Microsoft-Windows-URLMon

8 events across 1 channel

Event  Title                      Channel
801    URLMON_Queue_Msg           Analytic
802    URLMON_Process_Queued_Msg  Analytic
803    URLMON_CINet_Read          Analytic
804    URLMON_CINet_Read804       Analytic
805    URLMON_CInet_Start         Analytic
806    URLMON_CINet_Abort         Analytic
807    URLMON_CINet_Binding       Analytic
808    URLMON_CINet_Write         Analytic

Event ID 801: URLMON_Queue_Msg

Provider: Microsoft-Windows-URLMon
Channel: Analytic
Task: URLMON_Queue_Msg

Fields

Name  Description
Msg UInt32
URL UnicodeString

Event ID 802: URLMON_Process_Queued_Msg

Provider: Microsoft-Windows-URLMon
Channel: Analytic
Task: URLMON_Process_Queued_Msg

Fields

Name  Description
Msg UInt32
URL UnicodeString

Event ID 803: URLMON_CINet_Read

Provider: Microsoft-Windows-URLMon
Channel: Analytic
Task: URLMON_CINet_Read

Fields

Name  Description
Msg UInt32
URL UnicodeString
Bytes UInt32

Event ID 804: URLMON_CINet_Read804

Provider: Microsoft-Windows-URLMon
Channel: Analytic
Task: URLMON_CINet_Read

Fields

Name  Description
Bytes UInt32
URL UnicodeString

Event ID 805: URLMON_CInet_Start

Provider: Microsoft-Windows-URLMon
Channel: Analytic
Task: URLMON_CInet_Start

Fields

Name  Description
Flags UInt32
URL UnicodeString

Event ID 806: URLMON_CINet_Abort

Provider: Microsoft-Windows-URLMon
Channel: Analytic
Task: URLMON_CINet_Abort

Fields

Name  Description
Reason UInt32
URL UnicodeString

Event ID 807: URLMON_CINet_Binding

Provider: Microsoft-Windows-URLMon
Channel: Analytic
Task: URLMON_CINet_Binding

Fields

Name  Description
CInet Pointer
Binding Pointer

Event ID 808: URLMON_CINet_Write

Provider: Microsoft-Windows-URLMon
Channel: Analytic
Task: URLMON_CINet_Write

Fields

Name  Description
Operation UInt32
  Known values:
    %%2456  Open key file.
    %%2457  Delete key file.
    %%2458  Read persisted key from file.
    %%2459  Write persisted key to file.
    %%2464  Export of persistent cryptographic key.
    %%2465  Import of persistent cryptographic key.
    %%2480  Open Key.
    %%2481  Create Key.
    %%2482  Delete Key.
    %%2483  Encrypt.
    %%2484  Decrypt.
    %%2485  Sign hash.
    %%2486  Secret agreement.
    %%2487  Domain settings.
    %%2488  Local settings.
    %%2489  Add provider.
    %%2490  Remove provider.
    %%2491  Add context.
    %%2492  Remove context.
    %%2493  Add function.
    %%2494  Remove function.
    %%2495  Add function provider.
    %%2496  Remove function provider.
    %%2497  Add function property.
    %%2498  Remove function property.
    %%2499  Machine key.
    %%2500  User key.
    %%2501  Key Derivation.
    %%2502  Claim Creation.
    %%2503  Claim Verification.
Bytes UInt32
URL UnicodeString
CInet Pointer

Provenance

Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.

ETW provider GUID 245f975d-909d-49ed-b8f9-9a75691d6b6b

Defined in urlmon.dll, which carries the event manifest.

Observed on:

  • WS2022-20348.4893 · schema read from the registered manifest · binary version 11.00.20348.2849 · captured 2026-06-02
  • Win11-26200.6584 · schema read from the registered manifest · binary version 11.00.26100.1 · captured 2026-06-02

Credits

  • Microsoft - authored the ETW manifests and PDBs the schema comes from
  • jdu2600 - the event-schema TSV format this catalog adopted
  • nasbench - the tool that dumps registered providers and manifests