Microsoft-Windows-Winsock-AFD

96 events across 1 channel

Event ID	Title	Channel
1	Socket creation: Process Endpoint AddressFamily SocketType Protocol.	Operational
2	Socket bind: Process Endpoint Address Port Status.	Operational
3	Socket bind: Process Endpoint Address Port Status.	Operational
4	Socket connect: Process Endpoint Address Port.	Operational
5	Socket connect: Process Endpoint Address Port.	Operational
6	Connect completed: Process Endpoint Error.	Operational
7	AFD initiated abort: Process Endpoint Reason.	Operational
8	Transport initiated abort: Process Endpoint Reason.	Operational
9	Failed send request: Process Endpoint Error.	Operational
10	Failed WSASendMsg request: Process Endpoint Error.	Operational
11	Failed recv request: Process Endpoint Error.	Operational
12	Failed recvfrom request: Process Endpoint Error.	Operational
13	Socket close: Process Endpoint Error.	Operational
14	Socket cleanup (all references removed): Process Endpoint Error.	Operational
15	Socket accept: Process Endpoint Address Port Status.	Operational
16	Socket accept: Process Endpoint Address Port Status.	Operational
17	Accept failed: Process Endpoint Error.	Operational
18	Send posted: Process Endpoint FastPath BufferCount Buffer BufferLength.	Operational
19	Receive posted: Process Endpoint FastPath BufferCount Buffer BufferLength.	Operational
20	RecvFrom posted: Process Endpoint FastPath BufferCount Buffer BufferLength.	Operational
21	SendTo posted: Process Endpoint FastPath BufferCount Buffer BufferLength Address …	Operational
22	SendTo posted: Process Endpoint FastPath BufferCount Buffer BufferLength Address …	Operational
23	Recv completed: Process Endpoint Buffer BufferLength.	Operational
24	Send completed: Process Endpoint Buffer BufferLength.	Operational
25	SendMsg completed: Process Endpoint Buffer BufferLength.	Operational
26	RecvFrom completed: Process Endpoint BufferCount Buffer BufferLength Address …	Operational
27	RecvFrom completed: Process Endpoint BufferCount Buffer BufferLength Address …	Operational
28	SendTo completed: Process Endpoint Buffer BufferLength.	Operational
29	Socket option set: Process Endpoint Option Value.	Operational
30	Select/Poll posted: Process HandleCount Timeout.	Operational
31	Select/Poll completed: Process Endpoint Error.	Operational
32	WSAEventSelect: Process Endpoint EventMask.	Operational
33	Datagram dropped: Process Endpoint PacketSize Address Port Reason.	Operational
34	Datagram dropped: Process Endpoint PacketSize Address Port Reason.	Operational
35	Connection indicated: Process ListenEndpoint Address Port.	Operational
36	Connection indicated: Process ListenEndpoint Address Port.	Operational
37	Data indicated from transport: Process Endpoint BytesIndicated.	Operational
38	Data indicated from transport: Process Endpoint Address Port BytesIndicated.	Operational
39	Data indicated from transport: Process Endpoint Address Port BytesIndicated.	Operational
40	Failed bind: Process Endpoint Error.	Operational
41	Disconnect indicated from transport: Process Endpoint.	Operational
1000	socket: EnterExit: Process Process (ProcessId), Endpoint Endpoint, Family …	Operational
1001	closesocket: EnterExit: Process Process, Endpoint Endpoint, Seq Location, Status …	Operational
1002	socket cleanup: EnterExit: Process Process, Endpoint Endpoint, Seq Location, …	Operational
1003	send: EnterExit: Process Process, Endpoint Endpoint, Buffer Count BufferCount, …	Operational
1004	recv: EnterExit: Process Process, Endpoint Endpoint, Buffer Count BufferCount, …	Operational
1005	sendto: EnterExit: Process Process, Endpoint Endpoint, Buffer Count BufferCount, …	Operational
1006	recvfrom: EnterExit: Process Process, Endpoint Endpoint, Buffer Count …	Operational
1007	sendto: EnterExit: Process Process, Endpoint Endpoint, Buffer Count BufferCount, …	Operational
1009	recvfrom: EnterExit: Process Process, Endpoint Endpoint, Buffer Count …	Operational
1011	sendmsg: EnterExit: Process Process, Endpoint Endpoint, Buffer Count …	Operational
1012	recvmsg: EnterExit: Process Process, Endpoint Endpoint, Buffer Count …	Operational
1013	sendmsg: EnterExit: Process Process, Endpoint Endpoint, Buffer Count …	Operational
1015	recvmsg: EnterExit: Process Process, Endpoint Endpoint, Buffer Count …	Operational
1017	connect: EnterExit: Process Process, Endpoint Endpoint, Seq Location, Status …	Operational
1018	connect: EnterExit: Process Process, Endpoint Endpoint, Address Address, Seq …	Operational
1020	ConnectEx: EnterExit: Process Process, Endpoint Endpoint, Seq Location, Status …	Operational
1021	ConnectEx: EnterExit: Process Process, Endpoint Endpoint, Buffer Buffer, Length …	Operational
1023	accept: EnterExit: Process Process, Endpoint Endpoint, Seq Location, Status …	Operational
1024	accept: EnterExit: Process Process, Endpoint Endpoint, Address Address, Accept …	Operational
1026	AcceptEx: EnterExit: Process Process, Endpoint Endpoint, Seq Location, Status …	Operational
1027	AcceptEx: EnterExit: Process Process, Endpoint Endpoint, Buffer Buffer, Length …	Operational
1029	bind: EnterExit: Process Process, Endpoint Endpoint, Seq Location, Status …	Operational
1030	bind: EnterExit: Process Process, Endpoint Endpoint, Address Address, Seq …	Operational
1032	connection aborted: EnterExit: Process Process, Endpoint Endpoint, Seq Location, …	Operational
1033	datagram dropped: EnterExit: Process Process, Endpoint Endpoint, Buffer Buffer, …	Operational
1035	Socket option: EnterExit: Process Process, Endpoint Endpoint, Option Option, …	Operational
1036	Wait for listen: EnterExit: Process Process, Endpoint Endpoint, Seq Location, …	Operational
1037	Listen: EnterExit: Process Process, Endpoint Endpoint, Backlog Backlog, Seq …	Operational
3000	Connect indication: EnterExit: Process Process, Endpoint Endpoint, Seq Location, …	Operational
3001	Connect indication: EnterExit: Process Process, Endpoint Endpoint, Address …	Operational
3003	Data indication: EnterExit: Process Process, Endpoint Endpoint, Buffer Buffer, …	Operational
3004	Data indication: EnterExit: Process Process, Endpoint Endpoint, Buffer Buffer, …	Operational
3006	disconnect indicated: EnterExit: Process Process, Endpoint Endpoint, Seq …	Operational
3007	Transport send backlog: Process EnterExit, Endpoint Location, Send Backlog …	Operational
4000	Registration domain RegistrationDomain create status Status.	Operational
4001	Registration domain RegistrationDomain closed.	Operational
4002	CQ Cq created with EntryCount entries, index CqIndex and notification type …	Operational
4003	CQ Cq closed with Commit commit.	Operational
4004	CQ Cq cleaned up.	Operational
4005	CQ Cq with Commit commit resized from OriginalEntryCount to RequestedEntryCount, …	Operational
4006	RQ RioState created on endpoint Endpoint with ReceiveEntryCount receive and …	Operational
4007	RQ RioState closed, receive = (ReceiveQueueStart,ReceiveQueueEnd) send = …	Operational
4008	RQ RioState cleaned up.	Operational
4009	RQ RioState resized from (OriginalReceiveEntryCount,OriginalSendEntryCount) to …	Operational
4010	Buffer Buffer registered with address UserAddress and length BufferSize, system …	Operational
4011	Buffer Buffer deregistered with References references.	Operational
4012	Buffer Buffer cleaned up.	Operational
4013	RQ RioState using invalid buffer ID BufferId.	Operational
4014	RQ RioState invalid use of buffer Buffer, offset = BufferOffset, length = …	Operational
4015	RQ RioState using invalid buffer size for BufferType, specified = …	Operational
4016	NRT Create: Handle = NameResolutionHandle Process = Process Status = Status.	Operational
4017	NRT Close: Handle = NameResolutionHandle Process = Process.	Operational
4018	CQ Cq notify EnterExit Seq Location Status Status.	Operational
4019	accept EnterExit [1 = Pause, 0 = Unpause] PauseUnPause Seq Location Endpoint …	Operational
4020	RQ RioState invalid buffer sharing ID BufferId sharing type BufferSharingType.	Operational

Event ID 1 — Socket creation: Process Endpoint AddressFamily SocketType Protocol.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational

Description

Socket creation: Process Endpoint AddressFamily SocketType Protocol.

Message #

Socket creation: %1 %2 %3 %4 %5

Fields #

Name	Description
`Process` Pointer	—
`Endpoint` Pointer	—
`AddressFamily` UInt32	—
`SocketType` UInt32	—
`Protocol` UInt32	— Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`UserModePid` Pointer	—

Event ID 2 — Socket bind: Process Endpoint Address Port Status.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational

Description

Socket bind: Process Endpoint Address Port Status.

Message #

Socket bind: %1 %2 %3 %4 %5

Fields #

Name	Description
`Process` Pointer	—
`Endpoint` Pointer	—
`Address` UInt32	—
`Port` UInt16	—
`Status` UInt32	— NTSTATUS reference

Event ID 3 — Socket bind: Process Endpoint Address Port Status.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational

Description

Socket bind: Process Endpoint Address Port Status.

Message #

Socket bind: %1 %2 %3 %4 %5

Fields #

Name	Description
`Process` Pointer	—
`Endpoint` Pointer	—
`Address` Binary	—
`Port` UInt16	—
`Status` UInt32	— NTSTATUS reference

Event ID 4 — Socket connect: Process Endpoint Address Port.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational

Description

Socket connect: Process Endpoint Address Port.

Message #

Socket connect: %1 %2 %3 %4

Fields #

Name	Description
`Process` Pointer	—
`Endpoint` Pointer	—
`Address` UInt32	—
`Port` UInt16	—

Event ID 5 — Socket connect: Process Endpoint Address Port.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational

Description

Socket connect: Process Endpoint Address Port.

Message #

Socket connect: %1 %2 %3 %4

Fields #

Name	Description
`Process` Pointer	—
`Endpoint` Pointer	—
`Address` Binary	—
`Port` UInt16	—

Event ID 6 — Connect completed: Process Endpoint Error.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational

Description

Connect completed: Process Endpoint Error.

Message #

Connect completed: %1 %2 %3

Fields #

Name	Description
`Process` Pointer	—
`Endpoint` Pointer	—
`Error` UInt32	—

Event ID 7 — AFD initiated abort: Process Endpoint Reason.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational

Description

AFD initiated abort: Process Endpoint Reason.

Message #

AFD initiated abort: %1 %2 %3

Fields #

Name	Description
`Process` Pointer	—
`Endpoint` Pointer	—
`Reason` Int32	—

Event ID 8 — Transport initiated abort: Process Endpoint Reason.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational

Description

Transport initiated abort: Process Endpoint Reason.

Message #

Transport initiated abort: %1 %2 %3

Fields #

Name	Description
`Process` Pointer	—
`Endpoint` Pointer	—
`Reason` Int32	—

Event ID 9 — Failed send request: Process Endpoint Error.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational

Description

Failed send request: Process Endpoint Error.

Message #

Failed send request: %1 %2 %3

Fields #

Name	Description
`Process` Pointer	—
`Endpoint` Pointer	—
`Error` UInt32	—

Event ID 10 — Failed WSASendMsg request: Process Endpoint Error.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational

Description

Failed WSASendMsg request: Process Endpoint Error.

Message #

Failed WSASendMsg request: %1 %2 %3

Fields #

Name	Description
`Process` Pointer	—
`Endpoint` Pointer	—
`Error` UInt32	—

Event ID 11 — Failed recv request: Process Endpoint Error.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational

Description

Failed recv request: Process Endpoint Error.

Message #

Failed recv request: %1 %2 %3

Fields #

Name	Description
`Process` Pointer	—
`Endpoint` Pointer	—
`Error` UInt32	—

Event ID 12 — Failed recvfrom request: Process Endpoint Error.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational

Description

Failed recvfrom request: Process Endpoint Error.

Message #

Failed recvfrom request: %1 %2 %3

Fields #

Name	Description
`Process` Pointer	—
`Endpoint` Pointer	—
`Error` UInt32	—

Event ID 13 — Socket close: Process Endpoint Error.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational

Description

Socket close: Process Endpoint Error.

Message #

Socket close: %1 %2 %3

Fields #

Name	Description
`Process` Pointer	—
`Endpoint` Pointer	—
`Error` UInt32	—

Event ID 14 — Socket cleanup (all references removed): Process Endpoint Error.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational

Description

Socket cleanup (all references removed): Process Endpoint Error.

Message #

Socket cleanup (all references removed): %1 %2 %3

Fields #

Name	Description
`Process` Pointer	—
`Endpoint` Pointer	—
`Error` UInt32	—

Event ID 15 — Socket accept: Process Endpoint Address Port Status.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational

Description

Socket accept: Process Endpoint Address Port Status.

Message #

Socket accept: %1 %2 %3 %4 %5

Fields #

Name	Description
`Process` Pointer	—
`Endpoint` Pointer	—
`Address` UInt32	—
`Port` UInt16	—
`Status` UInt32	— NTSTATUS reference

Event ID 16 — Socket accept: Process Endpoint Address Port Status.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational

Description

Socket accept: Process Endpoint Address Port Status.

Message #

Socket accept: %1 %2 %3 %4 %5

Fields #

Name	Description
`Process` Pointer	—
`Endpoint` Pointer	—
`Address` Binary	—
`Port` UInt16	—
`Status` UInt32	— NTSTATUS reference

Event ID 17 — Accept failed: Process Endpoint Error.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational

Description

Accept failed: Process Endpoint Error.

Message #

Accept failed: %1 %2 %3

Fields #

Name	Description
`Process` Pointer	—
`Endpoint` Pointer	—
`Error` UInt32	—

Event ID 18 — Send posted: Process Endpoint FastPath BufferCount Buffer BufferLength.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational

Description

Send posted: Process Endpoint FastPath BufferCount Buffer BufferLength.

Message #

Send posted: %1 %2 %3 %4 %5 %6

Fields #

Name	Description
`Process` Pointer	—
`Endpoint` Pointer	—
`FastPath` Boolean	—
`BufferCount` Int32	—
`Buffer` Pointer	—
`BufferLength` UInt32	—

Event ID 19 — Receive posted: Process Endpoint FastPath BufferCount Buffer BufferLength.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational

Description

Receive posted: Process Endpoint FastPath BufferCount Buffer BufferLength.

Message #

Receive posted: %1 %2 %3 %4 %5 %6

Fields #

Name	Description
`Process` Pointer	—
`Endpoint` Pointer	—
`FastPath` Boolean	—
`BufferCount` Int32	—
`Buffer` Pointer	—
`BufferLength` UInt32	—

Event ID 20 — RecvFrom posted: Process Endpoint FastPath BufferCount Buffer BufferLength.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational

Description

RecvFrom posted: Process Endpoint FastPath BufferCount Buffer BufferLength.

Message #

RecvFrom posted: %1 %2 %3 %4 %5 %6

Fields #

Name	Description
`Process` Pointer	—
`Endpoint` Pointer	—
`FastPath` Boolean	—
`BufferCount` Int32	—
`Buffer` Pointer	—
`BufferLength` UInt32	—

Event ID 21 — SendTo posted: Process Endpoint FastPath BufferCount Buffer BufferLength Address Port.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational

Description

SendTo posted: Process Endpoint FastPath BufferCount Buffer BufferLength Address Port.

Message #

SendTo posted: %1 %2 %3 %4 %5 %6 %7 %8

Fields #

Name	Description
`Process` Pointer	—
`Endpoint` Pointer	—
`FastPath` Boolean	—
`BufferCount` Int32	—
`Buffer` Pointer	—
`BufferLength` UInt32	—
`Address` UInt32	—
`Port` UInt16	—

Event ID 22 — SendTo posted: Process Endpoint FastPath BufferCount Buffer BufferLength Address Port.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational

Description

SendTo posted: Process Endpoint FastPath BufferCount Buffer BufferLength Address Port.

Message #

SendTo posted: %1 %2 %3 %4 %5 %6 %7 %8

Fields #

Name	Description
`Process` Pointer	—
`Endpoint` Pointer	—
`FastPath` Boolean	—
`BufferCount` Int32	—
`Buffer` Pointer	—
`BufferLength` UInt32	—
`Address` Binary	—
`Port` UInt16	—

Event ID 23 — Recv completed: Process Endpoint Buffer BufferLength.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational

Description

Recv completed: Process Endpoint Buffer BufferLength.

Message #

Recv completed: %1 %2 %3 %4

Fields #

Name	Description
`Process` Pointer	—
`Endpoint` Pointer	—
`Buffer` Pointer	—
`BufferLength` UInt32	—

Event ID 24 — Send completed: Process Endpoint Buffer BufferLength.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational

Description

Send completed: Process Endpoint Buffer BufferLength.

Message #

Send completed: %1 %2 %3 %4

Fields #

Name	Description
`Process` Pointer	—
`Endpoint` Pointer	—
`Buffer` Pointer	—
`BufferLength` UInt32	—

Event ID 25 — SendMsg completed: Process Endpoint Buffer BufferLength.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational

Description

SendMsg completed: Process Endpoint Buffer BufferLength.

Message #

SendMsg completed: %1 %2 %3 %4

Fields #

Name	Description
`Process` Pointer	—
`Endpoint` Pointer	—
`Buffer` Pointer	—
`BufferLength` UInt32	—

Event ID 26 — RecvFrom completed: Process Endpoint BufferCount Buffer BufferLength Address Port.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational

Description

RecvFrom completed: Process Endpoint BufferCount Buffer BufferLength Address Port.

Message #

RecvFrom completed: %1 %2 %3 %4 %5 %6 %7

Fields #

Name	Description
`Process` Pointer	—
`Endpoint` Pointer	—
`BufferCount` Int32	—
`Buffer` Pointer	—
`BufferLength` UInt32	—
`Address` UInt32	—
`Port` UInt16	—

Event ID 27 — RecvFrom completed: Process Endpoint BufferCount Buffer BufferLength Address Port.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational

Description

RecvFrom completed: Process Endpoint BufferCount Buffer BufferLength Address Port.

Message #

RecvFrom completed: %1 %2 %3 %4 %5 %6 %7

Fields #

Name	Description
`Process` Pointer	—
`Endpoint` Pointer	—
`BufferCount` Int32	—
`Buffer` Pointer	—
`BufferLength` UInt32	—
`Address` Binary	—
`Port` UInt16	—

Event ID 28 — SendTo completed: Process Endpoint Buffer BufferLength.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational

Description

SendTo completed: Process Endpoint Buffer BufferLength.

Message #

SendTo completed: %1 %2 %3 %4

Fields #

Name	Description
`Process` Pointer	—
`Endpoint` Pointer	—
`Buffer` Pointer	—
`BufferLength` UInt32	—

Event ID 29 — Socket option set: Process Endpoint Option Value.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational

Description

Socket option set: Process Endpoint Option Value.

Message #

Socket option set: %1 %2 %3 %4

Fields #

Name	Description
`Process` Pointer	—
`Endpoint` Pointer	—
`Option` UInt32	—
`Value` UInt32	—

Event ID 30 — Select/Poll posted: Process HandleCount Timeout.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational

Description

Select/Poll posted: Process HandleCount Timeout.

Message #

Select/Poll posted: %1 %2 %3

Fields #

Name	Description
`Process` Pointer	—
`HandleCount` Int32	—
`Timeout` Int32	—

Event ID 31 — Select/Poll completed: Process Endpoint Error.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational

Description

Select/Poll completed: Process Endpoint Error.

Message #

Select/Poll completed: %1 %2 %3

Fields #

Name	Description
`Process` Pointer	—
`Endpoint` Pointer	—
`Error` UInt32	—

Event ID 32 — WSAEventSelect: Process Endpoint EventMask.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational

Description

WSAEventSelect: Process Endpoint EventMask.

Message #

WSAEventSelect: %1 %2 %3

Fields #

Name	Description
`Process` Pointer	—
`Endpoint` Pointer	—
`EventMask` UInt32	—

Event ID 33 — Datagram dropped: Process Endpoint PacketSize Address Port Reason.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational

Description

Datagram dropped: Process Endpoint PacketSize Address Port Reason.

Message #

Datagram dropped: %1 %2 %3 %4 %5 %6

Fields #

Name	Description
`Process` Pointer	—
`Endpoint` Pointer	—
`PacketSize` Int32	—
`Address` UInt32	—
`Port` UInt16	—
`Reason` Int32	—

Event ID 34 — Datagram dropped: Process Endpoint PacketSize Address Port Reason.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational

Description

Datagram dropped: Process Endpoint PacketSize Address Port Reason.

Message #

Datagram dropped: %1 %2 %3 %4 %5 %6

Fields #

Name	Description
`Process` Pointer	—
`Endpoint` Pointer	—
`PacketSize` Int32	—
`Address` Binary	—
`Port` UInt16	—
`Reason` Int32	—

Event ID 35 — Connection indicated: Process ListenEndpoint Address Port.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational

Description

Connection indicated: Process ListenEndpoint Address Port.

Message #

Connection indicated: %1 %2 %3 %4

Fields #

Name	Description
`Process` Pointer	—
`ListenEndpoint` Pointer	—
`Address` UInt32	—
`Port` UInt16	—

Event ID 36 — Connection indicated: Process ListenEndpoint Address Port.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational

Description

Connection indicated: Process ListenEndpoint Address Port.

Message #

Connection indicated: %1 %2 %3 %4

Fields #

Name	Description
`Process` Pointer	—
`ListenEndpoint` Pointer	—
`Address` Binary	—
`Port` UInt16	—

Event ID 37 — Data indicated from transport: Process Endpoint BytesIndicated.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational

Description

Data indicated from transport: Process Endpoint BytesIndicated.

Message #

Data indicated from transport: %1 %2 %3

Fields #

Name	Description
`Process` Pointer	—
`Endpoint` Pointer	—
`BytesIndicated` Int32	—

Event ID 38 — Data indicated from transport: Process Endpoint Address Port BytesIndicated.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational

Description

Data indicated from transport: Process Endpoint Address Port BytesIndicated.

Message #

Data indicated from transport: %1 %2 %3 %4 %5

Fields #

Name	Description
`Process` Pointer	—
`Endpoint` Pointer	—
`Address` UInt32	—
`Port` UInt16	—
`BytesIndicated` Int32	—

Event ID 39 — Data indicated from transport: Process Endpoint Address Port BytesIndicated.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational

Description

Data indicated from transport: Process Endpoint Address Port BytesIndicated.

Message #

Data indicated from transport: %1 %2 %3 %4 %5

Fields #

Name	Description
`Process` Pointer	—
`Endpoint` Pointer	—
`Address` Binary	—
`Port` UInt16	—
`BytesIndicated` Int32	—

Event ID 40 — Failed bind: Process Endpoint Error.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational

Description

Failed bind: Process Endpoint Error.

Message #

Failed bind: %1 %2 %3

Fields #

Name	Description
`Process` Pointer	—
`Endpoint` Pointer	—
`Error` UInt32	—

Event ID 41 — Disconnect indicated from transport: Process Endpoint.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational

Description

Disconnect indicated from transport: Process Endpoint.

Message #

Disconnect indicated from transport: %1 %2

Fields #

Name	Description
`Process` Pointer	—
`Endpoint` Pointer	—

Event ID 1000 — socket: EnterExit: Process Process (ProcessId), Endpoint Endpoint, Family AddressFamily, Type SocketType, Protocol Protocol, Seq Location, Status Status.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational
Level: Informational
Task: AfdCreate
Opcode: Open

Description

socket: EnterExit: Process Process (ProcessId), Endpoint Endpoint, Family AddressFamily, Type SocketType, Protocol Protocol, Seq Location, Status Status.

Message #

socket: %1: Process %3 (%8), Endpoint %4, Family %5, Type %6, Protocol %7, Seq %2, Status %9

Fields #

Name	Description
`EnterExit` UInt32	—
`Location` UInt32	—
`Process` Pointer	—
`Endpoint` Pointer	—
`AddressFamily` UInt32	—
`SocketType` UInt32	—
`Protocol` UInt32	— Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`ProcessId` Pointer	—
`Status` UInt32	— NTSTATUS reference

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Winsock-AFD",
    "guid": "E53C6823-7BB8-44BB-90DC-3F86090D48A6",
    "event_source_name": "",
    "event_id": 1000,
    "version": 0,
    "level": 4,
    "task": 1000,
    "opcode": 10,
    "keywords": 9223372036854775814,
    "time_created": "2026-03-13T19:59:51.602757+00:00",
    "event_record_id": 3153,
    "correlation": {
      "ActivityID": "D9AB9B70-D189-FFFF-0000-000000000000"
    },
    "execution": {
      "process_id": 3464,
      "thread_id": 6604
    },
    "channel": "Microsoft-Windows-Winsock-AFD/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "EnterExit": 0,
    "Location": 1006,
    "Process": "0xffffd189daf16080",
    "Endpoint": "0xffffd189d9ab9b70",
    "AddressFamily": 2,
    "SocketType": 1,
    "Protocol": 6,
    "ProcessId": "0xd88",
    "Status": 0
  },
  "message": ""
}

Event ID 1001 — closesocket: EnterExit: Process Process, Endpoint Endpoint, Seq Location, Status Status.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational
Level: Informational
Task: AfdClose
Opcode: Closed

Description

closesocket: EnterExit: Process Process, Endpoint Endpoint, Seq Location, Status Status.

Message #

closesocket: %1: Process %3, Endpoint %4, Seq %2, Status %5

Fields #

Name	Description
`EnterExit` UInt32	—
`Location` UInt32	—
`Process` Pointer	—
`Endpoint` Pointer	—
`Status` UInt32	— NTSTATUS reference

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Winsock-AFD",
    "guid": "E53C6823-7BB8-44BB-90DC-3F86090D48A6",
    "event_source_name": "",
    "event_id": 1001,
    "version": 0,
    "level": 4,
    "task": 1001,
    "opcode": 15,
    "keywords": 9223372036854775814,
    "time_created": "2026-03-13T19:59:57.027445+00:00",
    "event_record_id": 4358,
    "correlation": {
      "ActivityID": "D9AFF980-D189-FFFF-0000-000000000000"
    },
    "execution": {
      "process_id": 3384,
      "thread_id": 428
    },
    "channel": "Microsoft-Windows-Winsock-AFD/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "EnterExit": 0,
    "Location": 2000,
    "Process": "0xffffd189daf44080",
    "Endpoint": "0xffffd189d9aff980",
    "Status": 0
  },
  "message": ""
}

Event ID 1002 — socket cleanup: EnterExit: Process Process, Endpoint Endpoint, Seq Location, Status Status.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational
Level: Informational
Task: AfdCleanup
Opcode: Freed

Description

socket cleanup: EnterExit: Process Process, Endpoint Endpoint, Seq Location, Status Status.

Message #

socket cleanup: %1: Process %3, Endpoint %4, Seq %2, Status %5

Fields #

Name	Description
`EnterExit` UInt32	—
`Location` UInt32	—
`Process` Pointer	—
`Endpoint` Pointer	—
`Status` UInt32	— NTSTATUS reference

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Winsock-AFD",
    "guid": "E53C6823-7BB8-44BB-90DC-3F86090D48A6",
    "event_source_name": "",
    "event_id": 1002,
    "version": 0,
    "level": 4,
    "task": 1002,
    "opcode": 16,
    "keywords": 9223372036854775814,
    "time_created": "2026-03-13T19:59:57.027436+00:00",
    "event_record_id": 4356,
    "correlation": {
      "ActivityID": "D9AFF980-D189-FFFF-0000-000000000000"
    },
    "execution": {
      "process_id": 3384,
      "thread_id": 428
    },
    "channel": "Microsoft-Windows-Winsock-AFD/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "EnterExit": 0,
    "Location": 2002,
    "Process": "0xffffd189daf44080",
    "Endpoint": "0xffffd189d9aff980",
    "Status": 0
  },
  "message": ""
}

Event ID 1003 — send: EnterExit: Process Process, Endpoint Endpoint, Buffer Count BufferCount, Buffer Buffer, Length BufferLength, Seq Location, Status Status.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational
Level: Informational
Task: AfdSend
Opcode: Connected

Description

send: EnterExit: Process Process, Endpoint Endpoint, Buffer Count BufferCount, Buffer Buffer, Length BufferLength, Seq Location, Status Status.

Message #

send: %1: Process %3, Endpoint %4, Buffer Count %5, Buffer %6, Length %7, Seq %2, Status %8

Fields #

Name	Description
`EnterExit` UInt32	—
`Location` UInt32	—
`Process` Pointer	—
`Endpoint` Pointer	—
`BufferCount` UInt32	—
`Buffer` Pointer	—
`BufferLength` UInt32	—
`Status` UInt32	— NTSTATUS reference

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Winsock-AFD",
    "guid": "E53C6823-7BB8-44BB-90DC-3F86090D48A6",
    "event_source_name": "",
    "event_id": 1003,
    "version": 0,
    "level": 4,
    "task": 1003,
    "opcode": 12,
    "keywords": 9223372036854775830,
    "time_created": "2026-03-13T19:59:49.323034+00:00",
    "event_record_id": 2612,
    "correlation": {
      "ActivityID": "D2F886E0-D189-FFFF-0000-000000000000"
    },
    "execution": {
      "process_id": 3676,
      "thread_id": 5656
    },
    "channel": "Microsoft-Windows-Winsock-AFD/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "EnterExit": 1,
    "Location": 3051,
    "Process": "0xffffd189dc00f080",
    "Endpoint": "0xffffd189da6fede0",
    "BufferCount": 1,
    "Buffer": "0xffffd189d2f88f28",
    "BufferLength": 969,
    "Status": 0
  },
  "message": ""
}

Event ID 1004 — recv: EnterExit: Process Process, Endpoint Endpoint, Buffer Count BufferCount, Buffer Buffer, Length BufferLength, Seq Location, Status Status.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational
Level: Informational
Task: AfdReceive
Opcode: Connected

Description

recv: EnterExit: Process Process, Endpoint Endpoint, Buffer Count BufferCount, Buffer Buffer, Length BufferLength, Seq Location, Status Status.

Message #

recv: %1: Process %3, Endpoint %4, Buffer Count %5, Buffer %6, Length %7, Seq %2, Status %8

Fields #

Name	Description
`EnterExit` UInt32	—
`Location` UInt32	—
`Process` Pointer	—
`Endpoint` Pointer	—
`BufferCount` UInt32	—
`Buffer` Pointer	—
`BufferLength` UInt32	—
`Status` UInt32	— NTSTATUS reference

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Winsock-AFD",
    "guid": "E53C6823-7BB8-44BB-90DC-3F86090D48A6",
    "event_source_name": "",
    "event_id": 1004,
    "version": 0,
    "level": 4,
    "task": 1004,
    "opcode": 12,
    "keywords": 9223372036854775814,
    "time_created": "2026-03-13T19:59:49.323097+00:00",
    "event_record_id": 2613,
    "correlation": {
      "ActivityID": "DDDD9B70-D189-FFFF-0000-000000000000"
    },
    "execution": {
      "process_id": 3676,
      "thread_id": 5620
    },
    "channel": "Microsoft-Windows-Winsock-AFD/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "EnterExit": 0,
    "Location": 4107,
    "Process": "0xffffd189dc00f080",
    "Endpoint": "0xffffd189da6fede0",
    "BufferCount": 1,
    "Buffer": "0xffffd189e0f16e50",
    "BufferLength": 6,
    "Status": 0
  },
  "message": ""
}

Event ID 1005 — sendto: EnterExit: Process Process, Endpoint Endpoint, Buffer Count BufferCount, Buffer Buffer, Length BufferLength, Seq Location, Status Status.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational
Task: AfdSendTo
Opcode: Connected

Description

sendto: EnterExit: Process Process, Endpoint Endpoint, Buffer Count BufferCount, Buffer Buffer, Length BufferLength, Seq Location, Status Status.

Message #

sendto: %1: Process %3, Endpoint %4, Buffer Count %5, Buffer %6, Length %7, Seq %2, Status %8

Fields #

Name	Description
`EnterExit` UInt32	—
`Location` UInt32	—
`Process` Pointer	—
`Endpoint` Pointer	—
`BufferCount` UInt32	—
`Buffer` Pointer	—
`BufferLength` UInt32	—
`Status` UInt32	— NTSTATUS reference

Event ID 1006 — recvfrom: EnterExit: Process Process, Endpoint Endpoint, Buffer Count BufferCount, Buffer Buffer, Length BufferLength, Seq Location, Status Status.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational
Level: Informational
Task: AfdReceiveFrom
Opcode: Connected

Description

recvfrom: EnterExit: Process Process, Endpoint Endpoint, Buffer Count BufferCount, Buffer Buffer, Length BufferLength, Seq Location, Status Status.

Message #

recvfrom: %1: Process %3, Endpoint %4, Buffer Count %5, Buffer %6, Length %7, Seq %2, Status %8

Fields #

Name	Description
`EnterExit` UInt32	—
`Location` UInt32	—
`Process` Pointer	—
`Endpoint` Pointer	—
`BufferCount` UInt32	—
`Buffer` Pointer	—
`BufferLength` UInt32	—
`Status` UInt32	— NTSTATUS reference

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Winsock-AFD",
    "guid": "E53C6823-7BB8-44BB-90DC-3F86090D48A6",
    "event_source_name": "",
    "event_id": 1006,
    "version": 0,
    "level": 4,
    "task": 1006,
    "opcode": 12,
    "keywords": 9223372036854775813,
    "time_created": "2026-03-13T20:31:42.532206+00:00",
    "event_record_id": 663422,
    "correlation": {
      "ActivityID": "A5139320-800F-FFFF-0000-000000000000"
    },
    "execution": {
      "process_id": 3936,
      "thread_id": 5944
    },
    "channel": "Microsoft-Windows-Winsock-AFD/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "EnterExit": 0,
    "Location": 4049,
    "Process": "0xffff800fa5579080",
    "Endpoint": "0xffff800faa88c810",
    "BufferCount": 1,
    "Buffer": "0xffff800facc0b9f0",
    "BufferLength": 4000,
    "Status": 0
  },
  "message": ""
}

Event ID 1007 — sendto: EnterExit: Process Process, Endpoint Endpoint, Buffer Count BufferCount, Buffer Buffer, Length BufferLength, Addr Address, Seq Location, Status Status.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational
Level: Informational
Task: AfdSendToWithAddress
Opcode: Connected

Description

sendto: EnterExit: Process Process, Endpoint Endpoint, Buffer Count BufferCount, Buffer Buffer, Length BufferLength, Addr Address, Seq Location, Status Status.

Message #

sendto: %1: Process %3, Endpoint %4, Buffer Count %5, Buffer %6, Length %7, Addr %10, Seq %2, Status %8

Fields #

Name	Description
`EnterExit` UInt32	—
`Location` UInt32	—
`Process` Pointer	—
`Endpoint` Pointer	—
`BufferCount` UInt32	—
`Buffer` Pointer	—
`BufferLength` UInt32	—
`Status` UInt32	— NTSTATUS reference
`AddressLen` UInt32	—
`Address` Binary	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Winsock-AFD",
    "guid": "E53C6823-7BB8-44BB-90DC-3F86090D48A6",
    "event_source_name": "",
    "event_id": 1007,
    "version": 0,
    "level": 4,
    "task": 1007,
    "opcode": 12,
    "keywords": 9223372036854775829,
    "time_created": "2026-03-13T20:31:42.532271+00:00",
    "event_record_id": 663423,
    "correlation": {
      "ActivityID": "9F2EAA00-800F-FFFF-0000-000000000000"
    },
    "execution": {
      "process_id": 3936,
      "thread_id": 5944
    },
    "channel": "Microsoft-Windows-Winsock-AFD/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "EnterExit": 0,
    "Location": 3100,
    "Process": "0xffff800fa5579080",
    "Endpoint": "0xffff800fa62e1a70",
    "BufferCount": 1,
    "Buffer": "0xffff800f9f2ea940",
    "BufferLength": 72,
    "Status": 0,
    "AddressLen": 16,
    "Address": "020000350A020AFE0000000000000000"
  },
  "message": ""
}

Event ID 1009 — recvfrom: EnterExit: Process Process, Endpoint Endpoint, Buffer Count BufferCount, Buffer Buffer, Length BufferLength, Addr Address, Seq Location, Status Status.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational
Level: Informational
Task: AfdReceiveFromWithAddress
Opcode: Connected

Description

recvfrom: EnterExit: Process Process, Endpoint Endpoint, Buffer Count BufferCount, Buffer Buffer, Length BufferLength, Addr Address, Seq Location, Status Status.

Message #

recvfrom: %1: Process %3, Endpoint %4, Buffer Count %5, Buffer %6, Length %7, Addr %10, Seq %2, Status %8

Fields #

Name	Description
`EnterExit` UInt32	—
`Location` UInt32	—
`Process` Pointer	—
`Endpoint` Pointer	—
`BufferCount` UInt32	—
`Buffer` Pointer	—
`BufferLength` UInt32	—
`Status` UInt32	— NTSTATUS reference
`AddressLen` UInt32	—
`Address` Binary	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Winsock-AFD",
    "guid": "E53C6823-7BB8-44BB-90DC-3F86090D48A6",
    "event_source_name": "",
    "event_id": 1009,
    "version": 0,
    "level": 4,
    "task": 1009,
    "opcode": 12,
    "keywords": 9223372036854775813,
    "time_created": "2026-03-13T20:31:42.532160+00:00",
    "event_record_id": 663421,
    "correlation": {
      "ActivityID": "AD936A20-800F-FFFF-0000-000000000000"
    },
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Microsoft-Windows-Winsock-AFD/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "EnterExit": 1,
    "Location": 4052,
    "Process": "0xffff800fa5579080",
    "Endpoint": "0xffff800faa88c810",
    "BufferCount": 1,
    "Buffer": "0xffff800faa5c8dc0",
    "BufferLength": 61,
    "Status": 0,
    "AddressLen": 16,
    "Address": "0200F1B40A020A150000000000000000"
  },
  "message": ""
}

Event ID 1011 — sendmsg: EnterExit: Process Process, Endpoint Endpoint, Buffer Count BufferCount, Buffer Buffer, Length BufferLength, Seq Location, Status Status.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational
Task: AfdSendMessage
Opcode: Connected

Description

sendmsg: EnterExit: Process Process, Endpoint Endpoint, Buffer Count BufferCount, Buffer Buffer, Length BufferLength, Seq Location, Status Status.

Message #

sendmsg: %1: Process %3, Endpoint %4, Buffer Count %5, Buffer %6, Length %7, Seq %2, Status %8

Fields #

Name	Description
`EnterExit` UInt32	—
`Location` UInt32	—
`Process` Pointer	—
`Endpoint` Pointer	—
`BufferCount` UInt32	—
`Buffer` Pointer	—
`BufferLength` UInt32	—
`Status` UInt32	— NTSTATUS reference

Event ID 1012 — recvmsg: EnterExit: Process Process, Endpoint Endpoint, Buffer Count BufferCount, Buffer Buffer, Length BufferLength, Seq Location, Status Status.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational
Level: Informational
Task: AfdReceiveMessage
Opcode: Connected

Description

recvmsg: EnterExit: Process Process, Endpoint Endpoint, Buffer Count BufferCount, Buffer Buffer, Length BufferLength, Seq Location, Status Status.

Message #

recvmsg: %1: Process %3, Endpoint %4, Buffer Count %5, Buffer %6, Length %7, Seq %2, Status %8

Fields #

Name	Description
`EnterExit` UInt32	—
`Location` UInt32	—
`Process` Pointer	—
`Endpoint` Pointer	—
`BufferCount` UInt32	—
`Buffer` Pointer	—
`BufferLength` UInt32	—
`Status` UInt32	— NTSTATUS reference

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Winsock-AFD",
    "guid": "E53C6823-7BB8-44BB-90DC-3F86090D48A6",
    "event_source_name": "",
    "event_id": 1012,
    "version": 0,
    "level": 4,
    "task": 1012,
    "opcode": 12,
    "keywords": 9223372036854775813,
    "time_created": "2026-03-13T19:59:57.037247+00:00",
    "event_record_id": 4361,
    "correlation": {
      "ActivityID": "D7C4C410-D189-FFFF-0000-000000000000"
    },
    "execution": {
      "process_id": 1732,
      "thread_id": 8072
    },
    "channel": "Microsoft-Windows-Winsock-AFD/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-20"
    }
  },
  "event_data": {
    "EnterExit": 0,
    "Location": 4049,
    "Process": "0xffffd189dac41080",
    "Endpoint": "0xffffd189da6fe240",
    "BufferCount": 1,
    "Buffer": "0xffffd189e2457150",
    "BufferLength": 4096,
    "Status": 0
  },
  "message": ""
}

Event ID 1013 — sendmsg: EnterExit: Process Process, Endpoint Endpoint, Buffer Count BufferCount, Buffer Buffer, Length BufferLength, Addr Address, Seq Location, Status Status.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational
Level: Informational
Task: AfdSendMessageWithAddress
Opcode: Connected

Description

sendmsg: EnterExit: Process Process, Endpoint Endpoint, Buffer Count BufferCount, Buffer Buffer, Length BufferLength, Addr Address, Seq Location, Status Status.

Message #

sendmsg: %1: Process %3, Endpoint %4, Buffer Count %5, Buffer %6, Length %7, Addr %10, Seq %2, Status %8

Fields #

Name	Description
`EnterExit` UInt32	—
`Location` UInt32	—
`Process` Pointer	—
`Endpoint` Pointer	—
`BufferCount` UInt32	—
`Buffer` Pointer	—
`BufferLength` UInt32	—
`Status` UInt32	— NTSTATUS reference
`AddressLen` UInt32	—
`Address` Binary	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Winsock-AFD",
    "guid": "E53C6823-7BB8-44BB-90DC-3F86090D48A6",
    "event_source_name": "",
    "event_id": 1013,
    "version": 0,
    "level": 4,
    "task": 1013,
    "opcode": 12,
    "keywords": 9223372036854775829,
    "time_created": "2026-03-13T19:59:57.037177+00:00",
    "event_record_id": 4360,
    "correlation": {
      "ActivityID": "DC276560-D189-FFFF-0000-000000000000"
    },
    "execution": {
      "process_id": 1732,
      "thread_id": 8072
    },
    "channel": "Microsoft-Windows-Winsock-AFD/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-20"
    }
  },
  "event_data": {
    "EnterExit": 0,
    "Location": 3100,
    "Process": "0xffffd189dac41080",
    "Endpoint": "0xffffd189da6fe240",
    "BufferCount": 1,
    "Buffer": "0xffffd189dc2767e8",
    "BufferLength": 63,
    "Status": 0,
    "AddressLen": 28,
    "Address": "170000350A020A0B00000000000000000000FFFF0A020A0B00000000"
  },
  "message": ""
}

Event ID 1015 — recvmsg: EnterExit: Process Process, Endpoint Endpoint, Buffer Count BufferCount, Buffer Buffer, Length BufferLength, Addr Address, Seq Location, Status Status.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational
Level: Informational
Task: AfdReceiveMessageWithAddress
Opcode: Connected

Description

recvmsg: EnterExit: Process Process, Endpoint Endpoint, Buffer Count BufferCount, Buffer Buffer, Length BufferLength, Addr Address, Seq Location, Status Status.

Message #

recvmsg: %1: Process %3, Endpoint %4, Buffer Count %5, Buffer %6, Length %7, Addr %10, Seq %2, Status %8

Fields #

Name	Description
`EnterExit` UInt32	—
`Location` UInt32	—
`Process` Pointer	—
`Endpoint` Pointer	—
`BufferCount` UInt32	—
`Buffer` Pointer	—
`BufferLength` UInt32	—
`Status` UInt32	— NTSTATUS reference
`AddressLen` UInt32	—
`Address` Binary	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Winsock-AFD",
    "guid": "E53C6823-7BB8-44BB-90DC-3F86090D48A6",
    "event_source_name": "",
    "event_id": 1015,
    "version": 0,
    "level": 4,
    "task": 1015,
    "opcode": 12,
    "keywords": 9223372036854775813,
    "time_created": "2026-03-13T19:59:57.072482+00:00",
    "event_record_id": 4366,
    "correlation": {
      "ActivityID": "D7C4C410-D189-FFFF-0000-000000000000"
    },
    "execution": {
      "process_id": 3464,
      "thread_id": 5140
    },
    "channel": "Microsoft-Windows-Winsock-AFD/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "EnterExit": 1,
    "Location": 4052,
    "Process": "0xffffd189dac41080",
    "Endpoint": "0xffffd189da6fe240",
    "BufferCount": 1,
    "Buffer": "0xffffd189e2457150",
    "BufferLength": 183,
    "Status": 0,
    "AddressLen": 28,
    "Address": "170000350000000000000000000000000000FFFF0A020A0B00000000"
  },
  "message": ""
}

Event ID 1017 — connect: EnterExit: Process Process, Endpoint Endpoint, Seq Location, Status Status.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational
Level: Informational
Task: AfdConnect
Opcode: Connected

Description

connect: EnterExit: Process Process, Endpoint Endpoint, Seq Location, Status Status.

Message #

connect: %1: Process %3, Endpoint %4, Seq %2, Status %5

Fields #

Name	Description
`EnterExit` UInt32	—
`Location` UInt32	—
`Process` Pointer	—
`Endpoint` Pointer	—
`Status` UInt32	— NTSTATUS reference

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Winsock-AFD",
    "guid": "E53C6823-7BB8-44BB-90DC-3F86090D48A6",
    "event_source_name": "",
    "event_id": 1017,
    "version": 0,
    "level": 4,
    "task": 1017,
    "opcode": 12,
    "keywords": 9223372036854775814,
    "time_created": "2026-03-13T21:07:29.053448+00:00",
    "event_record_id": 1134177,
    "correlation": {
      "ActivityID": "A3A895B0-800F-FFFF-0000-000000000000"
    },
    "execution": {
      "process_id": 3852,
      "thread_id": 2396
    },
    "channel": "Microsoft-Windows-Winsock-AFD/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "EnterExit": 1,
    "Location": 5024,
    "Process": "0xffff800f9f29a080",
    "Endpoint": "0xffff800fa3a895b0",
    "Status": 0
  },
  "message": ""
}

Event ID 1018 — connect: EnterExit: Process Process, Endpoint Endpoint, Address Address, Seq Location, Status Status.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational
Level: Informational
Task: AfdConnectWithAddress
Opcode: Connected

Description

connect: EnterExit: Process Process, Endpoint Endpoint, Address Address, Seq Location, Status Status.

Message #

connect: %1: Process %3, Endpoint %4, Address %9, Seq %2, Status %7

Fields #

Name	Description
`EnterExit` UInt32	—
`Location` UInt32	—
`Process` Pointer	—
`Endpoint` Pointer	—
`Buffer` Pointer	—
`BufferLength` UInt32	—
`Status` UInt32	— NTSTATUS reference
`AddressLen` UInt32	—
`Address` Binary	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Winsock-AFD",
    "guid": "E53C6823-7BB8-44BB-90DC-3F86090D48A6",
    "event_source_name": "",
    "event_id": 1018,
    "version": 0,
    "level": 4,
    "task": 1018,
    "opcode": 11,
    "keywords": 9223372036854775814,
    "time_created": "2026-03-13T21:07:28.945199+00:00",
    "event_record_id": 1134164,
    "correlation": {
      "ActivityID": "A3A8C0D0-800F-FFFF-0000-000000000000"
    },
    "execution": {
      "process_id": 3852,
      "thread_id": 2396
    },
    "channel": "Microsoft-Windows-Winsock-AFD/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "EnterExit": 0,
    "Location": 5023,
    "Process": "0xffff800f9f29a080",
    "Endpoint": "0xffff800fa3a8c0d0",
    "Buffer": "0x0",
    "BufferLength": 0,
    "Status": 0,
    "AddressLen": 28,
    "Address": "17000185000000000000000000000000000000000000000100000000"
  },
  "message": ""
}

Event ID 1020 — ConnectEx: EnterExit: Process Process, Endpoint Endpoint, Seq Location, Status Status.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational
Level: Informational
Task: AfdConnectEx
Opcode: Connected

Description

ConnectEx: EnterExit: Process Process, Endpoint Endpoint, Seq Location, Status Status.

Message #

ConnectEx: %1: Process %3, Endpoint %4, Seq %2, Status %5

Fields #

Name	Description
`EnterExit` UInt32	—
`Location` UInt32	—
`Process` Pointer	—
`Endpoint` Pointer	—
`Status` UInt32	— NTSTATUS reference

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Winsock-AFD",
    "guid": "E53C6823-7BB8-44BB-90DC-3F86090D48A6",
    "event_source_name": "",
    "event_id": 1020,
    "version": 0,
    "level": 4,
    "task": 1020,
    "opcode": 12,
    "keywords": 9223372036854775814,
    "time_created": "2026-03-13T19:59:51.691774+00:00",
    "event_record_id": 3160,
    "correlation": {
      "ActivityID": "D9AB9B70-D189-FFFF-0000-000000000000"
    },
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Microsoft-Windows-Winsock-AFD/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "EnterExit": 1,
    "Location": 5032,
    "Process": "0xffffd189daf16080",
    "Endpoint": "0xffffd189d9ab9b70",
    "Status": 0
  },
  "message": ""
}

Event ID 1021 — ConnectEx: EnterExit: Process Process, Endpoint Endpoint, Buffer Buffer, Length BufferLength, Address Address, Seq Location, Status Status.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational
Level: Informational
Task: AfdConnectExWithAddress
Opcode: Connected

Description

ConnectEx: EnterExit: Process Process, Endpoint Endpoint, Buffer Buffer, Length BufferLength, Address Address, Seq Location, Status Status.

Message #

ConnectEx: %1: Process %3, Endpoint %4, Buffer %5, Length %6, Address %9, Seq %2, Status %7

Fields #

Name	Description
`EnterExit` UInt32	—
`Location` UInt32	—
`Process` Pointer	—
`Endpoint` Pointer	—
`Buffer` Pointer	—
`BufferLength` UInt32	—
`Status` UInt32	— NTSTATUS reference
`AddressLen` UInt32	—
`Address` Binary	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Winsock-AFD",
    "guid": "E53C6823-7BB8-44BB-90DC-3F86090D48A6",
    "event_source_name": "",
    "event_id": 1021,
    "version": 0,
    "level": 4,
    "task": 1021,
    "opcode": 11,
    "keywords": 9223372036854775814,
    "time_created": "2026-03-13T19:59:51.602921+00:00",
    "event_record_id": 3157,
    "correlation": {
      "ActivityID": "D9AB9B70-D189-FFFF-0000-000000000000"
    },
    "execution": {
      "process_id": 3464,
      "thread_id": 6604
    },
    "channel": "Microsoft-Windows-Winsock-AFD/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "EnterExit": 0,
    "Location": 5031,
    "Process": "0xffffd189daf16080",
    "Endpoint": "0xffffd189d9ab9b70",
    "Buffer": "0xffffd189de5e8b80",
    "BufferLength": 0,
    "Status": 0,
    "AddressLen": 16,
    "Address": "020001BB14F2B5010000000000000000"
  },
  "message": ""
}

Event ID 1023 — accept: EnterExit: Process Process, Endpoint Endpoint, Seq Location, Status Status.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational
Task: AfdAccept
Opcode: Connected

Description

accept: EnterExit: Process Process, Endpoint Endpoint, Seq Location, Status Status.

Message #

accept: %1: Process %3, Endpoint %4, Seq %2, Status %5

Fields #

Name	Description
`EnterExit` UInt32	—
`Location` UInt32	—
`Process` Pointer	—
`Endpoint` Pointer	—
`Status` UInt32	— NTSTATUS reference

Event ID 1024 — accept: EnterExit: Process Process, Endpoint Endpoint, Address Address, Accept Endpoint AcceptEndpoint, Current Backlog CurrentBacklog, Seq Location, Status Status.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational
Task: AfdAcceptWithAddress
Opcode: Connected

Description

accept: EnterExit: Process Process, Endpoint Endpoint, Address Address, Accept Endpoint AcceptEndpoint, Current Backlog CurrentBacklog, Seq Location, Status Status.

Message #

accept: %1: Process %3, Endpoint %4, Address %9, Accept Endpoint %10, Current Backlog %11, Seq %2, Status %7

Fields #

Name	Description
`EnterExit` UInt32	—
`Location` UInt32	—
`Process` Pointer	—
`Endpoint` Pointer	—
`Buffer` Pointer	—
`BufferLength` UInt32	—
`Status` UInt32	— NTSTATUS reference
`AddressLen` UInt32	—
`Address` Binary	—
`AcceptEndpoint` Pointer	—
`CurrentBacklog` UInt32	—

Event ID 1026 — AcceptEx: EnterExit: Process Process, Endpoint Endpoint, Seq Location, Status Status.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational
Level: Informational
Task: AfdAcceptEx
Opcode: Connected

Description

AcceptEx: EnterExit: Process Process, Endpoint Endpoint, Seq Location, Status Status.

Message #

AcceptEx: %1: Process %3, Endpoint %4, Seq %2, Status %5

Fields #

Name	Description
`EnterExit` UInt32	—
`Location` UInt32	—
`Process` Pointer	—
`Endpoint` Pointer	—
`Status` UInt32	— NTSTATUS reference

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Winsock-AFD",
    "guid": "E53C6823-7BB8-44BB-90DC-3F86090D48A6",
    "event_source_name": "",
    "event_id": 1026,
    "version": 0,
    "level": 4,
    "task": 1026,
    "opcode": 11,
    "keywords": 9223372036854775814,
    "time_created": "2026-03-13T21:07:29.060306+00:00",
    "event_record_id": 1134266,
    "correlation": {
      "ActivityID": "A58F82D0-800F-FFFF-0000-000000000000"
    },
    "execution": {
      "process_id": 968,
      "thread_id": 1756
    },
    "channel": "Microsoft-Windows-Winsock-AFD/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "EnterExit": 0,
    "Location": 6024,
    "Process": "0xffff800fa40450c0",
    "Endpoint": "0xffff800fa58f82d0",
    "Status": 0
  },
  "message": ""
}

Event ID 1027 — AcceptEx: EnterExit: Process Process, Endpoint Endpoint, Buffer Buffer, Length BufferLength, Address Address, Accept Endpoint AcceptEndpoint, Current Backlog CurrentBacklog, Seq Location, Status St...

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational
Level: Informational
Task: AfdAcceptExWithAddress
Opcode: Connected

Description

AcceptEx: EnterExit: Process Process, Endpoint Endpoint, Buffer Buffer, Length BufferLength, Address Address, Accept Endpoint AcceptEndpoint, Current Backlog CurrentBacklog, Seq Location, Status Status.

Message #

AcceptEx: %1: Process %3, Endpoint %4, Buffer %5, Length %6, Address %9, Accept Endpoint %10, Current Backlog %11, Seq %2, Status %7

Fields #

Name	Description
`EnterExit` UInt32	—
`Location` UInt32	—
`Process` Pointer	—
`Endpoint` Pointer	—
`Buffer` Pointer	—
`BufferLength` UInt32	—
`Status` UInt32	— NTSTATUS reference
`AddressLen` UInt32	—
`Address` Binary	—
`AcceptEndpoint` Pointer	—
`CurrentBacklog` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Winsock-AFD",
    "guid": "E53C6823-7BB8-44BB-90DC-3F86090D48A6",
    "event_source_name": "",
    "event_id": 1027,
    "version": 0,
    "level": 4,
    "task": 1027,
    "opcode": 12,
    "keywords": 9223372036854775814,
    "time_created": "2026-03-13T21:07:29.053439+00:00",
    "event_record_id": 1134176,
    "correlation": {
      "ActivityID": "A58F82D0-800F-FFFF-0000-000000000000"
    },
    "execution": {
      "process_id": 3852,
      "thread_id": 2396
    },
    "channel": "Microsoft-Windows-Winsock-AFD/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "EnterExit": 1,
    "Location": 6101,
    "Process": "0xffff800fa40450c0",
    "Endpoint": "0xffff800fa58f82d0",
    "Buffer": "0xffff800fad6a0660",
    "BufferLength": 0,
    "Status": 0,
    "AddressLen": 16,
    "Address": "0200F1857F0000010000000000000000",
    "AcceptEndpoint": "0xffff800fa3a89010",
    "CurrentBacklog": 0
  },
  "message": ""
}

Event ID 1029 — bind: EnterExit: Process Process, Endpoint Endpoint, Seq Location, Status Status.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational
Task: AfdBind
Opcode: Connected

Description

bind: EnterExit: Process Process, Endpoint Endpoint, Seq Location, Status Status.

Message #

bind: %1: Process %3, Endpoint %4, Seq %2, Status %5

Fields #

Name	Description
`EnterExit` UInt32	—
`Location` UInt32	—
`Process` Pointer	—
`Endpoint` Pointer	—
`Status` UInt32	— NTSTATUS reference

Event ID 1030 — bind: EnterExit: Process Process, Endpoint Endpoint, Address Address, Seq Location, Status Status.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational
Level: Informational
Task: AfdBindWithAddress
Opcode: Connected

Description

bind: EnterExit: Process Process, Endpoint Endpoint, Address Address, Seq Location, Status Status.

Message #

bind: %1: Process %3, Endpoint %4, Address %7, Seq %2, Status %5

Fields #

Name	Description
`EnterExit` UInt32	—
`Location` UInt32	—
`Process` Pointer	—
`Endpoint` Pointer	—
`Status` UInt32	— NTSTATUS reference
`AddressLen` UInt32	—
`Address` Binary	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Winsock-AFD",
    "guid": "E53C6823-7BB8-44BB-90DC-3F86090D48A6",
    "event_source_name": "",
    "event_id": 1030,
    "version": 0,
    "level": 4,
    "task": 1030,
    "opcode": 10,
    "keywords": 9223372036854775814,
    "time_created": "2026-03-13T19:59:51.602810+00:00",
    "event_record_id": 3155,
    "correlation": {
      "ActivityID": "D9AB9B70-D189-FFFF-0000-000000000000"
    },
    "execution": {
      "process_id": 3464,
      "thread_id": 6604
    },
    "channel": "Microsoft-Windows-Winsock-AFD/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "EnterExit": 0,
    "Location": 7010,
    "Process": "0xffffd189daf16080",
    "Endpoint": "0xffffd189d9ab9b70",
    "Status": 0,
    "AddressLen": 16,
    "Address": "02000000000000000000000000000000"
  },
  "message": ""
}

Event ID 1032 — connection aborted: EnterExit: Process Process, Endpoint Endpoint, Seq Location, Reason Reason.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational
Level: Error
Task: AfdAbort
Opcode: Aborted

Description

connection aborted: EnterExit: Process Process, Endpoint Endpoint, Seq Location, Reason Reason.

Message #

connection aborted: %1: Process %3, Endpoint %4, Seq %2, Reason %5

Fields #

Name	Description
`EnterExit` UInt32	—
`Location` UInt32	—
`Process` Pointer	—
`Endpoint` Pointer	—
`Reason` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Winsock-AFD",
    "guid": "E53C6823-7BB8-44BB-90DC-3F86090D48A6",
    "event_source_name": "",
    "event_id": 1032,
    "version": 0,
    "level": 2,
    "task": 1032,
    "opcode": 14,
    "keywords": 9223372036854775814,
    "time_created": "2026-03-13T19:59:59.025920+00:00",
    "event_record_id": 4800,
    "correlation": {
      "ActivityID": "DA6FFB70-D189-FFFF-0000-000000000000"
    },
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Microsoft-Windows-Winsock-AFD/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "EnterExit": 2,
    "Location": 8016,
    "Process": "0xffffd189daf44080",
    "Endpoint": "0xffffd189da6ffb70",
    "Reason": 13
  },
  "message": ""
}

Event ID 1033 — datagram dropped: EnterExit: Process Process, Endpoint Endpoint, Buffer Buffer, Length BufferLength, Address Address, Seq Location, Reason Reason.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational
Task: AfdDatagramDropWithAddress
Opcode: Connected

Description

datagram dropped: EnterExit: Process Process, Endpoint Endpoint, Buffer Buffer, Length BufferLength, Address Address, Seq Location, Reason Reason.

Message #

datagram dropped: %1: Process %3, Endpoint %4, Buffer %5, Length %6, Address %8, Seq %2, Reason %9

Fields #

Name	Description
`EnterExit` UInt32	—
`Location` UInt32	—
`Process` Pointer	—
`Endpoint` Pointer	—
`Buffer` Pointer	—
`BufferLength` UInt32	—
`AddressLen` UInt32	—
`Address` Binary	—
`Reason` UInt32	—

Event ID 1035 — Socket option: EnterExit: Process Process, Endpoint Endpoint, Option Option, Value Value, Seq Location, Status Status.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational
Level: Informational
Task: AfdOption

Description

Socket option: EnterExit: Process Process, Endpoint Endpoint, Option Option, Value Value, Seq Location, Status Status.

Message #

Socket option: %1: Process %3, Endpoint %4, Option %5, Value %6, Seq %2, Status %7

Fields #

Name	Description
`EnterExit` UInt32	—
`Location` UInt32	—
`Process` Pointer	—
`Endpoint` Pointer	—
`Option` UInt32	—
`Value` UInt32	—
`Status` UInt32	— NTSTATUS reference

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Winsock-AFD",
    "guid": "E53C6823-7BB8-44BB-90DC-3F86090D48A6",
    "event_source_name": "",
    "event_id": 1035,
    "version": 0,
    "level": 4,
    "task": 1035,
    "opcode": 0,
    "keywords": 9223372036854775814,
    "time_created": "2026-03-13T20:32:26.825957+00:00",
    "event_record_id": 394421,
    "correlation": {
      "ActivityID": "97549A70-920B-FFFF-0000-000000000000"
    },
    "execution": {
      "process_id": 984,
      "thread_id": 10204
    },
    "channel": "Microsoft-Windows-Winsock-AFD/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "EnterExit": 4,
    "Location": 11015,
    "Process": "0xffff920b97fd1100",
    "Endpoint": "0xffff920b97549a70",
    "Option": 7,
    "Value": 65536,
    "Status": 0
  },
  "message": ""
}

Event ID 1036 — Wait for listen: EnterExit: Process Process, Endpoint Endpoint, Seq Location, Status Status.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational
Task: AfdWaitForListen

Description

Wait for listen: EnterExit: Process Process, Endpoint Endpoint, Seq Location, Status Status.

Message #

Wait for listen: %1: Process %3, Endpoint %4, Seq %2, Status %5

Fields #

Name	Description
`EnterExit` UInt32	—
`Location` UInt32	—
`Process` Pointer	—
`Endpoint` Pointer	—
`Status` UInt32	— NTSTATUS reference

Event ID 1037 — Listen: EnterExit: Process Process, Endpoint Endpoint, Backlog Backlog, Seq Location, Status Status.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational
Task: AfdListen

Description

Listen: EnterExit: Process Process, Endpoint Endpoint, Backlog Backlog, Seq Location, Status Status.

Message #

Listen: %1: Process %3, Endpoint %4, Backlog %5, Seq %2, Status %6

Fields #

Name	Description
`EnterExit` UInt32	—
`Location` UInt32	—
`Process` Pointer	—
`Endpoint` Pointer	—
`Backlog` UInt32	—
`Status` UInt32	— NTSTATUS reference

Event ID 3000 — Connect indication: EnterExit: Process Process, Endpoint Endpoint, Seq Location, Status Status.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational
Task: AfdConnectIndication

Description

Connect indication: EnterExit: Process Process, Endpoint Endpoint, Seq Location, Status Status.

Message #

Connect indication: %1: Process %3, Endpoint %4, Seq %2, Status %5

Fields #

Name	Description
`EnterExit` UInt32	—
`Location` UInt32	—
`Process` Pointer	—
`Endpoint` Pointer	—
`Status` UInt32	— NTSTATUS reference

Event ID 3001 — Connect indication: EnterExit: Process Process, Endpoint Endpoint, Address Address, Backlog Count CurrentBacklog, Seq Location, Status Status.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational
Level: Informational
Task: AfdConnectIndicationWithAddress

Description

Connect indication: EnterExit: Process Process, Endpoint Endpoint, Address Address, Backlog Count CurrentBacklog, Seq Location, Status Status.

Message #

Connect indication: %1: Process %3, Endpoint %4, Address %7, Backlog Count %8, Seq %2, Status %5

Fields #

Name	Description
`EnterExit` UInt32	—
`Location` UInt32	—
`Process` Pointer	—
`Endpoint` Pointer	—
`Status` UInt32	— NTSTATUS reference
`AddressLen` UInt32	—
`Address` Binary	—
`CurrentBacklog` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Winsock-AFD",
    "guid": "E53C6823-7BB8-44BB-90DC-3F86090D48A6",
    "event_source_name": "",
    "event_id": 3001,
    "version": 0,
    "level": 4,
    "task": 3001,
    "opcode": 0,
    "keywords": 9223372036854775818,
    "time_created": "2026-03-13T21:07:29.053422+00:00",
    "event_record_id": 1134175,
    "correlation": {
      "ActivityID": "A58F82D0-800F-FFFF-0000-000000000000"
    },
    "execution": {
      "process_id": 3852,
      "thread_id": 2396
    },
    "channel": "Microsoft-Windows-Winsock-AFD/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "EnterExit": 3,
    "Location": 6501,
    "Process": "0xffff800fa40450c0",
    "Endpoint": "0xffff800fa58f82d0",
    "Status": 0,
    "AddressLen": 16,
    "Address": "0200F1857F0000010000000000000000",
    "CurrentBacklog": 0
  },
  "message": ""
}

Event ID 3003 — Data indication: EnterExit: Process Process, Endpoint Endpoint, Buffer Buffer, Length BufferLength, Seq Location.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational
Level: Informational
Task: AfdDataIndication

Description

Data indication: EnterExit: Process Process, Endpoint Endpoint, Buffer Buffer, Length BufferLength, Seq Location.

Message #

Data indication: %1: Process %3, Endpoint %4, Buffer %5, Length %6, Seq %2

Fields #

Name	Description
`EnterExit` UInt32	—
`Location` UInt32	—
`Process` Pointer	—
`Endpoint` Pointer	—
`Buffer` Pointer	—
`BufferLength` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Winsock-AFD",
    "guid": "E53C6823-7BB8-44BB-90DC-3F86090D48A6",
    "event_source_name": "",
    "event_id": 3003,
    "version": 0,
    "level": 4,
    "task": 3003,
    "opcode": 0,
    "keywords": 9223372036854775818,
    "time_created": "2026-03-13T19:59:49.505141+00:00",
    "event_record_id": 2654,
    "correlation": {
      "ActivityID": "DA6FEDE0-D189-FFFF-0000-000000000000"
    },
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Microsoft-Windows-Winsock-AFD/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "EnterExit": 3,
    "Location": 9000,
    "Process": "0xffffd189dc00f080",
    "Endpoint": "0xffffd189da6fede0",
    "Buffer": "0xffffd189dcf85eb0",
    "BufferLength": 6
  },
  "message": ""
}

Event ID 3004 — Data indication: EnterExit: Process Process, Endpoint Endpoint, Buffer Buffer, Length BufferLength, Address Address, Seq Location.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational
Level: Informational
Task: AfdDataIndicationWithAddress

Description

Data indication: EnterExit: Process Process, Endpoint Endpoint, Buffer Buffer, Length BufferLength, Address Address, Seq Location.

Message #

Data indication: %1: Process %3, Endpoint %4, Buffer %5, Length %6, Address %8, Seq %2

Fields #

Name	Description
`EnterExit` UInt32	—
`Location` UInt32	—
`Process` Pointer	—
`Endpoint` Pointer	—
`Buffer` Pointer	—
`BufferLength` UInt32	—
`AddressLen` UInt32	—
`Address` Binary	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Winsock-AFD",
    "guid": "E53C6823-7BB8-44BB-90DC-3F86090D48A6",
    "event_source_name": "",
    "event_id": 3004,
    "version": 0,
    "level": 4,
    "task": 3004,
    "opcode": 0,
    "keywords": 9223372036854775817,
    "time_created": "2026-03-13T19:59:57.072475+00:00",
    "event_record_id": 4365,
    "correlation": {
      "ActivityID": "DA6FE240-D189-FFFF-0000-000000000000"
    },
    "execution": {
      "process_id": 3464,
      "thread_id": 5140
    },
    "channel": "Microsoft-Windows-Winsock-AFD/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "EnterExit": 3,
    "Location": 9001,
    "Process": "0xffffd189dac41080",
    "Endpoint": "0xffffd189da6fe240",
    "Buffer": "0xffffd189d87d16d0",
    "BufferLength": 183,
    "AddressLen": 28,
    "Address": "170000350000000000000000000000000000FFFF0A020A0B00000000"
  },
  "message": ""
}

Event ID 3006 — disconnect indicated: EnterExit: Process Process, Endpoint Endpoint, Seq Location.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational
Level: Informational
Task: AfdDisconnect
Opcode: Disconnected

Description

disconnect indicated: EnterExit: Process Process, Endpoint Endpoint, Seq Location.

Message #

disconnect indicated: %1: Process %3, Endpoint %4, Seq %2

Fields #

Name	Description
`EnterExit` UInt32	—
`Location` UInt32	—
`Process` Pointer	—
`Endpoint` Pointer	—
`Status` UInt32	— NTSTATUS reference

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Winsock-AFD",
    "guid": "E53C6823-7BB8-44BB-90DC-3F86090D48A6",
    "event_source_name": "",
    "event_id": 3006,
    "version": 0,
    "level": 4,
    "task": 3006,
    "opcode": 13,
    "keywords": 9223372036854775818,
    "time_created": "2026-03-13T19:59:59.438556+00:00",
    "event_record_id": 4914,
    "correlation": {
      "ActivityID": "D9AB9790-D189-FFFF-0000-000000000000"
    },
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Microsoft-Windows-Winsock-AFD/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "EnterExit": 3,
    "Location": 12001,
    "Process": "0xffffd189da51f140",
    "Endpoint": "0xffffd189d9ab9790",
    "Status": 0
  },
  "message": ""
}

Event ID 3007 — Transport send backlog: Process EnterExit, Endpoint Location, Send Backlog SendBacklog.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational
Task: AfdSendBackLog

Description

Transport send backlog: Process EnterExit, Endpoint Location, Send Backlog SendBacklog.

Message #

Transport send backlog: Process %1, Endpoint %2, Send Backlog %5

Fields #

Name	Description
`EnterExit` UInt32	—
`Location` UInt32	—
`Process` Pointer	—
`Endpoint` Pointer	—
`SendBacklog` UInt32	—

Event ID 4000 — Registration domain RegistrationDomain create status Status.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational
Task: AfdRioCreateRegistrationDomain
Opcode: Open

Description

Registration domain RegistrationDomain create status Status.

Message #

Registration domain %1 create status %2

Fields #

Name	Description
`RegistrationDomain` Pointer	—
`Status` UInt32	— NTSTATUS reference

Event ID 4001 — Registration domain RegistrationDomain closed.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational
Task: AfdRioCleanupRegistrationDomain
Opcode: Closed

Description

Registration domain RegistrationDomain closed.

Message #

Registration domain %1 closed

Fields #

Name	Description
`RegistrationDomain` Pointer	—

Event ID 4002 — CQ Cq created with EntryCount entries, index CqIndex and notification type NotificationType, status Status.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational
Task: AfdRioCreateCq
Opcode: Open

Description

CQ Cq created with EntryCount entries, index CqIndex and notification type NotificationType, status Status.

Message #

CQ %1 created with %3 entries, index %7 and notification type %8, status %13

Fields #

Name	Description
`Cq` Pointer	—
`RegistrationDomain` Pointer	—
`EntryCount` UInt32	—
`UserAddress` Pointer	—
`SystemAddress` Pointer	—
`BufferSize` UInt32	—
`CqIndex` UInt32	—
`NotificationType` UInt32	—
`NotificationHandle` Pointer	—
`NotificationObject` Pointer	—
`NotificationContext1` Pointer	—
`NotificationContext2` Pointer	—
`Status` UInt32	— NTSTATUS reference

Event ID 4003 — CQ Cq closed with Commit commit.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational
Task: AfdRioDestroyCq
Opcode: Closed

Description

CQ Cq closed with Commit commit.

Message #

CQ %1 closed with %2 commit

Fields #

Name	Description
`Cq` Pointer	—
`Commit` UInt32	—

Event ID 4004 — CQ Cq cleaned up.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational
Task: AfdRioCleanupCq
Opcode: Freed

Description

CQ Cq cleaned up.

Message #

CQ %1 cleaned up

Fields #

Name	Description
`Cq` Pointer	—

Event ID 4005 — CQ Cq with Commit commit resized from OriginalEntryCount to RequestedEntryCount, status Status.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational
Task: AfdRioResizeCq
Opcode: Modified

Description

CQ Cq with Commit commit resized from OriginalEntryCount to RequestedEntryCount, status Status.

Message #

CQ %1 with %5 commit resized from %2 to %6, status %10

Fields #

Name	Description
`Cq` Pointer	—
`OriginalEntryCount` UInt32	—
`OriginalStart` UInt32	—
`OriginalEnd` UInt32	—
`Commit` UInt32	—
`RequestedEntryCount` UInt32	—
`UserAddress` Pointer	—
`SystemAddress` Pointer	—
`BufferSize` UInt32	—
`Status` UInt32	— NTSTATUS reference

Event ID 4006 — RQ RioState created on endpoint Endpoint with ReceiveEntryCount receive and SendEntryCount send entries, using receive CQ ReceiveCqIndex and send CQ SendCqIndex, status Status.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational
Task: AfdRioCreateRqPair
Opcode: Open

Description

RQ RioState created on endpoint Endpoint with ReceiveEntryCount receive and SendEntryCount send entries, using receive CQ ReceiveCqIndex and send CQ SendCqIndex, status Status.

Message #

RQ %2 created on endpoint %1 with %8 receive and %4 send entries, using receive CQ %13 and send CQ %12, status %14

Fields #

Name	Description
`Endpoint` Pointer	—
`RioState` Pointer	—
`RegistrationDomain` Pointer	—
`SendEntryCount` UInt32	—
`SendUserAddress` Pointer	—
`SendSystemAddress` Pointer	—
`SendBufferSize` UInt32	—
`ReceiveEntryCount` UInt32	—
`ReceiveUserAddress` Pointer	—
`ReceiveSystemAddress` Pointer	—
`ReceiveBufferSize` UInt32	—
`SendCqIndex` UInt32	—
`ReceiveCqIndex` UInt32	—
`Status` UInt32	— NTSTATUS reference

Event ID 4007 — RQ RioState closed, receive = (ReceiveQueueStart,ReceiveQueueEnd) send = (SendQueueStart,SendQueueEnd).

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational
Task: AfdRioCloseRioState
Opcode: Closed

Description

RQ RioState closed, receive = (ReceiveQueueStart,ReceiveQueueEnd) send = (SendQueueStart,SendQueueEnd).

Message #

RQ %1 closed, receive = (%2,%3) send = (%4,%5)

Fields #

Name	Description
`RioState` Pointer	—
`ReceiveQueueStart` UInt32	—
`ReceiveQueueEnd` UInt32	—
`SendQueueStart` UInt32	—
`SendQueueEnd` UInt32	—

Event ID 4008 — RQ RioState cleaned up.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational
Task: AfdRioCleanupRioState
Opcode: Freed

Description

RQ RioState cleaned up.

Message #

RQ %1 cleaned up

Fields #

Name	Description
`RioState` Pointer	—

Event ID 4009 — RQ RioState resized from (OriginalReceiveEntryCount,OriginalSendEntryCount) to (RequestedReceiveEntryCount,RequestedSendEntryCount), status = Status.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational
Task: AfdRioResizeRqPair
Opcode: Modified

Description

RQ RioState resized from (OriginalReceiveEntryCount,OriginalSendEntryCount) to (RequestedReceiveEntryCount,RequestedSendEntryCount), status = Status.

Message #

RQ %1 resized from (%9,%2) to (%12,%5), status = %16

Fields #

Name	Description
`RioState` Pointer	—
`OriginalSendEntryCount` UInt32	—
`OriginalSendQueueStart` UInt32	—
`OriginalSendQueueEnd` UInt32	—
`RequestedSendEntryCount` UInt32	—
`SendUserAddress` Pointer	—
`SendSystemAddress` Pointer	—
`SendBufferSize` UInt32	—
`OriginalReceiveEntryCount` UInt32	—
`OriginalReceiveQueueStart` UInt32	—
`OriginalReceiveQueueEnd` UInt32	—
`RequestedReceiveEntryCount` UInt32	—
`ReceiveUserAddress` Pointer	—
`ReceiveSystemAddress` Pointer	—
`ReceiveBufferSize` UInt32	—
`Status` UInt32	— NTSTATUS reference

Event ID 4010 — Buffer Buffer registered with address UserAddress and length BufferSize, system address = SystemAddress, ID = BufferId, status = Status.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational
Task: AfdRioRegisterBuffer
Opcode: Open

Description

Buffer Buffer registered with address UserAddress and length BufferSize, system address = SystemAddress, ID = BufferId, status = Status.

Message #

Buffer %1 registered with address %3 and length %5, system address = %4, ID = %6, status = %7

Fields #

Name	Description
`Buffer` Pointer	—
`RegistrationDomain` Pointer	—
`UserAddress` Pointer	—
`SystemAddress` Pointer	—
`BufferSize` UInt32	—
`BufferId` UInt32	—
`Status` UInt32	— NTSTATUS reference

Event ID 4011 — Buffer Buffer deregistered with References references.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational
Task: AfdRioDeregisterBuffer
Opcode: Closed

Description

Buffer Buffer deregistered with References references.

Message #

Buffer %1 deregistered with %2 references

Fields #

Name	Description
`Buffer` Pointer	—
`References` UInt32	—

Event ID 4012 — Buffer Buffer cleaned up.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational
Task: AfdRioCleanupBuffer
Opcode: Freed

Description

Buffer Buffer cleaned up.

Message #

Buffer %1 cleaned up

Fields #

Name	Description
`Buffer` Pointer	—

Event ID 4013 — RQ RioState using invalid buffer ID BufferId.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational
Task: AfdRioValidateBufferId

Description

RQ RioState using invalid buffer ID BufferId.

Message #

RQ %2 using invalid buffer ID %3

Fields #

Name	Description
`RegistrationDomain` Pointer	—
`RioState` Pointer	—
`BufferId` UInt32	—

Event ID 4014 — RQ RioState invalid use of buffer Buffer, offset = BufferOffset, length = BufferLength.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational
Task: AfdRioRangeCheck

Description

RQ RioState invalid use of buffer Buffer, offset = BufferOffset, length = BufferLength.

Message #

RQ %2 invalid use of buffer %3, offset = %4, length = %5

Fields #

Name	Description
`RegistrationDomain` Pointer	—
`RioState` Pointer	—
`Buffer` Pointer	—
`BufferOffset` UInt32	—
`BufferLength` UInt32	—

Event ID 4015 — RQ RioState using invalid buffer size for BufferType, specified = SpecifiedLength, required = RequiredLength.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational
Task: AfdRioSendReceive

Description

RQ RioState using invalid buffer size for BufferType, specified = SpecifiedLength, required = RequiredLength.

Message #

RQ %1 using invalid buffer size for %2, specified = %3, required = %4

Fields #

Name	Description
`RioState` Pointer	—
`BufferType` UInt32	—
`SpecifiedLength` UInt32	—
`RequiredLength` UInt32	—

Event ID 4016 — NRT Create: Handle = NameResolutionHandle Process = Process Status = Status.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational
Task: AfdNrtCreate
Opcode: Open

Description

NRT Create: Handle = NameResolutionHandle Process = Process Status = Status.

Message #

NRT Create: Handle = %1 Process = %2 Status = %3

Fields #

Name	Description
`NameResolutionHandle` Pointer	—
`Process` Pointer	—
`Status` UInt32	— NTSTATUS reference

Event ID 4017 — NRT Close: Handle = NameResolutionHandle Process = Process.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational
Task: AfdNrtClose
Opcode: Closed

Description

NRT Close: Handle = NameResolutionHandle Process = Process.

Message #

NRT Close: Handle = %1 Process = %2

Fields #

Name	Description
`NameResolutionHandle` Pointer	—
`Process` Pointer	—

Event ID 4018 — CQ Cq notify EnterExit Seq Location Status Status.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational
Task: AfdRioNotifyCq

Description

CQ Cq notify EnterExit Seq Location Status Status.

Message #

CQ %5 notify %1 Seq %2 Status %6

Fields #

Name	Description
`EnterExit` UInt32	—
`Location` UInt32	—
`Process` Pointer	—
`RegDomain` Pointer	—
`Cq` Pointer	—
`Status` UInt32	— NTSTATUS reference

Event ID 4019 — accept EnterExit [1 = Pause, 0 = Unpause] PauseUnPause Seq Location Endpoint Process Process Endpoint TlBacklogCount TLBacklogCount.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational
Task: AfdAcceptPause

Description

accept EnterExit [1 = Pause, 0 = Unpause] PauseUnPause Seq Location Endpoint Process Process Endpoint TlBacklogCount TLBacklogCount.

Message #

accept %1 [1 = Pause, 0 = Unpause] %5 Seq %2 Endpoint %3 Process %4 TlBacklogCount %6.

Fields #

Name	Description
`EnterExit` UInt32	—
`Location` UInt32	—
`Process` Pointer	—
`Endpoint` Pointer	—
`PauseUnPause` UInt8	—
`TLBacklogCount` Int32	—

Event ID 4020 — RQ RioState invalid buffer sharing ID BufferId sharing type BufferSharingType.

Provider: Microsoft-Windows-Winsock-AFD
Channel: Operational
Task: AfdRioValidateBufferSharing

Description

RQ RioState invalid buffer sharing ID BufferId sharing type BufferSharingType.

Message #

RQ %2 invalid buffer sharing ID %3 sharing type %4

Fields #

Name	Description
`RegistrationDomain` Pointer	—
`RioState` Pointer	—
`BufferId` UInt32	—
`BufferSharingType` UInt32	—