Microsoft-Windows-Bits-Client
114 events across 3 channels
Event ID 0: task_0Start
Event ID 1: BITS job "Title" with ID JobGuid has been resumed.
Event ID 2: BITS job "Title" with ID JobGuid has been suspended.
Event ID 3: The BITS service created a new job: jobTitle, with owner jobId.
Description
The BITS service created a new job: jobTitle, with owner jobId.
Fields
| Name | Type | Description | Rules |
|---|---|---|---|
| jobTitle | UnicodeString | Transfer job. | |
| jobId | GUID | | |
| jobOwner | UnicodeString | Owner. | |
| processPath | UnicodeString | | 3 detection rules |
| processId | UInt32 | | |
| ClientProcessStartKey | UInt64 | | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Bits-Client",
"guid": "EF1CC15B-46C1-414E-BB95-E76B077BD51E",
"event_source_name": "",
"event_id": 3,
"version": 3,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2023-11-06T01:45:20.897391+00:00",
"event_record_id": 432,
"correlation": {
"ActivityID": "E4DB489E-1037-0002-3588-E4E43710DA01"
},
"execution": {
"process_id": 16164,
"thread_id": 17248
},
"channel": "Microsoft-Windows-Bits-Client/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"jobTitle": "Chrome Component Updater",
"jobId": "9A25D168-24E6-4C66-AC78-5ED0E6007F1A",
"jobOwner": "WINDEV2310EVAL\\User",
"processPath": "C:\\Program Files\\WindowsApps\\SpotifyAB.SpotifyMusic_1.222.982.0_x64__zpdnekdrzrea0\\Spotify.exe",
"processId": 2208,
"ClientProcessStartKey": 3659174697241209
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4: The transfer job is complete.
Description
The transfer job is complete.
Fields
| Name | Type | Description |
|---|---|---|
| User | UnicodeString | |
| jobTitle | UnicodeString | Transfer job. |
| jobId | GUID | |
| jobOwner | UnicodeString | Owner. |
| fileCount | UInt64 | |
| bytesTransferred | UInt64 | |
| bytesTransferredFromPeer | UInt64 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Bits-Client",
"guid": "EF1CC15B-46C1-414E-BB95-E76B077BD51E",
"event_source_name": "",
"event_id": 4,
"version": 1,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2023-11-06T02:02:24.353689+00:00",
"event_record_id": 436,
"correlation": {
"ActivityID": "E4DB489E-1037-0002-3588-E4E43710DA01"
},
"execution": {
"process_id": 16164,
"thread_id": 5192
},
"channel": "Microsoft-Windows-Bits-Client/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"User": "WINDEV2310EVAL\\User",
"jobTitle": "Edge Component Updater",
"jobId": "3C77FC9E-C30A-4FC3-804B-82E48B3059B6",
"jobOwner": "WINDEV2310EVAL\\User",
"fileCount": 1,
"bytesTransferred": 201001,
"bytesTransferredFromPeer": 0
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 5: Job cancelled.
Description
Job cancelled. User: User, job: jobTitle, jobID: jobId, owner: jobOwner, filecount: fileCount.
Fields
| Name | Type | Description |
|---|---|---|
| User | UnicodeString | User. |
| jobTitle | UnicodeString | |
| jobId | GUID | |
| jobOwner | UnicodeString | |
| fileCount | UInt64 | |
| processId | UInt32 | |
| ClientProcessStartKey | UInt64 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Bits-Client",
"guid": "EF1CC15B-46C1-414E-BB95-E76B077BD51E",
"event_source_name": "",
"event_id": 5,
"version": 1,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2023-10-25T21:23:18.455184+00:00",
"event_record_id": 20,
"correlation": {
"ActivityID": "DE03B784-07C3-0003-32C2-03DEC307DA01"
},
"execution": {
"process_id": 4816,
"thread_id": 4860
},
"channel": "Microsoft-Windows-Bits-Client/Operational",
"computer": "WinDevEval",
"security": {
"user_id": "S-1-5-19"
}
},
"event_data": {
"User": "NT AUTHORITY\\LOCAL SERVICE",
"jobTitle": "Font Download",
"jobId": "BF87B9AA-D285-46CB-89FF-C6C111F0E4CB",
"jobOwner": "NT AUTHORITY\\LOCAL SERVICE",
"fileCount": 1,
"processId": 2948,
"ClientProcessStartKey": 562949953421373
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 6: Command-line command set for job jobId with owner jobOwner.
Description
Command-line command set for job jobId with owner jobOwner. Program: program Args: parameters.
Fields
| Name | Type | Description |
|---|---|---|
| jobId | GUID | |
| jobOwner | UnicodeString | |
| program | UnicodeString | Program. |
| parameters | UnicodeString | Args. |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Bits-Client",
"guid": "EF1CC15B-46C1-414E-BB95-E76B077BD51E",
"event_source_name": "",
"event_id": 6,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2023-10-25T21:25:55.426533+00:00",
"event_record_id": 32,
"correlation": {
"ActivityID": "DE03B784-07C3-0003-E610-04DEC307DA01"
},
"execution": {
"process_id": 4940,
"thread_id": 5896
},
"channel": "Microsoft-Windows-Bits-Client/Operational",
"computer": "WinDevEval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"jobId": "F36CA3CE-3AEB-4592-B4ED-D23E59938DF9",
"jobOwner": "NT AUTHORITY\\SYSTEM",
"program": "C:\\Windows\\system32\\directxdatabaseupdater.exe",
"parameters": "C:\\Windows\\system32\\directxdatabaseupdater.exe -DatabaseComplete {F36CA3CE-3AEB-4592-B4ED-D23E59938DF9}"
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 10: BITS started listening for peer-client requests.
Event ID 11: BITS was not able to listen for peer-client requests.
Event ID 12: BITS stopped listening for peer-client requests.
Event ID 13: BITS started listening for peer-server announcements.
Description
BITS started listening for peer-server announcements.
Event ID 14: BITS was not able to listen for peer-server announcements.
Event ID 15: BITS stopped listening for peer-server announcements.
Description
BITS stopped listening for peer-server announcements.
Event ID 16: BITS has sent an inquiry for peer servers.
Description
BITS has sent an inquiry for peer servers.
Event ID 17: BITS has read the policy parameters for peer-caching.
Description
BITS has read the policy parameters for peer-caching.
Fields
| Name | Type | Description |
|---|---|---|
| peerCacheEnabled | Boolean | |
| peerClientEnabled | Boolean | |
| peerServerEnabled | Boolean | |
| maxPeers | UInt32 | |
| maxClients | UInt32 | |
| maxContentAge | UInt32 | |
| maxCacheSize | UInt32 | |
| minCacheDiskSize | UInt32 | |
| cacheDenyUrls | UnicodeString | |
| denyUrlCount | UInt8 | |
| denyUrls | UnicodeString | |
Event ID 18: The peer list rejected an incoming server announcement.
Description
The peer list rejected an incoming server announcement. This event is generated if the request is not valid, not if the server is merely in a different Windows domain.
Fields
| Name | Type | Description |
|---|---|---|
| packet | UnicodeString | |
| hr | UInt32 | |
| fqdn | UnicodeString | |
| sourceAddress | Binary | |
| addressCount | UInt8 | |
| addresses | UnicodeString | |
Event ID 19: A new peer was added.
Event ID 20: A peer was updated.
Event ID 21: A peer was removed from the peer list.
Event ID 22: A cached peer was restored from disk.
Event ID 23: An application cleared the peer list.
Event ID 24: BITS has replied to a client's inquiry for peer servers.
Event ID 25: The server received a peer inquiry but rejected it.
Event ID 27: A peer search for an URL has begun.
Event ID 28: A peer search ended.
Event ID 29: A search request is being sent.
Event ID 30: A search request has completed.
Event ID 31: A search request has completed unsuccessfully.
Event ID 32: The peer's record id matched the request.
Event ID 33: BITS updated the set of IP addresses used for peer-caching.
Event ID 34: Job cannot be transferred because job transfer cost policy preventing it.
Description
Job cannot be transferred because job transfer cost policy preventing it. job: jobName, jobID: jobId, filecount: FileCount, jobs transfer policy: jobTransferPolicy, global transfer policy: globalTransferPolicy.
Fields
| Name | Type | Description |
|---|---|---|
| jobName | UnicodeString | |
| jobId | GUID | |
| FileCount | UInt64 | |
| jobTransferPolicy | UInt32 | |
| globalTransferPolicy | UInt32 | |
Event ID 37: The cost state has changed.
Event ID 59: BITS started the name transfer job that is associated with the url URL.
Description
BITS started the name transfer job that is associated with the url URL.
Fields
| Name | Type | Description |
|---|---|---|
| transferId | GUID | |
| name | UnicodeString | |
| Id | GUID | |
| url | UnicodeString | |
| peer | UnicodeString | |
| fileTime | FILETIME | |
| fileLength | UInt64 | |
| bytesTotal | UInt64 | |
| bytesTransferred | UInt64 | |
| bytesTransferredFromPeer | UInt64 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Bits-Client",
"guid": "EF1CC15B-46C1-414E-BB95-E76B077BD51E",
"event_source_name": "",
"event_id": 59,
"version": 1,
"level": 4,
"task": 0,
"opcode": 1,
"keywords": 4611686018427387904,
"time_created": "2023-11-06T01:45:21.457190+00:00",
"event_record_id": 434,
"correlation": {
"ActivityID": "837C306A-427B-4022-ABDF-56DD359EB862"
},
"execution": {
"process_id": 16164,
"thread_id": 12700
},
"channel": "Microsoft-Windows-Bits-Client/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"transferId": "837C306A-427B-4022-ABDF-56DD359EB862",
"name": "Chrome Component Updater",
"Id": "9A25D168-24E6-4C66-AC78-5ED0E6007F1A",
"url": "http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acwcdm4bj7lx4xbm2ireywxlhvca_4.10.2710.0/oimompecagnajdejgnnjijobebaeigek_4.10.2710.0_win64_adsurwm4gclupf32xdrpgdnapira.crx3",
"peer": "",
"fileTime": "2023-09-22T20:52:50.000000Z",
"fileLength": 14317402,
"bytesTotal": 14317402,
"bytesTransferred": 0,
"bytesTransferredFromPeer": 0
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 60: BITS stopped transferring the name transfer job that is associated with the url URL.
Description
BITS stopped transferring the name transfer job that is associated with the url URL. The status code is hr.
Fields
| Name | Type | Description |
|---|---|---|
| transferId | GUID | |
| name | UnicodeString | |
| Id | GUID | |
| url | UnicodeString | |
| peer | UnicodeString | |
| hr | UInt32 | |
| fileTime | FILETIME | |
| fileLength | UInt64 | |
| bytesTotal | UInt64 | |
| bytesTransferred | UInt64 | |
| proxy | UnicodeString | |
| peerProtocolFlags | UInt64 | |
| bytesTransferredFromPeer | UInt64 | |
| AdditionalInfoHr | UInt32 | |
| PeerContextInfo | UInt32 | |
| bandwidthLimit | UInt64 | |
| ignoreBandwidthLimitsOnLan | Boolean | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Bits-Client",
"guid": "EF1CC15B-46C1-414E-BB95-E76B077BD51E",
"event_source_name": "",
"event_id": 60,
"version": 1,
"level": 4,
"task": 0,
"opcode": 2,
"keywords": 4611686018427387904,
"time_created": "2023-11-06T01:45:52.846707+00:00",
"event_record_id": 435,
"correlation": {
"ActivityID": "837C306A-427B-4022-ABDF-56DD359EB862"
},
"execution": {
"process_id": 16164,
"thread_id": 12832
},
"channel": "Microsoft-Windows-Bits-Client/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"transferId": "837C306A-427B-4022-ABDF-56DD359EB862",
"name": "Chrome Component Updater",
"Id": "9A25D168-24E6-4C66-AC78-5ED0E6007F1A",
"url": "http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acwcdm4bj7lx4xbm2ireywxlhvca_4.10.2710.0/oimompecagnajdejgnnjijobebaeigek_4.10.2710.0_win64_adsurwm4gclupf32xdrpgdnapira.crx3",
"peer": "",
"hr": 0,
"fileTime": "2023-09-22T20:52:50.000000Z",
"fileLength": 14317402,
"bytesTotal": 14317402,
"bytesTransferred": 14317402,
"proxy": "",
"peerProtocolFlags": 0,
"bytesTransferredFromPeer": 0,
"AdditionalInfoHr": 0,
"PeerContextInfo": 0,
"bandwidthLimit": 18446744073709551615,
"ignoreBandwidthLimitsOnLan": false
},
"message": ""
}
Community Notes
Surfaces misuse of the Background Intelligent Transfer Service (BITS) for data exfiltration or downloads.
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 61: BITS stopped transferring the name transfer job that is associated with the url URL.
Description
BITS stopped transferring the name transfer job that is associated with the url URL. The status code is hr.
Fields
| Name | Type | Description |
|---|---|---|
| transferId | GUID | |
| name | UnicodeString | |
| Id | GUID | |
| url | UnicodeString | |
| peer | UnicodeString | |
| hr | UInt32 | |
| fileTime | FILETIME | |
| fileLength | UInt64 | |
| bytesTotal | UInt64 | |
| bytesTransferred | UInt64 | |
| proxy | UnicodeString | |
| peerProtocolFlags | UInt64 | |
| bytesTransferredFromPeer | UInt64 | |
| AdditionalInfoHr | UInt32 | |
| PeerContextInfo | UInt32 | |
| bandwidthLimit | UInt64 | |
| ignoreBandwidthLimitsOnLan | Boolean | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Bits-Client",
"guid": "EF1CC15B-46C1-414E-BB95-E76B077BD51E",
"event_source_name": "",
"event_id": 61,
"version": 1,
"level": 3,
"task": 0,
"opcode": 2,
"keywords": 4611686018427387904,
"time_created": "2023-10-25T21:23:18.535833+00:00",
"event_record_id": 25,
"correlation": {
"ActivityID": "B93FF5C2-FB5D-428C-88AE-EE3A7EE94E1C"
},
"execution": {
"process_id": 4816,
"thread_id": 2800
},
"channel": "Microsoft-Windows-Bits-Client/Operational",
"computer": "WinDevEval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"transferId": "B93FF5C2-FB5D-428C-88AE-EE3A7EE94E1C",
"name": "Font Download",
"Id": "0732C691-11CC-4489-AA3A-006D80128165",
"url": "https://fs.microsoft.com/fs/windows/fontset-2017-04.json",
"peer": "",
"hr": 2149580817,
"fileTime": "1601-01-01T00:00:00.000000Z",
"fileLength": 18446744073709551615,
"bytesTotal": 18446744073709551615,
"bytesTransferred": 0,
"proxy": "",
"peerProtocolFlags": 0,
"bytesTransferredFromPeer": 0,
"AdditionalInfoHr": 0,
"PeerContextInfo": 0,
"bandwidthLimit": 18446744073709551615,
"ignoreBandwidthLimitsOnLan": false
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 62: The BITS job named "Title" belonging to user Owner received inconsistent data while downloading.
Description
The BITS job named "Title" belonging to user Owner received inconsistent data while downloading. The URL was "Url". The transfer will continue using a different server. If the problem occurs often, an administrator should scan the peer server for viruses or corruption in its hard drive.
Fields
| Name | Type | Description |
|---|---|---|
| Title | UnicodeString | |
| Owner | UnicodeString | |
| Url | UnicodeString | |
| Id | GUID | |
Event ID 63: The BITS job Job is configured to launch Pgm after transfer of Url.
Event ID 64: The BITS job Job is configured to launch Pgm after transfer of Url.
Description
The BITS job Job is configured to launch Pgm after transfer of Url. The service failed to launch the program with error hr, BITS will continue trying to launch the program periodically until it succeeds.
Fields
| Name | Type | Description |
|---|---|---|
| Job | UnicodeString | |
| Url | UnicodeString | |
| Pgm | UnicodeString | |
| hr | UInt32 | |
Event ID 70: BITS received a peer-cache request from a client at address clientAddress.
Event ID 71: The client's search request is for "url" with timestamp timestamp.
Event ID 72: The cache found a matching cache record with ID id.
Event ID 73: While processing the client's request, BITS encountered error ErrorCode.
Event ID 74: BITS rejected the client's request with HTTP status status.
Description
BITS rejected the client's request with HTTP status status.
Fields
| Name | Type | Description |
|---|---|---|
| status | UInt16 | NTSTATUS reference |
Event ID 75: BITS has finished processing the client request.
Description
BITS has finished processing the client request.
Event ID 76: The request includes the client's event-log activity ID.
Description
The request includes the client's event-log activity ID.
Event ID 77: BITS search for peer-servers has started.
Description
BITS search for peer-servers has started.
Event ID 78: BITS has encountered ErrorCode error while reading the peer-cache information.
Event ID 79: BITS has successfully deleted the peer-cache.
Description
BITS has successfully deleted the peer-cache. All the files cached until this point have been removed. The peer-cache will be re-created again as needed for handling the future requests.
Event ID 80: BITS has successfully enabled peer-client and/or peer-server related components.
Description
BITS has successfully enabled peer-client and/or peer-server related components.
Event ID 81: BITS has encountered ErrorCode error while starting one or more peer-client or peer-server components.
Event ID 82: BITS accessed group policy value Title : PolicyValue.
Description
BITS accessed group policy value Title : PolicyValue.
Fields
| Name | Type | Description |
|---|---|---|
| Title | UnicodeString | |
| PolicyValue | UInt32 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Bits-Client",
"guid": "EF1CC15B-46C1-414E-BB95-E76B077BD51E",
"event_source_name": "",
"event_id": 82,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2026-03-13T20:23:56.441395+00:00",
"event_record_id": 17,
"correlation": {},
"execution": {
"process_id": 11028,
"thread_id": 8440
},
"channel": "Microsoft-Windows-Bits-Client/Analytic",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Title": "MaxTransferRateOffSchedule",
"PolicyValue": 4294967295
},
"message": ""
}
Event ID 83: BITS defaulted group policy value Title : PolicyValue.
Description
BITS defaulted group policy value Title : PolicyValue.
Fields
| Name | Type | Description |
|---|---|---|
| Title | UnicodeString | |
| PolicyValue | UInt32 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Bits-Client",
"guid": "EF1CC15B-46C1-414E-BB95-E76B077BD51E",
"event_source_name": "",
"event_id": 83,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2026-03-13T20:23:56.345490+00:00",
"event_record_id": 4,
"correlation": {},
"execution": {
"process_id": 11028,
"thread_id": 8440
},
"channel": "Microsoft-Windows-Bits-Client/Analytic",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Title": "DisableBranchCache",
"PolicyValue": 0
},
"message": ""
}
Event ID 101: The peer's response to a search was invalid.
Event ID 102: The file ranges associated with a transfer attempt
Event ID 200: While transferring url, BITS encountered error hr using proxy as the HTTP proxy server.
Description
While transferring url, BITS encountered error hr using proxy as the HTTP proxy server. This may indicate a problem with the proxy server or with the client's network configuration. If this error occurs frequently, then an administrator should investigate. Details: {Job: job}, {owner: owner}, {jobid: jobId}, {URL: url}, {xferId: xferId}, {proxyServerList: proxyServerList}, {hr: hr}.
Fields
| Name | Type | Description |
|---|---|---|
| url | UnicodeString | |
| hr | UInt32 | |
| proxy | UnicodeString | |
| job | UnicodeString | |
| owner | UnicodeString | |
| jobId | GUID | |
| xferId | GUID | |
| proxyServerList | UnicodeString | |
Event ID 201: The BITS job named "job" was unable to contact any HTTP proxy server in its proxy list.
Description
The BITS job named "job" was unable to contact any HTTP proxy server in its proxy list. This may indicate a problem with the proxy servers or with the client's network configuration. An administrator should verify whether the proxy list is correct. BITS will periodically try to transfer the job. The HTTP proxy list is "proxyServerList". The proxy-bypass list is "proxyBypassList".
Fields
| Name | Type | Description |
|---|---|---|
| job | UnicodeString | |
| jobId | GUID | |
| jobOwner | UnicodeString | |
| url | UnicodeString | |
| transferId | GUID | |
| proxyServerList | UnicodeString | |
| proxyBypassList | UnicodeString | |
| error | UInt32 | |
Event ID 202: While transferring jobName, BITS encountered error hr using proxy as the HTTP proxy server.
Description
While transferring jobName, BITS encountered error hr using proxy as the HTTP proxy server. The web server or proxy server does not support an HTTP feature required by BITS. This problem can only be corrected by the administrator of the web server or proxy server. Details: {job: jobName}, {owner: jobOwner}, {jobId: jobId}, {url: url}, {xferId: xferId}, {proxyServer: proxy}, {hr: hr}, {urlContentLength: fileLength}, {urlHttpVersion: HTTPVersion}, {urlRange: URLRange}
Fields
| Name | Type | Description |
|---|---|---|
| jobName | UnicodeString | |
| jobOwner | UnicodeString | |
| jobId | GUID | |
| url | UnicodeString | |
| xferId | GUID | |
| proxy | UnicodeString | |
| hr | UInt32 | |
| fileLength | UInt64 | |
| HTTPVersion | UnicodeString | |
| URLRange | UnicodeString | |
Event ID 203: The BITS service provided job credentials in response to an authentication challenge from the server server for the job transfer job that is associated ...
Description
The BITS service provided job credentials in response to an authentication challenge from the server server for the job transfer job that is associated with the following URL: url.
Fields
| Name | Type | Description |
|---|---|---|
| server | UnicodeString | |
| job | UnicodeString | |
| url | UnicodeString | |
| scheme | UnicodeString | |
| user | UnicodeString | |
Event ID 204: The BITS service provided job credentials in response to an authentication challenge from server for job job, url url.
Description
The BITS service provided job credentials in response to an authentication challenge from server for job job, url url. The credentials were rejected.
Fields
| Name | Type | Description |
|---|---|---|
| server | UnicodeString | |
| job | UnicodeString | |
| url | UnicodeString | |
| scheme | UnicodeString | |
| user | UnicodeString | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Bits-Client",
"guid": "EF1CC15B-46C1-414E-BB95-E76B077BD51E",
"event_source_name": "",
"event_id": 204,
"version": 1,
"level": 2,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2026-03-14T22:56:18.815891+00:00",
"event_record_id": 443,
"correlation": {},
"execution": {
"process_id": 9052,
"thread_id": 6016
},
"channel": "Microsoft-Windows-Bits-Client/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"server": "outlook.office365.com",
"job": "Microsoft Outlook Offline Address Book 9bcc1d66a60a9745b5d797f23d8b2f80",
"url": "/OAB/1e7ad0fe-e5d2-428b-a1de-bd1a0d0e6cb9/oab.xml",
"scheme": "UNIDENTIFIED",
"user": "S-1-5-21-1006758700-2167138679-1475694448-1105"
},
"message": ""
}
Event ID 205: A bandwidth slot transition occurred.
Event ID 206: The URL "url" in BITS job "jobName" does not support the HTTP HEAD verb, which is required for BITS bandwidth throttling.
Event ID 207: The URL "url" in BITS job "jobName" does not support the HTTP Content-Length header, which is required for BITS bandwidth throttling.
Event ID 208: A flash-Crowd situation is detected for the URL "url" in BITS job "jobName".
Event ID 209: High performance property for BITS job "jobName" with ID "jobId" isRoaming.
Description
High performance property for BITS job "jobName" with ID "jobId" isRoaming.
Fields
| Name | Type | Description |
|---|---|---|
| jobName | UnicodeString | |
| jobId | GUID | |
| isRoaming | UInt32 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Bits-Client",
"guid": "EF1CC15B-46C1-414E-BB95-E76B077BD51E",
"event_source_name": "",
"event_id": 209,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2023-11-05T22:27:06.012810+00:00",
"event_record_id": 121,
"correlation": {
"ActivityID": "F590C418-1079-0000-98E3-90F57910DA01"
},
"execution": {
"process_id": 5620,
"thread_id": 4004
},
"channel": "Microsoft-Windows-Bits-Client/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"jobName": "Font Download",
"jobId": "45827C8A-7310-400E-A51E-179189C5AC76",
"isRoaming": 1
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 210: The URL "url" in BITS job "jobName" does not support the HTTP Content-Range header, which is required for BITS bandwidth throttling.
Event ID 211: BITS job "Title" with ID "JobGuid" encountered an error ErrorCode.
Event ID 212: BITS service has detected a 'SystemEvent' system event.
Description
BITS service has detected a 'SystemEvent' system event.
Fields
| Name | Type | Description |
|---|---|---|
| SystemEvent | UInt32 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-Bits-Client",
"guid": "EF1CC15B-46C1-414E-BB95-E76B077BD51E",
"event_source_name": "",
"event_id": 212,
"version": 0,
"level": 5,
"task": 0,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2026-03-13T20:23:56.656795+00:00",
"event_record_id": 22,
"correlation": {},
"execution": {
"process_id": 11028,
"thread_id": 8132
},
"channel": "Microsoft-Windows-Bits-Client/Analytic",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"SystemEvent": 7
},
"message": ""
}
Event ID 213: Job is not currently transferring because one of its transfer policies conflicts with current system state.
Description
Job is not currently transferring because one of its transfer policies conflicts with current system state. job: jobName, jobID: jobId, filecount: FileCount, block reason: BlockReasonErrorCode.
Fields
| Name | Type | Description |
|---|---|---|
| jobName | UnicodeString | |
| jobId | GUID | |
| FileCount | UInt64 | |
| BlockReasonErrorCode | UInt32 | |
Event ID 281: The service is generating its common global data.
Description
The service is generating its common global data.
Example Event
{
"system": {
"provider": "Microsoft-Windows-Bits-Client",
"guid": "EF1CC15B-46C1-414E-BB95-E76B077BD51E",
"event_source_name": "",
"event_id": 281,
"version": 0,
"level": 5,
"task": 0,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2026-03-13T20:23:56.303306+00:00",
"event_record_id": 2,
"correlation": {},
"execution": {
"process_id": 11028,
"thread_id": 8440
},
"channel": "Microsoft-Windows-Bits-Client/Analytic",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
Event ID 282: The service is reading its group policy settings.
Description
The service is reading its group policy settings.
Example Event
{
"system": {
"provider": "Microsoft-Windows-Bits-Client",
"guid": "EF1CC15B-46C1-414E-BB95-E76B077BD51E",
"event_source_name": "",
"event_id": 282,
"version": 0,
"level": 5,
"task": 0,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2026-03-13T20:23:56.344992+00:00",
"event_record_id": 3,
"correlation": {},
"execution": {
"process_id": 11028,
"thread_id": 8440
},
"channel": "Microsoft-Windows-Bits-Client/Analytic",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
Event ID 283: The service is creating its performance counters.
Description
The service is creating its performance counters.
Example Event
{
"system": {
"provider": "Microsoft-Windows-Bits-Client",
"guid": "EF1CC15B-46C1-414E-BB95-E76B077BD51E",
"event_source_name": "",
"event_id": 283,
"version": 0,
"level": 5,
"task": 0,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2026-03-13T20:23:56.302664+00:00",
"event_record_id": 1,
"correlation": {},
"execution": {
"process_id": 11028,
"thread_id": 8440
},
"channel": "Microsoft-Windows-Bits-Client/Analytic",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
Event ID 284: The service is searching for gateway devices.
Description
The service is searching for gateway devices.
Event ID 285: The service is starting the peer-caching client.
Description
The service is starting the peer-caching client.
Event ID 286: The service is starting the peer-caching server.
Description
The service is starting the peer-caching server.
Event ID 287: The service is reading the job list from the disk.
Description
The service is reading the job list from the disk.
Example Event
{
"system": {
"provider": "Microsoft-Windows-Bits-Client",
"guid": "EF1CC15B-46C1-414E-BB95-E76B077BD51E",
"event_source_name": "",
"event_id": 287,
"version": 0,
"level": 5,
"task": 0,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2026-03-13T20:23:56.441546+00:00",
"event_record_id": 20,
"correlation": {},
"execution": {
"process_id": 11028,
"thread_id": 8440
},
"channel": "Microsoft-Windows-Bits-Client/Analytic",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
Event ID 288: The service is updating its list of active network connections.
Description
The service is updating its list of active network connections.
Event ID 289: The service is updating its list of logged-in users.
Description
The service is updating its list of logged-in users.
Example Event
{
"system": {
"provider": "Microsoft-Windows-Bits-Client",
"guid": "EF1CC15B-46C1-414E-BB95-E76B077BD51E",
"event_source_name": "",
"event_id": 289,
"version": 0,
"level": 5,
"task": 0,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2026-03-13T20:23:56.584106+00:00",
"event_record_id": 21,
"correlation": {
"ActivityID": "8B83AF9E-B321-0005-D06D-848B21B3DC01"
},
"execution": {
"process_id": 11028,
"thread_id": 8440
},
"channel": "Microsoft-Windows-Bits-Client/Analytic",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
Event ID 290: The service is creating the Volume Shadow Copy writer.
Description
The service is creating the Volume Shadow Copy writer.
Example Event
{
"system": {
"provider": "Microsoft-Windows-Bits-Client",
"guid": "EF1CC15B-46C1-414E-BB95-E76B077BD51E",
"event_source_name": "",
"event_id": 290,
"version": 0,
"level": 5,
"task": 0,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2026-03-13T20:23:56.701261+00:00",
"event_record_id": 24,
"correlation": {
"ActivityID": "8B83AF9E-B321-0005-D06D-848B21B3DC01"
},
"execution": {
"process_id": 11028,
"thread_id": 8440
},
"channel": "Microsoft-Windows-Bits-Client/Analytic",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
Event ID 291: The service is registering its COM objects.
Description
The service is registering its COM objects.
Example Event
{
"system": {
"provider": "Microsoft-Windows-Bits-Client",
"guid": "EF1CC15B-46C1-414E-BB95-E76B077BD51E",
"event_source_name": "",
"event_id": 291,
"version": 0,
"level": 5,
"task": 0,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2026-03-13T20:23:56.769863+00:00",
"event_record_id": 25,
"correlation": {
"ActivityID": "8B83AF9E-B321-0005-D06D-848B21B3DC01"
},
"execution": {
"process_id": 11028,
"thread_id": 8440
},
"channel": "Microsoft-Windows-Bits-Client/Analytic",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
Event ID 301: The BITS service has started successfully.
Description
The BITS service has started successfully.
Example Event
{
"system": {
"provider": "Microsoft-Windows-Bits-Client",
"guid": "EF1CC15B-46C1-414E-BB95-E76B077BD51E",
"event_source_name": "",
"event_id": 301,
"version": 0,
"level": 5,
"task": 0,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2026-03-13T20:23:56.781430+00:00",
"event_record_id": 29,
"correlation": {
"ActivityID": "8B83AF9E-B321-0005-D06D-848B21B3DC01"
},
"execution": {
"process_id": 11028,
"thread_id": 8440
},
"channel": "Microsoft-Windows-Bits-Client/Analytic",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
Event ID 302: The BITS service has started successfully, but it was delayed long enough that there may be a problem.
#Description
The BITS service has started successfully, but it was delayed long enough that there may be a problem. For more information on the delay, enable the analytic log for BITS, then stop and restart the BITS service.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Bits-Client",
"event_id": 302,
"level": 3,
"task": 0,
"opcode": 0,
"time_created": "2026-04-18T00:33:38.2704794+00:00",
"computer": "WIN11-25H2-X64",
"channel": "Microsoft-Windows-Bits-Client"
},
"event_data": {}
}
Event ID 303: The peer-cache client startup phase of startup has completed.
#Description
The peer-cache client startup phase of startup has completed.
Message #
Event ID 304: The service is shutting down.
#Description
The service is shutting down.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Bits-Client",
"guid": "EF1CC15B-46C1-414E-BB95-E76B077BD51E",
"event_source_name": "",
"event_id": 304,
"version": 0,
"level": 5,
"task": 0,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2026-03-13T20:25:56.771683+00:00",
"event_record_id": 30,
"correlation": {
"ActivityID": "8B83AF9E-B321-0005-D06D-848B21B3DC01"
},
"execution": {
"process_id": 11028,
"thread_id": 8440
},
"channel": "Microsoft-Windows-Bits-Client/Analytic",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
Event ID 305: The service shutdown is complete.
#Description
The service shutdown is complete.
Message #
Event ID 306: The BITS service loaded the job list from disk.
#Description
The BITS service loaded the job list from disk.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Bits-Client",
"guid": "{EF1CC15B-46C1-414E-BB95-E76B077BD51E}",
"event_source_name": "",
"event_id": 306,
"version": 0,
"level": 5,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2026-06-13T14:33:57.8159482+00:00",
"event_record_id": 10,
"correlation": {},
"execution": {
"process_id": 5384,
"thread_id": 5008
},
"channel": "Microsoft-Windows-Bits-Client/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": "The BITS service loaded the job list from disk."
}
Event ID 307: It took number seconds to write a change file to the BITS job list.
#Description
It took number seconds to write a change file to the BITS job list. If this is excessive, the number of BITS jobs may be larger than this machine can handle quickly.
Message #
Fields #
| Name | Description |
|---|---|
| number Double | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Bits-Client",
"guid": "{EF1CC15B-46C1-414E-BB95-E76B077BD51E}",
"event_source_name": "",
"event_id": 307,
"version": 0,
"level": 3,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2026-05-30T02:11:31.8564242+00:00",
"event_record_id": 62,
"correlation": {
"ActivityID": "{208980A3-EFD9-0001-BFB3-8920D9EFDC01}"
},
"execution": {
"process_id": 6468,
"thread_id": 7980
},
"channel": "Microsoft-Windows-Bits-Client/Operational",
"computer": "WIN11-25H2-X64",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"number": "16.25"
},
"message": "It took 16.25 seconds to write a change file to the BITS job list. If this is excessive, the number of BITS jobs may be larger than this machine can handle quickly."
}
Event ID 308: The BITS service shut down successfully, but it was delayed for number seconds.
#Description
The BITS service shut down successfully, but it was delayed for number seconds. This might cause delays when you turn off your computer. For more information on the delay, enable the analytic log for BITS, then stop and restart the BITS service.
Message #
Fields #
| Name | Description |
|---|---|
| number Double | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Bits-Client",
"guid": "EF1CC15B-46C1-414E-BB95-E76B077BD51E",
"event_source_name": "",
"event_id": 308,
"version": 0,
"level": 3,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2021-06-13T06:19:28.351119Z",
"event_record_id": 17,
"correlation": {
"#attributes": {
"ActivityID": "9E13646C-6014-0001-5C6E-139E1460D701"
}
},
"execution": {
"process_id": 1140,
"thread_id": 356
},
"channel": "Microsoft-Windows-Bits-Client/Operational",
"computer": "sv-dc.hinokabegakure-no-sato.local",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"number": "3199.234"
}
}
References #
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 309: The BITS peer cache was unable to find any peers in the network.
#Description
The BITS peer cache was unable to find any peers in the network.
Message #
Event ID 310: The initialization of the peer helper modules failed with the following error: ErrorCode.
#Description
The initialization of the peer helper modules failed with the following error: ErrorCode.
Message #
Fields #
| Name | Description |
|---|---|
| ErrorCode UInt32 | The initialization of the peer helper modules failed with the following error. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Bits-Client",
"guid": "EF1CC15B-46C1-414E-BB95-E76B077BD51E",
"event_source_name": "",
"event_id": 310,
"version": 0,
"level": 3,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2023-11-06T00:48:24.805665+00:00",
"event_record_id": 419,
"correlation": {},
"execution": {
"process_id": 16164,
"thread_id": 15644
},
"channel": "Microsoft-Windows-Bits-Client/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"ErrorCode": 2147942450
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 311: The BITS peer transfer with the JobId ID for the JobName transfer job resulted in the following error: ErrorCode.
#Event ID 312: The Network List Manager Cost Interface is not available on this system.
#Event ID 313: The Network List Manager Cost Interface is reporting no network connectivity.
#Event ID 16384: The administrator User canceled job "Title" on behalf of Owner.
#Event ID 16385: While canceling job "Title", BITS was unable to remove some temporary files.
#Event ID 16386: While canceling job "Title", BITS was unable to remove some temporary files.
#Description
While canceling job "Title", BITS was unable to remove some temporary files. To recover disk space, delete the temporary files. Note: Due to space limitations, not all files are listed. Check for additional files of the form BITxxx.TMP in the same directory. The job ID was Id. FileList
Message #
Fields #
| Name | Description |
|---|---|
| Id GUID | |
| Title UnicodeString | |
| FileList UnicodeString | |
Event ID 16387: The administrator Owner modified the PropertyName property of job "Title".
#Event ID 16388: The administrator User took ownership of job "Title" from Owner.
#Event ID 16389: Job "Title" owned by Owner was canceled after being inactive for more than DayCount days.
#Event ID 16390: Job "Title" owned by Owner failed to notify its associated application.
#Event ID 16391: The BITS job list is not in a recognized format.
#Description
The BITS job list is not in a recognized format. It may have been created by a different version of BITS. The job list has been cleared.
Message #
Event ID 16392: The BITS service failed to start.
#Description
The BITS service failed to start. Error ErrorCode.
Message #
Fields #
| Name | Description |
|---|---|
| ErrorCode UInt32 | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Bits-Client",
"guid": "EF1CC15B-46C1-414E-BB95-E76B077BD51E",
"event_source_name": "",
"event_id": 16392,
"version": 0,
"level": 2,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2025-12-31T19:34:50.503454+00:00",
"event_record_id": 319,
"correlation": {
"ActivityID": "159FE9D7-7A73-0001-5538-A015737ADC01"
},
"execution": {
"process_id": 7452,
"thread_id": 1064
},
"channel": "System",
"computer": "WIN11-22H2-X64",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"ErrorCode": 2147943515
},
"message": ""
}
Event ID 16393: BITS has encountered an error communicating with an Internet Gateway Device.
#Event ID 16395: Web Services-Discovery protocol
#Description
Web Services-Discovery protocol.
Message #
Event ID 16396: Error status occurred when BITS tried to change the state of firewall rule "rule" to enabled.
#Description
Error status occurred when BITS tried to change the state of firewall rule "rule" to enabled. Restarting the BITS service may correct the problem.
Message #
Fields #
| Name | Description |
|---|---|
| rule UnicodeString | |
| enabled Boolean | |
| status UInt32 | NTSTATUS reference |
Event ID 16397: The Per-user job limit specified through Group Policy must be less than or equal to Per-computer job Limit.
#Description
The Per-user job limit (currentSize) specified through Group Policy must be less than or equal to Per-computer job Limit (currentLimit). To correct the problem, modify BITS Group Policy settings and restart the BITS service.
Message #
Fields #
| Name | Description |
|---|---|
| entityName UnicodeString | |
| currentSize UInt32 | |
| currentLimit UInt32 | |
Event ID 16398: A new BITS job could not be created.
#Description
A new BITS job could not be created. The current job count for the user entityName (currentSize) is equal to or greater than the job limit (currentLimit) specified through group policy. To correct the problem, complete or cancel the BITS jobs that haven't made progress by looking at the error, and restart the BITS service. If this error recurs, contact your system administrator and increase the per-user and per-computer Group Policy job limits.
Message #
Fields #
| Name | Description |
|---|---|
| entityName UnicodeString | |
| currentSize UInt32 | |
| currentLimit UInt32 | |
Event ID 16400: A new BITS job could not be created.
#Description
A new BITS job could not be created. The current job count for this computer (currentSize) is equal to or greater than the per-computer job limit (currentLimit) specified through Group Policy. To correct the problem, complete or cancel the BITS jobs that haven't made progress by looking at the error and restarting the BITS service. If this error recurs, contact your system administrator and increase the per-computer Group Policy job limits.
Message #
Fields #
| Name | Description |
|---|---|
| entityName UnicodeString | |
| currentSize UInt32 | |
| currentLimit UInt32 | |
Event ID 16401: BITS could not add file(s) to entityName job.
#Description
BITS could not add file(s) to entityName job. The file count for entityName job (currentSize) has exceeded the per-job file limit (currentLimit) specified through Group Policy. To correct the problem, increase the Computer’s per-job file limit Group Policy settings and restart the BITS service.
Message #
Fields #
| Name | Description |
|---|---|
| entityName UnicodeString | |
| currentSize UInt32 | |
| currentLimit UInt32 | |
Event ID 16402: BITS could not add ranges to entityName file.
#Description
BITS could not add ranges to entityName file. The range count for entityName file (currentSize) has exceeded the per-file range limit (currentLimit) specified through group policy. To correct the problem, increase the per-file range limit Group Policy setting and restart the BITS service.
Message #
Fields #
| Name | Description |
|---|---|
| entityName UnicodeString | |
| currentSize UInt32 | |
| currentLimit UInt32 | |
Event ID 16403: task_016403
#Fields #
| Name | Description | Rules |
|---|---|---|
| User UnicodeString | | |
| jobTitle UnicodeString | | |
| jobId GUID | | |
| jobOwner UnicodeString | | |
| fileCount UInt64 | | |
| RemoteName UnicodeString | 80 detection rules | |
| LocalName UnicodeString | 13 detection rules | |
| processId UInt32 | | |
| ClientProcessStartKey UInt64 | | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Bits-Client",
"guid": "EF1CC15B-46C1-414E-BB95-E76B077BD51E",
"event_source_name": "",
"event_id": 16403,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2023-11-06T01:45:21.024078+00:00",
"event_record_id": 433,
"correlation": {
"ActivityID": "E4DB489E-1037-0002-3588-E4E43710DA01"
},
"execution": {
"process_id": 16164,
"thread_id": 18264
},
"channel": "Microsoft-Windows-Bits-Client/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-21-1992711665-1655669231-58201500-1000"
}
},
"event_data": {
"User": "WINDEV2310EVAL\\User",
"jobTitle": "Chrome Component Updater",
"jobId": "9A25D168-24E6-4C66-AC78-5ED0E6007F1A",
"jobOwner": "WINDEV2310EVAL\\User",
"fileCount": 1,
"RemoteName": "http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acwcdm4bj7lx4xbm2ireywxlhvca_4.10.2710.0/oimompecagnajdejgnnjijobebaeigek_4.10.2710.0_win64_adsurwm4gclupf32xdrpgdnapira.crx3",
"LocalName": "C:\\Users\\User\\AppData\\Local\\Temp\\chrome_BITS_2208_583787314\\oimompecagnajdejgnnjijobebaeigek_4.10.2710.0_win64_adsurwm4gclupf32xdrpgdnapira.crx3",
"processId": 2208,
"ClientProcessStartKey": 3659174697241209
},
"message": ""
}
Community Notes #
May indicate download/staging. See this Google Cloud post: "Back in a Bit: Attacker Use of the Windows Background Intelligent Transfer Service".
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 16404: The BITS service has detected an exception, Function: function, Line: line Error code: hr.
#Event ID 16405: A bandwidth profile is not configured correctly.
#Description
A bandwidth profile is not configured correctly. The value of a Group Policy setting is missing or is not within the allowed range. Make sure that you configure the Group Policy settings correctly, and then try again.
Message #
Fields #
| Name | Description |
|---|---|
| Key UnicodeString | |
| SubKeyOrValueName UnicodeString | |
Event ID 17005: The BITS service is configured to run as string.
#Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID {EF1CC15B-46C1-414E-BB95-E76B077BD51E}
Defined in qmgr.dll, which carries the event manifest.
Observed on:
- WS2022-20348.4893, sample captured from a live trace, binary version 7.8.20348.1, captured 2026-06-02
- WS2022-20348.4893, schema read from the registered manifest, binary version 7.8.20348.1, captured 2026-06-02
- Win11-26200.6584, schema read from the registered manifest, binary version 7.8.26100.1, captured 2026-06-02