Microsoft-Windows-WFP

40 events across 5 channels

Event ID	Title	Channel
1001	WFP: Packet Dropped - Filter Run-Time ID: FilterId, Layer Run-Time ID: LayerId.	Analytic
1003	IPsec: Packet Dropped - Error Code: FailureStatus, Filter Run-Time ID: FilterId, …	Analytic
1005	IPsec: Main Mode Failure	Operational
1007	IPsec: Quick Mode Failure	Operational
1009	IPsec: Extended Mode Failure	Operational
1011	IPsec DoS Protection: Packet Dropped	Analytic
1013	IPsec: Main Mode SA Terminated	Operational
1013	IPsec: Main Mode SA Terminated	Debug
1014	IPsec: Main Mode SA Established	Debug
1015	IPsec: Main Mode SA Established	Debug
1016	IPsec: Extended Mode and Main Mode SAs Established	Debug
1017	IPsec: Extended Mode and Main Mode SAs Established	Debug
1018	IPsec: Extended Mode and Main Mode SAs Established	Debug
1019	IPsec: Extended Mode and Main Mode SAs Established	Debug
1020	IPsec DoS Protection Enabled	Operational
1021	IPsec DoS Protection Disabled	Operational
1022	IPsec DoS Protection failed to create state because the maximum number of …	Operational
1023	IPsec: Negotiation Request Initiated	Debug
1024	IPsec: Send ISAKMP Packet	Debug
1025	IPsec: Receive ISAKMP Packet	Debug
1026	WFP: User Mode Error	Debug
1027	An IPsec quick mode security association ended.	Operational
1027	An IPsec quick mode security association ended.	Debug
1028	An IPsec quick mode security association was established.	Operational
1029	WFP: Packet Dropped - Filter Run-Time ID: FilterId, Layer Run-Time ID: LayerId.	Analytic
1030	Transaction Watchdog Timeout The filtering engine has exceeded the configured …	Operational
1031	File path trigger increment due to match for FilePath, counter value Counter.	Operational
1032	File path trigger decrement due to match for FilePath, counter value Counter.	Operational
1033	Modern app trigger increment due to match for AppSID, counter value Counter.	Operational
1034	Modern app trigger decrement due to match for AppSID, counter value Counter.	Operational
1035	Modern app trigger decrement due to match for SecurityDescriptor, counter value …	Operational
1036	Modern app trigger decrement due to match for SecurityDescriptor, counter value …	Operational
1037	Trigger increment due to NRPT lookup, counter value Counter.	Operational
1038	Trigger decrement due to NRPT idle, counter value Counter.	Operational
1039	Trigger increment due to flow creation, counter value: Counter, local address: …	Operational
1040	Trigger decrement due to flow deletion, counter value: Counter, local address: …	Operational
1041	Connect occurred due to unexpected disconnect, counter value Counter.	Operational
1042	Disconnecting after expiration of debounce interval	Operational
1043	IPsec: Main Mode SA Established	Operational
1044	Received the first packet on low power enabled IKE tunnel with SPI: SPI.	Operational

Event ID 1001 — WFP: Packet Dropped - Filter Run-Time ID: FilterId, Layer Run-Time ID: LayerId.

Provider: Microsoft-Windows-WFP
Channel: Analytic
Opcode: Info

Description

WFP: Packet Dropped - Filter Run-Time ID: FilterId, Layer Run-Time ID: LayerId.

Message #

WFP: Packet Dropped - Filter Run-Time ID: %14, Layer Run-Time ID: %15

Fields #

Name	Description
`Timestamp` FILETIME	—
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`ScopeId` UInt32	—
`AppId` UnicodeString	—
`UserSID` SID	—
`ReauthReason` UInt32	—
`OriginalProfile` UInt32	—
`CurrentProfile` UInt32	—
`PacketDirection` UInt32	—
`Loopback` Boolean	—
`FilterId` UInt64	—
`LayerId` UInt16	—
`vSwitchId` UnicodeString	—
`SourcevSwitchPort` UInt32	—
`DestinationvSwitchPort` UInt32	—
`EnterpriseId` UnicodeString	—
`PolicyFlags` UInt64	—
`EffectiveName` UnicodeString	—

Event ID 1003 — IPsec: Packet Dropped - Error Code: FailureStatus, Filter Run-Time ID: FilterId, Layer Run-Time ID: LayerId.

Provider: Microsoft-Windows-WFP
Channel: Analytic
Opcode: Info

Description

IPsec: Packet Dropped - Error Code: FailureStatus, Filter Run-Time ID: FilterId, Layer Run-Time ID: LayerId.

Message #

IPsec: Packet Dropped - Error Code: %9, Filter Run-Time ID: %12, Layer Run-Time ID: %13

Fields #

Name	Description
`Timestamp` FILETIME	—
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`ScopeId` UInt32	—
`AppId` UnicodeString	—
`UserSID` SID	—
`FailureStatus` UInt32	—
`Direction` UInt32	— Known values `%%14592` Inbound `%%14593` Outbound `%%14594` Forward `%%14595` Bidirectional
`SPI` UInt32	—
`FilterId` UInt64	—
`LayerId` UInt16	—

Event ID 1005 — IPsec: Main Mode Failure

Provider: Microsoft-Windows-WFP
Channel: Operational
Opcode: Info

Description

IPsec: Main Mode Failure.

Message #

IPsec: Main Mode Failure

Fields #

Name	Description
`Timestamp` FILETIME	—
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`ScopeId` UInt32	—
`AppId` UnicodeString	—
`UserSID` SID	—
`LocalSpn` UnicodeString	—
`PeerSpn` UnicodeString	—
`LocalGroupSidCount` UInt32	—
`LocalGroupSidLength` UInt32	—
`LocalGroupSids` UnicodeString	—
`RemoteGroupSidCount` UInt32	—
`RemoteGroupSidLength` UInt32	—
`RemoteGroupSids` UnicodeString	—
`FailureErrorCode` UInt32	—
`FailurePoint` UInt32	—
`Flags` UInt32	—
`KeyingModuleType` UInt32	—
`MmState` UInt32	—
`SaRole` UInt32	—
`MMAuthMethod` UInt32	—
`EndCertHash` Binary	—
`MMId` UInt64	—
`MMFilterId` UInt64	—
`ProviderContextKey` GUID	—

Event ID 1007 — IPsec: Quick Mode Failure

Provider: Microsoft-Windows-WFP
Channel: Operational
Opcode: Info

Description

IPsec: Quick Mode Failure.

Message #

IPsec: Quick Mode Failure

Fields #

Name	Description
`Timestamp` FILETIME	—
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`ScopeId` UInt32	—
`AppId` UnicodeString	—
`UserSID` SID	—
`FailureErrorCode` UInt32	—
`FailurePoint` UInt32	—
`KeyingModuleType` UInt32	—
`QMState` UInt32	—
`SaRole` UInt32	—
`SaTrafficType` UInt32	—
`QMFilterId` UInt64	—
`MMSaLuid` UInt64	—
`MMProviderContextKey` GUID	—

Event ID 1009 — IPsec: Extended Mode Failure

Provider: Microsoft-Windows-WFP
Channel: Operational
Opcode: Info

Description

IPsec: Extended Mode Failure.

Message #

IPsec: Extended Mode Failure

Fields #

Name	Description
`Timestamp` FILETIME	—
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`ScopeId` UInt32	—
`AppId` UnicodeString	—
`UserSID` SID	—
`LocalSpn` UnicodeString	—
`PeerSpn` UnicodeString	—
`LocalGroupSidCount` UInt32	—
`LocalGroupSidLength` UInt32	—
`LocalGroupSids` UnicodeString	—
`RemoteGroupSidCount` UInt32	—
`RemoteGroupSidLength` UInt32	—
`RemoteGroupSids` UnicodeString	—
`FailureErrorCode` UInt32	—
`FailurePoint` UInt32	—
`Flags` UInt32	—
`EMState` UInt32	—
`SaRole` UInt32	—
`EMAuthMethod` UInt32	—
`EndCertHash` Binary	—
`MMId` UInt64	—
`QMFilterId` UInt64	—

Event ID 1011 — IPsec DoS Protection: Packet Dropped

Provider: Microsoft-Windows-WFP
Channel: Analytic
Opcode: Info

Description

IPsec DoS Protection: Packet Dropped.

Message #

IPsec DoS Protection: Packet Dropped

Fields #

Name	Description
`Timestamp` FILETIME	—
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`ScopeId` UInt32	—
`AppId` UnicodeString	—
`UserSID` SID	—
`InternetHostAddress` UInt32	—
`CorpnetHostAddress` UInt32	—
`FailureStatus` UInt32	—
`Direction` UInt32	— Known values `%%14592` Inbound `%%14593` Outbound `%%14594` Forward `%%14595` Bidirectional

Event ID 1013 — IPsec: Main Mode SA Terminated

Provider: Microsoft-Windows-WFP
Channel: Operational
Level: Informational
Opcode: Info

Description

IPsec: Main Mode SA Terminated.

Fields #

Name	Description
`MainModeLocalAddressLength` UInt32	—
`MainModeLocalAddress` Binary	—
`MainModePeerAddressLength` UInt32	—
`MainModePeerAddress` Binary	—
`KeyingModule` UInt32	—
`SaLuid` UInt64	—
`ICookie` UInt64	—
`RCookie` UInt64	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WFP",
    "guid": "0C478C5B-0351-41B1-8C58-4A6737DA32E3",
    "event_source_name": "",
    "event_id": 1013,
    "version": 1,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372174293729280,
    "time_created": "2026-03-13T20:18:51.253631+00:00",
    "event_record_id": 1,
    "correlation": {},
    "execution": {
      "process_id": 6452,
      "thread_id": 3736
    },
    "channel": "Microsoft-Windows-IKE/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "MainModeLocalAddressLength": 16,
    "MainModeLocalAddress": "020000000A020A0B0000000000000000",
    "MainModePeerAddressLength": 16,
    "MainModePeerAddress": "02000000A04F680A0000000000000000",
    "KeyingModule": 1,
    "SaLuid": 6,
    "ICookie": 3453738395519108605,
    "RCookie": 0
  },
  "message": ""
}

Event ID 1013 — IPsec: Main Mode SA Terminated

Provider: Microsoft-Windows-WFP
Channel: Debug
Opcode: Info

Description

IPsec: Main Mode SA Terminated.

Message #

IPsec: Main Mode SA Terminated

Fields #

Name	Description
`MainModeLocalAddressLength` UInt32	—
`MainModeLocalAddress` Binary	—
`MainModePeerAddressLength` UInt32	—
`MainModePeerAddress` Binary	—
`KeyingModule` UInt32	—
`SaLuid` UInt64	—
`ICookie` UInt64	—
`RCookie` UInt64	—

Event ID 1014 — IPsec: Main Mode SA Established

Provider: Microsoft-Windows-WFP
Channel: Debug
Opcode: Info

Description

IPsec: Main Mode SA Established.

Message #

IPsec: Main Mode SA Established

Fields #

Name	Description
`LocalSpn` UnicodeString	—
`PeerSpn` UnicodeString	—
`MainModeLocalAddressLength` UInt32	—
`MainModeLocalAddress` Binary	—
`MainModePeerAddressLength` UInt32	—
`MainModePeerAddress` Binary	—
`KeyingModule` UInt32	—
`AuthenticationMethodType` UInt32	—
`EncryptionAlgorithm` UInt32	—
`AuthenticationAlgorithm` UInt32	—
`DiffieHellmanGroup` UInt32	—
`LifetimeMinutes` UInt32	—
`QMLimit` UInt32	—
`Role` UInt32	—
`Impersonation` UInt32	—
`MMFilterId` UInt64	—
`SaLuid` UInt64	—

Event ID 1015 — IPsec: Main Mode SA Established

Provider: Microsoft-Windows-WFP
Channel: Debug
Opcode: Info

Description

IPsec: Main Mode SA Established.

Message #

IPsec: Main Mode SA Established

Fields #

Name	Description
`LocalCertDnSubject` UnicodeString	—
`LocalCertShaThumbprintLength` UInt32	—
`LocalCertShaThumbprint` Binary	—
`LocalCertDnIssuer` UnicodeString	—
`LocalCertDnRoot` UnicodeString	—
`PeerCertDnSubject` UnicodeString	—
`PeerCertShaThumbprintLength` UInt32	—
`PeerCertShaThumbprint` Binary	—
`PeerCertDnIssuer` UnicodeString	—
`PeerCertDnRoot` UnicodeString	—
`MainModeLocalAddressLength` UInt32	—
`MainModeLocalAddress` Binary	—
`MainModePeerAddressLength` UInt32	—
`MainModePeerAddress` Binary	—
`KeyingModule` UInt32	—
`AuthenticationMethodType` UInt32	—
`EncryptionAlgorithm` UInt32	—
`AuthenticationAlgorithm` UInt32	—
`DiffieHellmanGroup` UInt32	—
`LifetimeMinutes` UInt32	—
`QMLimit` UInt32	—
`Role` UInt32	—
`Impersonation` UInt32	—
`MMFilterId` UInt64	—
`SaLuid` UInt64	—

Event ID 1016 — IPsec: Extended Mode and Main Mode SAs Established

Provider: Microsoft-Windows-WFP
Channel: Debug
Opcode: Info

Description

IPsec: Extended Mode and Main Mode SAs Established.

Message #

IPsec: Extended Mode and Main Mode SAs Established

Fields #

Name	Description
`LocalCertDnSubject` UnicodeString	—
`LocalCertShaThumbprintLength` UInt32	—
`LocalCertShaThumbprint` Binary	—
`LocalCertDnIssuer` UnicodeString	—
`LocalCertDnRoot` UnicodeString	—
`PeerCertDnSubject` UnicodeString	—
`PeerCertShaThumbprintLength` UInt32	—
`PeerCertShaThumbprint` Binary	—
`PeerCertDnIssuer` UnicodeString	—
`PeerCertDnRoot` UnicodeString	—
`MainModeLocalAddressLength` UInt32	—
`MainModeLocalAddress` Binary	—
`MainModePeerAddressLength` UInt32	—
`MainModePeerAddress` Binary	—
`EncryptionAlgorithm` UInt32	—
`AuthenticationAlgorithm` UInt32	—
`DiffieHellmanGroup` UInt32	—
`LifetimeMinutes` UInt32	—
`QMLimit` UInt32	—
`Role` UInt32	—
`Impersonation` UInt32	—
`MMFilterId` UInt64	—
`SaLuid` UInt64	—
`LocalUmCertDnSubject` UnicodeString	—
`LocalUmCertShaThumbprintLength` UInt32	—
`LocalUmCertShaThumbprint` Binary	—
`LocalUmCertDnIssuer` UnicodeString	—
`LocalUmCertDnRoot` UnicodeString	—
`PeerUmCertDnSubject` UnicodeString	—
`PeerUmCertShaThumbprintLength` UInt32	—
`PeerUmCertShaThumbprint` Binary	—
`PeerUmCertDnIssuer` UnicodeString	—
`PeerUmCertDnRoot` UnicodeString	—
`UMImpersonation` UInt32	—
`QMFilterId` UInt64	—

Event ID 1017 — IPsec: Extended Mode and Main Mode SAs Established

Provider: Microsoft-Windows-WFP
Channel: Debug
Opcode: Info

Description

IPsec: Extended Mode and Main Mode SAs Established.

Message #

IPsec: Extended Mode and Main Mode SAs Established

Fields #

Name	Description
`LocalCertDnSubject` UnicodeString	—
`LocalCertShaThumbprintLength` UInt32	—
`LocalCertShaThumbprint` Binary	—
`LocalCertDnIssuer` UnicodeString	—
`LocalCertDnRoot` UnicodeString	—
`PeerCertDnSubject` UnicodeString	—
`PeerCertShaThumbprintLength` UInt32	—
`PeerCertShaThumbprint` Binary	—
`PeerCertDnIssuer` UnicodeString	—
`PeerCertDnRoot` UnicodeString	—
`MainModeLocalAddressLength` UInt32	—
`MainModeLocalAddress` Binary	—
`MainModePeerAddressLength` UInt32	—
`MainModePeerAddress` Binary	—
`EncryptionAlgorithm` UInt32	—
`AuthenticationAlgorithm` UInt32	—
`DiffieHellmanGroup` UInt32	—
`LifetimeMinutes` UInt32	—
`QMLimit` UInt32	—
`Role` UInt32	—
`Impersonation` UInt32	—
`MMFilterId` UInt64	—
`SaLuid` UInt64	—
`UMLocalSPN` UnicodeString	—
`UMPeerSPN` UnicodeString	—
`UMAuthenticationMethodType` UInt32	—
`UMImpersonation` UInt32	—
`QMFilterId` UInt64	—

Event ID 1018 — IPsec: Extended Mode and Main Mode SAs Established

Provider: Microsoft-Windows-WFP
Channel: Debug
Opcode: Info

Description

IPsec: Extended Mode and Main Mode SAs Established.

Message #

IPsec: Extended Mode and Main Mode SAs Established

Fields #

Name	Description
`LocalSPN` UnicodeString	—
`PeerSPN` UnicodeString	—
`MainModeLocalAddressLength` UInt32	—
`MainModeLocalAddress` Binary	—
`MainModePeerAddressLength` UInt32	—
`MainModePeerAddress` Binary	—
`AuthenticationMethodType` UInt32	—
`EncryptionAlgorithm` UInt32	—
`AuthenticationAlgorithm` UInt32	—
`DiffieHellmanGroup` UInt32	—
`LifetimeMinutes` UInt32	—
`QMLimit` UInt32	—
`Role` UInt32	—
`Impersonation` UInt32	—
`MMFilterId` UInt64	—
`SaLuid` UInt64	—
`LocalUmCertDnSubject` UnicodeString	—
`LocalUmCertShaThumbprintLength` UInt32	—
`LocalUmCertShaThumbprint` Binary	—
`LocalUmCertDnIssuer` UnicodeString	—
`LocalUmCertDnRoot` UnicodeString	—
`PeerUmCertDnSubject` UnicodeString	—
`PeerUmCertShaThumbprintLength` UInt32	—
`PeerUmCertShaThumbprint` Binary	—
`PeerUmCertDnIssuer` UnicodeString	—
`PeerUmCertDnRoot` UnicodeString	—
`UMImpersonation` UInt32	—
`QMFilterId` UInt64	—

Event ID 1019 — IPsec: Extended Mode and Main Mode SAs Established

Provider: Microsoft-Windows-WFP
Channel: Debug
Opcode: Info

Description

IPsec: Extended Mode and Main Mode SAs Established.

Message #

IPsec: Extended Mode and Main Mode SAs Established

Fields #

Name	Description
`LocalSpn` UnicodeString	—
`PeerSpn` UnicodeString	—
`MainModeLocalAddressLength` UInt32	—
`MainModeLocalAddress` Binary	—
`MainModePeerAddressLength` UInt32	—
`MainModePeerAddress` Binary	—
`AuthenticationMethodType` UInt32	—
`EncryptionAlgorithm` UInt32	—
`AuthenticationAlgorithm` UInt32	—
`DiffieHellmanGroup` UInt32	—
`LifetimeMinutes` UInt32	—
`QMLimit` UInt32	—
`Role` UInt32	—
`Impersonation` UInt32	—
`MMFilterId` UInt64	—
`SaLuid` UInt64	—
`UMLocalSPN` UnicodeString	—
`UMPeerSPN` UnicodeString	—
`UMAuthenticationMethodType` UInt32	—
`UMImpersonation` UInt32	—
`QMFilterId` UInt64	—

Event ID 1020 — IPsec DoS Protection Enabled

Provider: Microsoft-Windows-WFP
Channel: Operational
Opcode: Info

Description

IPsec DoS Protection Enabled.

Message #

IPsec DoS Protection Enabled

Event ID 1021 — IPsec DoS Protection Disabled

Provider: Microsoft-Windows-WFP
Channel: Operational
Opcode: Info

Description

IPsec DoS Protection Disabled.

Message #

IPsec DoS Protection Disabled

Event ID 1022 — IPsec DoS Protection failed to create state because the maximum number of entries allowed by policy has been reached

Provider: Microsoft-Windows-WFP
Channel: Operational
Opcode: Info

Description

IPsec DoS Protection failed to create state because the maximum number of entries allowed by policy has been reached.

Message #

IPsec DoS Protection failed to create state because the maximum number of entries allowed by policy has been reached

Event ID 1023 — IPsec: Negotiation Request Initiated

Provider: Microsoft-Windows-WFP
Channel: Debug
Opcode: Info

Description

IPsec: Negotiation Request Initiated.

Message #

IPsec: Negotiation Request Initiated

Fields #

Name	Description
`KeyingModule` AnsiString	—
`AcquireContext` UInt64	—
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`Mode` UnicodeString	—
`FilterId` UInt64	—
`IPProtocol` UInt32	—
`InterfaceLuid` UInt64	—
`ProfileId` UInt32	—
`LocalUdpEncapPort` UInt16	—
`RemoteUdpEncapPort` UInt16	—
`MMTargetName` UnicodeString	—
`EMTargetName` UnicodeString	—
`NumTokens` UInt32	—
`Token1Type` UnicodeString	—
`Token1Principal` UnicodeString	—
`Token1Mode` UnicodeString	—
`Token1` UInt64	—
`Token2Type` UnicodeString	—
`Token2Principal` UnicodeString	—
`Token2Mode` UnicodeString	—
`Token2` UInt64	—
`Token3Type` UnicodeString	—
`Token3Principal` UnicodeString	—
`Token3Mode` UnicodeString	—
`Token3` UInt64	—
`Token4Type` UnicodeString	—
`Token4Principal` UnicodeString	—
`Token4Mode` UnicodeString	—
`Token4` UInt64	—
`VirtualIfTunnelId` UInt64	—
`TrafficSelectorId` UInt64	—
`Flags` UInt32	—
`RekeySPI` UInt32	—
`OrigVirtualIfTunnelId` UInt64	—
`PacketLocalAddressLength` UInt32	—
`PacketLocalAddress` Binary	—
`PacketRemoteAddressLength` UInt32	—
`PacketRemoteAddress` Binary	—
`PacketIPProtocol` UInt32	—
`PacketInterfaceLuid` UInt64	—
`PacketProfileId` UInt32	—

Event ID 1024 — IPsec: Send ISAKMP Packet

Provider: Microsoft-Windows-WFP
Channel: Debug
Opcode: Info

Description

IPsec: Send ISAKMP Packet.

Message #

IPsec: Send ISAKMP Packet

Fields #

Name	Description
`ICookie` AnsiString	—
`RCookie` AnsiString	—
`ExchangeType` AnsiString	—
`Length` UInt32	—
`NextPayload` AnsiString	—
`Flags` UInt8	—
`MessageID` UInt32	—
`LocalAddress` UnicodeString	—
`LocalPort` UInt32	—
`LocalProtocol` UInt32	—
`RemoteAddress` UnicodeString	—
`RemotePort` UInt32	—
`RemoteProtocol` UInt32	—
`InterfaceLuid` UInt64	—

Event ID 1025 — IPsec: Receive ISAKMP Packet

Provider: Microsoft-Windows-WFP
Channel: Debug
Opcode: Info

Description

IPsec: Receive ISAKMP Packet.

Message #

IPsec: Receive ISAKMP Packet

Fields #

Name	Description
`ICookie` AnsiString	—
`RCookie` AnsiString	—
`ExchangeType` AnsiString	—
`Length` UInt32	—
`NextPayload` AnsiString	—
`Flags` UInt8	—
`MessageID` UInt32	—
`LocalAddress` UnicodeString	—
`LocalPort` UInt32	—
`LocalProtocol` UInt32	—
`RemoteAddress` UnicodeString	—
`RemotePort` UInt32	—
`RemoteProtocol` UInt32	—
`InterfaceLuid` UInt64	—
`ProfileId` UInt32	—

Event ID 1026 — WFP: User Mode Error

Provider: Microsoft-Windows-WFP
Channel: Debug
Opcode: Info

Description

WFP: User Mode Error.

Message #

WFP: User Mode Error

Fields #

Name	Description
`Function` AnsiString	—
`ErrorCode` UInt32	—

Event ID 1027 — An IPsec quick mode security association ended.

Provider: Microsoft-Windows-WFP
Channel: Operational
Opcode: Info

Description

An IPsec quick mode security association ended.

Fields #

Name	Description
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`LocalAddressMask` UnicodeString	—
`LocalTunnelEndpointLength` UInt32	—
`LocalTunnelEndpoint` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`RemoteAddressMask` UnicodeString	—
`RemoteTunnelEndpointLength` UInt32	—
`RemoteTunnelEndpoint` Binary	—
`IPProtocol` UInt32	—
`QMSaLuid` UInt64	—
`VirtualIFTunnelId` UInt64	—
`VirtualIFTrafficSelectorId` UInt64	—
`InboundSPI` UInt32	—
`OutboundSPI` UInt32	—

Event ID 1027 — An IPsec quick mode security association ended.

Provider: Microsoft-Windows-WFP
Channel: Debug
Opcode: Info

Description

An IPsec quick mode security association ended.

Message #

An IPsec quick mode security association ended.

Fields #

Name	Description
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`LocalAddressMask` UnicodeString	—
`LocalTunnelEndpointLength` UInt32	—
`LocalTunnelEndpoint` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`RemoteAddressMask` UnicodeString	—
`RemoteTunnelEndpointLength` UInt32	—
`RemoteTunnelEndpoint` Binary	—
`IPProtocol` UInt32	—
`QMSaLuid` UInt64	—
`VirtualIFTunnelId` UInt64	—
`VirtualIFTrafficSelectorId` UInt64	—
`InboundSPI` UInt32	—
`OutboundSPI` UInt32	—

Event ID 1028 — An IPsec quick mode security association was established.

Provider: Microsoft-Windows-WFP
Channel: Operational
Opcode: Info

Description

An IPsec quick mode security association was established.

Message #

An IPsec quick mode security association was established.

Fields #

Name	Description
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`LocalAddressMask` UnicodeString	—
`LocalTunnelEndpointLength` UInt32	—
`LocalTunnelEndpoint` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`RemoteAddressMask` UnicodeString	—
`RemoteTunnelEndpointLength` UInt32	—
`RemoteTunnelEndpoint` Binary	—
`IPProtocol` UInt32	—
`KeyingModuleName` UInt8	—
`AHAuthType` UInt8	—
`ESPAuthType` UInt8	—
`ESPCipherType` UInt8	—
`LifetimeSeconds` UInt32	—
`LifetimeKilobytes` UInt32	—
`LifetimePackets` UInt32	—
`Mode` UInt8	—
`Role` UInt8	—
`TransportFilterId` UInt64	—
`MMSaLuid` UInt64	—
`QMSaLuid` UInt64	—
`InboundSPI` UInt32	—
`OutboundSPI` UInt32	—
`VirtualIFTunnelId` UInt64	—
`VirtualIFTrafficSelectorId` UInt64	—
`RekeySPI` UInt32	—

Event ID 1029 — WFP: Packet Dropped - Filter Run-Time ID: FilterId, Layer Run-Time ID: LayerId.

Provider: Microsoft-Windows-WFP
Channel: Analytic
Opcode: Info

Description

WFP: Packet Dropped - Filter Run-Time ID: FilterId, Layer Run-Time ID: LayerId.

Message #

WFP: Packet Dropped - Filter Run-Time ID: %10, Layer Run-Time ID: %11

Fields #

Name	Description
`Timestamp` FILETIME	—
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`EtherType` UInt16	—
`MediaType` UInt32	—
`InterfaceType` UInt32	—
`VlanTag` UInt16	—
`FilterId` UInt64	—
`LayerId` UInt16	—
`vSwitchId` UnicodeString	—
`SourcevSwitchPort` UInt32	—
`DestinationvSwitchPort` UInt32	—

Event ID 1030 — Transaction Watchdog Timeout The filtering engine has exceeded the configured threshold to process a transaction.

Provider: Microsoft-Windows-WFP
Channel: Operational
Level: Warning
Opcode: Info

Description

Transaction Watchdog Timeout.

Message #

Transaction Watchdog Timeout
The filtering engine has exceeded the configured threshold to process a transaction. This could indicate a suboptimal policy configuration that may cause temporary network outages.
    Owning Process ID: %1
    Transaction Time (msec): %2
    Transaction Commit Time (msec): %3
    Configured Threshold (msec): %4

Fields #

Name	Description
`ProcessId` UInt32	—
`TxnTimeInMSec` UInt32	—
`CommitTimeInMSec` UInt32	—
`WatchdogTimeoutInMSec` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WFP",
    "guid": "0C478C5B-0351-41B1-8C58-4A6737DA32E3",
    "event_source_name": "",
    "event_id": 1030,
    "version": 0,
    "level": 3,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686293305294848,
    "time_created": "2023-11-06T00:38:29.619758+00:00",
    "event_record_id": 29,
    "correlation": {},
    "execution": {
      "process_id": 2896,
      "thread_id": 7680
    },
    "channel": "Microsoft-Windows-WFP/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-19"
    }
  },
  "event_data": {
    "ProcessId": 4940,
    "TxnTimeInMSec": 968,
    "CommitTimeInMSec": 0,
    "WatchdogTimeoutInMSec": 500
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 1031 — File path trigger increment due to match for FilePath, counter value Counter.

Provider: Microsoft-Windows-WFP
Channel: Operational
Opcode: Info

Description

File path trigger increment due to match for FilePath, counter value Counter.

Message #

File path trigger increment due to match for %2, counter value %1

Fields #

Name	Description
`Counter` UInt32	—
`FilePath` UnicodeString	—

Event ID 1032 — File path trigger decrement due to match for FilePath, counter value Counter.

Provider: Microsoft-Windows-WFP
Channel: Operational
Opcode: Info

Description

File path trigger decrement due to match for FilePath, counter value Counter.

Message #

File path trigger decrement due to match for %2, counter value %1

Fields #

Name	Description
`Counter` UInt32	—
`FilePath` UnicodeString	—

Event ID 1033 — Modern app trigger increment due to match for AppSID, counter value Counter.

Provider: Microsoft-Windows-WFP
Channel: Operational
Opcode: Info

Description

Modern app trigger increment due to match for AppSID, counter value Counter.

Message #

Modern app trigger increment due to match for %2, counter value %1

Fields #

Name	Description
`Counter` UInt32	—
`AppSID` SID	—

Event ID 1034 — Modern app trigger decrement due to match for AppSID, counter value Counter.

Provider: Microsoft-Windows-WFP
Channel: Operational
Opcode: Info

Description

Modern app trigger decrement due to match for AppSID, counter value Counter.

Message #

Modern app trigger decrement due to match for %2, counter value %1

Fields #

Name	Description
`Counter` UInt32	—
`AppSID` SID	—

Event ID 1035 — Modern app trigger decrement due to match for SecurityDescriptor, counter value Counter.

Provider: Microsoft-Windows-WFP
Channel: Operational
Opcode: Info

Description

Modern app trigger decrement due to match for SecurityDescriptor, counter value Counter.

Message #

Modern app trigger decrement due to match for %2, counter value %1

Fields #

Name	Description
`Counter` UInt32	—
`SecurityDescriptor` UnicodeString	—

Event ID 1036 — Modern app trigger decrement due to match for SecurityDescriptor, counter value Counter.

Provider: Microsoft-Windows-WFP
Channel: Operational
Opcode: Info

Description

Modern app trigger decrement due to match for SecurityDescriptor, counter value Counter.

Message #

Modern app trigger decrement due to match for %2, counter value %1

Fields #

Name	Description
`Counter` UInt32	—
`SecurityDescriptor` UnicodeString	—

Event ID 1037 — Trigger increment due to NRPT lookup, counter value Counter.

Provider: Microsoft-Windows-WFP
Channel: Operational
Opcode: Info

Description

Trigger increment due to NRPT lookup, counter value Counter.

Message #

Trigger increment due to NRPT lookup, counter value %1

Fields #

Name	Description
`Counter` UInt32	—

Event ID 1038 — Trigger decrement due to NRPT idle, counter value Counter.

Provider: Microsoft-Windows-WFP
Channel: Operational
Opcode: Info

Description

Trigger decrement due to NRPT idle, counter value Counter.

Message #

Trigger decrement due to NRPT idle, counter value %1

Fields #

Name	Description
`Counter` UInt32	—

Event ID 1039 — Trigger increment due to flow creation, counter value: Counter, local address: LocalAddress, remote address: RemoteAddress, protocol IPProtocol.

Provider: Microsoft-Windows-WFP
Channel: Operational
Opcode: Info

Description

Trigger increment due to flow creation, counter value: Counter, local address: LocalAddress, remote address: RemoteAddress, protocol IPProtocol.

Message #

Trigger increment due to flow creation, counter value: %1, local address: %3, remote address: %5, protocol %6

Fields #

Name	Description
`Counter` UInt32	—
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`IPProtocol` UInt32	—

Event ID 1040 — Trigger decrement due to flow deletion, counter value: Counter, local address: LocalAddress, remote address: RemoteAddress, protocol IPProtocol.

Provider: Microsoft-Windows-WFP
Channel: Operational
Opcode: Info

Description

Trigger decrement due to flow deletion, counter value: Counter, local address: LocalAddress, remote address: RemoteAddress, protocol IPProtocol.

Message #

Trigger decrement due to flow deletion, counter value: %1, local address: %3, remote address: %5, protocol %6

Fields #

Name	Description
`Counter` UInt32	—
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`IPProtocol` UInt32	—

Event ID 1041 — Connect occurred due to unexpected disconnect, counter value Counter.

Provider: Microsoft-Windows-WFP
Channel: Operational
Opcode: Info

Description

Connect occurred due to unexpected disconnect, counter value Counter.

Message #

Connect occurred due to unexpected disconnect, counter value %1

Fields #

Name	Description
`Counter` UInt32	—

Event ID 1042 — Disconnecting after expiration of debounce interval

Provider: Microsoft-Windows-WFP
Channel: Operational
Opcode: Info

Description

Disconnecting after expiration of debounce interval.

Message #

Disconnecting after expiration of debounce interval

Event ID 1043 — IPsec: Main Mode SA Established

Provider: Microsoft-Windows-WFP
Channel: Operational
Opcode: Info

Description

IPsec: Main Mode SA Established.

Message #

IPsec: Main Mode SA Established

Fields #

Name	Description
`MainModeLocalAddressLength` UInt32	—
`MainModeLocalAddress` Binary	—
`MainModePeerAddressLength` UInt32	—
`MainModePeerAddress` Binary	—
`KeyingModule` UInt32	—
`AuthenticationMethodType` UInt32	—
`EncryptionAlgorithm` UInt32	—
`AuthenticationAlgorithm` UInt32	—
`DiffieHellmanGroup` UInt32	—
`LifetimeMinutes` UInt32	—
`QMLimit` UInt32	—
`Role` UInt32	—
`Impersonation` UInt32	—
`MMFilterId` UInt64	—
`SaLuid` UInt64	—
`ProviderContextKey` GUID	—
`VirtualIfTunnelId` UInt64	—
`ICookie` UInt64	—
`RCookie` UInt64	—

Event ID 1044 — Received the first packet on low power enabled IKE tunnel with SPI: SPI.

Provider: Microsoft-Windows-WFP
Channel: Operational
Opcode: Info

Description

Received the first packet on low power enabled IKE tunnel with SPI: SPI.

Message #

Received the first packet on low power enabled IKE tunnel with SPI: %9

Fields #

Name	Description
`Timestamp` FILETIME	—
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`ScopeId` UInt32	—
`AppId` UnicodeString	—
`UserSID` SID	—
`SPI` UInt32	—