3

Fields #

Name	Description
`Interface` UInt32	—
`CompartmentId` UInt32	—
`Protocol` AnsiString	— Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`DestinationPrefixAddressLength` UInt32	—
`NextHopAddressLength` UInt32	—
`DestinationPrefixLength` UInt32	—
`DestinationPrefix` Binary	—
`NextHopAddress` Binary	—
`IPv4DestinationPrefix` UInt32	—
`IPv4NextHopAddress` UInt32	—
`IPProtocol` UInt32	—

Event ID 1600 — IP: Policy based routing failed - Compartment: Compartment DstAddr: DestinationAddress SrcAddr: SourceAddress TransProto: TransportProtocol IcmpType: IcmpType IcmpCode: IcmpCode PolicySrcAddr: Poli...

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipPBRFailure

Description

IP: Policy based routing failed - Compartment: DstAddr: SrcAddr: TransProto: IcmpType: IcmpCode: PolicySrcAddr: PolicyNextHopAddr: PolicyIfIndex: FailureReason: Status.

Message #

IP: Policy based routing failed - Compartment: %1 DstAddr: %3 SrcAddr: %5 TransProto: %6 IcmpType: %7 IcmpCode: %8 PolicySrcAddr: %10 PolicyNextHopAddr: %12 PolicyIfIndex: %13 FailureReason: %14 Status: %15

Fields #

Name	Description
`Compartment` UInt32	—
`DestinationAddrLength` UInt32	—
`DestinationAddress` Binary	—
`SourceAddrLength` UInt32	—
`SourceAddress` Binary	—
`TransportProtocol` UInt32	—
`IcmpType` UInt8	—
`IcmpCode` UInt8	—
`PolicySourceAddrLength` UInt32	—
`PolicySourceAddress` Binary	—
`PolicyNextHopAddrLength` UInt32	—
`PolicyNextHopAddress` Binary	—
`PolicyInterfaceLuid` UInt64	—
`FailureReason` UInt32	— Known values `%%2304` An Error occured during Logon. `%%2305` The specified user account has expired. `%%2306` The NetLogon component is not active. `%%2307` Account locked out. `%%2308` The user has not been granted the requested logon type at this machine. `%%2309` The specified account's password has expired. `%%2310` Account currently disabled. `%%2311` Account logon time restriction violation. `%%2312` User not allowed to logon at this computer. `%%2313` Unknown user name or bad password. `%%2314` Domain sid inconsistent. `%%2315` Smartcard logon is required and was not used.
`Status` UInt32	— NTSTATUS reference

Event ID 1601 — TCP: connection Tcb in NewState received NBL NBL in FastPath = FastPath Seq = ThSeq Ack = ThAck Flags = ThFlags RSC = RSC CoalescedSegCount = CoalescedSegCount RscTcpTimestampDelta = RscTcpTimestam...

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpRx

Description

TCP: connection Tcb in NewState received NBL NBL in FastPath = FastPath Seq = ThSeq Ack = ThAck Flags = ThFlags RSC = RSC CoalescedSegCount = CoalescedSegCount RscTcpTimestampDelta = RscTcpTimestampDelta EcnCePresent = EcnCePresent.

Message #

TCP: connection %1 in %2 received NBL %4 in FastPath = %3 Seq = %5 Ack = %6 Flags = %7 RSC = %8 CoalescedSegCount = %9 RscTcpTimestampDelta = %10 EcnCePresent = %11.

Fields #

Name	Description
`Tcb` Pointer	—
`NewState` UInt32	—
`FastPath` UInt32	—
`NBL` Pointer	—
`ThSeq` UInt32	—
`ThAck` UInt32	—
`ThFlags` UInt8	—
`RSC` UInt32	—
`CoalescedSegCount` UInt16	—
`RscTcpTimestampDelta` UInt32	—
`EcnCePresent` UInt32	—

Event ID 1602 — TCP: connection Tcb process fast RX batch SegmentCount = SegmentCount NumBytes = NumBytes NblHead = NblHead NblTail = NblTail Inspect = Inspect.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpProcessFastRxBatch

Description

TCP: connection Tcb process fast RX batch SegmentCount = SegmentCount NumBytes = NumBytes NblHead = NblHead NblTail = NblTail Inspect = Inspect.

Message #

TCP: connection %1 process fast RX batch SegmentCount = %2 NumBytes = %3 NblHead = %4 NblTail = %5 Inspect = %6.

Fields #

Name	Description
`Tcb` Pointer	—
`SegmentCount` UInt32	—
`NumBytes` UInt32	—
`NblHead` Pointer	—
`NblTail` Pointer	—
`Inspect` UInt32	—

Event ID 1603 — TCP: connection Tcb in State Injected disconnect DataLength=DataLength.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpDisconnect

Description

TCP: connection Tcb in State Injected disconnect DataLength=DataLength.

Message #

TCP: connection %1 in %2 %3 disconnect DataLength=%4.

Fields #

Name	Description
`Tcb` Pointer	—
`State` UInt32	—
`Injected` UnicodeString	—
`DataLength` UInt64	—

Event ID 1604 — NDKPI Disconnect Event CallbackEx: DisconnectEventContext DisconnectEventContext ProviderDisconnectReason ProviderDisconnectReason.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Disconnect_Event_Callback_Ex

Description

NDKPI Disconnect Event CallbackEx: DisconnectEventContext DisconnectEventContext ProviderDisconnectReason ProviderDisconnectReason.

Message #

NDKPI Disconnect Event CallbackEx: DisconnectEventContext %1 ProviderDisconnectReason %2

Fields #

Name	Description
`DisconnectEventContext` Pointer	—
`ProviderDisconnectReason` UInt32	—

Event ID 1605 — NDKPI AcceptEx: RequestContext RequestContext Connector NdkConnector QP NdkQp IRD IRD ORD ORD PrivateDataLength PrivateDataLength DisconnectEventContext DisconnectEventContext.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Accept_Ex

Description

NDKPI AcceptEx: RequestContext RequestContext Connector NdkConnector QP NdkQp IRD IRD ORD ORD PrivateDataLength PrivateDataLength DisconnectEventContext DisconnectEventContext.

Message #

NDKPI AcceptEx: RequestContext %6 Connector %1 QP %2 IRD %3 ORD %4 PrivateDataLength %7 DisconnectEventContext %5

Fields #

Name	Description
`NdkConnector` Pointer	—
`NdkQp` Pointer	—
`IRD` UInt32	—
`ORD` UInt32	—
`DisconnectEventContext` Pointer	—
`RequestContext` Pointer	—
`PrivateDataLength` UInt32	—

Event ID 1606 — NDKPI CompleteConnectEx: RequestContext RequestContext Connector NdkConnector DisconnectEventContext DisconnectEventContext.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Complete_Connect_Ex

Description

NDKPI CompleteConnectEx: RequestContext RequestContext Connector NdkConnector DisconnectEventContext DisconnectEventContext.

Message #

NDKPI CompleteConnectEx: RequestContext %3 Connector %1 DisconnectEventContext %2

Fields #

Name	Description
`NdkConnector` Pointer	—
`DisconnectEventContext` Pointer	—
`RequestContext` Pointer	—

Event ID 1607 — NDKPI Open Adapter Version Override: IF_INDEX IF_INDEX ProviderSupportedNDKVersion {ProviderSupportedNDKVersionMajor.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Open_Adapter_Version_Override

Description

NDKPI Open Adapter Version Override: IF_INDEX ProviderSupportedNDKVersion {.} FlConfiguredNdkpiVersion {.} ActualSupportedVersion {.}.

Message #

NDKPI Open Adapter Version Override: IF_INDEX %7 ProviderSupportedNDKVersion {%1.%2} FlConfiguredNdkpiVersion {%3.%4} ActualSupportedVersion {%5.%6}

Fields #

Name	Description
`ProviderSupportedNDKVersionMajor` UInt16	—
`ProviderSupportedNDKVersionMinor` UInt16	—
`FlConfiguredNdkpiVersionMajor` UInt16	—
`FlConfiguredNdkpiVersionMinor` UInt16	—
`ActualSupportedNDKVersionMajor` UInt16	—
`ActualSupportedNDKVersionMinor` UInt16	—
`IF_INDEX` UInt32	—

Event ID 1608 — Fl Reload Registry Config: Override Status: OverrideStatus OldFlConfiguredVersion {OldFlVersionMajor.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Fl_Version_Config_Registry_Override

Description

Fl Reload Registry Config: Override Status: OverrideStatus OldFlConfiguredVersion {OldFlVersionMajor.OldFlVersionMinor} NewFlConfiguredVersion {NewFlVersionMajor.NewFlVersionMinor}.

Message #

Fl Reload Registry Config: Override Status: %5 OldFlConfiguredVersion {%1.%2} NewFlConfiguredVersion {%3.%4}

Fields #

Name	Description
`OldFlVersionMajor` UInt16	—
`OldFlVersionMinor` UInt16	—
`NewFlVersionMajor` UInt16	—
`NewFlVersionMinor` UInt16	—
`OverrideStatus` UnicodeString	—

Event ID 1609 — NDKPI Open Adapter: Unexpected version returned by provider, IF_INDEX IF_INDEX ProviderSupportedNDKVersion {ProviderSupportedNDKVersionMajor.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: Ndkpi_Open_Adapter_Unexpected_Provider_Version

Description

NDKPI Open Adapter: Unexpected version returned by provider, IF_INDEX IF_INDEX ProviderSupportedNDKVersion {ProviderSupportedNDKVersionMajor.ProviderSupportedNDKVersionMinor} ConsumerSpecifiedVersion {ConsumerSpecifiedNdkpiVersionMajor.ConsumerSpecifiedNdkpiVersionMinor}.

Message #

NDKPI Open Adapter: Unexpected version returned by provider, IF_INDEX %5 ProviderSupportedNDKVersion {%1.%2} ConsumerSpecifiedVersion {%3.%4}

Fields #

Name	Description
`ProviderSupportedNDKVersionMajor` UInt16	—
`ProviderSupportedNDKVersionMinor` UInt16	—
`ConsumerSpecifiedNdkpiVersionMajor` UInt16	—
`ConsumerSpecifiedNdkpiVersionMinor` UInt16	—
`IF_INDEX` UInt32	—

Event ID 1610 — TCPIP: Disconnected Standby traffic.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipDsDetectTraffic

Description

TCPIP: Disconnected Standby traffic. Event = StandbyEvent AddressFamily = AddressFamily.

Message #

TCPIP: Disconnected Standby traffic. Event = %1 AddressFamily = %2

Fields #

Name	Description
`StandbyEvent` UInt32	—
`AddressFamily` UInt32	—

Event ID 1611 — TCPIP: Disconnected Standby (DS) transition detected.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipDsStateChange

Description

TCPIP: Disconnected Standby (DS) transition detected. IsSystemInDs=DSState.

Message #

TCPIP: Disconnected Standby (DS) transition detected. IsSystemInDs=%1

Fields #

Name	Description
`DSState` UInt32	—

Event ID 1612 — ResetResolve API call: ProcessName API.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipDsResolveApi

Description

ResetResolve API call: ProcessName API.

Message #

ResetResolve API call: ProcessName %1

Fields #

Name	Description
`API` AnsiString	—

Event ID 1613 — USO global disabled mask = UdpUsoDisabledMask.

Provider: Microsoft-Windows-TCPIP
Channel: Operational
Task: SendOffloadGlobalState

Description

USO global disabled mask = UdpUsoDisabledMask.

Message #

USO global disabled mask = %1.

Fields #

Name	Description
`UdpUsoDisabledMask` Int32	—

Event ID 1614 — Framing: SW URO SwUroEnabled, HW URO HwUroEnabled.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipFramingUroStatus

Description

Framing: SW URO SwUroEnabled, HW URO HwUroEnabled.

Message #

Framing: SW URO %1, HW URO %2

Fields #

Name	Description
`SwUroEnabled` UInt32	—
`HwUroEnabled` UInt32	—

Event ID 1615 — Tcpip Power Policy set to: PowerPolicy.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipGlobalPowerPolicyChange

Description

Tcpip Power Policy set to: PowerPolicy.

Message #

Tcpip Power Policy set to: %1

Fields #

Name	Description
`PowerPolicy` UInt32	—

Event ID 1616 — Router Solicitation sent.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipGlobalPowerPolicySendRS

Description

Router Solicitation sent. Interface: InterfaceIndex, Reason: RouterSolicitationReason, Tcpip Power Policy: PowerPolicy.

Message #

Router Solicitation sent. Interface: %1, Reason: %2, Tcpip Power Policy: %3

Fields #

Name	Description
`InterfaceIndex` UInt32	—
`RouterSolicitationReason` UInt32	—
`PowerPolicy` UInt32	—

Event ID 1617 — Router Solicitation requested on dormant interface.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipGlobalPowerPolicyRequestRS

Description

Router Solicitation requested on dormant interface. Interface: InterfaceIndex, Reason: RouterSolicitationReason, Tcpip Power Policy: PowerPolicy.

Message #

Router Solicitation requested on dormant interface. Interface: %1, Reason: %2, Tcpip Power Policy: %3

Fields #

Name	Description
`InterfaceIndex` UInt32	—
`RouterSolicitationReason` UInt32	—
`PowerPolicy` UInt32	—

Event ID 1618 — IP: Route lifetime refresh.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipIpRouteLifetime

Message #

IP: Route lifetime refresh. Interface = %1, Protocol = %2, Compartment = %3, Prefix = %5/%6, NextHop = %8, Metric = %9, Origin = %10, CurrentTime = %11, Old BaseTime = %12, Old ValidTime = %13, Old PreferredTime = %14, New BaseTime = %15, New ValidTime = %16, New PreferredTime = %17.

Fields #

Name	Description
`Interface` UInt32	—
`Protocol` AnsiString	— Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`Compartment` UInt32	—
`DestinationPrefixAddressLength` UInt32	—
`DestinationPrefix` Binary	—
`DestinationPrefixLength` UInt32	—
`NextHopAddressLength` UInt32	—
`NextHopAddress` Binary	—
`Metric` UInt32	—
`Origin` UInt32	—
`CurrentTime` UInt32	—
`OldBasetime` UInt32	—
`OldValidTime` UInt32	—
`OldPreferredTime` UInt32	—
`NewBasetime` UInt32	—
`NewValidTime` UInt32	—
`NewPreferredTime` UInt32	—

Event ID 1619 — IP: Constraint computation (unused) - Source address PreferredSourceIPAddress is preferred over NonPreferredSourceIPAddress for Destination DestinationIPAddress in Compartment CompartmentId, Reason...

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpSourceAddressSelection

Description

IP: Constraint computation (unused) - Source address PreferredSourceIPAddress is preferred over NonPreferredSourceIPAddress for Destination DestinationIPAddress in Compartment CompartmentId, Reason: RuleName (Rule Rule.RuleExtension).

Message #

IP: Constraint computation (unused) - Source address %2 is preferred over %3 for Destination %4 in Compartment %5, Reason: %8 (Rule %6.%7).

Fields #

Name	Description
`IpAddrLength` UInt32	—
`PreferredSourceIPAddress` Binary	—
`NonPreferredSourceIPAddress` Binary	—
`DestinationIPAddress` Binary	—
`CompartmentId` UInt32	—
`Rule` UInt32	—
`RuleExtension` UInt32	—
`RuleName` UInt32	—

Event ID 1620 — WFP-ALE: RemoteEndPoint Cleanup: (local=LocalAddress remote=RemoteAddress) currentTick=CurrentTick lastTick=LastTick lifeTime=LifeTime LifetimeFactor=LifetimeFactor.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: RemoteEndpointCleanup

Description

WFP-ALE: RemoteEndPoint Cleanup: (local=LocalAddress remote=RemoteAddress) currentTick=CurrentTick lastTick=LastTick lifeTime=LifeTime LifetimeFactor=LifetimeFactor.

Message #

WFP-ALE: RemoteEndPoint Cleanup: (local=%2 remote=%3) currentTick=%4 lastTick=%5 lifeTime=%6 LifetimeFactor=%7

Fields #

Name	Description
`AddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddress` Binary	—
`CurrentTick` UInt64	—
`LastTick` UInt64	—
`LifeTime` UInt32	—
`LifetimeFactor` UInt16	—

Event ID 1621 — FL: Virtual interface creation.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: FlVirtualInterfaceCreation

Description

FL: Virtual interface creation. Interface = IfLuid, Family = AddressFamily, CompartmentGuid = CompartmentGuid, CompartmentId = CompartmentId, IsolationMode = IsolationMode, IsolationId = IsolalationId, Origin = Origin, VirtualIfLuid = VirtualIfLuid, VirtualIfIndex = VirtualIfIndex.

Message #

FL: Virtual interface creation. Interface = %1, Family = %2, CompartmentGuid = %3, CompartmentId = %4, IsolationMode = %5, IsolationId = %6, Origin = %7, VirtualIfLuid = %8, VirtualIfIndex = %9

Fields #

Name	Description
`IfLuid` UInt64	—
`AddressFamily` UInt32	—
`CompartmentGuid` GUID	—
`CompartmentId` UInt32	—
`IsolationMode` UInt32	—
`IsolalationId` UInt32	—
`Origin` UInt32	—
`VirtualIfLuid` UInt64	—
`VirtualIfIndex` UInt32	—

Event ID 1622 — FL: Virtual interface deletion.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: FlVirtualInterfaceDeletion

Description

FL: Virtual interface deletion. Interface = IfLuid, Family = AddressFamily, CompartmentGuid = CompartmentGuid, CompartmentId = CompartmentId, IsolationMode = IsolationMode, IsolationId = IsolalationId, Origin = Origin, VirtualIfLuid = VirtualIfLuid, VirtualIfIndex = VirtualIfIndex.

Message #

FL: Virtual interface deletion. Interface = %1, Family = %2, CompartmentGuid = %3, CompartmentId = %4, IsolationMode = %5, IsolationId = %6, Origin = %7, VirtualIfLuid = %8, VirtualIfIndex = %9

Fields #

Name	Description
`IfLuid` UInt64	—
`AddressFamily` UInt32	—
`CompartmentGuid` GUID	—
`CompartmentId` UInt32	—
`IsolationMode` UInt32	—
`IsolalationId` UInt32	—
`Origin` UInt32	—
`VirtualIfLuid` UInt64	—
`VirtualIfIndex` UInt32	—

Event ID 1623 — Tcpip Power Policy Standby-to-Full-Power transition detected.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipGlobalPowerPolicyTransitionAdjustment

Message #

Tcpip Power Policy Standby-to-Full-Power transition detected. Lifetimes adjusted for Interface:%1, DestinationPrefix:%3/%4, NextHopAddress:%6, EnteredStandbySystemTickCount:%7, CurrentTickCount:%8, ValidLifetimeHighWaterTickCount:%9

Fields #

Name	Description
`InterfaceIndex` UInt32	—
`DestinationPrefixAddressLength` UInt32	—
`DestinationPrefix` Binary	—
`DestinationPrefixLength` UInt32	—
`NextHopAddressLength` UInt32	—
`NextHopAddress` Binary	—
`EnteredStandbySystemTickCount` UInt64	—
`CurrentTickCount` UInt32	—
`ValidLifetimeHighWaterTickCount` UInt32	—

Event ID 1624 — TCP: connection Tcb: flow label refreshed, old = OldFlowLabel new = NewFlowLabel.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpFlowLabelRefresh

Description

TCP: connection Tcb: flow label refreshed, old = OldFlowLabel new = NewFlowLabel.

Message #

TCP: connection %1: flow label refreshed, old = %2 new = %3.

Fields #

Name	Description
`Tcb` Pointer	—
`OldFlowLabel` UInt32	—
`NewFlowLabel` UInt32	—

Event ID 1625 — TCP: Connection Tcb send idle triggered.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpCwndRestart

Description

TCP: Connection Tcb send idle triggered. OldCwnd = OldCwnd, NewCwnd = NewCwnd, CurrentTick = CurrentTick, IdleTick = IdleTick, RTO = Rto.

Message #

TCP: Connection %1 send idle triggered. OldCwnd = %2, NewCwnd = %3, CurrentTick = %5, IdleTick = %6, RTO = %7

Fields #

Name	Description
`Tcb` Pointer	—
`OldCwnd` UInt32	—
`NewCwnd` UInt32	—
`Processor` UInt32	—
`CurrentTick` UInt32	—
`IdleTick` UInt32	—
`Rto` UInt32	—

Event ID 1626 — TCP: connection Tcb: bytes limited by sender = SenderLimitedBytes receiver = ReceiverLimitedBytes congestion = CongestionLimitedBytes.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpLimitingFactor

Description

TCP: connection Tcb: bytes limited by sender = SenderLimitedBytes receiver = ReceiverLimitedBytes congestion = CongestionLimitedBytes.

Message #

TCP: connection %1: bytes limited by sender = %2 receiver = %3 congestion = %4.

Fields #

Name	Description
`Tcb` Pointer	—
`SenderLimitedBytes` UInt64	—
`ReceiverLimitedBytes` UInt64	—
`CongestionLimitedBytes` UInt64	—

Event ID 1627 — UDP: ChangeReason scheduled HW URO to be NewUroState on interface IfLuid.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: UdpOffloadHwUroChangeScheduled

Description

UDP: ChangeReason scheduled HW URO to be NewUroState on interface IfLuid. CurrentState:CurrentUroState. Last scheduled state: LastScheduledState.

Message #

UDP: %2 scheduled HW URO to be %3 on interface %1. CurrentState:%4. Last scheduled state: %5

Fields #

Name	Description
`IfLuid` UInt64	—
`ChangeReason` UInt32	—
`NewUroState` UInt32	—
`CurrentUroState` UInt32	—
`LastScheduledState` UInt32	—
`FailureReasonFlags` UInt32	—

Event ID 1628 — UDP: ChangeReason NewUroState HW URO on interface IfLuid.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: UdpOffloadHwUroChangeComplete

Description

UDP: ChangeReason NewUroState HW URO on interface IfLuid. Status: Status.

Message #

UDP: %2 %3 HW URO on interface %1. Status: %4

Fields #

Name	Description
`IfLuid` UInt64	—
`ChangeReason` UInt32	—
`NewUroState` UInt32	—
`Status` UInt32	— NTSTATUS reference
`FailureReasonFlags` UInt32	—

Event ID 1629 — FL: FLSNPI client attach.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: FlsnpiClientAttach

Description

FL: FLSNPI client attach. Client: ClientName, AddressFamily: AddressFamily, NpiVersion: ClientNpiVersion, NblContextSize: NblContextSize, FailureReason: FailureReason, Status: Status.

Message #

FL: FLSNPI client attach. Client: %1, AddressFamily: %2, NpiVersion: %3, NblContextSize: %4, FailureReason: %5, Status: %6.

Fields #

Name	Description
`ClientName` UnicodeString	—
`AddressFamily` UInt32	—
`ClientNpiVersion` UInt32	—
`NblContextSize` UInt32	—
`FailureReason` UInt32	— Known values `%%2304` An Error occured during Logon. `%%2305` The specified user account has expired. `%%2306` The NetLogon component is not active. `%%2307` Account locked out. `%%2308` The user has not been granted the requested logon type at this machine. `%%2309` The specified account's password has expired. `%%2310` Account currently disabled. `%%2311` Account logon time restriction violation. `%%2312` User not allowed to logon at this computer. `%%2313` Unknown user name or bad password. `%%2314` Domain sid inconsistent. `%%2315` Smartcard logon is required and was not used.
`Status` UInt32	— NTSTATUS reference

Event ID 1630 — FL: FLSNPI client detach.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: FlsnpiClientDetach

Description

FL: FLSNPI client detach. Client: ClientName, AddressFamily: AddressFamily.

Message #

FL: FLSNPI client detach. Client: %1, AddressFamily: %2.

Fields #

Name	Description
`ClientName` UnicodeString	—
`AddressFamily` UInt32	—

Event ID 1631 — FL: FLSNPI client interface attach.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: FlsnpiClientInterfaceAttach

Description

FL: FLSNPI client interface attach. Client: ClientName, AddressFamily: AddressFamily, CompartmentId: CompartmentId, IfIndex: IfIndex, VirtualIfId: VirtualIfId, Flags: Flags, FailureReason: FailureReason, Status: Status.

Message #

FL: FLSNPI client interface attach. Client: %1, AddressFamily: %2, CompartmentId: %3, IfIndex: %4, VirtualIfId: %5, Flags: %6, FailureReason: %7, Status: %8.

Fields #

Name	Description
`ClientName` UnicodeString	—
`AddressFamily` UInt32	—
`CompartmentId` UInt32	—
`IfIndex` UInt32	—
`VirtualIfId` UInt32	—
`Flags` UInt32	—
`FailureReason` UInt32	— Known values `%%2304` An Error occured during Logon. `%%2305` The specified user account has expired. `%%2306` The NetLogon component is not active. `%%2307` Account locked out. `%%2308` The user has not been granted the requested logon type at this machine. `%%2309` The specified account's password has expired. `%%2310` Account currently disabled. `%%2311` Account logon time restriction violation. `%%2312` User not allowed to logon at this computer. `%%2313` Unknown user name or bad password. `%%2314` Domain sid inconsistent. `%%2315` Smartcard logon is required and was not used.
`Status` UInt32	— NTSTATUS reference

Event ID 1632 — FL: FLSNPI client interface detach.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: FlsnpiClientInterfaceDetach

Description

FL: FLSNPI client interface detach. Client: ClientName, AddressFamily: AddressFamily, CompartmentId: CompartmentId, IfIndex: IfIndex, VirtualIfId: VirtualIfId, Flags: Flags, FailureReason: FailureReason, Status: Status.

Message #

FL: FLSNPI client interface detach. Client: %1,  AddressFamily: %2, CompartmentId: %3, IfIndex: %4, VirtualIfId: %5, Flags: %8, FailureReason: %6, Status: %7.

Fields #

Name	Description
`ClientName` UnicodeString	—
`AddressFamily` UInt32	—
`CompartmentId` UInt32	—
`IfIndex` UInt32	—
`VirtualIfId` UInt32	—
`FailureReason` UInt32	— Known values `%%2304` An Error occured during Logon. `%%2305` The specified user account has expired. `%%2306` The NetLogon component is not active. `%%2307` Account locked out. `%%2308` The user has not been granted the requested logon type at this machine. `%%2309` The specified account's password has expired. `%%2310` Account currently disabled. `%%2311` Account logon time restriction violation. `%%2312` User not allowed to logon at this computer. `%%2313` Unknown user name or bad password. `%%2314` Domain sid inconsistent. `%%2315` Smartcard logon is required and was not used.
`Status` UInt32	— NTSTATUS reference
`Flags` UInt32	—

Event ID 1633 — FL: FLSNPI datapath failure.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: FlsnpiDataPathFailure

Description

FL: FLSNPI datapath failure. Operation: Operation, AddressFamily: AddressFamily, Direction: PathDirection, Client:ClientName, CompartmentId: CompartmentId, IfIndex: IfIndex, VirtualIfId: VirtualIfId, Flags: Flags, InjectIfIndex: InjectionIfIndex, FailureReason: FailureReason, Status: Status.

Message #

FL: FLSNPI datapath failure. Operation: %1, AddressFamily: %2, Direction: %3, Client:%4, CompartmentId: %5, IfIndex: %6, VirtualIfId: %7, Flags: %8, InjectIfIndex: %11, FailureReason: %9, Status: %10

Fields #

Name	Description
`Operation` UInt32	— Known values `%%2456` Open key file. `%%2457` Delete key file. `%%2458` Read persisted key from file. `%%2459` Write persisted key to file. `%%2464` Export of persistent cryptographic key. `%%2465` Import of persistent cryptographic key. `%%2480` Open Key. `%%2481` Create Key. `%%2482` Delete Key. `%%2483` Encrypt. `%%2484` Decrypt. `%%2485` Sign hash. `%%2486` Secret agreement. `%%2487` Domain settings. `%%2488` Local settings. `%%2489` Add provider. `%%2490` Remove provider. `%%2491` Add context. `%%2492` Remove context. `%%2493` Add function. `%%2494` Remove function. `%%2495` Add function provider. `%%2496` Remove function provider. `%%2497` Add function property. `%%2498` Remove function property. `%%2499` Machine key. `%%2500` User key. `%%2501` Key Derivation. `%%2502` Claim Creation. `%%2503` Claim Verification.
`AddressFamily` UInt32	—
`PathDirection` UInt32	—
`ClientName` UnicodeString	—
`CompartmentId` UInt32	—
`IfIndex` UInt32	—
`VirtualIfId` UInt32	—
`Flags` UInt32	—
`FailureReason` UInt32	— Known values `%%2304` An Error occured during Logon. `%%2305` The specified user account has expired. `%%2306` The NetLogon component is not active. `%%2307` Account locked out. `%%2308` The user has not been granted the requested logon type at this machine. `%%2309` The specified account's password has expired. `%%2310` Account currently disabled. `%%2311` Account logon time restriction violation. `%%2312` User not allowed to logon at this computer. `%%2313` Unknown user name or bad password. `%%2314` Domain sid inconsistent. `%%2315` Smartcard logon is required and was not used.
`Status` UInt32	— NTSTATUS reference
`InjectionIfIndex` UInt32	—

Event ID 1634 — FL: FLSNPI client silent drop.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: FlsnpiClientSilentDrop

Description

FL: FLSNPI client silent drop. Direction: PathDirection, AddressFamily:AddressFamily, Client: ClientName, CompartmentId: CompartmentId, IfIndex: InterfaceIndex, VirtualIfId: VirtualIfId, PacketCount: PacketCount.

Message #

FL: FLSNPI client silent drop. Direction: %1, AddressFamily:%2, Client: %3, CompartmentId: %4, IfIndex: %5, VirtualIfId: %6, PacketCount: %7.

Fields #

Name	Description
`PathDirection` UInt32	—
`AddressFamily` UInt32	—
`ClientName` UnicodeString	—
`CompartmentId` UInt32	—
`InterfaceIndex` UInt32	—
`VirtualIfId` UInt32	—
`PacketCount` UInt32	—

Event ID 1635 — FL: FLSNPI indication stats.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic

Message #

FL: FLSNPI indication  stats. Direction: %1, AddressFamily:%2, CompartmentId: %3, IfIndex: %4, VirtualIfId: %5, PacketsIndicated: %6, PacketsReturned: %7, PacketsInjected: %8, PacketsCloned: %9, PacketsClonedForSplitNB: %10, PacketsDropped: %11, PacketsSilentlyDropped: %12.

Fields #

Name	Description
`Direction` UInt32	— Known values `%%14592` Inbound `%%14593` Outbound `%%14594` Forward `%%14595` Bidirectional
`AddressFamily` UInt32	—
`CompartmentId` UInt32	—
`InterfaceIndex` UInt32	—
`VirtualIfId` UInt32	—
`PacketsIndicated` UInt32	—
`PacketsReturned` UInt32	—
`PacketsInjected` UInt32	—
`PacketsCloned` UInt32	—
`PacketsClonedWithNBSplit` UInt32	—
`PacketsDropped` UInt32	—
`PacketsSilentlyDropped` UInt32	—

Event ID 1636 — TCPIP: Current Power Policy : PowerPolicy.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpipPowerPolicyRundown

Description

TCPIP: Current Power Policy : PowerPolicy.

Message #

TCPIP: Current Power Policy : %1.

Fields #

Name	Description
`PowerPolicy` UInt32	—

Event ID 1637 — TCP: connection Tcb send acked NumBytes bytes starting from SndNxt ActivityID = ActivityID.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: TcpSendAcked

Description

TCP: connection Tcb send acked NumBytes bytes starting from SndNxt ActivityID = ActivityID.

Message #

TCP: connection %1 send acked %2 bytes starting from %3 ActivityID = %4.

Fields #

Name	Description
`Tcb` Pointer	—
`NumBytes` UInt32	—
`SndNxt` UInt32	—
`ActivityID` Pointer	—
`SndLimBytesSnd` UInt64	—
`SndLimBytesRwin` UInt64	—
`SndLimBytesCwnd` UInt64	—
`CWnd` UInt32	—
`SRtt` UInt32	—
`LossRecoveryEpisodes` UInt32	—
`RtoEpisodes` UInt32	—
`PtoEpisodes` UInt32	—

Event ID 1638 — IP: Event.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpRaPref64Event

Description

IP: Event. Interface = Interface, Compartment = CompartmentId, RouterAddress = RouterAddress, Prefix = Prefix/PrefixLength, Lifetime = Lifetime.

Message #

IP: %1. Interface = %2, Compartment = %3, RouterAddress = %5, Prefix = %7/%8, Lifetime = %9.

Fields #

Name	Description
`Event` UInt32	—
`Interface` UInt32	—
`CompartmentId` UInt32	—
`RouterAddrLength` UInt32	—
`RouterAddress` Binary	—
`PrefixAddrLength` UInt32	—
`Prefix` Binary	—
`PrefixLength` UInt32	—
`Lifetime` UInt32	—

Event ID 1638 —

Provider: Microsoft-Windows-TCPIP
Channel: Operational
Task: IpRaPref64Event

Description

IP: . Interface = , Compartment = , RouterAddress = , Prefix = /, Lifetime = .

Fields #

Name	Description
`Event` UInt32	—
`Interface` UInt32	—
`CompartmentId` UInt32	—
`RouterAddrLength` UInt32	—
`RouterAddress` Binary	—
`PrefixAddrLength` UInt32	—
`Prefix` Binary	—
`PrefixLength` UInt32	—
`Lifetime` UInt32	—

Event ID 1639 — IP: Destination cache invalidated.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpDestinationCacheInvalidation

Description

IP: Destination cache invalidated. Compartment = CompartmentId, Family = AddressFamily, RoutingEpoch = RoutingEpoch.

Message #

IP: Destination cache invalidated. Compartment = %1, Family = %2, RoutingEpoch = %3.

Fields #

Name	Description
`CompartmentId` UInt32	—
`AddressFamily` UInt32	—
`RoutingEpoch` Int32	—

Event ID 1639 —

Provider: Microsoft-Windows-TCPIP
Channel: Operational
Task: IpDestinationCacheInvalidation

Description

IP: Destination cache invalidated. Compartment = , Family = , RoutingEpoch = .

Fields #

Name	Description
`CompartmentId` UInt32	—
`AddressFamily` UInt32	—
`RoutingEpoch` Int32	—

Event ID 1640 — FL: Virtual interface set failed.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: FlVirtualIfSetError

Description

FL: Virtual interface set failed. NsiAction = NsiAction, Family AddressFamily, IfLuid = IfLuid, CompartmentGuid = CompartmentGuid, VirtualIfId = VirtualIfId, IsolationMode = IsolationMode, Status = Status, Reason = FailureReason.

Message #

FL: Virtual interface set failed. NsiAction = %1, Family %2, IfLuid = %3, CompartmentGuid = %4, VirtualIfId = %5, IsolationMode = %6, Status = %7, Reason = %8

Fields #

Name	Description
`NsiAction` UInt32	—
`AddressFamily` UInt32	—
`IfLuid` UInt64	—
`CompartmentGuid` GUID	—
`VirtualIfId` UInt32	—
`IsolationMode` UInt32	—
`Status` UInt32	— NTSTATUS reference
`FailureReason` UInt32	— Known values `%%2304` An Error occured during Logon. `%%2305` The specified user account has expired. `%%2306` The NetLogon component is not active. `%%2307` Account locked out. `%%2308` The user has not been granted the requested logon type at this machine. `%%2309` The specified account's password has expired. `%%2310` Account currently disabled. `%%2311` Account logon time restriction violation. `%%2312` User not allowed to logon at this computer. `%%2313` Unknown user name or bad password. `%%2314` Domain sid inconsistent. `%%2315` Smartcard logon is required and was not used.

Event ID 1640 —

Provider: Microsoft-Windows-TCPIP
Channel: Operational
Task: FlVirtualIfSetError

Description

FL: Virtual interface set failed. NsiAction = , Family , IfLuid = , CompartmentGuid = , VirtualIfId = , IsolationMode = , Status = , Reason =.

Fields #

Name	Description
`NsiAction` UInt32	—
`AddressFamily` UInt32	—
`IfLuid` UInt64	—
`CompartmentGuid` GUID	—
`VirtualIfId` UInt32	—
`IsolationMode` UInt32	—
`Status` UInt32	— NTSTATUS reference
`FailureReason` UInt32	— Known values `%%2304` An Error occured during Logon. `%%2305` The specified user account has expired. `%%2306` The NetLogon component is not active. `%%2307` Account locked out. `%%2308` The user has not been granted the requested logon type at this machine. `%%2309` The specified account's password has expired. `%%2310` Account currently disabled. `%%2311` Account logon time restriction violation. `%%2312` User not allowed to logon at this computer. `%%2313` Unknown user name or bad password. `%%2314` Domain sid inconsistent. `%%2315` Smartcard logon is required and was not used.

Event ID 1641 — FL: Virtual interface get failed.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: FlVirtualIfGetError

Description

FL: Virtual interface get failed. NsiAction = NsiAction, Family AddressFamily, IfLuid = IfLuid, CompartmentGuid = CompartmentGuid, VirtualIfId = VirtualIfId, IsolationMode = IsolationMode, Status = Status, Reason = FailureReason.

Message #

FL: Virtual interface get failed. NsiAction = %1, Family %2, IfLuid = %3, CompartmentGuid = %4, VirtualIfId = %5, IsolationMode = %6, Status = %7, Reason = %8

Fields #

Name	Description
`NsiAction` UInt32	—
`AddressFamily` UInt32	—
`IfLuid` UInt64	—
`CompartmentGuid` GUID	—
`VirtualIfId` UInt32	—
`IsolationMode` UInt32	—
`Status` UInt32	— NTSTATUS reference
`FailureReason` UInt32	— Known values `%%2304` An Error occured during Logon. `%%2305` The specified user account has expired. `%%2306` The NetLogon component is not active. `%%2307` Account locked out. `%%2308` The user has not been granted the requested logon type at this machine. `%%2309` The specified account's password has expired. `%%2310` Account currently disabled. `%%2311` Account logon time restriction violation. `%%2312` User not allowed to logon at this computer. `%%2313` Unknown user name or bad password. `%%2314` Domain sid inconsistent. `%%2315` Smartcard logon is required and was not used.

Event ID 1641 —

Provider: Microsoft-Windows-TCPIP
Channel: Operational
Task: FlVirtualIfGetError

Description

FL: Virtual interface get failed. NsiAction = , Family , IfLuid = , CompartmentGuid = , VirtualIfId = , IsolationMode = , Status = , Reason =.

Fields #

Name	Description
`NsiAction` UInt32	—
`AddressFamily` UInt32	—
`IfLuid` UInt64	—
`CompartmentGuid` GUID	—
`VirtualIfId` UInt32	—
`IsolationMode` UInt32	—
`Status` UInt32	— NTSTATUS reference
`FailureReason` UInt32	— Known values `%%2304` An Error occured during Logon. `%%2305` The specified user account has expired. `%%2306` The NetLogon component is not active. `%%2307` Account locked out. `%%2308` The user has not been granted the requested logon type at this machine. `%%2309` The specified account's password has expired. `%%2310` Account currently disabled. `%%2311` Account logon time restriction violation. `%%2312` User not allowed to logon at this computer. `%%2313` Unknown user name or bad password. `%%2314` Domain sid inconsistent. `%%2315` Smartcard logon is required and was not used.

Event ID 1642 — IP: Received Prefix Option in Router Advertisement.

Provider: Microsoft-Windows-TCPIP
Channel: Diagnostic
Task: IpRecvPrefixOptionInRouterAdvertisement

Message #

IP: Received Prefix Option in Router Advertisement. Interface(Index/GUID) = %1/%2, Compartment = %3, SourceIpAddress = %5, Prefix(Value/Length) = %6/%7, Lifetimes(Valid/Preferred) = %8/%9, Flags = %10 (Route = %11, SitePrefix = %12, RouterAddress = %13, Autonomous = %14, OnLink = %15)

Fields #

Name	Description
`InterfaceIndex` UInt32	—
`InterfaceGuid` GUID	—
`CompartmentId` UInt32	—
`AddressLength` UInt32	—
`SourceIpAddress` Binary	—
`PrefixValue` Binary	—
`PrefixLength` UInt32	—
`ValidLifetime` UInt32	—
`PreferredLifetime` UInt32	—
`FlagsValue` UInt8	—
`IsRoute` Boolean	—
`IsSitePrefix` Boolean	—
`IsRouterAddress` Boolean	—
`IsAutonomous` Boolean	—
`IsOnLink` Boolean	—

Event ID 1642 —

Provider: Microsoft-Windows-TCPIP
Channel: Operational
Task: IpRecvPrefixOptionInRouterAdvertisement

Fields #

Name	Description
`InterfaceIndex` UInt32	—
`InterfaceGuid` GUID	—
`CompartmentId` UInt32	—
`AddressLength` UInt32	—
`SourceIpAddress` Binary	—
`PrefixValue` Binary	—
`PrefixLength` UInt32	—
`ValidLifetime` UInt32	—
`PreferredLifetime` UInt32	—
`FlagsValue` UInt8	—
`IsRoute` Boolean	—
`IsSitePrefix` Boolean	—
`IsRouterAddress` Boolean	—
`IsAutonomous` Boolean	—
`IsOnLink` Boolean	—