Microsoft-Windows-Wcmsvc

67 events across 2 channels

Event ID	Title	Channel
1001	WCMSVC: Service Startup	Operational
1002	WCMSVC: Service Shutdown	Operational
1003	CDE reported a state change.	Operational
1004	A Group Policy change was processed	Operational
1005	A Power change was processed.	Operational
1006	A Terminal Services session change was processed.	Operational
1007	CDE reported a state change.	Diagnostic
1008	NLA interface property change.	Diagnostic
1009	CDE reported an L2 adapter arrival.	Operational
1010	CDE reported an L2 adapter removal.	Operational
1011	CDE reported a successful connection.	Diagnostic
1012	CDE reported a connection failure.	Operational
1013	CDE reported a disconnection.	Diagnostic
1014	WcmSetParameter Called.	Diagnostic
1015	Interface Token Applied.	Operational
1016	Interface Token Failed.	Operational
1017	Soft disconnect over thresholds for interface: InterfaceGUID.	Operational
1018	Soft disconnect under thresholds for interface: InterfaceGUID.	Operational
1019	CDE reported an unblocked profile.	Operational
1020	WCM Preferred Order List.	Operational
1022	WCM entered connected standby	Operational
1023	WCM exited connected standby	Operational
1024	Acquired NDIS NIC Active Reference for interface: InterfaceGUID.	Diagnostic
1025	Released NDIS NIC Active Reference for interface: InterfaceGUID.	Diagnostic
1026	CDE reported an NDIS adapter arrival.	Operational
1027	CDE reported an NDIS adapter removal.	Operational
1028	WCM entered net quiet mode	Operational
1029	WCM exited net quiet mode	Operational
1030	Billing Cycle Reset Successful	Operational
1031	Server Time Retrieval Failure	Operational
1032	Acquire NDIS NIC Active Reference Failed for interface: InterfaceGUID.	Operational
1033	Release NDIS NIC Active Reference Failed for interface: InterfaceGUID.	Operational
1034	OnDemandInterfaceStateChanged.	Operational
1035	OnDemand PDP Profile Created.	Diagnostic
1036	OnDemand PDP Profile Deleted.	Diagnostic
1037	OnDemand Request opened.	Operational
1038	OnDemand Request closed.	Operational
1039	OnDemand Request started.	Diagnostic
1040	OnDemand Request cancelled.	Diagnostic
1050	WcmSvc acquired the NIC reference for Interface: InterfaceGUID for reason: …	Diagnostic
1051	WcmSvc released the NIC reference for Interface: InterfaceGUID for reason: …	Diagnostic
1052	WcmSvc signalled disconnected standby	Operational
1053	WcmSvc signalled end of disconnected standby	Operational
1054	WcmSvc received power policy update for networking in standby - the new policy …	Operational
4020	End of Wwan Resume Reconnect	Diagnostic
4021	End of Wlan Resume Reconnect to Same Network	Diagnostic
4022	End of Wlan Resume Reconnect to Same Network OneX	Diagnostic
4023	End of Wlan Resume Reconnect to Different Network	Diagnostic
4024	End of Wlan Resume Reconnect to Different Network OneX	Diagnostic
4025	Cancel of Wlan Resume Reconnect2	Diagnostic
4026		Diagnostic
4027	WcmSvc CmPdcActivationClientRegister - Status [Status].	Operational
4028	WcmSvc CmPdcActivationClientUnregister - Status [Status].	Operational
4029	WcmSvc CmPdcActivationClientActivityRequest - Activate [Activity], Status …	Operational
4030	WcmSvc SetNetworkReference - Activate [Activate], Result [Result], …	Operational
4031	WcmSvc ReleaseNetworkReferenceInProcess - ProcessId [ProcessId], …	Operational
4032	WcmSvc AcquireNdisReference - Result [Result], TotalCmNdisRefCount …	Operational
4033	WcmSvc ReleaseNdisReference - Result [Result], TotalCmNdisRefCount …	Operational
4034	WcmSvc ReleaseNdisReferenceInProcess - ProcessId [ProcessId], …	Operational
4035	WcmSvc NdisReferenceError - [FunctionName]: Result [Error].	Operational
4036	CmService::NdisReference - [AcquireRelease] InterfaceLuid [InterfaceLuid], …	Operational
10001	WCMSVC: Start WCM Service Startup	Operational
10002	WCMSVC: Complete WCM Service Startup	Operational
10003	WCMSVC: Start Service Shutdown	Operational
10004	WCMSVC: Complete Service Shutdown	Operational
10005	Tethering Manager Loaded Successfully	Diagnostic
10006	Tethering Manager Unloaded Successfully	Diagnostic

Event ID 1001 — WCMSVC: Service Startup

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Opcode: Info

Description

WCMSVC: Service Startup.

Message #

WCMSVC: Service Startup

Event ID 1002 — WCMSVC: Service Shutdown

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Opcode: Info

Description

WCMSVC: Service Shutdown.

Message #

WCMSVC: Service Shutdown

Event ID 1003 — CDE reported a state change.

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Level: Informational
Opcode: Info

Description

CDE reported a state change.

Message #

CDE reported a state change 

 State: %1 

 Name: %2

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference
`Name` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Wcmsvc",
    "guid": "67D07935-283A-4791-8F8D-FA9117F3E6F2",
    "event_source_name": "",
    "event_id": 1003,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775840,
    "time_created": "2023-11-06T06:25:42.259570+00:00",
    "event_record_id": 100,
    "correlation": {},
    "execution": {
      "process_id": 2540,
      "thread_id": 3204
    },
    "channel": "Microsoft-Windows-Wcmsvc/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "Status": 1,
    "Name": 2
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 1004 — A Group Policy change was processed

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Level: Informational
Opcode: Info

Description

A Group Policy change was processed.

Message #

A Group Policy change was processed

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Wcmsvc",
    "guid": "67D07935-283A-4791-8F8D-FA9117F3E6F2",
    "event_source_name": "",
    "event_id": 1004,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-05T22:44:38.754171+00:00",
    "event_record_id": 124,
    "correlation": {},
    "execution": {
      "process_id": 2484,
      "thread_id": 6636
    },
    "channel": "Microsoft-Windows-Wcmsvc/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {},
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 1005 — A Power change was processed.

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Opcode: Info

Description

A Power change was processed.

Message #

A Power change was processed. 

 Reason: %1

Fields #

Name	Description
`Reason` UInt32	—

Event ID 1006 — A Terminal Services session change was processed.

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Level: Informational
Opcode: Info

Description

A Terminal Services session change was processed.

Message #

A Terminal Services session change was processed. 

 Reason: %1

Fields #

Name	Description
`Reason` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Wcmsvc",
    "guid": "67D07935-283A-4791-8F8D-FA9117F3E6F2",
    "event_source_name": "",
    "event_id": 1006,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775840,
    "time_created": "2023-11-05T22:32:23.678433+00:00",
    "event_record_id": 123,
    "correlation": {},
    "execution": {
      "process_id": 2484,
      "thread_id": 2872
    },
    "channel": "Microsoft-Windows-Wcmsvc/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "Reason": 5
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 1007 — CDE reported a state change.

Provider: Microsoft-Windows-Wcmsvc
Channel: Diagnostic
Opcode: Info

Description

CDE reported a state change.

Message #

CDE reported a state change 

 State: %1 

 Name: Nlasvc.

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference

Event ID 1008 — NLA interface property change.

Provider: Microsoft-Windows-Wcmsvc
Channel: Diagnostic
Opcode: Info

Description

NLA interface property change.

Message #

NLA interface property change 

Interface: %1
Internet v4: %2
Internet v6: %3
Probe Complete v4: %4
Probe Complete v6: %5
Domain Authenticated: %6
Domain Probe Complete: %7

Fields #

Name	Description
`InterfaceGUID` GUID	—
`InternetConnectivityv4` Boolean	—
`InternetConnectivityv6` Boolean	—
`InternetProbeCompletev4` Boolean	—
`InternetProbeCompletev6` Boolean	—
`DomainConnectivity` Boolean	—
`DomainProbeComplete` Boolean	—

Event ID 1009 — CDE reported an L2 adapter arrival.

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Level: Informational
Opcode: Info

Description

CDE reported an L2 adapter arrival.

Message #

CDE reported an L2 adapter arrival 

 Interface: %1 

 Type: %2

Fields #

Name	Description
`InterfaceGuid` GUID	—
`MediaType` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Wcmsvc",
    "guid": "67D07935-283A-4791-8F8D-FA9117F3E6F2",
    "event_source_name": "",
    "event_id": 1009,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775840,
    "time_created": "2023-11-06T06:25:42.356663+00:00",
    "event_record_id": 103,
    "correlation": {},
    "execution": {
      "process_id": 2540,
      "thread_id": 3204
    },
    "channel": "Microsoft-Windows-Wcmsvc/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "InterfaceGuid": "3D03B11E-98A0-4304-84E2-CD3AAE8EFE1D",
    "MediaType": 1
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 1010 — CDE reported an L2 adapter removal.

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Level: Informational
Opcode: Info

Description

CDE reported an L2 adapter removal.

Message #

CDE reported an L2 adapter removal 

 Interface: %1 

 Type: %2

Fields #

Name	Description
`InterfaceGuid` GUID	—
`MediaType` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Wcmsvc",
    "guid": "67D07935-283A-4791-8F8D-FA9117F3E6F2",
    "event_source_name": "",
    "event_id": 1010,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775840,
    "time_created": "2026-03-13T20:18:51.255303+00:00",
    "event_record_id": 170,
    "correlation": {},
    "execution": {
      "process_id": 2572,
      "thread_id": 2756
    },
    "channel": "Microsoft-Windows-Wcmsvc/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "InterfaceGuid": "2A7BD48E-DDC6-4641-9F41-682F29F1D76C",
    "MediaType": 1
  },
  "message": ""
}

Event ID 1011 — CDE reported a successful connection.

Provider: Microsoft-Windows-Wcmsvc
Channel: Diagnostic
Opcode: Info

Description

CDE reported a successful connection.

Message #

CDE reported a successful connection 

 Interface: %1 

 Type: %2

Fields #

Name	Description
`InterfaceGuid` GUID	—
`MediaType` UInt32	—

Event ID 1012 — CDE reported a connection failure.

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Opcode: Info

Description

CDE reported a connection failure.

Message #

CDE reported a connection failure 

 Interface: %1 

 Type: %2

 Status: %3

Fields #

Name	Description
`InterfaceGuid` GUID	—
`MediaType` UInt32	—
`Status` UInt32	— NTSTATUS reference

Event ID 1013 — CDE reported a disconnection.

Provider: Microsoft-Windows-Wcmsvc
Channel: Diagnostic
Opcode: Info

Description

CDE reported a disconnection.

Message #

CDE reported a disconnection 

 Interface: %1 

 Type: %2

Fields #

Name	Description
`InterfaceGuid` GUID	—
`MediaType` UInt32	—

Event ID 1014 — WcmSetParameter Called.

Provider: Microsoft-Windows-Wcmsvc
Channel: Diagnostic
Opcode: Info

Description

WcmSetParameter Called.

Message #

WcmSetParameter Called

Interface: %1
Profile Name: %2
Wcm Opcode: %3
Data Length: %4
Caller Process ID: %5
Return Value: %6

Fields #

Name	Description
`InterfaceGUID` GUID	—
`ProfileName` UnicodeString	—
`WcmOpcode` UInt32	—
`Datalength` UInt32	—
`CallerProcessID` UInt32	—
`ReturnValue` UInt32	—

Event ID 1015 — Interface Token Applied.

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Opcode: Info

Description

Interface Token Applied.

Message #

Interface Token Applied

Interface: %1
Media Type: %2
Manual enabled: %3
Manual Filter: %4
Num Manual: %5
Manual Profiles: %6
Auto enabled: %7
Auto filter: %8
Num Auto: %9
Auto Profiles: %10

Fields #

Name	Description
`Interface GUID` GUID	—
`Mediatype` UInt32	—
`manualConnectEnabled` Boolean	—
`autoConnectEnabled` Boolean	—

Event ID 1016 — Interface Token Failed.

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Opcode: Info

Description

Interface Token Failed.

Message #

Interface Token Failed

Interface: %1
Media Type: %2
Manual enabled: %3
Manual Filter: %4
Num Manual: %5
Manual Profiles: %6
Auto enabled: %7
Auto filter: %8
Num Auto: %9
AutoProfiles: %10
Status: %11

Fields #

Name	Description
`Interface GUID` GUID	—
`Mediatype` UInt32	—
`manualConnectEnabled` Boolean	—
`autoConnectEnabled` Boolean	—
`Error` UInt32	—

Event ID 1017 — Soft disconnect over thresholds for interface: InterfaceGUID.

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Opcode: Info

Description

Soft disconnect over thresholds for interface: InterfaceGUID.

Message #

Soft disconnect over thresholds for interface: %1
AvgIn: %2 AvgOut: %3 SpikeIn: %4 SpikeOut: %5
Thresholds: AvgIn: %6 AvgOut: %7 SpikeIn: %8 SpikeOut:%9
All values are in bytes/second

Fields #

Name	Description
`InterfaceGUID` GUID	—
`AvgIn` UInt32	—
`AvgOut` UInt32	—
`SpikeIn` UInt32	—
`SpikeOut` UInt32	—
`ThresholdAvgIn` UInt32	—
`ThresholdAvgOut` UInt32	—
`ThresholdSpikeIn` UInt32	—
`ThresholdSpikeOut` UInt32	—

Event ID 1018 — Soft disconnect under thresholds for interface: InterfaceGUID.

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Opcode: Info

Description

Soft disconnect under thresholds for interface: InterfaceGUID.

Message #

Soft disconnect under thresholds for interface: %1
AvgIn: %2 AvgOut: %3 SpikeIn: %4 SpikeOut: %5
Thresholds: AvgIn: %6 AvgOut: %7 SpikeIn: %8 SpikeOut:%9
All values are in bytes/second

Fields #

Name	Description
`InterfaceGUID` GUID	—
`AvgIn` UInt32	—
`AvgOut` UInt32	—
`SpikeIn` UInt32	—
`SpikeOut` UInt32	—
`ThresholdAvgIn` UInt32	—
`ThresholdAvgOut` UInt32	—
`ThresholdSpikeIn` UInt32	—
`ThresholdSpikeOut` UInt32	—

Event ID 1019 — CDE reported an unblocked profile.

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Opcode: Info

Description

CDE reported an unblocked profile.

Message #

CDE reported an unblocked profile 

 Interface: %1 

 Type: %2

 Profile: %3

Fields #

Name	Description
`InterfaceGuid` GUID	—
`MediaType` UInt32	—
`ProfileName` UnicodeString	—

Event ID 1020 — WCM Preferred Order List.

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Level: Informational
Opcode: Info

Description

WCM Preferred Order List.

Message #

WCM Preferred Order List:
%1

Fields #

Name	Description
`WCM Preferred Order List` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Wcmsvc",
    "guid": "67D07935-283A-4791-8F8D-FA9117F3E6F2",
    "event_source_name": "",
    "event_id": 1020,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775840,
    "time_created": "2023-10-26T04:17:43.215170+00:00",
    "event_record_id": 9,
    "correlation": {},
    "execution": {
      "process_id": 2288,
      "thread_id": 2612
    },
    "channel": "Microsoft-Windows-Wcmsvc/Operational",
    "computer": "WIN-OQ6R0RVA4NF",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "WCM Preferred Order List": "0: {3D03B11E-98A0-4304-84E2-CD3AAE8EFE1D}, Ethernet, 1\n1: {8E4162AD-6500-4899-BA95-24051405E207}, Ethernet, 1\n"
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 1022 — WCM entered connected standby

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Opcode: Info

Description

WCM entered connected standby.

Message #

WCM entered connected standby

Event ID 1023 — WCM exited connected standby

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Opcode: Info

Description

WCM exited connected standby.

Message #

WCM exited connected standby

Event ID 1024 — Acquired NDIS NIC Active Reference for interface: InterfaceGUID.

Provider: Microsoft-Windows-Wcmsvc
Channel: Diagnostic
Opcode: Info

Description

Acquired NDIS NIC Active Reference for interface: InterfaceGUID.

Message #

Acquired NDIS NIC Active Reference for interface: %1

Fields #

Name	Description
`InterfaceGUID` GUID	—

Event ID 1025 — Released NDIS NIC Active Reference for interface: InterfaceGUID.

Provider: Microsoft-Windows-Wcmsvc
Channel: Diagnostic
Opcode: Info

Description

Released NDIS NIC Active Reference for interface: InterfaceGUID.

Message #

Released NDIS NIC Active Reference for interface: %1

Fields #

Name	Description
`InterfaceGUID` GUID	—

Event ID 1026 — CDE reported an NDIS adapter arrival.

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Level: Informational
Opcode: Info

Description

CDE reported an NDIS adapter arrival.

Message #

CDE reported an NDIS adapter arrival 

 Interface: %1 

 Type: %2

Fields #

Name	Description
`InterfaceGuid` GUID	—
`MediaType` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Wcmsvc",
    "guid": "67D07935-283A-4791-8F8D-FA9117F3E6F2",
    "event_source_name": "",
    "event_id": 1026,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775840,
    "time_created": "2022-04-07T16:53:13.091504+00:00",
    "event_record_id": 39,
    "correlation": {},
    "execution": {
      "process_id": 1488,
      "thread_id": 1596
    },
    "channel": "Microsoft-Windows-Wcmsvc/Operational",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "InterfaceGuid": "00C20B5F-2254-4D8F-9391-4EED3B6F783D",
    "MediaType": 1
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 1027 — CDE reported an NDIS adapter removal.

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Level: Informational
Opcode: Info

Description

CDE reported an NDIS adapter removal.

Message #

CDE reported an NDIS adapter removal 

 Interface: %1 

 Type: %2

Fields #

Name	Description
`InterfaceGuid` GUID	—
`MediaType` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Wcmsvc",
    "guid": "67D07935-283A-4791-8F8D-FA9117F3E6F2",
    "event_source_name": "",
    "event_id": 1027,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775840,
    "time_created": "2026-03-13T20:18:51.255300+00:00",
    "event_record_id": 169,
    "correlation": {},
    "execution": {
      "process_id": 2572,
      "thread_id": 2756
    },
    "channel": "Microsoft-Windows-Wcmsvc/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "InterfaceGuid": "2A7BD48E-DDC6-4641-9F41-682F29F1D76C",
    "MediaType": 1
  },
  "message": ""
}

Event ID 1028 — WCM entered net quiet mode

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Opcode: Info

Description

WCM entered net quiet mode.

Message #

WCM entered net quiet mode

Event ID 1029 — WCM exited net quiet mode

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Opcode: Info

Description

WCM exited net quiet mode.

Message #

WCM exited net quiet mode

Event ID 1030 — Billing Cycle Reset Successful

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Opcode: Info

Description

Billing Cycle Reset Successful.

Message #

Billing Cycle Reset Successful

Fields #

Name	Description
`ProfileName` UnicodeString	—
`InterfaceGuid` GUID	—
`ProfileUpdatedorDeleted` UnicodeString	—

Event ID 1031 — Server Time Retrieval Failure

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Opcode: Info

Description

Server Time Retrieval Failure.

Message #

Server Time Retrieval Failure

Fields #

Name	Description
`ConfigtoSyncWithTimeServer` Boolean	—
`TimeServerName` UnicodeString	—
`NumServerTimeRetries` UInt32	—
`ServerTimeRetrievalError` UInt32	—

Event ID 1032 — Acquire NDIS NIC Active Reference Failed for interface: InterfaceGUID.

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Opcode: Info

Description

Acquire NDIS NIC Active Reference Failed for interface: InterfaceGUID.

Message #

Acquire NDIS NIC Active Reference Failed for interface: %1

Fields #

Name	Description
`InterfaceGUID` GUID	—
`NdisRefError` UInt32	—

Event ID 1033 — Release NDIS NIC Active Reference Failed for interface: InterfaceGUID.

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Opcode: Info

Description

Release NDIS NIC Active Reference Failed for interface: InterfaceGUID.

Message #

Release NDIS NIC Active Reference Failed for interface: %1

Fields #

Name	Description
`InterfaceGUID` GUID	—
`NdisRefError` UInt32	—

Event ID 1034 — OnDemandInterfaceStateChanged.

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Opcode: Info

Description

OnDemandInterfaceStateChanged. OnDemandType:OnDemandType, Interface: InterfaceGUID, OnDemandInfo:OnDemandInfo, ProviderID:ProviderID, NewState:NewState, Ref counter:Refcount.

Message #

OnDemandInterfaceStateChanged. OnDemandType:%1, Interface: %2, OnDemandInfo:%3, ProviderID:%4, NewState:%5, Ref counter:%6

Fields #

Name	Description
`OnDemandType` UInt32	—
`InterfaceGUID` GUID	—
`OnDemandInfo` UnicodeString	—
`ProviderID` UnicodeString	—
`NewState` UInt32	—
`Refcount` UInt32	—

Event ID 1035 — OnDemand PDP Profile Created.

Provider: Microsoft-Windows-Wcmsvc
Channel: Diagnostic
Opcode: Info

Description

OnDemand PDP Profile Created. OnDemandInfo:APNname, ProviderID:ProviderID, SubscriberID:SubscriberID, Profile Name:Profilename.

Message #

OnDemand PDP Profile Created. OnDemandInfo:%1, ProviderID:%2, SubscriberID:%3, Profile Name:%4

Fields #

Name	Description
`APNname` UnicodeString	—
`ProviderID` UnicodeString	—
`SubscriberID` UnicodeString	—
`Profilename` UnicodeString	—

Event ID 1036 — OnDemand PDP Profile Deleted.

Provider: Microsoft-Windows-Wcmsvc
Channel: Diagnostic
Opcode: Info

Description

OnDemand PDP Profile Deleted. Profile Name:Profilename.

Message #

OnDemand PDP Profile Deleted. Profile Name:%1

Fields #

Name	Description
`Profilename` UnicodeString	—

Event ID 1037 — OnDemand Request opened.

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Opcode: Info

Description

OnDemand Request opened. App ID:AppID, ProcessID:ProcessID,OnDemandType:OnDemandType, OnDemandInfo:OnDemandInfo, ProviderID:ProviderID, Error: Error.

Message #

OnDemand Request opened. App ID:%1, ProcessID:%2,OnDemandType:%3, OnDemandInfo:%4, ProviderID:%5, Error: %6

Fields #

Name	Description
`AppID` UnicodeString	—
`ProcessID` UInt32	—
`OnDemandType` UInt32	—
`OnDemandInfo` UnicodeString	—
`ProviderID` UnicodeString	—
`Error` UInt32	—

Event ID 1038 — OnDemand Request closed.

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Opcode: Info

Description

OnDemand Request closed. App ID:AppID, ProcessID:ProcessID,OnDemandType:OnDemandType, OnDemandInfo:OnDemandInfo, ProviderID:ProviderID, Error: Error.

Message #

OnDemand Request closed. App ID:%1, ProcessID:%2,OnDemandType:%3, OnDemandInfo:%4, ProviderID:%5, Error: %6

Fields #

Name	Description
`AppID` UnicodeString	—
`ProcessID` UInt32	—
`OnDemandType` UInt32	—
`OnDemandInfo` UnicodeString	—
`ProviderID` UnicodeString	—
`Error` UInt32	—

Event ID 1039 — OnDemand Request started.

Provider: Microsoft-Windows-Wcmsvc
Channel: Diagnostic
Opcode: Info

Description

OnDemand Request started. App ID:AppID, ProcessID:ProcessID,OnDemandType:OnDemandType, OnDemandInfo:OnDemandInfo, ProviderID:ProviderID, Error: Error.

Message #

OnDemand Request started. App ID:%1, ProcessID:%2,OnDemandType:%3, OnDemandInfo:%4, ProviderID:%5, Error: %6

Fields #

Name	Description
`AppID` UnicodeString	—
`ProcessID` UInt32	—
`OnDemandType` UInt32	—
`OnDemandInfo` UnicodeString	—
`ProviderID` UnicodeString	—
`Error` UInt32	—

Event ID 1040 — OnDemand Request cancelled.

Provider: Microsoft-Windows-Wcmsvc
Channel: Diagnostic
Opcode: Info

Description

OnDemand Request cancelled. App ID:AppID, ProcessID:ProcessID,OnDemandType:OnDemandType, OnDemandInfo:OnDemandInfo, ProviderID:ProviderID, Error: Error.

Message #

OnDemand Request cancelled. App ID:%1, ProcessID:%2,OnDemandType:%3, OnDemandInfo:%4, ProviderID:%5, Error: %6

Fields #

Name	Description
`AppID` UnicodeString	—
`ProcessID` UInt32	—
`OnDemandType` UInt32	—
`OnDemandInfo` UnicodeString	—
`ProviderID` UnicodeString	—
`Error` UInt32	—

Event ID 1050 — WcmSvc acquired the NIC reference for Interface: InterfaceGUID for reason: ActionType.

Provider: Microsoft-Windows-Wcmsvc
Channel: Diagnostic
Opcode: Info

Description

WcmSvc acquired the NIC reference for Interface: InterfaceGUID for reason: ActionType.

Message #

WcmSvc acquired the NIC reference for Interface: %1 for reason: %2

Fields #

Name	Description
`InterfaceGUID` GUID	—
`ActionType` UInt32	—

Event ID 1051 — WcmSvc released the NIC reference for Interface: InterfaceGUID for reason: ActionType.

Provider: Microsoft-Windows-Wcmsvc
Channel: Diagnostic
Opcode: Info

Description

WcmSvc released the NIC reference for Interface: InterfaceGUID for reason: ActionType.

Message #

WcmSvc released the NIC reference for Interface: %1 for reason: %2

Fields #

Name	Description
`InterfaceGUID` GUID	—
`ActionType` UInt32	—

Event ID 1052 — WcmSvc signalled disconnected standby

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Opcode: Info

Description

WcmSvc signalled disconnected standby.

Message #

WcmSvc signalled disconnected standby

Event ID 1053 — WcmSvc signalled end of disconnected standby

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Opcode: Info

Description

WcmSvc signalled end of disconnected standby.

Message #

WcmSvc signalled end of disconnected standby

Event ID 1054 — WcmSvc received power policy update for networking in standby - the new policy value is PolicyValue.

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Opcode: Info

Description

WcmSvc received power policy update for networking in standby - the new policy value is PolicyValue.

Message #

WcmSvc received power policy update for networking in standby - the new policy value is %1

Fields #

Name	Description
`PolicyValue` UInt32	—

Event ID 4020 — End of Wwan Resume Reconnect

Provider: Microsoft-Windows-Wcmsvc
Channel: Diagnostic
Task: MeasureWWANResumeReconnecttask
Opcode: Stop

Description

End of Wwan Resume Reconnect.

Message #

End of Wwan Resume Reconnect

Fields #

Name	Description
`InterfaceGuid` GUID	—

Event ID 4021 — End of Wlan Resume Reconnect to Same Network

Provider: Microsoft-Windows-Wcmsvc
Channel: Diagnostic
Task: MeasureWLANResumeReconnecttask
Opcode: Stop

Description

End of Wlan Resume Reconnect to Same Network.

Message #

End of Wlan Resume Reconnect to Same Network

Fields #

Name	Description
`InterfaceGuid` GUID	—

Event ID 4022 — End of Wlan Resume Reconnect to Same Network OneX

Provider: Microsoft-Windows-Wcmsvc
Channel: Diagnostic
Task: MeasureWLANResumeReconnecttask
Opcode: Stop

Description

End of Wlan Resume Reconnect to Same Network OneX.

Message #

End of Wlan Resume Reconnect to Same Network OneX

Fields #

Name	Description
`InterfaceGuid` GUID	—

Event ID 4023 — End of Wlan Resume Reconnect to Different Network

Provider: Microsoft-Windows-Wcmsvc
Channel: Diagnostic
Task: MeasureWLANResumeReconnecttask
Opcode: Stop

Description

End of Wlan Resume Reconnect to Different Network.

Message #

End of Wlan Resume Reconnect to Different Network

Fields #

Name	Description
`InterfaceGuid` GUID	—

Event ID 4024 — End of Wlan Resume Reconnect to Different Network OneX

Provider: Microsoft-Windows-Wcmsvc
Channel: Diagnostic
Task: MeasureWLANResumeReconnecttask
Opcode: Stop

Description

End of Wlan Resume Reconnect to Different Network OneX.

Message #

End of Wlan Resume Reconnect to Different Network OneX

Fields #

Name	Description
`InterfaceGuid` GUID	—

Event ID 4025 — Cancel of Wlan Resume Reconnect2

Provider: Microsoft-Windows-Wcmsvc
Channel: Diagnostic
Task: MeasureWLANResumeReconnecttask
Opcode: Stop

Description

Cancel of Wlan Resume Reconnect2.

Message #

Cancel of Wlan Resume Reconnect2

Fields #

Name	Description
`InterfaceGuid` GUID	—

Event ID 4026 —

Provider: Microsoft-Windows-Wcmsvc
Channel: Diagnostic
Task: MeasureWWANResumeReconnecttask
Opcode: Stop

Fields #

Name	Description
`InterfaceGuid` GUID	—

Event ID 4027 — WcmSvc CmPdcActivationClientRegister - Status [Status].

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Opcode: Info

Description

WcmSvc CmPdcActivationClientRegister - Status [Status].

Message #

WcmSvc CmPdcActivationClientRegister - Status [%1]

Fields #

Name	Description
`Status` HexInt32	— NTSTATUS reference

Event ID 4028 — WcmSvc CmPdcActivationClientUnregister - Status [Status].

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Opcode: Info

Description

WcmSvc CmPdcActivationClientUnregister - Status [Status].

Message #

WcmSvc CmPdcActivationClientUnregister - Status [%1]

Fields #

Name	Description
`Status` HexInt32	— NTSTATUS reference

Event ID 4029 — WcmSvc CmPdcActivationClientActivityRequest - Activate [Activity], Status [Status].

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Opcode: Info

Description

WcmSvc CmPdcActivationClientActivityRequest - Activate [Activity], Status [Status].

Message #

WcmSvc CmPdcActivationClientActivityRequest - Activate [%1], Status [%2]

Fields #

Name	Description
`Activity` Boolean	—
`Status` HexInt32	— NTSTATUS reference

Event ID 4030 — WcmSvc SetNetworkReference - Activate [Activate], Result [Result], TotalNetworkRefCount [TotalNetworkRefCount], ProcessId [ProcessId], PerProcessNetworkRefCount [ProcessNetworkRefCount], App [AppNa...

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Opcode: Info

Description

WcmSvc SetNetworkReference - Activate [Activate], Result [Result], TotalNetworkRefCount [TotalNetworkRefCount], ProcessId [ProcessId], PerProcessNetworkRefCount [ProcessNetworkRefCount], App [AppName].

Message #

WcmSvc SetNetworkReference - Activate [%1], Result [%2], TotalNetworkRefCount [%3], ProcessId [%4], PerProcessNetworkRefCount [%5], App [%6]

Fields #

Name	Description
`Activate` Boolean	—
`Result` UInt32	—
`TotalNetworkRefCount` UInt32	—
`ProcessId` UInt32	—
`ProcessNetworkRefCount` UInt32	—
`AppName` UnicodeString	—

Event ID 4031 — WcmSvc ReleaseNetworkReferenceInProcess - ProcessId [ProcessId], PerProcessNetworkRefCount [ProcessNetworkRefCount], TotalNetworkRefCount [TotalNetworkRefCount].

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Opcode: Info

Description

WcmSvc ReleaseNetworkReferenceInProcess - ProcessId [ProcessId], PerProcessNetworkRefCount [ProcessNetworkRefCount], TotalNetworkRefCount [TotalNetworkRefCount].

Message #

WcmSvc ReleaseNetworkReferenceInProcess - ProcessId [%1], PerProcessNetworkRefCount [%2], TotalNetworkRefCount [%3]

Fields #

Name	Description
`ProcessId` UInt32	—
`ProcessNetworkRefCount` UInt32	—
`TotalNetworkRefCount` UInt32	—

Event ID 4032 — WcmSvc AcquireNdisReference - Result [Result], TotalCmNdisRefCount [TotalCmNdisRefCount], ProcessId [ProcessId], PerProcessCmNdisRefCount [PerProcessCmNdisRefCount], App [AppName].

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Opcode: Info

Description

WcmSvc AcquireNdisReference - Result [Result], TotalCmNdisRefCount [TotalCmNdisRefCount], ProcessId [ProcessId], PerProcessCmNdisRefCount [PerProcessCmNdisRefCount], App [AppName].

Message #

WcmSvc AcquireNdisReference - Result [%1], TotalCmNdisRefCount [%2], ProcessId [%3], PerProcessCmNdisRefCount [%4], App [%5]

Fields #

Name	Description
`Result` UInt32	—
`TotalCmNdisRefCount` UInt32	—
`ProcessId` UInt32	—
`PerProcessCmNdisRefCount` UInt32	—
`AppName` UnicodeString	—

Event ID 4033 — WcmSvc ReleaseNdisReference - Result [Result], TotalCmNdisRefCount [TotalCmNdisRefCount], ProcessId [ProcessId], PerProcessCmNdisRefCount [PerProcessCmNdisRefCount], App [AppName].

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Opcode: Info

Description

WcmSvc ReleaseNdisReference - Result [Result], TotalCmNdisRefCount [TotalCmNdisRefCount], ProcessId [ProcessId], PerProcessCmNdisRefCount [PerProcessCmNdisRefCount], App [AppName].

Message #

WcmSvc ReleaseNdisReference - Result [%1], TotalCmNdisRefCount [%2], ProcessId [%3], PerProcessCmNdisRefCount [%4], App [%5]

Fields #

Name	Description
`Result` UInt32	—
`TotalCmNdisRefCount` UInt32	—
`ProcessId` UInt32	—
`PerProcessCmNdisRefCount` UInt32	—
`AppName` UnicodeString	—

Event ID 4034 — WcmSvc ReleaseNdisReferenceInProcess - ProcessId [ProcessId], PerProcessCmNdisRefCount [ProcessNetworkRefCount], TotalCmNdisRefCount [TotalNetworkRefCount].

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Opcode: Info

Description

WcmSvc ReleaseNdisReferenceInProcess - ProcessId [ProcessId], PerProcessCmNdisRefCount [ProcessNetworkRefCount], TotalCmNdisRefCount [TotalNetworkRefCount].

Message #

WcmSvc ReleaseNdisReferenceInProcess - ProcessId [%1], PerProcessCmNdisRefCount [%2], TotalCmNdisRefCount [%3]

Fields #

Name	Description
`ProcessId` UInt32	—
`ProcessNetworkRefCount` UInt32	—
`TotalNetworkRefCount` UInt32	—

Event ID 4035 — WcmSvc NdisReferenceError - [FunctionName]: Result [Error].

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Opcode: Info

Description

WcmSvc NdisReferenceError - [FunctionName]: Result [Error].

Message #

WcmSvc NdisReferenceError - [%1]: Result [%2]

Fields #

Name	Description
`FunctionName` UnicodeString	—
`Error` UInt32	—

Event ID 4036 — CmService::NdisReference - [AcquireRelease] InterfaceLuid [InterfaceLuid], Result [Result].

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Opcode: Info

Description

CmService::NdisReference - [AcquireRelease] InterfaceLuid [InterfaceLuid], Result [Result].

Message #

CmService::NdisReference - [%1] InterfaceLuid [%2], Result [%3]

Fields #

Name	Description
`AcquireRelease` UnicodeString	—
`InterfaceLuid` UInt64	—
`Result` UInt32	—

Event ID 10001 — WCMSVC: Start WCM Service Startup

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Level: Informational
Opcode: Info

Description

WCMSVC: Start WCM Service Startup.

Message #

WCMSVC: Start WCM Service Startup

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Wcmsvc",
    "guid": "67D07935-283A-4791-8F8D-FA9117F3E6F2",
    "event_source_name": "",
    "event_id": 10001,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T06:25:41.759091+00:00",
    "event_record_id": 98,
    "correlation": {},
    "execution": {
      "process_id": 2540,
      "thread_id": 2940
    },
    "channel": "Microsoft-Windows-Wcmsvc/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {},
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 10002 — WCMSVC: Complete WCM Service Startup

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Level: Informational
Opcode: Info

Description

WCMSVC: Complete WCM Service Startup.

Message #

WCMSVC: Complete WCM Service Startup

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Wcmsvc",
    "guid": "67D07935-283A-4791-8F8D-FA9117F3E6F2",
    "event_source_name": "",
    "event_id": 10002,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T06:25:42.274933+00:00",
    "event_record_id": 102,
    "correlation": {},
    "execution": {
      "process_id": 2540,
      "thread_id": 2940
    },
    "channel": "Microsoft-Windows-Wcmsvc/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {},
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 10003 — WCMSVC: Start Service Shutdown

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Level: Informational
Opcode: Info

Description

WCMSVC: Start Service Shutdown.

Message #

WCMSVC: Start Service Shutdown

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Wcmsvc",
    "guid": "67D07935-283A-4791-8F8D-FA9117F3E6F2",
    "event_source_name": "",
    "event_id": 10003,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-05T22:31:36.633156+00:00",
    "event_record_id": 115,
    "correlation": {},
    "execution": {
      "process_id": 2584,
      "thread_id": 5648
    },
    "channel": "Microsoft-Windows-Wcmsvc/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {},
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 10004 — WCMSVC: Complete Service Shutdown

Provider: Microsoft-Windows-Wcmsvc
Channel: Operational
Level: Informational
Opcode: Info

Description

WCMSVC: Complete Service Shutdown.

Message #

WCMSVC: Complete Service Shutdown

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Wcmsvc",
    "guid": "67D07935-283A-4791-8F8D-FA9117F3E6F2",
    "event_source_name": "",
    "event_id": 10004,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-05T22:31:37.882676+00:00",
    "event_record_id": 116,
    "correlation": {},
    "execution": {
      "process_id": 2584,
      "thread_id": 5648
    },
    "channel": "Microsoft-Windows-Wcmsvc/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {},
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 10005 — Tethering Manager Loaded Successfully

Provider: Microsoft-Windows-Wcmsvc
Channel: Diagnostic
Opcode: Info

Description

Tethering Manager Loaded Successfully.

Message #

Tethering Manager Loaded Successfully

Event ID 10006 — Tethering Manager Unloaded Successfully

Provider: Microsoft-Windows-Wcmsvc
Channel: Diagnostic
Opcode: Info

Description

Tethering Manager Unloaded Successfully.

Message #

Tethering Manager Unloaded Successfully