Microsoft-Windows-ServerManager-MultiMachine
333 events across 2 channels
Event ID 0: Refresh scheduler started.
Description
Refresh scheduler started.
Message
Example Event
{
"system": {
"provider": "Microsoft-Windows-ServerManager-MultiMachine",
"guid": "D8D37081-10BD-4A89-A971-1CDA6899BDB3",
"event_source_name": "",
"event_id": 0,
"version": 0,
"level": 0,
"task": 0,
"opcode": 0,
"keywords": 0,
"time_created": "2022-04-07T17:06:29.351679+00:00",
"event_record_id": 174,
"correlation": {
"ActivityID": "DD7B0B6A-4A9E-0000-F886-7BDD9E4AD801",
"RelatedActivityID": "AA4DB9AF-DA1D-455F-908A-502ABDF549C8"
},
"execution": {
"process_id": 1460,
"thread_id": 4948
},
"channel": "Microsoft-Windows-ServerManager-MultiMachine/Operational",
"computer": "WIN-FPV0DSIC9O6",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 2: Start of filtering out in-progress refresh.
Event ID 3: End of filtering out in-progress refresh.
Event ID 4: Short circuit refresh.
Description
Short circuit refresh.
Message
Example Event
{
"system": {
"provider": "Microsoft-Windows-ServerManager-MultiMachine",
"guid": "D8D37081-10BD-4A89-A971-1CDA6899BDB3",
"event_source_name": "",
"event_id": 4,
"version": 0,
"level": 4,
"task": 10,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2022-04-07T08:14:07.080861+00:00",
"event_record_id": 370,
"correlation": {
"ActivityID": "DD7B0B6A-4A9E-0001-47B6-7BDD9E4AD801"
},
"execution": {
"process_id": 1460,
"thread_id": 4948
},
"channel": "Microsoft-Windows-ServerManager-MultiMachine/Operational",
"computer": "WIN-FPV0DSIC9O6",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 5: Start of triggering refresh job.
Event ID 6: End of triggering refresh job.
Event ID 7: Error received from refresh job.
Event ID 8: Child job completed.
Description
Child job completed. Command: Command, Target: Target, State: State, Proxy Instance ID: ID.
Message
Fields
| Name | Description |
|---|---|
| ID GUID | |
| Command UnicodeString | |
| Target UnicodeString | |
| State UnicodeString | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-ServerManager-MultiMachine",
"guid": "D8D37081-10BD-4A89-A971-1CDA6899BDB3",
"event_source_name": "",
"event_id": 8,
"version": 0,
"level": 4,
"task": 12,
"opcode": 1,
"keywords": 2305843009213693952,
"time_created": "2022-04-07T17:21:43.025255+00:00",
"event_record_id": 687,
"correlation": {
"ActivityID": "1480B89F-E871-42E4-BFB4-C8F88B053137"
},
"execution": {
"process_id": 4444,
"thread_id": 940
},
"channel": "Microsoft-Windows-ServerManager-MultiMachine/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {
"ID": "E829D96F-C50A-47DE-A1F2-3823DF71237B",
"Command": "ServerManagerShell\\Invoke-_InternalServiceMethod",
"Target": "localhost",
"State": "Completed"
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 9: Parent job completed.
Description
Parent job completed. Command: Command, Target: Target, State: State, Proxy Instance ID: ID.
Message
Fields
| Name | Description |
|---|---|
| ID GUID | |
| Command UnicodeString | |
| Target UnicodeString | |
| State UnicodeString | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-ServerManager-MultiMachine",
"guid": "D8D37081-10BD-4A89-A971-1CDA6899BDB3",
"event_source_name": "",
"event_id": 9,
"version": 0,
"level": 4,
"task": 12,
"opcode": 1,
"keywords": 2305843009213693952,
"time_created": "2022-04-07T17:21:43.028446+00:00",
"event_record_id": 688,
"correlation": {
"ActivityID": "1480B89F-E871-42E4-BFB4-C8F88B053137"
},
"execution": {
"process_id": 4444,
"thread_id": 4924
},
"channel": "Microsoft-Windows-ServerManager-MultiMachine/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {
"ID": "97DEB445-282E-4B54-9C43-57E30F4270F5",
"Command": "ServerManagerShell\\Invoke-_InternalServiceMethod",
"Target": "localhost",
"State": "Completed"
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 10: Start of request for refresh.
Event ID 11: End of request for refresh.
Event ID 12: Task 'TaskName' execution started.
Event ID 13: Task 'TaskName' execution completed.
Event ID 14: Error during processing data.
Event ID 17: Error during decoding of BPA results.
Event ID 18: Start of updating Bpa result records.
Description
Start of updating Bpa result records.
Message
Event ID 19: End of updating Bpa result records.
Description
End of updating Bpa result records.
Message
Event ID 20: Short circuting of updating of Bpa result records.
Description
Short circuting of updating of Bpa result records.
Message
Event ID 21: Error during updating of Bpa result records.
Event ID 22: Triggered Bpa results updated event.
Event ID 23: Start of decoding service statuses.
Description
Start of decoding service statuses.
Message
Event ID 24: End of decoding service statuses.
Description
End of decoding service statuses.
Message
Event ID 25: Error during decoding of service statuses.
Event ID 26: Start of updating services records.
Description
Start of updating services records.
Message
Event ID 27: End of updating services records.
Description
End of updating services records.
Message
Event ID 28: Short circuting of updating of services records.
Description
Short circuting of updating of services records.
Message
Event ID 29: Error during updating of services records.
Event ID 30: Triggered services updated event.
Event ID 31: Plugin load started for Role Id roleId.
Description
Plugin load started for Role Id roleId.
Message
Fields
| Name | Description |
|---|---|
| roleId Int32 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-ServerManager-MultiMachine",
"guid": "{D8D37081-10BD-4A89-A971-1CDA6899BDB3}",
"event_source_name": "",
"event_id": 31,
"version": 0,
"level": 4,
"task": 1,
"opcode": 1,
"keywords": 2305843009213693952,
"time_created": "2026-06-13T13:40:28.2399161+00:00",
"event_record_id": 12632,
"correlation": {
"ActivityID": "{AA49AB17-FAF4-0003-35D0-4BAAF4FADC01}"
},
"execution": {
"process_id": 3824,
"thread_id": 1144
},
"channel": "Microsoft-Windows-ServerManager-MultiMachine/Operational",
"computer": "telemetry-DC-d.cell-d.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"roleId": "18"
},
"message": "Plugin load started for Role Id 18."
}
Event ID 32: Plugin load stopped for Role Id roleId.
Description
Plugin load stopped for Role Id roleId.
Message
Fields
| Name | Description |
|---|---|
| roleId Int32 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-ServerManager-MultiMachine",
"guid": "{D8D37081-10BD-4A89-A971-1CDA6899BDB3}",
"event_source_name": "",
"event_id": 32,
"version": 0,
"level": 4,
"task": 1,
"opcode": 2,
"keywords": 2305843009213693952,
"time_created": "2026-06-13T13:40:28.2407439+00:00",
"event_record_id": 12633,
"correlation": {
"ActivityID": "{AA49AB17-FAF4-0003-35D0-4BAAF4FADC01}"
},
"execution": {
"process_id": 3824,
"thread_id": 6124
},
"channel": "Microsoft-Windows-ServerManager-MultiMachine/Operational",
"computer": "telemetry-DC-d.cell-d.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"roleId": "18"
},
"message": "Plugin load stopped for Role Id 18."
}
Event ID 33: Plugin load failed for Role Id roleId.
Event ID 34: Plugin unload started for Role Id roleId.
Description
Plugin unload started for Role Id roleId.
Message
Fields
| Name | Description |
|---|---|
| roleId Int32 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-ServerManager-MultiMachine",
"guid": "D8D37081-10BD-4A89-A971-1CDA6899BDB3",
"event_source_name": "",
"event_id": 34,
"version": 0,
"level": 4,
"task": 2,
"opcode": 1,
"keywords": 2305843009213693952,
"time_created": "2022-04-07T08:38:13.298689+00:00",
"event_record_id": 514,
"correlation": {},
"execution": {
"process_id": 5300,
"thread_id": 5256
},
"channel": "Microsoft-Windows-ServerManager-MultiMachine/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {
"roleId": 481
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 35: Plugin unload stopped for Role Id roleId.
Event ID 36: Plugin unload failed for Role Id roleId.
Event ID 37: Plugin registration information is loaded.
Description
Plugin registration information is loaded.
Message
Example Event
{
"system": {
"provider": "Microsoft-Windows-ServerManager-MultiMachine",
"guid": "{D8D37081-10BD-4A89-A971-1CDA6899BDB3}",
"event_source_name": "",
"event_id": 37,
"version": 0,
"level": 4,
"task": 3,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2026-06-13T13:40:28.2399081+00:00",
"event_record_id": 12631,
"correlation": {
"ActivityID": "{AA49AB17-FAF4-0003-35D0-4BAAF4FADC01}"
},
"execution": {
"process_id": 3824,
"thread_id": 1144
},
"channel": "Microsoft-Windows-ServerManager-MultiMachine/Operational",
"computer": "telemetry-DC-d.cell-d.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {},
"message": "Plugin registration information is loaded."
}
Event ID 38: Plugin registration information failed to load.
Event ID 39: ARW launch command started.
Description
ARW launch command started.
Message
Example Event
{
"system": {
"provider": "Microsoft-Windows-ServerManager-MultiMachine",
"guid": "D8D37081-10BD-4A89-A971-1CDA6899BDB3",
"event_source_name": "",
"event_id": 39,
"version": 0,
"level": 4,
"task": 4,
"opcode": 1,
"keywords": 2305843009213693952,
"time_created": "2022-04-07T17:05:14.456573+00:00",
"event_record_id": 78,
"correlation": {
"ActivityID": "DD7B0B6A-4A9E-0001-737B-7BDD9E4AD801"
},
"execution": {
"process_id": 1460,
"thread_id": 4948
},
"channel": "Microsoft-Windows-ServerManager-MultiMachine/Operational",
"computer": "WIN-FPV0DSIC9O6",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 40: ARW launch command completed.
Description
ARW launch command completed.
Message
Example Event
{
"system": {
"provider": "Microsoft-Windows-ServerManager-MultiMachine",
"guid": "D8D37081-10BD-4A89-A971-1CDA6899BDB3",
"event_source_name": "",
"event_id": 40,
"version": 0,
"level": 4,
"task": 4,
"opcode": 2,
"keywords": 2305843009213693952,
"time_created": "2022-04-07T17:05:14.691796+00:00",
"event_record_id": 86,
"correlation": {
"ActivityID": "DD7B0B6A-4A9E-0001-737B-7BDD9E4AD801"
},
"execution": {
"process_id": 1460,
"thread_id": 4948
},
"channel": "Microsoft-Windows-ServerManager-MultiMachine/Operational",
"computer": "WIN-FPV0DSIC9O6",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 43: The requested server machineName is already added.
Event ID 44: Add server command failed while adding server machineName, failure: errorMessage.
Event ID 47: Started initializing service provider.
Description
Started initializing service provider.
Message
Example Event
{
"system": {
"provider": "Microsoft-Windows-ServerManager-MultiMachine",
"guid": "D8D37081-10BD-4A89-A971-1CDA6899BDB3",
"event_source_name": "",
"event_id": 47,
"version": 0,
"level": 4,
"task": 5,
"opcode": 1,
"keywords": 2305843009213693952,
"time_created": "2022-04-07T16:58:09.017503+00:00",
"event_record_id": 517,
"correlation": {},
"execution": {
"process_id": 4444,
"thread_id": 4448
},
"channel": "Microsoft-Windows-ServerManager-MultiMachine/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 48: Completed initializing service provider.
Description
Completed initializing service provider.
Message
Example Event
{
"system": {
"provider": "Microsoft-Windows-ServerManager-MultiMachine",
"guid": "D8D37081-10BD-4A89-A971-1CDA6899BDB3",
"event_source_name": "",
"event_id": 48,
"version": 0,
"level": 4,
"task": 5,
"opcode": 2,
"keywords": 2305843009213693952,
"time_created": "2022-04-07T16:58:09.029982+00:00",
"event_record_id": 518,
"correlation": {},
"execution": {
"process_id": 4444,
"thread_id": 4448
},
"channel": "Microsoft-Windows-ServerManager-MultiMachine/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 49: Boot loader started.
Description
Boot loader started.
Message
Example Event
{
"system": {
"provider": "Microsoft-Windows-ServerManager-MultiMachine",
"guid": "D8D37081-10BD-4A89-A971-1CDA6899BDB3",
"event_source_name": "",
"event_id": 49,
"version": 0,
"level": 4,
"task": 5,
"opcode": 1,
"keywords": 2305843009213693952,
"time_created": "2022-04-07T16:58:09.083883+00:00",
"event_record_id": 519,
"correlation": {},
"execution": {
"process_id": 4444,
"thread_id": 4448
},
"channel": "Microsoft-Windows-ServerManager-MultiMachine/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 50: Boot loader completed.
Description
Boot loader completed.
Message
Example Event
{
"system": {
"provider": "Microsoft-Windows-ServerManager-MultiMachine",
"guid": "D8D37081-10BD-4A89-A971-1CDA6899BDB3",
"event_source_name": "",
"event_id": 50,
"version": 0,
"level": 4,
"task": 5,
"opcode": 2,
"keywords": 2305843009213693952,
"time_created": "2022-04-07T16:58:23.552622+00:00",
"event_record_id": 527,
"correlation": {},
"execution": {
"process_id": 4444,
"thread_id": 4124
},
"channel": "Microsoft-Windows-ServerManager-MultiMachine/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 51: Boot loader can't find the service provider list, Error: errorMessage.
Event ID 52: Failed to load user settings, Error: errorMessage.
Event ID 53: Main window initialized.
Description
Main window initialized.
Message
Example Event
{
"system": {
"provider": "Microsoft-Windows-ServerManager-MultiMachine",
"guid": "D8D37081-10BD-4A89-A971-1CDA6899BDB3",
"event_source_name": "",
"event_id": 53,
"version": 0,
"level": 4,
"task": 6,
"opcode": 0,
"keywords": 2306124484190404608,
"time_created": "2022-04-07T16:58:20.988934+00:00",
"event_record_id": 522,
"correlation": {},
"execution": {
"process_id": 4444,
"thread_id": 4448
},
"channel": "Microsoft-Windows-ServerManager-MultiMachine/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 54: Main window initialization failed, Error: errorMessage.
Event ID 55: Failed to change the navigation item navigationItemName of type navigationItemType, attached descriptor: associatedViewDescriptorType.
Event ID 56: Navigation service selection changed.
Event ID 58: Server manager shutdown started
Description
Server manager shutdown started.
Message
Example Event
{
"system": {
"provider": "Microsoft-Windows-ServerManager-MultiMachine",
"guid": "D8D37081-10BD-4A89-A971-1CDA6899BDB3",
"event_source_name": "",
"event_id": 58,
"version": 0,
"level": 4,
"task": 9,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2022-04-07T08:38:13.257143+00:00",
"event_record_id": 509,
"correlation": {},
"execution": {
"process_id": 5300,
"thread_id": 5388
},
"channel": "Microsoft-Windows-ServerManager-MultiMachine/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 59: Server manager shutdown failure: errorMessage.
Event ID 60: Saving server list failure: errorMessage.
Event ID 61: Server manager automation shutdown failure: errorMessage.
Event ID 62: Server manager plugin manager shutdown failure: errorMessage.
Event ID 63: Server manager exception.
Event ID 64: Start of decoding performance counter threshold alerts results.
Description
Start of decoding performance counter threshold alerts results.
Message
Event ID 65: Stop of decoding performance counter threshold alerts results.
Description
Stop of decoding performance counter threshold alerts results.
Message
Event ID 66: Error during decoding performance counter threshold alerts results.
Event ID 67: Start of data update to performance counter threshold alert data.
Description
Start of data update to performance counter threshold alert data.
Message
Event ID 68: Stop of data update to performance counter threshold alert data.
Description
Stop of data update to performance counter threshold alert data.
Message
Event ID 69: Error during data update to performance counter threshold alert data.
Event ID 70: Triggered performance counter threshold alert data results updated event.
Event ID 71: Start of decoding performance counter samples results.
Description
Start of decoding performance counter samples results.
Message
Event ID 72: Stop of decoding performance counter samples results.
Description
Stop of decoding performance counter samples results.
Message
Event ID 73: Error during decoding performance counter samples results.
Event ID 74: Start of data update to performance counter sample data.
Description
Start of data update to performance counter sample data.
Message
Event ID 75: Stop of data update to performance counter sample data.
Description
Stop of data update to performance counter sample data.
Message
Event ID 76: Error during data update to performance counter sample data.
Event ID 77: Triggered performance counter sample data results updated event.
Event ID 78: Start job of diagnostics data collect (process snapshots).
Event ID 79: Stop job of diagnostics data collect (process snapshots).
Description
Stop job of diagnostics data collect (process snapshots).
Message
Event ID 80: Error in a job of diagnostics data collect (process snapshots).
Event ID 81: Start of data update to diagnostics data (process snapshots).
Description
Start of data update to diagnostics data (process snapshots).
Message
Event ID 82: Stop of data update to diagnostics data (process snapshots).
Description
Stop of data update to diagnostics data (process snapshots).
Message
Event ID 83: Error during data update to diagnostics data (process snapshots).
Event ID 84: Start of time change filter.
Event ID 86: Error during time change filter.
Event ID 87: Start job of time change filter.
Event ID 89: Error in a job of time change filter.
Event ID 90: Start of data update for time change filter.
Description
Start of data update for time change filter.
Message
Event ID 91: Stop of data update for time change filter.
Description
Stop of data update for time change filter.
Message
Event ID 92: Error during data update for time change filter.
Event ID 93: Job refresh error.
Event ID 94: Splash screen started.
Description
Splash screen started.
Message
Example Event
{
"system": {
"provider": "Microsoft-Windows-ServerManager-MultiMachine",
"guid": "D8D37081-10BD-4A89-A971-1CDA6899BDB3",
"event_source_name": "",
"event_id": 94,
"version": 0,
"level": 4,
"task": 6,
"opcode": 1,
"keywords": 2306124484190404608,
"time_created": "2022-04-07T16:58:06.733119+00:00",
"event_record_id": 516,
"correlation": {},
"execution": {
"process_id": 4444,
"thread_id": 4448
},
"channel": "Microsoft-Windows-ServerManager-MultiMachine/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 95: Splash screen stopped.
Description
Splash screen stopped.
Message
Example Event
{
"system": {
"provider": "Microsoft-Windows-ServerManager-MultiMachine",
"guid": "D8D37081-10BD-4A89-A971-1CDA6899BDB3",
"event_source_name": "",
"event_id": 95,
"version": 0,
"level": 4,
"task": 6,
"opcode": 2,
"keywords": 2305843009213693952,
"time_created": "2022-04-07T16:58:15.307676+00:00",
"event_record_id": 521,
"correlation": {},
"execution": {
"process_id": 4444,
"thread_id": 4448
},
"channel": "Microsoft-Windows-ServerManager-MultiMachine/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 97: Server manager shutdown stopped.
Description
Server manager shutdown stopped.
Message
Example Event
{
"system": {
"provider": "Microsoft-Windows-ServerManager-MultiMachine",
"guid": "D8D37081-10BD-4A89-A971-1CDA6899BDB3",
"event_source_name": "",
"event_id": 97,
"version": 0,
"level": 4,
"task": 9,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2022-04-07T08:38:13.358492+00:00",
"event_record_id": 515,
"correlation": {},
"execution": {
"process_id": 5300,
"thread_id": 5388
},
"channel": "Microsoft-Windows-ServerManager-MultiMachine/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 98: User settings save started.
Description
User settings save started.
Message
Example Event
{
"system": {
"provider": "Microsoft-Windows-ServerManager-MultiMachine",
"guid": "D8D37081-10BD-4A89-A971-1CDA6899BDB3",
"event_source_name": "",
"event_id": 98,
"version": 0,
"level": 4,
"task": 7,
"opcode": 1,
"keywords": 2305843009213693952,
"time_created": "2022-04-07T08:38:13.280535+00:00",
"event_record_id": 510,
"correlation": {},
"execution": {
"process_id": 5300,
"thread_id": 5256
},
"channel": "Microsoft-Windows-ServerManager-MultiMachine/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 99: User settings save stopped.
Description
User settings save stopped.
Message
Example Event
{
"system": {
"provider": "Microsoft-Windows-ServerManager-MultiMachine",
"guid": "D8D37081-10BD-4A89-A971-1CDA6899BDB3",
"event_source_name": "",
"event_id": 99,
"version": 0,
"level": 4,
"task": 7,
"opcode": 2,
"keywords": 2305843009213693952,
"time_created": "2022-04-07T08:38:13.293162+00:00",
"event_record_id": 511,
"correlation": {},
"execution": {
"process_id": 5300,
"thread_id": 5256
},
"channel": "Microsoft-Windows-ServerManager-MultiMachine/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 100: Automation job history.
Event ID 101: Automation job history.
Event ID 102: Group of inventory refresh jobs has finished.
Event ID 103: Error encountered while attempting to load an advanced tool: ErrorMessage.
Event ID 104: DataStore persistence: starting load
Description
DataStore persistence: starting load.
Message
Event ID 105: DataStore persistence: load error ErrorMessage.
Event ID 106: DataStore persistence: load finished
Description
DataStore persistence: load finished.
Message
Event ID 107: DataStore persistence: starting save
Description
DataStore persistence: starting save.
Message
Event ID 108: DataStore persistence: save error: ErrorMessage.
Event ID 109: DataStore persistence: save finished
Description
DataStore persistence: save finished.
Message
Event ID 110: Inventory data update failed.
Event ID 111: Launched BPA scan on machine MachineName, BPA Model Ids JobName.
Event ID 112: Bpa Scan launch failed for server MachineName, error: Error.
Event ID 113: Start of enable job of performance counter collector.
Description
Start of enable job of performance counter collector.
Message
Event ID 114: Stop of enable job of performance counter collector.
Description
Stop of enable job of performance counter collector.
Message
Event ID 115: Failed enabling of performance counter collector.
Event ID 116: Bpa include or exclude launch failed for server MachineName, error: Error.
Event ID 117: Error while launching command 'MachineName' : Error.
Event ID 118: Failed to close the post deployment configuration task.
Event ID 119: Created the post deployment task.
Event ID 120: Completed the post deployment task.
Description
Completed the post deployment task. Description. Source=Source.
Message
Fields
| Name | Description |
|---|---|
| Description UnicodeString | |
| Source UnicodeString | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-ServerManager-MultiMachine",
"guid": "D8D37081-10BD-4A89-A971-1CDA6899BDB3",
"event_source_name": "",
"event_id": 120,
"version": 0,
"level": 4,
"task": 13,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2022-04-07T17:07:17.045456+00:00",
"event_record_id": 181,
"correlation": {
"ActivityID": "AA4DB9AF-DA1D-455F-908A-502ABDF549C8"
},
"execution": {
"process_id": 1460,
"thread_id": 4948
},
"channel": "Microsoft-Windows-ServerManager-MultiMachine/Operational",
"computer": "WIN-FPV0DSIC9O6",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {
"Description": "Additional steps are required to make this machine a domain controller.",
"Source": "Wizard"
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 121: Failed to create the post deployment configuration task.
Event ID 122: Unknown type of failure to refresh data.
Event ID 123: Roles and features discovered on ServerName: Features.
Event ID 124: Roles and features requiring configuration on ServerName: Features.
Event ID 125: Skipping Server Manager auto refresh.
Description
Skipping Server Manager auto refresh. The desktop is not active.
Message
Event ID 126: Skipping loading the navigation item for a plugin that is not initialized.
Description
Skipping loading the navigation item for a plugin that is not initialized. Role: roleId. Status: Status.
Message
Fields
| Name | Description |
|---|---|
| roleId Int32 | |
| Status UnicodeString | NTSTATUS reference |
Event ID 127: Shell plugin icon not found.
Event ID 128: Parent role not found.
Event ID 129: String pool has been scanned.
Event ID 130: Automation job query started.
Event ID 131: Automation job query result.
Event ID 132: Automation job query completed.
Event ID 133: Automation job created.
Description
Automation job created. Owner: Owner, Command: Command, Target: Target, Tracked: Tracked. Rehydrated: Rehydrated.
Message
Fields
| Name | Description |
|---|---|
| Owner UnicodeString | |
| Command UnicodeString | |
| Target UnicodeString | |
| Tracked Boolean | |
| Rehydrated Boolean | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-ServerManager-MultiMachine",
"guid": "D8D37081-10BD-4A89-A971-1CDA6899BDB3",
"event_source_name": "",
"event_id": 133,
"version": 0,
"level": 4,
"task": 12,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2022-04-07T17:21:40.297165+00:00",
"event_record_id": 685,
"correlation": {
"ActivityID": "E0AAB88C-4A9F-0000-ADEC-AAE09F4AD801"
},
"execution": {
"process_id": 4444,
"thread_id": 4100
},
"channel": "Microsoft-Windows-ServerManager-MultiMachine/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {
"Owner": "ServerManager",
"Command": "ServerManagerShell\\Invoke-_InternalServiceMethod",
"Target": "",
"Tracked": true,
"Rehydrated": false
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 134: Automation job creation failed with error: ErrorMessage.
Event ID 135: Exception reported to refresh data.
Event ID 136: Exception reported to data collection.
Description
Exception reported to data collection. Server: MachineName. OperationName: OperationName. MessageID: MessageId. Message: Message.
Message
Fields
| Name | Description |
|---|---|
| MachineName UnicodeString | |
| OperationName UnicodeString | |
| MessageId UnicodeString | |
| Message UnicodeString | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-ServerManager-MultiMachine",
"guid": "D8D37081-10BD-4A89-A971-1CDA6899BDB3",
"event_source_name": "",
"event_id": 136,
"version": 0,
"level": 4,
"task": 10,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2022-04-04T11:01:44.968878+00:00",
"event_record_id": 1087,
"correlation": {
"ActivityID": "748EA6BB-2722-4FDA-B8B7-DA861FFC7DC8"
},
"execution": {
"process_id": 3156,
"thread_id": 5064
},
"channel": "Microsoft-Windows-ServerManager-MultiMachine/Operational",
"computer": "WIN-TKC15D7KHUR",
"security": {
"user_id": "S-1-5-21-1958040314-2592322477-2606035944-500"
}
},
"event_data": {
"MachineName": "WIN-TKC15D7KHUR",
"OperationName": "GetServerEventDetail",
"MessageId": "(None)",
"Message": "Events from 'WebServer.Events.xml' could not be enumerated.\r\n"
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 150: Automation job started.
Event ID 151: Automation job state changed.
Event ID 152: Automation job error data added.
Description
Automation job error data added. Error: Message, Command: Command, Target: Target, ID: ID, Parent: ParentID, Message: Action, Action: Exception, Exception: ErrorId.
Message
Fields
| Name | Description |
|---|---|
| ID GUID | |
| ParentID GUID | |
| Command UnicodeString | |
| Target UnicodeString | |
| ErrorId UnicodeString | |
| Message UnicodeString | |
| Action UnicodeString | |
| Exception UnicodeString | |
Event ID 153: Automation job output data added.
Event ID 154: Automation job progress data added.
Event ID 155: Automation job error data added.
Event ID 156: Data processing time.
Event ID 157: Lengthy data processing time.
Event ID 160: Error setting main window focus with the handle.
Event ID 161: Error writing the window handle.
Event ID 162: File mapping initialization failed.
Event ID 163: Error shutting down the kernel service.
Event ID 165: CEIP/WER launch command completed.
Description
CEIP/WER launch command completed.
Message
Event ID 168: Connection to M3P starting.
Description
Connection to M3P starting.
Message
Example Event
{
"system": {
"provider": "Microsoft-Windows-ServerManager-MultiMachine",
"guid": "D8D37081-10BD-4A89-A971-1CDA6899BDB3",
"event_source_name": "",
"event_id": 168,
"version": 0,
"level": 4,
"task": 5,
"opcode": 2,
"keywords": 2305843009213693952,
"time_created": "2022-04-07T17:21:29.048530+00:00",
"event_record_id": 676,
"correlation": {
"ActivityID": "E0AAB88C-4A9F-0000-77EB-AAE09F4AD801"
},
"execution": {
"process_id": 4444,
"thread_id": 4780
},
"channel": "Microsoft-Windows-ServerManager-MultiMachine/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 169: Connection to M3P completed.
Description
Connection to M3P completed.
Message
Example Event
{
"system": {
"provider": "Microsoft-Windows-ServerManager-MultiMachine",
"guid": "D8D37081-10BD-4A89-A971-1CDA6899BDB3",
"event_source_name": "",
"event_id": 169,
"version": 0,
"level": 4,
"task": 5,
"opcode": 2,
"keywords": 2305843009213693952,
"time_created": "2022-04-07T17:21:31.700287+00:00",
"event_record_id": 679,
"correlation": {
"ActivityID": "1480B89F-E871-42E4-BFB4-C8F88B053137"
},
"execution": {
"process_id": 4444,
"thread_id": 4780
},
"channel": "Microsoft-Windows-ServerManager-MultiMachine/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 170: Credentials set for connections to machines: Targets.
Event ID 171: Refresh session started.
Description
Refresh session started. Source: RefreshTriggerSource. Categories: Category. Servers: Machines. Id: ID.
Message
Fields
| Name | Type | Description |
|---|---|---|
| RefreshTriggerSource | UnicodeString | |
| Category | UnicodeString | |
| Machines | UnicodeString | |
| ID | GUID | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-ServerManager-MultiMachine",
"guid": "D8D37081-10BD-4A89-A971-1CDA6899BDB3",
"event_source_name": "",
"event_id": 171,
"version": 0,
"level": 4,
"task": 10,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2022-04-07T17:38:23.580114+00:00",
"event_record_id": 722,
"correlation": {},
"execution": {
"process_id": 4444,
"thread_id": 2880
},
"channel": "Microsoft-Windows-ServerManager-MultiMachine/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {
"RefreshTriggerSource": "Scheduler (None, None)",
"Category": "Inventory",
"Machines": "WIN-FPV0DSIC9O6.lab.local",
"ID": "670EEE8B-2C25-447D-AAD4-2FDBE19E5196"
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 172: Refresh session completed.
Description
Refresh session completed. Id: ID.
Message
Fields
| Name | Type | Description |
|---|---|---|
| ID | GUID | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-ServerManager-MultiMachine",
"guid": "D8D37081-10BD-4A89-A971-1CDA6899BDB3",
"event_source_name": "",
"event_id": 172,
"version": 0,
"level": 4,
"task": 10,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2022-04-07T17:38:27.540457+00:00",
"event_record_id": 753,
"correlation": {
"ActivityID": "C9DB0EBB-AD74-4A6D-A36D-C691522795E3"
},
"execution": {
"process_id": 4444,
"thread_id": 4868
},
"channel": "Microsoft-Windows-ServerManager-MultiMachine/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {
"ID": "670EEE8B-2C25-447D-AAD4-2FDBE19E5196"
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 173: Credentials loaded from the cred store: User name = UserName.
Event ID 174: Error loading credentials from the cred store.
Event ID 175: Credentials saved to the cred store: User name = UserName.
Event ID 176: Error saving credentials to the cred store.
Event ID 177: Credentials deleted from the cred store: User name = UserName.
Event ID 178: Error deleting credentials from the cred store.
Event ID 179: Local server properties refresh started.
Description
Local server properties refresh started.
Message
Example Event
{
"system": {
"provider": "Microsoft-Windows-ServerManager-MultiMachine",
"guid": "D8D37081-10BD-4A89-A971-1CDA6899BDB3",
"event_source_name": "",
"event_id": 179,
"version": 0,
"level": 4,
"task": 10,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2022-04-07T17:11:32.549096+00:00",
"event_record_id": 613,
"correlation": {},
"execution": {
"process_id": 4444,
"thread_id": 2492
},
"channel": "Microsoft-Windows-ServerManager-MultiMachine/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 180: Local server properties refresh completed.
Description
Local server properties refresh completed.
Message
Example Event
{
"system": {
"provider": "Microsoft-Windows-ServerManager-MultiMachine",
"guid": "D8D37081-10BD-4A89-A971-1CDA6899BDB3",
"event_source_name": "",
"event_id": 180,
"version": 0,
"level": 4,
"task": 10,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2022-04-07T17:11:34.976833+00:00",
"event_record_id": 615,
"correlation": {},
"execution": {
"process_id": 4444,
"thread_id": 2492
},
"channel": "Microsoft-Windows-ServerManager-MultiMachine/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 181: Error accessing local server properties.
Event ID 182: Completed services modification job.
Description
Completed services modification job.
Message
Example Event
{
"system": {
"provider": "Microsoft-Windows-ServerManager-MultiMachine",
"guid": "D8D37081-10BD-4A89-A971-1CDA6899BDB3",
"event_source_name": "",
"event_id": 182,
"version": 0,
"level": 4,
"task": 10,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2022-04-07T17:21:43.028714+00:00",
"event_record_id": 689,
"correlation": {
"ActivityID": "E0AAB88C-4A9F-0000-E7EC-AAE09F4AD801"
},
"execution": {
"process_id": 4444,
"thread_id": 4448
},
"channel": "Microsoft-Windows-ServerManager-MultiMachine/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 183: Launching wizard from automation job started.
Event ID 184: Launching wizard from automation job completed.
Event ID 190: Starting WinRM service status check.
Description
Starting WinRM service status check. Status: serviceStatus, Exception: exception.
Message
Fields
| Name | Type | Description |
|---|---|---|
| serviceStatus | UnicodeString | |
| exception | UnicodeString | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-ServerManager-MultiMachine",
"guid": "D8D37081-10BD-4A89-A971-1CDA6899BDB3",
"event_source_name": "",
"event_id": 190,
"version": 0,
"level": 4,
"task": 12,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2022-04-07T17:21:29.061107+00:00",
"event_record_id": 677,
"correlation": {
"ActivityID": "E0AAB88C-4A9F-0000-77EB-AAE09F4AD801"
},
"execution": {
"process_id": 4444,
"thread_id": 4780
},
"channel": "Microsoft-Windows-ServerManager-MultiMachine/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {
"serviceStatus": "Running",
"exception": "None"
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 191: Completed WinRM service status check.
Description
Completed WinRM service status check. Status: serviceStatus, Exception: exception.
Message
Fields
| Name | Type | Description |
|---|---|---|
| serviceStatus | UnicodeString | |
| exception | UnicodeString | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-ServerManager-MultiMachine",
"guid": "D8D37081-10BD-4A89-A971-1CDA6899BDB3",
"event_source_name": "",
"event_id": 191,
"version": 0,
"level": 4,
"task": 12,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2022-04-07T17:21:29.061322+00:00",
"event_record_id": 678,
"correlation": {
"ActivityID": "E0AAB88C-4A9F-0000-77EB-AAE09F4AD801"
},
"execution": {
"process_id": 4444,
"thread_id": 4780
},
"channel": "Microsoft-Windows-ServerManager-MultiMachine/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {
"serviceStatus": "Running",
"exception": "None"
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 192: Refresh item completed.
Description
Refresh item completed. Server: MachineName, Session Item Count: Count.
Message
Fields
| Name | Type | Description |
|---|---|---|
| MachineName | UnicodeString | |
| Count | Int32 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-ServerManager-MultiMachine",
"guid": "D8D37081-10BD-4A89-A971-1CDA6899BDB3",
"event_source_name": "",
"event_id": 192,
"version": 0,
"level": 4,
"task": 10,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2022-04-07T17:38:27.540265+00:00",
"event_record_id": 752,
"correlation": {
"ActivityID": "C9DB0EBB-AD74-4A6D-A36D-C691522795E3"
},
"execution": {
"process_id": 4444,
"thread_id": 4868
},
"channel": "Microsoft-Windows-ServerManager-MultiMachine/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {
"MachineName": "WIN-FPV0DSIC9O6.lab.local",
"Count": 1
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 193: Error cleaning up credentials from the cred store.
Event ID 194: Cluster query item added.
Event ID 195: Cluster query item data received.
Event ID 196: New cluster nodes added to session.
Event ID 197: Cluster query item completed.
Event ID 200: Refresh item session create started.
Event ID 201: Refresh item session create completed.
Event ID 202: Refresh item session close started.
Event ID 203: Refresh item session close completed.
Event ID 204: Refresh item invocation started.
Event ID 205: Refresh item enumeration started.
Event ID 206: Refresh item data received.
Event ID 207: Refresh item operation completed.
Event ID 208: Refresh item operation error.
Event ID 209: Creating new session.
Description
Creating new session. Server: serverName, Protocol: protocol, User: userName.
Message
Fields
| Name | Type | Description |
|---|---|---|
| serverName | UnicodeString | |
| protocol | UnicodeString | |
| userName | UnicodeString | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-ServerManager-MultiMachine",
"guid": "D8D37081-10BD-4A89-A971-1CDA6899BDB3",
"event_source_name": "",
"event_id": 209,
"version": 0,
"level": 4,
"task": 17,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2022-04-07T17:38:27.506487+00:00",
"event_record_id": 746,
"correlation": {
"ActivityID": "4ACAA8DE-FAC8-4188-A6B0-EFCD7D7B46CA"
},
"execution": {
"process_id": 4444,
"thread_id": 2632
},
"channel": "Microsoft-Windows-ServerManager-MultiMachine/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {
"serverName": "localhost",
"protocol": "DCOM",
"userName": "null"
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 210: Enumerate instances started.
Event ID 211: Enumerate instances completed.
Event ID 212: Enumerate instances error.
Event ID 213: Enumerate instances data received.
Event ID 214: Invoke method started.
Description
Invoke method started. Server: serverName, Namespace: namespaceName, Class: wmiClassName, Method: methodName.
Message
Fields
| Name | Type | Description |
|---|---|---|
| serverName | UnicodeString | |
| namespaceName | UnicodeString | |
| wmiClassName | UnicodeString | |
| methodName | UnicodeString | |
| protocol | UnicodeString | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-ServerManager-MultiMachine",
"guid": "D8D37081-10BD-4A89-A971-1CDA6899BDB3",
"event_source_name": "",
"event_id": 214,
"version": 0,
"level": 4,
"task": 17,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2022-04-07T17:38:27.506485+00:00",
"event_record_id": 745,
"correlation": {
"ActivityID": "4ACAA8DE-FAC8-4188-A6B0-EFCD7D7B46CA"
},
"execution": {
"process_id": 4444,
"thread_id": 2632
},
"channel": "Microsoft-Windows-ServerManager-MultiMachine/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {
"serverName": "localhost",
"namespaceName": "root\\microsoft\\windows\\servermanager",
"wmiClassName": "MSFT_ServerManagerTasks",
"methodName": "GetServerBpaResult",
"protocol": "DCOM"
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 215: Invoke method completed.
Description
Invoke method completed. Server: serverName, Namespace: namespaceName, Class: wmiClassName, Method: methodName.
Message
Fields
| Name | Type | Description |
|---|---|---|
| serverName | UnicodeString | |
| namespaceName | UnicodeString | |
| wmiClassName | UnicodeString | |
| methodName | UnicodeString | |
| protocol | UnicodeString | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-ServerManager-MultiMachine",
"guid": "D8D37081-10BD-4A89-A971-1CDA6899BDB3",
"event_source_name": "",
"event_id": 215,
"version": 0,
"level": 4,
"task": 17,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2022-04-07T17:38:27.540206+00:00",
"event_record_id": 751,
"correlation": {
"ActivityID": "C9DB0EBB-AD74-4A6D-A36D-C691522795E3"
},
"execution": {
"process_id": 4444,
"thread_id": 4868
},
"channel": "Microsoft-Windows-ServerManager-MultiMachine/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {
"serverName": "localhost",
"namespaceName": "root\\microsoft\\windows\\servermanager",
"wmiClassName": "MSFT_ServerManagerTasks",
"methodName": "GetServerEventDetail",
"protocol": "DCOM"
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 216: Invoke method error.
Description
Invoke method error. Server: serverName, Namespace: namespaceName, Class: wmiClassName, Method: methodName, Error: error.
Message
Fields
| Name | Type | Description |
|---|---|---|
| serverName | UnicodeString | |
| namespaceName | UnicodeString | |
| wmiClassName | UnicodeString | |
| methodName | UnicodeString | |
| protocol | UnicodeString | |
| error | UnicodeString | |
Event ID 217: Invoke method data received.
Description
Invoke method data received. Server: serverName, Namespace: namespaceName, Class: wmiClassName, Method: methodName.
Message
Fields
| Name | Type | Description |
|---|---|---|
| serverName | UnicodeString | |
| namespaceName | UnicodeString | |
| wmiClassName | UnicodeString | |
| methodName | UnicodeString | |
| protocol | UnicodeString | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-ServerManager-MultiMachine",
"guid": "D8D37081-10BD-4A89-A971-1CDA6899BDB3",
"event_source_name": "",
"event_id": 217,
"version": 0,
"level": 4,
"task": 17,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2022-04-07T17:38:27.540179+00:00",
"event_record_id": 750,
"correlation": {
"ActivityID": "C9DB0EBB-AD74-4A6D-A36D-C691522795E3"
},
"execution": {
"process_id": 4444,
"thread_id": 4868
},
"channel": "Microsoft-Windows-ServerManager-MultiMachine/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {
"serverName": "localhost",
"namespaceName": "root\\microsoft\\windows\\servermanager",
"wmiClassName": "MSFT_ServerManagerTasks",
"methodName": "GetServerEventDetail",
"protocol": "DCOM"
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 218: Invoke method non-terminating error received.
Description
Invoke method non-terminating error received. Server: serverName, Namespace: namespaceName, Class: wmiClassName, Method: methodName, Error Code: errorCode, Error Message: errorMessage.
Message
Fields
| Name | Type | Description |
|---|---|---|
| serverName | UnicodeString | |
| namespaceName | UnicodeString | |
| wmiClassName | UnicodeString | |
| methodName | UnicodeString | |
| protocol | UnicodeString | |
| errorCode | UInt32 | |
| errorMessage | UnicodeString | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-ServerManager-MultiMachine",
"guid": "D8D37081-10BD-4A89-A971-1CDA6899BDB3",
"event_source_name": "",
"event_id": 218,
"version": 0,
"level": 3,
"task": 17,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2022-04-04T11:01:44.968700+00:00",
"event_record_id": 1086,
"correlation": {
"ActivityID": "748EA6BB-2722-4FDA-B8B7-DA861FFC7DC8"
},
"execution": {
"process_id": 3156,
"thread_id": 5064
},
"channel": "Microsoft-Windows-ServerManager-MultiMachine/Operational",
"computer": "WIN-TKC15D7KHUR",
"security": {
"user_id": "S-1-5-21-1958040314-2592322477-2606035944-500"
}
},
"event_data": {
"serverName": "localhost",
"namespaceName": "root\\microsoft\\windows\\servermanager",
"wmiClassName": "MSFT_ServerManagerTasks",
"methodName": "GetServerEventDetail",
"protocol": "DCOM",
"errorCode": 2,
"errorMessage": "Events from 'WebServer.Events.xml' could not be enumerated.\r\n"
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 219: Invoke method message received.
Description
Invoke method message received. Server: serverName, Namespace: namespaceName, Class: wmiClassName, Method: methodName, Channel: channel, Message: message.
Message
Fields
| Name | Type | Description |
|---|---|---|
| serverName | UnicodeString | |
| namespaceName | UnicodeString | |
| wmiClassName | UnicodeString | |
| methodName | UnicodeString | |
| protocol | UnicodeString | |
| channel | UInt32 | |
| message | UnicodeString | |
Event ID 300: Server data processer start.
Event ID 301: Server data processer stop.
Event ID 302: Server data processor failed.
Event ID 303: Server data processor on next start.
Event ID 304: Server data processor on next stop.
Event ID 305: Feature data processer start.
Event ID 306: Feature data processer stop.
Event ID 307: Feature data processor failed.
Event ID 308: Feature data processor on next start.
Event ID 309: Feature data processor on next stop.
Event ID 310: BPA data processer start.
Event ID 311: BPA data processer stop.
Event ID 312: BPA data processor failed.
Event ID 313: BPA data processor on next start.
Event ID 314: BPA data processor on next stop.
Event ID 315: Events data processer start.
Event ID 316: Events data processer stop.
Event ID 317: Events data processor failed.
Event ID 318: Events data processor on next start.
Event ID 319: Events data processor on next stop.
Event ID 320: Performance counter data processer start.
Event ID 321: Performance counter data processer stop.
Event ID 322: Performance counter data processor failed.
Event ID 323: Performance counter data processor on next start.
Event ID 324: Performance counter data processor on next stop.
Event ID 325: Services data processer start.
Event ID 326: Services data processer stop.
Event ID 327: Services data processor failed.
Event ID 328: Services data processor on next start.
Event ID 329: Services data processor on next stop.
Event ID 330: Servers tile view update start.
Event ID 331: Servers tile view update stop.
Event ID 332: Features tile view update start.
Event ID 333: Features tile view update stop.
Event ID 334: BPA tile view update start.
Event ID 335: BPA tile view update stop.
Event ID 336: Events tile view update start.
Event ID 337: Events tile view update stop.
Event ID 338: Performance tile view update start.
Event ID 339: Performance tile view update stop.
Event ID 340: Services tile view update start.
Event ID 341: Services tile view update stop.
Event ID 342: Servers thumbnail view update start.
Event ID 343: Servers thumbnail view update stop.
Event ID 344: Timestamp thumbnail view update start.
Event ID 345: Timestamp thumbnail view update stop.
Event ID 346: BPA thumbnail view update start.
Event ID 347: BPA thumbnail view update stop.
Event ID 348: Events thumbnail view update start.
Event ID 349: Events thumbnail view update stop.
Event ID 350: Performance thumbnail view update start.
Event ID 351: Performance thumbnail view update stop.
Event ID 352: Services thumbnail view update start.
Event ID 353: Services thumbnail view update stop.
Event ID 354: Manageability thumbnail view update start.
Event ID 355: Manageability thumbnail view update stop.
Event ID 356: Async job creation started.
Description
Async job creation started. Command: Command, Target: Target, State: State, Proxy Instance ID: ID.
Message
Fields
| Name | Type | Description |
|---|---|---|
| ID | GUID | |
| Command | UnicodeString | |
| Target | UnicodeString | |
| State | UnicodeString | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-ServerManager-MultiMachine",
"guid": "D8D37081-10BD-4A89-A971-1CDA6899BDB3",
"event_source_name": "",
"event_id": 356,
"version": 0,
"level": 4,
"task": 12,
"opcode": 1,
"keywords": 2305843009213693952,
"time_created": "2022-04-07T17:21:41.337170+00:00",
"event_record_id": 686,
"correlation": {
"ActivityID": "1480B89F-E871-42E4-BFB4-C8F88B053137"
},
"execution": {
"process_id": 4444,
"thread_id": 4380
},
"channel": "Microsoft-Windows-ServerManager-MultiMachine/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {
"ID": "97DEB445-282E-4B54-9C43-57E30F4270F5",
"Command": "ServerManagerShell\\Invoke-_InternalServiceMethod",
"Target": "localhost",
"State": "Running"
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 2000: Deployment Wizard is launched.
Description
Deployment Wizard is launched. Target Server: serverName.
Message
Fields
| Name | Type | Description |
|---|---|---|
| serverName | UnicodeString | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-ServerManager-MultiMachine",
"guid": "D8D37081-10BD-4A89-A971-1CDA6899BDB3",
"event_source_name": "",
"event_id": 2000,
"version": 0,
"level": 4,
"task": 5,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2022-04-07T17:05:14.611551+00:00",
"event_record_id": 85,
"correlation": {
"ActivityID": "DD7B0B6A-4A9E-0001-737B-7BDD9E4AD801"
},
"execution": {
"process_id": 1460,
"thread_id": 4948
},
"channel": "Microsoft-Windows-ServerManager-MultiMachine/Operational",
"computer": "WIN-FPV0DSIC9O6",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {
"serverName": "WIN-FPV0DSIC9O6"
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 2001: Deployment Wizard is closed.
Description
Deployment Wizard is closed. Target Server: serverName.
Message
Fields
| Name | Type | Description |
|---|---|---|
| serverName | UnicodeString | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-ServerManager-MultiMachine",
"guid": "D8D37081-10BD-4A89-A971-1CDA6899BDB3",
"event_source_name": "",
"event_id": 2001,
"version": 0,
"level": 4,
"task": 9,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2022-04-07T17:07:18.961762+00:00",
"event_record_id": 203,
"correlation": {
"ActivityID": "DD7B0B6A-4A9E-0000-FD97-7BDD9E4AD801"
},
"execution": {
"process_id": 1460,
"thread_id": 4948
},
"channel": "Microsoft-Windows-ServerManager-MultiMachine/Operational",
"computer": "WIN-FPV0DSIC9O6",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {
"serverName": "WIN-FPV0DSIC9O6"
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 2002: Deployment Wizard repository loading start.
Description
Deployment Wizard repository loading start. Target Server: serverName.
Message
Fields
| Name | Type | Description |
|---|---|---|
| serverName | UnicodeString | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-ServerManager-MultiMachine",
"guid": "D8D37081-10BD-4A89-A971-1CDA6899BDB3",
"event_source_name": "",
"event_id": 2002,
"version": 0,
"level": 4,
"task": 6,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2022-04-07T17:05:14.562299+00:00",
"event_record_id": 81,
"correlation": {
"ActivityID": "DD7B0B6A-4A9E-0000-5585-7BDD9E4AD801"
},
"execution": {
"process_id": 1460,
"thread_id": 1360
},
"channel": "Microsoft-Windows-ServerManager-MultiMachine/Operational",
"computer": "WIN-FPV0DSIC9O6",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {
"serverName": "WIN-FPV0DSIC9O6"
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 2003: Deployment Wizard repository loading completed.
Description
Deployment Wizard repository loading completed. Target Server: targetServer. Status: Message.
Message
Fields
| Name | Type | Description |
|---|---|---|
| targetServer | UnicodeString | |
| Message | UnicodeString | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-ServerManager-MultiMachine",
"guid": "D8D37081-10BD-4A89-A971-1CDA6899BDB3",
"event_source_name": "",
"event_id": 2003,
"version": 0,
"level": 4,
"task": 6,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2022-04-07T17:05:15.267300+00:00",
"event_record_id": 89,
"correlation": {
"ActivityID": "DD7B0B6A-4A9E-0000-5585-7BDD9E4AD801"
},
"execution": {
"process_id": 1460,
"thread_id": 1360
},
"channel": "Microsoft-Windows-ServerManager-MultiMachine/Operational",
"computer": "WIN-FPV0DSIC9O6",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {
"targetServer": "WIN-FPV0DSIC9O6",
"Message": "Success"
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 2004: Deployment Wizard repository loading completed and repository is empty.
Event ID 2005: Deployment Wizard installation type changed.
Event ID 2006: Deployment Wizard component selected.
Description
Deployment Wizard component selected. ComponentId: componentId. Display Name: displayName.
Message
Fields
| Name | Type | Description |
|---|---|---|
| componentId | Int32 | |
| displayName | UnicodeString | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-ServerManager-MultiMachine",
"guid": "D8D37081-10BD-4A89-A971-1CDA6899BDB3",
"event_source_name": "",
"event_id": 2006,
"version": 0,
"level": 4,
"task": 15,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2022-04-07T17:05:53.457840+00:00",
"event_record_id": 102,
"correlation": {
"ActivityID": "DD7B0B6A-4A9E-0000-3986-7BDD9E4AD801"
},
"execution": {
"process_id": 1460,
"thread_id": 3188
},
"channel": "Microsoft-Windows-ServerManager-MultiMachine/Operational",
"computer": "WIN-FPV0DSIC9O6",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {
"componentId": 10,
"displayName": "Active Directory Domain Services"
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 2007: Deployment Wizard component unselected.
Description
Deployment Wizard component unselected. ComponentId: componentId. Display Name: displayName.
Message
Fields
| Name | Type | Description |
|---|---|---|
| componentId | Int32 | |
| displayName | UnicodeString | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-ServerManager-MultiMachine",
"guid": "D8D37081-10BD-4A89-A971-1CDA6899BDB3",
"event_source_name": "",
"event_id": 2007,
"version": 0,
"level": 4,
"task": 15,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2022-04-04T10:56:42.409230+00:00",
"event_record_id": 859,
"correlation": {
"ActivityID": "066FA786-2FC0-0000-A7F8-7006C02FD801"
},
"execution": {
"process_id": 3156,
"thread_id": 4644
},
"channel": "Microsoft-Windows-ServerManager-MultiMachine/Operational",
"computer": "WIN-TKC15D7KHUR",
"security": {
"user_id": "S-1-5-21-1958040314-2592322477-2606035944-500"
}
},
"event_data": {
"componentId": 468,
"displayName": "Remote Access"
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 2008: Deployment Wizard component selection cancelled through dependency dialog.
Description
Deployment Wizard component selection cancelled through dependency dialog.
Message
Event ID 2009: Deployment Wizard target server collection has changed.
Description
Deployment Wizard target server collection has changed.
Message
Example Event
{
"system": {
"provider": "Microsoft-Windows-ServerManager-MultiMachine",
"guid": "D8D37081-10BD-4A89-A971-1CDA6899BDB3",
"event_source_name": "",
"event_id": 2009,
"version": 0,
"level": 4,
"task": 15,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2022-04-07T17:05:19.729055+00:00",
"event_record_id": 96,
"correlation": {
"ActivityID": "DD7B0B6A-4A9E-0001-BC7B-7BDD9E4AD801"
},
"execution": {
"process_id": 1460,
"thread_id": 4948
},
"channel": "Microsoft-Windows-ServerManager-MultiMachine/Operational",
"computer": "WIN-FPV0DSIC9O6",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 2010: Deployment Wizard page enter.
Description
Deployment Wizard page enter. Page title: pageTitle.
Message
Fields
| Name | Type | Description |
|---|---|---|
| pageTitle | UnicodeString | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-ServerManager-MultiMachine",
"guid": "D8D37081-10BD-4A89-A971-1CDA6899BDB3",
"event_source_name": "",
"event_id": 2010,
"version": 0,
"level": 4,
"task": 15,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2022-04-07T17:06:24.456060+00:00",
"event_record_id": 163,
"correlation": {
"ActivityID": "DD7B0B6A-4A9E-0000-9086-7BDD9E4AD801"
},
"execution": {
"process_id": 1460,
"thread_id": 4948
},
"channel": "Microsoft-Windows-ServerManager-MultiMachine/Operational",
"computer": "WIN-FPV0DSIC9O6",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {
"pageTitle": "InstallationCompletionPage"
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 2011: Deployment Wizard page exit.
Description
Deployment Wizard page exit. Page title: pageTitle.
Message
Fields
| Name | Type | Description |
|---|---|---|
| pageTitle | UnicodeString | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-ServerManager-MultiMachine",
"guid": "D8D37081-10BD-4A89-A971-1CDA6899BDB3",
"event_source_name": "",
"event_id": 2011,
"version": 0,
"level": 4,
"task": 15,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2022-04-07T17:06:24.453440+00:00",
"event_record_id": 162,
"correlation": {
"ActivityID": "DD7B0B6A-4A9E-0000-9086-7BDD9E4AD801"
},
"execution": {
"process_id": 1460,
"thread_id": 4948
},
"channel": "Microsoft-Windows-ServerManager-MultiMachine/Operational",
"computer": "WIN-FPV0DSIC9O6",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {
"pageTitle": "InstallationConfirmationPage"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 2012: Deployment Wizard cancel requested.
#Event ID 2013: Deployment Wizard commit action started.
#Description
Deployment Wizard commit action started. Target Server: MachineName, Job: JobName.
Message #
Fields #
| Name | Description |
|---|---|
| MachineName UnicodeString | |
| JobName UnicodeString | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-ServerManager-MultiMachine",
"guid": "D8D37081-10BD-4A89-A971-1CDA6899BDB3",
"event_source_name": "",
"event_id": 2013,
"version": 0,
"level": 4,
"task": 12,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2022-04-07T17:06:32.648209+00:00",
"event_record_id": 177,
"correlation": {
"ActivityID": "AA4DB9AF-DA1D-455F-908A-502ABDF549C8"
},
"execution": {
"process_id": 1460,
"thread_id": 5200
},
"channel": "Microsoft-Windows-ServerManager-MultiMachine/Operational",
"computer": "WIN-FPV0DSIC9O6",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {
"MachineName": "WIN-FPV0DSIC9O6",
"JobName": "ID:66eda40e-d1c4-4391-9a10-1a9a078f1add;Feature installation"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 2014: Deployment Wizard commit action completed.
#Description
Deployment Wizard commit action completed. Target Server: MachineName. Job: JobName. Status: Status. Reason Reason.
Message #
Fields #
| Name | Description |
|---|---|
| MachineName UnicodeString | |
| JobName UnicodeString | |
| Status UnicodeString | NTSTATUS reference |
| Reason UnicodeString | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-ServerManager-MultiMachine",
"guid": "D8D37081-10BD-4A89-A971-1CDA6899BDB3",
"event_source_name": "",
"event_id": 2014,
"version": 0,
"level": 4,
"task": 5,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2022-04-07T17:07:17.055539+00:00",
"event_record_id": 198,
"correlation": {
"ActivityID": "AA4DB9AF-DA1D-455F-908A-502ABDF549C8"
},
"execution": {
"process_id": 1460,
"thread_id": 5236
},
"channel": "Microsoft-Windows-ServerManager-MultiMachine/Operational",
"computer": "WIN-FPV0DSIC9O6",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {
"MachineName": "localhost",
"JobName": "ID:66eda40e-d1c4-4391-9a10-1a9a078f1add;Feature installation",
"Status": "Succeeded",
"Reason": ""
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 2015: Deployment Wizard component selection step completed.
#Description
Deployment Wizard component selection step completed. ComponentId: componentId. Display Name: displayName.
Message #
Fields #
| Name | Description |
|---|---|
| componentId Int32 | |
| displayName UnicodeString | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-ServerManager-MultiMachine",
"guid": "D8D37081-10BD-4A89-A971-1CDA6899BDB3",
"event_source_name": "",
"event_id": 2015,
"version": 0,
"level": 4,
"task": 15,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2022-04-07T17:05:56.402968+00:00",
"event_record_id": 140,
"correlation": {
"ActivityID": "DD7B0B6A-4A9E-0001-777C-7BDD9E4AD801"
},
"execution": {
"process_id": 1460,
"thread_id": 4948
},
"channel": "Microsoft-Windows-ServerManager-MultiMachine/Operational",
"computer": "WIN-FPV0DSIC9O6",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {
"componentId": 10,
"displayName": "Active Directory Domain Services"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 2016: Deployment Wizard component unselection completed.
#Description
Deployment Wizard component unselection completed. ComponentId: componentId. Display Name: displayName.
Message #
Fields #
| Name | Description |
|---|---|
| componentId Int32 | |
| displayName UnicodeString | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-ServerManager-MultiMachine",
"guid": "D8D37081-10BD-4A89-A971-1CDA6899BDB3",
"event_source_name": "",
"event_id": 2016,
"version": 0,
"level": 4,
"task": 15,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2022-04-04T10:56:42.427037+00:00",
"event_record_id": 861,
"correlation": {
"ActivityID": "066FA786-2FC0-0000-A8F8-7006C02FD801"
},
"execution": {
"process_id": 3156,
"thread_id": 3160
},
"channel": "Microsoft-Windows-ServerManager-MultiMachine/Operational",
"computer": "WIN-TKC15D7KHUR",
"security": {
"user_id": "S-1-5-21-1958040314-2592322477-2606035944-500"
}
},
"event_data": {
"componentId": 468,
"displayName": "Remote Access"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 2100: Deployment plugin loading started.
#Description
Deployment plugin loading started. RoleId: roleId.
Message #
Fields #
| Name | Description |
|---|---|
| roleId Int32 | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-ServerManager-MultiMachine",
"guid": "D8D37081-10BD-4A89-A971-1CDA6899BDB3",
"event_source_name": "",
"event_id": 2100,
"version": 0,
"level": 4,
"task": 1,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2022-04-07T17:07:17.045905+00:00",
"event_record_id": 196,
"correlation": {
"ActivityID": "AA4DB9AF-DA1D-455F-908A-502ABDF549C8"
},
"execution": {
"process_id": 1460,
"thread_id": 4948
},
"channel": "Microsoft-Windows-ServerManager-MultiMachine/Operational",
"computer": "WIN-FPV0DSIC9O6",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {
"roleId": 299
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 2101: Deployment plugin loading completed.
#Description
Deployment plugin loading completed. RoleId: roleId. Status: Status.
Message #
Fields #
| Name | Description |
|---|---|
| roleId Int32 | |
| Status UnicodeString | NTSTATUS reference |
| Message UnicodeString | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-ServerManager-MultiMachine",
"guid": "D8D37081-10BD-4A89-A971-1CDA6899BDB3",
"event_source_name": "",
"event_id": 2101,
"version": 0,
"level": 4,
"task": 1,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2022-04-07T17:07:17.045906+00:00",
"event_record_id": 197,
"correlation": {
"ActivityID": "AA4DB9AF-DA1D-455F-908A-502ABDF549C8"
},
"execution": {
"process_id": 1460,
"thread_id": 4948
},
"channel": "Microsoft-Windows-ServerManager-MultiMachine/Operational",
"computer": "WIN-FPV0DSIC9O6",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {
"roleId": 299,
"Status": "Not required",
"Message": "The feature add-in is not required."
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 2102: Deployment component pages added.
#Description
Deployment component pages added. ComponentId: componentId.
Message #
Fields #
| Name | Description |
|---|---|
| componentId Int32 | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-ServerManager-MultiMachine",
"guid": "D8D37081-10BD-4A89-A971-1CDA6899BDB3",
"event_source_name": "",
"event_id": 2102,
"version": 0,
"level": 4,
"task": 7,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2022-04-07T17:05:56.444994+00:00",
"event_record_id": 141,
"correlation": {
"ActivityID": "DD7B0B6A-4A9E-0001-777C-7BDD9E4AD801"
},
"execution": {
"process_id": 1460,
"thread_id": 4948
},
"channel": "Microsoft-Windows-ServerManager-MultiMachine/Operational",
"computer": "WIN-FPV0DSIC9O6",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {
"componentId": 10
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 2103: Deployment component pages removed.
#Description
Deployment component pages removed. ComponentId: componentId.
Message #
Fields #
| Name | Description |
|---|---|
| componentId Int32 | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-ServerManager-MultiMachine",
"guid": "D8D37081-10BD-4A89-A971-1CDA6899BDB3",
"event_source_name": "",
"event_id": 2103,
"version": 0,
"level": 4,
"task": 7,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2022-04-04T10:56:42.433764+00:00",
"event_record_id": 862,
"correlation": {
"ActivityID": "066FA786-2FC0-0000-A8F8-7006C02FD801"
},
"execution": {
"process_id": 3156,
"thread_id": 3160
},
"channel": "Microsoft-Windows-ServerManager-MultiMachine/Operational",
"computer": "WIN-TKC15D7KHUR",
"security": {
"user_id": "S-1-5-21-1958040314-2592322477-2606035944-500"
}
},
"event_data": {
"componentId": 468
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 2105: Deployment configuration data export started.
#Event ID 2106: Deployment configuration data export completed.
#Event ID 2107: Pre-requisite check started for component with ComponentId: componentId.
#Event ID 2108: Pre-requisite check completed for component with ComponentId: roleId, Status: Status.
#Description
Pre-requisite check completed for component with ComponentId: roleId, Status: Status.
Message #
Fields #
| Name | Description |
|---|---|
| roleId Int32 | |
| Status UnicodeString | NTSTATUS reference |
Event ID 2109: Pre-uninstall step started for component with ComponentId: componentId.
#Event ID 2110: Pre-uninstall step completed for component with ComponentId: roleId, Status: Status.
#Description
Pre-uninstall step completed for component with ComponentId: roleId, Status: Status.
Message #
Fields #
| Name | Description |
|---|---|
| roleId Int32 | |
| Status UnicodeString | NTSTATUS reference |
Event ID 4000: Add-_InternalWindowsRole workflow entered.
#Description
Add-_InternalWindowsRole workflow entered. If this event is not followed by event 4001 or 4002, the workflow either failed, was cancelled, or is still in progress. TargetComputer:targetComputer, ServerComponentNames: serverComponentNames, Remove: remove, PathToVhdFile: pathToVhdFile, PermitReboot: permitReboot, Source: source, DeleteComponents: deleteComponents
Message #
Fields #
| Name | Description |
|---|---|
| targetComputer UnicodeString | |
| serverComponentNames UnicodeString | |
| remove Boolean | |
| pathToVhdFile UnicodeString | |
| permitReboot Boolean | |
| source UnicodeString | |
| deleteComponents Boolean | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-ServerManager-MultiMachine",
"guid": "D8D37081-10BD-4A89-A971-1CDA6899BDB3",
"event_source_name": "",
"event_id": 4000,
"version": 0,
"level": 4,
"task": 4001,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2022-04-07T17:06:32.576262+00:00",
"event_record_id": 175,
"correlation": {
"ActivityID": "DD7B0B6A-4A9E-0001-E27C-7BDD9E4AD801"
},
"execution": {
"process_id": 5272,
"thread_id": 2168
},
"channel": "Microsoft-Windows-ServerManager-MultiMachine/Operational",
"computer": "WIN-FPV0DSIC9O6",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {
"targetComputer": "",
"serverComponentNames": "ServerComponent_AD_Domain_Services ServerComponent_GPMC ServerComponent_RSAT ServerComponent_RSAT_AD_AdminCenter ServerComponent_RSAT_AD_PowerShell ServerComponent_RSAT_AD_Tools ServerComponent_RSAT_ADDS ServerComponent_RSAT_ADDS_Tools ServerComponent_RSAT_Role_Tools",
"remove": false,
"pathToVhdFile": "",
"permitReboot": true,
"source": "",
"deleteComponents": false
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4001: Add-_InternalWindowsRole workflow ended, TargetComputer:targetComputer, RequestState:requestState, RebootRequired: restartRequired, ErrorMessage: errorMessage, ErrorId: errorId, ErrorCategory: erro...
#Description
Add-_InternalWindowsRole workflow ended, TargetComputer:targetComputer, RequestState:requestState, RebootRequired: restartRequired, ErrorMessage: errorMessage, ErrorId: errorId, ErrorCategory: errorCategory, Warning: warnings.
Message #
Fields #
| Name | Description |
|---|---|
| targetComputer UnicodeString | |
| requestState Int32 | |
| restartRequired Boolean | |
| errorMessage UnicodeString | |
| errorId UnicodeString | |
| errorCategory Int32 | |
| warnings UnicodeString | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-ServerManager-MultiMachine",
"guid": "D8D37081-10BD-4A89-A971-1CDA6899BDB3",
"event_source_name": "",
"event_id": 4001,
"version": 0,
"level": 4,
"task": 4001,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2022-04-07T17:07:16.570811+00:00",
"event_record_id": 178,
"correlation": {
"ActivityID": "DD7B0B6A-4A9E-0001-1F85-7BDD9E4AD801"
},
"execution": {
"process_id": 5272,
"thread_id": 4992
},
"channel": "Microsoft-Windows-ServerManager-MultiMachine/Operational",
"computer": "WIN-FPV0DSIC9O6",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {
"targetComputer": "",
"requestState": 1,
"restartRequired": false,
"errorMessage": "",
"errorId": "",
"errorCategory": 0,
"warnings": ""
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4002: Add-_InternalWindowsRole workflow reported an error installing or removing the requested component(s), TargetComputer:targetComputer, RequestState:requestState, RebootRe...
#Description
Add-_InternalWindowsRole workflow reported an error installing or removing the requested component(s), TargetComputer:targetComputer, RequestState:requestState, RebootRequired: restartRequired, ErrorMessage: errorMessage, ErrorId: errorId, ErrorCategory: errorCategory, Warning: warnings
Message #
Fields #
| Name | Description |
|---|---|
| targetComputer UnicodeString | |
| requestState Int32 | |
| restartRequired Boolean | |
| errorMessage UnicodeString | |
| errorId UnicodeString | |
| errorCategory Int32 | |
| warnings UnicodeString | |
Event ID 4010: Add-_InternalWindowsRole workflow launching install/remove operation.
#Description
Add-_InternalWindowsRole workflow launching install/remove operation. If this event is not followed by event 4011, the workflow either failed, was cancelled, or is still in progress. TargetComputer:targetComputer, RequestGuid: requestGuid
Message #
Fields #
| Name | Description |
|---|---|
| targetComputer UnicodeString | |
| requestGuid GUID | |
Event ID 4011: Add-_InternalWindowsRole workflow launched install/remove operation, TargetComputer:targetComputer, RequestGuid: requestGuid, RequestState:requestState, RebootRequired: restartRequired, Progr...
#Description
Add-_InternalWindowsRole workflow launched install/remove operation, TargetComputer:targetComputer, RequestGuid: requestGuid, RequestState:requestState, RebootRequired: restartRequired, ProgressTicks: progressTicks, TotalTicks: totalTicks, ErrorMessage: errorMessage, ErrorId: errorId, ErrorCategory: errorCategory, Warning: warnings
Message #
Fields #
| Name | Description |
|---|---|
| targetComputer UnicodeString | |
| requestGuid GUID | |
| requestState Int32 | |
| restartRequired Boolean | |
| progressTicks Int32 | |
| totalTicks Int32 | |
| errorMessage UnicodeString | |
| errorId UnicodeString | |
| errorCategory Int32 | |
| warnings UnicodeString | |
Event ID 4012: Add-_InternalWindowsRole workflow polling for completion.
#Event ID 4013: Add-_InternalWindowsRole workflow polled for completion, TargetComputer:targetComputer, RequestGuid: requestGuid, RequestState:requestState, RebootRequired: restartRequired, ProgressTicks: progress...
#Description
Add-_InternalWindowsRole workflow polled for completion, TargetComputer:targetComputer, RequestGuid: requestGuid, RequestState:requestState, RebootRequired: restartRequired, ProgressTicks: progressTicks, TotalTicks: totalTicks, ErrorMessage: errorMessage, ErrorId: errorId, ErrorCategory: errorCategory, Warning: warnings
Message #
Fields #
| Name | Description |
|---|---|
| targetComputer UnicodeString | |
| requestGuid GUID | |
| requestState Int32 | |
| restartRequired Boolean | |
| progressTicks Int32 | |
| totalTicks Int32 | |
| errorMessage UnicodeString | |
| errorId UnicodeString | |
| errorCategory Int32 | |
| warnings UnicodeString | |
Event ID 4020: Add-_InternalWindowsRole workflow has determined that the target computer should be restarted, and is checking whether it has already been restarted.
#Description
Add-_InternalWindowsRole workflow has determined that the target computer should be restarted, and is checking whether it has already been restarted. If this event is not followed by event 4021, the workflow either failed, was cancelled, or is still in progress. TargetComputer:targetComputer, InitialLastBootTime: initialLastBootTime
Message #
Fields #
| Name | Description |
|---|---|
| targetComputer UnicodeString | |
| initialLastBootTime FILETIME | |
Event ID 4021: Add-_InternalWindowsRole workflow has determined that the target computer should be restarted, and finished checking whether it has already been re...
#Description
Add-_InternalWindowsRole workflow has determined that the target computer should be restarted, and finished checking whether it has already been restarted. TargetComputer:targetComputer, InitialLastBootTime: initialLastBootTime, CurrentLastBootTime:currentLastBootTime, AlreadyRebooted:alreadyRebooted
Message #
Fields #
| Name | Description |
|---|---|
| targetComputer UnicodeString | |
| initialLastBootTime FILETIME | |
| currentLastBootTime FILETIME | |
| alreadyRebooted Boolean | |
Event ID 4022: Add-_InternalWindowsRole workflow is requesting restart of the target computer.
#Event ID 4023: Add-_InternalWindowsRole workflow has requested restart of the target computer.
#Event ID 4024: Add-_InternalWindowsRole workflow failed to restart the target computer within the timeout period and will exit.
#Event ID 9000: Get-WindowsFeature cmdlet started.
#Description
Get-WindowsFeature cmdlet started.
Message #
Fields #
| Name | Description |
|---|---|
| requestGuid GUID | |
| serverComponentNames UnicodeString | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-ServerManager-MultiMachine",
"guid": "D8D37081-10BD-4A89-A971-1CDA6899BDB3",
"event_source_name": "",
"event_id": 9000,
"version": 0,
"level": 4,
"task": 9001,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2026-03-13T19:06:27.609152+00:00",
"event_record_id": 3987,
"correlation": {
"ActivityID": "65934F52-B30E-000B-40D7-95650EB3DC01"
},
"execution": {
"process_id": 13820,
"thread_id": 10980
},
"channel": "Microsoft-Windows-ServerManager-MultiMachine/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"requestGuid": "7E0F4F8B-37A8-497E-806B-F440E7848387",
"serverComponentNames": "Web-Server"
},
"message": ""
}
Event ID 9001: Get-WindowsFeature cmdlet ended, Guid: requestGuid, Components: serverComponentNames.
#Description
Get-WindowsFeature cmdlet ended, Guid: requestGuid, Components: serverComponentNames.
Message #
Fields #
| Name | Description |
|---|---|
| requestGuid GUID | |
| serverComponentNames UnicodeString | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-ServerManager-MultiMachine",
"guid": "D8D37081-10BD-4A89-A971-1CDA6899BDB3",
"event_source_name": "",
"event_id": 9001,
"version": 0,
"level": 4,
"task": 9001,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2026-03-13T19:06:42.555723+00:00",
"event_record_id": 4251,
"correlation": {
"ActivityID": "65934F52-B30E-000B-40D7-95650EB3DC01"
},
"execution": {
"process_id": 13820,
"thread_id": 10980
},
"channel": "Microsoft-Windows-ServerManager-MultiMachine/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"requestGuid": "7E0F4F8B-37A8-497E-806B-F440E7848387",
"serverComponentNames": "Web-Server"
},
"message": ""
}
Event ID 9002: GetServerComponent method started.
#Event ID 9003: GetServerComponent method ended with Success.
#Event ID 9004: GetServerComponent method returned InProgress.
#Event ID 9005: GetServerComponent method returned Failed.
#Event ID 9006: GetEnumerationState method started.
#Description
GetEnumerationState method started.
Message #
Event ID 9007: GetEnumerationState method ended with Success.
#Event ID 9008: GetEnumerationState method returned InProgress.
#Event ID 9009: GetEnumerationState method returned Failed.
#Event ID 9010: Get Windows feature failed with Error: message.
#Event ID 9011: Component message1 has invalid state currentRoleId.
#Event ID 9012: Component message1 has state currentRoleId.
#Description
Component message1 has state currentRoleId.
Message #
Fields #
| Name | Description |
|---|---|
| message1 UnicodeString | |
| currentRoleId Int32 | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-ServerManager-MultiMachine",
"guid": "D8D37081-10BD-4A89-A971-1CDA6899BDB3",
"event_source_name": "",
"event_id": 9012,
"version": 0,
"level": 4,
"task": 9001,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2026-03-13T19:06:42.551154+00:00",
"event_record_id": 3988,
"correlation": {
"ActivityID": "65934F52-B30E-000B-40D7-95650EB3DC01"
},
"execution": {
"process_id": 13820,
"thread_id": 10980
},
"channel": "Microsoft-Windows-ServerManager-MultiMachine/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"message1": "NET-Framework-45-Features",
"currentRoleId": 1
},
"message": ""
}
Event ID 9100: Add-WindowsFeature cmdlet started.
#Description
Add-WindowsFeature cmdlet started.
Message #
Fields #
| Name | Description |
|---|---|
| requestGuid GUID | |
| serverComponentNames UnicodeString | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-ServerManager-MultiMachine",
"guid": "D8D37081-10BD-4A89-A971-1CDA6899BDB3",
"event_source_name": "",
"event_id": 9100,
"version": 0,
"level": 4,
"task": 9002,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2026-03-13T19:06:43.279603+00:00",
"event_record_id": 4252,
"correlation": {
"ActivityID": "65934F52-B30E-000B-55D7-95650EB3DC01"
},
"execution": {
"process_id": 8328,
"thread_id": 2708
},
"channel": "Microsoft-Windows-ServerManager-MultiMachine/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"requestGuid": "E8C08ECB-A15C-4FE2-B076-4C4E2A71C8E3",
"serverComponentNames": "Web-Server"
},
"message": ""
}
Event ID 9101: Add-WindowsFeature cmdlet ended.
#Description
Add-WindowsFeature cmdlet ended. Guid: requestGuid, Components serverComponentNames.
Message #
Fields #
| Name | Description |
|---|---|
| requestGuid GUID | |
| serverComponentNames UnicodeString | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-ServerManager-MultiMachine",
"guid": "D8D37081-10BD-4A89-A971-1CDA6899BDB3",
"event_source_name": "",
"event_id": 9101,
"version": 0,
"level": 4,
"task": 9002,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2026-03-13T19:07:36.215587+00:00",
"event_record_id": 4561,
"correlation": {
"ActivityID": "65934F52-B30E-000B-C4D8-95650EB3DC01"
},
"execution": {
"process_id": 8328,
"thread_id": 2708
},
"channel": "Microsoft-Windows-ServerManager-MultiMachine/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"requestGuid": "E8C08ECB-A15C-4FE2-B076-4C4E2A71C8E3",
"serverComponentNames": "Web-Server,Web-WebServer,Web-Common-Http,Web-Default-Doc,Web-Dir-Browsing,Web-Http-Errors,Web-Static-Content,Web-Health,Web-Http-Logging,Web-Performance,Web-Stat-Compression,Web-Security,Web-Filtering,Web-Mgmt-Console,Web-Mgmt-Tools"
},
"message": ""
}
Event ID 9102: AddServerComponent method started.
#Event ID 9103: AddServerComponent method ended with Success.
#Event ID 9104: AddServerComponent method returned InProgress.
#Event ID 9105: AddServerComponent method returned Failed.
#Event ID 9106: GetAlterationState method for Add-WindowsFeature started.
#Event ID 9107: GetAlterationState method for Add-WindowsFeature ended.
#Event ID 9108: GetAlterationState method for Add-WindowsFeature returned InProgress.
#Event ID 9109: GetAlterationState method for Add-WindowsFeature returned Failed.
#Event ID 9110: Mutual Exclusion conflict detected during add.
#Event ID 9200: Remove-WindowsFeature cmdlet started.
#Event ID 9201: Remove-WindowsFeature cmdlet ended.
#Description
Remove-WindowsFeature cmdlet ended. Guid: requestGuid, Components: serverComponentNames.
Message #
Fields #
| Name | Description |
|---|---|
| requestGuid GUID | |
| serverComponentNames UnicodeString | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-ServerManager-MultiMachine",
"guid": "{D8D37081-10BD-4A89-A971-1CDA6899BDB3}",
"event_source_name": "",
"event_id": 9201,
"version": 0,
"level": 4,
"task": 9003,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2026-05-30T02:17:48.9001580+00:00",
"event_record_id": 35568,
"correlation": {
"ActivityID": "{CEFBC89A-D2FC-0008-0B20-02CFFCD2DC01}"
},
"execution": {
"process_id": 14332,
"thread_id": 14056
},
"channel": "Microsoft-Windows-ServerManager-MultiMachine/Operational",
"computer": "JD-DC01-2022.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"requestGuid": "{8aa9205a-b0bf-4b2e-95d5-81965f786340}",
"serverComponentNames": "Telnet-Client"
},
"message": "Remove-WindowsFeature cmdlet ended. Guid: {8aa9205a-b0bf-4b2e-95d5-81965f786340}, Components: Telnet-Client."
}
Event ID 9202: RemoveServerComponent method started.
#Event ID 9203: RemoveServerComponent method ended with Success.
#Event ID 9204: RemoveServerComponent method returned InProgress.
#Event ID 9205: RemoveServerComponent method returned Failed.
#Event ID 9206: GetAlterationState method for Remove-WindowsFeature started.
#Event ID 9207: GetAlterationState method for Remove-WindowsFeature ended.
#Event ID 9208: GetAlterationState method for Remove-WindowsFeature returned InProgress.
#Event ID 9209: GetAlterationState method for Remove-WindowsFeature returned Failed.
#Event ID 9210: Remove Windows feature failed with Error: message.
#Event ID 9211: Add Windows feature failed with Error: message.
#Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID d8d37081-10bd-4a89-a971-1cda6899bdb3
Defined in SrvMgrInst.dll, which carries the event manifest.
Observed on:
- WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.1, captured 2026-06-02