NTLM Security Protocol

3 events across 1 channel

EventTitleChannel
0NTLM Server AcceptETW Trace
1NTLM Client InitializeETW Trace
2NTLM Validate CredentialsETW Trace

Event ID 0: NTLM Server Accept

#
Provider
NTLM Security Protocol
Channel
ETW Trace
Opcode
Info
Source
Trace

Message #

NTLM Server Accept

Fields #

NameDescription
StageHint mof:UInt32
InContext mof:UInt32
OutContext mof:UInt32
Flags mof:UInt32
UserName mof:String
DomainName mof:String
Workstation mof:String

Event ID 1: NTLM Client Initialize

#
Provider
NTLM Security Protocol
Channel
ETW Trace
Opcode
Start
Source
Trace

Message #

NTLM Validate Credentials

Fields #

NameDescription
StageHint mof:UInt32
InContext mof:UInt32

Event ID 2: NTLM Validate Credentials

#
Provider
NTLM Security Protocol
Channel
ETW Trace
Opcode
End
Source
Trace

Message #

NTLM Validate Credentials

Fields #

NameDescription
Success mof:UInt32
LogonServer mof:String
LogonDomain mof:String
UserName mof:String
Workstation mof:String

Provenance

Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.

ETW provider GUID {C92CF544-91B3-4DC0-8E11-C580339A0BF8}

Observed on:

  • WS2025-26100.0 · schema read from the WMI MOF class · captured 2026-02-26

    Taken from Windows installation media (build 26100.1), not a patched system, so the exact update level is unknown.

  • WS2022-20348.4893 · schema read from the WMI MOF class · captured 2026-06-02

    MOF class: MSV1_0Trace

  • Win11-26200.6584 · schema read from the WMI MOF class · captured 2026-06-02

    MOF class: MSV1_0Trace

Credits

  • Microsoft - authored the ETW manifests and PDBs the schema comes from
  • jdu2600 - the event-schema TSV format this catalog adopted
  • nasbench - the tool that dumps registered providers and manifests