Microsoft-Windows-Wcmsvc

67 events across 2 channels

Event ID	Title	Channel
1001	WCMSVC: Service Startup	Operational
1002	WCMSVC: Service Shutdown	Operational
1003	CDE reported a state change State: %1 Name: %2.	Operational
1004	A Group Policy change was processed	Operational
1005	A Power change was processed.	Operational
1006	A Terminal Services session change was processed.	Operational
1007	CDE reported a state change State: %1 Name: Nlasvc.	Diagnostic
1008	NLA interface property change Interface: %1 Internet v4: %2 Internet v6: %3 …	Diagnostic
1009	CDE reported an L2 adapter arrival Interface: %1 Type: %2.	Operational
1010	CDE reported an L2 adapter removal Interface: %1 Type: %2.	Operational
1011	CDE reported a successful connection Interface: %1 Type: %2.	Diagnostic
1012	CDE reported a connection failure Interface: %1 Type: %2 Status: %3.	Operational
1013	CDE reported a disconnection Interface: %1 Type: %2.	Diagnostic
1014	WcmSetParameter Called Interface: %1 Profile Name: %2 Wcm Opcode: %3 Data …	Diagnostic
1015	Interface Token Applied Interface: %1 Media Type: %2 Manual enabled: %3 Manual …	Operational
1016	Interface Token Failed Interface: %1 Media Type: %2 Manual enabled: %3 Manual …	Operational
1017	Soft disconnect over thresholds for interface: %1 AvgIn: %2 AvgOut: %3 SpikeIn: …	Operational
1018	Soft disconnect under thresholds for interface: %1 AvgIn: %2 AvgOut: %3 SpikeIn: …	Operational
1019	CDE reported an unblocked profile Interface: %1 Type: %2 Profile: %3.	Operational
1020	WCM Preferred Order List.	Operational
1022	WCM entered connected standby	Operational
1023	WCM exited connected standby	Operational
1024	Acquired NDIS NIC Active Reference for interface.	Diagnostic
1025	Released NDIS NIC Active Reference for interface.	Diagnostic
1026	CDE reported an NDIS adapter arrival Interface: %1 Type: %2.	Operational
1027	CDE reported an NDIS adapter removal Interface: %1 Type: %2.	Operational
1028	WCM entered net quiet mode	Operational
1029	WCM exited net quiet mode	Operational
1030	Billing Cycle Reset Successful	Operational
1031	Server Time Retrieval Failure	Operational
1032	Acquire NDIS NIC Active Reference Failed for interface.	Operational
1033	Release NDIS NIC Active Reference Failed for interface.	Operational
1034	OnDemandInterfaceStateChanged.	Operational
1035	OnDemand PDP Profile Created.	Diagnostic
1036	OnDemand PDP Profile Deleted.	Diagnostic
1037	OnDemand Request opened.	Operational
1038	OnDemand Request closed.	Operational
1039	OnDemand Request started.	Diagnostic
1040	OnDemand Request cancelled.	Diagnostic
1050	WcmSvc acquired the NIC reference for Interface: %1 for reason: %2.	Diagnostic
1051	WcmSvc released the NIC reference for Interface: %1 for reason: %2.	Diagnostic
1052	WcmSvc signalled disconnected standby	Operational
1053	WcmSvc signalled end of disconnected standby	Operational
1054	WcmSvc received power policy update for networking in standby - the new policy …	Operational
4020	End of Wwan Resume Reconnect	Diagnostic
4021	End of Wlan Resume Reconnect to Same Network	Diagnostic
4022	End of Wlan Resume Reconnect to Same Network OneX	Diagnostic
4023	End of Wlan Resume Reconnect to Different Network	Diagnostic
4024	End of Wlan Resume Reconnect to Different Network OneX	Diagnostic
4025	Cancel of Wlan Resume Reconnect2	Diagnostic
4026		Diagnostic
4027	WcmSvc CmPdcActivationClientRegister - Status [.	Operational
4028	WcmSvc CmPdcActivationClientUnregister - Status [.	Operational
4029	WcmSvc CmPdcActivationClientActivityRequest - Activate [.	Operational
4030	WcmSvc SetNetworkReference - Activate [.	Operational
4031	WcmSvc ReleaseNetworkReferenceInProcess - ProcessId [.	Operational
4032	WcmSvc AcquireNdisReference - Result [.	Operational
4033	WcmSvc ReleaseNdisReference - Result [.	Operational
4034	WcmSvc ReleaseNdisReferenceInProcess - ProcessId [.	Operational
4035	WcmSvc NdisReferenceError - [.	Operational
4036	CmService::NdisReference - [.	Operational
10001	WCMSVC: Start WCM Service Startup	Operational
10002	WCMSVC: Complete WCM Service Startup	Operational
10003	WCMSVC: Start Service Shutdown	Operational
10004	WCMSVC: Complete Service Shutdown	Operational
10005	Tethering Manager Loaded Successfully	Diagnostic
10006	Tethering Manager Unloaded Successfully	Diagnostic

Event ID 1001 — WCMSVC: Service Startup

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational

Message

WCMSVC: Service Startup

Event ID 1002 — WCMSVC: Service Shutdown

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational

Message

WCMSVC: Service Shutdown

Event ID 1003 — CDE reported a state change State: %1 Name: %2.

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Level: 4
Samples: 1

Message

CDE reported a state change 

 State: %1 

 Name: %2

Fields

Name	Description
`Status`	—
`Name`	—

Example Event

system:
  provider: Microsoft-Windows-Wcmsvc
  guid: 67D07935-283A-4791-8F8D-FA9117F3E6F2
  event_source_name: ''
  event_id: 1003
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223372036854775840
  time_created: '2023-11-06T06:25:42.259570+00:00'
  event_record_id: 100
  correlation: {}
  execution:
    process_id: 2540
    thread_id: 3204
  channel: Microsoft-Windows-Wcmsvc/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-19
event_data:
  Status: 1
  Name: 2
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 1004 — A Group Policy change was processed

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Level: 4
Samples: 1

Message

A Group Policy change was processed

Example Event

system:
  provider: Microsoft-Windows-Wcmsvc
  guid: 67D07935-283A-4791-8F8D-FA9117F3E6F2
  event_source_name: ''
  event_id: 1004
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-05T22:44:38.754171+00:00'
  event_record_id: 124
  correlation: {}
  execution:
    process_id: 2484
    thread_id: 6636
  channel: Microsoft-Windows-Wcmsvc/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-19
event_data: {}
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 1005 — A Power change was processed.

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational

Message

A Power change was processed. 

 Reason: %1

Fields

Name	Description
`Reason`	—

Event ID 1006 — A Terminal Services session change was processed.

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Level: 4
Samples: 1

Message

A Terminal Services session change was processed. 

 Reason: %1

Fields

Name	Description
`Reason`	—

Example Event

system:
  provider: Microsoft-Windows-Wcmsvc
  guid: 67D07935-283A-4791-8F8D-FA9117F3E6F2
  event_source_name: ''
  event_id: 1006
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223372036854775840
  time_created: '2023-11-05T22:32:23.678433+00:00'
  event_record_id: 123
  correlation: {}
  execution:
    process_id: 2484
    thread_id: 2872
  channel: Microsoft-Windows-Wcmsvc/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-19
event_data:
  Reason: 5
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 1007 — CDE reported a state change State: %1 Name: Nlasvc.

Provider: Microsoft-Windows-Wcmsvc
Channel: Diagnostic

Message

CDE reported a state change 

 State: %1 

 Name: Nlasvc.

Fields

Name	Description
`Status`	—

Event ID 1008 — NLA interface property change Interface: %1 Internet v4: %2 Internet v6: %3 Probe Complete v4: %4 Probe Complete v6: %5 Domain Authenticated: %6 Do...

Provider: Microsoft-Windows-Wcmsvc
Channel: Diagnostic

Message

NLA interface property change 

Interface: %1
Internet v4: %2
Internet v6: %3
Probe Complete v4: %4
Probe Complete v6: %5
Domain Authenticated: %6
Domain Probe Complete: %7

Fields

Name	Description
`InterfaceGUID`	—
`InternetConnectivityv4`	—
`InternetConnectivityv6`	—
`InternetProbeCompletev4`	—
`InternetProbeCompletev6`	—
`DomainConnectivity`	—
`DomainProbeComplete`	—

Event ID 1009 — CDE reported an L2 adapter arrival Interface: %1 Type: %2.

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Level: 4
Samples: 1

Message

CDE reported an L2 adapter arrival 

 Interface: %1 

 Type: %2

Fields

Name	Description
`InterfaceGuid`	—
`MediaType`	—

Example Event

system:
  provider: Microsoft-Windows-Wcmsvc
  guid: 67D07935-283A-4791-8F8D-FA9117F3E6F2
  event_source_name: ''
  event_id: 1009
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223372036854775840
  time_created: '2023-11-06T06:25:42.356663+00:00'
  event_record_id: 103
  correlation: {}
  execution:
    process_id: 2540
    thread_id: 3204
  channel: Microsoft-Windows-Wcmsvc/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-19
event_data:
  InterfaceGuid: 3D03B11E-98A0-4304-84E2-CD3AAE8EFE1D
  MediaType: 1
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 1010 — CDE reported an L2 adapter removal Interface: %1 Type: %2.

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational

Message

CDE reported an L2 adapter removal 

 Interface: %1 

 Type: %2

Fields

Name	Description
`InterfaceGuid`	—
`MediaType`	—

Event ID 1011 — CDE reported a successful connection Interface: %1 Type: %2.

Provider: Microsoft-Windows-Wcmsvc
Channel: Diagnostic

Message

CDE reported a successful connection 

 Interface: %1 

 Type: %2

Fields

Name	Description
`InterfaceGuid`	—
`MediaType`	—

Event ID 1012 — CDE reported a connection failure Interface: %1 Type: %2 Status: %3.

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational

Message

CDE reported a connection failure 

 Interface: %1 

 Type: %2

 Status: %3

Fields

Name	Description
`InterfaceGuid`	—
`MediaType`	—
`Status`	—

Event ID 1013 — CDE reported a disconnection Interface: %1 Type: %2.

Provider: Microsoft-Windows-Wcmsvc
Channel: Diagnostic

Message

CDE reported a disconnection 

 Interface: %1 

 Type: %2

Fields

Name	Description
`InterfaceGuid`	—
`MediaType`	—

Event ID 1014 — WcmSetParameter Called Interface: %1 Profile Name: %2 Wcm Opcode: %3 Data Length: %4 Caller Process ID: %5 Return Value: %6.

Provider: Microsoft-Windows-Wcmsvc
Channel: Diagnostic

Message

WcmSetParameter Called

Interface: %1
Profile Name: %2
Wcm Opcode: %3
Data Length: %4
Caller Process ID: %5
Return Value: %6

Fields

Name	Description
`InterfaceGUID`	—
`ProfileName`	—
`WcmOpcode`	—
`Datalength`	—
`CallerProcessID`	—
`ReturnValue`	—

Event ID 1015 — Interface Token Applied Interface: %1 Media Type: %2 Manual enabled: %3 Manual Filter: %4 Num Manual: %5 Manual Profiles: %6 Auto enabled: %7 Auto ...

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational

Message

Interface Token Applied

Interface: %1
Media Type: %2
Manual enabled: %3
Manual Filter: %4
Num Manual: %5
Manual Profiles: %6
Auto enabled: %7
Auto filter: %8
Num Auto: %9
Auto Profiles: %10

Fields

Name	Description
`Interface GUID`	—
`Mediatype`	—
`manualConnectEnabled`	—
`autoConnectEnabled`	—

Event ID 1016 — Interface Token Failed Interface: %1 Media Type: %2 Manual enabled: %3 Manual Filter: %4 Num Manual: %5 Manual Profiles: %6 Auto enabled: %7 Auto f...

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational

Message

Interface Token Failed

Interface: %1
Media Type: %2
Manual enabled: %3
Manual Filter: %4
Num Manual: %5
Manual Profiles: %6
Auto enabled: %7
Auto filter: %8
Num Auto: %9
AutoProfiles: %10
Status: %11

Fields

Name	Description
`Interface GUID`	—
`Mediatype`	—
`manualConnectEnabled`	—
`autoConnectEnabled`	—
`Error`	—

Event ID 1017 — Soft disconnect over thresholds for interface: %1 AvgIn: %2 AvgOut: %3 SpikeIn: %4 SpikeOut: %5 Thresholds: AvgIn: %6 AvgOut: %7 SpikeIn: %8 SpikeO...

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational

Message

Soft disconnect over thresholds for interface: %1
AvgIn: %2 AvgOut: %3 SpikeIn: %4 SpikeOut: %5
Thresholds: AvgIn: %6 AvgOut: %7 SpikeIn: %8 SpikeOut:%9
All values are in bytes/second

Fields

Name	Description
`InterfaceGUID`	—
`AvgIn`	—
`AvgOut`	—
`SpikeIn`	—
`SpikeOut`	—
`ThresholdAvgIn`	—
`ThresholdAvgOut`	—
`ThresholdSpikeIn`	—
`ThresholdSpikeOut`	—

Event ID 1018 — Soft disconnect under thresholds for interface: %1 AvgIn: %2 AvgOut: %3 SpikeIn: %4 SpikeOut: %5 Thresholds: AvgIn: %6 AvgOut: %7 SpikeIn: %8 Spike...

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational

Message

Soft disconnect under thresholds for interface: %1
AvgIn: %2 AvgOut: %3 SpikeIn: %4 SpikeOut: %5
Thresholds: AvgIn: %6 AvgOut: %7 SpikeIn: %8 SpikeOut:%9
All values are in bytes/second

Fields

Name	Description
`InterfaceGUID`	—
`AvgIn`	—
`AvgOut`	—
`SpikeIn`	—
`SpikeOut`	—
`ThresholdAvgIn`	—
`ThresholdAvgOut`	—
`ThresholdSpikeIn`	—
`ThresholdSpikeOut`	—

Event ID 1019 — CDE reported an unblocked profile Interface: %1 Type: %2 Profile: %3.

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational

Message

CDE reported an unblocked profile 

 Interface: %1 

 Type: %2

 Profile: %3

Fields

Name	Description
`InterfaceGuid`	—
`MediaType`	—
`ProfileName`	—

Event ID 1020 — WCM Preferred Order List.

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Level: 4
Samples: 1

Message

WCM Preferred Order List:
%1

Fields

Name	Description
`WCM Preferred Order List`	—

Example Event

system:
  provider: Microsoft-Windows-Wcmsvc
  guid: 67D07935-283A-4791-8F8D-FA9117F3E6F2
  event_source_name: ''
  event_id: 1020
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223372036854775840
  time_created: '2023-10-26T04:17:43.215170+00:00'
  event_record_id: 9
  correlation: {}
  execution:
    process_id: 2288
    thread_id: 2612
  channel: Microsoft-Windows-Wcmsvc/Operational
  computer: WIN-OQ6R0RVA4NF
  security:
    user_id: S-1-5-19
event_data:
  WCM Preferred Order List: '0: {3D03B11E-98A0-4304-84E2-CD3AAE8EFE1D}, Ethernet,
    1

    1: {8E4162AD-6500-4899-BA95-24051405E207}, Ethernet, 1

    '
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 1022 — WCM entered connected standby

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational

Message

WCM entered connected standby

Event ID 1023 — WCM exited connected standby

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational

Message

WCM exited connected standby

Event ID 1024 — Acquired NDIS NIC Active Reference for interface.

Provider: Microsoft-Windows-Wcmsvc
Channel: Diagnostic

Message

Acquired NDIS NIC Active Reference for interface: %1

Fields

Name	Description
`InterfaceGUID`	—

Event ID 1025 — Released NDIS NIC Active Reference for interface.

Provider: Microsoft-Windows-Wcmsvc
Channel: Diagnostic

Message

Released NDIS NIC Active Reference for interface: %1

Fields

Name	Description
`InterfaceGUID`	—

Event ID 1026 — CDE reported an NDIS adapter arrival Interface: %1 Type: %2.

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Level: 4
Samples: 1

Message

CDE reported an NDIS adapter arrival 

 Interface: %1 

 Type: %2

Fields

Name	Description
`InterfaceGuid`	—
`MediaType`	—

Example Event

system:
  provider: Microsoft-Windows-Wcmsvc
  guid: 67D07935-283A-4791-8F8D-FA9117F3E6F2
  event_source_name: ''
  event_id: 1026
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223372036854775840
  time_created: '2022-04-07T16:53:13.091504+00:00'
  event_record_id: 39
  correlation: {}
  execution:
    process_id: 1488
    thread_id: 1596
  channel: Microsoft-Windows-Wcmsvc/Operational
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-19
event_data:
  InterfaceGuid: 00C20B5F-2254-4D8F-9391-4EED3B6F783D
  MediaType: 1
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 1027 — CDE reported an NDIS adapter removal Interface: %1 Type: %2.

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational

Message

CDE reported an NDIS adapter removal 

 Interface: %1 

 Type: %2

Fields

Name	Description
`InterfaceGuid`	—
`MediaType`	—

Event ID 1028 — WCM entered net quiet mode

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational

Message

WCM entered net quiet mode

Event ID 1029 — WCM exited net quiet mode

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational

Message

WCM exited net quiet mode

Event ID 1030 — Billing Cycle Reset Successful

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational

Message

Billing Cycle Reset Successful

Fields

Name	Description
`ProfileName`	—
`InterfaceGuid`	—
`ProfileUpdatedorDeleted`	—

Event ID 1031 — Server Time Retrieval Failure

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational

Message

Server Time Retrieval Failure

Fields

Name	Description
`ConfigtoSyncWithTimeServer`	—
`TimeServerName`	—
`NumServerTimeRetries`	—
`ServerTimeRetrievalError`	—

Event ID 1032 — Acquire NDIS NIC Active Reference Failed for interface.

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational

Message

Acquire NDIS NIC Active Reference Failed for interface: %1

Fields

Name	Description
`InterfaceGUID`	—
`NdisRefError`	—

Event ID 1033 — Release NDIS NIC Active Reference Failed for interface.

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational

Message

Release NDIS NIC Active Reference Failed for interface: %1

Fields

Name	Description
`InterfaceGUID`	—
`NdisRefError`	—

Event ID 1034 — OnDemandInterfaceStateChanged.

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational

Message

OnDemandInterfaceStateChanged. OnDemandType:%1, Interface: %2, OnDemandInfo:%3, ProviderID:%4, NewState:%5, Ref counter:%6

Fields

Name	Description
`OnDemandType`	—
`InterfaceGUID`	—
`OnDemandInfo`	—
`ProviderID`	—
`NewState`	—
`Refcount`	—

Event ID 1035 — OnDemand PDP Profile Created.

Provider: Microsoft-Windows-Wcmsvc
Channel: Diagnostic

Message

OnDemand PDP Profile Created. OnDemandInfo:%1, ProviderID:%2, SubscriberID:%3, Profile Name:%4

Fields

Name	Description
`APNname`	—
`ProviderID`	—
`SubscriberID`	—
`Profilename`	—

Event ID 1036 — OnDemand PDP Profile Deleted.

Provider: Microsoft-Windows-Wcmsvc
Channel: Diagnostic

Message

OnDemand PDP Profile Deleted. Profile Name:%1

Fields

Name	Description
`Profilename`	—

Event ID 1037 — OnDemand Request opened.

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational

Message

OnDemand Request opened. App ID:%1, ProcessID:%2,OnDemandType:%3, OnDemandInfo:%4, ProviderID:%5, Error: %6

Fields

Name	Description
`AppID`	—
`ProcessID`	—
`OnDemandType`	—
`OnDemandInfo`	—
`ProviderID`	—
`Error`	—

Event ID 1038 — OnDemand Request closed.

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational

Message

OnDemand Request closed. App ID:%1, ProcessID:%2,OnDemandType:%3, OnDemandInfo:%4, ProviderID:%5, Error: %6

Fields

Name	Description
`AppID`	—
`ProcessID`	—
`OnDemandType`	—
`OnDemandInfo`	—
`ProviderID`	—
`Error`	—

Event ID 1039 — OnDemand Request started.

Provider: Microsoft-Windows-Wcmsvc
Channel: Diagnostic

Message

OnDemand Request started. App ID:%1, ProcessID:%2,OnDemandType:%3, OnDemandInfo:%4, ProviderID:%5, Error: %6

Fields

Name	Description
`AppID`	—
`ProcessID`	—
`OnDemandType`	—
`OnDemandInfo`	—
`ProviderID`	—
`Error`	—

Event ID 1040 — OnDemand Request cancelled.

Provider: Microsoft-Windows-Wcmsvc
Channel: Diagnostic

Message

OnDemand Request cancelled. App ID:%1, ProcessID:%2,OnDemandType:%3, OnDemandInfo:%4, ProviderID:%5, Error: %6

Fields

Name	Description
`AppID`	—
`ProcessID`	—
`OnDemandType`	—
`OnDemandInfo`	—
`ProviderID`	—
`Error`	—

Event ID 1050 — WcmSvc acquired the NIC reference for Interface: %1 for reason: %2.

Provider: Microsoft-Windows-Wcmsvc
Channel: Diagnostic

Message

WcmSvc acquired the NIC reference for Interface: %1 for reason: %2

Fields

Name	Description
`InterfaceGUID`	—
`ActionType`	—

Event ID 1051 — WcmSvc released the NIC reference for Interface: %1 for reason: %2.

Provider: Microsoft-Windows-Wcmsvc
Channel: Diagnostic

Message

WcmSvc released the NIC reference for Interface: %1 for reason: %2

Fields

Name	Description
`InterfaceGUID`	—
`ActionType`	—

Event ID 1052 — WcmSvc signalled disconnected standby

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational

Message

WcmSvc signalled disconnected standby

Event ID 1053 — WcmSvc signalled end of disconnected standby

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational

Message

WcmSvc signalled end of disconnected standby

Event ID 1054 — WcmSvc received power policy update for networking in standby - the new policy value is %1.

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational

Message

WcmSvc received power policy update for networking in standby - the new policy value is %1

Fields

Name	Description
`PolicyValue`	—

Event ID 4020 — End of Wwan Resume Reconnect

Provider: Microsoft-Windows-Wcmsvc
Channel: Diagnostic

Message

End of Wwan Resume Reconnect

Fields

Name	Description
`InterfaceGuid`	—

Event ID 4021 — End of Wlan Resume Reconnect to Same Network

Provider: Microsoft-Windows-Wcmsvc
Channel: Diagnostic

Message

End of Wlan Resume Reconnect to Same Network

Fields

Name	Description
`InterfaceGuid`	—

Event ID 4022 — End of Wlan Resume Reconnect to Same Network OneX

Provider: Microsoft-Windows-Wcmsvc
Channel: Diagnostic

Message

End of Wlan Resume Reconnect to Same Network OneX

Fields

Name	Description
`InterfaceGuid`	—

Event ID 4023 — End of Wlan Resume Reconnect to Different Network

Provider: Microsoft-Windows-Wcmsvc
Channel: Diagnostic

Message

End of Wlan Resume Reconnect to Different Network

Fields

Name	Description
`InterfaceGuid`	—

Event ID 4024 — End of Wlan Resume Reconnect to Different Network OneX

Provider: Microsoft-Windows-Wcmsvc
Channel: Diagnostic

Message

End of Wlan Resume Reconnect to Different Network OneX

Fields

Name	Description
`InterfaceGuid`	—

Event ID 4025 — Cancel of Wlan Resume Reconnect2

Provider: Microsoft-Windows-Wcmsvc
Channel: Diagnostic

Message

Cancel of Wlan Resume Reconnect2

Fields

Name	Description
`InterfaceGuid`	—

Event ID 4026 —

Provider: Microsoft-Windows-Wcmsvc
Channel: Diagnostic

Fields

Name	Description
`InterfaceGuid`	—

Event ID 4027 — WcmSvc CmPdcActivationClientRegister - Status [.

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational

Message

WcmSvc CmPdcActivationClientRegister - Status [%1]

Fields

Name	Description
`Status`	—

Event ID 4028 — WcmSvc CmPdcActivationClientUnregister - Status [.

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational

Message

WcmSvc CmPdcActivationClientUnregister - Status [%1]

Fields

Name	Description
`Status`	—

Event ID 4029 — WcmSvc CmPdcActivationClientActivityRequest - Activate [.

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational

Message

WcmSvc CmPdcActivationClientActivityRequest - Activate [%1], Status [%2]

Fields

Name	Description
`Activity`	—
`Status`	—

Event ID 4030 — WcmSvc SetNetworkReference - Activate [.

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational

Message

WcmSvc SetNetworkReference - Activate [%1], Result [%2], TotalNetworkRefCount [%3], ProcessId [%4], PerProcessNetworkRefCount [%5], App [%6]

Fields

Name	Description
`Activate`	—
`Result`	—
`TotalNetworkRefCount`	—
`ProcessId`	—
`ProcessNetworkRefCount`	—
`AppName`	—

Event ID 4031 — WcmSvc ReleaseNetworkReferenceInProcess - ProcessId [.

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational

Message

WcmSvc ReleaseNetworkReferenceInProcess - ProcessId [%1], PerProcessNetworkRefCount [%2], TotalNetworkRefCount [%3]

Fields

Name	Description
`ProcessId`	—
`ProcessNetworkRefCount`	—
`TotalNetworkRefCount`	—

Event ID 4032 — WcmSvc AcquireNdisReference - Result [.

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational

Message

WcmSvc AcquireNdisReference - Result [%1], TotalCmNdisRefCount [%2], ProcessId [%3], PerProcessCmNdisRefCount [%4], App [%5]

Fields

Name	Description
`Result`	—
`TotalCmNdisRefCount`	—
`ProcessId`	—
`PerProcessCmNdisRefCount`	—
`AppName`	—

Event ID 4033 — WcmSvc ReleaseNdisReference - Result [.

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational

Message

WcmSvc ReleaseNdisReference - Result [%1], TotalCmNdisRefCount [%2], ProcessId [%3], PerProcessCmNdisRefCount [%4], App [%5]

Fields

Name	Description
`Result`	—
`TotalCmNdisRefCount`	—
`ProcessId`	—
`PerProcessCmNdisRefCount`	—
`AppName`	—

Event ID 4034 — WcmSvc ReleaseNdisReferenceInProcess - ProcessId [.

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational

Message

WcmSvc ReleaseNdisReferenceInProcess - ProcessId [%1], PerProcessCmNdisRefCount [%2], TotalCmNdisRefCount [%3]

Fields

Name	Description
`ProcessId`	—
`ProcessNetworkRefCount`	—
`TotalNetworkRefCount`	—

Event ID 4035 — WcmSvc NdisReferenceError - [.

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational

Message

WcmSvc NdisReferenceError - [%1]: Result [%2]

Fields

Name	Description
`FunctionName`	—
`Error`	—

Event ID 4036 — CmService::NdisReference - [.

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational

Message

CmService::NdisReference - [%1] InterfaceLuid [%2], Result [%3]

Fields

Name	Description
`AcquireRelease`	—
`InterfaceLuid`	—
`Result`	—

Event ID 10001 — WCMSVC: Start WCM Service Startup

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Level: 4
Samples: 1

Message

WCMSVC: Start WCM Service Startup

Example Event

system:
  provider: Microsoft-Windows-Wcmsvc
  guid: 67D07935-283A-4791-8F8D-FA9117F3E6F2
  event_source_name: ''
  event_id: 10001
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-06T06:25:41.759091+00:00'
  event_record_id: 98
  correlation: {}
  execution:
    process_id: 2540
    thread_id: 2940
  channel: Microsoft-Windows-Wcmsvc/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-19
event_data: {}
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 10002 — WCMSVC: Complete WCM Service Startup

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Level: 4
Samples: 1

Message

WCMSVC: Complete WCM Service Startup

Example Event

system:
  provider: Microsoft-Windows-Wcmsvc
  guid: 67D07935-283A-4791-8F8D-FA9117F3E6F2
  event_source_name: ''
  event_id: 10002
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-06T06:25:42.274933+00:00'
  event_record_id: 102
  correlation: {}
  execution:
    process_id: 2540
    thread_id: 2940
  channel: Microsoft-Windows-Wcmsvc/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-19
event_data: {}
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 10003 — WCMSVC: Start Service Shutdown

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Level: 4
Samples: 1

Message

WCMSVC: Start Service Shutdown

Example Event

system:
  provider: Microsoft-Windows-Wcmsvc
  guid: 67D07935-283A-4791-8F8D-FA9117F3E6F2
  event_source_name: ''
  event_id: 10003
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-05T22:31:36.633156+00:00'
  event_record_id: 115
  correlation: {}
  execution:
    process_id: 2584
    thread_id: 5648
  channel: Microsoft-Windows-Wcmsvc/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-19
event_data: {}
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 10004 — WCMSVC: Complete Service Shutdown

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Level: 4
Samples: 1

Message

WCMSVC: Complete Service Shutdown

Example Event

system:
  provider: Microsoft-Windows-Wcmsvc
  guid: 67D07935-283A-4791-8F8D-FA9117F3E6F2
  event_source_name: ''
  event_id: 10004
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-05T22:31:37.882676+00:00'
  event_record_id: 116
  correlation: {}
  execution:
    process_id: 2584
    thread_id: 5648
  channel: Microsoft-Windows-Wcmsvc/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-19
event_data: {}
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 10005 — Tethering Manager Loaded Successfully

Provider: Microsoft-Windows-Wcmsvc
Channel: Diagnostic

Message

Tethering Manager Loaded Successfully

Event ID 10006 — Tethering Manager Unloaded Successfully

Provider: Microsoft-Windows-Wcmsvc
Channel: Diagnostic

Message

Tethering Manager Unloaded Successfully