Microsoft-Windows-WebAuthN
146 events across 4 channels
Event ID 1000 — WebAuthN Ctap MakeCredential started.
Event ID 1001 — WebAuthN Ctap MakeCredential completed.
Event ID 1002 — WebAuthN Ctap MakeCredential completed.
Event ID 1003 — WebAuthN Ctap GetAssertion started.
Event ID 1004 — WebAuthN Ctap GetAssertion completed.
Event ID 1005 — WebAuthN Ctap GetAssertion completed.
Event ID 1006 — WebAuthN Ctap SendCommand started.
Event ID 1007 — WebAuthN Ctap SendCommand completed.
Event ID 1008 — WebAuthN Ctap SendCommand completed.
Event ID 1020 — WebAuthN Ngc MakeCredential started.
Event ID 1021 — WebAuthN Ngc MakeCredential completed.
Event ID 1022 — WebAuthN Ngc MakeCredential completed.
Event ID 1023 — WebAuthN Ngc GetAssertion started.
Event ID 1024 — WebAuthN Ngc GetAssertion completed.
Event ID 1025 — WebAuthN Ngc GetAssertion completed.
Event ID 1040 — Ngc MakeCredential request.
Event ID 1041 — Ngc MakeCredential response.
Description
Ngc MakeCredential response.
Message
Fields
| Name | Description |
|---|---|
| TransactionId GUID | — |
| AttestationFormatType UnicodeString | — |
| RpIdHashLength UInt32 | — |
| RpIdHash Binary | — |
| Flags HexInt32 | — |
| SignCount HexInt32 | — |
| AAGuid GUID | — |
| CredentialIdLength UInt32 | — |
| CredentialId Binary | — |
| U2fPublicKey Boolean | — |
| PublicKeyLength UInt32 | — |
| PublicKey Binary | — |
| ResponseLength UInt32 | — |
| Response Binary | — |
Event ID 1042 — Ngc GetAssertion request.
Event ID 1043 — Ngc GetAssertion response.
Event ID 1050 — WebAuthN remote RPC request.
Description
WebAuthN remote RPC request.
Message
Fields
| Name | Description |
|---|---|
| TransactionId GUID | — |
| RemoteRpcRequestLength UInt32 | — |
| RemoteRpcRequest Binary | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-WebAuthN",
"guid": "3AE1EA61-C002-47FB-B06C-4022A8C98929",
"event_source_name": "",
"event_id": 1050,
"version": 0,
"level": 4,
"task": 16,
"opcode": 12,
"keywords": 9223372036854776065,
"time_created": "2026-03-11T06:37:46.991338+00:00",
"event_record_id": 130,
"correlation": {},
"execution": {
"process_id": 8132,
"thread_id": 10968
},
"channel": "Microsoft-Windows-WebAuthN/Operational",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-21-3407486967-1585450050-1838039599-1000"
}
},
"event_data": {
"TransactionId": "39B0A1B3-2EFB-4565-85F8-1963661CDCA3",
"RemoteRpcRequestLength": 57,
"RemoteRpcRequest": "A467636F6D6D616E640865666C616773006774696D656F7574006D7472616E73616374696F6E49645000000000000000000000000000000000"
},
"message": ""
}
Event ID 1052 — WebAuthN remote RPC response.
Description
WebAuthN remote RPC response.
Message
Fields
| Name | Description |
|---|---|
| TransactionId GUID | — |
| Error HexInt32 | — |
| HResult Int32 | — |
| RemoteRpcResponseLength UInt32 | — |
| RemoteRpcResponse Binary | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-WebAuthN",
"guid": "3AE1EA61-C002-47FB-B06C-4022A8C98929",
"event_source_name": "",
"event_id": 1052,
"version": 0,
"level": 4,
"task": 17,
"opcode": 12,
"keywords": 9223372036854776065,
"time_created": "2026-03-11T06:37:46.994687+00:00",
"event_record_id": 131,
"correlation": {},
"execution": {
"process_id": 8132,
"thread_id": 10968
},
"channel": "Microsoft-Windows-WebAuthN/Operational",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-21-3407486967-1585450050-1838039599-1000"
}
},
"event_data": {
"TransactionId": "39B0A1B3-2EFB-4565-85F8-1963661CDCA3",
"Error": "0x0",
"HResult": 0,
"RemoteRpcResponseLength": 0,
"RemoteRpcResponse": ""
},
"message": ""
}
Event ID 1060 — WebAuthN error at: Action.
Event ID 1070 — WebAuthN IsUserVerifyingPlatformAuthenticatorAvailale: value.
Event ID 1071 — WebAuthN ApiVersion: value.
Description
WebAuthN ApiVersion: value.
Message
Fields
| Name | Description |
|---|---|
| value Int32 | — |
| Error HexInt32 | — |
| HResult Int32 | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-WebAuthN",
"guid": "3AE1EA61-C002-47FB-B06C-4022A8C98929",
"event_source_name": "",
"event_id": 1071,
"version": 0,
"level": 4,
"task": 19,
"opcode": 12,
"keywords": 9223372036854775873,
"time_created": "2023-11-06T01:55:31.345190+00:00",
"event_record_id": 39,
"correlation": {},
"execution": {
"process_id": 17736,
"thread_id": 9464
},
"channel": "Microsoft-Windows-WebAuthN/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-21-1992711665-1655669231-58201500-1000"
}
},
"event_data": {
"value": 4,
"Error": "0x0",
"HResult": 0
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 1072 — WebAuthN CancelCurrentOperation: value.
Event ID 1100 — Cbor decode error.
Event ID 1101 — Cbor encode MakeCredential request.
Description
Cbor encode MakeCredential request.
Message
Fields
| Name | Description |
|---|---|
| TransactionId GUID | — |
| RpId UnicodeString | — |
| UserIdLength UInt32 | — |
| UserId Binary | — |
| ClientDataHashAlgId UnicodeString | — |
| ClientDataLength UInt32 | — |
| ClientDataHashLength UInt32 | — |
| ClientDataHash Binary | — |
| RequireResidentKey Boolean | — |
| CredentialCount UInt32 | — |
| CredentialParameterCount UInt32 | — |
| RequestLength UInt32 | — |
| Request Binary | — |
Event ID 1102 — Cbor decode MakeCredential response.
Description
Cbor decode MakeCredential response.
Message
Fields
| Name | Description |
|---|---|
| TransactionId GUID | — |
| AttestationFormatType UnicodeString | — |
| RpIdHashLength UInt32 | — |
| RpIdHash Binary | — |
| Flags HexInt32 | — |
| SignCount HexInt32 | — |
| AAGuid GUID | — |
| CredentialIdLength UInt32 | — |
| CredentialId Binary | — |
| U2fPublicKey Boolean | — |
| PublicKeyLength UInt32 | — |
| PublicKey Binary | — |
| ResponseLength UInt32 | — |
| Response Binary | — |
Event ID 1103 — Cbor encode GetAssertion request.
Event ID 1104 — Cbor decode GetAssertion response.
Event ID 2000 — Ctap service started successfully.
Description
Ctap service started successfully.
Message
Example Event
{
"system": {
"provider": "Microsoft-Windows-WebAuthN",
"guid": "3AE1EA61-C002-47FB-B06C-4022A8C98929",
"event_source_name": "",
"event_id": 2000,
"version": 0,
"level": 16,
"task": 500,
"opcode": 10,
"keywords": 9223372036854775810,
"time_created": "2023-11-06T06:25:39.214893+00:00",
"event_record_id": 19,
"correlation": {},
"execution": {
"process_id": 1872,
"thread_id": 2024
},
"channel": "Microsoft-Windows-WebAuthN/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-20"
}
},
"event_data": {},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 2001 — Ctap service stopped successfully.
Description
Ctap service stopped successfully.
Message
Example Event
{
"system": {
"provider": "Microsoft-Windows-WebAuthN",
"guid": "3AE1EA61-C002-47FB-B06C-4022A8C98929",
"event_source_name": "",
"event_id": 2001,
"version": 0,
"level": 16,
"task": 500,
"opcode": 11,
"keywords": 9223372036854775810,
"time_created": "2023-11-05T22:31:37.592001+00:00",
"event_record_id": 22,
"correlation": {},
"execution": {
"process_id": 1396,
"thread_id": 2416
},
"channel": "Microsoft-Windows-WebAuthN/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-20"
}
},
"event_data": {},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 2100 — Ctap Command started.
Event ID 2101 — Ctap command started.
Event ID 2102 — Ctap Command completed.
Event ID 2103 — Ctap Command completed.
Event ID 2104 — Ctap device info.
Event ID 2105 — Ctap Function: Function Location: Location.
Event ID 2106 — Ctap Name: Name Value: Value.
Event ID 2107 —
Event ID 2110 — Ctap device device state info.
Event ID 2111 — Ctap device change notify info.
Event ID 2200 — Ctap Usb provider thread started.
Event ID 2201 — Ctap Usb provider thread completed.
Event ID 2202 — Ctap Usb provider thread completed.
Event ID 2203 — Ctap Usb provider thread completed.
Event ID 2210 — Ctap Usb device thread started.
Event ID 2211 — Ctap Usb device thread completed.
Event ID 2212 — Ctap Usb device thread completed.
Description
Ctap Usb device thread completed.
Message
Fields
| Name | Description |
|---|---|
| TransactionId GUID | — |
| DevicePath UnicodeString | — |
| Manufacturer UnicodeString | — |
| Product UnicodeString | — |
| AAGuid GUID | — |
| U2fProtocol Boolean | — |
| State UInt32 | — |
| Status HexInt32 | — NTSTATUS reference |
| Error HexInt32 | — |
| Win32Error HexInt32 | — |
Event ID 2213 — Ctap Usb device thread completed.
Description
Ctap Usb device thread completed.
Message
Fields
| Name | Description |
|---|---|
| TransactionId GUID | — |
| DevicePath UnicodeString | — |
| Manufacturer UnicodeString | — |
| Product UnicodeString | — |
| AAGuid GUID | — |
| U2fProtocol Boolean | — |
| State UInt32 | — |
| Status HexInt32 | — NTSTATUS reference |
| Error HexInt32 | — |
| Win32Error HexInt32 | — |
Event ID 2220 — Ctap Usb add device.
Event ID 2221 — Ctap Usb remove device.
Event ID 2222 — Ctap Usb device changes.
Event ID 2223 — Ctap Usb U2F device.
Event ID 2224 — Ctap Usb connect to device.
Description
Ctap Usb connect to device.
Message
Fields
| Name | Description |
|---|---|
| TransactionId GUID | — |
| DevicePath UnicodeString | — |
| Manufacturer UnicodeString | — |
| Product UnicodeString | — |
| DeviceErr HexInt32 | — |
| Status HexInt32 | — NTSTATUS reference |
| Error HexInt32 | — |
| Win32Error HexInt32 | — |
Event ID 2225 — Ctap Usb Send Receive.
Event ID 2226 — Ctap Usb Send Receive.
Event ID 2250 — Ctap Ble provider thread started.
Event ID 2251 — Ctap Ble provider thread completed.
Event ID 2252 — Ctap Ble provider thread completed.
Event ID 2253 — Ctap Ble provider thread completed.
Event ID 2260 — Ctap Ble device thread started.
Event ID 2261 — Ctap Ble device thread completed.
Event ID 2262 — Ctap Ble device thread completed.
Description
Ctap Ble device thread completed.
Message
Fields
| Name | Description |
|---|---|
| TransactionId GUID | — |
| DevicePath UnicodeString | — |
| PairedName UnicodeString | — |
| AAGuid GUID | — |
| U2fProtocol Boolean | — |
| State UInt32 | — |
| Status HexInt32 | — NTSTATUS reference |
| Error HexInt32 | — |
| Win32Error HexInt32 | — |
Event ID 2263 — Ctap Ble device thread completed.
Description
Ctap Ble device thread completed.
Message
Fields
| Name | Description |
|---|---|
| TransactionId GUID | — |
| DevicePath UnicodeString | — |
| PairedName UnicodeString | — |
| AAGuid GUID | — |
| U2fProtocol Boolean | — |
| State UInt32 | — |
| Status HexInt32 | — NTSTATUS reference |
| Error HexInt32 | — |
| Win32Error HexInt32 | — |
Event ID 2270 — Ctap Ble Function: Function Location: Location.
Event ID 2271 — Ctap Ble U2F device.
Event ID 2272 — Ctap Ble Send Receive.
Event ID 2273 — Ctap Ble Send Receive.
Event ID 2300 — Ctap Nfc provider thread started.
Event ID 2301 — Ctap Nfc provider thread completed.
Event ID 2302 — Ctap Nfc provider thread completed.
Event ID 2303 — Ctap Nfc provider thread completed.
Event ID 2310 — Ctap Nfc reader thread started.
Event ID 2311 — Ctap Nfc reader thread completed.
Event ID 2312 — Ctap Nfc reader thread completed.
Description
Ctap Nfc reader thread completed.
Message
Fields
| Name | Description |
|---|---|
| TransactionId GUID | — |
| Reader UnicodeString | — |
| AAGuid GUID | — |
| U2fProtocol Boolean | — |
| State UInt32 | — |
| Status HexInt32 | — NTSTATUS reference |
| Error HexInt32 | — |
| Win32Error HexInt32 | — |
Event ID 2313 — Ctap Nfc reader thread completed.
Description
Ctap Nfc reader thread completed.
Message
Fields
| Name | Description |
|---|---|
| TransactionId GUID | — |
| Reader UnicodeString | — |
| AAGuid GUID | — |
| U2fProtocol Boolean | — |
| State UInt32 | — |
| Status HexInt32 | — NTSTATUS reference |
| Error HexInt32 | — |
| Win32Error HexInt32 | — |
Event ID 2314 — Ctap Nfc reader manager thread started.
Event ID 2315 — Ctap Nfc reader manager thread completed.
Event ID 2316 — Cancelling Reader Threads.
Event ID 2320 — Ctap Nfc add reader.
Event ID 2321 — Ctap Nfc skip reader for: Action.
Event ID 2322 — Ctap Nfc transition reader for: Action.
Event ID 2323 — Ctap Nfc send message warning for: Action.
Event ID 2324 — Ctap Nfc send request error for: Action.
Event ID 2325 — Ctap Nfc U2F device.
Event ID 2326 — Ctap Nfc send message at: Action.
Event ID 2327 — Ctap Nfc SCardTransmit Request.
Event ID 2328 — Ctap Nfc SCardTransmit Request.
Event ID 2329 — Ctap Hybrid process Ctap command request callback started.
Event ID 2330 — Ctap Hybrid process Ctap command request callback completed.
Event ID 2331 — Ctap Hybrid process Ctap command request callback completed with error.
Event ID 2332 — Ctap Hybrid Write Message: Message.
Event ID 2333 — Ctap Hybrid Read Message: Message.
Event ID 2334 — Ctap Hybrid Protocol setup started.
Event ID 2335 — Ctap Hybrid Protocol setup completed.
Event ID 2336 — Ctap Hybrid Protocol setup completed with error.
Event ID 2337 — Ctap Hybrid Linked Device Saved.
Event ID 2400 — Ctap Test provider thread started.
Event ID 2401 — Ctap Test provider thread completed.
Event ID 2402 — Ctap Test provider thread completed.
Event ID 5002 —
Description
Trust group deletion synchronized.
Event ID 5002 — Trust group deletion synchronized.
Description
Trust group deletion synchronized.
Message
Event ID 5009 —
Description
User storage created.
Fields
| Name | Description |
|---|---|
| StorageID GUID | — |
| UserSid SID | — |
Event ID 5009 — User storage created.
Event ID 5010 —
Description
Synchronization state.
Fields
| Name | Description |
|---|---|
| SyncState UInt32 | — |
Event ID 5010 — Synchronization state: SyncState.
Event ID 6006 —
Description
Trust group deleted.
Event ID 6006 — Trust group deleted.
Description
Trust group deleted.
Message
Event ID 6007 —
Description
Cleaned up Local Store.
Event ID 6007 — Cleaned up Local Store.
Description
Cleaned up Local Store.
Message
Event ID 6011 —
Description
This Windows device was not found in the Trusted Device list, resetting local state.
Event ID 6011 — This Windows device was not found in the Trusted Device list, resetting local state.
Description
This Windows device was not found in the Trusted Device list, resetting local state.
Message
Event ID 6250 —
Fields
| Name | Description |
|---|---|
| PluginClsId UnicodeString | — |
Event ID 6251 —
Fields
| Name | Description |
|---|---|
| PluginClsId UnicodeString | — |
| KeyName UnicodeString | — |
| NumKeysFound UInt32 | — |
Event ID 6254 —
Description
Error when trying to decode a plugin passkey. Some metadata fields may be missing or incorrect.
Fields
| Name | Description |
|---|---|
| PluginClsId UnicodeString | — |
Event ID 6254 — Error when trying to decode a plugin passkey.
Event ID 7000 —
Description
Key rotation failed.
Fields
| Name | Description |
|---|---|
| Error HexInt32 | — |
Event ID 7000 — Key rotation failed.
Event ID 7001 —
Description
Cloud store operation failed.
Fields
| Name | Description |
|---|---|
| OperationType UInt32 | — Known values |
| PropertyType UInt32 | — |
| BackupId UnicodeString | — |
| CorrelationVector AnsiString | — |
| Error HexInt32 | — |
Event ID 7001 — Cloud store operation failed.
Description
Cloud store operation failed.
Message
Fields
| Name | Description |
|---|---|
| OperationType UInt32 | — Known values |
| PropertyType UInt32 | — |
| BackupId UnicodeString | — |
| CorrelationVector AnsiString | — |
| Error HexInt32 | — |
Event ID 7003 —
Description
Failed to add trusted device.
Fields
| Name | Description |
|---|---|
| Error HexInt32 | — |
Event ID 7003 — Failed to add trusted device.
Event ID 7004 —
Description
Failed to delete trusted device.
Fields
| Name | Description |
|---|---|
| Error HexInt32 | — |
Event ID 7004 — Failed to delete trusted device.
Event ID 7005 —
Description
Failed to rename trusted device.
Fields
| Name | Description |
|---|---|
| Error HexInt32 | — |
Event ID 7005 — Failed to rename trusted device.
Event ID 7008 —
Description
Local store operation failed.
Fields
| Name | Description |
|---|---|
| OperationType UInt32 | — Known values |
| PropertyType UInt32 | — |
| BackupId UnicodeString | — |
| CorrelationVector AnsiString | — |
| Error HexInt32 | — |
Event ID 7008 — Local store operation failed.
Description
Local store operation failed.
Message
Fields
| Name | Description |
|---|---|
| OperationType UInt32 | — Known values |
| PropertyType UInt32 | — |
| BackupId UnicodeString | — |
| CorrelationVector AnsiString | — |
| Error HexInt32 | — |
Event ID 7251 —
Fields
| Name | Description |
|---|---|
| PluginClsId UnicodeString | — |
| KeyName UnicodeString | — |
| Error HexInt32 | — |
| HResult Int32 | — |
Event ID 7252 —
Fields
| Name | Description |
|---|---|
| PluginClsId UnicodeString | — |
| Error HexInt32 | — |
| HResult Int32 | — |
Event ID 7253 —
Fields
| Name | Description |
|---|---|
| PluginClsId UnicodeString | — |
| Error HexInt32 | — |
| HResult Int32 | — |
Event ID 7254 —
Fields
| Name | Description |
|---|---|
| PluginClsId UnicodeString | — |
| Error HexInt32 | — |
| HResult Int32 | — |
Event ID 7255 —
Fields
| Name | Description |
|---|---|
| PluginClsId UnicodeString | — |
| Error HexInt32 | — |
| HResult Int32 | — |
Event ID 8000 —
Description
Key rotation succeeded.
Fields
| Name | Description |
|---|---|
| EncryptionKeyType UInt32 | — |
Event ID 8000 — Key rotation succeeded.
Event ID 8001 —
Description
Cloud store operation succeeded.
Fields
| Name | Description |
|---|---|
| OperationType UInt32 | — Known values |
| PropertyType UInt32 | — |
| BackupId UnicodeString | — |
| CorrelationVector AnsiString | — |
Event ID 8001 — Cloud store operation succeeded.
Description
Cloud store operation succeeded.
Message
Fields
| Name | Description |
|---|---|
| OperationType UInt32 | — Known values |
| PropertyType UInt32 | — |
| BackupId UnicodeString | — |
| CorrelationVector AnsiString | — |
Event ID 8003 —
Description
Trusted device successfully added.
Fields
| Name | Description |
|---|---|
| DeviceID UInt32 | — |
Event ID 8003 — Trusted device successfully added.
Event ID 8004 —
Description
Trusted device deleted successfully.
Fields
| Name | Description |
|---|---|
| DeviceID UInt32 | — |
Event ID 8004 — Trusted device deleted successfully.
Event ID 8005 —
Description
Trusted device renamed successfully.
Fields
| Name | Description |
|---|---|
| DeviceID UInt32 | — |
Event ID 8005 — Trusted device renamed successfully.
Event ID 8008 —
Description
Local store operation succeeded.
Fields
| Name | Description |
|---|---|
| OperationType UInt32 | — Known values |
| PropertyType UInt32 | — |
| BackupId UnicodeString | — |
| CorrelationVector AnsiString | — |
Event ID 8008 — Local store operation succeeded.
Description
Local store operation succeeded.
Message
Fields
| Name | Description |
|---|---|
| OperationType UInt32 | — Known values |
| PropertyType UInt32 | — |
| BackupId UnicodeString | — |
| CorrelationVector AnsiString | — |