Microsoft-Windows-ZTDNS

8 events across 3 channels

Event ID	Title	Channel
1	PERMIT - Connection [LocalAddress]:LocalPort -> [RemoteAddress]:RemotePort by …	PermittedConnections
2	BLOCK - Connection [LocalAddress]:LocalPort -> [RemoteAddress]:RemotePort by …	BlockedConnections
3	UPDATE - Trusted servers by process (ProcessId) ProcessPath.	Operational
4	REMOVE - ExceptionsUpdateTypeExceptionName by process (ProcessId) ProcessPath.	Operational
5	ADD - ExceptionsUpdateTypeExceptionName by process (ProcessId) ProcessPath.	Operational
6	UPDATE - State to ServiceState by process (ProcessId) ProcessPath.	Operational
7	START - ZTDNS service with status Status.	Operational
8	STOP - ZTDNS service with status Status.	Operational

Event ID 1 — PERMIT - Connection [LocalAddress]:LocalPort -> [RemoteAddress]:RemotePort by process (ProcessId) ProcessPath because of PermitType PermitInfo from service ServiceName.

Provider: Microsoft-Windows-ZTDNS
Channel: PermittedConnections
Task: Task_Classify
Opcode: Opcode_Classify

Description

PERMIT - Connection [LocalAddress]:LocalPort -> [RemoteAddress]:RemotePort by process (ProcessId) ProcessPath because of PermitType PermitInfo from service ServiceName.

Message #

PERMIT - Connection [%2]:%3 -> [%5]:%6 by process (%8) %9 because of %10 %11 from service %12

Fields #

Name	Description
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`LocalPort` UInt32	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`RemotePort` UInt32	—
`Protocol` UInt32	— Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`ProcessId` UInt64	—
`ProcessPath` UnicodeString	—
`PermitType` UInt32	—
`PermitInfo` UnicodeString	—
`ServiceName` UnicodeString	—

Event ID 2 — BLOCK - Connection [LocalAddress]:LocalPort -> [RemoteAddress]:RemotePort by process (ProcessId) ProcessPath from service ServiceName.

Provider: Microsoft-Windows-ZTDNS
Channel: BlockedConnections
Task: Task_Classify
Opcode: Opcode_Classify

Description

BLOCK - Connection [LocalAddress]:LocalPort -> [RemoteAddress]:RemotePort by process (ProcessId) ProcessPath from service ServiceName.

Message #

BLOCK - Connection [%2]:%3 -> [%5]:%6 by process (%8) %9 from service %10

Fields #

Name	Description
`LocalAddressLength` UInt32	—
`LocalAddress` Binary	—
`LocalPort` UInt32	—
`RemoteAddressLength` UInt32	—
`RemoteAddress` Binary	—
`RemotePort` UInt32	—
`Protocol` UInt32	— Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`ProcessId` UInt64	—
`ProcessPath` UnicodeString	—
`ServiceName` UnicodeString	—

Event ID 3 — UPDATE - Trusted servers by process (ProcessId) ProcessPath.

Provider: Microsoft-Windows-ZTDNS
Channel: Operational
Task: Task_Notify
Opcode: Opcode_Notify

Description

UPDATE - Trusted servers by process (ProcessId) ProcessPath.

Message #

UPDATE - Trusted servers by process (%1) %2

Fields #

Name	Description
`ProcessId` UInt64	—
`ProcessPath` UnicodeString	—

Event ID 4 — REMOVE - ExceptionsUpdateTypeExceptionName by process (ProcessId) ProcessPath.

Provider: Microsoft-Windows-ZTDNS
Channel: Operational
Task: Task_Notify
Opcode: Opcode_Notify

Description

REMOVE - ExceptionsUpdateTypeExceptionName by process (ProcessId) ProcessPath.

Message #

REMOVE - %1%2 by process (%3) %4

Fields #

Name	Description
`ExceptionsUpdateType` UInt32	—
`ExceptionName` UnicodeString	—
`ProcessId` UInt64	—
`ProcessPath` UnicodeString	—

Event ID 5 — ADD - ExceptionsUpdateTypeExceptionName by process (ProcessId) ProcessPath.

Provider: Microsoft-Windows-ZTDNS
Channel: Operational
Task: Task_Notify
Opcode: Opcode_Notify

Description

ADD - ExceptionsUpdateTypeExceptionName by process (ProcessId) ProcessPath.

Message #

ADD - %1%2 by process (%3) %4

Fields #

Name	Description
`ExceptionsUpdateType` UInt32	—
`ExceptionName` UnicodeString	—
`ProcessId` UInt64	—
`ProcessPath` UnicodeString	—

Event ID 6 — UPDATE - State to ServiceState by process (ProcessId) ProcessPath.

Provider: Microsoft-Windows-ZTDNS
Channel: Operational
Task: Task_Notify
Opcode: Opcode_Notify

Description

UPDATE - State to ServiceState by process (ProcessId) ProcessPath.

Message #

UPDATE - State to %1 by process (%2) %3

Fields #

Name	Description
`ServiceState` UInt32	—
`ProcessId` UInt64	—
`ProcessPath` UnicodeString	—

Event ID 7 — START - ZTDNS service with status Status.

Provider: Microsoft-Windows-ZTDNS
Channel: Operational
Task: Task_Notify
Opcode: Opcode_Notify

Description

START - ZTDNS service with status Status.

Message #

START - ZTDNS service with status %1

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference

Event ID 8 — STOP - ZTDNS service with status Status.

Provider: Microsoft-Windows-ZTDNS
Channel: Operational
Task: Task_Notify
Opcode: Opcode_Notify

Description

STOP - ZTDNS service with status Status.

Message #

STOP - ZTDNS service with status %1

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference