EventLog Auditing AD Get User IP - windows

Which auditing settings should be enabled in order to see AD logged in user's ip address?

On any Domain Server, in the event log, you can find the information you ask for.
Here is the extraction of a user login Event "4624" and logout Event "4634"; you can relate the events by the data named TargetLogonId. The IP address is in the data named IpAddress.
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4624</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2011-05-26T11:09:52.930000000Z" />
<EventRecordID>33354</EventRecordID>
<Correlation />
<Execution ProcessID="512" ThreadID="3244" />
<Channel>Security</Channel>
<Computer>WM2008R2ENT.dom.fr</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-0-0</Data>
<Data Name="SubjectUserName">-</Data>
<Data Name="SubjectDomainName">-</Data>
<Data Name="SubjectLogonId">0x0</Data>
<Data Name="TargetUserSid">S-1-5-21-314535540-1235592268-145203568-1000</Data>
<Data Name="TargetUserName">WM2008R2ENT2$</Data>
<Data Name="TargetDomainName">MOD</Data>
<Data Name="TargetLogonId">0x6ded7f</Data>
<Data Name="LogonType">3</Data>
<Data Name="LogonProcessName">Kerberos</Data>
<Data Name="AuthenticationPackageName">Kerberos</Data>
<Data Name="WorkstationName">
</Data>
<Data Name="LogonGuid">{7B3D7A34-80A9-F1B2-CCF1-7F783ED88C28}</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x0</Data>
<Data Name="ProcessName">-</Data>
<Data Name="IpAddress">192.168.183.101</Data>
<Data Name="IpPort">51243</Data>
</EventData>
</Event>
Here is the extraction of a user logout Event "4634"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4634</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12545</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2011-05-26T11:10:03.070625000Z" />
<EventRecordID>33355</EventRecordID>
<Correlation />
<Execution ProcessID="512" ThreadID="3244" />
<Channel>Security</Channel>
<Computer>WM2008R2ENT.dom.fr</Computer>
<Security />
</System>
<EventData>
<Data Name="TargetUserSid">S-1-5-21-314535540-1235592268-145203568-1000</Data>
<Data Name="TargetUserName">WM2008R2ENT2$</Data>
<Data Name="TargetDomainName">MOD</Data>
<Data Name="TargetLogonId">0x6ded7f</Data>
<Data Name="LogonType">3</Data>
</EventData>
</Event>
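As an added example (not part of the original answer), the correlation described above in Python's standard library: parse 4624/4634 events in the schema shown, pair them on TargetLogonId, and report user, source IpAddress, logon type and session duration. The sample events are constructed; the first pair reuses the values from the answer, the other names and logon ids are placeholders.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def _event(event_id, system_time, data):
    """Minimal Security event in the Windows event XML schema (constructed input)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="Microsoft-Windows-Security-Auditing"/>'
            f'<EventID>{event_id}</EventID><TimeCreated SystemTime="{system_time}"/><Channel>Security</Channel>'
            f'</System><EventData>{fields}</EventData></Event>')

# Constructed sample, deliberately out of order. The first pair reuses the values from
# the answer; "alice" is a console logon (type 2, no address) that is still open;
# "bob" is a logoff whose logon predates the collection window.
SAMPLE_EVENTS = [
    _event(4634, "2011-05-26T11:10:03.070625000Z", {"TargetUserName": "WM2008R2ENT2$",
           "TargetDomainName": "MOD", "TargetLogonId": "0x6ded7f", "LogonType": "3"}),
    _event(4624, "2011-05-26T11:09:52.930000000Z", {"TargetUserName": "WM2008R2ENT2$",
           "TargetDomainName": "MOD", "TargetLogonId": "0x6ded7f", "LogonType": "3",
           "AuthenticationPackageName": "Kerberos", "IpAddress": "192.168.183.101", "IpPort": "51243"}),
    _event(4624, "2011-05-26T11:12:00.000000000Z", {"TargetUserName": "alice", "TargetDomainName": "MOD",
           "TargetLogonId": "0x70a1c2", "LogonType": "2", "IpAddress": "-", "IpPort": "-"}),
    _event(4634, "2011-05-26T11:13:00.000000000Z", {"TargetUserName": "bob", "TargetDomainName": "MOD",
           "TargetLogonId": "0x5c0000", "LogonType": "3"}),
]

def parse_system_time(value):
    """SystemTime is UTC with up to 9 fractional digits; strptime accepts at most 6."""
    base, _, frac = value.rstrip("Z").partition(".")
    return datetime.strptime(f"{base}.{(frac + '000000')[:6]}",
                             "%Y-%m-%dT%H:%M:%S.%f").replace(tzinfo=timezone.utc)

def parse_event(xml_text):
    """Return EventID, timestamp and the EventData/Data fields keyed by their Name."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    return {"event_id": int(system.findtext("e:EventID", namespaces=NS)),
            "time": parse_system_time(system.find("e:TimeCreated", NS).get("SystemTime")),
            "data": {d.get("Name"): (d.text or "").strip()
                     for d in root.findall("e:EventData/e:Data", NS)}}

def correlate_sessions(xml_events):
    """Pair every 4624 with the 4634 carrying the same TargetLogonId; sessions still
    open keep logoff_time/duration_s None, and a 4634 with no seen 4624 is ignored."""
    sessions = {}
    for ev in sorted((parse_event(x) for x in xml_events), key=lambda e: e["time"]):
        d, logon_id = ev["data"], ev["data"].get("TargetLogonId")
        if ev["event_id"] == 4624:
            ip = d.get("IpAddress", "-")
            sessions[logon_id] = {
                "logon_id": logon_id,
                "user": f'{d.get("TargetDomainName")}\\{d.get("TargetUserName")}',
                "logon_type": int(d.get("LogonType", 0)),
                "ip": None if ip in ("-", "") else ip,  # local logons log "-" instead of an address
                "logon_time": ev["time"], "logoff_time": None, "duration_s": None}
        elif ev["event_id"] == 4634 and logon_id in sessions:
            session = sessions[logon_id]
            session["logoff_time"] = ev["time"]
            session["duration_s"] = (ev["time"] - session["logon_time"]).total_seconds()
    return list(sessions.values())

if __name__ == "__main__":
    for s in correlate_sessions(SAMPLE_EVENTS):
        print(s["logon_id"], s["user"], s["logon_type"], s["ip"], s["duration_s"])
```

On a live system the same input can be pulled with Get-WinEvent and its ToXml() output; the logoff event carries no IpAddress, so the address always comes from the 4624 side of the pair.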

Related

Task scheduler-run for event with specific Result Code

I would like to trigger the task only if the login attempt is against a disabled account. This includes the Result Code 0x12. How can I add this to the trigger? Any help would be much appreciated. Thanks.
Here is the event details XML View:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4768</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14339</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2022-04-19T16:40:04.842900000Z" />
<EventRecordID>562602120</EventRecordID>
<Correlation />
<Execution ProcessID="528" ThreadID="106016" />
<Channel>Security</Channel>
<Computer>XXXXXXXXXX</Computer>
<Security />
</System>
<EventData>
<Data Name="TargetUserName">XXXXXXXX</Data>
<Data Name="TargetDomainName">XXXXXXX</Data>
<Data Name="TargetSid">S-1-0-0</Data>
<Data Name="ServiceName">krbtgt/mie</Data>
<Data Name="ServiceSid">S-1-0-0</Data>
<Data Name="TicketOptions">0x40810010</Data>
<Data Name="Status">0x12</Data>
<Data Name="TicketEncryptionType">0xffffffff</Data>
<Data Name="PreAuthType">-</Data>
<Data Name="IpAddress">::ffff:192.168.240.79</Data>
<Data Name="IpPort">50126</Data>
<Data Name="CertIssuerName" />
<Data Name="CertSerialNumber" />
<Data Name="CertThumbprint" />
</EventData>
</Event>
Here is a task trigger that includes everything but the result code:
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">*[System[band(Keywords,4503599627370496) and (EventID=4768)]]</Select>
</Query>
</QueryList>
Not sure where to put the Result Code 0x12
<Data Name="Status">0x12</Data>

Windows Task Scheduler XPath for filtering event on hour of day

I'm creating a custom event filter in order to trigger a task from Windows Task Scheduler. I'm needing to select my event only if it occurs before x o'clock.
Here's the portion of the event XML that I care about:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="acvpnagent" />
<EventID Qualifiers="25600">2039</EventID>
<TimeCreated SystemTime="2021-11-01T04:24:49.6333217Z" />
<Channel>Cisco AnyConnect Secure Mobility Client</Channel>
</System>
</Event>
So far I have the following XPath, but it is missing the time constraint:
<QueryList>
<Query Id="0" Path="Cisco AnyConnect Secure Mobility Client">
<Select Path="Cisco AnyConnect Secure Mobility Client">*[System[Provider[@Name='acvpnagent'] and (EventID=2039)]]</Select>
</Query>
</QueryList>
Is it possible to add a condition for TimeCreated to satisfy my constraint? And am I still limited to XPath 1.0 on Windows 10?
This XPath 1.0 expression will select Event nodes as follows
//x:Event[./x:System/x:Provider/@Name="acvpnagent" and ./x:System/x:EventID=2039 and number(translate(substring-before(substring-after(./x:System/x:TimeCreated/@SystemTime,"T"),"."),":","")) < 110000]
This XPath will select nodes according to the criteria in the OP's sample
//x:Event[./x:System/x:Provider/@Name="acvpnagent" and ./x:System/x:EventID=2039]
While this XPath part will add a filter by time of day
number(translate(substring-before(substring-after(./x:System/x:TimeCreated/@SystemTime,"T"),"."),":","")) < 110000
Date handling
Given an ISO-8601 date as 2021-11-01T04:24:49.6333217Z, this would return the HH:mm:ss part
substring-before(substring-after(./x:System/x:TimeCreated/@SystemTime,"T"),".")
Result: 04:24:49
Let's remove semicolons:
translate(substring-before(substring-after(./x:System/x:TimeCreated/@SystemTime,"T"),"."),":","")
Result: 042449
Finally, make it a number and compare with desired limit
number(translate(substring-before(substring-after(./x:System/x:TimeCreated/@SystemTime,"T"),"."),":","")) < 110000
Given this XML sample
<root>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="acvpnagent" />
<EventID Qualifiers="25600">2039</EventID>
<TimeCreated SystemTime="2021-11-01T04:24:49.6333217Z" />
<Channel>Cisco AnyConnect Secure Mobility Client</Channel>
</System>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="acvpnagent" />
<EventID Qualifiers="25600">2039</EventID>
<TimeCreated SystemTime="2021-11-01T08:24:49.6333217Z" />
<Channel>Cisco AnyConnect Secure Mobility Client</Channel>
</System>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="acvpnagent" />
<EventID Qualifiers="25600">2039</EventID>
<TimeCreated SystemTime="2021-11-01T11:24:49.6333217Z" />
<Channel>Cisco AnyConnect Secure Mobility Client</Channel>
</System>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="acvpnagent" />
<EventID Qualifiers="25600">2039</EventID>
<TimeCreated SystemTime="2021-11-01T22:24:49.6333217Z" />
<Channel>Cisco AnyConnect Secure Mobility Client</Channel>
</System>
</Event>
</root>
Find events that match the criteria and occurred before 11:00:00 using this XPath
//x:Event[./x:System/x:Provider/@Name="acvpnagent" and ./x:System/x:EventID=2039 and number(translate(substring-before(substring-after(./x:System/x:TimeCreated/@SystemTime,"T"),"."),":","")) < 110000]
Result:
echo -e 'setns x=http://schemas.microsoft.com/win/2004/08/events/event\ncat //x:Event[./x:System/x:Provider/@Name="acvpnagent" and ./x:System/x:EventID=2039 and number(translate(substring-before(substring-after(./x:System/x:TimeCreated/@SystemTime,"T"),"."),":","")) < 110000]' | xmllint --shell tmp.xml
/ > setns x=http://schemas.microsoft.com/win/2004/08/events/event
/ > cat //x:Event[./x:System/x:Provider/@Name="acvpnagent" and ./x:System/x:EventID=2039 and number(translate(substring-before(substring-after(./x:System/x:TimeCreated/@SystemTime,"T"),"."),":","")) < 110000]
-------
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="acvpnagent"/>
<EventID Qualifiers="25600">2039</EventID>
<TimeCreated SystemTime="2021-11-01T04:24:49.6333217Z"/>
<Channel>Cisco AnyConnect Secure Mobility Client</Channel>
</System>
</Event>
-------
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="acvpnagent"/>
<EventID Qualifiers="25600">2039</EventID>
<TimeCreated SystemTime="2021-11-01T08:24:49.6333217Z"/>
<Channel>Cisco AnyConnect Secure Mobility Client</Channel>
</System>
</Event>
/ >
If a full date is used for comparison, this would be the XPath expression
//x:Event[./x:System/x:Provider/@Name="acvpnagent" and ./x:System/x:EventID=2039 and number(translate(substring-before(./x:System/x:TimeCreated/@SystemTime,"."),"T:-","")) < 20211101110000]
Note 1: expressions start with ./ to make evaluation in the current node context.
Note 2: I don't have Windows to test but XPath 1.0 is mostly independent of the language/OS so it should work. The OP would need to add namespace handling to his implementation or remove the x: namespace prefix from expressions in this answer.

NIFI - How can I get the value of the specific value in the xml file?

Using NIFI I'm monitoring Windows Sysmon events. The information received is in XML format.
Using the EvaluateXPath module, I need to extract the value from the first Channel parameter (<Channel>Microsoft-Windows-Sysmon/Operational</Channel>) and add it as an attribute.
I'm trying to understand what should be the Value in the Channel1 property
XML
<?xml version="1.0" encoding="UTF-8"?>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Sysmon"
Guid="{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"/>
<EventID>10</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>10</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2020-12-03T14:23:35.660463800Z"/>
<EventRecordID>94211</EventRecordID>
<Correlation/>
<Execution ProcessID="10052" ThreadID="9516"/>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>workstation.test.com</Computer>
<Security UserID="S-1-5-18"/>
</System>
<EventData>
<Data Name="RuleName"/>
<Data Name="UtcTime">2020-12-03 14:23:35.659</Data>
<Data Name="SourceProcessGUID">{921b204f-2632-5fc2-0000-0010a0d20100}</Data>
<Data Name="SourceProcessId">3428</Data>
<Data Name="SourceThreadId">4072</Data>
<Data Name="SourceImage">C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2010.7-0\MsMpEng.exe</Data>
<Data Name="TargetProcessGUID">{921b204f-2636-5fc2-0000-001085f80200}</Data>
<Data Name="TargetProcessId">4212</Data>
<Data Name="TargetImage">C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2010.7-0\NisSrv.exe</Data>
<Data Name="GrantedAccess">0x1400</Data>
<Data Name="CallTrace">C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2010.7-0\mpsvc.dll+1c606f|C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2010.7-0\mpsvc.dll+103572|C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2010.7-0\mpsvc.dll+1093e6|C:\Windows\System32\ucrtbase.dll+20e72|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1</Data>
</EventData>
<RenderingInfo Culture="en-US">
<Message>Process accessed:
RuleName:
UtcTime: 2020-12-03 14:23:35.659
SourceProcessGUID: {921b204f-2632-5fc2-0000-0010a0d20100}
SourceProcessId: 3428
SourceThreadId: 4072
SourceImage: C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2010.7-0\MsMpEng.exe
TargetProcessGUID: {921b204f-2636-5fc2-0000-001085f80200}
TargetProcessId: 4212
TargetImage: C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2010.7-0\NisSrv.exe
GrantedAccess: 0x1400
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\KERNELBASE.dll+2730e|C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2010.7-0\mpsvc.dll+1c606f|C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2010.7-0\mpsvc.dll+103572|C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2010.7-0\mpsvc.dll+1093e6|C:\Windows\System32\ucrtbase.dll+20e72|C:\Windows\System32\KERNEL32.DLL+17bd4|C:\Windows\SYSTEM32\ntdll.dll+6ced1</Message>
<Level>Information</Level>
<Task>Process accessed (rule: ProcessAccess)</Task>
<Opcode>Info</Opcode>
<Channel/>
<Provider/>
<Keywords/>
</RenderingInfo>
</Event>
Since the XML includes namespaces, there are 2 options:
/*:Event/*:System/*:Channel  or  //*[local-name()='Channel']/text()

Xpath-filtering, trying to filter on text contains

I am using XPath to filter Windows Event Logs using PowerShell's Get-WinEvent (this question is not restricted to PowerShell, but rather is an XPath question).
My input data (example event) is as follows
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4662</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14080</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2017-08-14T09:03:17.496928900Z" />
<EventRecordID>787185775</EventRecordID>
<Correlation />
<Execution ProcessID="1220" ThreadID="6908" />
<Channel>Security</Channel>
<Computer>MyComputer.MyDomain.Local</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-3674026133-984544165-2712361304-107629</Data>
<Data Name="SubjectUserName">svc-X</Data>
<Data Name="SubjectDomainName">GROUP</Data>
<Data Name="SubjectLogonId">0x35e0ae72d</Data>
<Data Name="ObjectServer">DS</Data>
<Data Name="ObjectType">%{19195a5b-6da0-11d0-afd3-00c04fd930c9}</Data>
<Data Name="ObjectName">%{38f2636c-4bec-4029-aab6-a2ce69751d1a}</Data>
<Data Name="OperationType">Object Access</Data>
<Data Name="HandleId">0x0</Data>
<Data Name="AccessList">%%7688</Data>
<Data Name="AccessMask">0x100</Data>
<Data Name="Properties">%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}</Data>
<Data Name="AdditionalInfo">-</Data>
<Data Name="AdditionalInfo2" />
</EventData>
</Event>
Now if I save the following XPath statement to the variable $XpathQuery
$XpathQuery = "*[System[(EventID=4624)] and EventData[(Data[@Name='Properties'])]]"
and run using the PowerShell Get-WinEvent cmdlet as follows
Get-WinEvent -LogName Security -ComputerName MyComputer.MyDomain.Local -FilterXPath $XpathQuery
I get the output I would expect e.g. I get all 4624 events where EventData has an attribute named Properties
I want to fine-tune my XPath query to only select entries where the Properties element contains the text 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2, as there may be a few hundred entries where only a handful contain 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2.

How to correlate RPC calls in ETW traces?

I recorded a trace of an application performing Local RPC calls on Windows. I used xperf with the Microsoft-Windows-RPC provider enabled. After opening the trace, I realized that it's not that simple to correlate client and server calls. It will be easier to explain the problem with an example.
One of the RpcClientCall events sent by the client looks as follows:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-RPC" Guid="{6ad52b32-d609-4be9-ae07-ce8dae937e39}" />
<EventID>5</EventID>
<Version>1</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>1</Opcode>
<Keywords>0x4000000000000000</Keywords>
<TimeCreated SystemTime="2017-01-02T18:21:54.825009200+0059" />
<Correlation ActivityID="{f9ace53a-28fe-4129-ac24-8d04ea0a79a9}" />
<Execution ProcessID="10688" ThreadID="5384" ProcessorID="7" KernelTime="30" UserTime="15" />
<Channel>Microsoft-Windows-RPC/Debug</Channel>
<Computer />
</System>
<EventData>
<Data Name="InterfaceUuid">{e60c73e6-88f9-11cf-9af1-0020af6e72f4}</Data>
<Data Name="ProcNum">0x8</Data>
<Data Name="Protocol"> 3</Data>
<Data Name="NetworkAddress">NULL</Data>
<Data Name="Endpoint">epmapper</Data>
<Data Name="Options">NULL</Data>
<Data Name="AuthenticationLevel"> 6</Data>
<Data Name="AuthenticationService"> 20</Data>
<Data Name="ImpersonationLevel"> 3</Data>
</EventData>
<RenderingInfo Culture="en-US">
<Level>Information </Level>
<Opcode>Start </Opcode>
<Task>RpcClientCall</Task>
<Message>Client RPC call started. InterfaceUuid: {e60c73e6-88f9-11cf-9af1-0020af6e72f4} OpNum: 0x8 Protocol: LRPC NetworkAddress NULL Endpoint epmapper Binding Options NULL Authentication Level 7 Authentication Service 8 Impersonation Level 9 </Message>
<Channel>Debug </Channel>
<Provider>Microsoft-Windows-RPC </Provider>
</RenderingInfo>
</Event>
Then comes a number of Debug events (with the same ActivityID), such as this one:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-RPC" Guid="{6ad52b32-d609-4be9-ae07-ce8dae937e39}" />
<EventID>4</EventID>
<Version>1</Version>
<Level>5</Level>
<Task>3</Task>
<Opcode>0</Opcode>
<Keywords>0x4000000000000000</Keywords>
<TimeCreated SystemTime="2017-01-02T18:21:54.825028400+0059" />
<Correlation ActivityID="{f9ace53a-28fe-4129-ac24-8d04ea0a79a9}" />
<Execution ProcessID="10688" ThreadID="5384" ProcessorID="7" KernelTime="30" UserTime="15" />
<Channel>Microsoft-Windows-RPC/Debug</Channel>
<Computer />
</System>
<EventData>
<Data Name="Subject">76</Data>
<Data Name="Verb">75</Data>
<Data Name="SubjectPointer">0x24F9A52CAF0</Data>
<Data Name="ObjectPointer">0x180</Data>
<Data Name="DataPointer">0x22000130</Data>
</EventData>
<RenderingInfo Culture="en-US">
<Level>Verbose </Level>
<Task>Debug</Task>
<Message>RPC Log Event.
Subject: ALPC Verb: PKT_OUT SubjectPointer: 0x24F9A52CAF0 ObjectPointer: 0x180 Data: 0x22000130 </Message>
<Channel>Debug </Channel>
<Provider>Microsoft-Windows-RPC </Provider>
</RenderingInfo>
</Event>
Later I may find the RpcServerCall event, which probably represents the response from the server:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-RPC" Guid="{6ad52b32-d609-4be9-ae07-ce8dae937e39}" />
<EventID>6</EventID>
<Version>1</Version>
<Level>4</Level>
<Task>2</Task>
<Opcode>1</Opcode>
<Keywords>0x4000000000000000</Keywords>
<TimeCreated SystemTime="2017-01-02T18:21:56.786737300+0059" />
<Correlation ActivityID="{11bb1d8d-336f-44e3-b853-b903f4fd2651}" />
<Execution ProcessID="652" ThreadID="15348" ProcessorID="4" KernelTime="90" UserTime="195" />
<Channel>Microsoft-Windows-RPC/Debug</Channel>
<Computer />
</System>
<EventData>
<Data Name="InterfaceUuid">{e60c73e6-88f9-11cf-9af1-0020af6e72f4}</Data>
<Data Name="ProcNum">0x8</Data>
<Data Name="Protocol"> 3</Data>
<Data Name="NetworkAddress">NULL</Data>
<Data Name="Endpoint">epmapper</Data>
<Data Name="Options">NULL</Data>
<Data Name="AuthenticationLevel"> 6</Data>
<Data Name="AuthenticationService"> 20</Data>
<Data Name="ImpersonationLevel"> 0</Data>
</EventData>
<RenderingInfo Culture="en-US">
<Level>Information </Level>
<Opcode>Start </Opcode>
<Task>RpcServerCall</Task>
<Message>Server RPC call started. InterfaceUuid: {e60c73e6-88f9-11cf-9af1-0020af6e72f4} OpNum: 0x4 Protocol: LRPC Endpoint epmapper Authentication Level 7 Authentication Service 8 </Message>
<Channel>Debug </Channel>
<Provider>Microsoft-Windows-RPC </Provider>
</RenderingInfo>
</Event>
This event is again followed by a number of Debug events (with the same ActivityID):
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-RPC" Guid="{6ad52b32-d609-4be9-ae07-ce8dae937e39}" />
<EventID>4</EventID>
<Version>1</Version>
<Level>5</Level>
<Task>3</Task>
<Opcode>0</Opcode>
<Keywords>0x4000000000000000</Keywords>
<TimeCreated SystemTime="2017-01-02T18:21:56.786747500+0059" />
<Correlation ActivityID="{11bb1d8d-336f-44e3-b853-b903f4fd2651}" />
<Execution ProcessID="652" ThreadID="15348" ProcessorID="4" KernelTime="90" UserTime="195" />
<Channel>Microsoft-Windows-RPC/Debug</Channel>
<Computer />
</System>
<EventData>
<Data Name="Subject">105</Data>
<Data Name="Verb">43</Data>
<Data Name="SubjectPointer">0x15B5283A110</Data>
<Data Name="ObjectPointer">0x0</Data>
<Data Name="DataPointer">0x1</Data>
</EventData>
<RenderingInfo Culture="en-US">
<Level>Verbose </Level>
<Task>Debug</Task>
<Message>RPC Log Event.
Subject: IF Verb: INC SubjectPointer: 0x15B5283A110 ObjectPointer: 0x0 Data: 0x1 </Message>
<Channel>Debug </Channel>
<Provider>Microsoft-Windows-RPC </Provider>
</RenderingInfo>
</Event>
After the call is done, I can see win:stop events on both the client and the server, but those events have only one field, Status, and the ActivityID set to the same value as the win:start event, for example:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-RPC" Guid="{6ad52b32-d609-4be9-ae07-ce8dae937e39}" />
<EventID>8</EventID>
<Version>1</Version>
<Level>4</Level>
<Task>2</Task>
<Opcode>2</Opcode>
<Keywords>0x4000000000000000</Keywords>
<TimeCreated SystemTime="2017-01-02T18:21:56.786835000+0059" />
<Correlation ActivityID="{11bb1d8d-336f-44e3-b853-b903f4fd2651}" />
<Execution ProcessID="652" ThreadID="15348" ProcessorID="4" KernelTime="90" UserTime="195" />
<Channel>Microsoft-Windows-RPC/Debug</Channel>
<Computer />
</System>
<EventData>
<Data Name="Status">0x0</Data>
</EventData>
<RenderingInfo Culture="en-US">
<Level>Information </Level>
<Opcode>Stop </Opcode>
<Task>RpcServerCall</Task>
<Message>Server RPC call was completed. Status: 0x0 </Message>
<Channel>Debug </Channel>
<Provider>Microsoft-Windows-RPC </Provider>
</RenderingInfo>
</Event>
Question
Finally, my question is: how can I be 100% sure that a given RpcServerCall is a response to my initial RpcClientCall? I guess that matching by InterfaceUuid, ProcNum, Protocol and Endpoint is not enough, as there might be multiple calls to a given endpoint at the same time. I hope that maybe these Debug events can be of help here. Maybe there is another ETW provider which I should use? Or maybe there is a setting to enable RelativeActivityId?
You can correlate the events by enabling Microsoft-Windows-RPC and grouping by Activity Id, which will be unique for every RPC call. You then only need to correlate the start/stop events for each activity id, and you have the duration in the context of your client process to correlate the duration of any RPC call.
For each Activity many debug events can be logged, but only one start/stop tuple will be there. That should do the trick.
To correlate RPC client and server calls you need first to find the corresponding RPC client and server calls by looking at the start/stop events with the same activity guid. For a given RpcClient with a RpcServer call you can use Field 5 (Endpoint) to group them. At least that is what I have found looks like a reliable indicator if a given endpoint is serving calls synchronously only. Interface might also work, but since there can be more than one COM server running at the same time with the same Interface GUID it is not a reliable indicator. I do not think it will get much better than that with the given data. Why are you so keen on the RPC server part? Normally you would only look at very long client times, which is sufficient to trigger a deeper analysis anyway. Are you searching for issues inside the RPC infrastructure?
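An added example, not code from the question or the answer, that implements the answer's approach in Python: pair each Microsoft-Windows-RPC win:Start/win:Stop by ActivityID to get per-call durations, skip the Debug events, then match a client call to the server call on the same Endpoint whose start/stop fall inside the client's window. The Task/Opcode values are taken from the events shown; the sample events are constructed (Z-form timestamps, the client stop times, the CLIENT_B ActivityID and the endpoint name other-endpoint are placeholders).

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Values as they appear in the trace: Task 1 = RpcClientCall, 2 = RpcServerCall, 3 = Debug; Opcode 1 = Start, 2 = Stop.
CLIENT_TASK, SERVER_TASK, DEBUG_TASK = 1, 2, 3
START, STOP = 1, 2

def _event(task, opcode, system_time, activity_id, pid, data):
    # Minimal Microsoft-Windows-RPC event in the Windows event XML schema (constructed input).
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="Microsoft-Windows-RPC"/><Task>{task}</Task>'
            f'<Opcode>{opcode}</Opcode><TimeCreated SystemTime="{system_time}"/><Correlation ActivityID="{activity_id}"/>'
            f'<Execution ProcessID="{pid}" ThreadID="0"/></System><EventData>{fields}</EventData></Event>')

# ActivityIDs and the epmapper call fields come from the question; CLIENT_B, the stop
# times and the second endpoint are constructed so that one client call has no match.
CLIENT_A = "{f9ace53a-28fe-4129-ac24-8d04ea0a79a9}"
SERVER_A = "{11bb1d8d-336f-44e3-b853-b903f4fd2651}"
CLIENT_B = "{0b0b0b0b-0000-4000-8000-000000000002}"
EPM = {"InterfaceUuid": "{e60c73e6-88f9-11cf-9af1-0020af6e72f4}", "ProcNum": "0x8", "Endpoint": "epmapper"}
SAMPLE_EVENTS = [
    _event(CLIENT_TASK, START, "2017-01-02T18:21:54.825009200Z", CLIENT_A, 10688, EPM),
    _event(DEBUG_TASK, 0, "2017-01-02T18:21:54.825028400Z", CLIENT_A, 10688, {"Verb": "75"}),
    _event(SERVER_TASK, START, "2017-01-02T18:21:56.786737300Z", SERVER_A, 652, EPM),
    _event(SERVER_TASK, STOP, "2017-01-02T18:21:56.786835000Z", SERVER_A, 652, {"Status": "0x0"}),
    _event(CLIENT_TASK, STOP, "2017-01-02T18:21:56.800000000Z", CLIENT_A, 10688, {"Status": "0x0"}),
    _event(CLIENT_TASK, START, "2017-01-02T18:21:57.000000000Z", CLIENT_B, 10688, {**EPM, "Endpoint": "other-endpoint"}),
    _event(CLIENT_TASK, STOP, "2017-01-02T18:21:57.100000000Z", CLIENT_B, 10688, {"Status": "0x0"}),
]

def parse_system_time(value):
    """SystemTime carries 7-9 fractional digits; strptime accepts at most 6."""
    base, _, frac = value.rstrip("Z").partition(".")
    return datetime.strptime(f"{base}.{(frac + '000000')[:6]}", "%Y-%m-%dT%H:%M:%S.%f").replace(tzinfo=timezone.utc)

def parse_rpc_event(xml_text):
    # Only the fields the correlation needs: Task, Opcode, time, ActivityID, PID and EventData.
    root = ET.fromstring(xml_text)
    s = root.find("e:System", NS)
    return {"task": int(s.findtext("e:Task", namespaces=NS)),
            "opcode": int(s.findtext("e:Opcode", namespaces=NS)),
            "time": parse_system_time(s.find("e:TimeCreated", NS).get("SystemTime")),
            "activity": s.find("e:Correlation", NS).get("ActivityID"),
            "pid": int(s.find("e:Execution", NS).get("ProcessID")),
            "data": {d.get("Name"): (d.text or "").strip()
                     for d in root.findall("e:EventData/e:Data", NS)}}

def build_calls(xml_events):
    """One record per ActivityID; the win:Start/win:Stop pair gives each call's duration."""
    calls = {}
    for ev in sorted((parse_rpc_event(x) for x in xml_events), key=lambda e: e["time"]):
        if ev["task"] == DEBUG_TASK:
            continue  # shares the call's ActivityID but adds no call fields
        if ev["opcode"] == START:
            calls[ev["activity"]] = {
                "side": "client" if ev["task"] == CLIENT_TASK else "server", "pid": ev["pid"],
                "endpoint": ev["data"].get("Endpoint"), "interface": ev["data"].get("InterfaceUuid"),
                "start": ev["time"], "stop": None, "status": None, "duration_ms": None}
        elif ev["opcode"] == STOP and ev["activity"] in calls:
            call = calls[ev["activity"]]
            call["stop"], call["status"] = ev["time"], ev["data"].get("Status")
            call["duration_ms"] = (ev["time"] - call["start"]).total_seconds() * 1000
    return calls

def match_client_to_server(calls):
    """The answer's heuristic: the server call on the same Endpoint and interface that ran inside
    the client's window. None when there is no candidate or several (concurrent calls)."""
    matches = {}
    for a, cl in ((a, c) for a, c in calls.items() if c["side"] == "client" and c["stop"]):
        cands = [sa for sa, s in calls.items() if s["side"] == "server" and s["stop"]
                 and (s["endpoint"], s["interface"]) == (cl["endpoint"], cl["interface"])
                 and cl["start"] <= s["start"] and s["stop"] <= cl["stop"]]
        matches[a] = cands[0] if len(cands) == 1 else None
    return matches
```

Two overlapping client calls to the same endpoint produce two candidates and therefore None, which is exactly the ambiguity the answer warns about.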
