Microsoft-Windows-RemoteAssistance
50 events across 4 channels
Event ID 1: Entering function FuncName.
Event ID 2: Leaving function FuncName.
Event ID 3: Application will terminate, a critical error was detected in file Line line Function function.
Event ID 4: Hit exception block of code at file Line line in function function.
Event ID 5: Branching on Line:line File:file with the string Condition.
Event ID 6: Switching on Line:line File:file with the value Condition.
Event ID 7: Entering conditional block at Line:Entering_conditional_block_at_Line File:File.
Event ID 8: Exiting conditional block at Line:Exiting_conditional_block_at_Line File:File.
Event ID 9: There was a problem interacting with COM object FuncName.
Event ID 10: A user tried to use Remote Assistance and send an invitation for help through their default email client, but Remote Assistance failed to successfu...
Description
A user tried to use Remote Assistance and send an invitation for help through their default email client, but Remote Assistance failed to successfully send the invitation. It is possible the email client configured as the default client does not support SMAPI calls, or that the email client is improperly configured. It is also possible that the user closed the email client without sending the message.
Message
Event ID 11: A user opened a Remote Assistance invitation, but the invitation was closed due to too many bad password attempts to connect to the machine.
Description
A user opened a Remote Assistance invitation, but the invitation was closed due to too many bad password attempts to connect to the machine.
Message
Event ID 12: A user tried to use Remote Assistance, group policy requires a session log to be maintained, and a session log couldn't be created.
Description
A user tried to use Remote Assistance, group policy requires a session log to be maintained, and a session log couldn't be created. Remote Assistance was terminated. Check the disk to see if there are problems with the disk or if it is full.
Message
Event ID 13: Remote Assistance started with: FuncName as the command line parameters.
Event ID 14: A Remote Assistance Invitation was successfully opened.
Description
A Remote Assistance Invitation was successfully opened.
Message
Event ID 15: An RDP connection was successfully made.
Description
An RDP connection was successfully made.
Message
Event ID 16: The Remote Assistance password was verified.
Description
The Remote Assistance password was verified. The Remote Assistance session has begun.
Message
Event ID 17: The Remote Assistance password provided was incorrect.
Event ID 18: The Remote Assistance session was disconnected remotely.
Description
The Remote Assistance session was disconnected remotely.
Message
Event ID 19: The Remote Assistance session was disconnected locally.
Description
The Remote Assistance session was disconnected locally.
Message
Event ID 20: The Remote Assistance invitation was closed, any information concerning it given out is now invalid.
Description
The Remote Assistance invitation was closed, any information concerning it given out is now invalid.
Message
Event ID 22: The helper can now view the screen.
Description
The helper can now view the screen.
Message
Event ID 23: Remote Assistance detected that it didn't restore the background and screen settings before shutting down.
Description
Remote Assistance detected that it didn't restore the background and screen settings before shutting down. An attempt was made to restore these settings.
Message
Event ID 24: The time limit of offered invitations has been reached.
Description
The time limit of offered invitations has been reached.
Message
Event ID 25: User setting value currently applied is Code.
Event ID 26: The system or GP settings do not allow an Remote Assistance invitation to be created.
Description
The system or GP settings do not allow an Remote Assistance invitation to be created. This action has been blocked by the application.
Message
Event ID 27: The system or GP settings do not allow a helper to share control.
Description
The system or GP settings do not allow a helper to share control. This action has been blocked by the application.
Message
Event ID 28: The Windows firewall has been checked and it appears that it is configured so that it will stop Remote Assistance from working.
Description
The Windows firewall has been checked and it appears that it is configured so that it will stop Remote Assistance from working.
Message
Event ID 29: The error message: FuncName has been shown to the user.
Event ID 31: Remote Assistance COM server has started.
Description
Remote Assistance COM server has started.
Message
Example Event
{
  "system": {
    "provider": "Microsoft-Windows-RemoteAssistance",
    "guid": "5B0A651A-8807-45CC-9656-7579815B6AF0",
    "event_source_name": "",
    "event_id": 31,
    "version": 0,
    "level": 5,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-05T23:50:13.780543+00:00",
    "event_record_id": 41,
    "correlation": {},
    "execution": {
      "process_id": 11236,
      "thread_id": 9452
    },
    "channel": "Microsoft-Windows-RemoteAssistance/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {},
  "message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 32: Remote Assistance COM server has ended.
Description
Remote Assistance COM server has ended.
Message
Example Event
{
  "system": {
    "provider": "Microsoft-Windows-RemoteAssistance",
    "guid": "5B0A651A-8807-45CC-9656-7579815B6AF0",
    "event_source_name": "",
    "event_id": 32,
    "version": 0,
    "level": 5,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-05T23:50:13.791029+00:00",
    "event_record_id": 42,
    "correlation": {},
    "execution": {
      "process_id": 11236,
      "thread_id": 9452
    },
    "channel": "Microsoft-Windows-RemoteAssistance/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {},
  "message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 33: The Remote Assistance ticket contained the following IP addresses: FuncName.
Event ID 34: A PNRP Node was created at the following address: FuncName.
Event ID 35: The following PNRP clouds were detected: FuncName.
Event ID 36: A PNRP Node was released at the following address: FuncName.
Event ID 37: Started looking for PNRP node with the following address: FuncName.
Event ID 38: Stopped looking for PNRP node, address: FuncName.
Event ID 39: There was a problem interacting with the PNRP service.
Event ID 40: Diagnosis Repro Attempt resulted in a success.
Description
Diagnosis Repro Attempt resulted in a success.
Message
Event ID 41: Diagnosis Repro Attempt resulted in a failure.
Description
Diagnosis Repro Attempt resulted in a failure.
Message
Event ID 42: Current time on NTP Server: FuncName.
Event ID 43: Remote Assistance troubleshooting rejected problem Code.
Event ID 44: Remote Assistance troubleshooting has confirmed the problem: FuncName.
Event ID 45: Remote Assistance troubleshooting is starting to repair the identified problem: FuncName.
Event ID 46: Remote Assistance troubleshooting successfully repaired the problem: FuncName.
Event ID 47: Remote Assistance troubleshooting failed to repair the problem: FuncName.
Event ID 100: Remote OS Type : Remote_OS_Type.
Event ID 101: Remote Assistance connection attempt failed with error code: Code.
Event ID 102: Remote Assistance reproduced the problem and created following ticket to verify the problem: FuncName.
Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID 5b0a651a-8807-45cc-9656-7579815b6af0
Defined in msra.exe, which carries the event manifest.
Observed on:
- Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.1, captured 2026-06-02