Microsoft-Windows-PowerShell

189 events across 3 channels

Event	Title	Channel	Sample
4097	Computer Name $null or.	Operational	N
4098	Resolving to default scheme http	Operational	N
4099	Remote shell name resolved to default Microsoft.	Operational	N
4100	Payload Context: ContextInfo User Data: UserData.	Operational	Y
4101	Payload Context: ContextInfo User Data: UserData.	Operational	Y
4102	Payload Context: ContextInfo User Data: UserData.	Operational	Y
4103	Payload Context: ContextInfo User Data: UserData.	Operational	Y
4104	Creating Scriptblock text (MessageNumber of MessageTotal).	Operational	Y
4105	Started invocation of ScriptBlock ID: ScriptBlockId.	Operational	Y
4106	Completed invocation of ScriptBlock ID: ScriptBlockId.	Operational	Y
7937	ContextInfo Context: Context User Data: User_Data.	Analytic	Y
7938	Payload Context: ContextInfo User Data: UserData.	Analytic	Y
7939	Payload Context: ContextInfo User Data: UserData.	Analytic	Y
7940	ContextInfo Context: Context User Data: User_Data.	Analytic	N
7941	Correlating activity id's.	Analytic	N
7942	Class Name = ClassName.	Analytic	Y
8193	Creating Runspace object Instance Id.	Operational	Y
8194	Creating RunspacePool object.	Operational	Y
8195	Opening RunspacePool	Operational	Y
8196	Modifying activity Id and correlating	Operational	Y
8197	Runspace state changed to param1.	Operational	Y
8198	Attempting session creation retry param1 for error code param2 on session Id …	Operational	N
12033	Port resolved to param1.	Analytic	N
12034	AppName resolved to param1.	Analytic	N
12035	ComputerName resolved to param1.	Analytic	N
12036	Scheme is param1.	Analytic	N
12037	Test analytic message	Analytic	N
12038	Connection Paramters are Connection URI: Connection_URI Resource URI: …	Analytic	N
12039	Modifying activity Id and correlating	Operational	Y
16385	AmsiUtil state.	Analytic	Y
24577	Windows PowerShell ISE has started to run script file FileName.	Operational	N
24578	Windows PowerShell ISE has started to run a user-selected script from file …	Operational	N
24579	Windows PowerShell ISE is stopping the current command.	Operational	N
24580	Windows PowerShell ISE is resuming the debugger.	Operational	N
24581	Windows PowerShell ISE is stopping the debugger.	Operational	N
24582	Windows PowerShell ISE is stepping into debugging.	Operational	N
24583	Windows PowerShell ISE is stepping over debugging.	Operational	N
24584	Windows PowerShell ISE is stepping out of debugging.	Operational	N
24592	Windows PowerShell ISE is enabling all breakpoints.	Operational	N
24593	Windows PowerShell ISE is disabling all breakpoints.	Operational	N
24594	Windows PowerShell ISE is removing all breakpoints.	Operational	N
24595	Windows PowerShell ISE is setting the breakpoint at line #: CurrentLine of file …	Operational	N
24596	Windows PowerShell ISE is removing the breakpoint on line #: CurrentLine of file …	Operational	N
24597	Windows PowerShell ISE is enabling the breakpoint on line #: CurrentLine of file …	Operational	N
24598	Windows PowerShell ISE is disabling the breakpoint on line #: CurrentLine of …	Operational	N
24599	Windows PowerShell ISE has hit a breakpoint on line #: CurrentLine of file …	Operational	N
28673	Successfully rehydrated an object.	Analytic	Y
28674	Failed to rehydrated an object.	Analytic	N
28675	Serialization depth has been overriden.	Analytic	N
28676	Serialization mode has been overriden.	Analytic	N
28677	Serialization of a script property has been skipped, because there is no …	Analytic	N
28678	Serialization of a property has been skipped, because property getter failed.	Analytic	N
28679	Serialization of an enumerable object might not be complete, because object …	Analytic	N
28680	Serialization called object's ToString method which failed.	Analytic	N
28682	Maximum depth below top level has been reached, forcing object to be serialized …	Analytic	N
28683	XmlException has been thrown by the deserializer (most likely indicating …	Analytic	N
28684	Serialization of specified properties failed, because one of the specified …	Analytic	N
32769	Received object with Runspace Id: Runspace_InstanceId Command Id: …	Analytic	Y
32775	An unhandled exception occurred in the appdomain.	Analytic	N
32776	Runspace Id: SessionId Pipeline Id: PipelineId.	Analytic	N
32777	An unhandled exception occurred in the appdomain.	Operational	N
32784	Runspace Id: SessionId Pipeline Id: PipelineId.	Operational	Y
32785	Runspace Id param1.	Analytic	Y
32786	Runspace Id param1.	Analytic	N
32787	Runspace Id: RunspaceId.	Analytic	N
32788	Runspace Id: RunspaceId.	Analytic	N
32789	Runspace Id: Runspace_Id Pipeline Id: Pipeline_Id.	Analytic	Y
32790	Runspace Id: Runspace_Id Pipeline Id: Pipeline_Id.	Analytic	Y
32791	Runspace Id: Runspace_Id Pipeline Id: Pipeline_Id.	Analytic	N
32792	Runspace Id: Runspace_Id Pipeline Id: Pipeline_Id.	Analytic	Y
32793	Runspace Id SessionId Pipeline Id PipelineId.	Analytic	Y
32800	Runspace Id SessionId Pipeline Id PipelineId.	Analytic	Y
32801	Runspace Id: Runspace_Id Pipeline Id SessionId.	Analytic	Y
32802	Runspace Id: Runspace_Id Pipeline Id SessionId.	Analytic	Y
32803	Runspace Id: Runspace_Id Pipeline Id SessionId.	Analytic	N
32804	Runspace Id: Runspace_Id Pipeline Id SessionId.	Analytic	N
32805	Runspace Id: SessionId.	Analytic	N
32849	Runspace Id: Runspace_Id Pipeline Id: Pipeline_Id.	Analytic	Y
32850	Request param1.	Analytic	N
32851	Reporting context for request: ReportingContextForRequest Context Reported: …	Analytic	Y
32852	Reporting operation complete for request: ReportingOperationCompleteForRequest.	Analytic	Y
32853	Shell Context param1.	Analytic	Y
32854	Shell Context param1 Command Context param2 Request Id param3.	Analytic	N
32855	Shell Context param1 Command Context param2 Request Id param3.	Analytic	Y
32856	Shell Context param1 Command Context param2 Request Id param3.	Analytic	Y
32857	Shell Context param1 Command Context param2 IsReceiveOperation param3.	Analytic	N
32865	Loading assembly param1 for custom shell with shell Id param2.	Analytic	N
32866	Loading type param1 for custom shell with shell Id param2.	Analytic	N
32867	Received remoting fragment.	Analytic	Y
32868	Sent remoting fragment.	Analytic	Y
32869	Shutting down winrm service.	Analytic	N
40961	PowerShell console is starting up	Operational	Y
40962	PowerShell console is ready for user input	Operational	Y
45057	Tracing ErrorRecord.	Debug	N
45058	Exception: Message: Message StackTrace: StackTrace InnerException : …	Debug	N
45059	Tracing PSObject	Debug	N
45060	Tracing Job: Id: Id InstanceId: InstanceId Name: Name Location: Location State: …	Debug	N
45061	Trace Information.	Debug	Y
45062	Connection Paramters are Connection URI: Connection_URI Resource URI: …	Debug	N
45063	Workflow plugin loaded.	Analytic	N
45064	Workflow execution started.	Analytic	N
45065	Workflow state changed.	Analytic	N
45072	Workflow plugin has been requested for a shutdown.	Analytic	N
45073	Workflow plugin restarted.	Analytic	N
45074	Workflow is resuming.	Analytic	N
45075	A quota limit that was set for the endpoint was exceeded.	Analytic	N
45076	Workflow has resumed.	Analytic	N
45078	Workflow runspace pool was created.	Analytic	N
45079	Activity was queued for execution.	Analytic	N
45080	Activity execution started.	Analytic	N
45081	Workflow is being imported from a XAML file.	Analytic	N
45082	Workflow has been imported from a XAML file.	Analytic	N
45083	Workflow could not be imported from a XAML file because of an error.	Analytic	N
45084	Workflow validation started.	Analytic	N
45085	Workflow validation succeeded.	Analytic	N
45086	Workflow validation failed with error.	Analytic	N
45087	Workflow activity validated.	Analytic	N
45088	Workflow activity could not be validated.	Analytic	N
45089	Activity execution failed.	Analytic	N
45090	Runspace availability changed.	Analytic	N
45091	Runspace state changed.	Analytic	N
45092	Workflow loaded for execution.	Analytic	N
45093	Workflow unloaded.	Analytic	N
45094	Workflow execution cancelled.	Analytic	N
45095	Workflow execution aborted.	Analytic	N
45096	Workflow cleanup operation executed.	Analytic	N
45097	Persisted workflow loaded from disk.	Analytic	N
45098	Workflow data was deleted from disk.	Analytic	N
45100	Starting remove job.	Analytic	N
45101	Job state changed.	Analytic	N
45102	Job error.	Analytic	N
45104	Job created for workflow (child job).	Analytic	N
45105	Parent job created for workflow.	Analytic	N
45106	All required jobs were created for workflow execution.	Analytic	N
45107	Child job removed for workflow.	Analytic	N
45108	An error occurred while removing job.	Analytic	N
45109	Loading workflow for execution.	Analytic	N
45110	Workflow execution finished.	Analytic	N
45111	Cancelling workflow execution.	Analytic	N
45112	Aborting workflow execution.	Analytic	N
45113	Unloading workflow.	Analytic	N
45114	Forced workflow shutdown started.	Analytic	N
45115	Forced workflow shutdown finished.	Analytic	N
45116	An error occurred while forcefully shutting down a workflow.	Analytic	N
45117	Persisting workflow to disk.	Analytic	N
45118	Workflow persisted to disk.	Analytic	N
45119	Activity execution finished.	Analytic	N
45120	Workflow execution error.	Analytic	N
45121	A new PowerShell endpoint was registered.	Analytic	N
45122	Endpoint configuration modified.	Analytic	N
45123	Endpoint configuration unregistered.	Analytic	N
45124	Endpoint configuration disabled.	Analytic	N
45125	Endpoint configuration enabled.	Analytic	N
45126	Out of process runspace started.	Analytic	N
45127	Parameter splatting was performed during workflow execution.	Analytic	N
45128	Workflow engine started.	Analytic	N
45129	Workflow manager instantiated with CheckpointPath: CheckpointPath …	Debug	N
46337	BEGIN ImportWorkflowCommand::StartWorkflowApplication.	Debug	N
46338	END ImportWorkflowCommand::StartWorkflowApplication.	Debug	N
46339	BEGIN Creating new job in ImportWorkflowCommand::StartWorkflowApplication.	Debug	N
46340	END Creating new job in ImportWorkflowCommand::StartWorkflowApplication.	Debug	N
46341	END Creating new job in ImportWorkflowCommand::StartWorkflowApplication.	Debug	N
46342	BEGIN JobLogic ContainerParentJob Guid WorkflowJobJobInstanceId.	Debug	N
46343	END JobLogic ContainerParentJob Guid WorkflowJobJobInstanceId.	Debug	N
46344	BEGIN WorkflowExecution ContainerParentJob Guid WorkflowJobJobInstanceId.	Debug	N
46345	END WorkflowExecution ContainerParentJob Guid WorkflowJobJobInstanceId.	Debug	N
46346	WorkflowJob with Guid WorkflowJobInstanceId added to ContainerParentJob with …	Debug	N
46347	ProxyJob with Guid ProxyJobInstanceId associated with remote ContainerParentJob …	Debug	N
46348	BEGIN Execution of ContainerParentJob with Guid ContainerParentJobInstanceId.	Debug	N
46349	END Execution of ContainerParentJob with Guid ContainerParentJobInstanceId.	Debug	N
46350	BEGIN Execution of Proxy Job with Guid ProxyJobInstanceId.	Debug	N
46351	END Execution of Proxy Job with Guid ProxyJobInstanceId.	Debug	N
46352	BEGIN StateChanged event handler for Proxy Job with Guid ProxyJobInstanceId.	Debug	N
46353	END StateChanged event handler for Proxy Job with Guid ProxyJobInstanceId.	Debug	N
46354	BEGIN StateChanged event handler for Proxy Child Job with Guid …	Debug	N
46355	END StateChanged event handler for Proxy Child Job with Guid …	Debug	N
46356	BEGIN Running garbage collection	Debug	N
46357	END Running garbage collection	Debug	N
46358	Persistence store has reached its maximum specified size	Operational	N
49152	message.	Debug	N
49153	Trace Information.	Debug	N
53249	Scheduled Job ScheduledJobDefName started at StartTime.	Operational	N
53250	Scheduled Job ScheduledJobDefName completed at StopTime with state State.	Operational	N
53251	Scheduled Job Exception Message.	Operational	N
53504	Windows PowerShell has started an IPC listening thread on process: param1 in …	Operational	Y
53505	Windows PowerShell has ended an IPC listening thread on process: param1 in …	Operational	N
53506	An error has occurred in Windows PowerShell IPC listening thread on process: …	Operational	N
53507	Windows PowerShell IPC connect on process: param1 in AppDomain: param2 for User: …	Operational	N
53508	Windows PowerShell IPC disconnect on process: param1 in AppDomain: param2 for …	Operational	N

Event ID 4097: Computer Name $null or.

Provider: Microsoft-Windows-PowerShell
Channel: Operational
Collection Priority: Recommended (Yamato Security)
Task: Connect
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

Computer Name $null or . resolve to LocalHost.

Message #

Computer Name $null or . resolve to LocalHost

Event ID 4098: Resolving to default scheme http

Provider: Microsoft-Windows-PowerShell
Channel: Operational
Collection Priority: Recommended (Yamato Security)
Task: Connect
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

Resolving to default scheme http.

Message #

Resolving to default scheme http

Event ID 4099: Remote shell name resolved to default Microsoft.

Provider: Microsoft-Windows-PowerShell
Channel: Operational
Collection Priority: Recommended (Yamato Security)
Task: Connect
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

Remote shell name resolved to default Microsoft.PowerShell.

Message #

Remote shell name resolved to default Microsoft.PowerShell

Event ID 4100: Payload Context: ContextInfo User Data: UserData.

Provider: Microsoft-Windows-PowerShell
Channel: Operational
Level: Warning
Collection Priority: Recommended (Yamato Security, others)
Opcode: Tobeusedwhenanexceptionisraised

Description

Payload Context: ContextInfo User Data: UserData

Message #

%3

Context:
%1

User Data:
%2

Fields #

Name	Description
`ContextInfo` UnicodeString	Context
`UserData` UnicodeString
`Payload` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-PowerShell",
    "guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
    "event_source_name": "",
    "event_id": 4100,
    "version": 1,
    "level": 3,
    "task": 106,
    "opcode": 19,
    "keywords": 0,
    "time_created": "2026-06-13T05:24:22.6461352+00:00",
    "event_record_id": 164816,
    "correlation": {
      "ActivityID": "{AA583517-FAF4-0001-383A-58AAF4FADC01}"
    },
    "execution": {
      "process_id": 7180,
      "thread_id": 7444
    },
    "channel": "Microsoft-Windows-PowerShell/Operational",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "event_data": {
    "ContextInfo": "        Severity = Warning\n        Host Name = ConsoleHost\n        Host Version = 5.1.20348.558\n        Host ID = f5117d22-3ce1-45ff-8086-de5eb4591327\n        Host Application = C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -NonInteractive -File C:\\ludus\\background\\set-bg.ps1\n        Engine Version = 5.1.20348.558\n        Runspace ID = d45fbe4a-06f2-475d-a9db-ab9fc6584c17\n        Pipeline ID = 1\n        Command Name = \n        Command Type = \n        Script Name = \n        Command Path = \n        Sequence Number = 19\n        User = cell-c\\domainadmin\n        Connected User = \n        Shell ID = Microsoft.PowerShell\n",
    "UserData": "",
    "Payload": "Error Message = System error.\n"
  },
  "message": "Error Message = System error.\r\n\r\n\r\nContext:\r\n        Severity = Warning\r\n        Host Name = ConsoleHost\r\n        Host Version = 5.1.20348.558\r\n        Host ID = f5117d22-3ce1-45ff-8086-de5eb4591327\r\n        Host Application = C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -NonInteractive -File C:\\ludus\\background\\set-bg.ps1\r\n        Engine Version = 5.1.20348.558\r\n        Runspace ID = d45fbe4a-06f2-475d-a9db-ab9fc6584c17\r\n        Pipeline ID = 1\r\n        Command Name = \r\n        Command Type = \r\n        Script Name = \r\n        Command Path = \r\n        Sequence Number = 19\r\n        User = cell-c\\domainadmin\r\n        Connected User = \r\n        Shell ID = Microsoft.PowerShell\r\n\r\n\r\nUser Data:\r\n\r\n"
}

Event ID 4101: Payload Context: ContextInfo User Data: UserData.

Provider: Microsoft-Windows-PowerShell
Channel: Operational
Level: Informational
Collection Priority: Recommended (Yamato Security, others)
Opcode: Tobeusedwhenanexceptionisraised

Description

Payload Context: ContextInfo User Data: UserData

Message #

%3

Context:
%1

User Data:
%2

Fields #

Name	Description
`ContextInfo` UnicodeString
`UserData` UnicodeString
`Payload` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-PowerShell",
    "guid": "A0C1853B-5C40-4B15-8766-3CF1C58F985A",
    "event_source_name": "",
    "event_id": 4101,
    "version": 1,
    "level": 4,
    "task": 0,
    "opcode": 19,
    "keywords": 9223372036854775840,
    "time_created": "2026-03-13T19:32:29.608586+00:00",
    "event_record_id": 149117,
    "correlation": {
      "ActivityID": "DF92C490-B30B-000C-6802-93DF0BB3DC01"
    },
    "execution": {
      "process_id": 4068,
      "thread_id": 956
    },
    "channel": "Microsoft-Windows-PowerShell/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "event_data": {
    "ContextInfo": "Install",
    "UserData": "Package=nuget, Version=2.8.5.208, Provider=Bootstrap, Source=https://cdn.oneget.org/providers/nuget-2.8.5.208.package.swidtag, Status=Installed, DestinationPath=",
    "Payload": "PackageManagement: A package is installed."
  },
  "message": ""
}

Event ID 4102: Payload Context: ContextInfo User Data: UserData.

Provider: Microsoft-Windows-PowerShell
Channel: Operational
Level: Warning
Collection Priority: Recommended (Yamato Security, others)
Opcode: Tobeusedwhenanexceptionisraised

Description

Payload Context: ContextInfo User Data: UserData

Message #

%3

Context:
%1

User Data:
%2

Fields #

Name	Description
`ContextInfo` UnicodeString	Context
`UserData` UnicodeString
`Payload` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-PowerShell",
    "guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
    "event_source_name": "",
    "event_id": 4102,
    "version": 1,
    "level": 3,
    "task": 106,
    "opcode": 19,
    "keywords": 0,
    "time_created": "2026-06-13T14:36:40.9609813+00:00",
    "event_record_id": 291397,
    "correlation": {
      "ActivityID": "{C6821FB2-EF88-0004-5018-83C688EFDC01}"
    },
    "execution": {
      "process_id": 1152,
      "thread_id": 8008
    },
    "channel": "Microsoft-Windows-PowerShell/Operational",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "event_data": {
    "ContextInfo": "        Severity = Warning\n        Host Name = ServerRemoteHost\n        Host Version = 1.0.0.0\n        Host ID = e8ecf392-16f7-461a-9e04-2cf3b693e616\n        Host Application = C:\\Windows\\system32\\wsmprovhost.exe -Embedding\n        Engine Version = 5.1.20348.558\n        Runspace ID = 7d22a55e-f35a-436b-aadc-c65ab73a8891\n        Pipeline ID = 4684\n        Command Name = \n        Command Type = \n        Script Name = \n        Command Path = \n        Sequence Number = 82234\n        User = cell-a\\domainadmin\n        Connected User = cell-a\\domainadmin\n        Shell ID = Microsoft.PowerShell\n",
    "UserData": "",
    "Payload": "Error Message = Could not find the drive 'Z:\\'. The drive might not be ready or might not be mapped.\n\nProvider name = Microsoft.PowerShell.Core\\FileSystem\n"
  },
  "message": "Error Message = Could not find the drive 'Z:\\'. The drive might not be ready or might not be mapped.\r\n\r\nProvider name = Microsoft.PowerShell.Core\\FileSystem\r\n\r\n\r\nContext:\r\n        Severity = Warning\r\n        Host Name = ServerRemoteHost\r\n        Host Version = 1.0.0.0\r\n        Host ID = e8ecf392-16f7-461a-9e04-2cf3b693e616\r\n        Host Application = C:\\Windows\\system32\\wsmprovhost.exe -Embedding\r\n        Engine Version = 5.1.20348.558\r\n        Runspace ID = 7d22a55e-f35a-436b-aadc-c65ab73a8891\r\n        Pipeline ID = 4684\r\n        Command Name = \r\n        Command Type = \r\n        Script Name = \r\n        Command Path = \r\n        Sequence Number = 82234\r\n        User = cell-a\\domainadmin\r\n        Connected User = cell-a\\domainadmin\r\n        Shell ID = Microsoft.PowerShell\r\n\r\n\r\nUser Data:\r\n\r\n"
}

Event ID 4103: Payload Context: ContextInfo User Data: UserData.

Provider: Microsoft-Windows-PowerShell
Channel: Operational
Also via: realtime ETW trace
Level: Informational
Collection Priority: Recommended (Yamato Security, others)
Opcode: Tobeusedwhenanexceptionisraised

Description

Payload Context: ContextInfo User Data: UserData

Message #

%3

Context:
%1

User Data:
%2

Fields #

Name	Description	Rules
`ContextInfo` UnicodeString	Context	315 detection rules
`UserData` UnicodeString
`Payload` UnicodeString		400 detection rules

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-PowerShell",
    "guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
    "event_source_name": "",
    "event_id": 4103,
    "version": 1,
    "level": 4,
    "task": 106,
    "opcode": 20,
    "keywords": 0,
    "time_created": "2026-06-13T14:11:14.9015833+00:00",
    "event_record_id": 168285,
    "correlation": {
      "ActivityID": "{AA583517-FAF4-0000-BF5D-58AAF4FADC01}"
    },
    "execution": {
      "process_id": 7864,
      "thread_id": 1248
    },
    "channel": "Microsoft-Windows-PowerShell/Operational",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "event_data": {
    "ContextInfo": "        Severity = Informational\n        Host Name = ServerRemoteHost\n        Host Version = 1.0.0.0\n        Host ID = aa212afc-f66e-4e09-a428-4989b19010a1\n        Host Application = C:\\Windows\\system32\\wsmprovhost.exe -Embedding\n        Engine Version = 5.1.20348.558\n        Runspace ID = 55ce38e0-81ea-44db-9a08-0c9965b78525\n        Pipeline ID = 10\n        Command Name = ConvertTo-Json\n        Command Type = Cmdlet\n        Script Name = \n        Command Path = \n        Sequence Number = 52\n        User = cell-c\\domainadmin\n        Connected User = cell-c\\domainadmin\n        Shell ID = Microsoft.PowerShell\n",
    "UserData": "",
    "Payload": "CommandInvocation(ConvertTo-Json): \"ConvertTo-Json\"\nParameterBinding(ConvertTo-Json): name=\"Depth\"; value=\"14\"\nParameterBinding(ConvertTo-Json): name=\"Compress\"; value=\"True\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\n"
  },
  "message": "CommandInvocation(ConvertTo-Json): \"ConvertTo-Json\"\r\nParameterBinding(ConvertTo-Json): name=\"Depth\"; value=\"14\"\r\nParameterBinding(ConvertTo-Json): name=\"Compress\"; value=\"True\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\nParameterBinding(ConvertTo-Json): name=\"InputObject\"; value=\"System.Collections.Specialized.OrderedDictionary\"\r\n\r\n\r\nContext:\r\n        Severity = Informational\r\n        Host Name = ServerRemoteHost\r\n        Host Version = 1.0.0.0\r\n        Host ID = aa212afc-f66e-4e09-a428-4989b19010a1\r\n        Host Application = C:\\Windows\\system32\\wsmprovhost.exe -Embedding\r\n        Engine Version = 5.1.20348.558\r\n        Runspace ID = 55ce38e0-81ea-44db-9a08-0c9965b78525\r\n        Pipeline ID = 10\r\n        Command Name = ConvertTo-Json\r\n        Command Type = Cmdlet\r\n        Script Name = \r\n        Command Path = \r\n        Sequence Number = 52\r\n        User = cell-c\\domainadmin\r\n        Connected User = cell-c\\domainadmin\r\n        Shell ID = Microsoft.PowerShell\r\n\r\n\r\nUser Data:\r\n\r\n"
}

Detection Patterns #

PowerShell Event ID 4103: Payload Context: ContextInfo User Data: UserData.OREvent ID 4104: Creating Scriptblock text (MessageNumber of MessageTotal).

128 rules

Sigma

PipeShell exfiltration over named pipes (source)

mdecrevoisier

Payload downloaded via PowerShell (source)

mdecrevoisier

Encoded PowerShell payload deployed (PowerShell) (source)

mdecrevoisier

Show 23 more (26 total) on the rules page

Splunk

Remote WMIC Query (PowerShell) (source)

Create_Modify Schtasks (PowerShell) (source)

Scheduled Task with Potential SSH Tunnel - Windows (PowerShell) (source)

Show 99 more (102 total) on the rules page

PowerShell Event ID 4103: Payload Context: ContextInfo User Data: UserData.OREvent ID 4104: Creating Scriptblock text (MessageNumber of MessageTotal).ORPowerShell Event ID 800

98 rules

Sigma

PipeShell exfiltration over named pipes (source)

mdecrevoisier

Payload downloaded via PowerShell (source)

mdecrevoisier

Encoded PowerShell payload deployed (PowerShell) (source)

mdecrevoisier

Show 32 more (35 total) on the rules page

Splunk

AutoHotkey Execution (PowerShell) (source)

Bypass or Unrestricted PowerShell Execution (PowerShell) (source)

Common Exchange Recon cmdlets (PowerShell) (source)

Show 60 more (63 total) on the rules page

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`EventData`	contains	`-itemproperty`	5 rules	sigma
`EventData`	contains	`.dll`	3 rules	sigma
`EventData`	contains	`name`	3 rules	sigma
`EventData`	contains	`set-mppreference`	3 rules	sigma
`EventData`	contains	`\system\currentcontrolset\services\`	2 rules	sigma
`EventData`	contains	`add-mppreference`	2 rules	sigma
`EventData`	contains	`ftp://`	2 rules	sigma
`Payload`	contains	`-itemproperty`	5 rules	sigma
`Payload`	contains	`.dll`	3 rules	sigma
`Payload`	contains	`name`	3 rules	sigma
`ScriptBlockText`	contains	`-itemproperty`	5 rules	sigma
`ScriptBlockText`	contains	`.dll`	3 rules	sigma
`ScriptBlockText`	contains	`name`	3 rules	sigma
`CommandLine`	match	`(?i)\w+tps?://\S+\.msi`	2 rules	splunk
`ContextInfo`	contains	`system.net.webclient`	2 rules	sigma

Detection Rules #

View all rules referencing this event →

Sigma # view in coverage

Potential Active Directory Enumeration Using AD Module - PsModule source medium: Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration.
Alternate PowerShell Hosts - PowerShell Module source medium: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
Bad Opsec Powershell Code Artifacts source critical: focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including Cobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads that often undergo minimal changes by attackers due to bad opsec.

Show 17 more (34 total)

Clear PowerShell History - PowerShell Module source medium: Detects keywords that could indicate clearing PowerShell history
PowerShell Decompress Commands source informational: A General detection for specific decompress commands in PowerShell logs. This could be an adversary decompressing files.
Malicious PowerShell Scripts - PoshModule source high: Detects the execution of known offensive powershell scripts used for exploitation or reconnaissance
Suspicious Get-ADDBAccount Usage source high: Detects suspicious invocation of the Get-ADDBAccount script that reads from a ntds.dit file and may be used to get access to credentials without using any credential dumpers
PowerShell Get Clipboard source medium: A General detection for the Get-Clipboard commands in PowerShell logs. This could be an adversary capturing clipboard contents.
HackTool - Evil-WinRm Execution - PowerShell Module source high: Detects the execution of Evil-WinRM via PowerShell Module logs by leveraging the hardcoded strings inside the utility.
Invoke-Obfuscation CLIP+ Launcher - PowerShell Module source high: Detects Obfuscated use of Clip.exe to execute PowerShell
Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module source high: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block cited in the reference section below
Invoke-Obfuscation STDIN+ Launcher - PowerShell Module source high: Detects Obfuscated use of stdin to execute PowerShell
Invoke-Obfuscation VAR+ Launcher - PowerShell Module source high: Detects Obfuscated use of Environment Variables to execute PowerShell
Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module source medium: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module source medium: Detects Obfuscated Powershell via RUNDLL LAUNCHER
Invoke-Obfuscation Via Stdin - PowerShell Module source high: Detects Obfuscated Powershell via Stdin in Scripts
Invoke-Obfuscation Via Use Clip - PowerShell Module source high: Detects Obfuscated Powershell via use Clip.exe in Scripts
Invoke-Obfuscation Via Use MSHTA - PowerShell Module source high: Detects Obfuscated Powershell via use MSHTA in Scripts
Invoke-Obfuscation Via Use Rundll32 - PowerShell Module source high: Detects Obfuscated Powershell via use Rundll32 in Scripts
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module source high: Detects Obfuscated Powershell via VAR++ LAUNCHER

Splunk # view in coverage

Command-Line Interface Execution (PowerShell) source: Detects when a Command-Line Interface executes on a host
Command Line Utility Added to Accessibility Features (PowerShell) source: Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has…
MSHTA.exe execution (PowerShell) source: Detect use of MSHTA

Show 6 more (9 total)

Obfuscated Powershell Techniques (PowerShell) source: Attackers and commodity malware have started using extremely basic obfuscation techniques to hide the majority of the command from the command line arguments of powershell.exe. This use case relies on URL Toolbox to function
PowerHuntShares Commands (PowerShell) source: Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks…
Powershell ICMP Data Exfiltration (PowerShell) source: Adversaries may steal data by exfiltrating it over an existing command and control channel. Use case attempts to detect powershell scripts with specific ICMP calls that may be attributed to data exfil
Suspicious AteraAgent Installation - Windows (PowerShell) source: An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These remote monitoring and management (RMM) tools, such as AteraAgent,…
Suspicious Powershell (PowerShell) source: PowerShell commands/scripts can also be executed without directly invoking the powershell.exe binary. This use case attempts to identify those powershell executions launched by a binary other than powershell
WebLogic CVE-2017-10271 (PowerShell) source: A reverse shell is a shell session established on a connection that is initiated from a remote machine, not from the local host and in this case the session is created using the vulnerability of Weblogic app - wls-wsat Component…

References #

Microsoft Learn https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows

Event ID 4104: Creating Scriptblock text (MessageNumber of MessageTotal).

Provider: Microsoft-Windows-PowerShell
Channel: Operational
Also via: realtime ETW trace
Level: Verbose
Collection Priority: Recommended (Yamato Security, others)
Task: StartingCommand
Opcode: Oncreatecalls

Description

Creating Scriptblock text (MessageNumber of MessageTotal).

Message #

Creating Scriptblock text (%1 of %2):
%3

ScriptBlock ID: %4
Path: %5

Fields #

Name	Description	Rules
`MessageNumber` Int32	Part number of the current script block fragment (large scripts are split across multiple events)
`MessageTotal` Int32	Total number of script block fragments for the complete script
`ScriptBlockText` UnicodeString	Content of the executed PowerShell script block	1883 detection rules
`ScriptBlockId` UnicodeString	ScriptBlock ID.
`Path` UnicodeString	Full path to the executed script file	3 detection rules

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-PowerShell",
    "guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
    "event_source_name": "",
    "event_id": 4104,
    "version": 1,
    "level": 5,
    "task": 2,
    "opcode": 15,
    "keywords": 0,
    "time_created": "2026-06-13T14:11:14.9274534+00:00",
    "event_record_id": 168286,
    "correlation": {
      "ActivityID": "{AA583517-FAF4-0004-3DE7-58AAF4FADC01}"
    },
    "execution": {
      "process_id": 7864,
      "thread_id": 7844
    },
    "channel": "Microsoft-Windows-PowerShell/Operational",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "event_data": {
    "MessageNumber": "1",
    "MessageTotal": "1",
    "ScriptBlockText": "Export-XmlVrecEvents -Channel 'Microsoft-Windows-LSA/Operational' -Max 8000",
    "ScriptBlockId": "f8e011c2-f02d-4ac3-9cd6-a7d76a3309eb",
    "Path": ""
  },
  "message": "Creating Scriptblock text (1 of 1):\r\nExport-XmlVrecEvents -Channel 'Microsoft-Windows-LSA/Operational' -Max 8000\r\n\r\nScriptBlock ID: f8e011c2-f02d-4ac3-9cd6-a7d76a3309eb\r\nPath: "
}

Detection Patterns #

PowerShell Event ID 4103: Payload Context: ContextInfo User Data: UserData.OREvent ID 4104: Creating Scriptblock text (MessageNumber of MessageTotal).

128 rules

Sigma

PipeShell exfiltration over named pipes (source)

mdecrevoisier

Payload downloaded via PowerShell (source)

mdecrevoisier

Encoded PowerShell payload deployed (PowerShell) (source)

mdecrevoisier

Show 23 more (26 total) on the rules page

Splunk

Remote WMIC Query (PowerShell) (source)

Create_Modify Schtasks (PowerShell) (source)

Scheduled Task with Potential SSH Tunnel - Windows (PowerShell) (source)

Show 99 more (102 total) on the rules page

PowerShell Event ID 4103: Payload Context: ContextInfo User Data: UserData.OREvent ID 4104: Creating Scriptblock text (MessageNumber of MessageTotal).ORPowerShell Event ID 800

100 rules

Sigma

PipeShell exfiltration over named pipes (source)

mdecrevoisier

Payload downloaded via PowerShell (source)

mdecrevoisier

Encoded PowerShell payload deployed (PowerShell) (source)

mdecrevoisier

Show 34 more (37 total) on the rules page

Splunk

AutoHotkey Execution (PowerShell) (source)

Bypass or Unrestricted PowerShell Execution (PowerShell) (source)

Common Exchange Recon cmdlets (PowerShell) (source)

Show 60 more (63 total) on the rules page

Group Membership Change

PowerShell Event ID 4104: Creating Scriptblock text (MessageNumber of MessageTotal).ORPowerShell Event ID 800

3 rules

Sigma

DSRM password changed (Reg via PowerShell) (source)

mdecrevoisier

Domain group membership change (source)

mdecrevoisier

Local group membership change (source)

mdecrevoisier

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`ScriptBlockText`	contains	`new-object`	8 rules	sigma, splunk
`ScriptBlockText`	contains	`get-wmiobject`	7 rules	sigma, splunk
`ScriptBlockText`	contains	`-itemproperty`	5 rules	sigma
`ScriptBlockText`	contains	`frombase64string`	4 rules	sigma, splunk
`ScriptBlockText`	contains	`get-aduser`	4 rules	sigma, splunk
`ScriptBlockText`	contains	`get-childitem`	4 rules	sigma
`ScriptBlockText`	contains	`get-netuser`	4 rules	splunk
`ScriptBlockText`	contains	`invoke-restmethod`	4 rules	sigma, splunk
`ScriptBlockText`	contains	`name`	4 rules	sigma
`ScriptBlockText`	eq	`[adsisearcher]`	4 rules	splunk
`Esql.script_block_length`	gt	`500`	6 rules	elastic
`Esql.script_block_pattern_count`	ge	`1`	6 rules	elastic
`EventData`	contains	`-itemproperty`	5 rules	sigma
`Payload`	contains	`-itemproperty`	5 rules	sigma
`file.directory`	is_null		5 rules	elastic

Detection Rules #

View all rules referencing this event →

Sigma # view in coverage

AADInternals PowerShell Cmdlets Execution - PsScript source high: Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.
Access to Browser Login Data source medium: Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store.
Potential Active Directory Enumeration Using AD Module - PsScript source medium: Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration.

Show 17 more (179 total)

Powershell Add Name Resolution Policy Table Rule source high: Detects powershell scripts that adds a Name Resolution Policy Table (NRPT) rule for the specified namespace. This will bypass the default DNS server and uses a specified server for answering the query.
Add Windows Capability Via PowerShell Script source medium: Detects usage of the "Add-WindowsCapability" cmdlet to add Windows capabilities. Notable capabilities could be "OpenSSH" and others.
PowerShell ADRecon Execution source high: Detects execution of ADRecon.ps1 for AD reconnaissance which has been reported to be actively used by FIN7
AMSI Bypass Pattern Assembly GetType source high: Detects code fragments found in small and obfuscated AMSI bypass PowerShell scripts
Potential AMSI Bypass Script Using NULL Bits source medium: Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities
Silence.EDA Detection source critical: Detects Silence EmpireDNSAgent as described in the Group-IP report
Get-ADUser Enumeration Using UserAccountControl Flags source medium: Detects AS-REP roasting is an attack that is often-overlooked. It is not very common as you have to explicitly set accounts that do not require pre-authentication.
Potential Data Exfiltration Via Audio File source medium: Detects potential exfiltration attempt via audio file using PowerShell
Automated Collection Command PowerShell source medium: Once established within a system or network, an adversary may use automated techniques for collecting internal data.
Windows Screen Capture with CopyFromScreen source medium: Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations
Clear PowerShell History - PowerShell source medium: Detects keywords that could indicate clearing PowerShell history
Clearing Windows Console History source high: Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.
Powershell Create Scheduled Task source medium: Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code
Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell source medium: Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file
Powershell Install a DLL in System Directory source high: Uses PowerShell to install/copy a file into a system directory such as "System32" or "SysWOW64"
Registry-Free Process Scope COR_PROFILER source medium: Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profiliers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR. (Citation: Microsoft Profiling Mar 2017) (Citation: Microsoft COR_PROFILER Feb 2013)
PowerShell Create Local User source medium: Detects creation of a local user via PowerShell

Elastic # view in coverage

Potential PowerShell Obfuscation via Invalid Escape Sequences source medium: Detects PowerShell scripts with repeated invalid backtick escapes between word characters (letters, digits, underscore, or dash), splitting tokens while preserving execution. Attackers use this obfuscation to fragment keywords and evade pattern-based detection and AMSI.
Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion source high: Detects PowerShell scripts that use backtick-escaped characters inside ${} variable expansion (multiple backticks between word characters) to reconstruct strings at runtime. Attackers use variable-expansion obfuscation to split keywords, hide commands, and evade static analysis and AMSI.
Potential PowerShell Obfuscation via Character Array Reconstruction source high: Detects PowerShell scripts that reconstructs strings from char[] arrays, index lookups, or repeated ([char]NN)+ concatenation/join logic. Attackers use character-array reconstruction to hide commands, URLs, or payloads and evade static analysis and AMSI.

Show 10 more (13 total)

Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation source high: Detects PowerShell scripts that builds commands from concatenated string literals inside dynamic invocation constructs like &() or .(). Attackers use concatenated dynamic invocation to obscure execution intent, bypass keyword-based detections, and evade AMSI.
Potential PowerShell Obfuscation via High Numeric Character Proportion source low: Detects long PowerShell script block content with unusually high numeric character density (high digit-to-length ratio), often produced by byte arrays, character-code reconstruction, or embedded encoded blobs. Attackers use numeric-heavy obfuscation to conceal payloads and rebuild them at runtime to avoid static inspection.
Potential Dynamic IEX Reconstruction via Environment Variables source medium: Detects PowerShell scripts that reconstructs IEX (Invoke-Expression) by indexing environment variable strings (for example, $env:VAR[1,2,3]) or related .name[...] slices and joining characters at runtime. Attackers use environment-variable slicing to hide dynamic execution and evade keyword-based detections and AMSI.
Dynamic IEX Reconstruction via Method String Access source low: Detects PowerShell scripts that rebuilds IEX by converting method references to strings (for example, ''.IndexOf.ToString()) and extracting multiple indexed characters (for example, [n,n,n]). Attackers use method-string reconstruction to conceal dynamic execution and bypass static detections and AMSI.
PowerShell Obfuscation via Negative Index String Reversal source low: Detects PowerShell scripts that uses negative index ranges (for example, $var[-1..0]) to reverse strings or arrays and rebuild content at runtime. Attackers use index reversal to reconstruct hidden commands or payloads and evade static analysis and AMSI.
Potential PowerShell Obfuscation via Reverse Keywords source low: Detects PowerShell scripts containing reversed keyword strings associated with execution or network activity (for example, ekovni, noisserpxe, daolnwod, tcejbo-wen, tcejboimw, etc.). Attackers reverse keywords and reconstruct them at runtime to hide intent and evade static detection and AMSI.
Potential PowerShell Obfuscation via String Concatenation source high: Detects PowerShell scripts that repeatedly concatenate multiple quoted string literals with + to assemble commands or tokens at runtime. Attackers use string concatenation to fragment keywords or URLs and evade static analysis and AMSI.
Potential PowerShell Obfuscation via String Reordering source medium: Detects PowerShell scripts that uses format placeholders like "{0}{1}" with the -f operator or ::Format to reorder strings at runtime. Attackers use format-based reconstruction to hide commands or payload strings and evade static analysis and AMSI.
Potential PowerShell Obfuscation via Special Character Overuse source medium: Detects PowerShell scripts dominated by whitespace and special characters with low symbol diversity, a profile often produced by formatting or encoding obfuscation. Attackers use symbol-heavy encoding or formatting (for example, SecureString-style blobs or character-level transforms) to hide payloads and evade static analysis and AMSI.
Potential PowerShell Obfuscation via High Special Character Proportion source low: Identifies PowerShell script block content with an unusually high proportion of non-alphanumeric characters, often produced by encoding, string mangling, or dynamic code generation. Attackers use special-character heavy obfuscation to conceal payloads and hinder static analysis and AMSI.

Splunk # view in coverage

AdsiSearcher Account Discovery source: The following analytic detects the use of the [Adsisearcher] type accelerator in PowerShell to query Active Directory for domain users. It leverages PowerShell Script Block Logging (EventCode=4104) to identify script blocks containing…
Allow Inbound Traffic In Firewall Rule source: The following analytic detects a suspicious PowerShell command that allows inbound traffic to a specific local port within the public profile. It leverages PowerShell script block logging (EventCode 4104) to identify commands containing…
Delete ShadowCopy With PowerShell source: The following analytic detects the use of PowerShell to delete shadow copies via the WMIC PowerShell module. It leverages EventCode 4104 and searches for specific keywords like "ShadowCopy," "Delete," or "Remove" within the…

Show 17 more (177 total)

Detect Certify With PowerShell Script Block Logging source: The following analytic detects the use of the Certify tool via an in-memory PowerShell function to enumerate Active Directory Certificate Services (AD CS) environments. It leverages PowerShell Script Block Logging (EventCode 4104) to…
Detect Copy of ShadowCopy with Script Block Logging source: The following analytic detects the use of PowerShell commands to copy the SAM, SYSTEM, or SECURITY hives, which are critical for credential theft. It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze the…
Detect Empire with PowerShell Script Block Logging source: The following analytic detects suspicious PowerShell execution indicative of PowerShell-Empire activity. It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze commands sent to PowerShell, specifically looking…
Detect Mimikatz With PowerShell Script Block Logging source: The following analytic detects the execution of Mimikatz commands via PowerShell by leveraging PowerShell Script Block Logging (EventCode=4104). This method captures and logs the full command sent to PowerShell, allowing for the…
Disabled Kerberos Pre-Authentication Discovery With Get-ADUser source: The following analytic detects the execution of the Get-ADUser PowerShell cmdlet with parameters indicating a search for domain accounts with Kerberos Pre-Authentication disabled. It leverages PowerShell Script Block Logging…
Disabled Kerberos Pre-Authentication Discovery With PowerView source: The following analytic detects the execution of the Get-DomainUser commandlet with the -PreauthNotRequired parameter using PowerShell Script Block Logging (EventCode=4104). This command is part of PowerView, a tool used for enumerating…
Domain Group Discovery with Adsisearcher source: The following analytic detects the use of the [Adsisearcher] type accelerator in PowerShell to query Active Directory for domain groups. It leverages PowerShell Script Block Logging (EventCode=4104) to identify specific script blocks…
Elevated Group Discovery with PowerView source: The following analytic detects the execution of the Get-DomainGroupMember cmdlet from PowerView, identified through PowerShell Script Block Logging (EventCode=4104). This cmdlet is used to enumerate members of elevated domain groups such…
Exchange PowerShell Module Usage source: The following analytic detects the usage of specific Exchange PowerShell modules, such as New-MailboxExportRequest, New-ManagementRoleAssignment, New-MailboxSearch, and Get-Recipient. It leverages PowerShell Script Block Logging (EventCode…
Get ADDefaultDomainPasswordPolicy with Powershell Script Block source: The following analytic detects the execution of the Get-ADDefaultDomainPasswordPolicy PowerShell cmdlet, which is used to retrieve the password policy in a Windows domain. This detection leverages PowerShell Script Block Logging…
Get ADUser with PowerShell Script Block source: The following analytic detects the execution of the Get-AdUser PowerShell cmdlet, which is used to enumerate all domain users. It leverages PowerShell Script Block Logging (EventCode=4104) to identify instances where this command is…
Get ADUserResultantPasswordPolicy with Powershell Script Block source: The following analytic detects the execution of the Get-ADUserResultantPasswordPolicy PowerShell cmdlet, which is used to obtain the password policy in a Windows domain. It leverages PowerShell Script Block Logging (EventCode=4104) to…
Get DomainPolicy with Powershell Script Block source: The following analytic detects the execution of the Get-DomainPolicy cmdlet using PowerShell Script Block Logging (EventCode=4104). It leverages logs capturing script block text to identify attempts to obtain the password policy in a…
Get-DomainTrust with PowerShell Script Block source: The following analytic detects the execution of the Get-DomainTrust command from PowerView using PowerShell Script Block Logging (EventCode=4104). This method captures the full command sent to PowerShell, allowing for detailed inspection.…
Get DomainUser with PowerShell Script Block source: The following analytic detects the execution of the Get-DomainUser cmdlet using PowerShell Script Block Logging (EventCode=4104). This cmdlet is part of PowerView, a tool often used for domain enumeration. The detection leverages…
Get-ForestTrust with PowerShell Script Block source: The following analytic detects the execution of the Get-ForestTrust command from PowerSploit using PowerShell Script Block Logging (EventCode=4104). This method captures the full command sent to PowerShell, providing detailed visibility…
Get WMIObject Group Discovery with Script Block Logging source: The following analytic detects the execution of the Get-WMIObject Win32_Group command using PowerShell Script Block Logging (EventCode=4104). This method captures the full command sent to PowerShell, allowing for detailed analysis.…

Kusto # view in coverage

Suspicious Powershell Commandlet Executed source medium: This analytic rule detects when a suspicious PowerShell commandlet is executed on a host. Threat actors often use PowerShell to execute commands and scripts to move laterally, escalate privileges, and exfiltrate data.

References #

Microsoft Learn https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows
Windows Forensic Artifacts https://github.com/Psmths/windows-forensic-artifacts/blob/main/execution/evtx-4104-script-block-logging.md

Event ID 4105: Started invocation of ScriptBlock ID: ScriptBlockId.

Provider: Microsoft-Windows-PowerShell
Channel: Operational
Also via: realtime ETW trace
Level: Verbose
Collection Priority: Recommended (Microsoft-WEF, others)
Task: StartingCommand
Opcode: Open(async)

Description

Started invocation of ScriptBlock ID: ScriptBlockId.

Message #

Started invocation of ScriptBlock ID: %1
Runspace ID: %2

Fields #

Name	Description
`ScriptBlockId` UnicodeString	Started invocation of ScriptBlock ID.
`RunspaceId` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-PowerShell",
    "guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
    "event_source_name": "",
    "event_id": 4105,
    "version": 1,
    "level": 5,
    "task": 102,
    "opcode": 15,
    "keywords": 0,
    "time_created": "2026-06-13T14:36:52.9762883+00:00",
    "event_record_id": 292345,
    "correlation": {
      "ActivityID": "{C6821FB2-EF88-0000-CDB8-82C688EFDC01}"
    },
    "execution": {
      "process_id": 4440,
      "thread_id": 3676
    },
    "channel": "Microsoft-Windows-PowerShell/Operational",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "event_data": {
    "ScriptBlockId": "04d49ce2-3f05-45a9-957c-5758c9f59afd",
    "RunspaceId": "433997d9-ccc4-4c0d-bc9b-e1f7f9b3ed04"
  },
  "message": "Started invocation of ScriptBlock ID: 04d49ce2-3f05-45a9-957c-5758c9f59afd\r\nRunspace ID: 433997d9-ccc4-4c0d-bc9b-e1f7f9b3ed04"
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows

Event ID 4106: Completed invocation of ScriptBlock ID: ScriptBlockId.

Provider: Microsoft-Windows-PowerShell
Channel: Operational
Also via: realtime ETW trace
Level: Verbose
Collection Priority: Recommended (Microsoft-WEF, others)
Task: StoppingCommand
Opcode: Close(Async)

Description

Completed invocation of ScriptBlock ID: ScriptBlockId.

Message #

Completed invocation of ScriptBlock ID: %1
Runspace ID: %2

Fields #

Name	Description
`ScriptBlockId` UnicodeString	Completed invocation of ScriptBlock ID.
`RunspaceId` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-PowerShell",
    "guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
    "event_source_name": "",
    "event_id": 4106,
    "version": 1,
    "level": 5,
    "task": 103,
    "opcode": 15,
    "keywords": 0,
    "time_created": "2026-06-13T14:36:52.9776346+00:00",
    "event_record_id": 292349,
    "correlation": {
      "ActivityID": "{C6821FB2-EF88-0006-879F-82C688EFDC01}"
    },
    "execution": {
      "process_id": 4440,
      "thread_id": 7812
    },
    "channel": "Microsoft-Windows-PowerShell/Operational",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "event_data": {
    "ScriptBlockId": "cfd3b61c-5457-44b3-aee3-bbfbd9689340",
    "RunspaceId": "b4551755-8da0-496c-9c88-6bf2955ba423"
  },
  "message": "Completed invocation of ScriptBlock ID: cfd3b61c-5457-44b3-aee3-bbfbd9689340\r\nRunspace ID: b4551755-8da0-496c-9c88-6bf2955ba423"
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows

Event ID 7937: ContextInfo Context: Context User Data: User_Data.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Also via: realtime ETW trace
Level: Informational
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

Payload Context: ContextInfo User Data: UserData

Message #

%3

Context:
%1

User Data:
%2

Fields #

Name	Description
`ContextInfo` UnicodeString
`UserData` UnicodeString
`Payload` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-PowerShell",
    "guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
    "event_source_name": "",
    "event_id": 7937,
    "version": 1,
    "level": 4,
    "task": 0,
    "opcode": 20,
    "keywords": "0x4000000000000020",
    "time_created": "2026-06-02T04:29:47.997+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{877F78A1-F053-0003-4D12-848753F0DC01}"
    },
    "execution": {
      "process_id": 7868,
      "thread_id": 3636
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ContextInfo": "        Severity = Informational\r\n        Host Name = ConsoleHost\r\n        Host Version = 5.1.20348.4294\r\n        Host ID = 2b5c509a-8716-4b8e-9e7b-d73a2aa98dcd\r\n        Host Application = C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\\Tools\\Sealighter\\drv\\drv04.ps1\r\n        Engine Version = 5.1.20348.4294\r\n        Runspace ID = 2d8a8c17-0da2-4dfe-a42d-bebe964bcedb\r\n        Pipeline ID = 1\r\n        Command Name = Start-Job\r\n        Command Type = Cmdlet\r\n        Script Name = C:\\Tools\\Sealighter\\drv\\drv04.ps1\r\n        Command Path = \r\n        Sequence Number = 721\r\n        User = ludus\\domainadmin\r\n        Connected User = \r\n        Shell ID = Microsoft.PowerShell\r\n",
    "Payload": "Command System.Management.Automation.LogContext is Stopped.\r\n",
    "UserData": ""
  },
  "message": "win:None"
}

Event ID 7938: Payload Context: ContextInfo User Data: UserData.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Also via: realtime ETW trace
Level: Informational
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

Payload Context: ContextInfo User Data: UserData

Message #

%3

Context:
%1

User Data:
%2

Fields #

Name	Description
`ContextInfo` UnicodeString
`UserData` UnicodeString
`Payload` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-PowerShell",
    "guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}",
    "event_source_name": "",
    "event_id": "7938",
    "version": "1",
    "level": "4",
    "task": "100",
    "opcode": "20",
    "keywords": 0,
    "time_created": "2026-03-15T04:33:37.067269800+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{d73f5340-b345-0001-748f-44d745b3dc01}"
    },
    "execution": {
      "process_id": "5820",
      "thread_id": "12172"
    },
    "channel": "Microsoft-Windows-PowerShell/Analytic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ContextInfo": "        Severity = Informational\n        Host Name = ConsoleHost\n        Host Version = 5.1.20348.558\n        Host ID = 247af873-a1bf-4dba-9ce9-5140eb54ab09\n        Host Application = C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -File C:\\Users\\domainadmin\\Desktop\\automaton\\onedrive_etw_capture.ps1 -Action stop\n        Engine Version = 5.1.20348.558\n        Runspace ID = 83d77211-d444-44c5-9530-51739db0c2f4\n        Pipeline ID = \n        Command Name = \n        Command Type = \n        Script Name = \n        Command Path = \n        Sequence Number = 14\n        User = ludus\\domainadmin\n        Connected User = \n        Shell ID = Microsoft.PowerShell\n",
    "UserData": "",
    "Payload": "Engine state changed from None to Available.\n"
  },
  "message": ""
}

Event ID 7939: Payload Context: ContextInfo User Data: UserData.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Also via: realtime ETW trace
Level: Informational
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

Payload Context: ContextInfo User Data: UserData

Message #

%3

Context:
%1

User Data:
%2

Fields #

Name	Description
`ContextInfo` UnicodeString
`UserData` UnicodeString
`Payload` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-PowerShell",
    "guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}",
    "event_source_name": "",
    "event_id": "7939",
    "version": "1",
    "level": "4",
    "task": "104",
    "opcode": "20",
    "keywords": 0,
    "time_created": "2026-03-15T04:33:36.400594000+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{d73f5340-b345-0001-748f-44d745b3dc01}"
    },
    "execution": {
      "process_id": "5820",
      "thread_id": "8064"
    },
    "channel": "Microsoft-Windows-PowerShell/Analytic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ContextInfo": "        Severity = Informational\n        Host Name = ConsoleHost\n        Host Version = 5.1.20348.558\n        Host ID = 247af873-a1bf-4dba-9ce9-5140eb54ab09\n        Host Application = C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -File C:\\Users\\domainadmin\\Desktop\\automaton\\onedrive_etw_capture.ps1 -Action stop\n        Engine Version = \n        Runspace ID = \n        Pipeline ID = \n        Command Name = \n        Command Type = \n        Script Name = \n        Command Path = \n        Sequence Number = 2\n        User = ludus\\domainadmin\n        Connected User = \n        Shell ID = Microsoft.PowerShell\n",
    "UserData": "",
    "Payload": "Provider Registry changed state to Started.\n"
  },
  "message": ""
}

Event ID 7940: ContextInfo Context: Context User Data: User_Data.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

Payload Context: ContextInfo User Data: UserData

Message #

%3

Context:
%1

User Data:
%2

Fields #

Name	Description
`ContextInfo` UnicodeString
`UserData` UnicodeString
`Payload` UnicodeString

Event ID 7941: Correlating activity id's.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: win:None
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

Correlating activity id's.

Message #

Correlating activity id's. 
 	 CurrentActivityId: %1 
 	 ParentActivityId: %2

Fields #

Name	Description
`currentActivityId` GUID
`parentActivityId` GUID

Event ID 7942: Class Name = ClassName.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Also via: realtime ETW trace
Level: Verbose
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

Class Name = ClassName.

Message #

Class Name = %1
Method Name = %2
Workflow GUID = %3
Message = %4
%5
Activity Name = %6
Activity GUID = %7
Parameters = %8

Fields #

Name	Description
`ClassName` UnicodeString
`MethodName` UnicodeString
`WorkflowGuid` UnicodeString
`Message` UnicodeString
`JobData` UnicodeString
`ActivityName` UnicodeString
`ActivityGuid` UnicodeString
`Parameters` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-PowerShell",
    "guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}",
    "event_source_name": "",
    "event_id": "7942",
    "version": "1",
    "level": "5",
    "task": "0",
    "opcode": "20",
    "keywords": 0,
    "time_created": "2026-03-15T04:33:36.215006100+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{d73f5340-b345-0001-748f-44d745b3dc01}"
    },
    "execution": {
      "process_id": "5820",
      "thread_id": "12008"
    },
    "channel": "Microsoft-Windows-PowerShell/Analytic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ClassName": "RemoteSessionNamedPipeServer",
    "MethodName": "StartListening",
    "WorkflowGuid": "00000000-0000-0000-0000-000000000000",
    "Message": "Listener thread started on Process 5820 in AppDomainName DefaultAppDomain.",
    "JobData": "",
    "ActivityName": "",
    "ActivityGuid": "",
    "Parameters": ""
  },
  "message": ""
}

Event ID 8193: Creating Runspace object Instance Id.

Provider: Microsoft-Windows-PowerShell
Channel: Operational
Level: Verbose
Collection Priority: Recommended (Yamato Security)
Task: Connect
Opcode: tobeusedwhenanobjectisconstructed

Description

Creating Runspace object.

Message #

Creating Runspace object 
 	 Instance Id: %1

Fields #

Name	Description
`param1`

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-PowerShell",
    "guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
    "event_source_name": "",
    "event_id": 8193,
    "version": 1,
    "level": 5,
    "task": 1,
    "opcode": 16,
    "keywords": 0,
    "time_created": "2026-06-13T14:36:52.2119349+00:00",
    "event_record_id": 292217,
    "correlation": {
      "ActivityID": "{423FC9FF-BB95-4958-9E72-EC0DE8F5F539}"
    },
    "execution": {
      "process_id": 1152,
      "thread_id": 8008
    },
    "channel": "Microsoft-Windows-PowerShell/Operational",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "event_data": {
    "param1": "423fc9ff-bb95-4958-9e72-ec0de8f5f539"
  },
  "message": "Creating Runspace object \r\n \t Instance Id: 423fc9ff-bb95-4958-9e72-ec0de8f5f539"
}

Event ID 8194: Creating RunspacePool object.

Provider: Microsoft-Windows-PowerShell
Channel: Operational
Level: Verbose
Collection Priority: Recommended (Yamato Security)
Task: Connect
Opcode: tobeusedwhenanobjectisconstructed

Description

Creating RunspacePool object.

Message #

Creating RunspacePool object 
 	 InstanceId %1 
 	 MinRunspaces %2 
 	 MaxRunspaces %3

Fields #

Name	Description
`InstanceId` UnicodeString
`MaxRunspaces` UnicodeString
`MinRunspaces` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-PowerShell",
    "guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
    "event_source_name": "",
    "event_id": 8194,
    "version": 1,
    "level": 5,
    "task": 1,
    "opcode": 16,
    "keywords": 0,
    "time_created": "2026-06-13T14:36:52.2119503+00:00",
    "event_record_id": 292218,
    "correlation": {
      "ActivityID": "{93B2B5D3-AD4A-47FD-88FE-256547248572}"
    },
    "execution": {
      "process_id": 1152,
      "thread_id": 8008
    },
    "channel": "Microsoft-Windows-PowerShell/Operational",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "event_data": {
    "InstanceId": "93b2b5d3-ad4a-47fd-88fe-256547248572",
    "MaxRunspaces": "1",
    "MinRunspaces": "1"
  },
  "message": "Creating RunspacePool object \r\n \t InstanceId 93b2b5d3-ad4a-47fd-88fe-256547248572 \r\n \t MinRunspaces 1 \r\n \t MaxRunspaces 1"
}

Event ID 8195: Opening RunspacePool

Provider: Microsoft-Windows-PowerShell
Channel: Operational
Level: Verbose
Collection Priority: Recommended (Yamato Security)
Task: Connect
Opcode: Open(async)

Description

Opening RunspacePool.

Message #

Opening RunspacePool

Fields #

Name	Description
`async)_V1(`

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-PowerShell",
    "guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
    "event_source_name": "",
    "event_id": 8195,
    "version": 1,
    "level": 5,
    "task": 1,
    "opcode": 10,
    "keywords": 0,
    "time_created": "2026-06-13T14:36:52.2121570+00:00",
    "event_record_id": 292219,
    "correlation": {
      "ActivityID": "{93B2B5D3-AD4A-47FD-88FE-256547248572}"
    },
    "execution": {
      "process_id": 1152,
      "thread_id": 8008
    },
    "channel": "Microsoft-Windows-PowerShell/Operational",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "event_data": {},
  "message": "Opening RunspacePool"
}

Event ID 8196: Modifying activity Id and correlating

Provider: Microsoft-Windows-PowerShell
Channel: Operational
Also via: realtime ETW trace
Level: Informational
Collection Priority: Recommended (Yamato Security)
Task: Connect
Opcode: Open(async)

Description

Modifying activity Id and correlating.

Message #

Modifying activity Id and correlating

Fields #

Name	Description
`async)8196_V1(`

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-PowerShell",
    "guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
    "event_source_name": "",
    "event_id": 8196,
    "version": 1,
    "level": 4,
    "task": 0,
    "opcode": 20,
    "keywords": 0,
    "time_created": "2026-06-13T14:36:52.9782661+00:00",
    "event_record_id": 292350,
    "correlation": {
      "ActivityID": "{93B2B5D3-AD4A-47FD-88FE-256547248572}"
    },
    "execution": {
      "process_id": 1152,
      "thread_id": 1496
    },
    "channel": "Microsoft-Windows-PowerShell/Operational",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "event_data": {},
  "message": "Modifying activity Id and correlating"
}

Event ID 8197: Runspace state changed to param1.

Provider: Microsoft-Windows-PowerShell
Channel: Operational
Also via: realtime ETW trace
Level: Verbose
Collection Priority: Recommended (Yamato Security)
Task: Connect
Opcode: Open(async)

Description

Runspace state changed to param1.

Message #

Runspace state changed to %1

Fields #

Name	Description
`param1` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-PowerShell",
    "guid": "A0C1853B-5C40-4B15-8766-3CF1C58F985A",
    "event_source_name": "",
    "event_id": 8197,
    "version": 1,
    "level": 5,
    "task": 1,
    "opcode": 10,
    "keywords": 0,
    "time_created": "2026-03-13T19:06:18.830885+00:00",
    "event_record_id": 451785,
    "correlation": {
      "ActivityID": "E345B8F4-8ABD-45C2-9C94-77A035AE705C"
    },
    "execution": {
      "process_id": 8572,
      "thread_id": 13812
    },
    "channel": "Microsoft-Windows-PowerShell/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "event_data": {
    "param1": "Closing"
  },
  "message": ""
}

Event ID 8198: Attempting session creation retry param1 for error code param2 on session Id param3.

Provider: Microsoft-Windows-PowerShell
Channel: Operational
Collection Priority: Recommended (Yamato Security)
Task: Connect
Opcode: Open(async)

Description

Attempting session creation retry param1 for error code param2 on session Id param3.

Message #

Attempting session creation retry %1 for error code %2 on session Id %3

Fields #

Name	Description
`param1` UnicodeString
`param2` UnicodeString
`param3` UnicodeString

Event ID 12033: Port resolved to param1.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: Connect
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

Port resolved to param1.

Message #

Port resolved to %1

Fields #

Name	Description
`param1` UnicodeString

Event ID 12034: AppName resolved to param1.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: Connect
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

AppName resolved to param1.

Message #

AppName resolved to %1

Fields #

Name	Description
`param1` UnicodeString

Event ID 12035: ComputerName resolved to param1.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: Connect
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

ComputerName resolved to param1.

Message #

ComputerName resolved to %1

Fields #

Name	Description
`param1` UnicodeString

Event ID 12036: Scheme is param1.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: Connect
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

Scheme is param1.

Message #

Scheme is %1

Fields #

Name	Description
`param1` UnicodeString

Event ID 12037: Test analytic message

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: Connect
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

Test analytic message.

Message #

Test analytic message

Event ID 12038: Connection Paramters are Connection URI: Connection_URI Resource URI: Resource_URI User: User OpenTimeout: OpenTimeout IdleTimeout: IdleTimeout CancelTimeout: CancelTimeout AuthenticationMechanism:...

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: Connect
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

Connection Paramters are.

Message #

Connection Paramters are 
 Connection URI: %1 
 Resource URI: %2 
 User: %3 
 OpenTimeout: %4 
 IdleTimeout: %5 
 CancelTimeout: %6 
 AuthenticationMechanism: %7 
 Thumb Print: %8 
 MaxUriRedirectionCount: %9 
 MaxReceivedDataSizePerCommand: %10 
 MaxReceivedObjectSize: %11

Fields #

Name	Description
`uri` UnicodeString
`shell` UnicodeString
`userName` UnicodeString
`opentimeout` UnicodeString
`idletimeout` UnicodeString
`canceltimeout` UnicodeString
`auth` UInt32	Known values `0` Default - use the default authentication defined by the underlying protocol `1` Basic - use Basic authentication (credentials sent in clear text) `2` Negotiate - use Negotiate authentication for the remote connection `3` NegotiateWithImplicitCredential - use Negotiate with implicit credentials `4` CredSSP - use Credential Security Support Provider authentication `5` Digest - use Digest authentication (credentials sent as a hash value) `6` Kerberos - use Kerberos mutual authentication with certificates
`thumbPrint` UnicodeString
`redircount` UnicodeString
`recvdDataSize` UnicodeString
`recvdObjSize` UnicodeString

Event ID 12039: Modifying activity Id and correlating

Provider: Microsoft-Windows-PowerShell
Channel: Operational
Also via: realtime ETW trace
Level: Informational
Collection Priority: Recommended (Yamato Security)
Task: Connect
Opcode: Open(async)

Description

Modifying activity Id and correlating.

Message #

Modifying activity Id and correlating

Fields #

Name	Description
`async)12039_V1(`

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-PowerShell",
    "guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
    "event_source_name": "",
    "event_id": 12039,
    "version": 1,
    "level": 4,
    "task": 0,
    "opcode": 20,
    "keywords": 0,
    "time_created": "2026-06-13T14:36:52.9782673+00:00",
    "event_record_id": 292351,
    "correlation": {
      "ActivityID": "{93B2B5D3-AD4A-47FD-88FE-256547248572}"
    },
    "execution": {
      "process_id": 1152,
      "thread_id": 1496
    },
    "channel": "Microsoft-Windows-PowerShell/Operational",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "event_data": {},
  "message": "Modifying activity Id and correlating"
}

Event ID 16385: AmsiUtil state.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Also via: realtime ETW trace
Level: Verbose
Task: AmsiState
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

AmsiUtil state.

Message #

AmsiUtil state. 
 	 state: %1 
 	 Context: %2

Fields #

Name	Description
`Action` UnicodeString
`AmsiContext` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-PowerShell",
    "guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
    "event_source_name": "",
    "event_id": 16385,
    "version": 1,
    "level": 5,
    "task": 130,
    "opcode": 20,
    "keywords": "0x4000000000000400",
    "time_created": "2026-06-02T04:29:48.009+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 12528,
      "thread_id": 15844
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Action": "init-False",
    "AmsiContext": "1776513328784-26365"
  },
  "message": "Amsi"
}

Event ID 24577: Windows PowerShell ISE has started to run script file FileName.

Provider: Microsoft-Windows-PowerShell
Channel: Operational
Collection Priority: Recommended (Yamato Security)
Task: PowerShellISEOperation

Description

Windows PowerShell ISE has started to run script file FileName.

Message #

Windows PowerShell ISE has started to run script file %1.

Fields #

Name	Description
`FileName` UnicodeString

Event ID 24578: Windows PowerShell ISE has started to run a user-selected script from file FileName.

Provider: Microsoft-Windows-PowerShell
Channel: Operational
Collection Priority: Recommended (Yamato Security)
Task: PowerShellISEOperation

Description

Windows PowerShell ISE has started to run a user-selected script from file FileName.

Message #

Windows PowerShell ISE has started to run a user-selected script from file %1.

Fields #

Name	Description
`FileName` UnicodeString

Event ID 24579: Windows PowerShell ISE is stopping the current command.

Provider: Microsoft-Windows-PowerShell
Channel: Operational
Collection Priority: Recommended (Yamato Security)
Task: PowerShellISEOperation

Description

Windows PowerShell ISE is stopping the current command.

Message #

Windows PowerShell ISE is stopping the current command.

Event ID 24580: Windows PowerShell ISE is resuming the debugger.

Provider: Microsoft-Windows-PowerShell
Channel: Operational
Collection Priority: Recommended (Yamato Security)
Task: PowerShellISEOperation

Description

Windows PowerShell ISE is resuming the debugger.

Message #

Windows PowerShell ISE is resuming the debugger.

Event ID 24581: Windows PowerShell ISE is stopping the debugger.

Provider: Microsoft-Windows-PowerShell
Channel: Operational
Collection Priority: Recommended (Yamato Security)
Task: PowerShellISEOperation

Description

Windows PowerShell ISE is stopping the debugger.

Message #

Windows PowerShell ISE is stopping the debugger.

Event ID 24582: Windows PowerShell ISE is stepping into debugging.

Provider: Microsoft-Windows-PowerShell
Channel: Operational
Collection Priority: Recommended (Yamato Security)
Task: PowerShellISEOperation

Description

Windows PowerShell ISE is stepping into debugging.

Message #

Windows PowerShell ISE is stepping into debugging.

Event ID 24583: Windows PowerShell ISE is stepping over debugging.

Provider: Microsoft-Windows-PowerShell
Channel: Operational
Collection Priority: Recommended (Yamato Security)
Task: PowerShellISEOperation

Description

Windows PowerShell ISE is stepping over debugging.

Message #

Windows PowerShell ISE is stepping over debugging.

Event ID 24584: Windows PowerShell ISE is stepping out of debugging.

Provider: Microsoft-Windows-PowerShell
Channel: Operational
Collection Priority: Recommended (Yamato Security)
Task: PowerShellISEOperation

Description

Windows PowerShell ISE is stepping out of debugging.

Message #

Windows PowerShell ISE is stepping out of debugging.

Event ID 24592: Windows PowerShell ISE is enabling all breakpoints.

Provider: Microsoft-Windows-PowerShell
Channel: Operational
Collection Priority: Recommended (Yamato Security)
Task: PowerShellISEOperation

Description

Windows PowerShell ISE is enabling all breakpoints.

Message #

Windows PowerShell ISE is enabling all breakpoints.

Event ID 24593: Windows PowerShell ISE is disabling all breakpoints.

Provider: Microsoft-Windows-PowerShell
Channel: Operational
Collection Priority: Recommended (Yamato Security)

Description

Windows PowerShell ISE is disabling all breakpoints.

Message #

Windows PowerShell ISE is disabling all breakpoints.

Event ID 24594: Windows PowerShell ISE is removing all breakpoints.

Provider: Microsoft-Windows-PowerShell
Channel: Operational
Collection Priority: Recommended (Yamato Security)
Task: PowerShellISEOperation

Description

Windows PowerShell ISE is removing all breakpoints.

Message #

Windows PowerShell ISE is removing all breakpoints.

Event ID 24595: Windows PowerShell ISE is setting the breakpoint at line #: CurrentLine of file FileName.

Provider: Microsoft-Windows-PowerShell
Channel: Operational
Collection Priority: Recommended (Yamato Security)
Task: PowerShellISEOperation

Description

Windows PowerShell ISE is setting the breakpoint at line #: CurrentLine of file FileName.

Message #

Windows PowerShell ISE is setting the breakpoint at line #: %1 of file %2.

Fields #

Name	Description
`CurrentLine` Int32
`FileName` UnicodeString

Event ID 24596: Windows PowerShell ISE is removing the breakpoint on line #: CurrentLine of file FileName.

Provider: Microsoft-Windows-PowerShell
Channel: Operational
Collection Priority: Recommended (Yamato Security)
Task: PowerShellISEOperation

Description

Windows PowerShell ISE is removing the breakpoint on line #: CurrentLine of file FileName.

Message #

Windows PowerShell ISE is removing the breakpoint on line #: %1 of file %2.

Fields #

Name	Description
`CurrentLine` Int32
`FileName` UnicodeString

Event ID 24597: Windows PowerShell ISE is enabling the breakpoint on line #: CurrentLine of file FileName.

Provider: Microsoft-Windows-PowerShell
Channel: Operational
Collection Priority: Recommended (Yamato Security)
Task: PowerShellISEOperation

Description

Windows PowerShell ISE is enabling the breakpoint on line #: CurrentLine of file FileName.

Message #

Windows PowerShell ISE is enabling the breakpoint on line #: %1 of file %2.

Fields #

Name	Description
`CurrentLine` Int32
`FileName` UnicodeString

Event ID 24598: Windows PowerShell ISE is disabling the breakpoint on line #: CurrentLine of file FileName.

Provider: Microsoft-Windows-PowerShell
Channel: Operational
Collection Priority: Recommended (Yamato Security)
Task: PowerShellISEOperation

Description

Windows PowerShell ISE is disabling the breakpoint on line #: CurrentLine of file FileName.

Message #

Windows PowerShell ISE is disabling the breakpoint on line #: %1 of file %2.

Fields #

Name	Description
`CurrentLine` Int32
`FileName` UnicodeString

Event ID 24599: Windows PowerShell ISE has hit a breakpoint on line #: CurrentLine of file FileName.

Provider: Microsoft-Windows-PowerShell
Channel: Operational
Collection Priority: Recommended (Yamato Security)
Task: PowerShellISEOperation

Description

Windows PowerShell ISE has hit a breakpoint on line #: CurrentLine of file FileName.

Message #

Windows PowerShell ISE has hit a breakpoint on line #: %1 of file %2.

Fields #

Name	Description
`CurrentLine` Int32
`FileName` UnicodeString

Event ID 28673: Successfully rehydrated an object.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Also via: realtime ETW trace
Level: Verbose
Task: Serializeordeserializeremotingpayload
Opcode: Rehydration

Description

Successfully rehydrated an object.

Message #

Successfully rehydrated an object. 
 	 Deserialized type name: %1 
 	 Rehydrated by casting to type: %2 
 	 Rehydrated object is of type: %3

Fields #

Name	Description
`DeserializedType` UnicodeString
`CastedToType` UnicodeString
`RehydratedType` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-PowerShell",
    "guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
    "event_source_name": "",
    "event_id": 28673,
    "version": 1,
    "level": 5,
    "task": 3,
    "opcode": 23,
    "keywords": "0x4000000000000040",
    "time_created": "2026-06-02T04:29:48.126+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{E3450CF8-EBFD-44C7-97D8-B6C7C3DA8569}"
    },
    "execution": {
      "process_id": 7868,
      "thread_id": 7116
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "CastedToType": "Microsoft.PowerShell.DeserializingTypeConverter",
    "DeserializedType": "Deserialized.System.Management.Automation.PSPrimitiveDictionary@@@Deserialized.System.Collections.Hashtable@@@Deserialized.System.Object",
    "RehydratedType": "System.Management.Automation.PSPrimitiveDictionary"
  },
  "message": "Serialization"
}

Event ID 28674: Failed to rehydrated an object.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: Serializeordeserializeremotingpayload
Opcode: Rehydration

Description

Failed to rehydrated an object.

Message #

Failed to rehydrated an object. 
 	 Deserialized type name: %1 
 	 Rehydrated by casting to type: %2 
 	 Type cast exception: %3 
 	 Type cast inner exception: %4

Fields #

Name	Description
`DeserializedType` UnicodeString
`CastedToType` UnicodeString
`TypeCastException` UnicodeString
`TypeCastInnerException` UnicodeString

Event ID 28675: Serialization depth has been overriden.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: Serializeordeserializeremotingpayload
Opcode: Serializationsettings

Description

Serialization depth has been overriden.

Message #

Serialization depth has been overriden. 
 	 Serialized type name: %1 
 	 Original depth: %2 
 	 Overriden depth: %3 
 	 Current depth below top level: %4

Fields #

Name	Description
`SerializedType` UnicodeString
`OriginalDepth` Int32
`OverridenDepth` Int32
`CurrentDepthBelowTopLevel` Int32

Event ID 28676: Serialization mode has been overriden.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: Serializeordeserializeremotingpayload
Opcode: Serializationsettings

Description

Serialization mode has been overriden.

Message #

Serialization mode has been overriden. 
 	 Serialized type name: %1 
 	 Overriden mode: %2

Fields #

Name	Description
`SerializedType` UnicodeString
`OverridenMode` UInt32

Event ID 28677: Serialization of a script property has been skipped, because there is no runspace to use for evaluation of the property.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: Serializeordeserializeremotingpayload
Opcode: Tobeusedwhenanexceptionisraised

Description

Serialization of a script property has been skipped, because there is no runspace to use for evaluation of the property.

Message #

Serialization of a script property has been skipped, because there is no runspace to use for evaluation of the property. 
 	 Property name: %1 
 	 Property owner's type name: %2 
 	 Getter script: %3

Fields #

Name	Description
`PropertyName` UnicodeString
`PropertyOwnerType` UnicodeString
`GetterScript` UnicodeString

Event ID 28678: Serialization of a property has been skipped, because property getter failed.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: Serializeordeserializeremotingpayload
Opcode: Tobeusedwhenanexceptionisraised

Description

Serialization of a property has been skipped, because property getter failed.

Message #

Serialization of a property has been skipped, because property getter failed. 
 	 Property name: %1 
 	 Property owner's type name: %2 
 	 Exception from property getter: %3 
 	 Inner exception from property getter: %4

Fields #

Name	Description
`PropertyName` UnicodeString
`PropertyOwnerType` UnicodeString
`Exception` UnicodeString
`InnerException` UnicodeString

Event ID 28679: Serialization of an enumerable object might not be complete, because object being enumerated threw an exception.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: Serializeordeserializeremotingpayload
Opcode: Tobeusedwhenanexceptionisraised

Description

Serialization of an enumerable object might not be complete, because object being enumerated threw an exception.

Message #

Serialization of an enumerable object might not be complete, because object being enumerated threw an exception. 
 	 Type of object being enumerated: %1 
 	 Exception: %2

Fields #

Name	Description
`TypeBeingEnumerated` UnicodeString
`Exception` UnicodeString

Event ID 28680: Serialization called object's ToString method which failed.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: Serializeordeserializeremotingpayload
Opcode: Tobeusedwhenanexceptionisraised

Description

Serialization called object's ToString method which failed.

Message #

Serialization called object's ToString method which failed. 
 	 Type of object: %1 
 	 Exception: %2

Fields #

Name	Description
`Type` UnicodeString
`Exception` UnicodeString

Event ID 28682: Maximum depth below top level has been reached, forcing object to be serialized as strings.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: Serializeordeserializeremotingpayload
Opcode: Tobeusedwhenanexceptionisraised

Description

Maximum depth below top level has been reached, forcing object to be serialized as strings.

Message #

Maximum depth below top level has been reached, forcing object to be serialized as strings. 
 	 Object type at max depth: %1 
 	 Property name at max depth: %2 
 	 Depth: %3

Fields #

Name	Description
`TypeOfObjectAtMaxDepth` UnicodeString
`PropertyNameAtMaxDepth` UnicodeString
`Depth` Int32

Event ID 28683: XmlException has been thrown by the deserializer (most likely indicating incorrect clixml format).

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: Serializeordeserializeremotingpayload
Opcode: Tobeusedwhenanexceptionisraised

Description

XmlException has been thrown by the deserializer (most likely indicating incorrect clixml format).

Message #

XmlException has been thrown by the deserializer (most likely indicating incorrect clixml format). 
 	 Line number: %1 Line position: %2 
 	 Exception: %3

Fields #

Name	Description
`LineNumber` Int32
`LinePosition` Int32
`Exception` UnicodeString

Event ID 28684: Serialization of specified properties failed, because one of the specified properties was missing.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: Serializeordeserializeremotingpayload
Opcode: Tobeusedwhenanexceptionisraised

Description

Serialization of specified properties failed, because one of the specified properties was missing.

Message #

Serialization of specified properties failed, because one of the specified properties was missing. 
 	 Type of object: %1 
 	 Property name: %2

Fields #

Name	Description
`TypeOfObjectWithMissingProperty` UnicodeString
`PropertyName` UnicodeString

Event ID 32769: Received object with Runspace Id: Runspace_InstanceId Command Id: PowerShell_InstanceId Destination: Destination DataType: DataType TargetInterface: TargetInterface.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Also via: realtime ETW trace
Level: Informational
Task: win:None
Opcode: Receive(Async)

Description

Received object with Runspace Id: Runspace_InstanceId Command Id: PowerShell_InstanceId Destination: Destination DataType: DataType TargetInterface: TargetInterface.

Message #

Received object with Runspace Id: %1 Command Id: %2 Destination: %3 DataType: %4 TargetInterface: %5

Fields #

Name	Description
`Runspace_InstanceId` UnicodeString
`PowerShell_InstanceId` UnicodeString
`Destination` UInt32	Known values `1` Client - message is targeted to the client (sent by server) `2` Server - message is targeted to the server (sent by client)
`DataType` UInt32	Known values `65538` SESSION_CAPABILITY (0x00010002) - Session capability; bidirectional `65540` INIT_RUNSPACEPOOL (0x00010004) - Initialize RunspacePool; client to server `65541` PUBLIC_KEY (0x00010005) - Public key; client to server `65542` ENCRYPTED_SESSION_KEY (0x00010006) - Encrypted session key; server to client `65543` PUBLIC_KEY_REQUEST (0x00010007) - Public key request; server to client `65544` CONNECT_RUNSPACEPOOL (0x00010008) - Connect to a RunspacePool; client to server `135170` SET_MAX_RUNSPACES (0x00021002) - Set maximum runspaces; client to server `135171` SET_MIN_RUNSPACES (0x00021003) - Set minimum runspaces; client to server `135172` RUNSPACE_AVAILABILITY (0x00021004) - Runspace availability response; server to client `135173` RUNSPACEPOOL_STATE (0x00021005) - RunspacePool state info; server to client `135174` CREATE_PIPELINE (0x00021006) - Create and invoke pipeline; client to server `135175` GET_AVAILABLE_RUNSPACES (0x00021007) - Get available runspace count; client to server `135176` USER_EVENT (0x00021008) - User-defined event; server to client `135177` APPLICATION_PRIVATE_DATA (0x00021009) - Application private data; server to client `135178` GET_COMMAND_METADATA (0x0002100A) - Get command metadata; client to server `135179` RUNSPACEPOOL_INIT_DATA (0x0002100B) - RunspacePool initialization data; server to client `135180` RESET_RUNSPACE_STATE (0x0002100C) - Reset RunspacePool runspace state; client to server `135424` RUNSPACEPOOL_HOST_CALL (0x00021100) - Host method call on RunspacePool; server to client `135425` RUNSPACEPOOL_HOST_RESPONSE (0x00021101) - Host call response for RunspacePool; client to server `266242` PIPELINE_INPUT (0x00041002) - Pipeline input; client to server `266243` END_OF_PIPELINE_INPUT (0x00041003) - Close pipeline input collection; client to server `266244` PIPELINE_OUTPUT (0x00041004) - Pipeline output; server to client `266245` ERROR_RECORD (0x00041005) - Pipeline error record; server to client `266246` PIPELINE_STATE (0x00041006) - Pipeline state info; server to client or RunspacePool `266247` DEBUG_RECORD (0x00041007) - Pipeline debug record; server to client `266248` VERBOSE_RECORD (0x00041008) - Pipeline verbose record; server to client `266249` WARNING_RECORD (0x00041009) - Pipeline warning record; server to client `266256` PROGRESS_RECORD (0x00041010) - Pipeline progress record; server to client `266257` INFORMATION_RECORD (0x00041011) - Pipeline information record; server to client `266496` PIPELINE_HOST_CALL (0x00041100) - Host method call on pipeline; server to client `266497` PIPELINE_HOST_RESPONSE (0x00041101) - Host call response for pipeline; client to server
`TargetInterface` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-PowerShell",
    "guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
    "event_source_name": "",
    "event_id": 32769,
    "version": 1,
    "level": 4,
    "task": 0,
    "opcode": 10,
    "keywords": "0x4000000000000008",
    "time_created": "2026-06-02T04:29:48.018+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{877F78A1-F053-0000-F6D5-7F8753F0DC01}"
    },
    "execution": {
      "process_id": 15220,
      "thread_id": 4892
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "DataType": 65538,
    "Destination": 2,
    "PowerShell_InstanceId": "00000000-0000-0000-0000-000000000000",
    "Runspace_InstanceId": "e3450cf8-ebfd-44c7-97d8-b6c7c3da8569",
    "TargetInterface": 1
  },
  "message": "win:None"
}

Event ID 32775: An unhandled exception occurred in the appdomain.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: win:None
Opcode: Open(async)

Description

An unhandled exception occurred in the appdomain.

Message #

An unhandled exception occurred in the appdomain. 
Exception Type: %1 
Exception Message: %2 
Exception StackTrace: %3

Fields #

Name	Description
`param1` UnicodeString
`param2` UnicodeString
`param3` UnicodeString

Event ID 32776: Runspace Id: SessionId Pipeline Id: PipelineId.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: win:None
Opcode: Open(async)

Description

Runspace Id: SessionId Pipeline Id: PipelineId. WSMan reported an error with error code: ErrorCode.

Message #

Runspace Id: %1 Pipeline Id: %2. WSMan reported an error with error code: %3. 
 Error message: %4 
 StackTrace: %5

Fields #

Name	Description
`SessionId` UnicodeString
`PipelineId` UnicodeString
`ErrorCode` UnicodeString
`ErrorMessage` UnicodeString
`StackTrace` UnicodeString

Event ID 32777: An unhandled exception occurred in the appdomain.

Provider: Microsoft-Windows-PowerShell
Channel: Operational
Collection Priority: Recommended (Yamato Security)
Task: win:None
Opcode: Open(async)

Description

An unhandled exception occurred in the appdomain.

Message #

An unhandled exception occurred in the appdomain. 
Exception Type: %1 
Exception Message: %2 
Exception StackTrace: %3

Fields #

Name	Description
`param1` UnicodeString
`param2` UnicodeString
`param3` UnicodeString

Event ID 32784: Runspace Id: SessionId Pipeline Id: PipelineId.

Provider: Microsoft-Windows-PowerShell
Channel: Operational
Level: Error
Collection Priority: Recommended (Yamato Security)
Task: win:None
Opcode: Open(async)

Description

Runspace Id: SessionId Pipeline Id: PipelineId. WSMan reported an error with error code: ErrorCode.

Message #

Runspace Id: %1 Pipeline Id: %2. WSMan reported an error with error code: %3. 
 Error message: %4 
 StackTrace: %5

Fields #

Name	Description
`SessionId` UnicodeString
`PipelineId` UnicodeString
`ErrorCode` UnicodeString
`ErrorMessage` UnicodeString
`StackTrace` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-PowerShell",
    "guid": "A0C1853B-5C40-4B15-8766-3CF1C58F985A",
    "event_source_name": "",
    "event_id": 32784,
    "version": 1,
    "level": 2,
    "task": 0,
    "opcode": 10,
    "keywords": 0,
    "time_created": "2026-03-13T19:48:48.051299+00:00",
    "event_record_id": 692957,
    "correlation": {
      "ActivityID": "0DB6BBF5-303D-4E93-8DE3-887C047E8B68"
    },
    "execution": {
      "process_id": 1512,
      "thread_id": 1452
    },
    "channel": "Microsoft-Windows-PowerShell/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "event_data": {
    "SessionId": "0db6bbf5-303d-4e93-8de3-887c047e8b68",
    "PipelineId": "00000000-0000-0000-0000-000000000000",
    "ErrorCode": "-2144108101",
    "ErrorMessage": "Connecting to remote server 10.2.10.21 failed with the following error message : The WinRM client cannot process the request. Default authentication may be used with an IP address under the following conditions: the transport is HTTPS or the destination is in the TrustedHosts list, and explicit credentials are provided. Use winrm.cmd to configure TrustedHosts. Note that computers in the TrustedHosts list might not be authenticated. For more information on how to set TrustedHosts run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.",
    "StackTrace": ""
  },
  "message": ""
}

Event ID 32785: Runspace Id param1.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Also via: realtime ETW trace
Level: Informational
Task: win:None
Opcode: connect

Description

Runspace Id param1. Establishing a connection using WSMan Create Shell.

Message #

Runspace Id %1. Establishing a connection using WSMan Create Shell

Fields #

Name	Description
`param1` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-PowerShell",
    "guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
    "event_source_name": "",
    "event_id": 32785,
    "version": 1,
    "level": 4,
    "task": 0,
    "opcode": 10,
    "keywords": "0x4000000000000008",
    "time_created": "2026-06-02T05:29:54.150+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{877F78A1-F053-0008-D88F-818753F0DC01}"
    },
    "execution": {
      "process_id": 5004,
      "thread_id": 10052
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "param1": ""
  },
  "message": "win:None"
}

Event ID 32786: Runspace Id param1.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: win:None
Opcode: connect

Description

Runspace Id param1. Callback received for WSMan Create Shell.

Message #

Runspace Id %1. Callback received for WSMan Create Shell

Fields #

Name	Description
`param1` UnicodeString

Event ID 32787: Runspace Id: RunspaceId.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: win:None
Opcode: Disconnect

Description

Runspace Id: RunspaceId. Closing shell using WSManCloseShell.

Message #

Runspace Id: %1. Closing shell using WSManCloseShell

Fields #

Name	Description
`param1` UnicodeString

Event ID 32788: Runspace Id: RunspaceId.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: win:None
Opcode: Disconnect

Description

Runspace Id: RunspaceId. Callback received for WSManCloseShell.

Message #

Runspace Id: %1. Callback received for WSManCloseShell

Fields #

Name	Description
`param1` UnicodeString

Event ID 32789: Runspace Id: Runspace_Id Pipeline Id: Pipeline_Id.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Also via: realtime ETW trace
Level: Informational
Task: win:None
Opcode: Send(Async)

Description

Runspace Id: Runspace_Id Pipeline Id: Pipeline_Id. Sending data of size SessionId.

Message #

Runspace Id: %1 Pipeline Id: %2. Sending data of size %3

Fields #

Name	Description
`SessionId` UnicodeString
`PipelineId` UnicodeString
`DataSize` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-PowerShell",
    "guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
    "event_source_name": "",
    "event_id": 32789,
    "version": 1,
    "level": 4,
    "task": 0,
    "opcode": 21,
    "keywords": "0x4000000000000008",
    "time_created": "2026-06-02T04:29:48.128+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{E3450CF8-EBFD-44C7-97D8-B6C7C3DA8569}"
    },
    "execution": {
      "process_id": 7868,
      "thread_id": 7116
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "DataSize": "2480",
    "PipelineId": "ba938c13-e497-4b6f-8de6-08b164dd5a82",
    "SessionId": "e3450cf8-ebfd-44c7-97d8-b6c7c3da8569"
  },
  "message": "win:None"
}

Event ID 32790: Runspace Id: Runspace_Id Pipeline Id: Pipeline_Id.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Also via: realtime ETW trace
Level: Informational
Task: win:None
Opcode: Send(Async)

Description

Runspace Id: Runspace_Id Pipeline Id: Pipeline_Id. Callback received for WSManSendShellInputEx.

Message #

Runspace Id: %1 Pipeline Id: %2. Callback received for WSManSendShellInputEx

Fields #

Name	Description
`SessionId` UnicodeString
`PipelineId` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-PowerShell",
    "guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
    "event_source_name": "",
    "event_id": 32790,
    "version": 1,
    "level": 4,
    "task": 0,
    "opcode": 12,
    "keywords": "0x4000000000000008",
    "time_created": "2026-06-02T04:29:48.126+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{E3450CF8-EBFD-44C7-97D8-B6C7C3DA8569}"
    },
    "execution": {
      "process_id": 7868,
      "thread_id": 7116
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "PipelineId": "00000000-0000-0000-0000-000000000000",
    "SessionId": "e3450cf8-ebfd-44c7-97d8-b6c7c3da8569"
  },
  "message": "win:None"
}

Event ID 32791: Runspace Id: Runspace_Id Pipeline Id: Pipeline_Id.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: win:None
Opcode: Receive(Async)

Description

Runspace Id: Runspace_Id Pipeline Id: Pipeline_Id. Placing Receive request using WSManReceiveShellOutputEx.

Message #

Runspace Id: %1 Pipeline Id: %2. Placing Receive request using WSManReceiveShellOutputEx

Fields #

Name	Description
`SessionId` UnicodeString
`PipelineId` UnicodeString

Event ID 32792: Runspace Id: Runspace_Id Pipeline Id: Pipeline_Id.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Also via: realtime ETW trace
Level: Informational
Task: win:None
Opcode: Receive(Async)

Description

Runspace Id: Runspace_Id Pipeline Id: Pipeline_Id. Received Data of size SessionId.

Message #

Runspace Id: %1 Pipeline Id: %2. Received Data of size %3.

Fields #

Name	Description
`SessionId` UnicodeString
`PipelineId` UnicodeString
`DataSize` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-PowerShell",
    "guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
    "event_source_name": "",
    "event_id": 32792,
    "version": 1,
    "level": 4,
    "task": 0,
    "opcode": 22,
    "keywords": "0x4000000000000008",
    "time_created": "2026-06-02T04:29:48.022+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{E3450CF8-EBFD-44C7-97D8-B6C7C3DA8569}"
    },
    "execution": {
      "process_id": 7868,
      "thread_id": 7116
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "DataSize": "223",
    "PipelineId": "00000000-0000-0000-0000-000000000000",
    "SessionId": "e3450cf8-ebfd-44c7-97d8-b6c7c3da8569"
  },
  "message": "win:None"
}

Event ID 32793: Runspace Id SessionId Pipeline Id PipelineId.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Also via: realtime ETW trace
Level: Informational
Task: win:None
Opcode: connect

Description

Runspace Id SessionId Pipeline Id PipelineId. Establishing a command connection using WSManRunShellCommandEx.

Message #

Runspace Id %1 Pipeline Id %2. Establishing a command connection using WSManRunShellCommandEx

Fields #

Name	Description
`SessionId` UnicodeString
`PipelineId` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-PowerShell",
    "guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
    "event_source_name": "",
    "event_id": 32793,
    "version": 1,
    "level": 4,
    "task": 0,
    "opcode": 12,
    "keywords": "0x4000000000000008",
    "time_created": "2026-06-02T04:29:48.127+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{E3450CF8-EBFD-44C7-97D8-B6C7C3DA8569}"
    },
    "execution": {
      "process_id": 7868,
      "thread_id": 8196
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "PipelineId": "ba938c13-e497-4b6f-8de6-08b164dd5a82",
    "SessionId": "e3450cf8-ebfd-44c7-97d8-b6c7c3da8569"
  },
  "message": "win:None"
}

Event ID 32800: Runspace Id SessionId Pipeline Id PipelineId.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Also via: realtime ETW trace
Level: Informational
Task: win:None
Opcode: connect

Description

Runspace Id SessionId Pipeline Id PipelineId. Callback received for command connection.

Message #

Runspace Id %1 Pipeline Id %2. Callback received for command connection

Fields #

Name	Description
`SessionId` UnicodeString
`PipelineId` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-PowerShell",
    "guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
    "event_source_name": "",
    "event_id": 32800,
    "version": 1,
    "level": 4,
    "task": 0,
    "opcode": 12,
    "keywords": "0x4000000000000008",
    "time_created": "2026-06-02T04:29:48.128+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{E3450CF8-EBFD-44C7-97D8-B6C7C3DA8569}"
    },
    "execution": {
      "process_id": 7868,
      "thread_id": 7116
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "PipelineId": "ba938c13-e497-4b6f-8de6-08b164dd5a82",
    "SessionId": "e3450cf8-ebfd-44c7-97d8-b6c7c3da8569"
  },
  "message": "win:None"
}

Event ID 32801: Runspace Id: Runspace_Id Pipeline Id SessionId.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Also via: realtime ETW trace
Level: Informational
Task: win:None
Opcode: Disconnect

Description

Runspace Id: Runspace_Id Pipeline Id SessionId. Closing transport for command.

Message #

Runspace Id: %1 Pipeline Id %2. Closing transport for command

Fields #

Name	Description
`SessionId` UnicodeString
`PipelineId` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-PowerShell",
    "guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
    "event_source_name": "",
    "event_id": 32801,
    "version": 1,
    "level": 4,
    "task": 0,
    "opcode": 13,
    "keywords": "0x4000000000000008",
    "time_created": "2026-06-02T04:29:48.131+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{E3450CF8-EBFD-44C7-97D8-B6C7C3DA8569}"
    },
    "execution": {
      "process_id": 7868,
      "thread_id": 9420
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "PipelineId": "ba938c13-e497-4b6f-8de6-08b164dd5a82",
    "SessionId": "e3450cf8-ebfd-44c7-97d8-b6c7c3da8569"
  },
  "message": "win:None"
}

Event ID 32802: Runspace Id: Runspace_Id Pipeline Id SessionId.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Also via: realtime ETW trace
Level: Informational
Task: win:None
Opcode: Disconnect

Description

Runspace Id: Runspace_Id Pipeline Id SessionId. Callback received for command close.

Message #

Runspace Id: %1 Pipeline Id %2. Callback received for command close

Fields #

Name	Description
`SessionId` UnicodeString
`PipelineId` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-PowerShell",
    "guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
    "event_source_name": "",
    "event_id": 32802,
    "version": 1,
    "level": 4,
    "task": 0,
    "opcode": 13,
    "keywords": "0x4000000000000008",
    "time_created": "2026-06-02T04:29:48.131+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{E3450CF8-EBFD-44C7-97D8-B6C7C3DA8569}"
    },
    "execution": {
      "process_id": 7868,
      "thread_id": 7116
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "PipelineId": "ba938c13-e497-4b6f-8de6-08b164dd5a82",
    "SessionId": "e3450cf8-ebfd-44c7-97d8-b6c7c3da8569"
  },
  "message": "win:None"
}

Event ID 32803: Runspace Id: Runspace_Id Pipeline Id SessionId.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: win:None
Opcode: Disconnect

Description

Runspace Id: Runspace_Id Pipeline Id SessionId. Sending signal with code PipelineId using WSManSignalShellEx.

Message #

Runspace Id: %1 Pipeline Id %2. Sending signal with code %3 using WSManSignalShellEx

Fields #

Name	Description
`SessionId` UnicodeString
`PipelineId` UnicodeString
`SignalCode` UnicodeString

Event ID 32804: Runspace Id: Runspace_Id Pipeline Id SessionId.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: win:None
Opcode: Disconnect

Description

Runspace Id: Runspace_Id Pipeline Id SessionId. Callback received for WSManSignalShellEx.

Message #

Runspace Id: %1 Pipeline Id %2. Callback received for WSManSignalShellEx

Fields #

Name	Description
`SessionId` UnicodeString
`PipelineId` UnicodeString

Event ID 32805: Runspace Id: SessionId.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: win:None
Opcode: connect

Description

Runspace Id: SessionId. Connection is getting redirected to Uri: Uri.

Message #

Runspace Id: %1. Connection is getting redirected to Uri: %2

Fields #

Name	Description
`SessionId` UnicodeString
`Uri` UnicodeString

Event ID 32849: Runspace Id: Runspace_Id Pipeline Id: Pipeline_Id.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Also via: realtime ETW trace
Level: Informational
Task: win:None
Opcode: Send(Async)

Description

Runspace Id: Runspace_Id Pipeline Id: Pipeline_Id. Server is sending data of size TargetInterface to client. DataType: Runspace_InstanceId TargetInterface: PowerShell_InstanceId.

Message #

Runspace Id: %1 Pipeline Id: %2. Server is sending data of size %3 to client. DataType: %4 TargetInterface: %5

Fields #

Name	Description
`Runspace_InstanceId` UnicodeString
`PowerShell_InstanceId` UnicodeString
`DataSize` UnicodeString
`DataType` UInt32	Known values `65538` SESSION_CAPABILITY (0x00010002) - Session capability; bidirectional `65540` INIT_RUNSPACEPOOL (0x00010004) - Initialize RunspacePool; client to server `65541` PUBLIC_KEY (0x00010005) - Public key; client to server `65542` ENCRYPTED_SESSION_KEY (0x00010006) - Encrypted session key; server to client `65543` PUBLIC_KEY_REQUEST (0x00010007) - Public key request; server to client `65544` CONNECT_RUNSPACEPOOL (0x00010008) - Connect to a RunspacePool; client to server `135170` SET_MAX_RUNSPACES (0x00021002) - Set maximum runspaces; client to server `135171` SET_MIN_RUNSPACES (0x00021003) - Set minimum runspaces; client to server `135172` RUNSPACE_AVAILABILITY (0x00021004) - Runspace availability response; server to client `135173` RUNSPACEPOOL_STATE (0x00021005) - RunspacePool state info; server to client `135174` CREATE_PIPELINE (0x00021006) - Create and invoke pipeline; client to server `135175` GET_AVAILABLE_RUNSPACES (0x00021007) - Get available runspace count; client to server `135176` USER_EVENT (0x00021008) - User-defined event; server to client `135177` APPLICATION_PRIVATE_DATA (0x00021009) - Application private data; server to client `135178` GET_COMMAND_METADATA (0x0002100A) - Get command metadata; client to server `135179` RUNSPACEPOOL_INIT_DATA (0x0002100B) - RunspacePool initialization data; server to client `135180` RESET_RUNSPACE_STATE (0x0002100C) - Reset RunspacePool runspace state; client to server `135424` RUNSPACEPOOL_HOST_CALL (0x00021100) - Host method call on RunspacePool; server to client `135425` RUNSPACEPOOL_HOST_RESPONSE (0x00021101) - Host call response for RunspacePool; client to server `266242` PIPELINE_INPUT (0x00041002) - Pipeline input; client to server `266243` END_OF_PIPELINE_INPUT (0x00041003) - Close pipeline input collection; client to server `266244` PIPELINE_OUTPUT (0x00041004) - Pipeline output; server to client `266245` ERROR_RECORD (0x00041005) - Pipeline error record; server to client `266246` PIPELINE_STATE (0x00041006) - Pipeline state info; server to client or RunspacePool `266247` DEBUG_RECORD (0x00041007) - Pipeline debug record; server to client `266248` VERBOSE_RECORD (0x00041008) - Pipeline verbose record; server to client `266249` WARNING_RECORD (0x00041009) - Pipeline warning record; server to client `266256` PROGRESS_RECORD (0x00041010) - Pipeline progress record; server to client `266257` INFORMATION_RECORD (0x00041011) - Pipeline information record; server to client `266496` PIPELINE_HOST_CALL (0x00041100) - Host method call on pipeline; server to client `266497` PIPELINE_HOST_RESPONSE (0x00041101) - Host call response for pipeline; client to server
`TargetInterface` UInt32	3 to client. DataType.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-PowerShell",
    "guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
    "event_source_name": "",
    "event_id": 32849,
    "version": 1,
    "level": 4,
    "task": 0,
    "opcode": 21,
    "keywords": "0x4000000000000008",
    "time_created": "2026-06-02T04:29:48.022+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{877F78A1-F053-0000-F6D5-7F8753F0DC01}"
    },
    "execution": {
      "process_id": 15220,
      "thread_id": 4892
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "DataSize": "223",
    "DataType": 65538,
    "PowerShell_InstanceId": "00000000-0000-0000-0000-000000000000",
    "Runspace_InstanceId": "00000000-0000-0000-0000-000000000000",
    "TargetInterface": 1
  },
  "message": "win:None"
}

Event ID 32850: Request param1.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: win:None
Opcode: connect

Description

Request param1. Creating a server remote session. UserName: UserName Custome Shell Id: CustomeShellId.

Message #

Request %1. Creating a server remote session. UserName: %2 Custome Shell Id: %3

Fields #

Name	Description
`param1` UnicodeString
`param2` UnicodeString
`param3` UnicodeString

Event ID 32851: Reporting context for request: ReportingContextForRequest Context Reported: ReportingContextForRequest.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Also via: realtime ETW trace
Level: Informational
Task: win:None
Opcode: connect

Description

Reporting context for request: ReportingContextForRequest Context Reported: ReportingContextForRequest.

Message #

Reporting context for request: %1 Context Reported: %1

Fields #

Name	Description
`param1` UnicodeString
`param2` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-PowerShell",
    "guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
    "event_source_name": "",
    "event_id": 32851,
    "version": 1,
    "level": 4,
    "task": 0,
    "opcode": 12,
    "keywords": "0x4000000000000008",
    "time_created": "2026-06-02T05:29:54.158+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{877F78A1-F053-0001-EB9A-828753F0DC01}"
    },
    "execution": {
      "process_id": 5004,
      "thread_id": 19268
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "param1": "System.Management.Automation.Remoting.Client.WSManNativeApi+WSManPluginRequest",
    "param2": "System.Management.Automation.Remoting.Client.WSManNativeApi+WSManPluginRequest"
  },
  "message": "win:None"
}

Event ID 32852: Reporting operation complete for request: ReportingOperationCompleteForRequest.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Also via: realtime ETW trace
Level: Informational
Task: win:None
Opcode: connect

Description

Reporting operation complete for request: ReportingOperationCompleteForRequest.

Message #

Reporting operation complete for request: %1 
 Error Code: %2 
 Error Message: %3 
 StackTrace: %4

Fields #

Name	Description
`param1` UnicodeString
`param2` UnicodeString
`param3` UnicodeString
`param4` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-PowerShell",
    "guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
    "event_source_name": "",
    "event_id": 32852,
    "version": 1,
    "level": 4,
    "task": 0,
    "opcode": 11,
    "keywords": "0x4000000000000008",
    "time_created": "2026-06-02T05:29:54.150+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{877F78A1-F053-0008-D88F-818753F0DC01}"
    },
    "execution": {
      "process_id": 5004,
      "thread_id": 10052
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "param1": "System.Management.Automation.Remoting.Client.WSManNativeApi+WSManPluginRequest",
    "param2": "NoError",
    "param3": "",
    "param4": ""
  },
  "message": "win:None"
}

Event ID 32853: Shell Context param1.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Also via: realtime ETW trace
Level: Informational
Task: win:None
Opcode: connect

Description

Shell Context param1. Request Id param2. Creating a commonad session for running a command.

Message #

Shell Context %1. Request Id %2. Creating a commonad session for running a command.

Fields #

Name	Description
`param1` UnicodeString
`param2` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-PowerShell",
    "guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
    "event_source_name": "",
    "event_id": 32853,
    "version": 1,
    "level": 4,
    "task": 0,
    "opcode": 12,
    "keywords": "0x4000000000000008",
    "time_created": "2026-06-02T05:29:54.150+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{877F78A1-F053-0008-D88F-818753F0DC01}"
    },
    "execution": {
      "process_id": 5004,
      "thread_id": 10052
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "param1": "",
    "param2": "CreateCommand: Create a new command in the shell context completed"
  },
  "message": "win:None"
}

Event ID 32854: Shell Context param1 Command Context param2 Request Id param3.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: win:None
Opcode: Disconnect

Description

Shell Context param1 Command Context param2 Request Id param3. Stopping command.

Message #

Shell Context %1 Command Context %2 Request Id %3. Stopping command.

Fields #

Name	Description
`param1` UnicodeString
`param2` UnicodeString
`param3` UnicodeString

Event ID 32855: Shell Context param1 Command Context param2 Request Id param3.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Also via: realtime ETW trace
Level: Informational
Task: win:None
Opcode: Open(async)

Description

Shell Context param1 Command Context param2 Request Id param3. Received data from client.

Message #

Shell Context %1 Command Context %2 Request Id %3. Received data from client.

Fields #

Name	Description
`param1` UnicodeString
`param2` UnicodeString
`param3` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-PowerShell",
    "guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
    "event_source_name": "",
    "event_id": 32855,
    "version": 1,
    "level": 4,
    "task": 0,
    "opcode": 10,
    "keywords": "0x4000000000000008",
    "time_created": "2026-06-02T05:29:54.161+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{877F78A1-F053-0008-D88F-818753F0DC01}"
    },
    "execution": {
      "process_id": 5004,
      "thread_id": 10052
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "param1": "",
    "param2": "PerformWSManPluginReceive: Invoked",
    "param3": ""
  },
  "message": "win:None"
}

Event ID 32856: Shell Context param1 Command Context param2 Request Id param3.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Also via: realtime ETW trace
Level: Informational
Task: win:None
Opcode: Open(async)

Description

Shell Context param1 Command Context param2 Request Id param3. Client sent a receive request so that server can send data.

Message #

Shell Context %1 Command Context %2 Request Id %3. Client sent a receive request so that server can send data.

Fields #

Name	Description
`param1` UnicodeString
`param2` UnicodeString
`param3` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-PowerShell",
    "guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
    "event_source_name": "",
    "event_id": 32856,
    "version": 1,
    "level": 4,
    "task": 0,
    "opcode": 10,
    "keywords": "0x4000000000000008",
    "time_created": "2026-06-02T05:29:54.161+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{877F78A1-F053-0008-D88F-818753F0DC01}"
    },
    "execution": {
      "process_id": 5004,
      "thread_id": 10052
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "param1": "",
    "param2": "EnableShellOrCommandToSendDataToClient: unlock the shell / command specified so that the shell / command starts sending data to the client.",
    "param3": ""
  },
  "message": "win:None"
}

Event ID 32857: Shell Context param1 Command Context param2 IsReceiveOperation param3.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: win:None
Opcode: Disconnect

Description

Shell Context param1 Command Context param2 IsReceiveOperation param3. Got close operation request.

Message #

Shell Context %1 Command Context %2 IsReceiveOperation %3. Got close operation request.

Fields #

Name	Description
`param1` UnicodeString
`param2` UnicodeString
`param3` UnicodeString

Event ID 32865: Loading assembly param1 for custom shell with shell Id param2.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: win:None
Opcode: connect

Description

Loading assembly param1 for custom shell with shell Id param2.

Message #

Loading assembly %1 for custom shell with shell Id %2

Fields #

Name	Description
`param1` UnicodeString
`param2` UnicodeString

Event ID 32866: Loading type param1 for custom shell with shell Id param2.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: win:None
Opcode: connect

Description

Loading type param1 for custom shell with shell Id param2.

Message #

Loading type %1 for custom shell with shell Id %2

Fields #

Name	Description
`param1` UnicodeString
`param2` UnicodeString

Event ID 32867: Received remoting fragment.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Also via: realtime ETW trace
Level: Verbose
Task: win:None
Opcode: Receive(Async)

Description

Received remoting fragment.

Message #

Received remoting fragment. 
 	 Object Id: %1 
 	 Fragment Id: %2 
 	 Start Flag: %3 
 	 End Flag: %4 
 	 Payload Length: %5 
 	 Payload Data: %6

Fields #

Name	Description
`ObjectId` Int64
`FragmentId` Int64
`sFlag` Int32	Known values `0` Not a Start fragment - this fragment is a continuation of a previous fragment `1` Start fragment - this is the first fragment of a PSRP message (FragmentId must be 0)
`eFlag` Int32	Known values `0` Not an End fragment - more fragments follow for this PSRP message `1` End fragment - this is the final fragment of a PSRP message
`FragmentLength` UInt32
`FragmentPayload` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-PowerShell",
    "guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
    "event_source_name": "",
    "event_id": 32867,
    "version": 1,
    "level": 5,
    "task": 0,
    "opcode": 22,
    "keywords": "0x4000000000000008",
    "time_created": "2026-06-02T04:29:47.999+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{877F78A1-F053-0000-F6D5-7F8753F0DC01}"
    },
    "execution": {
      "process_id": 15220,
      "thread_id": 4892
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "FragmentId": 0,
    "FragmentLength": 752,
    "FragmentPayload": "0x0200000002000100F80C45E3FDEBC74497D8B6C7C3DA856900000000000000000000000000000000EFBBBF3C4F626A2052656649643D2230223E3C4D533E3C56657273696F6E204E3D2270726F746F636F6C76657273696F6E223E322E333C2F56657273696F6E3E3C56657273696F6E204E3D22505356657273696F6E223E322E303C2F56657273696F6E3E3C56657273696F6E204E3D2253657269616C697A6174696F6E56657273696F6E223E312E312E302E313C2F56657273696F6E3E3C4241204E3D2254696D655A6F6E65223E414145414141442F2F2F2F2F415141414141414141414145415141414142785465584E305A57307551335679636D567564464E356333526C62565270625756616232356C424141414142647458304E685932686C5A455268655778705A32683051326868626D646C63773174583352705932747A54325A6D63325630446D316663335268626D5268636D524F5957316C446D31665A47463562476C6E6148524F5957316C417741424152785465584E305A573075513239736247566A64476C76626E4D755347467A61485268596D786C43516B434141414141414141414141414141414B436751434141414148464E356333526C62533544623278735A574E30615739756379354959584E6F644746696247554841414141436B78765957524759574E3062334948566D567963326C76626768446232317759584A6C6368424959584E6F5132396B5A56427962335A705A47567943456868633268546158706C4245746C65584D47566D46736457567A41414144417741464251734948464E356333526C62533544623278735A574E30615739756379354A51323974634746795A58496B55336C7A644756744C6B4E766247786C593352706232357A4C6B6C4959584E6F5132396B5A56427962335A705A475679434F78524F4438414141414143676F444141414143514D414141414A424141414142414441414141414141414142414541414141414141414141733D3C2F42413E3C2F4D533E3C2F4F626A3E",
    "ObjectId": 17,
    "eFlag": 1,
    "sFlag": 1
  },
  "message": "win:None"
}

Event ID 32868: Sent remoting fragment.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Also via: realtime ETW trace
Level: Verbose
Task: win:None
Opcode: Send(Async)

Description

Sent remoting fragment.

Message #

Sent remoting fragment. 
 	 Object Id: %1 
 	 Fragment Id: %2 
 	 Start Flag: %3 
 	 End Flag: %4 
 	 Payload Length: %5 
 	 Payload Data: %6

Fields #

Name	Description
`ObjectId` Int64
`FragmentId` Int64
`sFlag` Int32	Known values `0` Not a Start fragment - this fragment is a continuation of a previous fragment `1` Start fragment - this is the first fragment of a PSRP message (FragmentId must be 0)
`eFlag` Int32	Known values `0` Not an End fragment - more fragments follow for this PSRP message `1` End fragment - this is the final fragment of a PSRP message
`FragmentLength` UInt32
`FragmentPayload` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-PowerShell",
    "guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
    "event_source_name": "",
    "event_id": 32868,
    "version": 1,
    "level": 5,
    "task": 0,
    "opcode": 21,
    "keywords": "0x4000000000000008",
    "time_created": "2026-06-02T04:29:48.022+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{877F78A1-F053-0000-F6D5-7F8753F0DC01}"
    },
    "execution": {
      "process_id": 15220,
      "thread_id": 4892
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "FragmentId": 0,
    "FragmentLength": 202,
    "FragmentPayload": "0x01000000020001000000000000000000000000000000000000000000000000000000000000000000EFBBBF3C4F626A2052656649643D2230223E3C4D533E3C56657273696F6E204E3D2270726F746F636F6C76657273696F6E223E322E333C2F56657273696F6E3E3C56657273696F6E204E3D22505356657273696F6E223E322E303C2F56657273696F6E3E3C56657273696F6E204E3D2253657269616C697A6174696F6E56657273696F6E223E312E312E302E313C2F56657273696F6E3E3C2F4D533E3C2F4F626A3E",
    "ObjectId": 1,
    "eFlag": 1,
    "sFlag": 1
  },
  "message": "win:None"
}

Event ID 32869: Shutting down winrm service.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: win:None
Opcode: Shuttingdown

Description

Shutting down winrm service.

Message #

Shutting down winrm service.

Event ID 40961: PowerShell console is starting up

Provider: Microsoft-Windows-PowerShell
Channel: Operational
Level: Informational
Collection Priority: Recommended (Yamato Security)
Task: PowerShellConsoleStartup
Opcode: Start

Description

PowerShell console is starting up.

Message #

PowerShell console is starting up

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-PowerShell",
    "guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
    "event_source_name": "",
    "event_id": 40961,
    "version": 1,
    "level": 4,
    "task": 4,
    "opcode": 1,
    "keywords": 0,
    "time_created": "2026-06-13T05:24:19.4248057+00:00",
    "event_record_id": 164809,
    "correlation": {
      "ActivityID": "{AA583517-FAF4-0001-143A-58AAF4FADC01}"
    },
    "execution": {
      "process_id": 7180,
      "thread_id": 7184
    },
    "channel": "Microsoft-Windows-PowerShell/Operational",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "event_data": {},
  "message": "PowerShell console is starting up"
}

Event ID 40962: PowerShell console is ready for user input

Provider: Microsoft-Windows-PowerShell
Channel: Operational
Level: Informational
Collection Priority: Recommended (Yamato Security)
Task: PowerShellConsoleStartup
Opcode: Stop

Description

PowerShell console is ready for user input.

Message #

PowerShell console is ready for user input

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-PowerShell",
    "guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
    "event_source_name": "",
    "event_id": 40962,
    "version": 1,
    "level": 4,
    "task": 4,
    "opcode": 2,
    "keywords": 0,
    "time_created": "2026-06-13T05:24:20.0746353+00:00",
    "event_record_id": 164811,
    "correlation": {
      "ActivityID": "{AA583517-FAF4-0001-143A-58AAF4FADC01}"
    },
    "execution": {
      "process_id": 7180,
      "thread_id": 7184
    },
    "channel": "Microsoft-Windows-PowerShell/Operational",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "event_data": {},
  "message": "PowerShell console is ready for user input"
}

Event ID 45057: Tracing ErrorRecord.

Provider: Microsoft-Windows-PowerShell
Channel: Debug
Opcode: Tobeusedwhenanexceptionisraised

Description

Tracing ErrorRecord.

Message #

Tracing ErrorRecord: 
 Message: %1 
 CategoryInfo.Category: %2 
 CategoryInfo.Reason : %3 
 CategoryInfo.TargetName : %4 
 FullyQualifiedErrorId: %5 
 Exception Details: 
 Message : %6 
 Stack Trace: %7 
 InnerException %8

Fields #

Name	Description
`Message` UnicodeString	[Exception Details] Message.
`Category` UnicodeString
`Reason` UnicodeString
`TargetName` UnicodeString
`FullyQualifiedErrorId` UnicodeString	[Tracing ErrorRecord] FullyQualifiedErrorId.
`ExceptionMessage` UnicodeString
`ExceptionStackTrace` UnicodeString
`ExceptionInnerException` UnicodeString

Event ID 45058: Exception: Message: Message StackTrace: StackTrace InnerException : InnerException.

Provider: Microsoft-Windows-PowerShell
Channel: Debug
Opcode: Tobeusedwhenanexceptionisraised

Description

Exception.

Message #

Exception: 
 Message: %1 
 StackTrace: %2 
 InnerException : %3

Fields #

Name	Description
`param1` UnicodeString
`param2` UnicodeString
`param3` UnicodeString

Event ID 45059: Tracing PSObject

Provider: Microsoft-Windows-PowerShell
Channel: Debug
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

Tracing PSObject.

Message #

Tracing PSObject

Event ID 45060: Tracing Job: Id: Id InstanceId: InstanceId Name: Name Location: Location State: State Command: Command.

Provider: Microsoft-Windows-PowerShell
Channel: Debug
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

Tracing Job.

Message #

Tracing Job: 
 Id: %1 
 InstanceId: %2 
 Name: %3 
 Location: %4 
 State: %5 
 Command: %6

Fields #

Name	Description
`Id` UnicodeString	[Tracing Job] Id.
`InstanceId` UnicodeString	[Tracing Job] InstanceId.
`Name` UnicodeString	[Tracing Job] Name.
`Location` UnicodeString	[Tracing Job] Location.
`State` UnicodeString	[Tracing Job] State.
`Command` UnicodeString	[Tracing Job] Command.

Event ID 45061: Trace Information.

Provider: Microsoft-Windows-PowerShell
Channel: Debug
Also via: realtime ETW trace
Level: Informational

Description

Trace Information.

Message #

Trace Information: 
 %1

Fields #

Name	Description
`param1` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-PowerShell",
    "guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
    "event_source_name": "",
    "event_id": 45061,
    "version": 1,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": "0x2000000000000000",
    "time_created": "2026-06-02T04:29:47.998+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{877F78A1-F053-0000-F6D5-7F8753F0DC01}"
    },
    "execution": {
      "process_id": 15220,
      "thread_id": 4892
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "param1": "OutOfProcessUtils.ProcessElement : PS_OUT_OF_PROC_DATA received, psGuid : 00000000-0000-0000-0000-000000000000"
  },
  "message": "win:None"
}

Event ID 45062: Connection Paramters are Connection URI: Connection_URI Resource URI: Resource_URI User: User OpenTimeout: OpenTimeout IdleTimeout: IdleTimeout CancelTimeout: CancelTimeout AuthenticationMechanism:...

Provider: Microsoft-Windows-PowerShell
Channel: Debug
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

Connection Paramters are.

Message #

Connection Paramters are 
 Connection URI: %1 
 Resource URI: %2 
 User: %3 
 OpenTimeout: %4 
 IdleTimeout: %5 
 CancelTimeout: %6 
 AuthenticationMechanism: %7 
 Thumb Print: %8 
 MaxUriRedirectionCount: %9 
 MaxReceivedDataSizePerCommand: %10 
 MaxReceivedObjectSize: %11

Fields #

Name	Description
`uri` UnicodeString
`shell` UnicodeString
`userName` UnicodeString
`opentimeout` UnicodeString
`idletimeout` UnicodeString
`canceltimeout` UnicodeString
`auth` UInt32	Known values `0` Default - use the default authentication defined by the underlying protocol `1` Basic - use Basic authentication (credentials sent in clear text) `2` Negotiate - use Negotiate authentication for the remote connection `3` NegotiateWithImplicitCredential - use Negotiate with implicit credentials `4` CredSSP - use Credential Security Support Provider authentication `5` Digest - use Digest authentication (credentials sent as a hash value) `6` Kerberos - use Kerberos mutual authentication with certificates
`thumbPrint` UnicodeString
`redircount` UnicodeString
`recvdDataSize` UnicodeString
`recvdObjSize` UnicodeString

Event ID 45063: Workflow plugin loaded.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: WorkflowHosting
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

Workflow plugin loaded.

Message #

Workflow plugin loaded. 
 	 EndpointName: %1 
 	 User: %2 
 	 HostingMode: %3 
 	 Protocol: %4 
 	 Configuration: 
 %5

Fields #

Name	Description
`endpointName` UnicodeString
`user` UnicodeString
`hostingMode` UnicodeString
`protocol` UnicodeString
`configuration` UnicodeString

Event ID 45064: Workflow execution started.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: WorkflowExecution
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

Workflow execution started.

Message #

Workflow execution started. 
 	 WorkflowId: %1 
 	 ManagedNodes: %2

Fields #

Name	Description
`workflowId` GUID
`managedNodes` UnicodeString

Event ID 45065: Workflow state changed.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: WorkflowExecution
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

Workflow state changed.

Message #

Workflow state changed. 
 	 WorkflowId: %1 
 	 NewState: %2 
 	 OldState: %3

Fields #

Name	Description
`workflowId` GUID
`newState` UnicodeString
`oldState` UnicodeString

Event ID 45072: Workflow plugin has been requested for a shutdown.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: WorkflowHosting
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

Workflow plugin has been requested for a shutdown.

Message #

Workflow plugin has been requested for a shutdown. 
 	 EndpointName: %1

Fields #

Name	Description
`endpointName` UnicodeString

Event ID 45073: Workflow plugin restarted.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: WorkflowHosting
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

Workflow plugin restarted.

Message #

Workflow plugin restarted. 
 	 EndpointName: %1

Fields #

Name	Description
`endpointName` UnicodeString

Event ID 45074: Workflow is resuming.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: WorkflowExecution
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

Workflow is resuming.

Message #

Workflow is resuming. 
 	 WorkflowId: %1

Fields #

Name	Description
`workflowId` GUID

Event ID 45075: A quota limit that was set for the endpoint was exceeded.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: WorkflowExecution
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

A quota limit that was set for the endpoint was exceeded.

Message #

A quota limit that was set for the endpoint was exceeded. 
 	 EndpointName: %1 
 	 ConfigName: %2 
 	 AllowedValue: %3 
 	 ValueInQuestion: %4

Fields #

Name	Description
`endpointName` UnicodeString
`configName` UnicodeString
`allowedValue` UnicodeString
`valueInQuestion` UnicodeString

Event ID 45076: Workflow has resumed.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: WorkflowExecution
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

Workflow has resumed.

Message #

Workflow has resumed. 
 	 WorkflowId: %1

Fields #

Name	Description
`workflowId` GUID

Event ID 45078: Workflow runspace pool was created.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: WorkflowExecution
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

Workflow runspace pool was created.

Message #

Workflow runspace pool was created. 
 	 WorkflowId: %1 
 	 ManagedNode: %2

Fields #

Name	Description
`workflowId` GUID
`managedNode` UnicodeString

Event ID 45079: Activity was queued for execution.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: WorkflowExecution
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

Activity was queued for execution.

Message #

Activity was queued for execution. 
 	 WorkflowId: %1 
 	 ActivityName: %2

Fields #

Name	Description
`workflowId` GUID
`activityName` UnicodeString

Event ID 45080: Activity execution started.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: WorkflowExecution
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

Activity execution started.

Message #

Activity execution started. 
 	 ActivityName: %1 
 	 ActivityTypeName: %2

Fields #

Name	Description
`activityName` UnicodeString
`activityTypeName` UnicodeString

Event ID 45081: Workflow is being imported from a XAML file.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: WorkflowExecution
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

Workflow is being imported from a XAML file.

Message #

Workflow is being imported from a XAML file. 
 	 WorkflowId: %1 
 	 XamlFile: %2

Fields #

Name	Description
`workflowId` GUID
`xamlFile` UnicodeString

Event ID 45082: Workflow has been imported from a XAML file.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: WorkflowExecution
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

Workflow has been imported from a XAML file.

Message #

Workflow has been imported from a XAML file. 
 	 WorkflowId: %1 
 	 XamlFile: %2

Fields #

Name	Description
`workflowId` GUID
`xamlFile` UnicodeString

Event ID 45083: Workflow could not be imported from a XAML file because of an error.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: WorkflowExecution
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

Workflow could not be imported from a XAML file because of an error.

Message #

Workflow could not be imported from a XAML file because of an error. 
 	 WorkflowId: %1 
 	 ErrorDescription: %2

Fields #

Name	Description
`workflowId` GUID
`errorDescription` UnicodeString

Event ID 45084: Workflow validation started.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: WorkflowValidation
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

Workflow validation started.

Message #

Workflow validation started. 
 	 WorkflowId: %1

Fields #

Name	Description
`workflowId` GUID

Event ID 45085: Workflow validation succeeded.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: WorkflowValidation
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

Workflow validation succeeded.

Message #

Workflow validation succeeded. 
 	 WorkflowId: %1

Fields #

Name	Description
`workflowId` GUID

Event ID 45086: Workflow validation failed with error.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: WorkflowValidation
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

Workflow validation failed with error.

Message #

Workflow validation failed with error. 
 	 WorkflowId: %1

Fields #

Name	Description
`workflowId` GUID

Event ID 45087: Workflow activity validated.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: WorkflowExecution
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

Workflow activity validated.

Message #

Workflow activity validated. 
 	 WorkflowId: %1 
 	 ActivityDisplayName: %2 
 	 ActivityTypeName: %3

Fields #

Name	Description
`workflowId` GUID
`activityDisplayName` UnicodeString
`activityType` UnicodeString

Event ID 45088: Workflow activity could not be validated.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: WorkflowValidation
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

Workflow activity could not be validated.

Message #

Workflow activity could not be validated. 
 	 WorkflowId: %1 
 	 ActivityDisplayName: %2 
 	 ActivityTypeName: %3

Fields #

Name	Description
`workflowId` GUID
`activityDisplayName` UnicodeString
`activityType` UnicodeString

Event ID 45089: Activity execution failed.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: WorkflowExecution
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

Activity execution failed.

Message #

Activity execution failed. 
 	 WorkflowId: %1 
 	 ActivityName: %2 
 	 FailureDescription: %3

Fields #

Name	Description
`workflowId` GUID
`activityName` UnicodeString
`failureDescription` UnicodeString

Event ID 45090: Runspace availability changed.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: WorkflowExecution
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

Runspace availability changed.

Message #

Runspace availability changed. 
 	 RunspaceId: %1 
 	 Availability: %2

Fields #

Name	Description
`runspaceId` UnicodeString
`availability` UnicodeString

Event ID 45091: Runspace state changed.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: WorkflowExecution
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

Runspace state changed.

Message #

Runspace state changed. 
 	 RunspaceId: %1 
 	 NewState: %2 
 	 OldState: %3

Fields #

Name	Description
`runspaceId` UnicodeString
`newState` UnicodeString
`oldState` UnicodeString

Event ID 45092: Workflow loaded for execution.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: WorkflowExecution
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

Workflow loaded for execution.

Message #

Workflow loaded for execution. 
 	 WorkflowId: %1

Fields #

Name	Description
`workflowId` GUID

Event ID 45093: Workflow unloaded.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: WorkflowExecution
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

Workflow unloaded.

Message #

Workflow unloaded. 
 	 WorkflowId: %1

Fields #

Name	Description
`workflowId` GUID

Event ID 45094: Workflow execution cancelled.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: WorkflowExecution
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

Workflow execution cancelled.

Message #

Workflow execution cancelled. 
 	 WorkflowId: %1

Fields #

Name	Description
`workflowId` GUID

Event ID 45095: Workflow execution aborted.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: WorkflowExecution
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

Workflow execution aborted.

Message #

Workflow execution aborted. 
 	 WorkflowId: %1

Fields #

Name	Description
`workflowId` GUID

Event ID 45096: Workflow cleanup operation executed.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: WorkflowExecution
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

Workflow cleanup operation executed.

Message #

Workflow cleanup operation executed. 
 	 WorkflowId: %1

Fields #

Name	Description
`workflowId` GUID

Event ID 45097: Persisted workflow loaded from disk.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: WorkflowExecution
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

Persisted workflow loaded from disk.

Message #

Persisted workflow loaded from disk. 
 	 WorkflowId: %1 
 	 Path: %2

Fields #

Name	Description
`workflowId` GUID
`path` UnicodeString

Event ID 45098: Workflow data was deleted from disk.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: WorkflowExecution
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

Workflow data was deleted from disk.

Message #

Workflow data was deleted from disk. 
 	 WorkflowId: %1 
 	 Path: %2

Fields #

Name	Description
`workflowId` GUID
`path` UnicodeString

Event ID 45100: Starting remove job.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: WorkflowExecution
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

Starting remove job.

Message #

Starting remove job. 
 	 JobId: %1

Fields #

Name	Description
`jobId` GUID

Event ID 45101: Job state changed.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: WorkflowExecution
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

Job state changed.

Message #

Job state changed. 
 	 JobId: %1 
 	 WorkflowId: %2 
 	 NewState: %3 
 	 OldState: %4

Fields #

Name	Description
`jobId` Int32
`workflowId` GUID
`newState` UnicodeString
`oldState` UnicodeString

Event ID 45102: Job error.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: WorkflowExecution
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

Job error.

Message #

Job error. 
 	 JobId: %1 
 	 WorkflowId: %2 
 	 ErrorDescription: %3

Fields #

Name	Description
`jobId` Int32
`workflowId` GUID
`errorDescription` UnicodeString

Event ID 45104: Job created for workflow (child job).

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: WorkflowExecution
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

Job created for workflow (child job).

Message #

Job created for workflow (child job). 
 	 ParentJobId: %1 
 	 ChildJobId: %2 
 	 ChildWorkflowId: %3

Fields #

Name	Description
`parentJobId` GUID
`childJobId` GUID
`childWorkflowId` GUID

Event ID 45105: Parent job created for workflow.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: WorkflowExecution
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

Parent job created for workflow.

Message #

Parent job created for workflow. 
 	 JobId: %1

Fields #

Name	Description
`jobId` GUID

Event ID 45106: All required jobs were created for workflow execution.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: WorkflowExecution
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

All required jobs were created for workflow execution.

Message #

All required jobs were created for workflow execution. 
 	 JobId: %1 
 	 WorkflowId: %2

Fields #

Name	Description
`jobId` GUID
`workflowId` GUID

Event ID 45107: Child job removed for workflow.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: WorkflowExecution
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

Child job removed for workflow.

Message #

Child job removed for workflow. 
 	 ParentJobId: %1 
 	 ChildJobId: %2 
 	 WorkflowId: %3

Fields #

Name	Description
`parentJobId` GUID
`childJobId` GUID
`workflowId` GUID

Event ID 45108: An error occurred while removing job.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: WorkflowExecution
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

An error occurred while removing job.

Message #

An error occurred while removing job. 
 	 ParentJobId: %1 
 	 ChildJobId: %2 
 	 WorkflowId: %3 
 	 Error: %4

Fields #

Name	Description
`parentJobId` GUID
`childJobId` GUID
`workflowId` GUID
`error` UnicodeString

Event ID 45109: Loading workflow for execution.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: WorkflowExecution
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

Loading workflow for execution.

Message #

Loading workflow for execution. 
 	 WorkflowId: %1

Fields #

Name	Description
`workflowId` GUID

Event ID 45110: Workflow execution finished.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: WorkflowExecution
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

Workflow execution finished.

Message #

Workflow execution finished. 
 	 WorkflowId: %1

Fields #

Name	Description
`workflowId` GUID

Event ID 45111: Cancelling workflow execution.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: WorkflowExecution
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

Cancelling workflow execution.

Message #

Cancelling workflow execution. 
 	 WorkflowId: %1

Fields #

Name	Description
`workflowId` GUID

Event ID 45112: Aborting workflow execution.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: WorkflowExecution
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

Aborting workflow execution.

Message #

Aborting workflow execution. 
 	 WorkflowId: %1 
 	 Reason: %2

Fields #

Name	Description
`workflowId` GUID
`reason` UnicodeString

Event ID 45113: Unloading workflow.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: WorkflowExecution
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

Unloading workflow.

Message #

Unloading workflow. 
 	 WorkflowId: %1

Fields #

Name	Description
`workflowId` GUID

Event ID 45114: Forced workflow shutdown started.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: WorkflowExecution
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

Forced workflow shutdown started.

Message #

Forced workflow shutdown started. 
 	 WorkflowId: %1

Fields #

Name	Description
`workflowId` GUID

Event ID 45115: Forced workflow shutdown finished.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: WorkflowExecution
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

Forced workflow shutdown finished.

Message #

Forced workflow shutdown finished. 
 	 WorkflowId: %1

Fields #

Name	Description
`workflowId` GUID

Event ID 45116: An error occurred while forcefully shutting down a workflow.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: WorkflowExecution
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

An error occurred while forcefully shutting down a workflow.

Message #

An error occurred while forcefully shutting down a workflow. 
 	 WorkflowId: %1 
 	 ErrorDescription: %2

Fields #

Name	Description
`workflowId` GUID
`errorDescription` UnicodeString

Event ID 45117: Persisting workflow to disk.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: WorkflowExecution
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

Persisting workflow to disk.

Message #

Persisting workflow to disk. 
 	 WorkflowId: %1 
 	 PersistPath: %2

Fields #

Name	Description
`workflowId` GUID
`persistPath` UnicodeString

Event ID 45118: Workflow persisted to disk.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: WorkflowExecution
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

Workflow persisted to disk.

Message #

Workflow persisted to disk. 
 	 WorkflowId: %1

Fields #

Name	Description
`workflowId` GUID

Event ID 45119: Activity execution finished.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: WorkflowExecution
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

Activity execution finished.

Message #

Activity execution finished. 
 	 ActivityName: %1

Fields #

Name	Description
`activityName` UnicodeString

Event ID 45120: Workflow execution error.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: WorkflowExecution
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

Workflow execution error.

Message #

Workflow execution error. 
 	 WorkflowId: %1 
 	 ErrorDescription: %2

Fields #

Name	Description
`workflowId` GUID
`errorDescription` UnicodeString

Event ID 45121: A new PowerShell endpoint was registered.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: Configuration
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

A new PowerShell endpoint was registered.

Message #

A new PowerShell endpoint was registered. 
 	 EndpointName: %1 
 	 EndpointType: %2 
 	 RegisteredBy: %3

Fields #

Name	Description
`endpointName` UnicodeString
`endpointType` UnicodeString
`registeredBy` UnicodeString

Event ID 45122: Endpoint configuration modified.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: Configuration
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

Endpoint configuration modified.

Message #

Endpoint configuration modified. 
 	 EndpointName: %1 
 	 ModifiedBy: %2

Fields #

Name	Description
`endpointName` UnicodeString
`modifiedBy` UnicodeString

Event ID 45123: Endpoint configuration unregistered.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: Configuration
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

Endpoint configuration unregistered.

Message #

Endpoint configuration unregistered. 
 	 EndpointName: %1 
 	 UnregisteredBy: %2

Fields #

Name	Description
`endpointName` UnicodeString
`unregisteredBy` UnicodeString

Event ID 45124: Endpoint configuration disabled.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: Configuration
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

Endpoint configuration disabled.

Message #

Endpoint configuration disabled. 
 	 EndpointName: %1 
 	 DisabledBy: %2

Fields #

Name	Description
`endpointName` UnicodeString
`disabledBy` UnicodeString

Event ID 45125: Endpoint configuration enabled.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: Configuration
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

Endpoint configuration enabled.

Message #

Endpoint configuration enabled. 
 	 EndpointName: %1 
 	 EnabledBy: %2

Fields #

Name	Description
`endpointName` UnicodeString
`enabledBy` UnicodeString

Event ID 45126: Out of process runspace started.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: WorkflowExecution
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

Out of process runspace started.

Message #

Out of process runspace started. 
 	 Command: %1

Fields #

Name	Description
`command` UnicodeString

Event ID 45127: Parameter splatting was performed during workflow execution.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: WorkflowExecution
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

Parameter splatting was performed during workflow execution.

Message #

Parameter splatting was performed during workflow execution. 
 	 Parameters: %1 
 	 Computers: %2

Fields #

Name	Description
`parameters` UnicodeString
`computers` UnicodeString

Event ID 45128: Workflow engine started.

Provider: Microsoft-Windows-PowerShell
Channel: Analytic
Task: WorkflowHosting
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

Workflow engine started.

Message #

Workflow engine started. 
 	 EndpointName: %1

Fields #

Name	Description
`endpointName` UnicodeString

Event ID 45129: Workflow manager instantiated with CheckpointPath: CheckpointPath ConfigProviderId: ConfigProviderId UserName: UserName Path: Path.

Provider: Microsoft-Windows-PowerShell
Channel: Debug

Description

Workflow manager instantiated with.

Message #

Workflow manager instantiated with 
 	 CheckpointPath: %1 
 	 ConfigProviderId: %2 
 	 UserName: %3 
 	 Path: %4

Fields #

Name	Description
`checkpointPath` UnicodeString
`configProviderId` UnicodeString
`userName` UnicodeString
`path` UnicodeString

Event ID 46337: BEGIN ImportWorkflowCommand::StartWorkflowApplication.

Provider: Microsoft-Windows-PowerShell
Channel: Debug

Description

BEGIN ImportWorkflowCommand::StartWorkflowApplication. Starting invocation of workflow function. Tracking Guid TrackingId.

Message #

BEGIN ImportWorkflowCommand::StartWorkflowApplication. Starting invocation of workflow function. Tracking Guid %1

Fields #

Name	Description
`TrackingId` GUID

Event ID 46338: END ImportWorkflowCommand::StartWorkflowApplication.

Provider: Microsoft-Windows-PowerShell
Channel: Debug

Description

END ImportWorkflowCommand::StartWorkflowApplication. Ending invocation of workflow function. Tracking Guid TrackingId.

Message #

END ImportWorkflowCommand::StartWorkflowApplication. Ending invocation of workflow function. Tracking Guid %1

Fields #

Name	Description
`TrackingId` GUID

Event ID 46339: BEGIN Creating new job in ImportWorkflowCommand::StartWorkflowApplication.

Provider: Microsoft-Windows-PowerShell
Channel: Debug

Description

BEGIN Creating new job in ImportWorkflowCommand::StartWorkflowApplication. Tracking Guid TrackingId.

Message #

BEGIN Creating new job in ImportWorkflowCommand::StartWorkflowApplication. Tracking Guid %1

Fields #

Name	Description
`TrackingId` GUID

Event ID 46340: END Creating new job in ImportWorkflowCommand::StartWorkflowApplication.

Provider: Microsoft-Windows-PowerShell
Channel: Debug

Description

END Creating new job in ImportWorkflowCommand::StartWorkflowApplication. Tracking Guid TrackingId.

Message #

END Creating new job in ImportWorkflowCommand::StartWorkflowApplication. Tracking Guid %1

Fields #

Name	Description
`TrackingId` GUID

Event ID 46341: END Creating new job in ImportWorkflowCommand::StartWorkflowApplication.

Provider: Microsoft-Windows-PowerShell
Channel: Debug

Description

END Creating new job in ImportWorkflowCommand::StartWorkflowApplication. Tracking Guid TrackingId : ContainerParentJob Guid ContainerParentJobInstanceId.

Message #

END Creating new job in ImportWorkflowCommand::StartWorkflowApplication. Tracking Guid %1 : ContainerParentJob Guid %2

Fields #

Name	Description
`TrackingId` GUID
`ContainerParentJobInstanceId` GUID

Event ID 46342: BEGIN JobLogic ContainerParentJob Guid WorkflowJobJobInstanceId.

Provider: Microsoft-Windows-PowerShell
Channel: Debug

Description

BEGIN JobLogic ContainerParentJob Guid WorkflowJobJobInstanceId.

Message #

BEGIN JobLogic ContainerParentJob Guid %1

Fields #

Name	Description
`WorkflowJobJobInstanceId` GUID

Event ID 46343: END JobLogic ContainerParentJob Guid WorkflowJobJobInstanceId.

Provider: Microsoft-Windows-PowerShell
Channel: Debug

Description

END JobLogic ContainerParentJob Guid WorkflowJobJobInstanceId.

Message #

END JobLogic ContainerParentJob Guid %1

Fields #

Name	Description
`WorkflowJobJobInstanceId` GUID

Event ID 46344: BEGIN WorkflowExecution ContainerParentJob Guid WorkflowJobJobInstanceId.

Provider: Microsoft-Windows-PowerShell
Channel: Debug

Description

BEGIN WorkflowExecution ContainerParentJob Guid WorkflowJobJobInstanceId.

Message #

BEGIN WorkflowExecution ContainerParentJob Guid %1

Fields #

Name	Description
`WorkflowJobJobInstanceId` GUID

Event ID 46345: END WorkflowExecution ContainerParentJob Guid WorkflowJobJobInstanceId.

Provider: Microsoft-Windows-PowerShell
Channel: Debug

Description

END WorkflowExecution ContainerParentJob Guid WorkflowJobJobInstanceId.

Message #

END WorkflowExecution ContainerParentJob Guid %1

Fields #

Name	Description
`WorkflowJobJobInstanceId` GUID

Event ID 46346: WorkflowJob with Guid WorkflowJobInstanceId added to ContainerParentJob with Guid ContainerParentJobInstanceId.

Provider: Microsoft-Windows-PowerShell
Channel: Debug

Description

WorkflowJob with Guid WorkflowJobInstanceId added to ContainerParentJob with Guid ContainerParentJobInstanceId.

Message #

WorkflowJob with Guid %1 added to ContainerParentJob with Guid %2

Fields #

Name	Description
`WorkflowJobInstanceId` GUID
`ContainerParentJobInstanceId` GUID

Event ID 46347: ProxyJob with Guid ProxyJobInstanceId associated with remote ContainerParentJob with Guid ContainerParentJobInstanceId.

Provider: Microsoft-Windows-PowerShell
Channel: Debug

Description

ProxyJob with Guid ProxyJobInstanceId associated with remote ContainerParentJob with Guid ContainerParentJobInstanceId.

Message #

ProxyJob with Guid %1 associated with remote ContainerParentJob with Guid %2

Fields #

Name	Description
`ProxyJobInstanceId` GUID
`ContainerParentJobInstanceId` GUID

Event ID 46348: BEGIN Execution of ContainerParentJob with Guid ContainerParentJobInstanceId.

Provider: Microsoft-Windows-PowerShell
Channel: Debug

Description

BEGIN Execution of ContainerParentJob with Guid ContainerParentJobInstanceId.

Message #

BEGIN Execution of ContainerParentJob with Guid %1

Fields #

Name	Description
`ContainerParentJobInstanceId` GUID

Event ID 46349: END Execution of ContainerParentJob with Guid ContainerParentJobInstanceId.

Provider: Microsoft-Windows-PowerShell
Channel: Debug

Description

END Execution of ContainerParentJob with Guid ContainerParentJobInstanceId.

Message #

END Execution of ContainerParentJob with Guid %1

Fields #

Name	Description
`ContainerParentJobInstanceId` GUID

Event ID 46350: BEGIN Execution of Proxy Job with Guid ProxyJobInstanceId.

Provider: Microsoft-Windows-PowerShell
Channel: Debug

Description

BEGIN Execution of Proxy Job with Guid ProxyJobInstanceId.

Message #

BEGIN Execution of Proxy Job with Guid %1

Fields #

Name	Description
`ProxyJobInstanceId` GUID

Event ID 46351: END Execution of Proxy Job with Guid ProxyJobInstanceId.

Provider: Microsoft-Windows-PowerShell
Channel: Debug

Description

END Execution of Proxy Job with Guid ProxyJobInstanceId.

Message #

END Execution of Proxy Job with Guid %1

Fields #

Name	Description
`ProxyJobInstanceId` GUID

Event ID 46352: BEGIN StateChanged event handler for Proxy Job with Guid ProxyJobInstanceId.

Provider: Microsoft-Windows-PowerShell
Channel: Debug

Description

BEGIN StateChanged event handler for Proxy Job with Guid ProxyJobInstanceId.

Message #

BEGIN StateChanged event handler for Proxy Job with Guid %1

Fields #

Name	Description
`ProxyJobInstanceId` GUID

Event ID 46353: END StateChanged event handler for Proxy Job with Guid ProxyJobInstanceId.

Provider: Microsoft-Windows-PowerShell
Channel: Debug

Description

END StateChanged event handler for Proxy Job with Guid ProxyJobInstanceId.

Message #

END StateChanged event handler for Proxy Job with Guid %1

Fields #

Name	Description
`ProxyJobInstanceId` GUID

Event ID 46354: BEGIN StateChanged event handler for Proxy Child Job with Guid ProxyChildJobInstanceId.

Provider: Microsoft-Windows-PowerShell
Channel: Debug

Description

BEGIN StateChanged event handler for Proxy Child Job with Guid ProxyChildJobInstanceId.

Message #

BEGIN StateChanged event handler for Proxy Child Job with Guid %1

Fields #

Name	Description
`ProxyChildJobInstanceId` GUID

Event ID 46355: END StateChanged event handler for Proxy Child Job with Guid ProxyChildJobInstanceId.

Provider: Microsoft-Windows-PowerShell
Channel: Debug

Description

END StateChanged event handler for Proxy Child Job with Guid ProxyChildJobInstanceId.

Message #

END StateChanged event handler for Proxy Child Job with Guid %1

Fields #

Name	Description
`ProxyChildJobInstanceId` GUID

Event ID 46356: BEGIN Running garbage collection

Provider: Microsoft-Windows-PowerShell
Channel: Debug

Description

BEGIN Running garbage collection.

Message #

BEGIN Running garbage collection

Event ID 46357: END Running garbage collection

Provider: Microsoft-Windows-PowerShell
Channel: Debug

Description

END Running garbage collection.

Message #

END Running garbage collection

Event ID 46358: Persistence store has reached its maximum specified size

Provider: Microsoft-Windows-PowerShell
Channel: Operational
Collection Priority: Recommended (Yamato Security)

Description

Persistence store has reached its maximum specified size.

Message #

Persistence store has reached its maximum specified size

Event ID 49152: message.

Provider: Microsoft-Windows-PowerShell
Channel: Debug

Description

message

Message #

%1

Fields #

Name	Description
`message` UnicodeString

Event ID 49153: Trace Information.

Provider: Microsoft-Windows-PowerShell
Channel: Debug

Description

Trace Information.

Message #

Trace Information: 
 %1 %2

Fields #

Name	Description
`param1` UnicodeString
`param2` UnicodeString

Event ID 53249: Scheduled Job ScheduledJobDefName started at StartTime.

Provider: Microsoft-Windows-PowerShell
Channel: Operational
Collection Priority: Recommended (Yamato Security)
Task: PowerShellScheduledJobs
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

Scheduled Job ScheduledJobDefName started at StartTime.

Message #

Scheduled Job %1 started at %2

Fields #

Name	Description
`ScheduledJobDefName` UnicodeString
`StartTime` UnicodeString

Event ID 53250: Scheduled Job ScheduledJobDefName completed at StopTime with state State.

Provider: Microsoft-Windows-PowerShell
Channel: Operational
Collection Priority: Recommended (Yamato Security)
Task: PowerShellScheduledJobs
Opcode: Tobeusedwhenoperationisjustexecutingamethod

Description

Scheduled Job ScheduledJobDefName completed at StopTime with state State.

Message #

Scheduled Job %1 completed at %2 with state %3

Fields #

Name	Description
`ScheduledJobDefName` UnicodeString
`StopTime` UnicodeString
`State` UnicodeString

Event ID 53251: Scheduled Job Exception Message.

Provider: Microsoft-Windows-PowerShell
Channel: Operational
Collection Priority: Recommended (Yamato Security)
Task: PowerShellScheduledJobs
Opcode: Tobeusedwhenanexceptionisraised

Description

Scheduled Job Exception Message.

Message #

Scheduled Job Exception %1: 
 Message: %2 
 StackTrace: %3 
 InnerException: %4

Fields #

Name	Description
`Name` UnicodeString
`Message` UnicodeString
`StackTrace` UnicodeString
`InnerException` UnicodeString

Event ID 53504: Windows PowerShell has started an IPC listening thread on process: param1 in AppDomain: param2.

Provider: Microsoft-Windows-PowerShell
Channel: Operational
Also via: realtime ETW trace
Level: Informational
Collection Priority: Recommended (Yamato Security)
Task: PowerShellNamedPipeIPC
Opcode: Open(async)

Description

Windows PowerShell has started an IPC listening thread on process: param1 in AppDomain: param2.

Message #

Windows PowerShell has started an IPC listening thread on process: %1 in AppDomain: %2.

Fields #

Name	Description
`param1` UnicodeString	Windows PowerShell has started an IPC listening thread on process.
`param2` UnicodeString	in AppDomain.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-PowerShell",
    "guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
    "event_source_name": "",
    "event_id": 53504,
    "version": 1,
    "level": 4,
    "task": 111,
    "opcode": 10,
    "keywords": 0,
    "time_created": "2026-06-13T14:08:49.4178649+00:00",
    "event_record_id": 168240,
    "correlation": {
      "ActivityID": "{DFAAFF10-0837-4168-B0A2-798638094318}"
    },
    "execution": {
      "process_id": 7864,
      "thread_id": 7432
    },
    "channel": "Microsoft-Windows-PowerShell/Operational",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "event_data": {
    "param1": "7864",
    "param2": "DefaultAppDomain"
  },
  "message": "Windows PowerShell has started an IPC listening thread on process: 7864 in AppDomain: DefaultAppDomain."
}

Event ID 53505: Windows PowerShell has ended an IPC listening thread on process: param1 in AppDomain: param2.

Provider: Microsoft-Windows-PowerShell
Channel: Operational
Collection Priority: Recommended (Yamato Security)
Task: PowerShellNamedPipeIPC
Opcode: Close(Async)

Description

Windows PowerShell has ended an IPC listening thread on process: param1 in AppDomain: param2.

Message #

Windows PowerShell has ended an IPC listening thread on process: %1 in AppDomain: %2.

Fields #

Name	Description
`param1` UnicodeString
`param2` UnicodeString

Event ID 53506: An error has occurred in Windows PowerShell IPC listening thread on process: param1 in AppDomain: param2.

Provider: Microsoft-Windows-PowerShell
Channel: Operational
Collection Priority: Recommended (Yamato Security)
Task: PowerShellNamedPipeIPC
Opcode: Tobeusedwhenanexceptionisraised

Description

An error has occurred in Windows PowerShell IPC listening thread on process: param1 in AppDomain: param2. Error Message: ErrorMessage.

Message #

An error has occurred in Windows PowerShell IPC listening thread on process: %1 in AppDomain: %2.  Error Message: %3.

Fields #

Name	Description
`param1` UnicodeString
`param2` UnicodeString
`param3` UnicodeString

Event ID 53507: Windows PowerShell IPC connect on process: param1 in AppDomain: param2 for User: param3.

Provider: Microsoft-Windows-PowerShell
Channel: Operational
Collection Priority: Recommended (Yamato Security)
Task: PowerShellNamedPipeIPC
Opcode: connect

Description

Windows PowerShell IPC connect on process: param1 in AppDomain: param2 for User: param3.

Message #

Windows PowerShell IPC connect on process: %1 in AppDomain: %2 for User: %3.

Fields #

Name	Description
`param1` UnicodeString
`param2` UnicodeString
`param3` UnicodeString

Event ID 53508: Windows PowerShell IPC disconnect on process: param1 in AppDomain: param2 for User: param3.

Provider: Microsoft-Windows-PowerShell
Channel: Operational
Collection Priority: Recommended (Yamato Security)
Task: PowerShellNamedPipeIPC
Opcode: Close(Async)

Description

Windows PowerShell IPC disconnect on process: param1 in AppDomain: param2 for User: param3.

Message #

Windows PowerShell IPC disconnect on process: %1 in AppDomain: %2 for User: %3.

Fields #

Name	Description
`param1` UnicodeString
`param2` UnicodeString
`param3` UnicodeString

Provenance

Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.

ETW provider GUID {A0C1853B-5C40-4B15-8766-3CF1C58F985A}

Defined in PSEvents.dll, which carries the event manifest.

Observed on:

WS2022-20348.4893, sample captured from a live trace, binary version 10.0.20348.2849, captured 2026-06-02
WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.2849, captured 2026-06-02
Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.1, captured 2026-06-02

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Microsoft-Windows-PowerShell

Event ID 4097: Computer Name $null or.

Description

Message #

Event ID 4098: Resolving to default scheme http

Description

Message #

Event ID 4099: Remote shell name resolved to default Microsoft.

Description

Message #

Event ID 4100: Payload Context: ContextInfo User Data: UserData.

Description

Message #

Fields #

Example Event #

Event ID 4101: Payload Context: ContextInfo User Data: UserData.

Description

Message #

Fields #

Example Event #

Event ID 4102: Payload Context: ContextInfo User Data: UserData.

Description

Message #

Fields #

Example Event #

Event ID 4103: Payload Context: ContextInfo User Data: UserData.

Description

Message #

Fields #

Example Event #

Detection Patterns #

Sigma

Splunk

Sigma

Splunk

Common Indicators #

Detection Rules #

Sigma # view in coverage

Splunk # view in coverage

Related Events #

References #

Event ID 4104: Creating Scriptblock text (MessageNumber of MessageTotal).

Description

Message #

Fields #

Example Event #

Detection Patterns #

Sigma

Splunk

Sigma

Splunk

Group Membership Change

Sigma

Common Indicators #

Detection Rules #

Sigma # view in coverage

Elastic # view in coverage

Splunk # view in coverage

Kusto # view in coverage

Related Events #

References #

Event ID 4105: Started invocation of ScriptBlock ID: ScriptBlockId.

Description

Message #

Fields #

Example Event #

References #

Event ID 4106: Completed invocation of ScriptBlock ID: ScriptBlockId.

Description

Message #

Fields #

Example Event #

References #

Event ID 7937: ContextInfo Context: Context User Data: User_Data.

Description

Message #

Fields #

Example Event #

Event ID 7938: Payload Context: ContextInfo User Data: UserData.

Description